This was due to the sshd logs being written to the wrong log file.
While there, make save_debug_logs less verbose, write the name of the
tarball to regress.log and use $SUDO to remove the old symlinks (which
shouldn't be needed, but won't hurt). Initial problem spotted by anton@.
In the case of an fprintf failure we would not call fclose which would
leak the FILE pointer. While we're there, try to clean up the temp file
on failure. Spotted by Coverity, ok djm@
upstream: Rework logging for the regression tests.
Previously we would log to ssh.log and sshd.log, but that is insufficient
for tests that have more than one concurent ssh/sshd.
Instead, we'll log to separate datestamped files in a $OBJ/log/ and
leave a symlink at the previous location pointing at the most recent
instance with an entry in regress.log showing which files were created
at each point. This should be sufficient to reconstruct what happened
even for tests that use multiple instances of each program. If the test
fails, tar up all of the logs for later analysis.
This will let us also capture the output from some of the other tools
which was previously sent to /dev/null although most of those will be
in future commits.
Damien Miller [Mon, 27 Feb 2023 06:07:52 +0000 (17:07 +1100)]
avoid clash between for getopt's struct option
Since we don't use getopt_long() nothing outside the getopt()
implementation itself uses this structure, so move it into the
source to remove it from visibility and clashes with libc's
upstream: fseek to end of known_hosts before writing to it.
POSIX and ANSI C require that applications call fseek or similar between
read and writing to a RW file. OpenBSD doesn't enforce this, but some
(System V derived) platforms need this to prevent it from writing a
spurious extra byte (in this case, a newline). ok djm@ deraadt@
Darren Tucker [Sat, 11 Feb 2023 01:32:19 +0000 (12:32 +1100)]
Improve seccomp compat on older systems.
Check if flags to mmap and madvise are defined before using them.
Should fix problems building on older Linux systems that don't have
these. bz#3537, with & ok djm@.
djm@openbsd.org [Fri, 10 Feb 2023 04:47:19 +0000 (04:47 +0000)]
upstream: add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.
Damien Miller [Fri, 3 Feb 2023 05:33:09 +0000 (16:33 +1100)]
harden Linux seccomp sandbox
Linux mmap(2) and madvise(2) syscalls support quite a number of funky
flags that we don't expect that sshd/libc will ever need. We can
exclude this kernel attack surface by filtering the mmap(2) flags
and the madvise(2) advice arguments.
Similarly, the sandboxed process in sshd is a single-threaded program
that does not use shared memory for synchronisation or communication.
Therefore, there should be no reason for the advanced priority
inheritance futex(2) operations to be necessary. These can also be
excluded.
Motivated by Jann Horn pointing out that there have been kernel bugs
in nearby Linux kernel code, e.g. CVE-2020-29368, CVE-2020-29374 and
CVE-2022-42703.
Darren Tucker [Wed, 1 Feb 2023 06:17:26 +0000 (17:17 +1100)]
Skip connection-timeout test on minix3.
Minix 3's Unix domain sockets don't seem to work the way we expect, so
skip connection-timeout test on that platform. While there, group
together all similarly skipped tests and explicitly comment.
upstream: Create and install sshd random relink kit.
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach. The resulting sshd
binary is tested with the new sshd -V option before installation. As the
binary layout is now semi-unknown (meaning relative, fixed, and gadget
offsets are not precisely known), change the filesystem permissions to 511 to
prevent what I call "logged in BROP". I have ideas for improving this further
but this is a first step ok djm
djm@openbsd.org [Tue, 17 Jan 2023 09:44:48 +0000 (09:44 +0000)]
upstream: Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
djm@openbsd.org [Sun, 15 Jan 2023 23:05:32 +0000 (23:05 +0000)]
upstream: update OpenSSH's Ed25519 code to the last version of SUPERCOP
(20221122) and change the import approach to the same one we use for
Streamlined NTRUPrime: use a shell script to extract the bits we need from
SUPERCOP, make some minor adjustments and squish them all into a single file.
Darren Tucker [Fri, 13 Jan 2023 12:02:34 +0000 (23:02 +1100)]
Retry package installation 3 times.
When setting up the CI environment, retry package installation 3 times
before going up. Should help prevent spurious failures during
infrastructure issues.
upstream: Move scp path setting to a helper function. The previous
commit to add scp to the test sshd's path causes the t-envpass test to fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
upstream: Switch scp from using pipes to a socketpair for
communication with it's ssh sub-processes. We no longer need to reserve two
descriptors to ensure that we don't end up using fd 0-2 unexpectedly, that is
handled by sanitise_stdfd() in main(). Based on an original diff from djm@.
OK deraadt@ djm@
Darren Tucker [Sat, 7 Jan 2023 12:24:50 +0000 (23:24 +1100)]
Skip dynamic-forward test on minix3.
This test relies on loopback addresses which minix does not have.
Previously the test would not run at all since it also doesn't have
netcat, but now we use our own netcat it tries and fails.
Darren Tucker [Sat, 7 Jan 2023 03:30:43 +0000 (14:30 +1100)]
Use autoconf to find openssl binary.
It's possible to install an OpenSSL in a path not in the system's
default library search path. OpenSSH can still use this (eg if you
specify an rpath) but the openssl binary there may not work. If one is
available on the system path just use that.
Damien Miller [Fri, 6 Jan 2023 08:13:36 +0000 (19:13 +1100)]
unbreak scp on NetBSD 4.x
e555d5cad5 effectively increased the default copy buffer size for SFTP
transfers. This caused NetBSD 4.x to hang during the "copy local file to
remote file in place" scp.sh regression test.
This puts back the original 32KB copy buffer size until we can properly
figure out why.
djm@openbsd.org [Fri, 6 Jan 2023 02:47:18 +0000 (02:47 +0000)]
upstream: Implement channel inactivity timeouts
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.
Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.
projects / thirdparty / openssh-portable.git / log
