From 68af80e6fdeaeb79432209db614386ff0f37e75f Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 25 Oct 2017 00:19:47 +0000
Subject: upstream commit add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which rdomain(4) a connection was recevied on. ok markus@
Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
---
 sshd.8 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'sshd.8')
diff --git a/sshd.8 b/sshd.8
index a4201146b..c16c433ef 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.291 2017/06/24 06:28:50 jmc Exp $
-.Dd $Mdocdate: June 24 2017 $
+.\" $OpenBSD: sshd.8,v 1.292 2017/10/25 00:19:47 djm Exp $
+.Dd $Mdocdate: October 25 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -109,6 +109,7 @@ The keywords are
 .Dq host ,
 .Dq laddr ,
 .Dq lport ,
+.Dq rdomain
 and
 .Dq addr .
 All are required and may be supplied in any order, either with multiple
-- cgit v1.2.3
From 0208a48517b5e8e8b091f32fa4addcd67c31ca9e Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org@openbsd.org"
Date: Fri, 3 Nov 2017 03:18:53 +0000
Subject: upstream commit When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria. ok djm@, man page help jmc@
OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
---
 servconf.c | 47 +++++++++++++++++++++++++++-------------------
 sshd.8 | 23 ++++++++++++-----------
 sshd.c | 18 +++++++----------
 3 files changed, 46 insertions(+), 42 deletions(-)
(limited to 'sshd.8')
diff --git a/servconf.c b/servconf.c
index 53d81fb3c..44de35367 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.318 2017/10/25 02:10:39 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.319 2017/11/03 03:18:53 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -927,6 +927,13 @@ out:
 return result;
 }
+static void
+match_test_missing_fatal(const char *criteria, const char *attrib)
+{
+ fatal("'Match %s' in configuration but '%s' not in connection "
+ "test specification.", criteria, attrib);
+}
+
 /*
 * All of the attributes on a single Match line are ANDed together, so we need
 * to check every attribute and set the result to zero if any attribute does
@@ -964,20 +971,24 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 return -1;
 }
 if (strcasecmp(attrib, "user") == 0) {
- if (ci == NULL || ci->user == NULL) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->user == NULL)
+ match_test_missing_fatal("User", "user");
 if (match_pattern_list(ci->user, arg, 0) != 1)
 result = 0;
 else
 debug("user %.100s matched 'User %.100s' at "
 "line %d", ci->user, arg, line);
 } else if (strcasecmp(attrib, "group") == 0) {
- if (ci == NULL || ci->user == NULL) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->user == NULL)
+ match_test_missing_fatal("Group", "user");
 switch (match_cfg_line_group(arg, line, ci->user)) {
 case -1:
 return -1;
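Review bot: match_test_missing_fatal() only forwards to fatal() and never returns, but nothing in the hunk tells the compiler so; each caller's `if (ci->user == NULL) match_test_missing_fatal(...)` is immediately followed by a dereference of the same field, which a static analyser will report as a possible NULL use unless the wrapper is known to be non-returning. If fatal() carries a noreturn attribute in this tree, giving the wrapper the same attribute, e.g. `static void match_test_missing_fatal(const char *, const char *) __attribute__((noreturn));` ahead of its definition, removes those reports without changing behaviour. The same pattern recurs in the host, address, localaddress and localport branches of the following hunks. match_cfg_line() continues outside the hunk.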
@@ -985,20 +996,24 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 result = 0;
 }
 } else if (strcasecmp(attrib, "host") == 0) {
- if (ci == NULL || ci->host == NULL) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->host == NULL)
+ match_test_missing_fatal("Host", "host");
 if (match_hostname(ci->host, arg) != 1)
 result = 0;
 else
 debug("connection from %.100s matched 'Host "
 "%.100s' at line %d", ci->host, arg, line);
 } else if (strcasecmp(attrib, "address") == 0) {
- if (ci == NULL || ci->address == NULL) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->address == NULL)
+ match_test_missing_fatal("Address", "addr");
 switch (addr_match_list(ci->address, arg)) {
 case 1:
 debug("connection from %.100s matched 'Address "
@@ -1012,10 +1027,13 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 return -1;
 }
 } else if (strcasecmp(attrib, "localaddress") == 0){
- if (ci == NULL || ci->laddress == NULL) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->laddress == NULL)
+ match_test_missing_fatal("LocalAddress",
+ "laddr");
 switch (addr_match_list(ci->laddress, arg)) {
 case 1:
 debug("connection from %.100s matched "
@@ -1035,10 +1053,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 arg);
 return -1;
 }
- if (ci == NULL || ci->lport == 0) {
+ if (ci == NULL) {
 result = 0;
 continue;
 }
+ if (ci->lport == 0)
+ match_test_missing_fatal("LocalPort", "lport");
 /* TODO support port lists */
 if (port == ci->lport)
 debug("connection from %.100s matched "
@@ -2116,19 +2136,6 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
 return 0;
 }
-/*
- * returns 1 for a complete spec, 0 for partial spec and -1 for an
- * empty spec.
- */
-int server_match_spec_complete(struct connection_info *ci)
-{
- if (ci->user && ci->host && ci->address)
- return 1; /* complete */
- if (!ci->user && !ci->host && !ci->address)
- return -1; /* empty */
- return 0; /* partial */
-}
-
 /*
 * Copy any supported values that are set.
 *
diff --git a/sshd.8 b/sshd.8
index c16c433ef..76a4474ed 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.292 2017/10/25 00:19:47 djm Exp $
-.Dd $Mdocdate: October 25 2017 $
+.\" $OpenBSD: sshd.8,v 1.293 2017/11/03 03:18:53 dtucker Exp $
+.Dd $Mdocdate: November 3 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -100,21 +100,22 @@
 Specify the connection parameters to use for the extended test mode.
 If provided, any
 .Cm Match
-directives in the configuration file
-that would apply to the specified user, host, and address will be set before
-the configuration is written to standard output.
-The connection parameters are supplied as keyword=value pairs.
+directives in the configuration file that would apply are applied before the
+configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs and may be
+supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.
 The keywords are
+.Dq addr,
 .Dq user ,
 .Dq host ,
 .Dq laddr ,
 .Dq lport ,
-.Dq rdomain
 and
-.Dq addr .
-All are required and may be supplied in any order, either with multiple
-.Fl C
-options or as a comma-separated list.
+.Dq rdomain
+and correspond to source address, user, resolved source host name,
+local address, local port number and routing domain respectively.
 .It Fl c Ar host_certificate_file
 Specifies a path to a certificate file to identify
 .Nm
diff --git a/sshd.c b/sshd.c
index 6a8e3762a..73094001b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.497 2017/10/27 00:18:41 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.498 2017/11/03 03:18:53 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1429,7 +1429,7 @@ main(int ac, char **av)
 struct sshkey *pubkey;
 int keytype;
 Authctxt *authctxt;
- struct connection_info *connection_info = get_connection_info(0, 0);
+ struct connection_info *connection_info = NULL;
 ssh_malloc_init(); /* must be called before any mallocs */
@@ -1545,6 +1545,7 @@ main(int ac, char **av)
 test_flag = 2;
 break;
 case 'C':
+ connection_info = get_connection_info(0, 0);
 if (parse_server_match_testspec(connection_info,
 optarg) == -1)
 exit(1);
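Review bot: The new `connection_info = get_connection_info(0, 0);` in `case 'C'` runs once per -C option, so with several -C arguments the pointer is re-fetched before each parse_server_match_testspec() call; that is only harmless if get_connection_info() hands back the same object every time, which this hunk does not show. If it allocates or resets the structure, values from earlier -C options would be dropped or leaked. Guarding the fetch, `if (connection_info == NULL) connection_info = get_connection_info(0, 0);`, keeps single-fetch semantics whichever way the helper behaves. main() continues outside the hunk.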
@@ -1613,14 +1614,10 @@ main(int ac, char **av)
 sensitive_data.have_ssh2_key = 0;
 /*
- * If we're doing an extended config test, make sure we have all of
- * the parameters we need. If we're not doing an extended test,
- * do not silently ignore connection test params.
+ * If we're not doing an extended test do not silently ignore connection
+ * test params.
 */
- if (test_flag >= 2 && server_match_spec_complete(connection_info) == 0)
- fatal("user, host and addr are all required when testing "
- "Match configs");
- if (test_flag < 2 && server_match_spec_complete(connection_info) >= 0)
+ if (test_flag < 2 && connection_info != NULL)
 fatal("Config test connection parameter (-C) provided without "
 "test mode (-T)");
@@ -1827,8 +1824,7 @@ main(int ac, char **av)
 }
 if (test_flag > 1) {
- if (server_match_spec_complete(connection_info) == 1)
- parse_server_match_config(&options, connection_info);
+ parse_server_match_config(&options, connection_info);
 dump_config(&options);
 }
-- cgit v1.2.3
From 2b428f90ea1b21d7a7c68ec1ee334253b3f9324d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 5 Feb 2018 04:02:53 +0000
Subject: upstream commit I accidentially a word
OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a
---
 sshd.8 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'sshd.8')
diff --git a/sshd.8 b/sshd.8
index 76a4474ed..80e016fb8 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.293 2017/11/03 03:18:53 dtucker Exp $
-.Dd $Mdocdate: November 3 2017 $
+.\" $OpenBSD: sshd.8,v 1.294 2018/02/05 04:02:53 djm Exp $
+.Dd $Mdocdate: February 5 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -568,6 +568,7 @@ matches any port.
 .It Cm port-forwarding
 Enable port forwarding previously disabled by the
 .Cm restrict
+option.
 .It Cm principals="principals"
 On a
 .Cm cert-authority
-- cgit v1.2.3
From 88c50a5ae20902715f0fca306bb9c38514f71679 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Fri, 16 Feb 2018 02:32:40 +0000
Subject: upstream: stop loading DSA keys by default, remove sshd_config stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
---
 servconf.c | 4 +---
 sshd.8 | 7 ++-----
 sshd_config | 3 +--
 sshd_config.5 | 5 ++---
 4 files changed, 6 insertions(+), 13 deletions(-)
(limited to 'sshd.8')
diff --git a/servconf.c b/servconf.c
index f0ab429a1..bf8ad671d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.323 2018/02/09 02:37:36 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.324 2018/02/16 02:32:40 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -247,8 +247,6 @@ fill_default_server_options(ServerOptions *options)
 /* fill default hostkeys for protocols */
 servconf_add_hostkey("[default]", 0, options,
 _PATH_HOST_RSA_KEY_FILE);
- servconf_add_hostkey("[default]", 0, options,
- _PATH_HOST_DSA_KEY_FILE);
 #ifdef OPENSSL_HAS_ECC
 servconf_add_hostkey("[default]", 0, options,
 _PATH_HOST_ECDSA_KEY_FILE);
diff --git a/sshd.8 b/sshd.8
index 80e016fb8..0865373f5 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.294 2018/02/05 04:02:53 djm Exp $
-.Dd $Mdocdate: February 5 2018 $
+.\" $OpenBSD: sshd.8,v 1.295 2018/02/16 02:32:40 djm Exp $
+.Dd $Mdocdate: February 16 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -166,7 +166,6 @@ This option must be given if
 is not run as root (as the normal
 host key files are normally not readable by anyone but root).
 The default is
-.Pa /etc/ssh/ssh_host_dsa_key ,
 .Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
@@ -874,7 +873,6 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
 .It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
@@ -885,7 +883,6 @@ Note that
 .Nm
 does not start if these files are group/world-accessible.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key.pub
 .It Pa /etc/ssh/ssh_host_rsa_key.pub
diff --git a/sshd_config b/sshd_config
index 4eb2e02e0..3109d5d73 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -16,7 +16,6 @@
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
diff --git a/sshd_config.5 b/sshd_config.5
index dff24fd12..fd7ab1a24 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.261 2018/02/10 06:54:38 djm Exp $
-.Dd $Mdocdate: February 10 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.262 2018/02/16 02:32:40 djm Exp $
+.Dd $Mdocdate: February 16 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -714,7 +714,6 @@ is not to load any certificates.
 Specifies a file containing a private host key
 used by SSH.
 The defaults are
-.Pa /etc/ssh/ssh_host_dsa_key ,
 .Pa /etc/ssh/ssh_host_ecdsa_key ,
 .Pa /etc/ssh/ssh_host_ed25519_key
 and
-- cgit v1.2.3
From 055e09e2212ff52067786bf6d794ca9512ff7f0c Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org"
Date: Sat, 3 Mar 2018 06:37:53 +0000
Subject: upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18 bumped the minimum from 768 to 1024, update man page accordingly.
OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
---
 sshd.8 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sshd.8')
diff --git a/sshd.8 b/sshd.8
index 0865373f5..0d52cc50a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.295 2018/02/16 02:32:40 djm Exp $
-.Dd $Mdocdate: February 16 2018 $
+.\" $OpenBSD: sshd.8,v 1.296 2018/03/03 06:37:53 dtucker Exp $
+.Dd $Mdocdate: March 3 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -453,7 +453,7 @@ or the
 file and edit it.
 .Pp
 .Nm
-enforces a minimum RSA key modulus size of 768 bits.
+enforces a minimum RSA key modulus size of 1024 bits.
 .Pp
 The options (if present) consist of comma-separated option specifications.
-- cgit v1.2.3
From bf0fbf2b11a44f06a64b620af7d01ff171c28e13 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 12 Mar 2018 00:52:01 +0000
Subject: upstream: add valid-before="[time]" authorized_keys option. A simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
---
 auth-options.c | 32 +++++++++++++++++++++++++++++---
 auth-options.h | 5 ++++-
 auth.c | 28 +++++++++++++++++++++++-----
 misc.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 misc.h | 4 +++-
 ssh-keygen.1 | 8 ++++----
 ssh-keygen.c | 44 +++++--------------------------------------
 sshd.8 | 8 ++++++--
 8 files changed, 128 insertions(+), 56 deletions(-)
(limited to 'sshd.8')
diff --git a/auth-options.c b/auth-options.c
index 484e44b74..38211fa2a 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.76 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.77 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller
 *
@@ -311,6 +311,7 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 int r;
 struct sshauthopt *ret = NULL;
 const char *errstr = "unknown error";
+ uint64_t valid_before;
 if (errstrp != NULL)
 *errstrp = NULL;
@@ -366,6 +367,19 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 &errstr);
 if (ret->required_from_host_keys == NULL)
 goto fail;
+ } else if (opt_match(&opts, "valid-before")) {
+ if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+ goto fail;
+ if (parse_absolute_time(opt, &valid_before) != 0 ||
+ valid_before == 0) {
+ free(opt);
+ errstr = "invalid expires time";
+ goto fail;
+ }
+ free(opt);
+ if (ret->valid_before == 0 ||
+ valid_before < ret->valid_before)
+ ret->valid_before = valid_before;
 } else if (opt_match(&opts, "environment")) {
 if (ret->nenv > INT_MAX) {
 errstr = "too many environment strings";
@@ -572,6 +586,13 @@ sshauthopt_merge(const struct sshauthopt *primary,
 OPTFLAG(permit_user_rc);
 #undef OPTFLAG
+ /* Earliest expiry time should win */
+ if (primary->valid_before != 0)
+ ret->valid_before = primary->valid_before;
+ if (additional->valid_before != 0 &&
+ additional->valid_before < ret->valid_before)
+ ret->valid_before = additional->valid_before;
+
 /*
 * When both multiple forced-command are specified, only
 * proceed if they are identical, otherwise fail.
@@ -631,6 +652,7 @@ sshauthopt_copy(const struct sshauthopt *orig)
 OPTSCALAR(restricted);
 OPTSCALAR(cert_authority);
 OPTSCALAR(force_tun_device);
+ OPTSCALAR(valid_before);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
 do { \
@@ -751,14 +773,15 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m,
 {
 int r = SSH_ERR_INTERNAL_ERROR;
- /* Flag options */
+ /* Flag and simple integer options */
 if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
 (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
 (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
 (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 ||
 (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
 (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
- (r = sshbuf_put_u8(m, opts->cert_authority)) != 0)
+ (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
+ (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
 return r;
 /* tunnel number can be negative to indicate "unset" */
@@ -815,6 +838,9 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp)
 OPT_FLAG(cert_authority);
 #undef OPT_FLAG
+ if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
+ goto out;
+
 /* tunnel number can be negative to indicate "unset" */
 if ((r = sshbuf_get_u8(m, &f)) != 0 ||
 (r = sshbuf_get_u32(m, &tmp)) != 0)
diff --git a/auth-options.h b/auth-options.h
index 16871d754..bf59b30be 100644
--- a/auth-options.h
+++ b/auth-options.h
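Review bot: The "Earliest expiry time should win" block in sshauthopt_merge() loses an expiry that only `additional` carries: when `primary->valid_before` is 0 nothing is assigned, and the second test `additional->valid_before < ret->valid_before` then compares against ret's initial value, which is presumably 0 (ret's allocation is outside the hunk), so it is never true and the merged options end up with no expiry at all — the opposite of the narrowing the comment promises. Treating an unset target as "take it" fixes the merge: `if (additional->valid_before != 0 && (ret->valid_before == 0 || additional->valid_before < ret->valid_before))`. A one-line comment on the block, `/* an unset side must not clear the other side's expiry */`, would record the invariant. sshauthopt_merge() continues outside the hunk.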
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.25 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth-options.h,v 1.26 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller
@@ -37,6 +37,9 @@ struct sshauthopt {
 /* "restrict" keyword was invoked */
 int restricted;
+ /* key/principal expiry date */
+ uint64_t valid_before;
+
 /* Certificate-related options */
 int cert_authority;
 char *cert_principals;
diff --git a/auth.c b/auth.c
index 041a09e3f..63366768a 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.126 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -1004,20 +1004,21 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
 int do_permitopen = opts->npermitopen > 0 &&
 (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
 size_t i;
- char msg[1024], tbuf[32];
+ char msg[1024], buf[64];
- snprintf(tbuf, sizeof(tbuf), "%d", opts->force_tun_device);
+ snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
 /* Try to keep this alphabetically sorted */
- snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s",
+ snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s",
 opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
 opts->force_command == NULL ? "" : " command",
 do_env ? " environment" : "",
+ opts->valid_before == 0 ? "" : "expires",
 do_permitopen ? " permitopen" : "",
 opts->permit_port_forwarding_flag ? " port-forwarding" : "",
 opts->cert_principals == NULL ? "" : " principals",
 opts->permit_pty_flag ? " pty" : "",
 opts->force_tun_device == -1 ? "" : " tun=",
- opts->force_tun_device == -1 ? "" : tbuf,
+ opts->force_tun_device == -1 ? "" : buf,
 opts->permit_user_rc ? " user-rc" : "",
 opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
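Review bot: The new `"expires"` entry in the "key options:" format list in auth_log_authopts() lacks the leading space that every sibling string carries (`" environment"`, `" permitopen"`), so a key with both an environment option and an expiry logs as `environmentexpires permitopen`, which defeats the tokenised format that log consumers key on. Change the line to `opts->valid_before == 0 ? "" : " expires",`. auth_log_authopts() continues outside the hunk.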
@@ -1036,6 +1037,10 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
 }
 /* Go into a little more details for the local logs. */
+ if (opts->valid_before != 0) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: expires at %s", loc, buf);
+ }
 if (opts->cert_principals != NULL) {
 debug("%s: authorized principals: \"%s\"",
 loc, opts->cert_principals);
@@ -1089,7 +1094,20 @@ auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
 const char *remote_ip = ssh_remote_ipaddr(ssh);
 const char *remote_host = auth_get_canonical_hostname(ssh,
 options.use_dns);
+ time_t now = time(NULL);
+ char buf[64];
+ /*
+ * Check keys/principals file expiry time.
+ * NB. validity interval in certificate is handled elsewhere.
+ */
+ if (opts->valid_before && now > 0 &&
+ opts->valid_before < (uint64_t)now) {
+ format_absolute_time(opts->valid_before, buf, sizeof(buf));
+ debug("%s: entry expired at %s", loc, buf);
+ auth_debug_add("%s: entry expired at %s", loc, buf);
+ return -1;
+ }
 /* Consistency checks */
 if (opts->cert_principals != NULL && !opts->cert_authority) {
 debug("%s: principals on non-CA key", loc);
diff --git a/misc.c b/misc.c
index fbc363100..874dcc8a2 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.126 2018/03/07 23:53:08 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.127 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
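Review bot: The expiry check in auth_authorise_keyopts() is skipped entirely when `now > 0` is false, i.e. when time(NULL) fails and returns (time_t)-1, so an entry that carries an expiry is accepted on clock failure rather than refused — a fail-open default inside an authentication decision. Refusing the entry whenever the clock cannot be read keeps it fail-closed: `if (opts->valid_before != 0 && (now <= 0 || opts->valid_before < (uint64_t)now))`, with the log text adjusted so a clock failure is not reported as "expired". The NB comment is good; extending it with `/* fail closed: an unreadable clock must not admit an expiring entry */` records the intent. auth_authorise_keyopts() continues outside the hunk.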
@@ -1976,3 +1976,56 @@ atoi_err(const char *nptr, int *val)
 *val = (int)num;
 return errstr;
 }
+
+int
+parse_absolute_time(const char *s, uint64_t *tp)
+{
+ struct tm tm;
+ time_t tt;
+ char buf[32], *fmt;
+
+ *tp = 0;
+
+ /*
+ * POSIX strptime says "The application shall ensure that there
+ * is white-space or other non-alphanumeric characters between
+ * any two conversion specifications" so arrange things this way.
+ */
+ switch (strlen(s)) {
+ case 8: /* YYYYMMDD */
+ fmt = "%Y-%m-%d";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6);
+ break;
+ case 12: /* YYYYMMDDHHMM */
+ fmt = "%Y-%m-%dT%H:%M";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s",
+ s, s + 4, s + 6, s + 8, s + 10);
+ break;
+ case 14: /* YYYYMMDDHHMMSS */
+ fmt = "%Y-%m-%dT%H:%M:%S";
+ snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s",
+ s, s + 4, s + 6, s + 8, s + 10, s + 12);
+ break;
+ default:
+ return SSH_ERR_INVALID_FORMAT;
+ }
+
+ memset(&tm, 0, sizeof(tm));
+ if (strptime(buf, fmt, &tm) == NULL)
+ return SSH_ERR_INVALID_FORMAT;
+ if ((tt = mktime(&tm)) < 0)
+ return SSH_ERR_INVALID_FORMAT;
+ /* success */
+ *tp = (uint64_t)tt;
+ return 0;
+}
+
+void
+format_absolute_time(uint64_t t, char *buf, size_t len)
+{
+ time_t tt = t > INT_MAX ? INT_MAX : t; /* XXX revisit in 2038 :P */
+ struct tm tm;
+
+ localtime_r(&tt, &tm);
+ strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
+}
diff --git a/misc.h b/misc.h
index 8f7780675..cdafea735 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.70 2018/01/08 15:21:49 markus Exp $ */
+/* $OpenBSD: misc.h,v 1.71 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -75,6 +75,8 @@ void lowercase(char *s);
 int unix_listener(const char *, int, int);
 int valid_domain(char *, int, const char **);
 const char *atoi_err(const char *, int *);
+int parse_absolute_time(const char *, uint64_t *);
+void format_absolute_time(uint64_t, char *, size_t);
 void sock_set_v6only(int);
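Review bot: parse_absolute_time() accepts the result of strptime() without checking that the rebuilt buffer was consumed to the end: strptime returns a pointer to the first unparsed character, so an 8-character input like `2018031X` becomes `2018-03-1X`, `%d` reads the lone `1`, the `X` is left over and the call succeeds as 1 March — a malformed expiry silently parsed as an earlier date rather than rejected. Capture the end pointer and require the terminator: `const char *end; if ((end = strptime(buf, fmt, &tm)) == NULL || *end != '\0') return SSH_ERR_INVALID_FORMAT;`. Separately, the zeroed `tm.tm_isdst` from the memset tells mktime() the wall-clock time is standard time, so a timestamp inside daylight-saving time lands one hour off; `tm.tm_isdst = -1;` after the memset lets mktime resolve it. In format_absolute_time() the return values of localtime_r() and strftime() are unchecked, so on failure buf may be left unterminated before callers print it.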
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f925eb2d7..3525d7d17 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.146 2018/01/25 03:34:43 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
 .\"
 .\" Author: Tatu Ylonen
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2018 $
+.Dd $Mdocdate: March 12 2018 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -588,13 +588,13 @@ of two times separated by a colon to indicate an explicit time interval.
 The start time may be specified as the string
 .Dq always
 to indicate the certificate has no specified start time,
-a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format,
+a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
 a relative time (to the current time) consisting of a minus sign
 followed by an interval in the format described in the
 TIME FORMATS section of
 .Xr sshd_config 5 .
 .Pp
-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time,
+The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
 a relative time starting with a plus character or the string
 .Dq forever
 to indicate that the certificate has no expirty date.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index d80930eeb..9aac64fc3 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.313 2018/02/23 15:58:38 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.314 2018/03/12 00:52:01 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland
@@ -1798,40 +1798,6 @@ parse_relative_time(const char *s, time_t now)
 return now + (u_int64_t)(secs * mul);
 }
-static u_int64_t
-parse_absolute_time(const char *s)
-{
- struct tm tm;
- time_t tt;
- char buf[32], *fmt;
-
- /*
- * POSIX strptime says "The application shall ensure that there
- * is white-space or other non-alphanumeric characters between
- * any two conversion specifications" so arrange things this way.
- */
- switch (strlen(s)) {
- case 8:
- fmt = "%Y-%m-%d";
- snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6);
- break;
- case 14:
- fmt = "%Y-%m-%dT%H:%M:%S";
- snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s",
- s, s + 4, s + 6, s + 8, s + 10, s + 12);
- break;
- default:
- fatal("Invalid certificate time format \"%s\"", s);
- }
-
- memset(&tm, 0, sizeof(tm));
- if (strptime(buf, fmt, &tm) == NULL)
- fatal("Invalid certificate time %s", s);
- if ((tt = mktime(&tm)) < 0)
- fatal("Certificate time %s cannot be represented", s);
- return (u_int64_t)tt;
-}
-
 static void
 parse_cert_times(char *timespec)
 {
@@ -1867,15 +1833,15 @@ parse_cert_times(char *timespec)
 cert_valid_from = parse_relative_time(from, now);
 else if (strcmp(from, "always") == 0)
 cert_valid_from = 0;
- else
- cert_valid_from = parse_absolute_time(from);
+ else if (parse_absolute_time(from, &cert_valid_from) != 0)
+ fatal("Invalid from time \"%s\"", from);
 if (*to == '-' || *to == '+')
 cert_valid_to = parse_relative_time(to, now);
 else if (strcmp(to, "forever") == 0)
 cert_valid_to = ~(u_int64_t)0;
- else
- cert_valid_to = parse_absolute_time(to);
+ else if (parse_absolute_time(to, &cert_valid_to) != 0)
+ fatal("Invalid to time \"%s\"", to);
 if (cert_valid_to <= cert_valid_from)
 fatal("Empty certificate validity interval");
diff --git a/sshd.8 b/sshd.8
index 0d52cc50a..f973cc383 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.296 2018/03/03 06:37:53 dtucker Exp $
-.Dd $Mdocdate: March 3 2018 $
+.\" $OpenBSD: sshd.8,v 1.297 2018/03/12 00:52:01 djm Exp $
+.Dd $Mdocdate: March 12 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -602,6 +602,10 @@ Enables execution of
 previously disabled by the
 .Cm restrict
 option.
+.It Cm valid-before="timespec"
+Specifies a time after which the key will not be accepted.
+The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
+in the system time-zone.
 .It Cm X11-forwarding
 Permits X11 forwarding previously disabled by the
 .Cm restrict
-- cgit v1.2.3
From abc0fa38c9bc136871f28e452c3465c3051fc785 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 14 Mar 2018 05:35:40 +0000
Subject: upstream: rename recently-added "valid-before" key restriction to "expiry-time" as the former is confusing wrt similar terminology in X.509; pointed out by jsing@
OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
---
 auth-options.c | 4 ++--
 sshd.8 | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'sshd.8')
diff --git a/auth-options.c b/auth-options.c
index 38211fa2a..b528c197a 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.77 2018/03/12 00:52:01 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller
 *
@@ -367,7 +367,7 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 &errstr);
 if (ret->required_from_host_keys == NULL)
 goto fail;
- } else if (opt_match(&opts, "valid-before")) {
+ } else if (opt_match(&opts, "expiry-time")) {
 if ((opt = opt_dequote(&opts, &errstr)) == NULL)
 goto fail;
 if (parse_absolute_time(opt, &valid_before) != 0 ||
diff --git a/sshd.8 b/sshd.8
index f973cc383..6f5ad0f8b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.297 2018/03/12 00:52:01 djm Exp $
-.Dd $Mdocdate: March 12 2018 $
+.\" $OpenBSD: sshd.8,v 1.298 2018/03/14 05:35:40 djm Exp $
+.Dd $Mdocdate: March 14 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -602,7 +602,7 @@ Enables execution of
 previously disabled by the
 .Cm restrict
 option.
-.It Cm valid-before="timespec"
+.It Cm expiry-time="timespec"
 Specifies a time after which the key will not be accepted.
 The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
 in the system time-zone.
-- cgit v1.2.3
From 037fdc1dc2d68e1d43f9c9e2586c02cabc8f7cc8 Mon Sep 17 00:00:00 2001
From: "jmc@openbsd.org"
Date: Wed, 14 Mar 2018 06:56:20 +0000
Subject: upstream: sort expiry-time;
OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
---
 sshd.8 | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'sshd.8')
diff --git a/sshd.8 b/sshd.8
index 6f5ad0f8b..968ba66bb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.298 2018/03/14 05:35:40 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.299 2018/03/14 06:56:20 jmc Exp $
 .Dd $Mdocdate: March 14 2018 $
 .Dt SSHD 8
 .Os
@@ -513,6 +513,10 @@
 Environment processing is disabled by default and is controlled via the
 .Cm PermitUserEnvironment
 option.
+.It Cm expiry-time="timespec"
+Specifies a time after which the key will not be accepted.
+The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
+in the system time-zone.
 .It Cm from="pattern-list"
 Specifies that in addition to public key authentication, either the canonical
 name of the remote host or its IP address must be present in the
@@ -602,10 +606,6 @@ Enables execution of
 previously disabled by the
 .Cm restrict
 option.
-.It Cm expiry-time="timespec"
-Specifies a time after which the key will not be accepted.
-The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
-in the system time-zone.
 .It Cm X11-forwarding
 Permits X11 forwarding previously disabled by the
 .Cm restrict
-- cgit v1.2.3