Age | Commit message (Collapse) | Author |
|
Hi,
So I screwed up when writing the support for the curve25519 KEX method
that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
leading zero bytes where they should have been skipped. The impact of
this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
peer that implements curve25519-sha256@libssh.org properly about 0.2%
of the time (one in every 512ish connections).
We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
key exchange for previous versions, but I'd recommend distributors
of OpenSSH apply this patch so the affected code doesn't become
too entrenched in LTS releases.
The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
to distinguish itself from the incorrect versions so the compatibility
code to disable the affected KEX isn't activated.
I've committed this on the 6.6 branch too.
Apologies for the hassle.
-d
Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
Forwarded: not-needed
Last-Update: 2014-04-21
Patch-Name: curve25519-sha256-bignum-encoding.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-03-19
Patch-Name: gssapi.patch
|
|
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
[buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
[kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
[monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
[ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c]
convert memset of potentially-private data to explicit_bzero()
|
|
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
[channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
[kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
[sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
[openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker
|
|
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
|
|
[digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
[kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
[kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
[schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@
|
|
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
|
|
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
use curve25519 for default key exchange (curve25519-sha256@libssh.org);
initial patch from Aris Adamantiadis; ok djm@
|
|
[sshconnect2.c]
Fix memory leaks found by Zhenbo Xu and the Melton tool. bz#1967, ok djm
|
|
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
dns.c packet.c readpass.c authfd.c moduli.c]
bye, bye xfree(); ok markus@
|
|
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
ssh_config.5 packet.h]
Add an optional second argument to RekeyLimit in the client to allow
rekeying based on elapsed time in addition to amount of traffic.
with djm@ jmc@, ok djm
|
|
[sshconnect2.c]
fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
|
|
[auth2-gss.c krl.c sshconnect2.c]
hush some {unused, printf type} warnings
|
|
- markus@cvs.openbsd.org 2013/03/05 20:16:09
[sshconnect2.c]
reset pubkey order on partial success; ok djm@
|
|
[readconf.c ssh.c readconf.h sshconnect2.c]
Keep track of which IndentityFile options were manually supplied and which
were default options, and don't warn if the latter are missing.
ok markus@
|
|
[openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
so mark it as broken. Patch from des AT des.no
|
|
[sshconnect2.c]
Warn more loudly if an IdentityFile provided by the user cannot be read.
bz #1981, ok djm@
|
|
[ssh_config.5 sshconnect2.c]
Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
This allows control of which keys are offered from tokens using
IdentityFile. ok markus@
|
|
[monitor.c sshconnect2.c]
remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@
|
|
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
Remove undocumented legacy options UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
accept multiple paths per line and making their defaults include
known_hosts2; ok markus
|
|
[sshconnect2.c]
fix memory leak; bz#1849 ok dtucker@
|
|
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
[sshconnect.h sshconnect2.c]
automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@
|
|
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
[servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.
ok markus@
|
|
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
[authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
[monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
[ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
[ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
[ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
[uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be
subject to change.
feedback and ok markus@
|
|
[sshconnect2.c]
bz#1502: authctxt.success is declared as an int, but passed by
reference to function that accepts sig_atomic_t*. Convert it to
the latter; ok markus@ dtucker@
|
|
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
|
[sshconnect2.c]
show the key type that we are offering in debug(), helps distinguish
between certs and plain keys as the path to the private key is usually
the same.
|
|
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
|
[canohost.c ssh-keysign.c sshconnect2.c]
Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@
|
|
[authfile.c sshconnect2.c]
Do not prompt for a passphrase if we fail to open a keyfile, and log the
reason the open failed to debug.
bz #1693, found by tj AT castaglia org, ok djm@
|
|
[sshconnect2.c]
Don't escape backslashes in the SSH2 banner. bz#1533, patch from
Michal Gorny via Gentoo.
|
|
[sshconnect2.c]
zap unused variable and strlen; from Steve McClellan, ok djm
|
|
[sshconnect2.c]
Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
|
|
[sshconnect2.c channels.c sshconnect.c]
Set close-on-exec on various descriptors so they don't get leaked to
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
|
|
[sshconnect2.c kex.h kex.c]
Let the client detect if the server supports roaming by looking
for the resume@appgate.com kex algorithm.
ok markus@
|
|
[sshconnect2.c]
disallow a hostile server from checking jpake auth by sending an
out-of-sequence success message. (doesn't affect code enabled by default)
|
|
[auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
[sshconnect2.c]
refactor the (disabled) Schnorr proof code to make it a little more
generally useful
|
|
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
[readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
[sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
[Makefile.in]
Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
|
[sshconnect2.c]
sprinkle ARGSUSED on dispatch handlers
nuke stale unusued prototype
|
|
[sshconnect2.c]
Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the
function.
spotted by des@freebsd, who commited an incorrect fix to the freebsd tree
and (as is fairly typical) did not report the problem to us. But this fix
is correct.
ok djm
|
|
[sshconnect2.c]
don't allocate space for empty banners; report t8m at centrum.cz;
ok deraadt
|
|
|
|
[sshconnect2.c]
strnvis preauth banner; pointed out by mpf@ ok markus@
|
|
[readconf.c readconf.h sshconnect2.c]
promote rekeylimit to a int64 so it can hold the maximum useful limit
of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@
|
|
[sshconnect2.c]
djm owes me a vb and a tism cd for breaking ssh compilation
|
|
[sshconnect2.c]
fall back to gethostname() when the outgoing connection is not
on a socket, such as is the case when ProxyCommand is used.
Gives hostbased auth an opportunity to work; bz#616, report
and feedback stuart AT kaloram.com; ok markus@
|
|
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
[auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
[cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
[dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
[md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
[scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c rc4.diff]
[openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
[openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
[openbsd-compat/port-uw.c]
Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
compile problems reported by rac AT tenzing.org
|
|
[sshconnect2.c]
Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@
|
|
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
|
|
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
|