From 23528816dc10165b3bc009f2ab5fdf1653db418c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 22 Apr 2012 11:24:43 +1000 Subject: - djm@cvs.openbsd.org 2012/04/12 02:42:32 [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@ --- sshd_config | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sshd_config') diff --git a/sshd_config b/sshd_config index 473e86654..99dbd8580 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ +# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -107,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #MaxStartups 10 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none -- cgit v1.2.3 From 8fef9ebbab6bd68d245edbadedd52600a800c09c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 22 Apr 2012 11:25:10 +1000 Subject: - djm@cvs.openbsd.org 2012/04/12 02:43:55 [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default --- ChangeLog | 3 +++ sshd_config | 4 +++- sshd_config.5 | 6 ++++-- 3 files changed, 10 insertions(+), 3 deletions(-) (limited to 'sshd_config') diff --git a/ChangeLog b/ChangeLog index a8312a5ef..5ca22714c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@ + - djm@cvs.openbsd.org 2012/04/12 02:43:55 + [sshd_config sshd_config.5] + mention AuthorizedPrincipalsFile=none default 20120420 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] diff --git a/sshd_config b/sshd_config index 99dbd8580..ec3ca2afc 100644 
--- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.85 2012/04/12 02:42:32 djm Exp $ +# $OpenBSD: sshd_config,v 1.86 2012/04/12 02:43:55 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -49,6 +49,8 @@ # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 diff --git a/sshd_config.5 b/sshd_config.5 index 1522355a8..27ee19146 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.137 2012/04/12 02:42:32 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.138 2012/04/12 02:43:55 djm Exp $ .Dd $Mdocdate: April 12 2012 $ .Dt SSHD_CONFIG 5 .Os @@ -198,7 +198,9 @@ After expansion, is taken to be an absolute path or one relative to the user's home directory. .Pp -The default is not to use a principals file \(en in this case, the username +The default is +.Dq none , +i.e. not to use a principals file \(en in this case, the username of the user must appear in a certificate's principals list for it to be accepted. Note that -- cgit v1.2.3 From 5a5c2b9063fc3d7315424702b01527ccb0d4c0c9 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Tue, 31 Jul 2012 12:21:34 +1000 Subject: - djm@cvs.openbsd.org 2012/07/10 02:19:15 [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too. --- ChangeLog | 5 +++++ servconf.c | 9 +++++---- servconf.h | 4 ++-- sshd.c | 4 ++-- sshd_config | 4 ++-- 5 files changed, 16 insertions(+), 10 deletions(-) (limited to 'sshd_config') diff --git a/ChangeLog b/ChangeLog index 885a721ff..911b4b114 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ - jmc@cvs.openbsd.org 2012/07/06 06:38:03 [ssh-keygen.c] missing full stop in usage(); + - djm@cvs.openbsd.org 2012/07/10 02:19:15 + [servconf.c servconf.h sshd.c sshd_config] + Turn on systrace sandboxing of pre-auth sshd by default for new installs + by shipping a config that overrides the current UsePrivilegeSeparation=yes + default. Make it easier to flip the default in the future by adding too. 20120720 - (dtucker) Import regened moduli file. diff --git a/servconf.c b/servconf.c index eccfbad48..427bdeef1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.228 2012/07/10 02:19:15 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -285,7 +285,7 @@ fill_default_server_options(ServerOptions *options) options->version_addendum = xstrdup(""); /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_ON; + use_privsep = PRIVSEP_NOSANDBOX; #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { 
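Review bot: The comment `/* Turn privilege separation on by default */` in the fill_default_server_options hunk no longer says which mode is the compiled-in fallback. With `use_privsep = PRIVSEP_NOSANDBOX`, a server whose sshd_config has no UsePrivilegeSeparation line (for example an upgraded install that keeps its old config) runs the pre-auth child without the sandbox. Only the shipped sshd_config in the last hunk of this commit selects `sandbox`, and its trailing comment `# Default for new installations.` can be read as describing the built-in default. I would reword the code comment to `/* Privilege separation on by default, without the pre-auth sandbox; the shipped sshd_config opts in to "sandbox" */`. The function body starts and ends outside the hunk.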
@@ -770,8 +770,9 @@ static const struct multistate multistate_gatewayports[] = { { NULL, -1 } }; static const struct multistate multistate_privsep[] = { - { "sandbox", PRIVSEP_SANDBOX }, - { "yes", PRIVSEP_ON }, + { "yes", PRIVSEP_NOSANDBOX }, + { "sandbox", PRIVSEP_ON }, + { "nosandbox", PRIVSEP_NOSANDBOX }, { "no", PRIVSEP_OFF }, { NULL, -1 } }; diff --git a/servconf.h b/servconf.h index c2eeed665..096d596d7 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.103 2012/07/10 02:19:15 djm Exp $ */ /* * Author: Tatu Ylonen @@ -39,7 +39,7 @@ /* use_privsep */ #define PRIVSEP_OFF 0 #define PRIVSEP_ON 1 -#define PRIVSEP_SANDBOX 2 +#define PRIVSEP_NOSANDBOX 2 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ diff --git a/sshd.c b/sshd.c index 64b846f6c..9aff5e8af 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.392 2012/06/30 14:35:09 markus Exp $ */ +/* $OpenBSD: sshd.c,v 1.393 2012/07/10 02:19:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -635,7 +635,7 @@ privsep_preauth(Authctxt *authctxt) /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; - if (use_privsep == PRIVSEP_SANDBOX) + if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(); pid = fork(); if (pid == -1) { diff --git a/sshd_config b/sshd_config index ec3ca2afc..9424ee2c6 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.86 2012/04/12 02:43:55 djm Exp $ +# $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
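Review bot: The `multistate_privsep` table now accepts a new keyword, `nosandbox`, and keeps `yes` as a synonym for it, but the diffstat of this commit lists no sshd_config.5 change. The new keyword, and the fact that `yes` does not enable the sandbox, therefore appear to be undocumented in this commit. An operator who reads `UsePrivilegeSeparation yes` as the strongest setting would be mistaken. I would add a comment above the `yes` entry such as `/* "yes" kept as an alias for "nosandbox" so existing configs keep their behaviour */` and describe both values in the manual page.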
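Review bot: In the servconf.h hunk `PRIVSEP_ON` keeps the value 1 but changes meaning from privsep without a sandbox to privsep with one, while value 2 is renamed from `PRIVSEP_SANDBOX` to `PRIVSEP_NOSANDBOX`. The sshd.c hunk (`use_privsep == PRIVSEP_ON` before `ssh_sandbox_init()`) and the multistate table show the intended new reading. Any comparison against `PRIVSEP_ON` that is not part of this diff would silently flip, so remaining call sites are worth checking; truthiness tests such as `if (use_privsep && ...)` are unaffected. The defines would benefit from comments, e.g. `#define PRIVSEP_ON 1 /* privsep with pre-auth sandbox */` and `#define PRIVSEP_NOSANDBOX 2 /* privsep, no sandbox */`.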
@@ -99,7 +99,7 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 -- cgit v1.2.3