Darren Tucker [Wed, 22 Dec 2021 08:33:10 +0000 (19:33 +1100)]
Use SHA.*_HMAC_BLOCK_SIZE if needed.
If the platform has a native SHA2, does not define SHA.*_BLOCK_LENGTH
but does define SHA.*_HMAC_BLOCK_SIZE (eg Solaris) then use the latter.
Should fix --without-openssl build on Solaris.
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.
djm@openbsd.org [Sun, 19 Dec 2021 22:13:55 +0000 (22:13 +0000)]
upstream: Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
djm@openbsd.org [Sun, 19 Dec 2021 22:11:39 +0000 (22:11 +0000)]
upstream: ssh-agent side of destination constraints
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
djm@openbsd.org [Sun, 19 Dec 2021 22:11:06 +0000 (22:11 +0000)]
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
djm@openbsd.org [Sun, 19 Dec 2021 22:10:24 +0000 (22:10 +0000)]
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
djm@openbsd.org [Sun, 19 Dec 2021 22:08:48 +0000 (22:08 +0000)]
upstream: ssh client side of binding
send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.
djm@openbsd.org [Thu, 2 Dec 2021 23:23:13 +0000 (23:23 +0000)]
upstream: improve the testing of credentials against inserted FIDO
keys a little more: ask the token whether a particular key belongs to it in
cases where the token support on-token user- verification (e.g. biometrics)
rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases.
Darren Tucker [Fri, 19 Nov 2021 05:01:51 +0000 (16:01 +1100)]
Don't auto-enable Capsicum sandbox on FreeBSD 9/10.
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
Damien Miller [Wed, 17 Nov 2021 23:16:55 +0000 (10:16 +1100)]
adjust seccomp filter for select->poll conversion
Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.
Darren Tucker [Fri, 12 Nov 2021 11:55:27 +0000 (22:55 +1100)]
Switch from LibreSSL 3.4.0 to 3.4.1.
The LibreSSL 3.4.0 release has an OPENBSD_BRANCH that points to
"master" and that branch no longer has the files LibreSSL expects
and thus it will no longer build, breaking the test.
Darren Tucker [Wed, 10 Nov 2021 01:34:25 +0000 (12:34 +1100)]
Don't trust closefrom() on Linux.
glibc's closefrom implementation does not work in a chroot when the kernel
does not have close_range. It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call close_range
ourselves from our compat code and fall back if that fails. bz#3349,
with william.wilson at canonical.com and fweimer at redhat.com.
Darren Tucker [Sat, 6 Nov 2021 10:07:03 +0000 (21:07 +1100)]
Skip getline() on HP-UX 10.x.
HP-UX 10.x has a getline() implementation in libc that does not behave
as we expect so don't use it. With correction from Thorsten Glaser and
typo fix from Larkin Nickle.
djm@openbsd.org [Tue, 2 Nov 2021 22:56:40 +0000 (22:56 +0000)]
upstream: Better handle FIDO keys on tokens that provide user
verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports
on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag
in the key so that ssh(1) doesn't automatically prompty for PIN later.
When making signatures with the key, query the token's capabilities
again and check whether the token is able (right now) to perform user-
verification without a PIN. If it is then the PIN prompt is bypassed
and user verification delegated to the token. If not (e.g. the token
is biometric capable, but no biometric are enrolled), then fall back
to user verification via the usual PIN prompt.
djm@openbsd.org [Fri, 29 Oct 2021 03:03:06 +0000 (03:03 +0000)]
upstream: sshsig: add tests for signing key validity and
find-principals
- adds generic find-principals tests (this command had none before)
- tests certs with a timeboxed validity both with and without a
restriced lifetime for the CA
- test for a revoked CA cert
projects / thirdparty / openssh-portable.git / log
