Age | Commit message (Collapse) | Author |
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2018-08-24
Patch-Name: selinux-role.patch
|
|
OpenBSD-Commit-ID: b5149a6d92b264d35f879d24608087b254857a83
|
|
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
|
|
|
|
OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
|
|
OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
|
|
read_environment_file recently gained an extra argument Some platform
specific code also calls it so add the argument to those too. Fixes
build on Solaris and AIX.
|
|
pattern-list of whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
|
|
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
|
|
read from ~/.ssh/environment (if enabled) do not override SSH_* variables set
by the server.
OpenBSD-Commit-ID: 59f9d4c213cdcef2ef21f4b4ae006594dcf2aa7a
|
|
static limits noted by gerhard@; ok dtucker@, djm@
OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
|
|
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
|
|
addresses may be listened on when the client requests remote forwarding (ssh
-R).
This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.
feedback and ok markus@
OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
|
|
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@
OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
|
|
remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.
feedback and ok markus@
OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
|
|
The code required to support it is quite invasive to the mainline
code that is synced with upstream and is an ongoing maintenance burden.
Both the hardware and software are literal museum pieces these days and
we could not find anyone still running OpenSSH on one.
|
|
|
|
|
|
Expose devices allocated for tun/tap forwarding.
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus
Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
|
|
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
|
|
Move several subprocess-related functions from various
locations to misc.c. Extend subprocess() to offer a little more control over
stdio disposition.
feedback & ok dtucker@
Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
|
|
bz#2408; ok dtucker@
|
|
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
|
|
no need to call log_init to reinitialise logged PID in
child sessions, since we haven't called openlog() in log_init() since 1999;
ok markus@
Upstream-ID: 0906e4002af5d83d3d544df75e1187c932a3cf2e
|
|
Switch to recallocarray() for a few operations. Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus
Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
|
|
clear session keys from memory; ok djm@
Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
|
|
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
fix previous, a condition was modified incorrectly; ok
markus@ deraadt@
Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453
|
|
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
|
|
remove ssh1 server code; ok djm@
Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
|
|
Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip
change as commit 95767262 to the code inside #ifdef LOGIN_NEEDS_UTMPX.
Fixes build on AIX.
|
|
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
|
|
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
|
|
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
|
|
add a "Close session" log entry (at loglevel=verbose) to
correspond to the existing "Starting session" one. Also include the session
id number to make multiplexed sessions more apparent.
feedback and ok dtucker@
Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
|
|
skip "Could not chdir to home directory" message when
chrooted
patch from Christian Hesse in bz#2485 ok dtucker@
Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
|
|
rename xrealloc() to xreallocarray() since it follows
that form. ok djm
|
|
Replace <sys/param.h> with <limits.h> and other less
dirty headers where possible. Annotate <sys/param.h> lines with their
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
These are the files confirmed through binary verification. ok guenther,
millert, doug (helped with the verification protocol)
|
|
move authfd.c and its tentacles to the new buffer/key
API; ok markus@
|
|
make internal handling of filename arguments of "none"
more consistent with ssh. "none" arguments are now replaced with NULL when
the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
|
|
[gss-serv.c session.c ssh-keygen.c]
standardise on NI_MAXHOST for gethostname() string lengths; about
1/2 the cases were using it already. Fixes bz#2239 en passant
|
|
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
Id sync only - portable already has this.
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
|
|
|
|
with sftp chroot support. Move set_id call after chroot.
|
|
[session.c]
explicitly define USE_PIPES to 1 to prevent redefinition warnings in
portable on platforms that use pipes for everything. From redhat @
redhat.
|