| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
|
|
traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this setting is
enabled. Patch from Antonio Larrosa via bz3655
|
|
ok dtucker@
|
|
by default. Specifically, this removes the diffie-hellman-group* and
diffie-hellman-group-exchange-* methods. The client is unchanged and
continues to support these methods by default.
Finite field Diffie Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.
ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.
ok markus@
|
|
Matches; spotted by phessler@ ok deraadt@
|
|
|
|
the original diff had a couple of errors, which i've fixed
|
|
to a more shell-like one. Apparently the old tokeniser (accidentally?)
allowed "Match criteria=argument" as well as the "Match criteria argument"
syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
|
|
|
|
|
|
|
|
|
|
using -fwrapv to provide defined over/underflow behaviour, but we use
-ftrapv to catch integer errors and abort the program. ok dtucker@
|
|
|
|
|
|
in SUPERCOP 20201130 to the "compact" implementation in SUPERCOP
20240808. The new version is substantially faster.
Thanks to Daniel J Bernstein for pointing out the new implementation
(and of course for writing it).
tested in snaps/ok deraadt@
|
|
|
|
This allows writing Match conditions that trigger for invalid username.
E.g.
PerSourcePenalties refuseconnection:90s
Match invalid-user
RefuseConnection yes
Will effectively penalise bots try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
|
|
PerSourcePenalties
This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@
|
|
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)
ok markus@
|
|
ok markus@
|
|
tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@
|
|
the user know what's going on when ssh-keygen is invoked via other
tools. Requested in GHPR503
|
|
fails. Prevents restrictive key options being incorrectly applied
to subsequent keys in authorized_keys. bz3733, ok markus@
|
|
which incorrectly required that sshd was started with an absolute path
in inetd mode. bz3717, patch from Colin Wilson
|
|
|
|
flag now than an IANA codepoint has been assigned for the algorithm.
Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.
ok markus@
|
|
string rather than the first. This makes it possible to use usernames
that contain '@' characters.
Prompted by Max ZettlmeiÃl; feedback/ok millert@
|
|
"rsa") in user-interface code and require full SSH protocol names (e.g.
"ssh-rsa") everywhere else.
Prompted by bz3725; ok markus@
|
|
|
|
|
|
that "Match Exec" and environment variables.
ok dtucker@
|
|
|
|
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
ok markus@ deraadt@
|
|
(which is requested as the name "zlib"). Compression starts very early in
the session.
Relative early in OpenSSH lifetime, privsep was added to sshd, and this
required a shared-memory hack so the two processes could see what was going
on in the dataflow. This shared-memory hack was soon recognized as a tremendous
complexity risk, because it put libz (which very much trusts it's memory)
in a dangerous place, and a new option ("zlib@openssh.com") was added begins
compression after authentication (aka delayed-compression). That change
also permitted removal of the shared-memory hack.
Despite removal from the server, the old "zlib" support remained in the
client, to allow negotiation with non-OpenSSH daemons which lack the
delayed-compression option.
This commit deletes support for the older "zlib" option in the client.
It reduces our featureset in a small way, and encourages other servers
to move to a better design.
The SSH protocol is different enough that compressed-key-material attacks
like BEAST are unlikely, but who wants to take the chance?
We encourage other ssh servers who care about optional compression support
to add delayed-zlib support. (Some already do "zlib@openssh.com")
ok djm markus
|
|
so we can make the algorithm available without the @openssh.com
suffix too. ok markus@ deraadt@
|
|
|
|
constant (this makes no difference in practice because the length
is always the same); reported by martin AT nmkd.net
|
|
using mmap(3) with MAP_CONCEAL set. This prevents exposure of the
key material in coredumps, etc (this is in addition to other measures
we take in this area).
ok deraadt@
|
|
clarify that rsa-sha2-512 is the default signature scheme when RSA
is in use. Based on GHPR505 from SebastianRzk
|
|
from Antonio Larrosa via GHPR515
|
|
|
|
unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
ok tb@
|
|
The first argument should be the amount, the second argument should be the
element size. Fixing this also silences some gcc compiler warnings for
portable.
Spotted with Benny Baumann (BenBE at geshi dot org).
ok djm@
|
|
Multiple sshbuf structs can be linked through a parent/child relationship.
Make sure that a single sshbuf cannot be its own parent. If this would ever
happen, it would result in reference counting issues.
This is a cheap way of testing this with very little overhead. It does not
detect A->B->A linkages though for performance reason and the fact that it
takes a programming error for this to occur anyway.
Authored with Benny Baumann (BenBE at geshi dot org).
ok djm@
|
|
It has the same meaning as the current pair of calling explicit_bzero
and free. Spotted with Benny Baumann (BenBE at geshi dot org).
ok djm@
|
|
Spotted with Benny Baumann (BenBE at geshi dot org).
ok djm@
|
|
ok deraadt@ djm@
|
