authorColin Watson <cjwatson@debian.org>2014-10-07 13:33:15 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:30 +0100
commitf0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /monitor.c
parent47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7): - sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket (closes: #236718). - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. - sftp(1): Allow resumption of interrupted uploads. - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. - sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. - sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages. - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly (closes: #734553). - Use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}. * Restore TCP wrappers support, removed upstream in 6.7. It is true that dropping this reduces preauth attack surface in sshd. 
On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. * Replace patch to disable OpenSSL version check with an updated version of Kurt Roeckx's patch from #732940 to just avoid checking the status field.
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c33
1 files changed, 30 insertions, 3 deletions
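--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,9 +40,10 @@
 #endif
 #include <pwd.h>
 #include <signal.h>
-#include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_POLL_H
 #include <poll.h>
@@ -56,7 +57,9 @@
 #include <skey.h>
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "atomicio.h"
@@ -84,6 +87,7 @@
 #include "sshlogin.h"
 #include "canohost.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
@@ -92,7 +96,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
 #include "roaming.h"
@@ -195,7 +198,10 @@ int mm_answer_consolekit_register(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
+
+#ifdef WITH_SSH1
 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
+#endif
 
 /* local state for key verify */
 static u_char *key_blob = NULL;
@@ -225,7 +231,9 @@ struct mon_table {
 #define MON_PERMIT 0x1000 /* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+#ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
+#endif
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -270,7 +278,9 @@ struct mon_table mon_dispatch_postauth20[] = {
     {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
     {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
 #endif
+#ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+#endif
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -286,6 +296,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+#ifdef WITH_SSH1
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -313,10 +324,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
+#endif /* WITH_SSH1 */
     {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth15[] = {
+#ifdef WITH_SSH1
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
@@ -327,6 +340,7 @@ struct mon_table mon_dispatch_postauth15[] = {
 #ifdef USE_CONSOLEKIT
     {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
 #endif
+#endif /* WITH_SSH1 */
     {0, 0, NULL}
 };
 
@@ -485,6 +499,9 @@ monitor_child_postauth(struct monitor *pmonitor)
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
 	signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+	signal(SIGXFSZ, SIG_IGN);
+#endif
 
 	if (compat20) {
 		mon_dispatch = mon_dispatch_postauth20;
@@ -665,6 +682,7 @@ monitor_reset_key_state(void)
 	hostbased_chost = NULL;
 }
 
+#ifdef WITH_OPENSSL
 int
 mm_answer_moduli(int sock, Buffer *m)
 {
@@ -699,6 +717,7 @@ mm_answer_moduli(int sock, Buffer *m)
 	mm_request_send(sock, MONITOR_ANS_MODULI, m);
 	return (0);
 }
+#endif
 
 extern AuthenticationConnection *auth_conn;
 
@@ -1225,6 +1244,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		    cuser, chost);
 		auth_method = "hostbased";
 		break;
+#ifdef WITH_SSH1
 	case MM_RSAHOSTKEY:
 		key->type = KEY_RSA1; /* XXX */
 		allowed = options.rhosts_rsa_authentication &&
@@ -1234,6 +1254,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		auth_clear_options();
 		auth_method = "rsa";
 		break;
+#endif
 	default:
 		fatal("%s: unknown key type %d", __func__, type);
 		break;
@@ -1570,6 +1591,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SSH1
 int
 mm_answer_sesskey(int sock, Buffer *m)
 {
@@ -1747,6 +1769,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
 
 	return (success);
 }
+#endif
 
 int
 mm_answer_term(int sock, Buffer *req)
@@ -1851,6 +1874,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
 	if (options.compression)
 		mm_init_compression(pmonitor->m_zlib);
 
+	packet_set_postauth();
+
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
@@ -1887,11 +1912,13 @@ mm_get_kex(Buffer *m)
 	    timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
 		fatal("mm_get_get: internal error: bad session id");
 	kex->we_need = buffer_get_int(m);
+#ifdef WITH_OPENSSL
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 #ifdef GSSAPI
 	if (options.gss_keyex) {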
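Review bot: The new `signal(SIGXFSZ, SIG_IGN);` in monitor_child_postauth (the `@@ -485,6 +499,9 @@` hunk) carries no comment, and its consequence is not obvious from the line itself: with the signal ignored, a write that would exceed RLIMIT_FSIZE no longer terminates the monitor but fails with EFBIG, so every write the postauth monitor performs has to tolerate that error return rather than assume the process would have been killed first. A one-line comment above the `#ifdef` would record the intent, e.g. `/* Ignore SIGXFSZ so writes past RLIMIT_FSIZE fail with EFBIG instead of killing the monitor */`. Whether the preauth monitor should receive the same treatment cannot be judged from this diff, which only touches the postauth path. monitor_child_postauth starts before and continues after the hunk.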