Daniil Tatianin [Thu, 27 Feb 2025 08:37:13 +0000 (11:37 +0300)]
Add support for locking memory on Linux
Linux wakes up kcompactd threads in order to make more contiguous memory
available on the system, it does this by migrating live movable pages
(actively modifying live processes' page tables and constantly flooding
them with page invalidation IPIs, which can be up to millions per
second), which causes the process to become unresponsive for up to
seconds or even minutes in some severe cases. In case of sshd, we want
to always be able to connect to the system, even if it's under heavy
kcompactd load.
Introduce an option to protect sshd and its children sessions from being
compacted by kcompactd (this works in cojunction with
compact_unevictable_allowed = 0). Note that we depend on MCL_ONFAULT
being available, which was introduced in linux 4.4. MCL_ONFAULT allows
the system to lock pages lazily, thus drastically reducing memory usage
of a locked process (without MCL_ONFAULT, every existing mapping in the
process is instantly write-faulted).
Daniil Tatianin [Thu, 27 Feb 2025 08:46:25 +0000 (11:46 +0300)]
platform: introduce a way to hook new session start
Previously this was possible via post_fork_child, but ever since sshd
was split into multiple binaries, this is now no longer possible becase
of execv.
tb@openbsd.org [Fri, 14 Mar 2025 09:49:49 +0000 (09:49 +0000)]
upstream: Fix EVP_CIPHER_CTX_ctrl() return checks
While this API tries to translate negative return values (i.e. -1) to 0
in BoringSSL and LibreSSL, it is still possible for it to return negative
values in prinicple. We even incorrectly document that -1 can be returned
while Boring and OpenSSL plead the Fifth.
In OpenSSL 3 there are now code paths that explicitly return -1 and they
started shifting their return checks to <= 0 - of course they do this in
inconsistent and sometimes incorrect manner. While these paths aren't
reachable from ssh right now, who can really tell what happens in the two
hundred lines of inscrutable bloated mess this has become.
So error check with <= 0 to ensure that we don't accidentally translate an
error to success.
djm@openbsd.org [Wed, 12 Mar 2025 22:43:44 +0000 (22:43 +0000)]
upstream: remove assumption that the sshd_config and any configs
included from it can fit in a (possibly enlarged) socket buffer, by having
the sshd listener mainloop actively manage sending the configuration to the
sshd-session subprocess.
work by markus@ w/ a little feedback from me;
ok me and committing on his behalf
upstream: Prime caches for DNS names needed for tests.
When running the SSHFP tests, particularly on an ephemeral VM, the first
query or two can fail for some reason, presumably because something isn't
fully initialized or something. To work around this, issue queries for the
names we'll need before we need them.
Darren Tucker [Tue, 11 Mar 2025 08:17:46 +0000 (19:17 +1100)]
Lazily unmount github workspace at end of workflow.
Sometimes when a test times out the workspace is still busy when we try
to unmount it, which leaves the runner unusable until it's cleaned up
manually. We try to unmount this in the first step, but that usually
doesn't work since it fails during setup before it starts our workflow.
Move it to the end and make it a lazy unmount so it hopefully works
eventually.
upstream: Check if dbclient supports SHA1 before trying SHA1-based
KEX.
Dropbear 2025.87 removed SHA1 support by default, which means
diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a
flag to query supported KEX, so instead check MACs and if it doesn't have
SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted
by anton@.
Darren Tucker [Wed, 26 Feb 2025 07:16:03 +0000 (18:16 +1100)]
Check for le32toh, le64toh, htole64 individually.
It appears that at least some versions of endian.h in glibc do not have
the latter two, so check for and replace each one individually.
bz#3794, ok djm@
Damien Miller [Mon, 24 Feb 2025 06:27:50 +0000 (17:27 +1100)]
Try to fix github tcmalloc target failure
tcmalloc may, depending on the stacktrace generator it uses, create
pipe(2) fds during shared library initialisation. These will later
get clobbered by ssh/sshd calling closefrom() and chaos will ensue.
Tell tcmalloc to use an unwinder that doesn't pull this stuff.
djm@openbsd.org [Sat, 15 Feb 2025 01:50:47 +0000 (01:50 +0000)]
upstream: Add support for "Match sessiontype" to ssh_config. Allows
matching on the type of session requested, either "shell" for interactive
sessions, "exec" for command execution sessions, "subsystem" for subsystem
requests, such as sftp, or "none" for transport/forwarding-only sessions.
upstream: In a section 1 manual, use the plain English words
"standard output" rather than the overly technical abbreviation "stdout" - we
are not talking about a device file or a FILE * object here. Issue reported
by <onf at disroot dot org> on the groff mailing list.
upstream: Call log_init in sshd-auth and sshd-session immediately
after parsing the config file so that any log settings set in the config file
take effect immediately. Move version banners to immediately after that, and
make them distinct per binary. ok djm@
Skip 2038 key expiry test on 64 bit time_t systems.
This allows testing Y2038 with system time set to after that (i.e. 2040),
so that actual Y2038 issues can be exposed, and not masked by key expiry
errors.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
upstream: Prevent integer overflow in x11 port handling. These are
theoretically possible if the admin misconfigures X11DisplayOffset or the
user misconfigures their own $DISPLAY, but don't happen in normal operation.
From Suhov Roman via bz#3730, ok djm@
upstream: Remove fallback to compiled-in gropup for dhgex when the
moduli file exists, but does not contain moduli within the client-requested
range. The fallback behaviour remains for the case where the moduli file does
not exist (typically, running tests prior to installing). From bz#2793, based
in part on patch from Joe Testa, ok djm@
projects / thirdparty / openssh-portable.git / log
