summaryrefslogtreecommitdiff
path: root/servconf.c
AgeCommit message (Collapse)Author
2017-01-16Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-11-29 Patch-Name: debian-banner.patch
2017-01-16Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2017-01-16GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
2016-11-30upstream commitdjm@openbsd.org
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-24upstream commitmarkus@openbsd.org
allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-06upstream commitdjm@openbsd.org
Validate address ranges for AllowUser/DenyUsers at configuration load time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match. Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version) Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
2016-10-26upstream commitdtucker@openbsd.org
Remove dead breaks, found via opencoverage.net. ok deraadt@ Upstream-ID: ad9cc655829d67fad219762810770787ba913069
2016-09-29upstream commitdjm@openbsd.org
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only. remove a few server-side pre-auth compression bits that escaped adjust wording of Compression directive in sshd_config(5) pointed out by naddy@ ok markus@ Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29upstream commitdjm@openbsd.org
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
2016-08-29upstream commitdjm@openbsd.org
add a sIgnore opcode that silently ignores options and use it to suppress noisy deprecation warnings for the Protocol directive. req henning, ok markus Upstream-ID: 9fe040aca3d6ff393f6f7e60045cdd821dc4cbe0
2016-08-23upstream commitdjm@openbsd.org
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23upstream commitnaddy@openbsd.org
Remove more SSH1 server code: * Drop sshd's -k option. * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword. * Remove some related vestiges of protocol 1 support. ok markus@ Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2016-06-24upstream commitdjm@openbsd.org
fix AuthenticationMethods during configuration re-parse; reported by Juan Francisco Cantero Hurtado Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
2016-06-24upstream commitdjm@openbsd.org
ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication bz#2398 from Jakub Jelen; ok dtucker@ Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
2016-05-05upstream commitdtucker@openbsd.org
Fix inverted logic for updating StreamLocalBindMask which would cause the server to set an invalid mask. ok djm@ Upstream-ID: 8a4404c8307a5ef9e07ee2169fc6d8106b527587
2016-05-04upstream commitdjm@openbsd.org
fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in Match blocks; found the hard way Rogan Dawes Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2
2016-05-04upstream commitdjm@openbsd.org
don't forget to include StreamLocalBindUnlink in the config dump output Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
2016-05-02upstream commitdjm@openbsd.org
fix signed/unsigned errors reported by clang-3.7; add sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@ Upstream-ID: 71f926d9bb3f1efed51319a6daf37e93d57c8820
2016-03-08upstream commitdjm@openbsd.org
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@ Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-02-24Skip PrintLastLog in config dump mode.Darren Tucker
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the config dump since it'll be reported as UNKNOWN.
2016-02-17upstream commitdjm@openbsd.org
make sandboxed privilege separation the default, not just for new installs; "absolutely" deraadt@ Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
2016-01-30upstream commitdtucker@openbsd.org
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm. Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2015-11-16upstream commitdjm@openbsd.org
Support "none" as an argument for sshd_config ForceCommand and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 ok dtucker@ Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-10-29upstream commitdjm@openbsd.org
Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@ Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
2015-10-22turn off PrintLastLog when --disable-lastlogDamien Miller
bz#2278 from Brent Paulson
2015-08-22upstream commitdjm@openbsd.org
Fix expansion of HostkeyAlgorithms=+... Reported by Bryan Drewery Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
2015-08-11upstream commitderaadt@openbsd.org
add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-02upstream commitchris@openbsd.org
Allow PermitRootLogin to be overridden by config ok markus@ deeradt@ Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
2015-08-02upstream commitderaadt@openbsd.org
change default: PermitRootLogin without-password matching install script changes coming as well ok djm markus Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-07-30upstream commitdjm@openbsd.org
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15upstream commitdjm@openbsd.org
twiddle PermitRootLogin back Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
2015-07-01upstream commitdjm@openbsd.org
twiddle; (this commit marks the openssh-6.9 release) Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
2015-07-01upstream commitdjm@openbsd.org
put back default PermitRootLogin=no Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
2015-07-01upstream commitdjm@openbsd.org
reset default PermitRootLogin to 'yes' (momentarily, for release) Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
2015-05-22upstream commitdjm@openbsd.org
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-21upstream commitdjm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases feedback and ok markus@ Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-05-10upstream commitdjm@openbsd.org
a couple of parse targets were missing activep checks, causing them to be misapplied in match context; bz#2272 diagnosis and original patch from Sami Hartikainen ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
make handling of AuthorizedPrincipalsFile=none more consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-04-29upstream commitdtucker@openbsd.org
Allow ListenAddress, Port and AddressFamily in any order. bz#68, ok djm@, jmc@ (for the man page bit).
2015-04-29upstream commitdjm@openbsd.org
Make sshd default to PermitRootLogin=no; ok deraadt@ rpe@
2015-04-29upstream commitderaadt@openbsd.org
rename xrealloc() to xreallocarray() since it follows that form. ok djm
2015-04-29upstream commitdtucker@openbsd.org
Two small fixes for sshd -T: ListenAddress'es are added to a list head so reverse the order when printing them to ensure the behaviour remains the same, and print StreamLocalBindMask as octal with leading zero. ok deraadt@
2015-04-29upstream commitdtucker@openbsd.org
Check for and reject missing arguments for VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com, ok djm@
2015-04-29upstream commitdtucker@openbsd.org
Add some missing options to sshd -T and fix the output of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.
2015-04-17Format UsePAM setting when using sshd -T.Darren Tucker
Part of bz#2346, patch from jjelen at redhat com.
2015-02-03upstream commitderaadt@openbsd.org
increasing encounters with difficult DNS setups in darknets has convinced me UseDNS off by default is better ok djm
2015-01-16upstream commitderaadt@openbsd.org
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)