upstream: move username validity check for usernames specified on
the commandline to earlier in main(), specifically before some contexts where
a username with shell characters might be expanded by a %u directive in
ssh_config.
We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.
upstream: Fix possible sshd crash when sshd_config set MaxStartups
to a value <10 using the single-argument form of MaxStartups (e.g.
MaxStartups=3). This doesn't affect the three-argument form of the directive
(e.g. MaxStartups 3:20:5).
Damien Miller [Thu, 2 Apr 2026 07:32:00 +0000 (18:32 +1100)]
properly bail out when PAM changes username
OpenSSH doesn't support PAM changing its conception of the
username via a module calling pam_set_item(h, PAM_USER, ...).
We were supposed to bail out here, but I messed up while "fixing"
this last time and dropped a return statement.
This will MODIFY THE CONFIG OF THE SYSTEM IT IS RUNNING ON to enable
hostbased authentication to/from itself and run the hostbased tests. It
won't undo these changes, so don't do this on a system where this matters.
djm@openbsd.org [Mon, 30 Mar 2026 07:18:24 +0000 (07:18 +0000)]
upstream: apply the same validity rules to usernames and hostnames
set for ProxyJump/-J on the commandline as we do for destination user/host
names.
Specifically, they are no longer allowed to contain most characters
that have special meaning for common shells. Special characters are
still allowed in ProxyJump commands that are specified in the config
files.
This _reduces_ the chance of shell characters from a hostile -J
option ending up in a shell execution context.
Don't pass untrusted stuff to the ssh commandline, it's not intended
to be a security boundary. We try to make it safe where we can, but
we can't make guarantees, because we can't know the parsing rules
and special characters for all the shells in the world, nor can we
know what the user does with this data in their ssh_config wrt
percent expansion, LocalCommand, match exec, etc.
While I'm in there, make ProxyJump and ProxyCommand first-match-wins
between each other.
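As an added illustration of the rule this commit message describes (a reject-list check applied to user and host names taken from the command line, so that they cannot carry shell metacharacters into a later expansion), here is example code written for this page. It is not OpenSSH's own implementation: the exact set of rejected characters, the length limit, and the `[user@]host[:port]` splitting of a -J jump spec are all assumptions made for the demonstration.

```c
#include <ctype.h>
#include <string.h>

/*
 * Hypothetical reject list: characters with special meaning for common
 * shells (quoting, expansion, globbing, redirection, separators).
 * This is an assumption for the example, not OpenSSH's actual list.
 */
static const char shell_special[] = "'\"`\\$;|&<>()[]{}!*?~# \t\n";

/* Return 1 if s is acceptable as a command-line user or host name, else 0. */
int
cmdline_name_ok(const char *s)
{
	size_t i, len = strlen(s);

	if (len == 0 || len > 255)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		/* reject control characters and anything outside ASCII */
		if (c < 0x20 || c == 0x7f || c >= 0x80)
			return 0;
		if (strchr(shell_special, c) != NULL)
			return 0;
	}
	return 1;
}

/*
 * Validate a -J style "[user@]host[:port]" jump spec by checking each part.
 * Assumption for the example: no bracketed IPv6 literals, so the first ':'
 * in the host part separates the port.
 */
int
jumpspec_ok(const char *spec)
{
	char buf[512], *user = NULL, *host, *port = NULL, *at, *colon;

	if (strlen(spec) >= sizeof(buf))
		return 0;
	strcpy(buf, spec);
	host = buf;
	if ((at = strrchr(buf, '@')) != NULL) {
		*at = '\0';
		user = buf;
		host = at + 1;
	}
	if ((colon = strchr(host, ':')) != NULL) {
		*colon = '\0';
		port = colon + 1;
	}
	if (user != NULL && !cmdline_name_ok(user))
		return 0;
	if (!cmdline_name_ok(host))
		return 0;
	if (port != NULL) {
		if (*port == '\0' || strlen(port) > 5)
			return 0;
		for (; *port != '\0'; port++)
			if (!isdigit((unsigned char)*port))
				return 0;
	}
	return 1;
}
```

A name such as `alice$(id)@jump` or `a;b@host` is rejected before it can reach a `%r`/`%h` expansion in a ProxyCommand or LocalCommand, while ordinary `alice@jump.example.com:2222` passes. The check is deliberately a reject list on the command-line path only; as the commit message notes, values from the config files are the user's own and are left alone.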
Damien Miller [Sun, 29 Mar 2026 05:24:59 +0000 (16:24 +1100)]
fix state confusion between PAM and privsep code
Commits b9a6dd4d6 and df2b28163 introduced a potential desynchronisation
between the PAM code and the sshd-session monitor that could result in
authentication bypass if the unprivileged sshd-auth process had been
compromised.
Reported by Ben Edelman of NIST. Only git HEAD is affected, these
changes have not yet been included in an OpenSSH release.
Icenowy Zheng [Sun, 22 Mar 2026 07:13:31 +0000 (15:13 +0800)]
seccomp sandbox: allow riscv_hwprobe syscall if present
The development branch of zlib-ng now contains code for utilizing
riscv_hwprobe syscall to retrieve availability information for several
RISC-V extensions (and accelerate deflate algorithm with them).
As the seccomp sandbox of OpenSSH will raise SIGSYS for filtered out
syscalls, this will abruptly terminate the process when the
riscv_hwprobe syscall is tried.
Put it into the allowlist to prevent process termination. As all
syscalls here are guarded by #ifdef's, the same will be done for
riscv_hwprobe, and thus on non-RISC-V builds nothing will happen.
upstream: Check return values of fcntl(... O_CLOEXEC)
calls by reusing the macro in monitor.c. Flagged by Coverity CID
901297 in ssh-sk-client.c, a few other instances added for good measure.
begrudging ok deraadt@
upstream: With its own daemonization / fd cleaning code, ssh-agent
opens /dev/null O_RDWR after a pledge without "wpath". This is allowed in
current pledge because "/dev/null" is implicitly allowed to be opened even
with the most restrictive pledges or unveils. This is a design decision in
pledge made at the very beginning, to satisfy libc requirements. We've
finally had enough experience and know how to fix that in the near-future,
but need to review and fix all code which opens these implicit paths. The fix
is to add "wpath", so that "/dev/null" can be opened O_RDWR. But that is
uncomfortable, so we add unveil() allowing "/" with "r", 4 unveil "x" for the
potential askpass and helpers to be execve'd, and "/dev/null" with "wr". As
a result filesystem access is substantially more restricted than before, and
ssh-agent is ready for the future pledge change. ok djm dtucker
upstream: Stop doing access() before execve(). It is a TOCTOU, but
also it forces use of unveil "rx" instead of "x". This is done by using a
pipe() through the fork+execve attempt to expose execve failure and create
the same error return as the access() used to do. ok djm dtucker
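The two commit messages above describe small but security-relevant patterns: always checking the return of the `fcntl(... FD_CLOEXEC)` call, and replacing an `access()`-before-`execve()` check (a TOCTOU, and one that needs "r" on the unveil) with a close-on-exec pipe that carries the child's `execve()` errno back to the parent. The following is example code written for this page showing both together; it is not OpenSSH's code, and the function names and the `/bin/sh -c 'exit 0'` / nonexistent-path demo targets are assumptions for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, checking both fcntl() return values (not ignoring them). */
static int
set_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	if (flags == -1)
		return -1;
	if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
		return -1;
	return 0;
}

/*
 * fork+execv that reports the child's execv() errno through a close-on-exec
 * pipe. On success the pipe's write end is closed by the exec, the parent
 * reads EOF and returns 0 with the child pid in *pidp (caller must waitpid).
 * On failure the child writes errno, the parent reaps it and returns errno.
 * No access() probe is needed, so there is no check-then-use window.
 */
static int
spawn_report_exec_error(const char *path, char *const argv[], pid_t *pidp)
{
	int p[2], err = 0;
	ssize_t n;
	pid_t pid;

	if (pipe(p) == -1)
		return errno;
	if (set_cloexec(p[0]) == -1 || set_cloexec(p[1]) == -1) {
		err = errno;
		close(p[0]);
		close(p[1]);
		return err;
	}
	if ((pid = fork()) == -1) {
		err = errno;
		close(p[0]);
		close(p[1]);
		return err;
	}
	if (pid == 0) {
		/* child: p[1] disappears on a successful exec */
		close(p[0]);
		execv(path, argv);
		err = errno;
		(void)write(p[1], &err, sizeof(err));
		_exit(127);
	}
	close(p[1]);
	do {
		n = read(p[0], &err, sizeof(err));
	} while (n == -1 && errno == EINTR);
	close(p[0]);
	if (n == 0) {
		*pidp = pid;
		return 0;
	}
	while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
		;
	return n == (ssize_t)sizeof(err) ? err : EIO;
}

/* Demo helper: run argv, wait for it if exec succeeded, return the exec errno. */
static int
run_and_wait(const char *path, char *const argv[])
{
	pid_t pid;
	int r = spawn_report_exec_error(path, argv, &pid);

	if (r == 0)
		while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
			;
	return r;
}

/* Exec of an existing program: expected result 0. */
int
demo_exec_exists(void)
{
	char *argv[] = { "sh", "-c", "exit 0", NULL };

	return run_and_wait("/bin/sh", argv);
}

/* Exec of a missing path: expected result ENOENT, delivered via the pipe. */
int
demo_exec_missing(void)
{
	char *argv[] = { "no-such-binary", NULL };

	return run_and_wait("/nonexistent/no-such-binary", argv);
}
```

Because the pipe is the only channel, the parent learns exactly the errno that `execve()` produced (ENOENT, EACCES, ...) rather than an earlier guess from `access()`, and the file only ever needs to be executable, not readable, by the sandboxed process.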
djm@openbsd.org [Thu, 5 Mar 2026 05:40:35 +0000 (05:40 +0000)]
upstream: With IANA codepoints for draft-ietf-sshm-ssh-agent now
allocated, it's safe to start using the standard names for requesting agent
forwarding over the @openssh.com extension names we've used to date.
Support for the standard names is advertised via EXT_INFO. When the
client sees such support it will use the new names preferentially,
but the existing names remain supported unconditionally.
extension requests should indicate failure using
SSH_AGENT_EXTENSION_FAILURE rather than the generic SSH_AGENT_FAILURE
error code. This allows the client to discern between "the request
failed" and "the agent doesn't support this extension".
djm@openbsd.org [Mon, 2 Mar 2026 02:40:15 +0000 (02:40 +0000)]
upstream: Move banner exchange to sshd-auth process
Previously, exchange of the initial SSH- banners was performed
by the privileged sshd-session monitor. This moves it to the
unprivileged sshd-auth subprocess, removing ~200 LoC from the
monitor's privileged attack surface.
The monitor gains a new "setcompat" RPC to allow sshd-auth to
inform it of bug compat flags picked up from the client's banner.
Darren Tucker [Sat, 28 Feb 2026 22:46:39 +0000 (09:46 +1100)]
Try -lstdc++ for libcrypto before giving up.
BoringSSL recently added destructors to libcrypto, which requires
linking against libstdc++, so when checking for a working libcrypto if
at first the link fails, try again with -lstdc++ before giving up.
Darren Tucker [Tue, 24 Feb 2026 02:34:48 +0000 (21:34 -0500)]
Remove potentially leftover include compat shims.
If we don't need a specific shim, ensure it does not exist. Prevents
confusion if configurations change or the directory is reused across
different platforms.
djm@openbsd.org [Wed, 18 Feb 2026 02:59:27 +0000 (02:59 +0000)]
upstream: when uploading a directory using sftp/sftp (e.g. during a
recursive transfer), don't clobber the remote directory permissions unless
either we created the directory during the transfer or the -p flag was set.
bz3925 ok dtucker@
Darren Tucker [Sun, 15 Feb 2026 19:16:56 +0000 (14:16 -0500)]
Remove "draining" of PAM prompts.
With the previous commit, both prompts and info/error messages are
returned to keyboard-interactive immediately and none are accumulated, so
there will never be any un-drained prompts. ok djm@
Matthew Heller [Mon, 14 Oct 2024 14:25:41 +0000 (09:25 -0500)]
fix duplicate PAM msgs, missing loginmsg reset
Without this change in mm_answer_pam_account all messages added in
auth-pam.c sshpam_query(...) case PAM_SUCCESS end up sent here, then are
still sitting in the loginmsg buffer and printed a second time in
session.c do_login(...)
Darren Tucker [Wed, 11 Feb 2026 22:36:42 +0000 (17:36 -0500)]
Factor out RNG reseeding into a single function.
sshd and sshd-session both reseed the RNG after a fork. Move the
existing reseed_prngs() function into entropy.c and use for both.
Clean up entropy.h too. ok djm@