Darren Tucker [Fri, 17 May 2019 03:14:12 +0000 (13:14 +1000)]
Add no-op implementation of pam_putenv.
Some platforms such as HP-UX do not have pam_putenv. Currently the
calls are ifdef'ed out, but a new one was recently added. Remove the
ifdefs and add a no-op implementation. bz#3008, ok djm.
Darren Tucker [Fri, 26 Apr 2019 08:06:34 +0000 (18:06 +1000)]
Don't install duplicate STREAMS modules on Solaris
Check if STREAMS modules are already installed on pty before installing
since when compiling with XPG>=4 they will likely be installed already.
Prevents hangs and duplicate lines on the terminal. bz#2945 and bz#2998,
patch from djm@
upstream: Increase the default RSA key size to 3072 bits. Based on
the estimates from NIST Special Publication 800-57, 3k bits provides security
equivalent to 128 bits which is the smallest symmetric cipher we enable by
default. ok markus@ deraadt@
Darren Tucker [Wed, 13 Mar 2019 21:51:17 +0000 (08:51 +1100)]
On Cygwin run sshd as SYSTEM where possible.
Seteuid now creates user token using S4U. We don't create a token
from scratch anymore, so we don't need the "Create a process token"
privilege. The service can run under SYSTEM again...
...unless Cygwin is running on Windows Vista or Windows 7 in the
WOW64 32 bit emulation layer. It turns out that WOW64 on these systems
didn't implement MsV1_0 S4U Logon so we still need the fallback
to NtCreateToken for these systems.
upstream: Reset last-seen time when sending a keepalive. Prevents
sending two keepalives successively and prematurely terminating connection
when ClientAliveCount=1. While there, collapse two similar tests into one.
ok markus@
djm@openbsd.org [Fri, 1 Mar 2019 02:32:39 +0000 (02:32 +0000)]
upstream: Fix two race conditions in sshd relating to SIGHUP:
1. Recently-forked child processes will briefly remain listening to
listen_socks. If the main server sshd process completes its restart
via execv() before these sockets are closed by the child processes
then it can fail to listen at the desired addresses/ports and/or
fail to restart.
2. When a SIGHUP is received, there may be forked child processes that
are awaiting their reexecution state. If the main server sshd
process restarts before passing this state, these child processes
will yield errors and use a fallback path of reading the current
sshd_config from the filesystem rather than use the one that sshd
was started with.
To fix both of these cases, we reuse the startup_pipes that are shared
between the main server sshd and forked children. Previously this was
used solely to implement tracking of pre-auth child processes for
MaxStartups, but this extends the messaging over these pipes to include
a child->parent message that the parent process is safe to restart. This
message is sent from the child after it has completed its preliminaries:
closing listen_socks and receiving its reexec state.
bz#2953, reported by Michal Koutný; ok markus@ dtucker@
djm@openbsd.org [Sat, 23 Feb 2019 08:20:43 +0000 (08:20 +0000)]
upstream: openssh-7.9 accidentally reused the server's algorithm lists
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
between the client and server, but the error accidentially disabled the
diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but
because nobody complained, it also disables the
diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
Corinna Vinschen [Wed, 20 Feb 2019 12:41:25 +0000 (13:41 +0100)]
Cygwin: implement case-insensitive Unicode user and group name matching
The previous revert enabled case-insensitive user names again. This
patch implements the case-insensitive user and group name matching.
To allow Unicode chars, implement the matcher using wchar_t chars in
Cygwin-specific code. Keep the generic code changes as small as possible.
Cygwin: implement case-insensitive Unicode user and group name matching
djm@openbsd.org [Fri, 22 Feb 2019 03:37:11 +0000 (03:37 +0000)]
upstream: perform removal of agent-forwarding directory in forward
setup error path with user's privileged. This is a no-op as this code always
runs with user privilege now that we no longer support running sshd with
privilege separation disabled, but as long as the privsep skeleton is there
we should follow the rules.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
djm@openbsd.org [Sat, 26 Jan 2019 22:41:28 +0000 (22:41 +0000)]
upstream: check in scp client that filenames sent during
remote->local directory copies satisfy the wildcard specified by the user.
This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.
For this reason, this also adds a new -T flag to disable the check.
reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@
upstream: Accept the host key fingerprint as a synonym for "yes"
when accepting an unknown host key. This allows you to paste a fingerprint
obtained out of band into the yes/no prompt and have the client do the
comparison for you. ok markus@ djm@
upstream: Always initialize 2nd arg to hpdelim2. It populates that
*ONLY IF* there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause spurious
failures when the uninitialized memory happens to contain "/". ok deraadt.
upstream: Remove support for obsolete host/port syntax.
host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are establised standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@
upstream: Remove 3 as a guess for possible generator during moduli
generation. It's not mentioned in RFC4419 and it's not possible for
Sophie-Germain primes greater than 5. bz#2330, from Christian Wittenhorst ,
ok djm@ tb@
upstream: Sanitize scp filenames via snmprintf. To do this we move
the progressmeter formatting outside of signal handler context and have the
atomicio callback called for EINTR too. bz#2434 with contributions from djm
and jjelen at redhat.com, ok djm@
Darren Tucker [Wed, 23 Jan 2019 23:00:20 +0000 (10:00 +1100)]
For broken read/readv comparisons, poll(RW).
In the cases where we can't compare to read or readv function pointers
for some reason we currently ifdef out the poll() used to block while
waiting for reads or writes, falling back to busy waiting. This restores
the poll() in this case, but has it always check for read or write,
removing an inline ifdef in the process.
projects / thirdparty / openssh-portable.git / log
