Darren Tucker [Sat, 11 Feb 2023 01:32:19 +0000 (12:32 +1100)]
Improve seccomp compat on older systems.
Check if flags to mmap and madvise are defined before using them.
Should fix problems building on older Linux systems that don't have
these. bz#3537, with & ok djm@.
djm@openbsd.org [Fri, 10 Feb 2023 04:47:19 +0000 (04:47 +0000)]
upstream: add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.
Damien Miller [Fri, 3 Feb 2023 05:33:09 +0000 (16:33 +1100)]
harden Linux seccomp sandbox
Linux mmap(2) and madvise(2) syscalls support quite a number of funky
flags that we don't expect that sshd/libc will ever need. We can
exclude this kernel attack surface by filtering the mmap(2) flags
and the madvise(2) advice arguments.
Similarly, the sandboxed process in sshd is a single-threaded program
that does not use shared memory for synchronisation or communication.
Therefore, there should be no reason for the advanced priority
inheritance futex(2) operations to be necessary. These can also be
excluded.
Motivated by Jann Horn pointing out that there have been kernel bugs
in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and
CVE-2022-42703.
Darren Tucker [Wed, 1 Feb 2023 06:17:26 +0000 (17:17 +1100)]
Skip connection-timeout test on minix3.
Minix 3's Unix domain sockets don't seem to work the way we expect, so
skip connection-timeout test on that platform. While there, group
together all similarly skipped tests and explicitly comment.
upstream: Create and install sshd random relink kit.
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach. The resulting sshd
binary is tested with the new sshd -V option before installation. As the
binary layout is now semi-unknown (meaning relative, fixed, and gadget
offsets are not precisely known), change the filesystem permissions to 511 to
prevent what I call "logged in BROP". I have ideas for improving this further
but this is a first step ok djm
djm@openbsd.org [Tue, 17 Jan 2023 09:44:48 +0000 (09:44 +0000)]
upstream: Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
djm@openbsd.org [Sun, 15 Jan 2023 23:05:32 +0000 (23:05 +0000)]
upstream: update OpenSSH's Ed25519 code to the last version of SUPERCOP
(20221122) and change the import approach to the same one we use for
Streamlined NTRUPrime: use a shell script to extract the bits we need from
SUPERCOP, make some minor adjustments and squish them all into a single file.
Darren Tucker [Fri, 13 Jan 2023 12:02:34 +0000 (23:02 +1100)]
Retry package installation 3 times.
When setting up the CI environment, retry package installation 3 times
before going up. Should help prevent spurious failures during
infrastructure issues.
upstream: Move scp path setting to a helper function. The previous
commit to add scp to the test sshd's path causes the t-envpass test to fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
upstream: Switch scp from using pipes to a socketpair for
communication with it's ssh sub-processes. We no longer need to reserve two
descriptors to ensure that we don't end up using fd 0-2 unexpectedly, that is
handled by sanitise_stdfd() in main(). Based on an original diff from djm@.
OK deraadt@ djm@
Darren Tucker [Sat, 7 Jan 2023 12:24:50 +0000 (23:24 +1100)]
Skip dynamic-forward test on minix3.
This test relies on loopback addresses which minix does not have.
Previously the test would not run at all since it also doesn't have
netcat, but now we use our own netcat it tries and fails.
Darren Tucker [Sat, 7 Jan 2023 03:30:43 +0000 (14:30 +1100)]
Use autoconf to find openssl binary.
It's possible to install an OpenSSL in a path not in the system's
default library search path. OpenSSH can still use this (eg if you
specify an rpath) but the openssl binary there may not work. If one is
available on the system path just use that.
Damien Miller [Fri, 6 Jan 2023 08:13:36 +0000 (19:13 +1100)]
unbreak scp on NetBSD 4.x
e555d5cad5 effectively increased the default copy buffer size for SFTP
transfers. This caused NetBSD 4.x to hang during the "copy local file to
remote file in place" scp.sh regression test.
This puts back the original 32KB copy buffer size until we can properly
figure out why.
djm@openbsd.org [Fri, 6 Jan 2023 02:47:18 +0000 (02:47 +0000)]
upstream: Implement channel inactivity timeouts
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.
Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.
djm@openbsd.org [Fri, 6 Jan 2023 02:39:59 +0000 (02:39 +0000)]
upstream: Add channel_force_close()
This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.
Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.
djm@openbsd.org [Fri, 16 Dec 2022 06:56:47 +0000 (06:56 +0000)]
upstream: Clear signal mask early in main(); sshd may have been
started with one or more signals masked (sigprocmask(2) is not cleared
on fork/exec) and this could interfere with various things, e.g. the
login grace timer.
Execution environments that fail to clear the signal mask before running
sshd are clearly broken, but apparently they do exist.
djm@openbsd.org [Fri, 16 Dec 2022 03:40:03 +0000 (03:40 +0000)]
upstream: add a -X option to both scp(1) and sftp(1) to allow
control over some SFTP protocol knobs: the copy buffer length and
the number of inflight requests, both of which are used during
upload/download.
Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.
upstream: The idiomatic way of coping with signed char vs unsigned
char (which did not come from stdio read functions) in the presence of
ctype macros, is to always cast to (unsigned char). casting to (int)
for a "macro" which is documented to take int, is weird. And sadly wrong,
because of the sing extension risk.. same diff from florian
Darren Tucker [Mon, 19 Dec 2022 07:49:51 +0000 (18:49 +1100)]
Simply handling of SSH_CONNECTION PAM env var.
Prompted by bz#3508: there's no need to cache the value of
sshpam_conninfo so remove the global. While there, add check of
return value from pam_putenv. ok djm@
projects / thirdparty / openssh-portable.git / log
