djm@openbsd.org [Mon, 18 Dec 2023 14:48:08 +0000 (14:48 +0000)]
upstream: ssh-agent: record failed session-bind attempts
Record failed attempts to session-bind a connection and refuse signing
operations on that connection henceforth.
Prevents a future situation where we add a new hostkey type that is not
recognised by an older ssh-agent, that consequently causes session-bind
to fail (this situation is only likely to arise when people mix ssh(1)
and ssh-agent(1) of different versions on the same host). Previously,
after such a failure the agent socket would be considered unbound and
not subject to restriction.
djm@openbsd.org [Mon, 18 Dec 2023 14:47:44 +0000 (14:47 +0000)]
upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
djm@openbsd.org [Mon, 18 Dec 2023 14:47:20 +0000 (14:47 +0000)]
upstream: stricter handling of channel window limits
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Darren Tucker [Tue, 21 Nov 2023 05:19:29 +0000 (16:19 +1100)]
Expand -fzero-call-used-regs test to cover gcc 11.
It turns out that gcc also has some problems with -fzero-call-used-regs,
at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE
was sufficient to catch it with "=all", but not sufficient for "=used".
Expand the testcase and include it in the other tests for good measure.
See bz#3629. ok djm@.
Darren Tucker [Tue, 21 Nov 2023 03:04:34 +0000 (14:04 +1100)]
Stop using -fzero-call-used-regs=all
... since it seems to be problematic with several different versions of
clang. Only use -fzero-call-used-regs=used which is less
problematic, except with Apple's clang where we don't use it at all.
bz#3629, ok djm@
djm@openbsd.org [Wed, 15 Nov 2023 23:03:38 +0000 (23:03 +0000)]
upstream: when connecting via socket (the default case), filter
addresses by AddressFamily if one was specified. Fixes the case where, if
CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
dtucker
upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
was initialized. This fixes a potential uninitialized use of 'limits' in
sftp_init() if sftp_get_limits() returned early because of an unexpected
message type.
Darren Tucker [Wed, 1 Nov 2023 02:11:31 +0000 (13:11 +1100)]
Put long-running test targets on hipri runners.
Some of the selfhosted test targets take a long time to run for various
reasons, so label them for "libvirt-hipri" runners so that they can
start immediately. This should reduce the time to complete all tests.
upstream: Don't try to use sudo inside sshd log wrapper.
We still need to check if we're using sudo since we don't want to chown
unecessarily, as on some platforms this causes an error which pollutes
stderr. We also don't want to unnecessarily invoke sudo, since it's
running in the context of the proxycommand, on *other* platforms it
may not be able to authenticate, and if we're using SUDO then it should
already be privileged.
Fabio Pedretti [Mon, 16 Oct 2023 09:59:53 +0000 (11:59 +0200)]
Update openssl-devel dependency in RPM spec.
Since openssh 9.4p1, openssl >= 1.1.1 is required, so
build with --without-openssl elsewhere.
According to https://repology.org/project/openssl/versions
openssl 1.1.1 is available on fedora >= 29 and rhel >= 8.
Successfully build tested, installed and run on rhel 6
Damien Miller [Fri, 13 Oct 2023 04:15:05 +0000 (15:15 +1100)]
run t-extra regress tests
This exposes the t-extra regress tests (including agent-pkcs11.sh) as
a new extra-tests target in the top level Makefile and runs them by
default. ok dtucker@
Darren Tucker [Thu, 12 Oct 2023 11:01:23 +0000 (22:01 +1100)]
Don't use make -j2.
While we have 2 cores available on github runners, not using it means
that the most recent log message is the actual failure, rather than
having to search back through the log for it.
djm@openbsd.org [Wed, 11 Oct 2023 05:42:08 +0000 (05:42 +0000)]
upstream: in olde rcp/scp protocol mode, when rejecting a path from the
server as not matching the glob that the client sent, log (at debug level)
the received pathname as well as the list of possible expected paths expanded
from the glob. bz2966
Darren Tucker [Sun, 10 Sep 2023 05:45:38 +0000 (15:45 +1000)]
Use zero-call-used-regs=used with Apple compilers.
Apple's versions of clang have version numbers that do not match the
corresponding upstream clang versions. Unfortunately, they do still
have the clang-15 zero-call-used-regs=all bug, so for now use the value
that doesn't result in segfaults. We could allowlist future versions
that are known to work. bz#3584 (and probably also our github CI
failures).
upstream: the sftp code was one of my first contributions to
OpenSSH and it shows - the function names are terrible.
Rename do_blah() to sftp_blah() to make them less so.
Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.
projects / thirdparty / openssh-portable.git / log
