Maxim Khon [Mon, 18 Aug 2025 12:05:42 +0000 (12:05 +0000)]
Use SSH_TUN_COMPAT_AF on FreeBSD.
Otherwise tun forwarding from other OSes fails as soon as the first IPv6
message is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up): all other
OSes use SSH_TUN_COMPAT_AF or SSH_TUN_PREPEND_AF, which effectively use
OpenBSD AF_INET/AF_INET6 values.
Darren Tucker [Fri, 5 Sep 2025 11:32:30 +0000 (21:32 +1000)]
Check for nlist function.
Check for nlist function presence before attempting to use it instead
of relying on the presence of the nlist.h header. Mac OS X, in particular,
has the header, but only has the function in the 32-bit libraries.
Darren Tucker [Fri, 5 Sep 2025 07:06:14 +0000 (17:06 +1000)]
Fill in missing system header files.
Create replacement header files inside openbsd-compat for common headers
that are missing on a given platform. Usually these are just empty,
but in some cases they'll include the equivalent file. This avoids
having to wrap those includes in '#ifdef HAVE_FOO_H' and reduces the
diff vs OpenBSD.
If we create any such headers, add the path to includes.
upstream: Improve rules for %-expansion of username.
Usernames passed on the commandline will no longer be subject to
% expansion. Some tools invoke ssh with connection information
(i.e. usernames and host names) supplied from untrusted sources.
These may contain % expansion sequences which could yield
unexpected results.
Since openssh-9.6, all usernames have been subject to validity
checking. This change tightens the validity checks by refusing
usernames that include control characters (again, these can cause
surprises when supplied adversarially).
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
include no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This
is done on the basis that ssh's configuration is trusted.
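The policy described in this commit, written out as an added example (not OpenSSH's own code; `username_policy`, `user_source` and the helper names are hypothetical): command-line usernames are never %-expanded and must pass the control-character check, config-file literals are accepted as-is, and config-file names containing '%' are flagged for expansion and also checked.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Origin of a username; the commit treats the two sources differently. */
enum user_source { USER_FROM_CMDLINE, USER_FROM_CONFIG };

/* True if any byte is a control character (0x00-0x1f or 0x7f). */
bool has_control_chars(const char *s)
{
	for (; *s != '\0'; s++)
		if (iscntrl((unsigned char)*s))
			return true;
	return false;
}

/* A literal username contains no % expansion sequences at all. */
bool is_literal_username(const char *s)
{
	return strchr(s, '%') == NULL;
}

/*
 * Hypothetical policy helper, not OpenSSH's own code.
 *   - command-line usernames: never %-expanded, must pass the
 *     control-character check;
 *   - config-file literals (no '%'): accepted as-is, on the basis that
 *     the configuration is trusted;
 *   - config-file names containing '%': checked here, and the caller
 *     must %-expand them (and check the expanded result) before use.
 * Returns -1 if refused, 0 if accepted as-is, 1 if accepted but the
 * caller must run % expansion first.
 */
int username_policy(const char *name, enum user_source src)
{
	int rc = 0;

	if (name == NULL || *name == '\0')
		return -1;
	if (src == USER_FROM_CONFIG) {
		if (is_literal_username(name))
			return 0;	/* trusted literal: arbitrary characters allowed */
		rc = 1;		/* expansion wanted; unexpanded name still checked */
	}
	return has_control_chars(name) ? -1 : rc;
}
```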
Damien Miller [Mon, 18 Aug 2025 06:47:23 +0000 (16:47 +1000)]
Match version instead of groups in connect-bigconf
The connect-bigconf makes a giant config file to test config passing
between the sshd subprocesses. Previously it used a bunch of "Match
group" lines to construct a large file. However, checking group
membership can be expensive (e.g. if a large groups database is
present or if group lookup is remote via NSS). This could be slow
enough to exceed LoginGraceTime.
This switches it to "Match version" which is just a string compare
and does just as well for making a giant nonsense config file.
djm@openbsd.org [Mon, 18 Aug 2025 03:43:01 +0000 (03:43 +0000)]
upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.
Previously, ssh(1) and sshd(8) would pick a QoS value when they
were started and use it for the whole connection. This could
produce suboptimal choices for the QoS value, e.g. for multiplexed
sessions that started interactive but picked up an sftp client,
or sessions that moved large amounts of data via port forwarding.
Now the QoS value will change to the non-interactive IPQoS whenever
a "non-interactive" channel is open; basically any channel that lacks
a tty other than agent forwarding.
This is important now that the default interactive IPQoS is EF
(Expedited Forwarding), as many networks are configured to allow
only relatively small amounts of traffic of this class and they will
aggressively deprioritise the entire connection if this is exceeded.
NB. because ssh(1) and sshd(8) now change IP_TOS/IPV6_TCLASS
continually via setsockopt(), this commit requires a recent pledge(2)
change that landed recently in the OpenBSD kernel. Please ensure
you have updated to a kernel from within the last two weeks before
updating OpenSSH.
Damien Miller [Mon, 18 Aug 2025 03:46:37 +0000 (13:46 +1000)]
allow some socket syscalls in seccomp sandbox
Allow getsockname(2), getpeername(2) and getsockopt(2).
Also allow setsockopt(2) but only IP_TOS and IPV6_TCLASS.
Note that systems that use the older socketcall(2) mux syscall will
not have IP_TOS and IPV6_TCLASS allowlisted. On these platforms,
these calls will be soft-blocked (i.e. will fail rather than
terminate the whole process with a sandbox violation).
Damien Miller [Mon, 18 Aug 2025 03:44:53 +0000 (13:44 +1000)]
handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
djm@openbsd.org [Wed, 6 Aug 2025 04:53:04 +0000 (04:53 +0000)]
upstream: when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the reason why
it was being denied. Makes debugging certificate authz problems a bit easier.
job@openbsd.org [Tue, 5 Aug 2025 09:08:16 +0000 (09:08 +0000)]
upstream: Use the operating system default DSCP marking for
non-interactive traffic
It seems the CS1 traffic class mark is considered ambiguous and therefore
somewhat unhelpful (see RFC 8622 for more considerations). But, the new
'LE' scavenger class (also proposed in RFC 8622) offers high probability
of excessive delays & high packet loss, which would be inappropriate
for use with, for example, X11 forwardings. In fact, it is not known to
SSH what's appropriate because SSH is not aware of the content of what is
passing through session forwardings. Therefore, no marking is appropriate.
Non-interactive traffic simply is best effort.
upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS
keywords
Type of Service (ToS) was deprecated in the late nineties and replaced
with the Differentiated Services architecture. Diffserv has significant
advantages for operators because this mechanism offers more granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be
ignored and instead the system default QoS settings apply. Additionally, a
debug message is logged about the deprecation with a suggestion to use DSCP.
upstream: Set default IPQoS for interactive sessions to Expedited
Forwarding (EF)
Marking interactive session data with DSCP value EF (RFC3246, RFC3247)
helps inform the network on relative priority compared to other traffic.
This is especially useful for differentiated treatment over wireless media.
Following the reconciled IETF Diffserv to IEEE 802.11 mappings (RFC 8325),
traffic marked with DSCP value EF maps to User Priority 6 in QoS Control,
in turn mapping to the high priority WMM AC_VO access category.
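The IPQoS handling described across the three upstream commits above (runtime selection of the interactive vs. non-interactive marking, deprecation of the ToS keywords, and the EF / OS-default defaults), as an added example that is not OpenSSH's own code; `ipqos_parse`, `ipqos_select`, `struct chan` and the `QOS_*` constants are hypothetical. The value returned for a named code point is the DS field (DSCP << 2), which is what IP_TOS / IPV6_TCLASS expect.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Results of ipqos_parse(); real markings are DS field values (DSCP << 2). */
#define QOS_SYSTEM_DEFAULT (-1)	/* "none": leave the OS default marking alone */
#define QOS_DEPRECATED_TOS (-2)	/* ToS keyword: ignored, OS default applies */
#define QOS_UNKNOWN        (-3)

/* DSCP code points named in the commit messages (EF, CS1, LE) plus CS0. */
static const struct { const char *name; int dscp; } dscp_names[] = {
	{ "ef", 46 }, { "cs1", 8 }, { "le", 1 }, { "cs0", 0 },
};

/* Map an IPQoS keyword to a value for setsockopt(IP_TOS / IPV6_TCLASS). */
int ipqos_parse(const char *kw)
{
	if (strcmp(kw, "none") == 0)
		return QOS_SYSTEM_DEFAULT;
	if (strcmp(kw, "lowdelay") == 0 || strcmp(kw, "throughput") == 0 ||
	    strcmp(kw, "reliability") == 0) {
		/* deprecated IPv4 ToS keyword: log and fall back to OS default */
		fprintf(stderr, "IPQoS '%s' is deprecated; use a DSCP value\n", kw);
		return QOS_DEPRECATED_TOS;
	}
	for (size_t i = 0; i < sizeof(dscp_names) / sizeof(dscp_names[0]); i++)
		if (strcmp(kw, dscp_names[i].name) == 0)
			return dscp_names[i].dscp << 2;
	return QOS_UNKNOWN;
}

/* Minimal view of an open channel, enough to apply the runtime rule. */
struct chan { bool has_tty; bool agent_forward; };

/* Non-interactive marking whenever any channel without a tty, other than
 * agent forwarding, is open; interactive marking otherwise. Re-run this
 * every time a channel opens or closes, as the commit describes. */
int ipqos_select(const struct chan *c, size_t n, int interactive, int noninteractive)
{
	for (size_t i = 0; i < n; i++)
		if (!c[i].has_tty && !c[i].agent_forward)
			return noninteractive;
	return interactive;
}
```

With the new defaults, `interactive` is `ipqos_parse("ef")` and `noninteractive` is `ipqos_parse("none")`, so a connection drops back to the OS default marking as soon as a port forward or sftp channel opens.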