Age | Commit message (Collapse) | Author |
|
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
|
|
addresses may be listened on when the client requests remote forwarding (ssh
-R).
This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.
feedback and ok markus@
OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
|
|
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)
OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
|
|
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
|
jmc@
OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
|
|
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@
OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
|
|
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
|
|
Remove unused sKerberosTgtPassing from enum. From
calestyo via github pull req #11, ok djm@
OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540
|
|
Replace atoi and strtol conversions for integer arguments
to config keywords with a checking wrapper around strtonum. This will
prevent and flag invalid and negative arguments to these keywords. ok djm@
OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
|
|
Add missing break for rdomain. Prevents spurious
"Deprecated option" warnings. ok djm@
OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a
|
|
reuse parse_multistate for parse_flag (yes/no arguments).
Saves a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@
OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef
|
|
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria. ok djm@, man page help jmc@
OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
|
|
|
|
uninitialised variable in PermitTunnel printing code
Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a
|
|
|
|
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@
Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
|
|
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
|
|
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
|
|
replace statically-sized arrays in ServerOptions with
dynamic ones managed by xrecallocarray, removing some arbitrary (though
large) limits and saving a bit of memory; "much nicer" markus@
Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
|
|
fix (another) problem in PermitOpen introduced during the
channels.c refactor: the third and subsequent arguments to PermitOpen were
being silently ignored; ok markus@
Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
|
|
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@
Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
|
|
Add braces missing after channels refactor. ok markus@
Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
|
|
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
|
|
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
|
|
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717
Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
|
|
remove a static array unused since rev 1.306 spotted by
clang ok djm@
Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
|
|
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
|
|
Remove old null check from config dumper. Patch from
jjelen at redhat.com vi bz#2687, ok djm@
Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
|
|
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@
Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
|
|
allow form-feed characters at EOL; bz#2431 ok dtucker@
Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
|
|
sshd_config is documented to set
GSSAPIStrictAcceptorCheck=yes by default, so actually make it do this.
bz#2637 ok dtucker
Upstream-ID: 99ef8ac51f17f0f7aec166cb2e34228d4d72a665
|
|
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
|
|
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
|
|
Remove dead breaks, found via opencoverage.net. ok
deraadt@
Upstream-ID: ad9cc655829d67fad219762810770787ba913069
|
|
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
|
|
Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the 1990s,
but today it's clearly a bad idea in terms of both cryptography (cf. multiple
compression oracle attacks in TLS) and attack surface.
Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.
Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@
NB. pre-auth authentication has been disabled by default in sshd
for >10 years.
Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
|
|
add a sIgnore opcode that silently ignores options and
use it to suppress noisy deprecation warnings for the Protocol directive.
req henning, ok markus
Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
|
|
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
|
|
Remove more SSH1 server code: * Drop sshd's -k option. *
Retire configuration keywords that only apply to protocol 1, as well as the
"protocol" keyword. * Remove some related vestiges of protocol 1 support.
ok markus@
Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
|
|
fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado
Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
|
|
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication
bz#2398 from Jakub Jelen; ok dtucker@
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
|
|
Fix inverted logic for updating StreamLocalBindMask which
would cause the server to set an invalid mask. ok djm@
Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
|
|
fix overriding of StreamLocalBindMask and
StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes
Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
|
|
don't forget to include StreamLocalBindUnlink in the
config dump output
Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
|
|
fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with
better safety checking; feedback and ok markus@
Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
|
|
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
|
|
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
config dump since it'll be reported as UNKNOWN.
|
|
make sandboxed privilege separation the default, not just
for new installs; "absolutely" deraadt@
Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
|
|
Allow RekeyLimits in excess of 4G up to 2**63 bits
(limited by the return type of scan_scaled). Part of bz#2521, ok djm.
Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
|