Damien Miller [Sun, 29 Mar 2026 05:24:59 +0000 (16:24 +1100)]
fix state confusion between PAM and privsep code
Commits b9a6dd4d6 and df2b28163 introduced a potential desynchronisation
between the PAM code and the sshd-session monitor that could result in
authentication bypass if the unprivileged sshd-auth process had been
compromised.
Reported by Ben Edelman of NIST. Only git HEAD is affected, these
changes have not yet been included in an OpenSSH release.
Icenowy Zheng [Sun, 22 Mar 2026 07:13:31 +0000 (15:13 +0800)]
seccomp sandbox: allow riscv_hwprobe syscall if present
The development branch of zlib-ng now contains code for utilizing
riscv_hwprobe syscall to retrieve availability information for several
RISC-V extensions (and accelerate deflate algorithm with them).
As the seccomp sandbox of OpenSSH will raise SIGSYS for filtered out
syscalls, this will abruptly terminate the process when the
riscv_hwprobe syscall is tried.
Put it into the allowlist to prevent process termination. As all
syscalls here are guarded by #ifdef's, the same will be done for
riscv_hwprobe, and thus on non-RISC-V builds nothing will happen.
upstream: Check return values of fcntl(... O_CLOEXEC)
calls by reusing the macro in monitor.c. Flagged by Coverity CID
901297 in ssh-sk-client.c, a few other instances added for good measure.
begrudging ok deraadt@
upstream: With it's own daemonization / fd cleaning code, ssh-agent
opens /dev/null O_RDWR after a pledge without "wpath". This is allowed in
current pledge because "/dev/null" is implicitly allowed to be opened even
with the most restrictive pledges or unveils. This is a design decision in
pledge made at the very beginning, to satisfy libc requirements. We've
finally had enough experience and know how to fix that in the near-future,
but need to review and fix all code which opens these implicit paths. The fix
is to add "wpath", so that "/dev/null" can be opened O_RDWR. But that is
uncomfortable, so we add unveil() allowing "/" with "r", 4 unveil "x" for the
potential askpass and helpers to be execve'd, and "/dev/null" with "wr". As
a result filesystem access is substantially more restricted than before, and
ssh-agent is ready for the future pledge change. ok djm dtucker
upstream: Stop doing access() before execve(). It is a TOCTOU, but
also it forces use of unveil "rx" instead of "x". This is done by using a
pipe() through the fork+execve attempt to expose execve failure and create
the same error return as the access() used to do. ok djm dtucker
djm@openbsd.org [Thu, 5 Mar 2026 05:40:35 +0000 (05:40 +0000)]
upstream: With IANA codepoints for draft-ietf-sshm-ssh-agent now
allocated, it's safe to start using the standard names for requesting agent
forwarding over the @openssh.com extension names we've used to date.
Support for the standard names is advertised via EXT_INFO. When the
client sees such support it will use the new names preferentially,
but the existing names remain supported unconditionally.
extension requests should indicate failure using
SSH_AGENT_EXTENSION_FAILURE rather than the generic SSH_AGENT_FAILURE
error code. This allows the client to discern between "the request
failed" and "the agent doesn't support this extension".
djm@openbsd.org [Mon, 2 Mar 2026 02:40:15 +0000 (02:40 +0000)]
upstream: Move banner exchange to sshd-auth process
Previously, exchange of the initial SSH- banners was performed
by the privileged sshd-session monitor. This moves it to the
unprivileged sshd-auth subprocess, removing ~200 LoC from the
monitor's privileged attack surface.
The monitor gains a new "setcompat" RPC to allow sshd-auth to
inform it of bug compat flags picked up from the client's banner.
Darren Tucker [Sat, 28 Feb 2026 22:46:39 +0000 (09:46 +1100)]
Try -lstdc++ for libcrypto before giving up.
BoringSSL recently added destructors to libcrypto, which requires
linking against libstdc++, so when checking for a working libcrypto if
at first the link fails, try again with -lstdc++ before giving up.
Darren Tucker [Tue, 24 Feb 2026 02:34:48 +0000 (21:34 -0500)]
Remove potentially leftover include compat shims.
If we don't need a specific shim, ensure it does not exist. Prevents
confusion if configurations change or the directory is reused across
different platforms.
djm@openbsd.org [Wed, 18 Feb 2026 02:59:27 +0000 (02:59 +0000)]
upstream: when uploading a directory using sftp/sftp (e.g. during a
recursive transfer), don't clobber the remote directory permissions unless
either we created the directory during the transfer or the -p flag was set.
bz3925 ok dtucker@
Darren Tucker [Sun, 15 Feb 2026 19:16:56 +0000 (14:16 -0500)]
Remove "draining" of PAM prompts.
With the previous commit, both prompts and info/error error messages are
returned to keyboard-interactive immedately and none are accumulated, so
there will never be any un-drained prompts. ok djm@
Matthew Heller [Mon, 14 Oct 2024 14:25:41 +0000 (09:25 -0500)]
fix duplicate PAM msgs, missing loginmsg reset
without this change in mm_answer_pam_account all messages added in
auth-pam.c sshpam_query(...) case PAM_SUCCESS end up sent here, then are
still sitting in the loginmsg buffer and printed a second time in
session.c do_login(...)
Darren Tucker [Wed, 11 Feb 2026 22:36:42 +0000 (17:36 -0500)]
Factor out RNG reseeding in to a single function.
sshd and sshd-session both reseed the RNG after a fork. Move the
existing reseed_prngs() function into entropy.c and use for both.
Clean up entropy.h too. ok djm@
Darren Tucker [Mon, 9 Feb 2026 18:34:46 +0000 (05:34 +1100)]
Provide compat shims for sys/{mount.h,statvfs.h).
In addition to shimming on platforms that don't have them, we also need to
shim sys/mount.h on DragonFlyBSD since it uses its native STAILQ_ENTRYs
which our compat queues.h does not have, which causes sftp-server.o to
not build. This is a little icky, but it limits the blast radius to
just one source file on only DragonFly. ok djm@
Darren Tucker [Sun, 8 Feb 2026 19:56:35 +0000 (06:56 +1100)]
Remove openindiana VM test.
When it works it's by far the slowest (>1h to install packages) and the
package installation is flaky. We can bring it back if their infra ever
improves.
upstream: Make ssh optionally build with Kerberos 5 against the
Heimdal port. This updates the Makefiles and repairs some bitrot in headers,
resyncing them against Portable. To do this, "pkg_add heimdal" then "make
KERBEROS5=yes". ok djm@
Darren Tucker [Sun, 8 Feb 2026 00:30:21 +0000 (11:30 +1100)]
Move USE_SYSTEM_GLOB into a glob.h compat shim.
This moves the logic for selecting whether or not we can use the system
glob into configure, and if either don't have glob or can't use it, we
create the shim. Removes several diffs vs upstream.
projects / thirdparty / openssh-portable.git / log
