Age | Commit message (Collapse) | Author |
|
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
|
|
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
|
|
Remove more SSH1 server code: * Drop sshd's -k option. *
Retire configuration keywords that only apply to protocol 1, as well as the
"protocol" keyword. * Remove some related vestiges of protocol 1 support.
ok markus@
Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
|
|
add AuthorizedPrincipalsCommand that allows getting
authorized_principals from a subprocess rather than a file, which is quite
useful in deployments with large userbases
feedback and ok markus@
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
|
|
Allow ListenAddress, Port and AddressFamily in any
order. bz#68, ok djm@, jmc@ (for the man page bit).
|
|
add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
will be accepted. Currently defaults to all. Feedback & ok markus@
|
|
Add FingerprintHash option to control algorithm used for
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
base64.
Feedback and ok naddy@ markus@
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
|
|
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
|
|
[servconf.c servconf.h]
bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@
|
|
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
|
|
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
[servconf.h session.c sshd.c sshd_config.5]
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@
|
|
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
|
|
[servconf.h]
add a couple of ServerOptions members that should be copied to the privsep
child (for consistency, in this case they happen only to be accessed in
the monitor); ok dtucker@
|
|
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
|
|
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
[sshd_config.5]
Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
|
|
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
[sshd.c sshd_config sshd_config.5]
new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@
|
|
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
|
|
[servconf.c servconf.h sshd_config.5]
sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)
|
|
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
[servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
|
|
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
|
|
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c]
[sandbox-systrace.c sandbox.h configure.ac Makefile.in]
introduce sandboxing of the pre-auth privsep child using systrace(4).
This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.
The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.
UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.
feedback dtucker@; ok markus@
|
|
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
|
|
[monitor.c monitor_wrap.c servconf.c servconf.h]
use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering
"this is at once beautiful and horrible" + ok dtucker@
|
|
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@
|
|
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
[servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
|
|
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
[servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.
ok markus@
|
|
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
[key.c servconf.c servconf.h sshd.8 sshd_config.5]
add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
|
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
[authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
[ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).
Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.
feedback and ok markus@
|
|
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
|
[servconf.c servconf.h sshd.c]
avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@
|
|
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
Remove RoutingDomain from ssh since it's now not needed. It can be
replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
also ensures that trafic such as DNS lookups stays withing the specified
routingdomain. For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3
ok deraadt@ markus@ stevesk@ reyk@
|
|
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
ok markus@
|
|
[clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h]
[serverloop.c ssh-keyscan.c ssh.c sshd.c]
make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)
adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int
make use of int vs. u_short consistent in some other places too
feedback & ok markus@
|
|
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
[readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
[sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
[Makefile.in]
Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
|
[sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm
|
|
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
|
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
|
|
[servconf.h session.c sshd.c]
rekey arc4random and OpenSSL RNG in postauth child
closefrom fds > 2 before shell/command execution
ok markus@
|
|
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
|
|
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
|
|
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
|
|
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
|
|
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
|
|
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|