|
spurious warnings from the cfgparse regress test
OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
|
|
SecurityKeyProvider=internal - unbreaks cfgparse regress test
OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
|
|
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
|
|
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
|
|
U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.
feedback & ok markus@
OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
|
|
by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
|
|
-C does not match, which allows it to work when sshd_config contains a Match
directive with or without -C. bz#2858, ok djm@
OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
|
|
OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
|
|
function. This is a no-op on OpenBSD but will make things easier in
-portable, eg on systems where these checks should be case-insensitive. ok
djm@
OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
|
|
The previous revert enabled case-insensitive user names again. This
patch implements the case-insensitive user and group name matching.
To allow Unicode chars, implement the matcher using wchar_t chars in
Cygwin-specific code. Keep the generic code changes as small as possible.
Cygwin: implement case-insensitive Unicode user and group name matching
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
|
|
|
This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
|
*ONLY IF* there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause spurious
failures when the uninitialized memory happens to contain "/". ok deraadt.
OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
|
|
host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@
OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
|
|
with & ok markus@
OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
|
|
API, started almost exactly six years ago.
This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.
with & ok markus@
OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
|
|
loading the default hostkeys. Hostkeys explicitly specified in the
configuration or on the command-line are still reported as errors, and
failure to load at least one host key remains a fatal error.
Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103
ok markus@
OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
|
|
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
|
|
option
OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
|
|
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.
ok markus@
OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
|
|
deraadt@ markus@
OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
|
|
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
|
|
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
|
|
OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
|
|
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.
ok markus@
OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
|
|
Only delayed compression is supported nowadays.
ok markus@
OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
|
|
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
|
|
pattern-list of whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
|
|
e.g.
PermitListen 2222 8080
is equivalent to:
PermitListen *:2222 *:8080
Some bonus manpage improvements, mostly from markus@
"looks fine" markus@
OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
|
|
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
|
|
static limits noted by gerhard@; ok dtucker@, djm@
OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
|
|
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
|
|
addresses may be listened on when the client requests remote forwarding (ssh
-R).
This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.
feedback and ok markus@
OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
|
|
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)
OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
|
|
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
|
jmc@
OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
|
|
Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@
OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
|
|
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
|
|
Remove unused sKerberosTgtPassing from enum. From
calestyo via github pull req #11, ok djm@
OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540
|
|
Replace atoi and strtol conversions for integer arguments
to config keywords with a checking wrapper around strtonum. This will
prevent and flag invalid and negative arguments to these keywords. ok djm@
OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
|
|
Add missing break for rdomain. Prevents spurious
"Deprecated option" warnings. ok djm@
OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a
|
|
reuse parse_multistate for parse_flag (yes/no arguments).
Saves a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@
OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef
|
|
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria. ok djm@, man page help jmc@
OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
|
|
|
|
uninitialised variable in PermitTunnel printing code
Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a
|
|
|
|
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was received on. ok markus@
Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
|
|
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
|
|
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
|
|
replace statically-sized arrays in ServerOptions with
dynamic ones managed by xrecallocarray, removing some arbitrary (though
large) limits and saving a bit of memory; "much nicer" markus@
Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
|