Darren Tucker [Sun, 15 Feb 2026 19:16:56 +0000 (14:16 -0500)]
Remove "draining" of PAM prompts.
With the previous commit, both prompts and info/error messages are
returned to keyboard-interactive immediately and none are accumulated, so
there will never be any un-drained prompts. ok djm@
Matthew Heller [Mon, 14 Oct 2024 14:25:41 +0000 (09:25 -0500)]
fix duplicate PAM msgs, missing loginmsg reset
without this change in mm_answer_pam_account all messages added in
auth-pam.c sshpam_query(...) case PAM_SUCCESS end up sent here, then are
still sitting in the loginmsg buffer and printed a second time in
session.c do_login(...)
Darren Tucker [Wed, 11 Feb 2026 22:36:42 +0000 (17:36 -0500)]
Factor out RNG reseeding into a single function.
sshd and sshd-session both reseed the RNG after a fork. Move the
existing reseed_prngs() function into entropy.c and use for both.
Clean up entropy.h too. ok djm@
Darren Tucker [Mon, 9 Feb 2026 18:34:46 +0000 (05:34 +1100)]
Provide compat shims for sys/{mount.h,statvfs.h}.
In addition to shimming on platforms that don't have them, we also need to
shim sys/mount.h on DragonFlyBSD since it uses its native STAILQ_ENTRYs
which our compat queues.h does not have, which causes sftp-server.o to
not build. This is a little icky, but it limits the blast radius to
just one source file on only DragonFly. ok djm@
Darren Tucker [Sun, 8 Feb 2026 19:56:35 +0000 (06:56 +1100)]
Remove openindiana VM test.
When it works it's by far the slowest (>1h to install packages) and the
package installation is flaky. We can bring it back if their infra ever
improves.
upstream: Make ssh optionally build with Kerberos 5 against the
Heimdal port. This updates the Makefiles and repairs some bitrot in headers,
resyncing them against Portable. To do this, "pkg_add heimdal" then "make
KERBEROS5=yes". ok djm@
Darren Tucker [Sun, 8 Feb 2026 00:30:21 +0000 (11:30 +1100)]
Move USE_SYSTEM_GLOB into a glob.h compat shim.
This moves the logic for selecting whether or not we can use the system
glob into configure, and if we either don't have glob or can't use it, we
create the shim. Removes several diffs vs upstream.
Artem Savkov [Tue, 18 Nov 2025 15:26:11 +0000 (16:26 +0100)]
Fix ut_type for btmp records
According to man utmp ut_type is supposed to be only switched from
LOGIN_PROCESS to USER_PROCESS after successful authentication and this
is how sshd behaved before 671c44078.
if available, append it to the corresponding ssh error message and
optionally print the libcrypto full error stack (at debug1). with &
ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
upstream: Make it clear that DenyUsers/DenyGroups overrides
AllowUsers/AllowGroups. Previously we specified the order in which the
directives are processed but it was ambiguous as to what happened if both
matched. OK djm@
djm@openbsd.org [Wed, 21 Jan 2026 23:58:20 +0000 (23:58 +0000)]
upstream: In ssh(1), don't try to match certificates held in an
agent to private keys.
This matching is done to support certificates that were
loaded without their private key material, but is unnecessary for
agent-hosted certificates, which always have private key material
loaded in the agent. Worse, this matching would mess up the
request sent to the agent in such a way as to break usage of these
keys when the key usage was restricted in the agent.
upstream: If editline has been switched to vi mode (i.e. via "bind
-v" in .editrc), set up a keybinding so that command mode can be entered. Diff
originally from Walter Alejandro Iglesias with tweaks. Feedback from Crystal
Kolipe. ok djm
upstream: Fill entropy in a single operation instead of hundreds.
The sntrup761 code we use from SUPERCOP fills entropy arrays 4 bytes at
a time. On some platforms each of these operations has a significant
overhead, so instead fill it in a single operation and as a precaution
zero that array after it's used.
Analysis and code change is from Mike Frysinger via Github PR#621 with
feedback from djm@ and sed-ification from me. ok djm@ beck@.
This change was submitted by Mike to SUPERCOP upstream so hopefully
future versions will already have it.
djm@openbsd.org [Tue, 30 Dec 2025 00:22:58 +0000 (00:22 +0000)]
upstream: Enforce maximum packet/block limit during
pre-authentication phase
OpenSSH doesn't support rekeying before authentication completes to
minimise pre-auth attack surface.
Given LoginGraceTime, MaxAuthTries and strict KEX, it would be
difficult to send enough data or packets before authentication
completes to reach a point where rekeying is required, but we'd
prefer it to be completely impossible.
So this applies the default volume/packet rekeying limits to the
pre-auth phase. If these limits are exceeded the connection will
simply be closed.
djm@openbsd.org [Mon, 22 Dec 2025 01:49:03 +0000 (01:49 +0000)]
upstream: When certificate support was added to OpenSSH,
certificates were originally specified to represent any principal if the
principals list was empty.
This was, in retrospect, a mistake as it created a fail-open
situation if a CA could be convinced to accidentally sign a
certificate with no principals. This actually happened in a 3rd-
party CA product (CVE-2024-7594).
Somewhat fortunately, the main pathway for using certificates in
sshd (TrustedUserCAKeys) never supported empty-principals
certificates, so the blast radius of such mistakes was
substantially reduced.
This change removes this footcannon and requires all certificates
include principals sections. It also fixes interpretation of
wildcard principals, and properly enables them for host
certificates only.
This is a behaviour change that will permanently break uses of
certificates with empty principals sections.
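The fail-open behaviour described in the commit message above, contrasted with a fail-closed check, as an added example that is not part of the commit log and is not OpenSSH source code. The type, function and variable names are hypothetical, fnmatch(3) stands in for the project's own pattern matcher, and the legacy function models only the empty-list rule.

```c
/* Simplified model of the principal check; not OpenSSH source code. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

enum cert_type { CERT_USER, CERT_HOST };	/* hypothetical names */
struct cert {
	enum cert_type type;
	size_t nprincipals;
	const char *principals[4];
};

/* Constructed sample certificates, not real data. */
static const struct cert empty_user = { CERT_USER, 0, { NULL } };
static const struct cert wild_user = { CERT_USER, 1, { "*" } };
static const struct cert wild_host = { CERT_HOST, 1, { "*.example.com" } };

/* Legacy rule: an empty principals list represents any principal. */
int principal_ok_legacy(const struct cert *c, const char *name)
{
	if (c->nprincipals == 0)
		return 1;	/* fail-open */
	for (size_t i = 0; i < c->nprincipals; i++)
		if (strcmp(c->principals[i], name) == 0)
			return 1;
	return 0;
}

/* Strict rule: empty list never matches; wildcards count for host certs only. */
int principal_ok_strict(const struct cert *c, const char *name)
{
	if (c->nprincipals == 0)
		return 0;	/* fail-closed */
	for (size_t i = 0; i < c->nprincipals; i++) {
		const char *p = c->principals[i];
		if (strcmp(p, name) == 0)
			return 1;
		/* Assumption: fnmatch(3) stands in for the real pattern matcher. */
		if (c->type == CERT_HOST && fnmatch(p, name, 0) == 0)
			return 1;
	}
	return 0;
}

int main(void)
{
	printf("empty list: legacy=%d strict=%d\n", principal_ok_legacy(&empty_user, "root"), principal_ok_strict(&empty_user, "root"));
	printf("wildcard: user=%d host=%d\n", principal_ok_strict(&wild_user, "root"), principal_ok_strict(&wild_host, "web1.example.com"));
	return 0;
}
```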
djm@openbsd.org [Mon, 22 Dec 2025 01:20:39 +0000 (01:20 +0000)]
upstream: Don't misuse the sftp limits extension's open-handles
field. This value is supposed to be the number of handles a server will allow
to be opened and not a number of outstanding read/write requests that can be
sent during an upload/download.
upstream: Add 'invaliduser' penalty to PerSourcePenalties, which is
applied to login attempts for usernames that do not match real accounts.
Defaults to 5s to match 'authfail' but allows administrators to block such
sources for longer if desired. with & ok djm@