Darren Tucker [Fri, 5 Sep 2025 07:06:14 +0000 (17:06 +1000)]
Fill in missing system header files.
Create replacement header files inside openbsd-compat for common headers
that are missing on a given platform. Usually these are just empty,
but in some cases they'll include the equivalent file. This avoids
having to wrap those includes in '#ifdef HAVE_FOO_H' and reduces the
diff vs OpenBSD.
If we create any such headers, add the path to includes.
upstream: Improve rules for %-expansion of username.
Usernames passed on the commandline will no longer be subject to
% expansion. Some tools invoke ssh with connection information
(i.e. usernames and host names) supplied from untrusted sources.
These may contain % expansion sequences which could yield
unexpected results.
Since openssh-9.6, all usernames have been subject to validity
checking. This change tightens the validity checks by refusing
usernames that include control characters (again, these can cause
surprises when supplied adversarially).
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
include no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This
is done on the basis that ssh's configuration is trusted.
Damien Miller [Mon, 18 Aug 2025 06:47:23 +0000 (16:47 +1000)]
Match version instead of groups in connect-bigconf
The connect-bigconf makes a giant config file to test config passing
between the sshd subprocesses. Previously it used a bunch of "Match
group" lines to construct a large file. However checking group
membership can be expensive (e.g. if a large groups database is
present or if group lookup is remote via NSS). This could be slow
enough to exceed LoginGraceTime.
This switches it to "Match version" which is just a string compare
and does just as well for making a giant nonsense config file.
djm@openbsd.org [Mon, 18 Aug 2025 03:43:01 +0000 (03:43 +0000)]
upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.
Previously, ssh(1) and sshd(8) would pick a QoS value when they
were started and use it for the whole connection. This could
produce suboptimal choices for the QoS value, e.g. for multiplexed
sessions that started interactive but picked up a sftp client,
or sessions that moved large amounts of data via port forwarding.
Now the QoS value will change to the non-interactive IPQoS whenever
a "non-interactive" channel is open; basically any channel that lacks
a tty other than agent forwarding.
This is important now that the default interactive IPQoS is EF
(Expedited Forwarding), as many networks are configured to allow
only relatively small amounts of traffic of this class and they will
aggressively deprioritise the entire connection if this is exceeded.
NB. because ssh(1) and sshd(8) now change IP_TOS/IPV6_TCLASS
continually via setsockopt(), this commit requires a recent pledge(2)
change that landed recently in the OpenBSD kernel. Please ensure
you have updated to a kernel from within the last two weeks before
updating OpenSSH.
Damien Miller [Mon, 18 Aug 2025 03:46:37 +0000 (13:46 +1000)]
allow some socket syscalls in seccomp sandbox
Allow getsockname(2), getpeername(2) and getsockopt(2).
Also allow setsockopt(2) but only IP_TOS and IPV6_TCLASS.
Note that systems that use the older socketcall(2) mux syscall will
not have IP_TOS and IPV6_TCLASS allowlisted. On these platforms,
these calls will be soft-blocked (i.e. will fail rather than
terminate the whole process with a sandbox violation).
Damien Miller [Mon, 18 Aug 2025 03:44:53 +0000 (13:44 +1000)]
handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
djm@openbsd.org [Wed, 6 Aug 2025 04:53:04 +0000 (04:53 +0000)]
upstream: when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the reason why
it was being denied. Makes debugging certificate authz problems a bit easier.
job@openbsd.org [Tue, 5 Aug 2025 09:08:16 +0000 (09:08 +0000)]
upstream: Use the operating system default DSCP marking for
non-interactive traffic
It seems the CS1 traffic class mark is considered ambiguous and therefore
somewhat unhelpful (see RFC 8622 for more considerations). But, the new
'LE' scavenger class (also proposed in RFC 8622) offers high probability
of excessive delays & high packet loss, which would be inappropriate
for use with, for example, X11 forwardings. In fact, it is not known to
SSH what's appropriate because SSH is not aware of the content of what
passing through session forwardings. Therefore, no marking is appropriate.
Non-interactive traffic simply is best effort.
upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS
keywords
Type of Service (ToS) was deprecated in the late nineties and replaced
with the Differentiated Services architecture. Diffserv has significant
advantages for operators because this mechanism offers more granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be
ignored and instead the system default QoS settings apply. Additionally, a
debug message is logged about the deprecation with a suggestion to use DSCP.
upstream: Set default IPQoS for interactive sessions to Expedited
Forwarding (EF)
Marking interactive session data with DSCP value EF (RFC3246, RFC3247)
helps inform the network on relative priority compared to other traffic.
This is especially useful for differentiated treatment over wireless media.
Following the reconciled IETF Diffserv to IEEE 802.11 mappings (RFC 8325),
traffic marked with DSCP value EF maps to User Priority 6 in QoS Control,
in turn mapping to the high priority WMM AC_VO access category.
upstream: Help OpenSSH's PKCS#11 support kick its meth habit.
The PKCS#11 code in OpenSSH used the libcrypto public key method API
(e.g. the delightfully named RSA_meth_free()) to delegate signing
operations to external keys. This had one advantage - that it was
basically transparent to callers, but also had a big disadvantage -
that we'd manually have to track the method implementations, their
state and their relationships to the underlying PKCS#11 objects.
This rips this out and replaces it with explicit delegation to
PKCS#11 code for externally hosted keys via the ssh-pkcs11-helper
subprocess. This is very similar to how we handle FIDO keys in
OpenSSH (i.e. via ssh-sk-helper). All we need to track now is a
much simpler mapping of public key -> helper subprocess.
Kicking our libcrypto meth dependency also makes it much easier
to support Ed25519 keys in PKCS#11, which will happen in a subsequent
commit.
upstream: add a ssh_config RefuseConnection option that, when
encountered while processing an active section in a configuration file,
terminates ssh(1) with an error message that contains the argument to the
option.
This may be useful for expressing reminders or warnings in config
files, for example:
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
Jan Tojnar [Thu, 18 May 2023 14:30:35 +0000 (16:30 +0200)]
Add gnome-ssh-askpass4 for GNOME 40+
GTK 3 has been in maintenance mode for a while now, and it is on the road
to being abandoned. As a result, the dialogue looks out of place on modern
systems.
We could port it to GTK 4 but without the program being registered as an
application (i.e. having a .desktop file), GNOME Shell would ask for
permission to grab input every time.
Let’s instead use the GNOME Shell’s native prompt through the unstable
Gcr API.
Damien Miller [Sat, 12 Jul 2025 00:20:27 +0000 (17:20 -0700)]
let ga_init() fail gracefully if getgrouplist does
Apparently getgrouplist() can fail on OSX for when passed a non-existent
group name. Other platforms seem to return a group list consisting of
the numeric gid passed to the function.
This makes ga_init() handle this failure case gracefully, where it will
return success but with an empty group list array.
upstream: the messaging layer between sshd-session and sshd-auth had a
maximum message size of 256KB. Some people apparently have configurations
larger than this and would hit this limit.
Worse, there was no good logging that could help diagnose what was
going wrong.
So this bumps the maximum message size to 4MB and implements an early
check (usable via the sshd -t test mode) that will report it to the
user where it is hopefully more visible.
bz3808, reported by Dmitry Belyavskiy, ok dtucker@
projects / thirdparty / openssh-portable.git / log
