djm@openbsd.org [Thu, 15 Aug 2024 00:51:51 +0000 (00:51 +0000)]
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
The first argument should be the amount, the second argument should be the
element size. Fixing this also silences some gcc compiler warnings for
portable.
Spotted with Benny Baumann (BenBE at geshi dot org).
Multiple sshbuf structs can be linked through a parent/child relationship.
Make sure that a single sshbuf cannot be its own parent. If this would ever
happen, it would result in reference counting issues.
This is a cheap way of testing this with very little overhead. It does not
detect A->B->A linkages though for performance reason and the fact that it
takes a programming error for this to occur anyway.
Authored with Benny Baumann (BenBE at geshi dot org).
If a mux started with ControlPersist then later has a forwarding added using
mux proxy connection and the forwarding was used, then when the mux proxy
session terminates, the mux master process will send a channel close to the
server with a bad channel ID and crash the connection.
This was caused by my stupidly reusing c->remote_id for mux channel
associations when I should have just added another member to struct channel.
Samuel Thibault [Tue, 26 Mar 2024 21:15:08 +0000 (22:15 +0100)]
Fix detection of setres*id on GNU/Hurd
Like Linux, proper _SOURCE macros need to be set to get declarations of
various standard functions, notably setres*id. Now that Debian is using
-Werror=implicit-function-declaration this is really required. While at
it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
the same glibc.
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
upstream: Instead of using possibly complex ssh_signal(), write all
the parts of the grace_alarm_handler() using the exact things allowed by the
signal-safe rules. This is a good rule of thumb: Handlers should be written
to either set a global volatile sig_atomic_t inspected from outside, and/or
directly perform only safe operations listed in our sigaction(2) manual page.
ok djm markus
upstream: Work around dbclient cipher/mac query bug.
Unlike earlier versions, recent Dropbear (at least v2024.85) requires
a host arg when querying supported ciphers and macs via "-c/-m
help". Earlier versions accept but do not require it, so always
provide it. If these queries fail, skip the test with a warning.
if querying for them fails since on some versions of Dropbear (at least
v2024.85) "-m help" doesn't seem to work. Enable all supported pubkey
algorithms in the server.
Darren Tucker [Wed, 19 Jun 2024 10:20:24 +0000 (20:20 +1000)]
Restart sshd after installing it for testing.
When installing an sshd built without OpenSSL the mismatch between
the running sshd and newly installed sshd-session will cause the
remainder of the test to fail.
Damien Miller [Mon, 17 Jun 2024 07:02:18 +0000 (17:02 +1000)]
propagate PAM crashes to PerSourcePenalties
If the PAM subprocess crashes, exit with a crash status that will be
picked up by the sshd(8) listener process where it can be used by
PerSourcePenalties to block the client. This is similar handling to
the privsep preauth process.
Damien Miller [Fri, 14 Jun 2024 04:19:23 +0000 (14:19 +1000)]
add a sshd_config PamServiceName option
Allows selecting which PAM service name to use when UsePAM is
enabled. Defaults to "sshd" unless overridden at compile time
by defining SSHD_PAM_SERVICE.
Damien Miller [Thu, 13 Jun 2024 06:41:29 +0000 (16:41 +1000)]
sshd: don't use argv[0] as PAM service name
sshd would implicitly use argv[0] as the PAM service name to
allow people to select different PAM service names by making
differently-named copies/links to the sshd binary.
Splitting sshd into sshd/sshd-session broke this, as the process
that starts PAM is always sshd-session and the user has no control
over this.
Hardcode "sshd" as the default PAM service name unless/until we
figure out a better way. Should unbreak OSX integration tests.
Damien Miller [Thu, 13 Jun 2024 05:00:28 +0000 (15:00 +1000)]
prepare for checking in autogenerated files
We plan to check in automatically generated files (config.h.in, etc) on
release branches. These files are normally ignored by .gitignore, but
this shuffles the contents of this file to make it easy to un-ignore
them.
Damien Miller [Thu, 13 Jun 2024 04:35:25 +0000 (14:35 +1000)]
fix PTY allocation on Cygwin, broken by sshd split
Cygwin doesn't support FD passing and so used to disable post-auth
privilege separation entirely because privsep requires PTY allocation
to happen in the privileged monitor process with the PTY file
descriptors being passed back to the unprivileged process.
This brings back a minimal version of the previous special treatment
for Cygwin (and any other platform that sets DISABLE_FD_PASSING):
privilege separation remains enabled, but PTY allocation happens in
the post-auth user process rather than the monitor.
This either requires PTY allocation to not need privilege to begin
with (this appears to be the case on Cygwin), or the post-auth
privsep process retain privilege (other platforms that set the
DISABLE_FD_PASSING option).
Keeping privileges here is bad, but the non-Cygwin systems that set
DISABLE_FD_PASSING are so deeply legacy that this is likely to be the
least of their problems.
Damien Miller [Thu, 13 Jun 2024 01:33:09 +0000 (11:33 +1000)]
delay lookup of privsep user until config loaded
sshd-session attempting to use options.kerberos_authentication to
decide whether it needed to lookup the privsep user before the
configuration was loaded. This caused it to get a placeholder value
that caused it always to try to lookup the privsep user, breaking at
least one test environment.
djm@openbsd.org [Wed, 12 Jun 2024 22:36:00 +0000 (22:36 +0000)]
upstream: split PerSourcePenalties address tracking. Previously it
used one shared table and overflow policy for IPv4 and IPv6 addresses, now it
will use separate tables and optionally different overflow policies.
This prevents misbehaviour from IPv6 addresses (which are vastly easier
to obtain many of) from affecting IPv4 connections and may allow for
stricter overflow policies.
djm@openbsd.org [Thu, 6 Jun 2024 20:25:48 +0000 (20:25 +0000)]
upstream: enable PerSourcePenalties by default.
ok markus
NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.
Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.
djm@openbsd.org [Thu, 6 Jun 2024 17:15:25 +0000 (17:15 +0000)]
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
projects / thirdparty / openssh-portable.git / log
