merge the rest of the 9.8 changes from upstream
commit
6384372160
15
.depend
15
.depend
|
@ -23,6 +23,7 @@ auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
|
|||
auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h canohost.h
|
||||
auth2-hostbased.o: monitor_wrap.h pathnames.h match.h
|
||||
auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h log.h ssherr.h misc.h servconf.h
|
||||
auth2-methods.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h servconf.h openbsd-compat/sys-queue.h xmalloc.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
|
||||
auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h misc.h servconf.h ssh2.h monitor_wrap.h
|
||||
auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
|
||||
auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
|
||||
|
@ -60,6 +61,7 @@ gss-serv.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp
|
|||
hash.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h
|
||||
hmac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h digest.h hmac.h
|
||||
hostfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h sshkey.h hostfile.h log.h ssherr.h misc.h pathnames.h digest.h hmac.h sshbuf.h
|
||||
kex-names.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h kex.h mac.h crypto_api.h log.h ssherr.h match.h digest.h misc.h xmalloc.h
|
||||
kex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h ssh2.h atomicio.h version.h packet.h openbsd-compat/sys-queue.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h log.h ssherr.h
|
||||
kex.o: match.h misc.h monitor.h myproposal.h sshbuf.h digest.h xmalloc.h
|
||||
kexc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ssherr.h ssh2.h
|
||||
|
@ -82,12 +84,13 @@ monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api
|
|||
monitor.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h openbsd-compat/openssl-compat.h atomicio.h xmalloc.h ssh.h sshkey.h sshbuf.h hostfile.h auth.h auth-pam.h audit.h loginrec.h cipher.h cipher-chachapoly.h
|
||||
monitor_fdpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h monitor_fdpass.h
|
||||
monitor_wrap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h
|
||||
monitor_wrap.o: loginrec.h auth-options.h packet.h dispatch.h log.h ssherr.h monitor.h monitor_wrap.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h
|
||||
monitor_wrap.o: loginrec.h auth-options.h packet.h dispatch.h log.h ssherr.h monitor.h atomicio.h monitor_fdpass.h misc.h channels.h session.h servconf.h monitor_wrap.h srclimit.h
|
||||
msg.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshbuf.h ssherr.h log.h atomicio.h msg.h misc.h
|
||||
mux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h log.h ssherr.h ssh.h ssh2.h pathnames.h misc.h match.h sshbuf.h channels.h msg.h packet.h dispatch.h monitor_fdpass.h sshpty.h sshkey.h readconf.h clientloop.h
|
||||
nchan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h ssh2.h sshbuf.h ssherr.h packet.h dispatch.h channels.h compat.h log.h
|
||||
packet.o: channels.h ssh.h packet.h dispatch.h sshbuf.h
|
||||
packet.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h compat.h ssh2.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h digest.h log.h ssherr.h canohost.h misc.h
|
||||
platform-listen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h
|
||||
platform-misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
platform-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
platform-tracing.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h
|
||||
|
@ -123,7 +126,7 @@ sftp-usergroup.o: includes.h config.h defines.h platform.h openbsd-compat/openbs
|
|||
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sftp-usergroup.h
|
||||
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h
|
||||
srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h servconf.h openbsd-compat/sys-queue.h match.h
|
||||
ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h hostfile.h
|
||||
ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h
|
||||
ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
|
@ -146,7 +149,7 @@ ssh-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat
|
|||
ssh-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
ssh.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h canohost.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h packet.h dispatch.h sshbuf.h channels.h
|
||||
ssh.o: sshkey.h authfd.h authfile.h pathnames.h clientloop.h log.h ssherr.h misc.h readconf.h sshconnect.h kex.h mac.h crypto_api.h sshpty.h match.h msg.h version.h myproposal.h utf8.h
|
||||
ssh_api.o: authfile.h misc.h version.h myproposal.h sshbuf.h openbsd-compat/openssl-compat.h
|
||||
ssh_api.o: authfile.h dh.h misc.h version.h myproposal.h sshbuf.h openbsd-compat/openssl-compat.h
|
||||
ssh_api.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh_api.h openbsd-compat/sys-queue.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h ssh.h ssh2.h packet.h dispatch.h compat.h log.h ssherr.h
|
||||
sshbuf-getput-basic.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h sshbuf.h
|
||||
sshbuf-getput-crypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
|
@ -157,8 +160,10 @@ sshconnect.o: authfd.h kex.h mac.h crypto_api.h
sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h sshkey.h sshconnect.h log.h ssherr.h match.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h
sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h
sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h
sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h
sshd.o: poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h
sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h
sshd-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h
sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h
sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshpty.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h digest.h sshkey.h authfile.h pathnames.h canohost.h hostfile.h auth.h auth-pam.h
ssherr.o: ssherr.h
sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sshkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh2.h ssherr.h misc.h sshbuf.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h match.h ssh-sk.h openbsd-compat/openssl-compat.h
@ -6,6 +6,10 @@ master :
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
9.8 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
9.7 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
@ -208,6 +208,7 @@ case "$config" in
# and hostbased (since valgrind won't let ssh exec keysign).
# Slow ones are run separately to increase parallelism.
SKIP_LTESTS="agent-timeout connection-timeout hostbased"
SKIP_LTESTS="$SKIP_LTESTS penalty-expire"
SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
;;
valgrind-2)
@ -289,7 +290,7 @@ case "${TARGET_HOST}" in
hostkey-agent key-options keyscan knownhosts-command login-timeout
reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
transfer"
transfer penalty penalty-expire"
SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
SUDO=""
@ -17,7 +17,6 @@ jobs:
target:
- ubuntu-20.04
- ubuntu-22.04
- macos-11
- macos-12
- macos-13
- macos-14
@ -102,7 +101,6 @@ jobs:
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- { target: macos-11, config: pam }
- { target: macos-12, config: pam }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
@ -3,7 +3,7 @@ name: Upstream self-hosted
on:
push:
branches: [ master ]
paths: [ '**.c', '**.h', '.github/configs', '.github/workflows/upstream.yml' ]
paths: [ '**.c', '**.h', '**.sh', '.github/configs', '.github/workflows/upstream.yml' ]
jobs:
selfhosted:
@ -43,7 +43,7 @@ jobs:
- name: make
run: vmrun "cd /usr/src/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
- name: make install
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install && sudo /etc/rc.d/sshd -f restart"
- name: make tests`
run: vmrun "cd /usr/src/regress/usr.bin/ssh && case ${{ matrix.config }} in without-openssl) make OPENSSL=no;; ubsan) make DEBUG='-fsanitize-minimal-runtime -fsanitize=undefined';; *) make; esac"
env:
@ -2,18 +2,14 @@
Makefile
buildpkg.sh
config.h
config.h.in
config.h.in~
config.log
config.status
configure
aclocal.m4
openbsd-compat/Makefile
openbsd-compat/regress/Makefile
openssh.xml
opensshd.init
survey.sh
**/*.0
**/*.o
**/*.lo
**/*.so
@ -32,6 +32,11 @@ e1dc11143f83082e3154d6094f9136d0dc2637ad more relinking makefile tweaks
ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3 Makefile relinking changes
2fe8d707ae35ba23c7916adcb818bb5b66837ba0 ssh-agent relink kit
866cfcc1955aef8f3fc32da0b70c353a1b859f2e ssh-agent relink changes
8b3820adb4da4e139c4b3cffbcc0bde9f08bf0c6 sshd-session relink kit
6d2ded4cd91d4d727c2b26e099b91ea935bed504 relink kit
fb39324748824cb0387e9d67c41d1bef945c54ea Makefile change
5f378c38ad8976d507786dc4db9283a879ec8cd0 Makefile change
112aacedd3b61cc5c34b1fa6d9fb759214179172 Makefile change
Old upstream tree:
25
Makefile.in
25
Makefile.in
@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@ -37,6 +38,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-D_PATH_SSHD_SESSION=\"$(SSHD_SESSION)\" \
-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-D_PATH_SSH_SK_HELPER=\"$(SSH_SK_HELPER)\" \
-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
@ -69,7 +71,7 @@ MKDIR_P=@MKDIR_P@
.SUFFIXES: .lo
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@ -107,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
ssh-ed25519.o digest-openssl.o digest-libc.o \
hmac.o ed25519.o hash.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
@ -118,17 +120,23 @@ SKOBJS= ssh-sk-client.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
SSHDOBJS=sshd.o \
platform-listen.o \
servconf.o sshpty.o srclimit.o groupaccess.o auth2-methods.o \
dns.o fatal.o compat.o utf8.o authfd.o canohost.o \
$(SKOBJS)
SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
audit.o audit-bsm.o audit-linux.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth2.o auth-options.o session.o \
auth.o auth2.o auth2-methods.o auth-options.o session.o \
auth2-chall.o groupaccess.o \
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
srclimit.o sftp-server.o sftp-common.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o $(SKOBJS)
@ -207,7 +215,10 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -399,6 +410,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
@ -741,6 +753,7 @@ interop-tests t-exec file-tests extra-tests: regress-prep regress-binaries $(TAR
TEST_SSH_SCP="$(BUILDDIR)/scp" \
TEST_SSH_SSH="$(BUILDDIR)/ssh" \
TEST_SSH_SSHD="$(BUILDDIR)/sshd" \
TEST_SSH_SSHD_SESSION="$(BUILDDIR)/sshd-session" \
TEST_SSH_SSHAGENT="$(BUILDDIR)/ssh-agent" \
TEST_SSH_SSHADD="$(BUILDDIR)/ssh-add" \
TEST_SSH_SSHKEYGEN="$(BUILDDIR)/ssh-keygen" \
2
README
2
README
@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#9.7p1 for the release
See https://www.openssh.com/releasenotes.html#9.8p1 for the release
notes.
Please read https://www.openssh.com/report.html for bug reporting
@ -0,0 +1,15 @@
# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
# Copyright (C) 1996-2021 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
m4_include([m4/openssh.m4])
29
auth-pam.c
29
auth-pam.c
@ -67,11 +67,6 @@
#include <pam/pam_appl.h>
#endif
#if !defined(SSHD_PAM_SERVICE)
extern char *__progname;
# define SSHD_PAM_SERVICE __progname
#endif
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, SunOS */
@ -105,6 +100,7 @@ extern char *__progname;
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "srclimit.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@ -171,13 +167,13 @@ sshpam_sigchld_handler(int sig)
return;
}
}
if (WIFSIGNALED(sshpam_thread_status) &&
WTERMSIG(sshpam_thread_status) == SIGTERM)
return; /* terminated by pthread_cancel */
if (!WIFEXITED(sshpam_thread_status))
sigdie("PAM: authentication thread exited unexpectedly");
if (WEXITSTATUS(sshpam_thread_status) != 0)
sigdie("PAM: authentication thread exited uncleanly");
if (sshpam_thread_status == -1)
return;
if (WIFSIGNALED(sshpam_thread_status)) {
if (signal_is_crash(WTERMSIG(sshpam_thread_status)))
_exit(EXIT_CHILD_CRASH);
} else if (!WIFEXITED(sshpam_thread_status))
_exit(EXIT_CHILD_CRASH);
}
/* ARGSUSED */
@ -694,6 +690,8 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
const char **ptr_pam_user = &pam_user;
int r;
if (options.pam_service_name == NULL)
fatal_f("internal error: NULL PAM service name");
#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
/* Protect buggy PAM implementations from excessively long usernames */
if (strlen(user) >= PAM_MAX_RESP_SIZE)
@ -715,9 +713,10 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
sshpam_err =
pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
debug("PAM: initializing for \"%s\" with service \"%s\"", user,
options.pam_service_name);
sshpam_err = pam_start(options.pam_service_name, user,
&store_conv, &sshpam_handle);
sshpam_authctxt = authctxt;
if (sshpam_err != PAM_SUCCESS) {
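Review bot: In sshpam_sigchld_handler the two sigdie() calls are gone and the only action left is `_exit(EXIT_CHILD_CRASH)` when signal_is_crash() matches the terminating signal or the thread ended neither by exit nor by signal, so a PAM thread that exits with a non-zero status is no longer acted on inside the handler. A comment should record that this is deliberate, presumably because sigdie() logs and is not async-signal-safe, so the check is not re-added to the handler later: `/* Only async-signal-safe calls here: no logging. A non-zero exit status is not reported from this handler. */`. The pthread_cancel/SIGTERM case that the removed lines special-cased now relies on signal_is_crash(SIGTERM) being false; if that is the intent, a short note next to the call would make it explicit. The opening lines of the handler are outside the hunk.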
5
auth.h
5
auth.h
@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.107 2024/05/17 00:30:23 djm Exp $ */
/* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -159,8 +159,6 @@ void auth2_record_info(Authctxt *authctxt, const char *, ...)
void auth2_update_session_info(Authctxt *, const char *, const char *);
#ifdef KRB5
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int auth_krb5_password(Authctxt *authctxt, const char *password);
void krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */
@ -219,7 +217,6 @@ int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *);
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
int auth_activate_options(struct ssh *, struct sshauthopt *);
void auth_restrict_session(struct ssh *);
void auth_log_authopts(const char *, const struct sshauthopt *, int);
@ -1,4 +1,4 @@
/* $OpenBSD: auth2-gss.c,v 1.35 2024/05/17 00:30:23 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.36 2024/05/17 04:42:13 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -255,7 +255,6 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
int r, authenticated;
const char *displayname;
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
@ -287,7 +286,6 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
int r, authenticated = 0;
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
const char *displayname;
u_char *p;
size_t len;
@ -31,13 +31,13 @@
extern ServerOptions options;
/*
* Configuration of enabled authentication methods. Separate to the rest of
* Configuration of enabled authentication methods. Separate from the rest of
* auth2-*.c because we want to query it during server configuration validity
* checking in the sshd listener process without pulling all the auth code in
* too.
*/
/* "none" is allowed only one time and it cleared by userauth_none() later */
/* "none" is allowed only one time and it is cleared by userauth_none() later */
int none_enabled = 1;
struct authmethod_cfg methodcfg_none = {
"none",
@ -85,7 +85,7 @@ static struct authmethod_cfg *authmethod_cfgs[] = {
};
/*
* Check a comma-separated list of methods for validity. Is need_enable is
* Check a comma-separated list of methods for validity. If need_enable is
* non-zero, then also require that the methods are enabled.
* Returns 0 on success or -1 if the methods list is invalid.
*/
@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.154 2023/12/18 14:47:20 djm Exp $ */
/* $OpenBSD: channels.h,v 1.156 2024/05/23 23:47:16 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -85,7 +85,6 @@
struct ssh;
struct Channel;
typedef struct Channel Channel;
struct fwd_perm_list;
typedef void channel_open_fn(struct ssh *, int, int, void *);
typedef void channel_callback_fn(struct ssh *, int, int, void *);
@ -325,7 +324,6 @@ int channel_input_ieof(int, u_int32_t, struct ssh *);
int channel_input_oclose(int, u_int32_t, struct ssh *);
int channel_input_open_confirmation(int, u_int32_t, struct ssh *);
int channel_input_open_failure(int, u_int32_t, struct ssh *);
int channel_input_port_open(int, u_int32_t, struct ssh *);
int channel_input_window_adjust(int, u_int32_t, struct ssh *);
int channel_input_status_confirm(int, u_int32_t, struct ssh *);
4
cipher.c
4
cipher.c
@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.120 2023/10/10 06:49:54 tb Exp $ */
/* $OpenBSD: cipher.c,v 1.121 2024/05/17 02:39:11 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -372,7 +372,7 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
1, lastiv))
return SSH_ERR_LIBCRYPTO_ERROR;
/* set tag on decyption */
/* set tag on decryption */
if (!cc->encrypt &&
!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
authlen, (u_char *)src + aadlen + len))
@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.406 2024/05/09 09:46:47 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -193,7 +193,6 @@ TAILQ_HEAD(global_confirms, global_confirm);
static struct global_confirms global_confirms =
TAILQ_HEAD_INITIALIZER(global_confirms);
void ssh_process_session2_setup(int, int, int, struct sshbuf *);
static void quit_message(const char *fmt, ...)
__attribute__((__format__ (printf, 1, 2)));
@ -616,8 +615,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
if (timespeccmp(&now, &chaff_until, >=)) {
/* Stop if there have been no keystrokes for a while */
stop_reason = "chaff time expired";
} else if (timespeccmp(&now, &next_interval, >=)) {
/* Otherwise if we were due to send, then send chaff */
} else if (timespeccmp(&now, &next_interval, >=) &&
!ssh_packet_have_data_to_write(ssh)) {
/* If due to send but have no data, then send chaff */
if (send_chaff(ssh))
nchaff++;
}
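Review bot: The new else-if in obfuscate_keystroke_timing skips the whole chaff branch when the interval is due but ssh_packet_have_data_to_write() is true, and this hunk does not show whether next_interval is advanced in that case; if it is only rescheduled inside the branch, the deadline stays in the past until the write queue drains, which alters the chaff cadence this code exists to keep regular. A one-line comment on the else-if saying where the interval is rescheduled when real data pre-empts chaff, or moving the rescheduling above the data check, would settle it. The rest of the function, including the interval update, is outside the hunk.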
@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.37 2020/04/03 02:40:32 djm Exp $ */
/* $OpenBSD: clientloop.h,v 1.38 2024/05/17 06:42:04 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -43,7 +43,6 @@ struct ssh;
int client_loop(struct ssh *, int, int, int);
int client_x11_get_proto(struct ssh *, const char *, const char *,
u_int, u_int, char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(struct ssh *, int, int, int,
const char *, struct termios *, int, struct sshbuf *, char **);
char *client_request_tun_fwd(struct ssh *, int, int, int,
28
configure.ac
28
configure.ac
@ -1348,6 +1348,13 @@ EOD
AC_DEFINE([BROKEN_SETVBUF], [1],
[LynxOS has broken setvbuf() implementation])
;;
*-*-gnu*)
dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
dnl _GNU_SOURCE is needed for setres*id prototypes.
CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
;;
esac
AC_MSG_CHECKING([compiler and flags for sanity])
@ -2078,8 +2085,12 @@ AC_ARG_WITH([security-key-builtin],
enable_dsa=
AC_ARG_ENABLE([dsa-keys],
[ --disable-dsa-keys disable DSA key support [no]],
[ enable_dsa="$enableval" ]
[ --enable-dsa-keys enable DSA key support [no]],
[
if test "x$enableval" != "xno" ; then
enable_dsa=1
fi
]
)
AC_SEARCH_LIBS([dlopen], [dl])
@ -3188,8 +3199,9 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
]
)
openssl_dsa=no
if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
if test ! -z "$enable_dsa" ; then
AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
[ openssl_dsa=yes ],
@ -3199,15 +3211,6 @@ if test "x$openssl" = "xyes" ; then
[ #include <openssl/opensslconf.h> ]
)
AC_MSG_CHECKING([whether to enable DSA key support])
if test -z "$enable_dsa"; then
if test "x$openssl_dsa" = "xno"; then
AC_MSG_RESULT([not supported by OpenSSL])
else
AC_MSG_RESULT([yes])
AC_DEFINE([WITH_DSA], [1],
[DSA keys enabled by default])
fi
else
if test "x$openssl_dsa" = "xno"; then
AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
else
@ -3217,7 +3220,6 @@ if test "x$openssl" = "xyes" ; then
fi
fi
fi
fi
# PKCS11/U2F depend on OpenSSL and dlopen().
enable_pkcs11=yes
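Review bot: `if test ! -z "$enable_dsa" ; then` in the DSA probe is the double-negative spelling of `test -n`; `if test -n "$enable_dsa"; then` reads as what it means, probe OpenSSL for DSA only when the user explicitly asked for it, and matches the `test -z` form this file already uses for the same variable. The enclosing `if test "x$openssl" = "xyes"` block starts and ends outside the hunk.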
@ -1,4 +1,4 @@
%global ver 9.7p1
%global ver 9.8p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
@ -393,6 +393,7 @@ fi
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-session
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 9.7p1
Version: 9.8p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
@ -211,6 +211,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %dir %{_libdir}/ssh
%attr(0755,root,root) %{_libdir}/ssh/sftp-server
%attr(0755,root,root) %{_libdir}/ssh/sshd-session
%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libdir}/ssh/ssh-sk-helper
@ -103,6 +103,7 @@
/* Define if your platform needs to skip post auth
file descriptor passing */
/* #undef DISABLE_FD_PASSING */
#define DISABLE_FD_PASSING
|
||||
|
||||
/* Define if you don't want to use lastlog */
|
||||
/* #undef DISABLE_LASTLOG */
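Review bot: The new `#define DISABLE_FD_PASSING` sits directly under the comment `/* #undef DISABLE_FD_PASSING */`, so the header now carries two contradictory statements about the same symbol and the stale commented-out `#undef` should be removed. The surrounding comment only says the platform "needs to skip post auth file descriptor passing", which does not tell a reader why this build needs it; a one-line reason beside the define, e.g. `/* monitor/session fd passing is not available on this platform */`, would help. If this config.h is hand-maintained for Windows rather than generated by configure, the comment should say so, or the next regeneration will silently drop the define.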
|
||||
|
|
|
@ -447,6 +447,7 @@
|
|||
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_sshd.c" />
|
||||
<ClCompile Include="..\..\..\auth2-methods.c" />
|
||||
<ClCompile Include="..\..\..\misc.c" />
|
||||
<ClCompile Include="..\..\..\platform-listen.c" />
|
||||
<ClCompile Include="..\..\..\srclimit.c" />
|
||||
<ClCompile Include="..\..\..\ssh-sk-client.c" />
|
||||
<ClCompile Include="..\..\..\sshkey.c" />
|
||||
|
|
|
@ -93,6 +93,9 @@
|
|||
<ClCompile Include="..\..\..\auth2-methods.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="..\..\..\platform-listen.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ResourceCompile Include="version.rc">
|
||||
|
|
|
@ -33,6 +33,9 @@
|
|||
#define W32_SIGKILL 17
|
||||
#define W32_SIGUSR1 18
|
||||
#define W32_SIGUSR2 19
|
||||
#define W32_SIGBUS 20
|
||||
#define W32_SIGTRAP 21
|
||||
#define W32_SIGSYS 22
|
||||
|
||||
/* singprocmask "how" codes*/
|
||||
#define SIG_BLOCK 0
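Review bot: The three new W32_ signal numbers (20-22) extend the numbering that the SIG* aliases in the second hunk (around the sigaction prototype) map onto, but nothing in either hunk shows that whatever bounds the per-signal handler table (a maximum-signal constant or array length, if this header or the Win32 signal implementation has one) was raised to cover them; if such a bound exists and keeps its old value, registering a handler for SIGBUS, SIGTRAP or SIGSYS would index past it. That is inferred, not visible here, so please confirm. If these values exist only so that signal_is_crash() in misc.c compiles on Windows and are never delivered, a comment on the new lines saying so, e.g. `/* never raised on Windows; defined so signal_is_crash() compiles */`, would stop someone from later wiring handlers to them.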
|
||||
|
@ -96,6 +99,9 @@ int sigaction(int signum, const struct sigaction * act, struct sigaction * oldac
|
|||
#define SIGKILL W32_SIGKILL
|
||||
#define SIGUSR1 W32_SIGUSR1
|
||||
#define SIGUSR2 W32_SIGUSR2
|
||||
#define SIGBUS W32_SIGBUS
|
||||
#define SIGTRAP W32_SIGTRAP
|
||||
#define SIGSYS W32_SIGSYS
|
||||
|
||||
#define SIG_DFL W32_SIG_DFL
|
||||
#define SIG_IGN W32_SIG_IGN
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/bin/sh
|
||||
# $OpenBSD: ed25519.sh,v 1.1 2023/01/15 23:05:32 djm Exp $
|
||||
# $OpenBSD: ed25519.sh,v 1.2 2024/05/17 02:39:11 jsg Exp $
|
||||
# Placed in the Public Domain.
|
||||
#
|
||||
AUTHOR="supercop-20221122/crypto_sign/ed25519/ref/implementors"
|
||||
|
@ -74,7 +74,7 @@ for i in $FILES; do
|
|||
sed -e "s/crypto_sign_open/crypto_sign_ed25519_open/g"
|
||||
;;
|
||||
*/crypto_sign/ed25519/ref/fe25519.*)
|
||||
# avoid a couple of name collions with other files
|
||||
# avoid a couple of name collisions with other files
|
||||
sed -e "s/reduce_add_sub/fe25519_reduce_add_sub/g" \
|
||||
-e "s/ equal[(]/ fe25519_equal(/g" \
|
||||
-e "s/^int /static int /g"
|
||||
|
|
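--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.61 2023/12/06 21:06:48 djm Exp $ */
+/* $OpenBSD: log.c,v 1.62 2024/06/27 22:36:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -452,19 +452,6 @@ sshlogdie(const char *file, const char *func, int line, int showfunc,
 	cleanup_exit(255);
 }
 
-void
-sshsigdie(const char *file, const char *func, int line, int showfunc,
-    LogLevel level, const char *suffix, const char *fmt, ...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
-	    suffix, fmt, args);
-	va_end(args);
-	_exit(1);
-}
-
 void
 sshlogv(const char *file, const char *func, int line, int showfunc,
     LogLevel level, const char *suffix, const char *fmt, va_list args)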
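--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.h,v 1.33 2021/04/15 16:24:31 markus Exp $ */
+/* $OpenBSD: log.h,v 1.34 2024/06/27 22:36:44 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -72,9 +72,6 @@ void sshlog(const char *, const char *, int, int,
     __attribute__((format(printf, 7, 8)));
 void sshlogv(const char *, const char *, int, int,
     LogLevel, const char *, const char *, va_list);
-void sshsigdie(const char *, const char *, int, int,
-    LogLevel, const char *, const char *, ...) __attribute__((noreturn))
-    __attribute__((format(printf, 7, 8)));
 void sshlogdie(const char *, const char *, int, int,
     LogLevel, const char *, const char *, ...) __attribute__((noreturn))
     __attribute__((format(printf, 7, 8)));
@@ -93,7 +90,6 @@ void sshlogdirect(LogLevel, int, const char *, ...)
 #define error(...) sshlog(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
 #define fatal(...) sshfatal(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_FATAL, NULL, __VA_ARGS__)
 #define logdie(...) sshlogdie(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
-#define sigdie(...) sshsigdie(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
 
 /* Variants that prepend the caller's function */
 #define do_log2_f(level, ...) sshlog(__FILE__, __func__, __LINE__, 1, level, NULL, __VA_ARGS__)
@@ -105,7 +101,6 @@ void sshlogdirect(LogLevel, int, const char *, ...)
 #define error_f(...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
 #define fatal_f(...) sshfatal(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_FATAL, NULL, __VA_ARGS__)
 #define logdie_f(...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
-#define sigdie_f(...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__)
 
 /* Variants that appends a ssh_err message */
 #define do_log2_r(r, level, ...) sshlog(__FILE__, __func__, __LINE__, 0, level, ssh_err(r), __VA_ARGS__)
@@ -117,7 +112,6 @@ void sshlogdirect(LogLevel, int, const char *, ...)
 #define error_r(r, ...) sshlog(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
 #define fatal_r(r, ...) sshfatal(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_FATAL, ssh_err(r), __VA_ARGS__)
 #define logdie_r(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
-#define sigdie_r(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 0, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
 #define do_log2_fr(r, level, ...) sshlog(__FILE__, __func__, __LINE__, 1, level, ssh_err(r), __VA_ARGS__)
 #define debug3_fr(r, ...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_DEBUG3, ssh_err(r), __VA_ARGS__)
 #define debug2_fr(r, ...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_DEBUG2, ssh_err(r), __VA_ARGS__)
@@ -127,6 +121,5 @@ void sshlogdirect(LogLevel, int, const char *, ...)
 #define error_fr(r, ...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
 #define fatal_fr(r, ...) sshfatal(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_FATAL, ssh_err(r), __VA_ARGS__)
 #define logdie_fr(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
-#define sigdie_fr(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__)
 
 #endif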
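--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.194 2024/05/17 00:30:23 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -621,7 +621,7 @@ int
 convtime(const char *s)
 {
 	int secs, total = 0, multiplier;
-	char *p, *os, *np, c;
+	char *p, *os, *np, c = 0;
 	const char *errstr;
 
 	if (s == NULL || *s == '\0')
@@ -3228,3 +3228,19 @@ lib_contains_symbol(const char *path, const char *s)
 	return 0;
 #endif /* WINDOWS */
 }
+
+int
+signal_is_crash(int sig)
+{
+	switch (sig) {
+	case SIGSEGV:
+	case SIGBUS:
+	case SIGTRAP:
+	case SIGSYS:
+	case SIGFPE:
+	case SIGILL:
+	case SIGABRT:
+		return 1;
+	}
+	return 0;
+}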
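Review bot: signal_is_crash() carries no comment stating its contract, and of the seven signals it lists only SIGSEGV, SIGFPE, SIGILL and SIGABRT are required by ISO C; SIGBUS, SIGTRAP and SIGSYS are POSIX, so the function compiles only where the signal headers or a compat shim (the W32_ additions elsewhere in this commit) provide them, which is worth saying at the definition. A header comment such as `/* Return 1 if sig indicates the process crashed (memory fault, illegal instruction, trap, bad syscall or abort), 0 for any other signal; used by the monitor to classify how the preauth child died. */` would give callers what they need, the last clause being grounded in the signal_is_crash(WTERMSIG(status)) call in monitor_wrap.c. The `c = 0` initialisation in convtime() is fine as a warning fix, but the variable is still assigned from the input before it is read, so a reviewer may wonder which path the uninitialised-use warning came from; a short comment there would pre-empt that.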
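--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.108 2024/05/17 00:30:24 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -255,6 +255,7 @@ void notify_complete(struct notifier_ctx *, const char *, ...)
 
 typedef void (*sshsig_t)(int);
 sshsig_t ssh_signal(int, sshsig_t);
+int signal_is_crash(int);
 
 /* On OpenBSD time_t is int64_t which is long long. */
 /* #define SSH_TIME_T_MAX LLONG_MAX */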
@ -0,0 +1,74 @@
|
|||
MODULI(5) File Formats Manual MODULI(5)
|
||||
|
||||
NAME
|
||||
moduli M-bM-^@M-^S Diffie-Hellman moduli
|
||||
|
||||
DESCRIPTION
|
||||
The /etc/moduli file contains prime numbers and generators for use by
|
||||
sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
|
||||
|
||||
New moduli may be generated with ssh-keygen(1) using a two-step process.
|
||||
An initial candidate generation pass, using ssh-keygen -M generate,
|
||||
calculates numbers that are likely to be useful. A second primality
|
||||
testing pass, using ssh-keygen -M screen, provides a high degree of
|
||||
assurance that the numbers are prime and are safe for use in Diffie-
|
||||
Hellman operations by sshd(8). This moduli format is used as the output
|
||||
from each pass.
|
||||
|
||||
The file consists of newline-separated records, one per modulus,
|
||||
containing seven space-separated fields. These fields are as follows:
|
||||
|
||||
timestamp The time that the modulus was last processed as
|
||||
YYYYMMDDHHMMSS.
|
||||
|
||||
type Decimal number specifying the internal structure of
|
||||
the prime modulus. Supported types are:
|
||||
|
||||
0 Unknown, not tested.
|
||||
2 "Safe" prime; (p-1)/2 is also prime.
|
||||
4 Sophie Germain; 2p+1 is also prime.
|
||||
|
||||
Moduli candidates initially produced by ssh-keygen(1)
|
||||
are Sophie Germain primes (type 4). Further primality
|
||||
testing with ssh-keygen(1) produces safe prime moduli
|
||||
(type 2) that are ready for use in sshd(8). Other
|
||||
types are not used by OpenSSH.
|
||||
|
||||
tests Decimal number indicating the type of primality tests
|
||||
that the number has been subjected to represented as a
|
||||
bitmask of the following values:
|
||||
|
||||
0x00 Not tested.
|
||||
0x01 Composite number M-bM-^@M-^S not prime.
|
||||
0x02 Sieve of Eratosthenes.
|
||||
0x04 Probabilistic Miller-Rabin primality tests.
|
||||
|
||||
The ssh-keygen(1) moduli candidate generation uses the
|
||||
Sieve of Eratosthenes (flag 0x02). Subsequent
|
||||
ssh-keygen(1) primality tests are Miller-Rabin tests
|
||||
(flag 0x04).
|
||||
|
||||
trials Decimal number indicating the number of primality
|
||||
trials that have been performed on the modulus.
|
||||
|
||||
size Decimal number indicating the size of the prime in
|
||||
bits.
|
||||
|
||||
generator The recommended generator for use with this modulus
|
||||
(hexadecimal).
|
||||
|
||||
modulus The modulus itself in hexadecimal.
|
||||
|
||||
When performing Diffie-Hellman Group Exchange, sshd(8) first estimates
|
||||
the size of the modulus required to produce enough Diffie-Hellman output
|
||||
to sufficiently key the selected symmetric cipher. sshd(8) then randomly
|
||||
selects a modulus from /etc/moduli that best meets the size requirement.
|
||||
|
||||
SEE ALSO
|
||||
ssh-keygen(1), sshd(8)
|
||||
|
||||
STANDARDS
|
||||
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
|
||||
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
|
||||
|
||||
OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
|
10
monitor.c
10
monitor.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor.c,v 1.238 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.240 2024/06/06 17:15:25 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -126,8 +126,6 @@ int mm_answer_keyverify(struct ssh *, int, struct sshbuf *);
|
|||
int mm_answer_pty(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_pty_cleanup(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_term(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_sesskey(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_sessid(struct ssh *, int, struct sshbuf *);
|
||||
|
||||
#ifdef USE_PAM
|
||||
int mm_answer_pam_start(struct ssh *, int, struct sshbuf *);
|
||||
|
@ -168,6 +166,7 @@ static u_int session_id2_len = 0;
|
|||
#endif /* WINDOWS */
|
||||
static u_char *session_id2 = NULL;
|
||||
static pid_t monitor_child_pid;
|
||||
int auth_attempted = 0;
|
||||
|
||||
struct mon_table {
|
||||
enum monitor_reqtype type;
|
||||
|
@ -303,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
|||
authenticated = (monitor_read(ssh, pmonitor,
|
||||
mon_dispatch, &ent) == 1);
|
||||
|
||||
/* Record that auth was attempted to set exit status later */
|
||||
if ((ent->flags & MON_AUTH) != 0)
|
||||
auth_attempted = 1;
|
||||
|
||||
/* Special handling for multiple required authentications */
|
||||
if (options.num_auth_methods != 0) {
|
||||
if (authenticated &&
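Review bot: `auth_attempted` is set to 1 here for every request whose table entry carries MON_AUTH, whether the method succeeded or not, and is cleared only on the success path in the later hunk (`auth_attempted = 0;` after "authenticated by privileged process"), so after a successful login it reads as "no attempt pending"; that looks intended, since the comment says it feeds the exit status, but the semantics deserve a sentence at the definition, e.g. `/* Non-zero once an authentication attempt has been seen and not yet succeeded; consulted when the preauth child goes away to choose sshd's exit status. */`. The variable is defined with external linkage (`int auth_attempted = 0;` in the earlier hunk) and no declaration for it appears in this diff; if only monitor.c reads it, make it `static`, otherwise it needs a declaration in a header rather than an `extern` in the consumer. monitor_child_preauth() begins and ends outside this hunk.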
|
||||
|
@ -360,6 +363,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
|||
fatal_f("authentication method name unknown");
|
||||
|
||||
debug_f("user %s authenticated by privileged process", authctxt->user);
|
||||
auth_attempted = 0;
|
||||
ssh->authctxt = NULL;
|
||||
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor_wrap.c,v 1.130 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.c,v 1.136 2024/06/19 23:24:47 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
|
@ -29,6 +29,7 @@
|
|||
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <pwd.h>
|
||||
|
@ -73,6 +74,7 @@
|
|||
#include "session.h"
|
||||
#include "servconf.h"
|
||||
#include "monitor_wrap.h"
|
||||
#include "srclimit.h"
|
||||
|
||||
#include "ssherr.h"
|
||||
|
||||
|
@ -132,6 +134,37 @@ mm_is_monitor(void)
|
|||
return (pmonitor && pmonitor->m_pid > 0);
|
||||
}
|
||||
|
||||
static void
|
||||
mm_reap(void)
|
||||
{
|
||||
int status = -1;
|
||||
|
||||
if (!mm_is_monitor())
|
||||
return;
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1) {
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
pmonitor->m_pid = -1;
|
||||
fatal_f("waitpid: %s", strerror(errno));
|
||||
}
|
||||
if (WIFEXITED(status)) {
|
||||
if (WEXITSTATUS(status) != 0) {
|
||||
debug_f("preauth child exited with status %d",
|
||||
WEXITSTATUS(status));
|
||||
cleanup_exit(255);
|
||||
}
|
||||
} else if (WIFSIGNALED(status)) {
|
||||
error_f("preauth child terminated by signal %d",
|
||||
WTERMSIG(status));
|
||||
cleanup_exit(signal_is_crash(WTERMSIG(status)) ?
|
||||
EXIT_CHILD_CRASH : 255);
|
||||
} else {
|
||||
error_f("preauth child terminated abnormally (status=0x%x)",
|
||||
status);
|
||||
cleanup_exit(EXIT_CHILD_CRASH);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
|
||||
{
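Review bot: mm_reap() treats every waitpid() failure other than EINTR as fatal, so if anything else in the monitor can already have reaped the child (a SIGCHLD handler, or a second call on the same shutdown path), ECHILD turns an orderly EPIPE shutdown into `fatal_f("waitpid: ...")`; either confirm no other reaper exists or handle ECHILD by returning. A child that exited with status 0 falls out of mm_reap() silently and the callers in the later mm_request_send and mm_request_receive hunks then call cleanup_exit(255) themselves, which is correct but not obvious from the function; a header comment such as `/* Reap the preauth child after the monitor socket closed and exit with a status reflecting how it died; returns only when it exited cleanly. */` would make the contract explicit. The `errno == EPIPE` tests on the read side of mm_request_receive depend on atomicio() reporting a zero-length read as errno=EPIPE, which a plain read() never does, so a comment at those checks, e.g. `/* atomicio() maps EOF to EPIPE */`, would save the next reader from doubting them.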
|
||||
|
@ -144,24 +177,30 @@ mm_request_send(int sock, enum monitor_reqtype type, struct sshbuf *m)
|
|||
fatal_f("bad length %zu", mlen);
|
||||
POKE_U32(buf, mlen + 1);
|
||||
buf[4] = (u_char) type; /* 1st byte of payload is mesg-type */
|
||||
if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
|
||||
fatal_f("write: %s", strerror(errno));
|
||||
if (atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen)
|
||||
if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf) ||
|
||||
atomicio(vwrite, sock, sshbuf_mutable_ptr(m), mlen) != mlen) {
|
||||
if (errno == EPIPE) {
|
||||
debug3_f("monitor fd closed");
|
||||
mm_reap();
|
||||
cleanup_exit(255);
|
||||
}
|
||||
fatal_f("write: %s", strerror(errno));
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
mm_request_receive(int sock, struct sshbuf *m)
|
||||
{
|
||||
u_char buf[4], *p = NULL;
|
||||
u_int msg_len;
|
||||
int r;
|
||||
int oerrno, r;
|
||||
|
||||
debug3_f("entering");
|
||||
|
||||
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
|
||||
if (errno == EPIPE) {
|
||||
debug3_f("monitor fd closed");
|
||||
mm_reap();
|
||||
cleanup_exit(255);
|
||||
}
|
||||
fatal_f("read: %s", strerror(errno));
|
||||
|
@ -172,8 +211,13 @@ mm_request_receive(int sock, struct sshbuf *m)
|
|||
sshbuf_reset(m);
|
||||
if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
|
||||
fatal_fr(r, "reserve");
|
||||
if (atomicio(read, sock, p, msg_len) != msg_len)
|
||||
fatal_f("read: %s", strerror(errno));
|
||||
if (atomicio(read, sock, p, msg_len) != msg_len) {
|
||||
oerrno = errno;
|
||||
error_f("read: %s", strerror(errno));
|
||||
if (oerrno == EPIPE)
|
||||
mm_reap();
|
||||
cleanup_exit(255);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: monitor_wrap.h,v 1.50 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: monitor_wrap.h,v 1.51 2024/05/17 06:42:04 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
|
@ -88,10 +88,6 @@ void mm_terminate(void);
|
|||
int mm_pty_allocate(int *, int *, char *, size_t);
|
||||
void mm_session_pty_cleanup2(struct Session *);
|
||||
|
||||
/* Key export functions */
|
||||
struct newkeys *mm_newkeys_from_blob(u_char *, int);
|
||||
int mm_newkeys_to_blob(int, u_char **, u_int *);
|
||||
|
||||
void mm_send_keystate(struct ssh *, struct monitor*);
|
||||
|
||||
/* bsdauth */
|
||||
|
|
|
@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
|
|||
error_f("socket \"%s\": %s", path, strerror(errno));
|
||||
goto out;
|
||||
}
|
||||
if (connect(fd, &addr, sizeof(addr)) != 0) {
|
||||
if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
|
||||
error_f("socket \"%s\" connect: %s", path, strerror(errno));
|
||||
goto out;
|
||||
}
|
||||
|
|
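--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.314 2024/05/17 00:30:24 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.315 2024/05/31 08:49:35 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -539,7 +539,7 @@ ssh_remote_ipaddr(struct ssh *ssh)
  * be freed. NB. this will usually trigger a DNS query. Return value is on
  * heap and no caching is performed.
  * This function does additional checks on the hostname to mitigate some
- * attacks on based on conflation of hostnames and addresses and will
+ * attacks based on conflation of hostnames and addresses and will
  * fall back to returning an address on error.
  */
 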
4
packet.h
4
packet.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: packet.h,v 1.97 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: packet.h,v 1.98 2024/05/17 06:42:04 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -124,14 +124,12 @@ int ssh_packet_send2_wrapped(struct ssh *);
|
|||
int ssh_packet_send2(struct ssh *);
|
||||
|
||||
int ssh_packet_read(struct ssh *);
|
||||
int ssh_packet_read_poll(struct ssh *);
|
||||
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
|
||||
int ssh_packet_process_read(struct ssh *, int);
|
||||
int ssh_packet_read_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||
int ssh_packet_read_poll_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||
|
||||
const void *ssh_packet_get_string_ptr(struct ssh *, u_int *length_ptr);
|
||||
void ssh_packet_disconnect(struct ssh *, const char *fmt, ...)
|
||||
__attribute__((format(printf, 2, 3)))
|
||||
__attribute__((noreturn));
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
/*
|
||||
* Copyright (c) 2006 Darren Tucker. All rights reserved.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "misc.h"
|
||||
#include "platform.h"
|
||||
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
{
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
/* Adjust out-of-memory killer so listening process is not killed */
|
||||
oom_adjust_setup();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_listen(void)
|
||||
{
|
||||
#ifdef SYSTEMD_NOTIFY
|
||||
ssh_systemd_notify_ready();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_pre_fork(void)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_pre_fork();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_pre_restart(void)
|
||||
{
|
||||
#ifdef SYSTEMD_NOTIFY
|
||||
ssh_systemd_notify_reload();
|
||||
#endif
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
oom_adjust_restore();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_fork_parent(pid_t child_pid)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_post_fork_parent(child_pid);
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_fork_child(void)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_post_fork_child();
|
||||
#endif
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
oom_adjust_restore();
|
||||
#endif
|
||||
}
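Review bot: None of the six platform_* hooks in this new file says which process calls it, and since the file now holds only the listener-side hooks split out of platform.c (the matching removal is in the platform.c section below), a file-level comment would spare the next reader a grep, e.g. `/* Platform hooks run by the sshd listener process: OOM-killer adjustment, systemd readiness/reload notification and Solaris process contracts around fork(). Per-session hooks remain in platform.c. */`. Of the headers included, "log.h" and "misc.h" are not used by anything visible in the file; drop them unless something behind the #ifdefs needs them. platform_pre_restart() and platform_post_fork_child() both call oom_adjust_restore(), presumably one for the re-exec'd listener and one for the connection child, and a one-line note at each call would make that explicit.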
|
||||
|
60
platform.c
60
platform.c
|
@ -32,64 +32,8 @@
|
|||
|
||||
#include "openbsd-compat/openbsd-compat.h"
|
||||
|
||||
extern int use_privsep;
|
||||
extern ServerOptions options;
|
||||
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
{
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
/* Adjust out-of-memory killer so listening process is not killed */
|
||||
oom_adjust_setup();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_listen(void)
|
||||
{
|
||||
#ifdef SYSTEMD_NOTIFY
|
||||
ssh_systemd_notify_ready();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_pre_fork(void)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_pre_fork();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_pre_restart(void)
|
||||
{
|
||||
#ifdef SYSTEMD_NOTIFY
|
||||
ssh_systemd_notify_reload();
|
||||
#endif
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
oom_adjust_restore();
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_fork_parent(pid_t child_pid)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_post_fork_parent(child_pid);
|
||||
#endif
|
||||
}
|
||||
|
||||
void
|
||||
platform_post_fork_child(void)
|
||||
{
|
||||
#ifdef USE_SOLARIS_PROCESS_CONTRACTS
|
||||
solaris_contract_post_fork_child();
|
||||
#endif
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
oom_adjust_restore();
|
||||
#endif
|
||||
}
|
||||
|
||||
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
|
||||
int
|
||||
platform_privileged_uidswap(void)
|
||||
|
@ -136,7 +80,7 @@ platform_setusercontext(struct passwd *pw)
|
|||
*/
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(use_privsep);
|
||||
do_pam_setcred();
|
||||
}
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
|
@ -164,7 +108,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
|
|||
* Reestablish them here.
|
||||
*/
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(use_privsep);
|
||||
do_pam_setcred();
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.386 2024/03/04 04:13:18 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.387 2024/05/17 02:39:11 jsg Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -3363,7 +3363,7 @@ parse_ssh_uri(const char *uri, char **userp, char **hostp, int *portp)
|
|||
return r;
|
||||
}
|
||||
|
||||
/* XXX the following is a near-vebatim copy from servconf.c; refactor */
|
||||
/* XXX the following is a near-verbatim copy from servconf.c; refactor */
|
||||
static const char *
|
||||
fmt_multistate_int(int val, const struct multistate *m)
|
||||
{
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $
|
||||
# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $
|
||||
|
||||
tests: prep file-tests t-exec unit
|
||||
|
||||
|
@ -109,7 +109,9 @@ LTESTS= connect \
|
|||
connection-timeout \
|
||||
match-subsystem \
|
||||
agent-pkcs11-restrict \
|
||||
agent-pkcs11-cert
|
||||
agent-pkcs11-cert \
|
||||
penalty \
|
||||
penalty-expire
|
||||
|
||||
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
|
||||
INTEROP_TESTS+= dropbear-ciphers dropbear-kex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
|
||||
# $OpenBSD: dropbear-ciphers.sh,v 1.3 2024/06/20 08:23:18 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="dropbear ciphers"
|
||||
|
@ -7,13 +7,18 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
|
|||
skip "dropbear interop tests not enabled"
|
||||
fi
|
||||
|
||||
# Enable all support algorithms
|
||||
algs=`$SSH -Q key-sig | tr '\n' ,`
|
||||
cat >>$OBJ/sshd_proxy <<EOD
|
||||
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
|
||||
HostkeyAlgorithms +ssh-rsa,ssh-dss
|
||||
PubkeyAcceptedAlgorithms $algs
|
||||
HostkeyAlgorithms $algs
|
||||
EOD
|
||||
|
||||
ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
|
||||
macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
|
||||
ciphers=`$DBCLIENT -c help hst 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
|
||||
macs=`$DBCLIENT -m help hst 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
|
||||
if [ -z "$macs" ] || [ -z "$ciphers" ]; then
|
||||
skip "dbclient query ciphers '$ciphers' or macs '$macs' failed"
|
||||
fi
|
||||
keytype=`(cd $OBJ/.dropbear && ls id_*)`
|
||||
|
||||
for c in $ciphers ; do
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
|
||||
# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="dropbear kex"
|
||||
|
@ -7,21 +7,19 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
|
|||
skip "dropbear interop tests not enabled"
|
||||
fi
|
||||
|
||||
cat >>$OBJ/sshd_proxy <<EOD
|
||||
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
|
||||
HostkeyAlgorithms +ssh-rsa,ssh-dss
|
||||
EOD
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
|
||||
|
||||
kex="curve25519-sha256 curve25519-sha256@libssh.org
|
||||
diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
|
||||
kex="curve25519-sha256 curve25519-sha256@libssh.org"
|
||||
if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then
|
||||
kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
|
||||
fi
|
||||
|
||||
for k in $kex; do
|
||||
verbose "$tid: kex $k"
|
||||
rm -f ${COPY}
|
||||
# dbclient doesn't have switch for kex, so force in server
|
||||
(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
|
||||
env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \
|
||||
env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
|
||||
-J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "ssh cat $DATA failed"
|
||||
|
|
|
@ -112,7 +112,6 @@ reset_idtab(void)
|
|||
idtab_init();
|
||||
// Load keys.
|
||||
add_key(PRIV_RSA, CERT_RSA);
|
||||
add_key(PRIV_DSA, CERT_DSA);
|
||||
add_key(PRIV_ECDSA, CERT_ECDSA);
|
||||
add_key(PRIV_ED25519, CERT_ED25519);
|
||||
add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK);
|
||||
|
|
|
@ -144,7 +144,6 @@ static int
|
|||
prepare_keys(struct shared_state *st)
|
||||
{
|
||||
if (prepare_key(st, KEY_RSA, 2048) != 0 ||
|
||||
prepare_key(st, KEY_DSA, 1024) != 0 ||
|
||||
prepare_key(st, KEY_ECDSA, 256) != 0 ||
|
||||
prepare_key(st, KEY_ED25519, 256) != 0) {
|
||||
error_f("key prepare failed");
|
||||
|
@ -264,10 +263,6 @@ prepare_key(struct shared_state *st, int kt, int bits)
|
|||
pubstr = PUB_RSA;
|
||||
privstr = PRIV_RSA;
|
||||
break;
|
||||
case KEY_DSA:
|
||||
pubstr = PUB_DSA;
|
||||
privstr = PRIV_DSA;
|
||||
break;
|
||||
case KEY_ECDSA:
|
||||
pubstr = PUB_ECDSA;
|
||||
privstr = PRIV_ECDSA;
|
||||
|
@ -325,7 +320,7 @@ int main(void)
|
|||
{
|
||||
static struct shared_state *st;
|
||||
struct test_state *ts;
|
||||
const int keytypes[] = { KEY_RSA, KEY_DSA, KEY_ECDSA, KEY_ED25519, -1 };
|
||||
const int keytypes[] = { KEY_RSA, KEY_ECDSA, KEY_ED25519, -1 };
|
||||
static const char * const kextypes[] = {
|
||||
"sntrup761x25519-sha512@openssh.com",
|
||||
"curve25519-sha256@libssh.org",
|
||||
|
@ -399,7 +394,6 @@ static void
|
|||
do_kex(struct shared_state *st, struct test_state *ts, const char *kex)
|
||||
{
|
||||
do_kex_with_key(st, ts, kex, KEY_RSA);
|
||||
do_kex_with_key(st, ts, kex, KEY_DSA);
|
||||
do_kex_with_key(st, ts, kex, KEY_ECDSA);
|
||||
do_kex_with_key(st, ts, kex, KEY_ED25519);
|
||||
}
|
||||
|
|
|
@ -26,7 +26,6 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
|
|||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
|
||||
static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
|
||||
static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
|
||||
static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
|
||||
static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
|
||||
|
@ -41,19 +40,20 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
|
|||
sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
details = NULL;
|
||||
sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
details = NULL;
|
||||
|
||||
sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
details = NULL;
|
||||
|
||||
sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
details = NULL;
|
||||
|
||||
sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
details = NULL;
|
||||
#endif
|
||||
|
||||
sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
|
||||
sshkey_sig_details_free(details);
|
||||
return 0;
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
# $OpenBSD
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="penalties"
|
||||
|
||||
grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
|
||||
cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
|
||||
|
||||
conf() {
|
||||
test -z "$PIDFILE" || stop_sshd
|
||||
(cat $OBJ/sshd_config.bak ;
|
||||
echo "PerSourcePenalties $@") > $OBJ/sshd_config
|
||||
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
|
||||
start_sshd
|
||||
}
|
||||
|
||||
conf "noauth:10s authfail:10s max:20s min:1s"
|
||||
|
||||
verbose "test connect"
|
||||
${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
|
||||
|
||||
verbose "penalty expiry"
|
||||
|
||||
# Incur a penalty
|
||||
cat /dev/null > $OBJ/authorized_keys_${USER}
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
|
||||
sleep 2
|
||||
|
||||
# Check denied
|
||||
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
|
||||
|
||||
# Let it expire and try again.
|
||||
sleep 11
|
||||
${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
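Review bot: The expiry check rests on fixed wall-clock sleeps against a 10s penalty: the "Check denied" attempt runs roughly 2s after the failing connect and the final attempt roughly 13s after it, so on a slow or loaded host the first can arrive after the penalty has already lapsed (and `fatal` spuriously) while the second has only a few seconds of margin; a longer penalty such as `authfail:30s` with proportionally scaled sleeps, or a short retry loop around the final check, would make the test less timing-sensitive. The `sleep 2` after the failing connect is presumably there because the penalty is recorded when the session process exits rather than when the client disconnects, and that deserves a comment such as `# allow sshd to account the penalty after the session exits`, since as written the step looks like it could run immediately. Using `fatal` for the denial check but `fail` for the expiry check also means a denial failure aborts before the expiry result is ever reported.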
|
|
@ -0,0 +1,52 @@
|
|||
# $OpenBSD
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="penalties"
|
||||
|
||||
grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
|
||||
cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
|
||||
|
||||
conf() {
|
||||
test -z "$PIDFILE" || stop_sshd
|
||||
(cat $OBJ/sshd_config.bak ;
|
||||
echo "PerSourcePenalties $@") > $OBJ/sshd_config
|
||||
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
|
||||
start_sshd
|
||||
}
|
||||
|
||||
conf "authfail:300s min:350s max:900s"
|
||||
|
||||
verbose "test connect"
|
||||
${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
|
||||
|
||||
verbose "penalty for authentication failure"
|
||||
|
||||
# Fail authentication once
|
||||
cat /dev/null > $OBJ/authorized_keys_${USER}
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
|
||||
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
|
||||
sleep 2
|
||||
|
||||
# Should be below penalty threshold
|
||||
${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
|
||||
sleep 2
|
||||
|
||||
# Fail authentication again; penalty should activate
|
||||
cat /dev/null > $OBJ/authorized_keys_${USER}
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
|
||||
cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
|
||||
sleep 2
|
||||
|
||||
# These should be refused by the active penalty
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
|
||||
${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
|
||||
|
||||
conf "noauth:100s"
|
||||
${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
|
||||
verbose "penalty for no authentication"
|
||||
${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
|
||||
sleep 2
|
||||
|
||||
# Repeat attempt should be penalised
|
||||
${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
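Review bot: The two `fatal` messages in the authentication-failure section (the lines after `# Fail authentication once` and `# Fail authentication again`) read `noauth connect succeeded`, but those steps exercise the `authfail` penalty, so a failure report would point at the wrong mechanism; `fatal "authfail connect succeeded"` matches the later `fail "authfail not rejected"` wording, and the `noauth` label belongs only to the ssh-keyscan steps at the end. The opening `grep -vi PerSourcePenalties` also relies on test-exec.sh emitting exactly that keyword in the generated config; a comment such as `# drop the harness default (PerSourcePenalties no) so conf() can set its own` would make the dependency explicit.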
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: rekey.sh,v 1.19 2021/07/19 05:08:54 dtucker Exp $
|
||||
# $OpenBSD: rekey.sh,v 1.20 2024/05/22 04:20:00 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="rekey"
|
||||
|
@ -14,7 +14,7 @@ ssh_data_rekeying()
|
|||
{
|
||||
_kexopt=$1 ; shift
|
||||
_opts="$@"
|
||||
if ! test -z "$_kexopts" ; then
|
||||
if ! test -z "$_kexopt" ; then
|
||||
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
||||
echo "$_kexopt" >> $OBJ/sshd_proxy
|
||||
_opts="$_opts -o$_kexopt"
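Review bot: ssh_data_rekeying has no comment stating what its first argument does, and now that the `$_kexopt` branch is live for the first time every rekey case passing a KEX/cipher/MAC option is exercising a sshd_proxy restriction path that was silently skipped before; a header line such as `# $1: algorithm option (e.g. KexAlgorithms=...) applied to both sshd_proxy and the client; remaining args: extra ssh options` would make the contract clear. The body of ssh_data_rekeying continues outside the hunk. Since the typo was a silent no-op, it may be worth considering whether the regress scripts could run under `set -u` so an unset variable fails loudly, though that is a harness-wide change rather than one for this file.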
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sftp-cmds.sh,v 1.19 2024/03/29 10:40:07 dtucker Exp $
|
||||
# $OpenBSD: sftp-cmds.sh,v 1.20 2024/07/01 03:10:19 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
# XXX - TODO:
|
||||
|
@ -32,7 +32,7 @@ rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
|
|||
mkdir ${COPY}.dd
|
||||
|
||||
verbose "$tid: lls"
|
||||
printf "cd ${OBJ}\nlls\n" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
|
||||
printf "lcd ${OBJ}\nlls\n" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
|
||||
grep copy.dd >/dev/null || fail "lls failed"
|
||||
|
||||
verbose "$tid: lls w/path"
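Review bot: The `lls` check passes if any line of the listing contains `copy.dd` with the `.` unescaped, so it would be satisfied by any `copyXdd`-shaped entry rather than specifically the directory created by `mkdir ${COPY}.dd` just above; `grep -w 'copy\.dd'` (or `grep -x` if `lls` prints one bare name per line) pins the match. Since the switch to `lcd` is what makes the local listing land in `${OBJ}`, a short comment `# lcd, not cd: lls lists the local directory` would record why the remote `cd` was the wrong command here.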
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: test-exec.sh,v 1.109 2024/03/25 01:28:29 dtucker Exp $
|
||||
# $OpenBSD: test-exec.sh,v 1.119 2024/06/20 08:18:34 dtucker Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
#SUDO=sudo
|
||||
|
@ -96,6 +96,7 @@ SSHKEYGEN=ssh-keygen
|
|||
SSHKEYSCAN=ssh-keyscan
|
||||
SFTP=sftp
|
||||
SFTPSERVER=/usr/libexec/openssh/sftp-server
|
||||
SSHD_SESSION=/usr/libexec/sshd-session
|
||||
SCP=scp
|
||||
|
||||
# Set by make_tmpdir() on demand (below).
|
||||
|
@ -121,6 +122,9 @@ NC=$OBJ/netcat
|
|||
if [ "x$TEST_SSH_SSH" != "x" ]; then
|
||||
SSH="${TEST_SSH_SSH}"
|
||||
fi
|
||||
if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then
|
||||
SSHD_SESSION="${TEST_SSH_SSHD_SESSION}"
|
||||
fi
|
||||
if [ "x$TEST_SSH_SSHD" != "x" ]; then
|
||||
SSHD="${TEST_SSH_SSHD}"
|
||||
fi
|
||||
|
@ -370,7 +374,7 @@ ssh_logfile ()
|
|||
# [kbytes] to ensure the file is at least that large.
|
||||
DATANAME=data
|
||||
DATA=$OBJ/${DATANAME}
|
||||
cat ${SSHAGENT_BIN} >${DATA}
|
||||
cat ${SSH_BIN} >${DATA}
|
||||
chmod u+w ${DATA}
|
||||
COPY=$OBJ/copy
|
||||
rm -f ${COPY}
|
||||
|
@ -381,7 +385,7 @@ fi
|
|||
increase_datafile_size()
|
||||
{
|
||||
while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
|
||||
cat ${SSHAGENT_BIN} >>${DATA}
|
||||
cat ${SSH_BIN} >>${DATA}
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -493,14 +497,16 @@ stop_sshd ()
|
|||
if [ "$os" == "windows" ]; then
|
||||
powershell.exe /c "stop-process -Name sshd -Force" >/dev/null 2>&1
|
||||
else
|
||||
if [ -f $PIDFILE ]; then
|
||||
[ -z $PIDFILE ] && return
|
||||
[ -f $PIDFILE ] || return
|
||||
pid=`$SUDO cat $PIDFILE`
|
||||
if [ "X$pid" = "X" ]; then
|
||||
echo no sshd running
|
||||
else
|
||||
if [ $pid -lt 2 ]; then
|
||||
echo bad pid for sshd: $pid
|
||||
else
|
||||
echo "no sshd running" 1>&2
|
||||
return
|
||||
elif [ $pid -lt 2 ]; then
|
||||
echo "bad pid for sshd: $pid" 1>&2
|
||||
return
|
||||
fi
|
||||
$SUDO kill $pid
|
||||
trace "wait for sshd to exit"
|
||||
i=0;
|
||||
|
@ -510,17 +516,13 @@ stop_sshd ()
|
|||
done
|
||||
if test -f $PIDFILE; then
|
||||
if $SUDO kill -0 $pid; then
|
||||
echo "sshd didn't exit " \
|
||||
"port $PORT pid $pid"
|
||||
echo "sshd didn't exit port $PORT pid $pid" 1>&2
|
||||
else
|
||||
echo "sshd died without cleanup"
|
||||
echo "sshd died without cleanup" 1>&2
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
PIDFILE=""
|
||||
}
|
||||
|
||||
# helper
|
||||
|
@ -667,6 +669,8 @@ cat << EOF > $OBJ/sshd_config
|
|||
AcceptEnv _XXX_TEST_*
|
||||
AcceptEnv _XXX_TEST
|
||||
Subsystem sftp $SFTPSERVER
|
||||
SshdSessionPath $SSHD_SESSION
|
||||
PerSourcePenalties no
|
||||
EOF
|
||||
|
||||
if [ "$os" != "windows" ]; then
|
||||
|
@ -923,15 +927,25 @@ esac
|
|||
if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
|
||||
trace Create dropbear keys and add to authorized_keys
|
||||
mkdir -p $OBJ/.dropbear
|
||||
for i in rsa ecdsa ed25519 dss; do
|
||||
if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
|
||||
($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i
|
||||
$DROPBEARCONVERT dropbear openssh \
|
||||
$OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i
|
||||
) > /dev/null 2>&1
|
||||
kt="ed25519"
|
||||
for i in dss rsa ecdsa; do
|
||||
if $SSH -Q key-plain | grep "$i" >/dev/null; then
|
||||
kt="$kt $i"
|
||||
else
|
||||
rm -f "$OBJ/.dropbear/id_$i"
|
||||
fi
|
||||
done
|
||||
for i in $kt; do
|
||||
if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
|
||||
verbose Create dropbear key type $i
|
||||
$DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \
|
||||
>/dev/null 2>&1
|
||||
fi
|
||||
$DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \
|
||||
$OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1
|
||||
$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
|
||||
>>$OBJ/authorized_keys_$USER
|
||||
rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i
|
||||
done
|
||||
fi
|
||||
|
||||
|
@ -958,6 +972,7 @@ chmod a+x $OBJ/ssh_proxy.sh
|
|||
|
||||
start_sshd ()
|
||||
{
|
||||
PIDFILE=$OBJ/pidfile
|
||||
# start sshd
|
||||
logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log"
|
||||
$SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
|
||||
|
@ -977,6 +992,7 @@ start_sshd ()
|
|||
i=`expr $i + 1`
|
||||
sleep $i
|
||||
done
|
||||
ln -f -s ${logfile} $TEST_SSHD_LOGFILE
|
||||
|
||||
test -f $PIDFILE || fatal "no sshd running on port $PORT"
|
||||
}
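Review bot: In stop_sshd the new early return `[ -z $PIDFILE ] && return` leaves `$PIDFILE` unquoted, so when it is empty the expression degenerates to the one-argument form `[ -z ]`, which evaluates true only by accident; it should be `[ -z "$PIDFILE" ] && return`, matching the quoted comparison used for `$pid` a few lines later. The value read by `pid=\`$SUDO cat $PIDFILE\`` is then fed to `[ $pid -lt 2 ]` and `kill` without a numeric check, so a corrupted pidfile yields a shell error instead of the intended diagnostic; a `case $pid in *[!0-9]*) echo "bad pid for sshd: $pid" 1>&2; return;; esac` before the comparison would cover it. The new `PerSourcePenalties no` line in the generated sshd_config has no rationale; presumably the regress suite's many deliberate authentication failures from 127.0.0.1 would otherwise lock the client out, and a comment saying so would stop someone "cleaning it up" later. The remainder of stop_sshd, including the wait loop, lies partly outside the hunk.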
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: Makefile,v 1.14 2023/02/02 12:12:52 djm Exp $
|
||||
# $OpenBSD: Makefile,v 1.15 2024/05/19 19:10:01 anton Exp $
|
||||
|
||||
PROG=test_kex
|
||||
SRCS=tests.c test_kex.c test_proposal.c
|
||||
|
@ -14,6 +14,7 @@ SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
|
|||
SRCS+=ssh-ed25519-sk.c sk-usbhid.c
|
||||
|
||||
SRCS+= kex.c
|
||||
SRCS+= kex-names.c
|
||||
SRCS+= dh.c
|
||||
SRCS+= kexdh.c
|
||||
SRCS+= kexecdh.c
|
||||
|
|
|
@ -0,0 +1,232 @@
|
|||
SCP(1) General Commands Manual SCP(1)
|
||||
|
||||
NAME
|
||||
scp M-bM-^@M-^S OpenSSH secure file copy
|
||||
|
||||
SYNOPSIS
|
||||
scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]
|
||||
[-i identity_file] [-J destination] [-l limit] [-o ssh_option]
|
||||
[-P port] [-S program] [-X sftp_option] source ... target
|
||||
|
||||
DESCRIPTION
|
||||
scp copies files between hosts on a network.
|
||||
|
||||
scp uses the SFTP protocol over a ssh(1) connection for data transfer,
|
||||
and uses the same authentication and provides the same security as a
|
||||
login session.
|
||||
|
||||
scp will ask for passwords or passphrases if they are needed for
|
||||
authentication.
|
||||
|
||||
The source and target may be specified as a local pathname, a remote host
|
||||
with optional path in the form [user@]host:[path], or a URI in the form
|
||||
scp://[user@]host[:port][/path]. Local file names can be made explicit
|
||||
using absolute or relative pathnames to avoid scp treating file names
|
||||
containing M-bM-^@M-^X:M-bM-^@M-^Y as host specifiers.
|
||||
|
||||
When copying between two remote hosts, if the URI format is used, a port
|
||||
cannot be specified on the target if the -R option is used.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-3 Copies between two remote hosts are transferred through the local
|
||||
host. Without this option the data is copied directly between
|
||||
the two remote hosts. Note that, when using the legacy SCP
|
||||
protocol (via the -O flag), this option selects batch mode for
|
||||
the second host as scp cannot ask for passwords or passphrases
|
||||
for both hosts. This mode is the default.
|
||||
|
||||
-4 Forces scp to use IPv4 addresses only.
|
||||
|
||||
-6 Forces scp to use IPv6 addresses only.
|
||||
|
||||
-A Allows forwarding of ssh-agent(1) to the remote system. The
|
||||
default is not to forward an authentication agent.
|
||||
|
||||
-B Selects batch mode (prevents asking for passwords or
|
||||
passphrases).
|
||||
|
||||
-C Compression enable. Passes the -C flag to ssh(1) to enable
|
||||
compression.
|
||||
|
||||
-c cipher
|
||||
Selects the cipher to use for encrypting the data transfer. This
|
||||
option is directly passed to ssh(1).
|
||||
|
||||
-D sftp_server_path
|
||||
Connect directly to a local SFTP server program rather than a
|
||||
remote one via ssh(1). This option may be useful in debugging
|
||||
the client and server.
|
||||
|
||||
-F ssh_config
|
||||
Specifies an alternative per-user configuration file for ssh.
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-i identity_file
|
||||
Selects the file from which the identity (private key) for public
|
||||
key authentication is read. This option is directly passed to
|
||||
ssh(1).
|
||||
|
||||
-J destination
|
||||
Connect to the target host by first making an scp connection to
|
||||
the jump host described by destination and then establishing a
|
||||
TCP forwarding to the ultimate destination from there. Multiple
|
||||
jump hops may be specified separated by comma characters. This
|
||||
is a shortcut to specify a ProxyJump configuration directive.
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-l limit
|
||||
Limits the used bandwidth, specified in Kbit/s.
|
||||
|
||||
-O Use the legacy SCP protocol for file transfers instead of the
|
||||
SFTP protocol. Forcing the use of the SCP protocol may be
|
||||
necessary for servers that do not implement SFTP, for backwards-
|
||||
compatibility for particular filename wildcard patterns and for
|
||||
expanding paths with a M-bM-^@M-^X~M-bM-^@M-^Y prefix for older SFTP servers.
|
||||
|
||||
-o ssh_option
|
||||
Can be used to pass options to ssh in the format used in
|
||||
ssh_config(5). This is useful for specifying options for which
|
||||
there is no separate scp command-line flag. For full details of
|
||||
the options listed below, and their possible values, see
|
||||
ssh_config(5).
|
||||
|
||||
AddressFamily
|
||||
BatchMode
|
||||
BindAddress
|
||||
BindInterface
|
||||
CanonicalDomains
|
||||
CanonicalizeFallbackLocal
|
||||
CanonicalizeHostname
|
||||
CanonicalizeMaxDots
|
||||
CanonicalizePermittedCNAMEs
|
||||
CASignatureAlgorithms
|
||||
CertificateFile
|
||||
CheckHostIP
|
||||
Ciphers
|
||||
Compression
|
||||
ConnectionAttempts
|
||||
ConnectTimeout
|
||||
ControlMaster
|
||||
ControlPath
|
||||
ControlPersist
|
||||
GlobalKnownHostsFile
|
||||
GSSAPIAuthentication
|
||||
GSSAPIDelegateCredentials
|
||||
HashKnownHosts
|
||||
Host
|
||||
HostbasedAcceptedAlgorithms
|
||||
HostbasedAuthentication
|
||||
HostKeyAlgorithms
|
||||
HostKeyAlias
|
||||
Hostname
|
||||
IdentitiesOnly
|
||||
IdentityAgent
|
||||
IdentityFile
|
||||
IPQoS
|
||||
KbdInteractiveAuthentication
|
||||
KbdInteractiveDevices
|
||||
KexAlgorithms
|
||||
KnownHostsCommand
|
||||
LogLevel
|
||||
MACs
|
||||
NoHostAuthenticationForLocalhost
|
||||
NumberOfPasswordPrompts
|
||||
PasswordAuthentication
|
||||
PKCS11Provider
|
||||
Port
|
||||
PreferredAuthentications
|
||||
ProxyCommand
|
||||
ProxyJump
|
||||
PubkeyAcceptedAlgorithms
|
||||
PubkeyAuthentication
|
||||
RekeyLimit
|
||||
RequiredRSASize
|
||||
SendEnv
|
||||
ServerAliveInterval
|
||||
ServerAliveCountMax
|
||||
SetEnv
|
||||
StrictHostKeyChecking
|
||||
TCPKeepAlive
|
||||
UpdateHostKeys
|
||||
User
|
||||
UserKnownHostsFile
|
||||
VerifyHostKeyDNS
|
||||
|
||||
-P port
|
||||
Specifies the port to connect to on the remote host. Note that
|
||||
this option is written with a capital M-bM-^@M-^XPM-bM-^@M-^Y, because -p is already
|
||||
reserved for preserving the times and mode bits of the file.
|
||||
|
||||
-p Preserves modification times, access times, and file mode bits
|
||||
from the source file.
|
||||
|
||||
-q Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from ssh(1).
|
||||
|
||||
-R Copies between two remote hosts are performed by connecting to
|
||||
the origin host and executing scp there. This requires that scp
|
||||
running on the origin host can authenticate to the destination
|
||||
host without requiring a password.
|
||||
|
||||
-r Recursively copy entire directories. Note that scp follows
|
||||
symbolic links encountered in the tree traversal.
|
||||
|
||||
-S program
|
||||
Name of program to use for the encrypted connection. The program
|
||||
must understand ssh(1) options.
|
||||
|
||||
-T Disable strict filename checking. By default when copying files
|
||||
from a remote host to a local directory scp checks that the
|
||||
received filenames match those requested on the command-line to
|
||||
prevent the remote end from sending unexpected or unwanted files.
|
||||
Because of differences in how various operating systems and
|
||||
shells interpret filename wildcards, these checks may cause
|
||||
wanted files to be rejected. This option disables these checks
|
||||
at the expense of fully trusting that the server will not send
|
||||
unexpected filenames.
|
||||
|
||||
-v Verbose mode. Causes scp and ssh(1) to print debugging messages
|
||||
about their progress. This is helpful in debugging connection,
|
||||
authentication, and configuration problems.
|
||||
|
||||
-X sftp_option
|
||||
Specify an option that controls aspects of SFTP protocol
|
||||
behaviour. The valid options are:
|
||||
|
||||
nrequests=value
|
||||
Controls how many concurrent SFTP read or write requests
|
||||
may be in progress at any point in time during a download
|
||||
or upload. By default 64 requests may be active
|
||||
concurrently.
|
||||
|
||||
buffer=value
|
||||
Controls the maximum buffer size for a single SFTP
|
||||
read/write operation used during download or upload. By
|
||||
default a 32KB buffer is used.
|
||||
|
||||
EXIT STATUS
|
||||
The scp utility exitsM-BM- 0 on success, andM-BM- >0 if an error occurs.
|
||||
|
||||
SEE ALSO
|
||||
sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5),
|
||||
sftp-server(8), sshd(8)
|
||||
|
||||
HISTORY
|
||||
scp is based on the rcp program in BSD source code from the Regents of
|
||||
the University of California.
|
||||
|
||||
Since OpenSSH 9.0, scp has used the SFTP protocol for transfers by
|
||||
default.
|
||||
|
||||
AUTHORS
|
||||
Timo Rinne <tri@iki.fi>
|
||||
Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
||||
CAVEATS
|
||||
The legacy SCP protocol (selected by the -O flag) requires execution of
|
||||
the remote user's shell to perform glob(3) pattern matching. This
|
||||
requires careful quoting of any characters that have special meaning to
|
||||
the remote shell, such as quote characters.
|
||||
|
||||
OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
|
4
scp.c
4
scp.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: scp.c,v 1.260 2023/10/11 05:42:08 djm Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.261 2024/06/26 23:14:14 deraadt Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
|
@ -234,9 +234,11 @@ suspone(int pid, int signo)
|
|||
static void
|
||||
suspchild(int signo)
|
||||
{
|
||||
int save_errno = errno;
|
||||
suspone(do_cmd_pid, signo);
|
||||
suspone(do_cmd_pid2, signo);
|
||||
kill(getpid(), SIGSTOP);
|
||||
errno = save_errno;
|
||||
}
|
||||
|
||||
static int
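Review bot: The errno save/restore is the right fix for a handler that calls kill(), but suspchild also reads `do_cmd_pid` and `do_cmd_pid2`, whose declarations are outside the hunk; it is worth confirming they are declared `volatile` (or that the stores after fork complete before SIGTSTP can be delivered), since a plain `pid_t` read in a handler racing a store is not something C guarantees. suspone's body is also outside the hunk; if it waits on the child with waitpid() that call can fail with EINTR or ECHILD, which is precisely what the saved errno now shields the interrupted main-flow syscall from. A one-line comment `/* preserve errno: kill() and suspone() may clobber it while the main flow is mid-syscall */` would record the intent.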
|
||||
|
|
186
servconf.c
186
servconf.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.c,v 1.406 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.411 2024/06/12 22:36:00 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
|
@ -69,6 +69,10 @@
|
|||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
|
||||
#if !defined(SSHD_PAM_SERVICE)
|
||||
# define SSHD_PAM_SERVICE "sshd"
|
||||
#endif
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, const char *,
|
||||
|
@ -88,6 +92,7 @@ initialize_server_options(ServerOptions *options)
|
|||
|
||||
/* Portable-specific options */
|
||||
options->use_pam = -1;
|
||||
options->pam_service_name = NULL;
|
||||
|
||||
/* Standard Options */
|
||||
options->num_ports = 0;
|
||||
|
@ -163,6 +168,18 @@ initialize_server_options(ServerOptions *options)
|
|||
options->per_source_max_startups = -1;
|
||||
options->per_source_masklen_ipv4 = -1;
|
||||
options->per_source_masklen_ipv6 = -1;
|
||||
options->per_source_penalty_exempt = NULL;
|
||||
options->per_source_penalty.enabled = -1;
|
||||
options->per_source_penalty.max_sources4 = -1;
|
||||
options->per_source_penalty.max_sources6 = -1;
|
||||
options->per_source_penalty.overflow_mode = -1;
|
||||
options->per_source_penalty.overflow_mode6 = -1;
|
||||
options->per_source_penalty.penalty_crash = -1;
|
||||
options->per_source_penalty.penalty_authfail = -1;
|
||||
options->per_source_penalty.penalty_noauth = -1;
|
||||
options->per_source_penalty.penalty_grace = -1;
|
||||
options->per_source_penalty.penalty_max = -1;
|
||||
options->per_source_penalty.penalty_min = -1;
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
|
@ -281,6 +298,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
/* Portable-specific options */
|
||||
if (options->use_pam == -1)
|
||||
options->use_pam = 0;
|
||||
if (options->pam_service_name == NULL)
|
||||
options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
|
||||
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
|
@ -404,6 +423,28 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->per_source_masklen_ipv4 = 32;
|
||||
if (options->per_source_masklen_ipv6 == -1)
|
||||
options->per_source_masklen_ipv6 = 128;
|
||||
if (options->per_source_penalty.enabled == -1)
|
||||
options->per_source_penalty.enabled = 1;
|
||||
if (options->per_source_penalty.max_sources4 == -1)
|
||||
options->per_source_penalty.max_sources4 = 65536;
|
||||
if (options->per_source_penalty.max_sources6 == -1)
|
||||
options->per_source_penalty.max_sources6 = 65536;
|
||||
if (options->per_source_penalty.overflow_mode == -1)
|
||||
options->per_source_penalty.overflow_mode = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
|
||||
if (options->per_source_penalty.overflow_mode6 == -1)
|
||||
options->per_source_penalty.overflow_mode6 = options->per_source_penalty.overflow_mode;
|
||||
if (options->per_source_penalty.penalty_crash == -1)
|
||||
options->per_source_penalty.penalty_crash = 90;
|
||||
if (options->per_source_penalty.penalty_grace == -1)
|
||||
options->per_source_penalty.penalty_grace = 20;
|
||||
if (options->per_source_penalty.penalty_authfail == -1)
|
||||
options->per_source_penalty.penalty_authfail = 5;
|
||||
if (options->per_source_penalty.penalty_noauth == -1)
|
||||
options->per_source_penalty.penalty_noauth = 1;
|
||||
if (options->per_source_penalty.penalty_min == -1)
|
||||
options->per_source_penalty.penalty_min = 15;
|
||||
if (options->per_source_penalty.penalty_max == -1)
|
||||
options->per_source_penalty.penalty_max = 600;
|
||||
if (options->max_authtries == -1)
|
||||
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
|
||||
if (options->max_sessions == -1)
|
||||
|
@ -481,6 +522,7 @@ fill_default_server_options(ServerOptions *options)
|
|||
CLEAR_ON_NONE(options->chroot_directory);
|
||||
CLEAR_ON_NONE(options->routing_domain);
|
||||
CLEAR_ON_NONE(options->host_key_agent);
|
||||
CLEAR_ON_NONE(options->per_source_penalty_exempt);
|
||||
|
||||
for (i = 0; i < options->num_host_key_files; i++)
|
||||
CLEAR_ON_NONE(options->host_key_files[i]);
|
||||
|
@ -497,7 +539,7 @@ fill_default_server_options(ServerOptions *options)
|
|||
typedef enum {
|
||||
sBadOption, /* == unknown option */
|
||||
/* Portable-specific options */
|
||||
sUsePAM,
|
||||
sUsePAM, sPAMServiceName,
|
||||
/* Standard Options */
|
||||
sPort, sHostKeyFile, sLoginGraceTime,
|
||||
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||
|
@ -515,6 +557,7 @@ typedef enum {
|
|||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
|
||||
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||
sPerSourcePenalties, sPerSourcePenaltyExemptList,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
|
@ -530,7 +573,7 @@ typedef enum {
|
|||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
||||
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
|
||||
sSshdMonitorPath,
|
||||
sSshdSessionPath,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
|
@ -549,8 +592,10 @@ static struct {
|
|||
/* Portable-specific options */
|
||||
#ifdef USE_PAM
|
||||
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
|
||||
#else
|
||||
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "pamservicename", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
|
||||
/* Standard Options */
|
||||
|
@ -647,6 +692,8 @@ static struct {
|
|||
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
|
||||
{ "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
|
||||
{ "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
|
||||
{ "persourcepenalties", sPerSourcePenalties, SSHCFG_GLOBAL },
|
||||
{ "persourcepenaltyexemptlist", sPerSourcePenaltyExemptList, SSHCFG_GLOBAL },
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
|
@ -693,7 +740,7 @@ static struct {
|
|||
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
|
||||
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
|
||||
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
|
||||
{ "sshdmonitorpath", sSshdMonitorPath, SSHCFG_GLOBAL },
|
||||
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
|
@ -1284,6 +1331,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
case sUsePAM:
|
||||
intptr = &options->use_pam;
|
||||
goto parse_flag;
|
||||
case sPAMServiceName:
|
||||
charptr = &options->pam_service_name;
|
||||
arg = argv_next(&ac, &av);
|
||||
if (!arg || *arg == '\0') {
|
||||
fatal("%s line %d: missing argument.",
|
||||
filename, linenum);
|
||||
}
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
/* Standard Options */
|
||||
case sBadOption:
|
||||
|
@ -1949,6 +2006,100 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
options->per_source_max_startups = value;
|
||||
break;
|
||||
|
||||
case sPerSourcePenaltyExemptList:
|
||||
charptr = &options->per_source_penalty_exempt;
|
||||
arg = argv_next(&ac, &av);
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: missing argument.",
|
||||
filename, linenum);
|
||||
if (addr_match_list(NULL, arg) != 0) {
|
||||
fatal("%s line %d: keyword %s "
|
||||
"invalid address argument.",
|
||||
filename, linenum, keyword);
|
||||
}
|
||||
if (*activep && *charptr == NULL)
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
case sPerSourcePenalties:
|
||||
while ((arg = argv_next(&ac, &av)) != NULL) {
|
||||
found = 1;
|
||||
value = -1;
|
||||
value2 = 0;
|
||||
p = NULL;
|
||||
/* Allow no/yes only in first position */
|
||||
if (strcasecmp(arg, "no") == 0 ||
|
||||
(value2 = (strcasecmp(arg, "yes") == 0))) {
|
||||
if (ac > 0) {
|
||||
fatal("%s line %d: keyword %s \"%s\" "
|
||||
"argument must appear alone.",
|
||||
filename, linenum, keyword, arg);
|
||||
}
|
||||
if (*activep &&
|
||||
options->per_source_penalty.enabled == -1)
|
||||
options->per_source_penalty.enabled = value2;
|
||||
continue;
|
||||
} else if (strncmp(arg, "crash:", 6) == 0) {
|
||||
p = arg + 6;
|
||||
intptr = &options->per_source_penalty.penalty_crash;
|
||||
} else if (strncmp(arg, "authfail:", 9) == 0) {
|
||||
p = arg + 9;
|
||||
intptr = &options->per_source_penalty.penalty_authfail;
|
||||
} else if (strncmp(arg, "noauth:", 7) == 0) {
|
||||
p = arg + 7;
|
||||
intptr = &options->per_source_penalty.penalty_noauth;
|
||||
} else if (strncmp(arg, "grace-exceeded:", 15) == 0) {
|
||||
p = arg + 15;
|
||||
intptr = &options->per_source_penalty.penalty_grace;
|
||||
} else if (strncmp(arg, "max:", 4) == 0) {
|
||||
p = arg + 4;
|
||||
intptr = &options->per_source_penalty.penalty_max;
|
||||
} else if (strncmp(arg, "min:", 4) == 0) {
|
||||
p = arg + 4;
|
||||
intptr = &options->per_source_penalty.penalty_min;
|
||||
} else if (strncmp(arg, "max-sources4:", 13) == 0) {
|
||||
intptr = &options->per_source_penalty.max_sources4;
|
||||
if ((errstr = atoi_err(arg+13, &value)) != NULL)
|
||||
fatal("%s line %d: %s value %s.",
|
||||
filename, linenum, keyword, errstr);
|
||||
} else if (strncmp(arg, "max-sources6:", 13) == 0) {
|
||||
intptr = &options->per_source_penalty.max_sources6;
|
||||
if ((errstr = atoi_err(arg+13, &value)) != NULL)
|
||||
fatal("%s line %d: %s value %s.",
|
||||
filename, linenum, keyword, errstr);
|
||||
} else if (strcmp(arg, "overflow:deny-all") == 0) {
|
||||
intptr = &options->per_source_penalty.overflow_mode;
|
||||
value = PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL;
|
||||
} else if (strcmp(arg, "overflow:permissive") == 0) {
|
||||
intptr = &options->per_source_penalty.overflow_mode;
|
||||
value = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
|
||||
} else if (strcmp(arg, "overflow6:deny-all") == 0) {
|
||||
intptr = &options->per_source_penalty.overflow_mode6;
|
||||
value = PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL;
|
||||
} else if (strcmp(arg, "overflow6:permissive") == 0) {
|
||||
intptr = &options->per_source_penalty.overflow_mode6;
|
||||
value = PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE;
|
||||
} else {
|
||||
fatal("%s line %d: unsupported %s keyword %s",
|
||||
filename, linenum, keyword, arg);
|
||||
}
|
||||
/* If no value was parsed above, assume it's a time */
|
||||
if (value == -1 && (value = convtime(p)) == -1) {
|
||||
fatal("%s line %d: invalid %s time value.",
|
||||
filename, linenum, keyword);
|
||||
}
|
||||
if (*activep && *intptr == -1) {
|
||||
*intptr = value;
|
||||
/* any option implicitly enables penalties */
|
||||
options->per_source_penalty.enabled = 1;
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
fatal("%s line %d: no %s specified",
|
||||
filename, linenum, keyword);
|
||||
}
|
||||
break;
|
||||
|
||||
case sMaxAuthTries:
|
||||
intptr = &options->max_authtries;
|
||||
goto parse_int;
|
||||
|
@ -2514,7 +2665,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
}
|
||||
goto parse_time;
|
||||
|
||||
case sSshdMonitorPath:
|
||||
case sSshdSessionPath:
|
||||
charptr = &options->sshd_session_path;
|
||||
goto parse_filename;
|
||||
|
||||
|
@ -3062,6 +3213,7 @@ dump_config(ServerOptions *o)
|
|||
/* integer arguments */
|
||||
#ifdef USE_PAM
|
||||
dump_cfg_fmtint(sUsePAM, o->use_pam);
|
||||
dump_cfg_string(sPAMServiceName, o->pam_service_name);
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
|
@ -3147,7 +3299,8 @@ dump_config(ServerOptions *o)
|
|||
#if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
|
||||
dump_cfg_string(sRDomain, o->routing_domain);
|
||||
#endif
|
||||
dump_cfg_string(sSshdMonitorPath, o->sshd_session_path);
|
||||
dump_cfg_string(sSshdSessionPath, o->sshd_session_path);
|
||||
dump_cfg_string(sPerSourcePenaltyExemptList, o->per_source_penalty_exempt);
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
|
@ -3235,4 +3388,25 @@ dump_config(ServerOptions *o)
|
|||
if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
|
||||
printf(" verify-required");
|
||||
printf("\n");
|
||||
|
||||
if (o->per_source_penalty.enabled) {
|
||||
printf("persourcepenalties crash:%d authfail:%d noauth:%d "
|
||||
"grace-exceeded:%d max:%d min:%d max-sources4:%d "
|
||||
"max-sources6:%d overflow:%s overflow6:%s\n",
|
||||
o->per_source_penalty.penalty_crash,
|
||||
o->per_source_penalty.penalty_authfail,
|
||||
o->per_source_penalty.penalty_noauth,
|
||||
o->per_source_penalty.penalty_grace,
|
||||
o->per_source_penalty.penalty_max,
|
||||
o->per_source_penalty.penalty_min,
|
||||
o->per_source_penalty.max_sources4,
|
||||
o->per_source_penalty.max_sources6,
|
||||
o->per_source_penalty.overflow_mode ==
|
||||
PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL ?
|
||||
"deny-all" : "permissive",
|
||||
o->per_source_penalty.overflow_mode6 ==
|
||||
PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL ?
|
||||
"deny-all" : "permissive");
|
||||
} else
|
||||
printf("persourcepenalties no\n");
|
||||
}
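Review bot: The two `?:` expressions on the new side print "permissive" for every value of `overflow_mode`/`overflow_mode6` other than PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL, so an unset or out-of-range mode would be dumped as a valid setting; if the defaults filled in elsewhere guarantee one of the two defined values this is harmless, otherwise a small helper returning "deny-all", "permissive" or "unknown" would keep the `-T` output trustworthy. The parser earlier in this file appears to accept the same two spellings as keywords, so the dumped line only round-trips while both sides agree — a comment beside the printf, `/* mode spellings must match the PerSourcePenalties parser */`, would make that dependency visible. dump_config starts outside this hunk.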
25
servconf.h
25
servconf.h
@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.161 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.165 2024/06/12 22:36:00 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -47,7 +47,6 @@
|
|||
#define PUBKEYAUTH_VERIFY_REQUIRED (1<<1)
|
||||
|
||||
struct ssh;
|
||||
struct fwd_perm_list;
|
||||
|
||||
/*
|
||||
* Used to store addresses from ListenAddr directives. These may be
|
||||
|
@ -66,6 +65,22 @@ struct listenaddr {
|
|||
struct addrinfo *addrs;
|
||||
};
|
||||
|
||||
#define PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL 1
|
||||
#define PER_SOURCE_PENALTY_OVERFLOW_PERMISSIVE 2
|
||||
struct per_source_penalty {
|
||||
int enabled;
|
||||
int max_sources4;
|
||||
int max_sources6;
|
||||
int overflow_mode;
|
||||
int overflow_mode6;
|
||||
int penalty_crash;
|
||||
int penalty_grace;
|
||||
int penalty_authfail;
|
||||
int penalty_noauth;
|
||||
int penalty_max;
|
||||
int penalty_min;
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
u_int num_ports;
|
||||
u_int ports_from_cmdline;
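Review bot: struct per_source_penalty is added with no comment on any field, although neighbouring ServerOptions members carry trailing comments (the `banner` field further down, for instance); a reader of the header cannot tell that the `penalty_*` members are durations — the parser in servconf.c falls back to convtime() for them, so seconds seems likely, confirm — or that `overflow_mode`/`overflow_mode6` hold one of the two PER_SOURCE_PENALTY_OVERFLOW_* values. I would add a short block comment above the struct describing the three groups (enable flag, tracking limits, penalty durations) and a trailing `/* seconds */` on each penalty_* member. The two `#define`s could also be an anonymous enum, which gives the debugger names and lets the compiler see the value set, though that is a matter of file convention.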
|
||||
|
@ -173,6 +188,8 @@ typedef struct {
|
|||
int per_source_max_startups;
|
||||
int per_source_masklen_ipv4;
|
||||
int per_source_masklen_ipv6;
|
||||
char *per_source_penalty_exempt;
|
||||
struct per_source_penalty per_source_penalty;
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
|
@ -193,6 +210,7 @@ typedef struct {
|
|||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
char *pam_service_name;
|
||||
|
||||
int permit_tun;
|
||||
|
||||
|
@ -277,6 +295,7 @@ TAILQ_HEAD(include_list, include_item);
|
|||
M_CP_STROPT(ca_sign_algorithms); \
|
||||
M_CP_STROPT(routing_domain); \
|
||||
M_CP_STROPT(permit_user_env_allowlist); \
|
||||
M_CP_STROPT(pam_service_name); \
|
||||
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
|
||||
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
|
||||
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
|
||||
|
@ -303,9 +322,7 @@ void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
|
|||
struct include_list *includes, struct connection_info *, int);
|
||||
void parse_server_match_config(ServerOptions *,
|
||||
struct include_list *includes, struct connection_info *);
|
||||
int parse_channel_timeout(const char *, char **, u_int *);
|
||||
int parse_server_match_testspec(struct connection_info *, char *);
|
||||
int server_match_spec_complete(struct connection_info *);
|
||||
void servconf_merge_subsystems(ServerOptions *, ServerOptions *);
|
||||
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
|
||||
void dump_config(ServerOptions *);
@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.239 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: serverloop.c,v 1.240 2024/06/17 08:28:31 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -266,11 +266,11 @@ process_input(struct ssh *ssh, int connection_in)
|
|||
if (errno == EAGAIN || errno == EINTR || errno == EWOULDBLOCK)
|
||||
return 0;
|
||||
if (errno == EPIPE) {
|
||||
verbose("Connection closed by %.100s port %d",
|
||||
logit("Connection closed by %.100s port %d",
|
||||
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
|
||||
return -1;
|
||||
}
|
||||
verbose("Read error from remote host %s port %d: %s",
|
||||
logit("Read error from remote host %s port %d: %s",
|
||||
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
|
||||
strerror(errno));
|
||||
cleanup_exit(255);
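Review bot: Moving these two messages from verbose() to logit() changes what operators see at the default LogLevel (logit() is the INFO level), but nothing in the hunk records why; given that the same commit introduces per-source penalties, I assume the intent is that disconnects from unauthenticated peers become visible by default for log-based tooling — confirm. A one-line comment above the first call, `/* INFO, so peer disconnects are visible at the default LogLevel */`, would stop a later tidy-up from quietly demoting them again. process_input starts outside this hunk.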
15
session.c
15
session.c
@ -104,9 +104,16 @@
#include <selinux/selinux.h>
|
||||
#endif
|
||||
|
||||
#ifdef WINDOWS
|
||||
/*
|
||||
* Hack for systems that do not support FD passing: allocate PTYs directly
|
||||
* without calling into the monitor. This requires either the post-auth
|
||||
* privsep process retain root privileges (see the comment in
|
||||
* sshd-session.c:privsep_postauth) or that PTY allocation doesn't require
|
||||
* privileges to begin with (e.g. Cygwin).
|
||||
*/
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
#define mm_pty_allocate pty_allocate
|
||||
#endif /* WINDOWS */
|
||||
#endif
|
||||
|
||||
#define IS_INTERNAL_SFTP(c) \
|
||||
(!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \
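Review bot: The new `#endif` that closes the DISABLE_FD_PASSING block has lost the label the old `#endif /* WINDOWS */` carried; the surrounding directives are labelled, so it should read `#endif /* DISABLE_FD_PASSING */`. Dropping the WINDOWS guard widens the `mm_pty_allocate` → `pty_allocate` substitution to every build that defines DISABLE_FD_PASSING, and the new comment is honest that this only holds if the post-auth process keeps root or PTY allocation needs no privilege; since that is a deliberate narrowing of privilege separation, naming which precondition each supported platform relies on (rather than "either") would help the next porter judge whether their platform qualifies.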
|
||||
|
@ -716,13 +723,13 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
|
|||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (command != NULL)
|
||||
PRIVSEP(audit_run_command(command));
|
||||
mm_audit_run_command(command);
|
||||
else if (s->ttyfd == -1) {
|
||||
char *shell = s->pw->pw_shell;
|
||||
|
||||
if (shell[0] == '\0') /* empty shell means /bin/sh */
|
||||
shell =_PATH_BSHELL;
|
||||
PRIVSEP(audit_run_command(shell));
|
||||
mm_audit_run_command(shell);
|
||||
}
|
||||
#endif
|
||||
if (s->ttyfd != -1)
@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.175 2023/11/13 09:18:19 tobhe Exp $ */
|
||||
/* $OpenBSD: sftp-client.c,v 1.176 2024/05/17 02:39:11 jsg Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -2449,7 +2449,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
|
|||
* server not to have reordered replies that could have
|
||||
* inserted holes where none existed in the source file.
|
||||
*
|
||||
* XXX we could get a more accutate progress bar if we updated
|
||||
* XXX we could get a more accurate progress bar if we updated
|
||||
* the counter based on the reply from the destination...
|
||||
*/
|
||||
(*nreqsp)--;
@ -0,0 +1,98 @@
SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8)
|
||||
|
||||
NAME
|
||||
sftp-server M-bM-^@M-^S OpenSSH SFTP server subsystem
|
||||
|
||||
SYNOPSIS
|
||||
sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
|
||||
[-P denied_requests] [-p allowed_requests] [-u umask]
|
||||
sftp-server -Q protocol_feature
|
||||
|
||||
DESCRIPTION
|
||||
sftp-server is a program that speaks the server side of SFTP protocol to
|
||||
stdout and expects client requests from stdin. sftp-server is not
|
||||
intended to be called directly, but from sshd(8) using the Subsystem
|
||||
option.
|
||||
|
||||
Command-line flags to sftp-server should be specified in the Subsystem
|
||||
declaration. See sshd_config(5) for more information.
|
||||
|
||||
Valid options are:
|
||||
|
||||
-d start_directory
|
||||
Specifies an alternate starting directory for users. The
|
||||
pathname may contain the following tokens that are expanded at
|
||||
runtime: %% is replaced by a literal '%', %d is replaced by the
|
||||
home directory of the user being authenticated, and %u is
|
||||
replaced by the username of that user. The default is to use the
|
||||
user's home directory. This option is useful in conjunction with
|
||||
the sshd_config(5) ChrootDirectory option.
|
||||
|
||||
-e Causes sftp-server to print logging information to stderr instead
|
||||
of syslog for debugging.
|
||||
|
||||
-f log_facility
|
||||
Specifies the facility code that is used when logging messages
|
||||
from sftp-server. The possible values are: DAEMON, USER, AUTH,
|
||||
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
|
||||
-h Displays sftp-server usage information.
|
||||
|
||||
-l log_level
|
||||
Specifies which messages will be logged by sftp-server. The
|
||||
possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
|
||||
DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions
|
||||
that sftp-server performs on behalf of the client. DEBUG and
|
||||
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
|
||||
levels of debugging output. The default is ERROR.
|
||||
|
||||
-P denied_requests
|
||||
Specifies a comma-separated list of SFTP protocol requests that
|
||||
are banned by the server. sftp-server will reply to any denied
|
||||
request with a failure. The -Q flag can be used to determine the
|
||||
supported request types. If both denied and allowed lists are
|
||||
specified, then the denied list is applied before the allowed
|
||||
list.
|
||||
|
||||
-p allowed_requests
|
||||
Specifies a comma-separated list of SFTP protocol requests that
|
||||
are permitted by the server. All request types that are not on
|
||||
the allowed list will be logged and replied to with a failure
|
||||
message.
|
||||
|
||||
Care must be taken when using this feature to ensure that
|
||||
requests made implicitly by SFTP clients are permitted.
|
||||
|
||||
-Q protocol_feature
|
||||
Queries protocol features supported by sftp-server. At present
|
||||
the only feature that may be queried is M-bM-^@M-^\requestsM-bM-^@M-^], which may be
|
||||
used to deny or allow specific requests (flags -P and -p
|
||||
respectively).
|
||||
|
||||
-R Places this instance of sftp-server into a read-only mode.
|
||||
Attempts to open files for writing, as well as other operations
|
||||
that change the state of the filesystem, will be denied.
|
||||
|
||||
-u umask
|
||||
Sets an explicit umask(2) to be applied to newly-created files
|
||||
and directories, instead of the user's default mask.
|
||||
|
||||
On some systems, sftp-server must be able to access /dev/log for logging
|
||||
to work, and use of sftp-server in a chroot configuration therefore
|
||||
requires that syslogd(8) establish a logging socket inside the chroot
|
||||
directory.
|
||||
|
||||
SEE ALSO
|
||||
sftp(1), ssh(1), sshd_config(5), sshd(8)
|
||||
|
||||
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
|
||||
filexfer-02.txt, October 2001, work in progress material.
|
||||
|
||||
HISTORY
|
||||
sftp-server first appeared in OpenBSD 2.8.
|
||||
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
@ -0,0 +1,438 @@
SFTP(1) General Commands Manual SFTP(1)
|
||||
|
||||
NAME
|
||||
sftp M-bM-^@M-^S OpenSSH secure file transfer
|
||||
|
||||
SYNOPSIS
|
||||
sftp [-46AaCfNpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
|
||||
[-D sftp_server_command] [-F ssh_config] [-i identity_file]
|
||||
[-J destination] [-l limit] [-o ssh_option] [-P port]
|
||||
[-R num_requests] [-S program] [-s subsystem | sftp_server]
|
||||
[-X sftp_option] destination
|
||||
|
||||
DESCRIPTION
|
||||
sftp is a file transfer program, similar to ftp(1), which performs all
|
||||
operations over an encrypted ssh(1) transport. It may also use many
|
||||
features of ssh, such as public key authentication and compression.
|
||||
|
||||
The destination may be specified either as [user@]host[:path] or as a URI
|
||||
in the form sftp://[user@]host[:port][/path].
|
||||
|
||||
If the destination includes a path and it is not a directory, sftp will
|
||||
retrieve files automatically if a non-interactive authentication method
|
||||
is used; otherwise it will do so after successful interactive
|
||||
authentication.
|
||||
|
||||
If no path is specified, or if the path is a directory, sftp will log in
|
||||
to the specified host and enter interactive command mode, changing to the
|
||||
remote directory if one was specified. An optional trailing slash can be
|
||||
used to force the path to be interpreted as a directory.
|
||||
|
||||
Since the destination formats use colon characters to delimit host names
|
||||
from path names or port numbers, IPv6 addresses must be enclosed in
|
||||
square brackets to avoid ambiguity.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-4 Forces sftp to use IPv4 addresses only.
|
||||
|
||||
-6 Forces sftp to use IPv6 addresses only.
|
||||
|
||||
-A Allows forwarding of ssh-agent(1) to the remote system. The
|
||||
default is not to forward an authentication agent.
|
||||
|
||||
-a Attempt to continue interrupted transfers rather than overwriting
|
||||
existing partial or complete copies of files. If the partial
|
||||
contents differ from those being transferred, then the resultant
|
||||
file is likely to be corrupt.
|
||||
|
||||
-B buffer_size
|
||||
Specify the size of the buffer that sftp uses when transferring
|
||||
files. Larger buffers require fewer round trips at the cost of
|
||||
higher memory consumption. The default is 32768 bytes.
|
||||
|
||||
-b batchfile
|
||||
Batch mode reads a series of commands from an input batchfile
|
||||
instead of stdin. Since it lacks user interaction, it should be
|
||||
used in conjunction with non-interactive authentication to
|
||||
obviate the need to enter a password at connection time (see
|
||||
sshd(8) and ssh-keygen(1) for details).
|
||||
|
||||
A batchfile of M-bM-^@M-^X-M-bM-^@M-^Y may be used to indicate standard input. sftp
|
||||
will abort if any of the following commands fail: get, put,
|
||||
reget, reput, rename, ln, rm, mkdir, chdir, ls, lchdir, copy, cp,
|
||||
chmod, chown, chgrp, lpwd, df, symlink, and lmkdir.
|
||||
|
||||
Termination on error can be suppressed on a command by command
|
||||
basis by prefixing the command with a M-bM-^@M-^X-M-bM-^@M-^Y character (for example,
|
||||
-rm /tmp/blah*). Echo of the command may be suppressed by
|
||||
prefixing the command with a M-bM-^@M-^X@M-bM-^@M-^Y character. These two prefixes
|
||||
may be combined in any order, for example -@ls /bsd.
|
||||
|
||||
-C Enables compression (via ssh's -C flag).
|
||||
|
||||
-c cipher
|
||||
Selects the cipher to use for encrypting the data transfers.
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-D sftp_server_command
|
||||
Connect directly to a local sftp server (rather than via ssh(1)).
|
||||
A command and arguments may be specified, for example
|
||||
"/path/sftp-server -el debug3". This option may be useful in
|
||||
debugging the client and server.
|
||||
|
||||
-F ssh_config
|
||||
Specifies an alternative per-user configuration file for ssh(1).
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-f Requests that files be flushed to disk immediately after
|
||||
transfer. When uploading files, this feature is only enabled if
|
||||
the server implements the "fsync@openssh.com" extension.
|
||||
|
||||
-i identity_file
|
||||
Selects the file from which the identity (private key) for public
|
||||
key authentication is read. This option is directly passed to
|
||||
ssh(1).
|
||||
|
||||
-J destination
|
||||
Connect to the target host by first making an sftp connection to
|
||||
the jump host described by destination and then establishing a
|
||||
TCP forwarding to the ultimate destination from there. Multiple
|
||||
jump hops may be specified separated by comma characters. This
|
||||
is a shortcut to specify a ProxyJump configuration directive.
|
||||
This option is directly passed to ssh(1).
|
||||
|
||||
-l limit
|
||||
Limits the used bandwidth, specified in Kbit/s.
|
||||
|
||||
-N Disables quiet mode, e.g. to override the implicit quiet mode set
|
||||
by the -b flag.
|
||||
|
||||
-o ssh_option
|
||||
Can be used to pass options to ssh in the format used in
|
||||
ssh_config(5). This is useful for specifying options for which
|
||||
there is no separate sftp command-line flag. For example, to
|
||||
specify an alternate port use: sftp -oPort=24. For full details
|
||||
of the options listed below, and their possible values, see
|
||||
ssh_config(5).
|
||||
|
||||
AddressFamily
|
||||
BatchMode
|
||||
BindAddress
|
||||
BindInterface
|
||||
CanonicalDomains
|
||||
CanonicalizeFallbackLocal
|
||||
CanonicalizeHostname
|
||||
CanonicalizeMaxDots
|
||||
CanonicalizePermittedCNAMEs
|
||||
CASignatureAlgorithms
|
||||
CertificateFile
|
||||
CheckHostIP
|
||||
Ciphers
|
||||
Compression
|
||||
ConnectionAttempts
|
||||
ConnectTimeout
|
||||
ControlMaster
|
||||
ControlPath
|
||||
ControlPersist
|
||||
GlobalKnownHostsFile
|
||||
GSSAPIAuthentication
|
||||
GSSAPIDelegateCredentials
|
||||
HashKnownHosts
|
||||
Host
|
||||
HostbasedAcceptedAlgorithms
|
||||
HostbasedAuthentication
|
||||
HostKeyAlgorithms
|
||||
HostKeyAlias
|
||||
Hostname
|
||||
IdentitiesOnly
|
||||
IdentityAgent
|
||||
IdentityFile
|
||||
IPQoS
|
||||
KbdInteractiveAuthentication
|
||||
KbdInteractiveDevices
|
||||
KexAlgorithms
|
||||
KnownHostsCommand
|
||||
LogLevel
|
||||
MACs
|
||||
NoHostAuthenticationForLocalhost
|
||||
NumberOfPasswordPrompts
|
||||
PasswordAuthentication
|
||||
PKCS11Provider
|
||||
Port
|
||||
PreferredAuthentications
|
||||
ProxyCommand
|
||||
ProxyJump
|
||||
PubkeyAcceptedAlgorithms
|
||||
PubkeyAuthentication
|
||||
RekeyLimit
|
||||
RequiredRSASize
|
||||
SendEnv
|
||||
ServerAliveInterval
|
||||
ServerAliveCountMax
|
||||
SetEnv
|
||||
StrictHostKeyChecking
|
||||
TCPKeepAlive
|
||||
UpdateHostKeys
|
||||
User
|
||||
UserKnownHostsFile
|
||||
VerifyHostKeyDNS
|
||||
|
||||
-P port
|
||||
Specifies the port to connect to on the remote host.
|
||||
|
||||
-p Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
|
||||
-q Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from ssh(1).
|
||||
|
||||
-R num_requests
|
||||
Specify how many requests may be outstanding at any one time.
|
||||
Increasing this may slightly improve file transfer speed but will
|
||||
increase memory usage. The default is 64 outstanding requests.
|
||||
|
||||
-r Recursively copy entire directories when uploading and
|
||||
downloading. Note that sftp does not follow symbolic links
|
||||
encountered in the tree traversal.
|
||||
|
||||
-S program
|
||||
Name of the program to use for the encrypted connection. The
|
||||
program must understand ssh(1) options.
|
||||
|
||||
-s subsystem | sftp_server
|
||||
Specifies the SSH2 subsystem or the path for an sftp server on
|
||||
the remote host. A path is useful when the remote sshd(8) does
|
||||
not have an sftp subsystem configured.
|
||||
|
||||
-v Raise logging level. This option is also passed to ssh.
|
||||
|
||||
-X sftp_option
|
||||
Specify an option that controls aspects of SFTP protocol
|
||||
behaviour. The valid options are:
|
||||
|
||||
nrequests=value
|
||||
Controls how many concurrent SFTP read or write requests
|
||||
may be in progress at any point in time during a download
|
||||
or upload. By default 64 requests may be active
|
||||
concurrently.
|
||||
|
||||
buffer=value
|
||||
Controls the maximum buffer size for a single SFTP
|
||||
read/write operation used during download or upload. By
|
||||
default a 32KB buffer is used.
|
||||
|
||||
INTERACTIVE COMMANDS
|
||||
Once in interactive mode, sftp understands a set of commands similar to
|
||||
those of ftp(1). Commands are case insensitive. Pathnames that contain
|
||||
spaces must be enclosed in quotes. Any special characters contained
|
||||
within pathnames that are recognized by glob(3) must be escaped with
|
||||
backslashes (M-bM-^@M-^X\M-bM-^@M-^Y).
|
||||
|
||||
bye Quit sftp.
|
||||
|
||||
cd [path]
|
||||
Change remote directory to path. If path is not specified, then
|
||||
change directory to the one the session started in.
|
||||
|
||||
chgrp [-h] grp path
|
||||
Change group of file path to grp. path may contain glob(7)
|
||||
characters and may match multiple files. grp must be a numeric
|
||||
GID.
|
||||
|
||||
If the -h flag is specified, then symlinks will not be followed.
|
||||
Note that this is only supported by servers that implement the
|
||||
"lsetstat@openssh.com" extension.
|
||||
|
||||
chmod [-h] mode path
|
||||
Change permissions of file path to mode. path may contain
|
||||
glob(7) characters and may match multiple files.
|
||||
|
||||
If the -h flag is specified, then symlinks will not be followed.
|
||||
Note that this is only supported by servers that implement the
|
||||
"lsetstat@openssh.com" extension.
|
||||
|
||||
chown [-h] own path
|
||||
Change owner of file path to own. path may contain glob(7)
|
||||
characters and may match multiple files. own must be a numeric
|
||||
UID.
|
||||
|
||||
If the -h flag is specified, then symlinks will not be followed.
|
||||
Note that this is only supported by servers that implement the
|
||||
"lsetstat@openssh.com" extension.
|
||||
|
||||
copy oldpath newpath
|
||||
Copy remote file from oldpath to newpath.
|
||||
|
||||
Note that this is only supported by servers that implement the
|
||||
"copy-data" extension.
|
||||
|
||||
cp oldpath newpath
|
||||
Alias to copy command.
|
||||
|
||||
df [-hi] [path]
|
||||
Display usage information for the filesystem holding the current
|
||||
directory (or path if specified). If the -h flag is specified,
|
||||
the capacity information will be displayed using "human-readable"
|
||||
suffixes. The -i flag requests display of inode information in
|
||||
addition to capacity information. This command is only supported
|
||||
on servers that implement the M-bM-^@M-^\statvfs@openssh.comM-bM-^@M-^] extension.
|
||||
|
||||
exit Quit sftp.
|
||||
|
||||
get [-afpR] remote-path [local-path]
|
||||
Retrieve the remote-path and store it on the local machine. If
|
||||
the local path name is not specified, it is given the same name
|
||||
it has on the remote machine. remote-path may contain glob(7)
|
||||
characters and may match multiple files. If it does and
|
||||
local-path is specified, then local-path must specify a
|
||||
directory.
|
||||
|
||||
If the -a flag is specified, then attempt to resume partial
|
||||
transfers of existing files. Note that resumption assumes that
|
||||
any partial copy of the local file matches the remote copy. If
|
||||
the remote file contents differ from the partial local copy then
|
||||
the resultant file is likely to be corrupt.
|
||||
|
||||
If the -f flag is specified, then fsync(2) will be called after
|
||||
the file transfer has completed to flush the file to disk.
|
||||
|
||||
If the -p flag is specified, then full file permissions and
|
||||
access times are copied too.
|
||||
|
||||
If the -R flag is specified then directories will be copied
|
||||
recursively. Note that sftp does not follow symbolic links when
|
||||
performing recursive transfers.
|
||||
|
||||
help Display help text.
|
||||
|
||||
lcd [path]
|
||||
Change local directory to path. If path is not specified, then
|
||||
change directory to the local user's home directory.
|
||||
|
||||
lls [ls-options [path]]
|
||||
Display local directory listing of either path or current
|
||||
directory if path is not specified. ls-options may contain any
|
||||
flags supported by the local system's ls(1) command. path may
|
||||
contain glob(7) characters and may match multiple files.
|
||||
|
||||
lmkdir path
|
||||
Create local directory specified by path.
|
||||
|
||||
ln [-s] oldpath newpath
|
||||
Create a link from oldpath to newpath. If the -s flag is
|
||||
specified the created link is a symbolic link, otherwise it is a
|
||||
hard link.
|
||||
|
||||
lpwd Print local working directory.
|
||||
|
||||
ls [-1afhlnrSt] [path]
|
||||
Display a remote directory listing of either path or the current
|
||||
directory if path is not specified. path may contain glob(7)
|
||||
characters and may match multiple files.
|
||||
|
||||
The following flags are recognized and alter the behaviour of ls
|
||||
accordingly:
|
||||
|
||||
-1 Produce single columnar output.
|
||||
|
||||
-a List files beginning with a dot (M-bM-^@M-^X.M-bM-^@M-^Y).
|
||||
|
||||
-f Do not sort the listing. The default sort order is
|
||||
lexicographical.
|
||||
|
||||
-h When used with a long format option, use unit suffixes:
|
||||
Byte, Kilobyte, Megabyte, Gigabyte, Terabyte, Petabyte,
|
||||
and Exabyte in order to reduce the number of digits to
|
||||
four or fewer using powers of 2 for sizes (K=1024,
|
||||
M=1048576, etc.).
|
||||
|
||||
-l Display additional details including permissions and
|
||||
ownership information.
|
||||
|
||||
-n Produce a long listing with user and group information
|
||||
presented numerically.
|
||||
|
||||
-r Reverse the sort order of the listing.
|
||||
|
||||
-S Sort the listing by file size.
|
||||
|
||||
-t Sort the listing by last modification time.
|
||||
|
||||
lumask umask
|
||||
Set local umask to umask.
|
||||
|
||||
mkdir path
|
||||
Create remote directory specified by path.
|
||||
|
||||
progress
|
||||
Toggle display of progress meter.
|
||||
|
||||
put [-afpR] local-path [remote-path]
|
||||
Upload local-path and store it on the remote machine. If the
|
||||
remote path name is not specified, it is given the same name it
|
||||
has on the local machine. local-path may contain glob(7)
|
||||
characters and may match multiple files. If it does and
|
||||
remote-path is specified, then remote-path must specify a
|
||||
directory.
|
||||
|
||||
If the -a flag is specified, then attempt to resume partial
|
||||
transfers of existing files. Note that resumption assumes that
|
||||
any partial copy of the remote file matches the local copy. If
|
||||
the local file contents differ from the remote local copy then
|
||||
the resultant file is likely to be corrupt.
|
||||
|
||||
If the -f flag is specified, then a request will be sent to the
|
||||
server to call fsync(2) after the file has been transferred.
|
||||
Note that this is only supported by servers that implement the
|
||||
"fsync@openssh.com" extension.
|
||||
|
||||
If the -p flag is specified, then full file permissions and
|
||||
access times are copied too.
|
||||
|
||||
If the -R flag is specified then directories will be copied
|
||||
recursively. Note that sftp does not follow symbolic links when
|
||||
performing recursive transfers.
|
||||
|
||||
pwd Display remote working directory.
|
||||
|
||||
quit Quit sftp.
|
||||
|
||||
reget [-fpR] remote-path [local-path]
|
||||
Resume download of remote-path. Equivalent to get with the -a
|
||||
flag set.
|
||||
|
||||
reput [-fpR] local-path [remote-path]
|
||||
Resume upload of local-path. Equivalent to put with the -a flag
|
||||
set.
|
||||
|
||||
rename oldpath newpath
|
||||
Rename remote file from oldpath to newpath.
|
||||
|
||||
rm path
|
||||
Delete remote file specified by path.
|
||||
|
||||
rmdir path
|
||||
Remove remote directory specified by path.
|
||||
|
||||
symlink oldpath newpath
|
||||
Create a symbolic link from oldpath to newpath.
|
||||
|
||||
version
|
||||
Display the sftp protocol version.
|
||||
|
||||
!command
|
||||
Execute command in local shell.
|
||||
|
||||
! Escape to local shell.
|
||||
|
||||
? Synonym for help.
|
||||
|
||||
SEE ALSO
|
||||
ftp(1), ls(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5),
|
||||
glob(7), sftp-server(8), sshd(8)
|
||||
|
||||
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
|
||||
filexfer-00.txt, January 2001, work in progress material.
|
||||
|
||||
OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
4
sftp.c
4
sftp.c
@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.238 2024/04/30 06:16:55 djm Exp $ */
|
||||
/* $OpenBSD: sftp.c,v 1.239 2024/06/26 23:14:14 deraadt Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
|
@ -238,12 +238,14 @@ killchild(int signo)
|
|||
static void
|
||||
suspchild(int signo)
|
||||
{
|
||||
int save_errno = errno;
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, signo);
|
||||
while (waitpid(sshpid, NULL, WUNTRACED) == -1 && errno == EINTR)
|
||||
continue;
|
||||
}
|
||||
kill(getpid(), SIGSTOP);
|
||||
errno = save_errno;
|
||||
}
|
||||
|
||||
static void
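Review bot: The new `int save_errno = errno;` in suspchild runs straight into the `if` with no blank line between declarations and statements, which KNF asks for; the block should read `int save_errno = errno;` followed by a blank line and then `if (sshpid > 1) {`. Saving and restoring errno is the right fix for a handler that calls waitpid() and kill(), since the `== -1 && errno == EINTR` loop would otherwise leave EINTR in errno for whatever code the signal interrupted.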
398
srclimit.c
398
srclimit.c
@ -1,5 +1,6 @@
/*
|
||||
* Copyright (c) 2020 Darren Tucker <dtucker@openbsd.org>
|
||||
* Copyright (c) 2024 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@ -18,11 +19,13 @@
|
||||
#include <sys/socket.h>
|
||||
#include <sys/types.h>
|
||||
#include <openbsd-compat/sys-tree.h>
|
||||
|
||||
#include <limits.h>
|
||||
#include <netdb.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "addr.h"
|
||||
#include "canohost.h"
|
||||
@ -30,17 +33,71 @@
#include "misc.h"
|
||||
#include "srclimit.h"
|
||||
#include "xmalloc.h"
|
||||
#include "servconf.h"
|
||||
#include "match.h"
|
||||
|
||||
static int max_children, max_persource, ipv4_masklen, ipv6_masklen;
|
||||
static struct per_source_penalty penalty_cfg;
|
||||
static char *penalty_exempt;
|
||||
|
||||
/* Per connection state, used to enforce unauthenticated connection limit. */
|
||||
static struct child_info {
|
||||
int id;
|
||||
struct xaddr addr;
|
||||
} *child;
|
||||
} *children;
|
||||
|
||||
/*
|
||||
* Penalised addresses, active entries here prohibit connections until expired.
|
||||
* Entries become active when more than penalty_min seconds of penalty are
|
||||
* outstanding.
|
||||
*/
|
||||
struct penalty {
|
||||
struct xaddr addr;
|
||||
time_t expiry;
|
||||
int active;
|
||||
const char *reason;
|
||||
RB_ENTRY(penalty) by_addr;
|
||||
RB_ENTRY(penalty) by_expiry;
|
||||
};
|
||||
static int penalty_addr_cmp(struct penalty *a, struct penalty *b);
|
||||
static int penalty_expiry_cmp(struct penalty *a, struct penalty *b);
|
||||
RB_HEAD(penalties_by_addr, penalty) penalties_by_addr4, penalties_by_addr6;
|
||||
RB_HEAD(penalties_by_expiry, penalty) penalties_by_expiry4, penalties_by_expiry6;
|
||||
RB_GENERATE_STATIC(penalties_by_addr, penalty, by_addr, penalty_addr_cmp)
|
||||
RB_GENERATE_STATIC(penalties_by_expiry, penalty, by_expiry, penalty_expiry_cmp)
|
||||
static size_t npenalties4, npenalties6;
|
||||
|
||||
static int
|
||||
srclimit_mask_addr(const struct xaddr *addr, int bits, struct xaddr *masked)
|
||||
{
|
||||
struct xaddr xmask;
|
||||
|
||||
/* Mask address off address to desired size. */
|
||||
if (addr_netmask(addr->af, bits, &xmask) != 0 ||
|
||||
addr_and(masked, addr, &xmask) != 0) {
|
||||
debug3_f("%s: invalid mask %d bits", __func__, bits);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
srclimit_peer_addr(int sock, struct xaddr *addr)
|
||||
{
|
||||
struct sockaddr_storage storage;
|
||||
socklen_t addrlen = sizeof(storage);
|
||||
struct sockaddr *sa = (struct sockaddr *)&storage;
|
||||
|
||||
if (getpeername(sock, sa, &addrlen) != 0)
|
||||
return 1; /* not remote socket? */
|
||||
if (addr_sa_to_xaddr(sa, addrlen, addr) != 0)
|
||||
return 1; /* unknown address family? */
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
srclimit_init(int max, int persource, int ipv4len, int ipv6len)
|
||||
srclimit_init(int max, int persource, int ipv4len, int ipv6len,
|
||||
struct per_source_penalty *penalty_conf, const char *penalty_exempt_conf)
|
||||
{
|
||||
int i;
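Review bot: `debug3_f("%s: invalid mask %d bits", __func__, bits)` in srclimit_mask_addr prints the function name twice, because the `_f` logging variants already prepend `__func__`; it should be `debug3_f("invalid mask %d bits", bits);`. The four RB_HEAD trees (`penalties_by_addr4`, `penalties_by_addr6`, `penalties_by_expiry4`, `penalties_by_expiry6`) are the only file-scope objects in this hunk without `static`, unlike `penalty_cfg`, `penalty_exempt` and `npenalties4`/`npenalties6` beside them — add `static` unless another translation unit needs them. srclimit_peer_addr reports failure as 1 while srclimit_mask_addr reports it as -1, so callers of the two new helpers must remember different conventions; -1 is the one the rest of the hunk uses. The changed srclimit_init signature at the end of the hunk continues past it.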
@ -48,25 +105,31 @@ srclimit_init(int max, int persource, int ipv4len, int ipv6len)
|
|||
ipv4_masklen = ipv4len;
|
||||
ipv6_masklen = ipv6len;
|
||||
max_persource = persource;
|
||||
penalty_cfg = *penalty_conf;
|
||||
if (penalty_cfg.max_sources4 < 0 || penalty_cfg.max_sources6 < 0)
|
||||
fatal_f("invalid max_sources"); /* shouldn't happen */
|
||||
penalty_exempt = penalty_exempt_conf == NULL ?
|
||||
NULL : xstrdup(penalty_exempt_conf);
|
||||
RB_INIT(&penalties_by_addr4);
|
||||
RB_INIT(&penalties_by_expiry4);
|
||||
RB_INIT(&penalties_by_addr6);
|
||||
RB_INIT(&penalties_by_expiry6);
|
||||
if (max_persource == INT_MAX) /* no limit */
|
||||
return;
|
||||
debug("%s: max connections %d, per source %d, masks %d,%d", __func__,
|
||||
max, persource, ipv4len, ipv6len);
|
||||
if (max <= 0)
|
||||
fatal("%s: invalid number of sockets: %d", __func__, max);
|
||||
child = xcalloc(max_children, sizeof(*child));
|
||||
children = xcalloc(max_children, sizeof(*children));
|
||||
for (i = 0; i < max_children; i++)
|
||||
child[i].id = -1;
|
||||
children[i].id = -1;
|
||||
}
|
||||
|
||||
/* returns 1 if connection allowed, 0 if not allowed. */
|
||||
int
|
||||
srclimit_check_allow(int sock, int id)
|
||||
{
|
||||
struct xaddr xa, xb, xmask;
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen = sizeof(addr);
|
||||
struct sockaddr *sa = (struct sockaddr *)&addr;
|
||||
struct xaddr xa, xb;
|
||||
int i, bits, first_unused, count = 0;
|
||||
char xas[NI_MAXHOST];
|
||||
|
||||
|
@ -74,26 +137,19 @@ srclimit_check_allow(int sock, int id)
|
|||
return 1;
|
||||
|
||||
debug("%s: sock %d id %d limit %d", __func__, sock, id, max_persource);
|
||||
if (getpeername(sock, sa, &addrlen) != 0)
|
||||
return 1; /* not remote socket? */
|
||||
if (addr_sa_to_xaddr(sa, addrlen, &xa) != 0)
|
||||
return 1; /* unknown address family? */
|
||||
|
||||
/* Mask address off address to desired size. */
|
||||
bits = xa.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
if (addr_netmask(xa.af, bits, &xmask) != 0 ||
|
||||
addr_and(&xb, &xa, &xmask) != 0) {
|
||||
debug3("%s: invalid mask %d bits", __func__, bits);
|
||||
if (srclimit_peer_addr(sock, &xa) != 0)
|
||||
return 1;
|
||||
bits = xa.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
if (srclimit_mask_addr(&xa, bits, &xb) != 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
first_unused = max_children;
|
||||
/* Count matching entries and find first unused one. */
|
||||
for (i = 0; i < max_children; i++) {
|
||||
if (child[i].id == -1) {
|
||||
if (children[i].id == -1) {
|
||||
if (i < first_unused)
|
||||
first_unused = i;
|
||||
} else if (addr_cmp(&child[i].addr, &xb) == 0) {
|
||||
} else if (addr_cmp(&children[i].addr, &xb) == 0) {
|
||||
count++;
|
||||
}
|
||||
}
|
||||
|
@ -116,8 +172,8 @@ srclimit_check_allow(int sock, int id)
|
|||
return 0;
|
||||
|
||||
/* Connection allowed, store masked address. */
|
||||
child[first_unused].id = id;
|
||||
memcpy(&child[first_unused].addr, &xb, sizeof(xb));
|
||||
children[first_unused].id = id;
|
||||
memcpy(&children[first_unused].addr, &xb, sizeof(xb));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -132,9 +188,301 @@ srclimit_done(int id)
|
|||
debug("%s: id %d", __func__, id);
|
||||
/* Clear corresponding state entry. */
|
||||
for (i = 0; i < max_children; i++) {
|
||||
if (child[i].id == id) {
|
||||
child[i].id = -1;
|
||||
if (children[i].id == id) {
|
||||
children[i].id = -1;
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
penalty_addr_cmp(struct penalty *a, struct penalty *b)
|
||||
{
|
||||
return addr_cmp(&a->addr, &b->addr);
|
||||
/* Addresses must be unique in by_addr, so no need to tiebreak */
|
||||
}
|
||||
|
||||
static int
|
||||
penalty_expiry_cmp(struct penalty *a, struct penalty *b)
|
||||
{
|
||||
if (a->expiry != b->expiry)
|
||||
return a->expiry < b->expiry ? -1 : 1;
|
||||
/* Tiebreak on addresses */
|
||||
return addr_cmp(&a->addr, &b->addr);
|
||||
}
|
||||
|
||||
static void
|
||||
expire_penalties_from_tree(time_t now, const char *t,
|
||||
struct penalties_by_expiry *by_expiry,
|
||||
struct penalties_by_addr *by_addr, size_t *npenaltiesp)
|
||||
{
|
||||
struct penalty *penalty, *tmp;
|
||||
|
||||
/* XXX avoid full scan of tree, e.g. min-heap */
|
||||
RB_FOREACH_SAFE(penalty, penalties_by_expiry, by_expiry, tmp) {
|
||||
if (penalty->expiry >= now)
|
||||
break;
|
||||
if (RB_REMOVE(penalties_by_expiry, by_expiry,
|
||||
penalty) != penalty ||
|
||||
RB_REMOVE(penalties_by_addr, by_addr,
|
||||
penalty) != penalty)
|
||||
fatal_f("internal error: %s penalty table corrupt", t);
|
||||
free(penalty);
|
||||
if ((*npenaltiesp)-- == 0)
|
||||
fatal_f("internal error: %s npenalties underflow", t);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
expire_penalties(time_t now)
|
||||
{
|
||||
expire_penalties_from_tree(now, "ipv4",
|
||||
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4);
|
||||
expire_penalties_from_tree(now, "ipv6",
|
||||
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6);
|
||||
}
|
||||
|
||||
static void
|
||||
addr_masklen_ntop(struct xaddr *addr, int masklen, char *s, size_t slen)
|
||||
{
|
||||
size_t o;
|
||||
|
||||
if (addr_ntop(addr, s, slen) != 0) {
|
||||
strlcpy(s, "UNKNOWN", slen);
|
||||
return;
|
||||
}
|
||||
if ((o = strlen(s)) < slen)
|
||||
snprintf(s + o, slen - o, "/%d", masklen);
|
||||
}
|
||||
|
||||
int
|
||||
srclimit_penalty_check_allow(int sock, const char **reason)
|
||||
{
|
||||
struct xaddr addr;
|
||||
struct penalty find, *penalty;
|
||||
time_t now;
|
||||
int bits, max_sources, overflow_mode;
|
||||
char addr_s[NI_MAXHOST];
|
||||
struct penalties_by_addr *by_addr;
|
||||
size_t npenalties;
|
||||
|
||||
if (!penalty_cfg.enabled)
|
||||
return 1;
|
||||
if (srclimit_peer_addr(sock, &addr) != 0)
|
||||
return 1;
|
||||
if (penalty_exempt != NULL) {
|
||||
if (addr_ntop(&addr, addr_s, sizeof(addr_s)) != 0)
|
||||
return 1; /* shouldn't happen */
|
||||
if (addr_match_list(addr_s, penalty_exempt) == 1) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
now = monotime();
|
||||
expire_penalties(now);
|
||||
by_addr = addr.af == AF_INET ?
|
||||
&penalties_by_addr4 : &penalties_by_addr6;
|
||||
max_sources = addr.af == AF_INET ?
|
||||
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
||||
overflow_mode = addr.af == AF_INET ?
|
||||
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
||||
npenalties = addr.af == AF_INET ? npenalties4 : npenalties6;
|
||||
if (npenalties >= (size_t)max_sources &&
|
||||
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
||||
*reason = "too many penalised addresses";
|
||||
return 0;
|
||||
}
|
||||
bits = addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
memset(&find, 0, sizeof(find));
|
||||
if (srclimit_mask_addr(&addr, bits, &find.addr) != 0)
|
||||
return 1;
|
||||
if ((penalty = RB_FIND(penalties_by_addr, by_addr, &find)) == NULL)
|
||||
return 1; /* no penalty */
|
||||
if (penalty->expiry < now) {
|
||||
expire_penalties(now);
|
||||
return 1; /* expired penalty */
|
||||
}
|
||||
if (!penalty->active)
|
||||
return 1; /* Penalty hasn't hit activation threshold yet */
|
||||
*reason = penalty->reason;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
srclimit_early_expire_penalties_from_tree(const char *t,
|
||||
struct penalties_by_expiry *by_expiry,
|
||||
struct penalties_by_addr *by_addr, size_t *npenaltiesp, size_t max_sources)
|
||||
{
|
||||
struct penalty *p = NULL;
|
||||
int bits;
|
||||
char s[NI_MAXHOST + 4];
|
||||
|
||||
/* Delete the soonest-to-expire penalties. */
|
||||
while (*npenaltiesp > max_sources) {
|
||||
if ((p = RB_MIN(penalties_by_expiry, by_expiry)) == NULL)
|
||||
fatal_f("internal error: %s table corrupt (find)", t);
|
||||
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
||||
debug3_f("%s overflow, remove %s", t, s);
|
||||
if (RB_REMOVE(penalties_by_expiry, by_expiry, p) != p ||
|
||||
RB_REMOVE(penalties_by_addr, by_addr, p) != p)
|
||||
fatal_f("internal error: %s table corrupt (remove)", t);
|
||||
free(p);
|
||||
(*npenaltiesp)--;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
srclimit_early_expire_penalties(void)
|
||||
{
|
||||
srclimit_early_expire_penalties_from_tree("ipv4",
|
||||
&penalties_by_expiry4, &penalties_by_addr4, &npenalties4,
|
||||
(size_t)penalty_cfg.max_sources4);
|
||||
srclimit_early_expire_penalties_from_tree("ipv6",
|
||||
&penalties_by_expiry6, &penalties_by_addr6, &npenalties6,
|
||||
(size_t)penalty_cfg.max_sources6);
|
||||
}
|
||||
|
||||
void
|
||||
srclimit_penalise(struct xaddr *addr, int penalty_type)
|
||||
{
|
||||
struct xaddr masked;
|
||||
struct penalty *penalty = NULL, *existing = NULL;
|
||||
time_t now;
|
||||
int bits, penalty_secs, max_sources = 0, overflow_mode;
|
||||
char addrnetmask[NI_MAXHOST + 4];
|
||||
const char *reason = NULL, *t;
|
||||
size_t *npenaltiesp = NULL;
|
||||
struct penalties_by_addr *by_addr = NULL;
|
||||
struct penalties_by_expiry *by_expiry = NULL;
|
||||
|
||||
if (!penalty_cfg.enabled)
|
||||
return;
|
||||
if (penalty_exempt != NULL) {
|
||||
if (addr_ntop(addr, addrnetmask, sizeof(addrnetmask)) != 0)
|
||||
return; /* shouldn't happen */
|
||||
if (addr_match_list(addrnetmask, penalty_exempt) == 1) {
|
||||
debug3_f("address %s is exempt", addrnetmask);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
switch (penalty_type) {
|
||||
case SRCLIMIT_PENALTY_NONE:
|
||||
return;
|
||||
case SRCLIMIT_PENALTY_CRASH:
|
||||
penalty_secs = penalty_cfg.penalty_crash;
|
||||
reason = "penalty: caused crash";
|
||||
break;
|
||||
case SRCLIMIT_PENALTY_AUTHFAIL:
|
||||
penalty_secs = penalty_cfg.penalty_authfail;
|
||||
reason = "penalty: failed authentication";
|
||||
break;
|
||||
case SRCLIMIT_PENALTY_NOAUTH:
|
||||
penalty_secs = penalty_cfg.penalty_noauth;
|
||||
reason = "penalty: connections without attempting authentication";
|
||||
break;
|
||||
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
|
||||
penalty_secs = penalty_cfg.penalty_crash;
|
||||
reason = "penalty: exceeded LoginGraceTime";
|
||||
break;
|
||||
default:
|
||||
fatal_f("internal error: unknown penalty %d", penalty_type);
|
||||
}
|
||||
bits = addr->af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
if (srclimit_mask_addr(addr, bits, &masked) != 0)
|
||||
return;
|
||||
addr_masklen_ntop(addr, bits, addrnetmask, sizeof(addrnetmask));
|
||||
|
||||
now = monotime();
|
||||
expire_penalties(now);
|
||||
by_expiry = addr->af == AF_INET ?
|
||||
&penalties_by_expiry4 : &penalties_by_expiry6;
|
||||
by_addr = addr->af == AF_INET ?
|
||||
&penalties_by_addr4 : &penalties_by_addr6;
|
||||
max_sources = addr->af == AF_INET ?
|
||||
penalty_cfg.max_sources4 : penalty_cfg.max_sources6;
|
||||
overflow_mode = addr->af == AF_INET ?
|
||||
penalty_cfg.overflow_mode : penalty_cfg.overflow_mode6;
|
||||
npenaltiesp = addr->af == AF_INET ? &npenalties4 : &npenalties6;
|
||||
t = addr->af == AF_INET ? "ipv4" : "ipv6";
|
||||
if (*npenaltiesp >= (size_t)max_sources &&
|
||||
overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
|
||||
verbose_f("%s penalty table full, cannot penalise %s for %s", t,
|
||||
addrnetmask, reason);
|
||||
return;
|
||||
}
|
||||
|
||||
penalty = xcalloc(1, sizeof(*penalty));
|
||||
penalty->addr = masked;
|
||||
penalty->expiry = now + penalty_secs;
|
||||
penalty->reason = reason;
|
||||
if ((existing = RB_INSERT(penalties_by_addr, by_addr,
|
||||
penalty)) == NULL) {
|
||||
/* penalty didn't previously exist */
|
||||
if (penalty_secs > penalty_cfg.penalty_min)
|
||||
penalty->active = 1;
|
||||
if (RB_INSERT(penalties_by_expiry, by_expiry, penalty) != NULL)
|
||||
fatal_f("internal error: %s penalty tables corrupt", t);
|
||||
verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
|
||||
addrnetmask, penalty->active ? "active" : "deferred",
|
||||
penalty_secs, reason);
|
||||
if (++(*npenaltiesp) > (size_t)max_sources)
|
||||
srclimit_early_expire_penalties(); /* permissive */
|
||||
return;
|
||||
}
|
||||
debug_f("%s penalty for %s %s already exists, %lld seconds remaining",
|
||||
existing->active ? "active" : "inactive", t,
|
||||
addrnetmask, (long long)(existing->expiry - now));
|
||||
/* Expiry information is about to change, remove from tree */
|
||||
if (RB_REMOVE(penalties_by_expiry, by_expiry, existing) != existing)
|
||||
fatal_f("internal error: %s penalty table corrupt (remove)", t);
|
||||
/* An entry already existed. Accumulate penalty up to maximum */
|
||||
existing->expiry += penalty_secs;
|
||||
if (existing->expiry - now > penalty_cfg.penalty_max)
|
||||
existing->expiry = now + penalty_cfg.penalty_max;
|
||||
if (existing->expiry - now > penalty_cfg.penalty_min &&
|
||||
!existing->active) {
|
||||
verbose_f("%s: activating %s penalty of %lld seconds for %s",
|
||||
addrnetmask, t, (long long)(existing->expiry - now),
|
||||
reason);
|
||||
existing->active = 1;
|
||||
}
|
||||
existing->reason = penalty->reason;
|
||||
free(penalty);
|
||||
penalty = NULL;
|
||||
/* Re-insert into expiry tree */
|
||||
if (RB_INSERT(penalties_by_expiry, by_expiry, existing) != NULL)
|
||||
fatal_f("internal error: %s penalty table corrupt (insert)", t);
|
||||
}
|
||||
|
||||
static void
|
||||
srclimit_penalty_info_for_tree(const char *t,
|
||||
struct penalties_by_expiry *by_expiry, size_t npenalties)
|
||||
{
|
||||
struct penalty *p = NULL;
|
||||
int bits;
|
||||
char s[NI_MAXHOST + 4];
|
||||
time_t now;
|
||||
|
||||
now = monotime();
|
||||
logit("%zu active %s penalties", npenalties, t);
|
||||
RB_FOREACH(p, penalties_by_expiry, by_expiry) {
|
||||
bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;
|
||||
addr_masklen_ntop(&p->addr, bits, s, sizeof(s));
|
||||
if (p->expiry < now)
|
||||
logit("client %s %s (expired)", s, p->reason);
|
||||
else {
|
||||
logit("client %s %s (%llu secs left)", s, p->reason,
|
||||
(long long)(p->expiry - now));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
srclimit_penalty_info(void)
|
||||
{
|
||||
srclimit_penalty_info_for_tree("ipv4",
|
||||
&penalties_by_expiry4, npenalties4);
|
||||
srclimit_penalty_info_for_tree("ipv6",
|
||||
&penalties_by_expiry6, npenalties6);
|
||||
}
|
||||
|
|
22
srclimit.h
22
srclimit.h
|
@ -13,6 +13,26 @@
|
|||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
void srclimit_init(int, int, int, int);
|
||||
struct xaddr;
|
||||
|
||||
struct per_source_penalty;
|
||||
|
||||
void srclimit_init(int, int, int, int,
|
||||
struct per_source_penalty *, const char *);
|
||||
int srclimit_check_allow(int, int);
|
||||
void srclimit_done(int);
|
||||
|
||||
#define SRCLIMIT_PENALTY_NONE 0
|
||||
#define SRCLIMIT_PENALTY_CRASH 1
|
||||
#define SRCLIMIT_PENALTY_AUTHFAIL 2
|
||||
#define SRCLIMIT_PENALTY_GRACE_EXCEEDED 3
|
||||
#define SRCLIMIT_PENALTY_NOAUTH 4
|
||||
|
||||
/* meaningful exit values, used by sshd listener for penalties */
|
||||
#define EXIT_LOGIN_GRACE 3 /* login grace period exceeded */
|
||||
#define EXIT_CHILD_CRASH 4 /* preauth child crashed */
|
||||
#define EXIT_AUTH_ATTEMPTED 5 /* at least one auth attempt made */
|
||||
|
||||
void srclimit_penalise(struct xaddr *, int);
|
||||
int srclimit_penalty_check_allow(int, const char **);
|
||||
void srclimit_penalty_info(void);
|
||||
|
|
|
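Review bot: The new prototypes for srclimit_penalise and srclimit_penalty_check_allow carry no contract in this header, and the srclimit.c side of the same commit gives them non-obvious ones: srclimit_penalty_check_allow stores into *reason only on its two deny paths (the "too many penalised addresses" overflow case and an active penalty) and leaves it untouched whenever it returns 1, while srclimit_penalise treats SRCLIMIT_PENALTY_NONE as a no-op and calls fatal_f() for any other value outside the SRCLIMIT_PENALTY_* set. I would add above `int srclimit_penalty_check_allow(int, const char **);` the comment `/* Returns 1 if the peer of sock may proceed, 0 if it is penalised; *reason is written only when 0 is returned. */`, and above `void srclimit_penalise(struct xaddr *, int);` the comment `/* Record a SRCLIMIT_PENALTY_* event against addr; NONE is a no-op, any other unknown value is fatal. */`. Since srclimit_penalise only reads through addr (addr_ntop, srclimit_mask_addr, addr_masklen_ntop), the parameter could presumably be `const struct xaddr *`, which would let callers pass the addresses they already hold as const; that would need addr_masklen_ntop in srclimit.c to take const as well.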
@ -0,0 +1,209 @@
|
|||
SSH-ADD(1) General Commands Manual SSH-ADD(1)
|
||||
|
||||
NAME
|
||||
ssh-add M-bM-^@M-^S adds private key identities to the OpenSSH authentication agent
|
||||
|
||||
SYNOPSIS
|
||||
ssh-add [-CcDdKkLlqvXx] [-E fingerprint_hash] [-H hostkey_file]
|
||||
[-h destination_constraint] [-S provider] [-t life] [file ...]
|
||||
ssh-add -s pkcs11 [-Cv] [certificate ...]
|
||||
ssh-add -e pkcs11
|
||||
ssh-add -T pubkey ...
|
||||
|
||||
DESCRIPTION
|
||||
ssh-add adds private key identities to the authentication agent,
|
||||
ssh-agent(1). When run without arguments, it adds the files
|
||||
~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519 and
|
||||
~/.ssh/id_ed25519_sk. After loading a private key, ssh-add will try to
|
||||
load corresponding certificate information from the filename obtained by
|
||||
appending -cert.pub to the name of the private key file. Alternative
|
||||
file names can be given on the command line.
|
||||
|
||||
If any file requires a passphrase, ssh-add asks for the passphrase from
|
||||
the user. The passphrase is read from the user's tty. ssh-add retries
|
||||
the last passphrase if multiple identity files are given.
|
||||
|
||||
The authentication agent must be running and the SSH_AUTH_SOCK
|
||||
environment variable must contain the name of its socket for ssh-add to
|
||||
work.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-C When loading keys into or deleting keys from the agent, process
|
||||
certificates only and skip plain keys.
|
||||
|
||||
-c Indicates that added identities should be subject to confirmation
|
||||
before being used for authentication. Confirmation is performed
|
||||
by ssh-askpass(1). Successful confirmation is signaled by a zero
|
||||
exit status from ssh-askpass(1), rather than text entered into
|
||||
the requester.
|
||||
|
||||
-D Deletes all identities from the agent.
|
||||
|
||||
-d Instead of adding identities, removes identities from the agent.
|
||||
If ssh-add has been run without arguments, the keys for the
|
||||
default identities and their corresponding certificates will be
|
||||
removed. Otherwise, the argument list will be interpreted as a
|
||||
list of paths to public key files to specify keys and
|
||||
certificates to be removed from the agent. If no public key is
|
||||
found at a given path, ssh-add will append .pub and retry. If
|
||||
the argument list consists of M-bM-^@M-^\-M-bM-^@M-^] then ssh-add will read public
|
||||
keys to be removed from standard input.
|
||||
|
||||
-E fingerprint_hash
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The
|
||||
default is M-bM-^@M-^\sha256M-bM-^@M-^].
|
||||
|
||||
-e pkcs11
|
||||
Remove keys provided by the PKCS#11 shared library pkcs11.
|
||||
|
||||
-H hostkey_file
|
||||
Specifies a known hosts file to look up hostkeys when using
|
||||
destination-constrained keys via the -h flag. This option may be
|
||||
specified multiple times to allow multiple files to be searched.
|
||||
If no files are specified, ssh-add will use the default
|
||||
ssh_config(5) known hosts files: ~/.ssh/known_hosts,
|
||||
~/.ssh/known_hosts2, /etc/ssh/ssh_known_hosts, and
|
||||
/etc/ssh/ssh_known_hosts2.
|
||||
|
||||
-h destination_constraint
|
||||
When adding keys, constrain them to be usable only through
|
||||
specific hosts or to specific destinations.
|
||||
|
||||
Destination constraints of the form M-bM-^@M-^X[user@]dest-hostnameM-bM-^@M-^Y permit
|
||||
use of the key only from the origin host (the one running
|
||||
ssh-agent(1)) to the listed destination host, with optional user
|
||||
name.
|
||||
|
||||
Constraints of the form M-bM-^@M-^Xsrc-hostname>[user@]dst-hostnameM-bM-^@M-^Y allow
|
||||
a key available on a forwarded ssh-agent(1) to be used through a
|
||||
particular host (as specified by M-bM-^@M-^Xsrc-hostnameM-bM-^@M-^Y) to authenticate
|
||||
to a further host, specified by M-bM-^@M-^Xdst-hostnameM-bM-^@M-^Y.
|
||||
|
||||
Multiple destination constraints may be added when loading keys.
|
||||
When attempting authentication with a key that has destination
|
||||
constraints, the whole connection path, including ssh-agent(1)
|
||||
forwarding, is tested against those constraints and each hop must
|
||||
be permitted for the attempt to succeed. For example, if key is
|
||||
forwarded to a remote host, M-bM-^@M-^Xhost-bM-bM-^@M-^Y, and is attempting
|
||||
authentication to another host, M-bM-^@M-^Xhost-cM-bM-^@M-^Y, then the operation will
|
||||
be successful only if M-bM-^@M-^Xhost-bM-bM-^@M-^Y was permitted from the origin host
|
||||
and the subsequent M-bM-^@M-^Xhost-b>host-cM-bM-^@M-^Y hop is also permitted by
|
||||
destination constraints.
|
||||
|
||||
Hosts are identified by their host keys, and are looked up from
|
||||
known hosts files by ssh-add. Wildcards patterns may be used for
|
||||
hostnames and certificate host keys are supported. By default,
|
||||
keys added by ssh-add are not destination constrained.
|
||||
|
||||
Destination constraints were added in OpenSSH release 8.9.
|
||||
Support in both the remote SSH client and server is required when
|
||||
using destination-constrained keys over a forwarded ssh-agent(1)
|
||||
channel.
|
||||
|
||||
It is also important to note that destination constraints can
|
||||
only be enforced by ssh-agent(1) when a key is used, or when it
|
||||
is forwarded by a cooperating ssh(1). Specifically, it does not
|
||||
prevent an attacker with access to a remote SSH_AUTH_SOCK from
|
||||
forwarding it again and using it on a different host (but only to
|
||||
a permitted destination).
|
||||
|
||||
-K Load resident keys from a FIDO authenticator.
|
||||
|
||||
-k When loading keys into or deleting keys from the agent, process
|
||||
plain private keys only and skip certificates.
|
||||
|
||||
-L Lists public key parameters of all identities currently
|
||||
represented by the agent.
|
||||
|
||||
-l Lists fingerprints of all identities currently represented by the
|
||||
agent.
|
||||
|
||||
-q Be quiet after a successful operation.
|
||||
|
||||
-S provider
|
||||
Specifies a path to a library that will be used when adding FIDO
|
||||
authenticator-hosted keys, overriding the default of using the
|
||||
internal USB HID support.
|
||||
|
||||
-s pkcs11
|
||||
Add keys provided by the PKCS#11 shared library pkcs11.
|
||||
Certificate files may optionally be listed as command-line
|
||||
arguments. If these are present, then they will be loaded into
|
||||
the agent using any corresponding private keys loaded from the
|
||||
PKCS#11 token.
|
||||
|
||||
-T pubkey ...
|
||||
Tests whether the private keys that correspond to the specified
|
||||
pubkey files are usable by performing sign and verify operations
|
||||
on each.
|
||||
|
||||
-t life
|
||||
Set a maximum lifetime when adding identities to an agent. The
|
||||
lifetime may be specified in seconds or in a time format
|
||||
specified in sshd_config(5).
|
||||
|
||||
-v Verbose mode. Causes ssh-add to print debugging messages about
|
||||
its progress. This is helpful in debugging problems. Multiple
|
||||
-v options increase the verbosity. The maximum is 3.
|
||||
|
||||
-X Unlock the agent.
|
||||
|
||||
-x Lock the agent with a password.
|
||||
|
||||
ENVIRONMENT
|
||||
DISPLAY, SSH_ASKPASS and SSH_ASKPASS_REQUIRE
|
||||
If ssh-add needs a passphrase, it will read the passphrase from
|
||||
the current terminal if it was run from a terminal. If ssh-add
|
||||
does not have a terminal associated with it but DISPLAY and
|
||||
SSH_ASKPASS are set, it will execute the program specified by
|
||||
SSH_ASKPASS (by default M-bM-^@M-^\ssh-askpassM-bM-^@M-^]) and open an X11 window to
|
||||
read the passphrase. This is particularly useful when calling
|
||||
ssh-add from a .xsession or related script.
|
||||
|
||||
SSH_ASKPASS_REQUIRE allows further control over the use of an
|
||||
askpass program. If this variable is set to M-bM-^@M-^\neverM-bM-^@M-^] then ssh-add
|
||||
will never attempt to use one. If it is set to M-bM-^@M-^\preferM-bM-^@M-^], then
|
||||
ssh-add will prefer to use the askpass program instead of the TTY
|
||||
when requesting passwords. Finally, if the variable is set to
|
||||
M-bM-^@M-^\forceM-bM-^@M-^], then the askpass program will be used for all passphrase
|
||||
input regardless of whether DISPLAY is set.
|
||||
|
||||
SSH_AUTH_SOCK
|
||||
Identifies the path of a UNIX-domain socket used to communicate
|
||||
with the agent.
|
||||
|
||||
SSH_SK_PROVIDER
|
||||
Specifies a path to a library that will be used when loading any
|
||||
FIDO authenticator-hosted keys, overriding the default of using
|
||||
the built-in USB HID support.
|
||||
|
||||
FILES
|
||||
~/.ssh/id_ecdsa
|
||||
~/.ssh/id_ecdsa_sk
|
||||
~/.ssh/id_ed25519
|
||||
~/.ssh/id_ed25519_sk
|
||||
~/.ssh/id_rsa
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of
|
||||
the user.
|
||||
|
||||
Identity files should not be readable by anyone but the user. Note that
|
||||
ssh-add ignores identity files if they are accessible by others.
|
||||
|
||||
EXIT STATUS
|
||||
Exit status is 0 on success, 1 if the specified command fails, and 2 if
|
||||
ssh-add is unable to contact the authentication agent.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-agent(1), ssh-askpass(1), ssh-keygen(1), sshd(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
|
12
ssh-add.1
12
ssh-add.1
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -35,7 +35,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: December 19 2023 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-ADD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -67,10 +67,9 @@ When run without arguments, it adds the files
|
|||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk ,
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
After loading a private key,
|
||||
.Nm
|
||||
will try to load corresponding certificate information from the
|
||||
|
@ -314,13 +313,12 @@ the built-in USB HID support.
|
|||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
.It Pa ~/.ssh/id_ed25519_sk
|
||||
.It Pa ~/.ssh/id_rsa
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
||||
.El
|
||||
.Pp
|
||||
|
|
|
@ -0,0 +1,140 @@
|
|||
SSH-AGENT(1) General Commands Manual SSH-AGENT(1)
|
||||
|
||||
NAME
|
||||
ssh-agent M-bM-^@M-^S OpenSSH authentication agent
|
||||
|
||||
SYNOPSIS
|
||||
ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
|
||||
[-O option] [-P allowed_providers] [-t life]
|
||||
ssh-agent [-a bind_address] [-E fingerprint_hash] [-O option]
|
||||
[-P allowed_providers] [-t life] command [arg ...]
|
||||
ssh-agent [-c | -s] -k
|
||||
|
||||
DESCRIPTION
|
||||
ssh-agent is a program to hold private keys used for public key
|
||||
authentication. Through use of environment variables the agent can be
|
||||
located and automatically used for authentication when logging in to
|
||||
other machines using ssh(1).
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-a bind_address
|
||||
Bind the agent to the UNIX-domain socket bind_address. The
|
||||
default is $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>.
|
||||
|
||||
-c Generate C-shell commands on stdout. This is the default if
|
||||
SHELL looks like it's a csh style of shell.
|
||||
|
||||
-D Foreground mode. When this option is specified, ssh-agent will
|
||||
not fork.
|
||||
|
||||
-d Debug mode. When this option is specified, ssh-agent will not
|
||||
fork and will write debug information to standard error.
|
||||
|
||||
-E fingerprint_hash
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The
|
||||
default is M-bM-^@M-^\sha256M-bM-^@M-^].
|
||||
|
||||
-k Kill the current agent (given by the SSH_AGENT_PID environment
|
||||
variable).
|
||||
|
||||
-O option
|
||||
Specify an option when starting ssh-agent. Currently two options
|
||||
are supported: allow-remote-pkcs11 and no-restrict-websafe.
|
||||
|
||||
The allow-remote-pkcs11 option allows clients of a forwarded
|
||||
ssh-agent to load PKCS#11 or FIDO provider libraries. By default
|
||||
only local clients may perform this operation. Note that
|
||||
signalling that an ssh-agent client is remote is performed by
|
||||
ssh(1), and use of other tools to forward access to the agent
|
||||
socket may circumvent this restriction.
|
||||
|
||||
The no-restrict-websafe option instructs ssh-agent to permit
|
||||
signatures using FIDO keys that might be web authentication
|
||||
requests. By default, ssh-agent refuses signature requests for
|
||||
FIDO keys where the key application string does not start with
|
||||
M-bM-^@M-^\ssh:M-bM-^@M-^] and when the data to be signed does not appear to be a
|
||||
ssh(1) user authentication request or a ssh-keygen(1) signature.
|
||||
The default behaviour prevents forwarded access to a FIDO key
|
||||
from also implicitly forwarding the ability to authenticate to
|
||||
websites.
|
||||
|
||||
-P allowed_providers
|
||||
Specify a pattern-list of acceptable paths for PKCS#11 provider
|
||||
and FIDO authenticator middleware shared libraries that may be
|
||||
used with the -S or -s options to ssh-add(1). Libraries that do
|
||||
not match the pattern list will be refused. See PATTERNS in
|
||||
ssh_config(5) for a description of pattern-list syntax. The
|
||||
default list is M-bM-^@M-^\usr/lib*/*,/usr/local/lib*/*M-bM-^@M-^].
|
||||
|
||||
-s Generate Bourne shell commands on stdout. This is the default if
|
||||
SHELL does not look like it's a csh style of shell.
|
||||
|
||||
-t life
|
||||
Set a default value for the maximum lifetime of identities added
|
||||
to the agent. The lifetime may be specified in seconds or in a
|
||||
time format specified in sshd_config(5). A lifetime specified
|
||||
for an identity with ssh-add(1) overrides this value. Without
|
||||
this option the default maximum lifetime is forever.
|
||||
|
||||
command [arg ...]
|
||||
If a command (and optional arguments) is given, this is executed
|
||||
as a subprocess of the agent. The agent exits automatically when
|
||||
the command given on the command line terminates.
|
||||
|
||||
There are two main ways to get an agent set up. The first is at the
|
||||
start of an X session, where all other windows or programs are started as
|
||||
children of the ssh-agent program. The agent starts a command under
|
||||
which its environment variables are exported, for example ssh-agent xterm
|
||||
&. When the command terminates, so does the agent.
|
||||
|
||||
The second method is used for a login session. When ssh-agent is
|
||||
started, it prints the shell commands required to set its environment
|
||||
variables, which in turn can be evaluated in the calling shell, for
|
||||
example eval `ssh-agent -s`.
|
||||
|
||||
In both cases, ssh(1) looks at these environment variables and uses them
|
||||
to establish a connection to the agent.
|
||||
|
||||
The agent initially does not have any private keys. Keys are added using
|
||||
ssh-add(1) or by ssh(1) when AddKeysToAgent is set in ssh_config(5).
|
||||
Multiple identities may be stored in ssh-agent concurrently and ssh(1)
|
||||
will automatically use them if present. ssh-add(1) is also used to
|
||||
remove keys from ssh-agent and to query the keys that are held in one.
|
||||
|
||||
Connections to ssh-agent may be forwarded from further remote hosts using
|
||||
the -A option to ssh(1) (but see the caveats documented therein),
|
||||
avoiding the need for authentication data to be stored on other machines.
|
||||
Authentication passphrases and private keys never go over the network:
|
||||
the connection to the agent is forwarded over SSH remote connections and
|
||||
the result is returned to the requester, allowing the user access to
|
||||
their identities anywhere in the network in a secure fashion.
|
||||
|
||||
ENVIRONMENT
|
||||
SSH_AGENT_PID When ssh-agent starts, it stores the name of the agent's
|
||||
process ID (PID) in this variable.
|
||||
|
||||
SSH_AUTH_SOCK When ssh-agent starts, it creates a UNIX-domain socket and
|
||||
stores its pathname in this variable. It is accessible
|
||||
only to the current user, but is easily abused by root or
|
||||
another instance of the same user.
|
||||
|
||||
FILES
|
||||
$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
|
||||
UNIX-domain sockets used to contain the connection to the
|
||||
authentication agent. These sockets should only be readable by
|
||||
the owner. The sockets should get automatically removed when the
|
||||
agent exits.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sshd(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
|
||||
/* $OpenBSD: ssh-gss.h,v 1.16 2024/05/17 06:42:04 jsg Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
*
|
||||
|
@ -103,7 +103,6 @@ int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
|
|||
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
|
||||
void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
|
||||
void ssh_gssapi_supported_oids(gss_OID_set *);
|
||||
ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
|
||||
void ssh_gssapi_prepare_supported_oids(void);
|
||||
OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
|
||||
|
||||
|
|
|
@ -0,0 +1,907 @@
|
|||
SSH-KEYGEN(1) General Commands Manual SSH-KEYGEN(1)
|
||||
|
||||
NAME
|
||||
ssh-keygen M-bM-^@M-^S OpenSSH authentication key utility
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
|
||||
[-m format] [-N new_passphrase] [-O option]
|
||||
[-t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
|
||||
[-w provider] [-Z cipher]
|
||||
ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]
|
||||
[-P old_passphrase] [-Z cipher]
|
||||
ssh-keygen -i [-f input_keyfile] [-m key_format]
|
||||
ssh-keygen -e [-f input_keyfile] [-m key_format]
|
||||
ssh-keygen -y [-f input_keyfile]
|
||||
ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
|
||||
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
|
||||
ssh-keygen -B [-f input_keyfile]
|
||||
ssh-keygen -D pkcs11
|
||||
ssh-keygen -F hostname [-lv] [-f known_hosts_file]
|
||||
ssh-keygen -H [-f known_hosts_file]
|
||||
ssh-keygen -K [-a rounds] [-w provider]
|
||||
ssh-keygen -R hostname [-f known_hosts_file]
|
||||
ssh-keygen -r hostname [-g] [-f input_keyfile]
|
||||
ssh-keygen -M generate [-O option] output_file
|
||||
ssh-keygen -M screen [-f input_file] [-O option] output_file
|
||||
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
|
||||
[-n principals] [-O option] [-V validity_interval]
|
||||
[-z serial_number] file ...
|
||||
ssh-keygen -L [-f input_keyfile]
|
||||
ssh-keygen -A [-a rounds] [-f prefix_path]
|
||||
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
|
||||
file ...
|
||||
ssh-keygen -Q [-l] -f krl_file file ...
|
||||
ssh-keygen -Y find-principals [-O option] -s signature_file
|
||||
-f allowed_signers_file
|
||||
ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
|
||||
ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file
|
||||
ssh-keygen -Y sign [-O option] -f key_file -n namespace file ...
|
||||
ssh-keygen -Y verify [-O option] -f allowed_signers_file
|
||||
-I signer_identity -n namespace -s signature_file
|
||||
[-r revocation_file]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keygen generates, manages and converts authentication keys for
|
||||
ssh(1). ssh-keygen can create keys for use by SSH protocol version 2.
|
||||
|
||||
The type of key to be generated is specified with the -t option. If
|
||||
invoked without any arguments, ssh-keygen will generate an Ed25519 key.
|
||||
|
||||
ssh-keygen is also used to generate groups for use in Diffie-Hellman
|
||||
group exchange (DH-GEX). See the MODULI GENERATION section for details.
|
||||
|
||||
Finally, ssh-keygen can be used to generate and update Key Revocation
|
||||
Lists, and to test whether given keys have been revoked by one. See the
|
||||
KEY REVOCATION LISTS section for details.
|
||||
|
||||
Normally each user wishing to use SSH with public key authentication runs
|
||||
this once to create the authentication key in ~/.ssh/id_ecdsa,
|
||||
~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk or
|
||||
~/.ssh/id_rsa. Additionally, the system administrator may use this to
|
||||
generate host keys, as seen in /etc/rc.
|
||||
|
||||
Normally this program generates the key and asks for a file in which to
|
||||
store the private key. The public key is stored in a file with the same
|
||||
name but M-bM-^@M-^\.pubM-bM-^@M-^] appended. The program also asks for a passphrase. The
|
||||
passphrase may be empty to indicate no passphrase (host keys must have an
|
||||
empty passphrase), or it may be a string of arbitrary length. A
|
||||
passphrase is similar to a password, except it can be a phrase with a
|
||||
series of words, punctuation, numbers, whitespace, or any string of
|
||||
characters you want. Good passphrases are 10-30 characters long, are not
|
||||
simple sentences or otherwise easily guessable (English prose has only
|
||||
1-2 bits of entropy per character, and provides very bad passphrases),
|
||||
and contain a mix of upper and lowercase letters, numbers, and non-
|
||||
alphanumeric characters. The passphrase can be changed later by using
|
||||
the -p option.
|
||||
|
||||
There is no way to recover a lost passphrase. If the passphrase is lost
|
||||
or forgotten, a new key must be generated and the corresponding public
|
||||
key copied to other machines.
|
||||
|
||||
ssh-keygen will by default write keys in an OpenSSH-specific format.
|
||||
This format is preferred as it offers better protection for keys at rest
|
||||
as well as allowing storage of key comments within the private key file
|
||||
itself. The key comment may be useful to help identify the key. The
|
||||
comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is created, but can be
|
||||
changed using the -c option.
|
||||
|
||||
It is still possible for ssh-keygen to write the previously-used PEM
|
||||
format private keys using the -m flag. This may be used when generating
|
||||
new keys, and existing new-format keys may be converted using this option
|
||||
in conjunction with the -p (change passphrase) flag.
|
||||
|
||||
After a key is generated, ssh-keygen will ask where the keys should be
|
||||
placed to be activated.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-A Generate host keys of all default key types (rsa, ecdsa, and
|
||||
ed25519) if they do not already exist. The host keys are
|
||||
generated with the default key file path, an empty passphrase,
|
||||
default bits for the key type, and default comment. If -f has
|
||||
also been specified, its argument is used as a prefix to the
|
||||
default path for the resulting host key files. This is used by
|
||||
/etc/rc to generate new host keys.
|
||||
|
||||
-a rounds
|
||||
When saving a private key, this option specifies the number of
|
||||
KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds
|
||||
used. Higher numbers result in slower passphrase verification
|
||||
and increased resistance to brute-force password cracking (should
|
||||
the keys be stolen). The default is 16 rounds.
|
||||
|
||||
-B Show the bubblebabble digest of specified private or public key
|
||||
file.
|
||||
|
||||
-b bits
|
||||
Specifies the number of bits in the key to create. For RSA keys,
|
||||
the minimum size is 1024 bits and the default is 3072 bits.
|
||||
Generally, 3072 bits is considered sufficient. For ECDSA keys,
|
||||
the -b flag determines the key length by selecting from one of
|
||||
three elliptic curve sizes: 256, 384 or 521 bits. Attempting to
|
||||
use bit lengths other than these three values for ECDSA keys will
|
||||
fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length
|
||||
and the -b flag will be ignored.
|
||||
|
||||
-C comment
|
||||
Provides a new comment.
|
||||
|
||||
-c Requests changing the comment in the private and public key
|
||||
files. The program will prompt for the file containing the
|
||||
private keys, for the passphrase if the key has one, and for the
|
||||
new comment.
|
||||
|
||||
-D pkcs11
|
||||
Download the public keys provided by the PKCS#11 shared library
|
||||
pkcs11. When used in combination with -s, this option indicates
|
||||
that a CA key resides in a PKCS#11 token (see the CERTIFICATES
|
||||
section for details).
|
||||
|
||||
-E fingerprint_hash
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: M-bM-^@M-^\md5M-bM-^@M-^] and M-bM-^@M-^\sha256M-bM-^@M-^]. The
|
||||
default is M-bM-^@M-^\sha256M-bM-^@M-^].
|
||||
|
||||
-e This option will read a private or public OpenSSH key file and
|
||||
print to stdout a public key in one of the formats specified by
|
||||
the -m option. The default export format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. This
|
||||
option allows exporting OpenSSH keys for use by other programs,
|
||||
including several commercial SSH implementations.
|
||||
|
||||
-F hostname | [hostname]:port
|
||||
Search for the specified hostname (with optional port number) in
|
||||
a known_hosts file, listing any occurrences found. This option
|
||||
is useful to find hashed host names or addresses and may also be
|
||||
used in conjunction with the -H option to print found keys in a
|
||||
hashed format.
|
||||
|
||||
-f filename
|
||||
Specifies the filename of the key file.
|
||||
|
||||
-g Use generic DNS format when printing fingerprint resource records
|
||||
using the -r command.
|
||||
|
||||
-H Hash a known_hosts file. This replaces all hostnames and
|
||||
addresses with hashed representations within the specified file;
|
||||
the original content is moved to a file with a .old suffix.
|
||||
These hashes may be used normally by ssh and sshd, but they do
|
||||
not reveal identifying information should the file's contents be
|
||||
disclosed. This option will not modify existing hashed hostnames
|
||||
and is therefore safe to use on files that mix hashed and non-
|
||||
hashed names.
|
||||
|
||||
-h When signing a key, create a host certificate instead of a user
|
||||
certificate. See the CERTIFICATES section for details.
|
||||
|
||||
-I certificate_identity
|
||||
Specify the key identity when signing a public key. See the
|
||||
CERTIFICATES section for details.
|
||||
|
||||
-i This option will read an unencrypted private (or public) key file
|
||||
in the format specified by the -m option and print an OpenSSH
|
||||
compatible private (or public) key to stdout. This option allows
|
||||
importing keys from other software, including several commercial
|
||||
SSH implementations. The default import format is M-bM-^@M-^\RFC4716M-bM-^@M-^].
|
||||
|
||||
-K Download resident keys from a FIDO authenticator. Public and
|
||||
private key files will be written to the current directory for
|
||||
each downloaded key. If multiple FIDO authenticators are
|
||||
attached, keys will be downloaded from the first touched
|
||||
authenticator. See the FIDO AUTHENTICATOR section for more
|
||||
information.
|
||||
|
||||
-k Generate a KRL file. In this mode, ssh-keygen will generate a
|
||||
KRL file at the location specified via the -f flag that revokes
|
||||
every key or certificate presented on the command line.
|
||||
Keys/certificates to be revoked may be specified by public key
|
||||
file or using the format described in the KEY REVOCATION LISTS
|
||||
section.
|
||||
|
||||
-L Prints the contents of one or more certificates.
|
||||
|
||||
-l Show fingerprint of specified public key file. ssh-keygen will
|
||||
try to find the matching public key file and prints its
|
||||
fingerprint. If combined with -v, a visual ASCII art
|
||||
representation of the key is supplied with the fingerprint.
|
||||
|
||||
-M generate
|
||||
Generate candidate Diffie-Hellman Group Exchange (DH-GEX)
|
||||
parameters for eventual use by the
|
||||
M-bM-^@M-^Xdiffie-hellman-group-exchange-*M-bM-^@M-^Y key exchange methods. The
|
||||
numbers generated by this operation must be further screened
|
||||
before use. See the MODULI GENERATION section for more
|
||||
information.
|
||||
|
||||
-M screen
|
||||
Screen candidate parameters for Diffie-Hellman Group Exchange.
|
||||
This will accept a list of candidate numbers and test that they
|
||||
are safe (Sophie Germain) primes with acceptable group
|
||||
generators. The results of this operation may be added to the
|
||||
/etc/moduli file. See the MODULI GENERATION section for more
|
||||
information.
|
||||
|
||||
-m key_format
|
||||
Specify a key format for key generation, the -i (import), -e
|
||||
(export) conversion options, and the -p change passphrase
|
||||
operation. The latter may be used to convert between OpenSSH
|
||||
private key and PEM private key formats. The supported key
|
||||
formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key),
|
||||
M-bM-^@M-^\PKCS8M-bM-^@M-^] (PKCS8 public or private key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key).
|
||||
By default OpenSSH will write newly-generated private keys in its
|
||||
own format, but when converting public keys for export the
|
||||
default format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when
|
||||
generating or updating a supported private key type will cause
|
||||
the key to be stored in the legacy PEM private key format.
|
||||
|
||||
-N new_passphrase
|
||||
Provides the new passphrase.
|
||||
|
||||
-n principals
|
||||
Specify one or more principals (user or host names) to be
|
||||
included in a certificate when signing a key. Multiple
|
||||
principals may be specified, separated by commas. See the
|
||||
CERTIFICATES section for details.
|
||||
|
||||
-O option
|
||||
Specify a key/value option. These are specific to the operation
|
||||
that ssh-keygen has been requested to perform.
|
||||
|
||||
When signing certificates, one of the options listed in the
|
||||
CERTIFICATES section may be specified here.
|
||||
|
||||
When performing moduli generation or screening, one of the
|
||||
options listed in the MODULI GENERATION section may be specified.
|
||||
|
||||
When generating FIDO authenticator-backed keys, the options
|
||||
listed in the FIDO AUTHENTICATOR section may be specified.
|
||||
|
||||
When performing signature-related options using the -Y flag, the
|
||||
following options are accepted:
|
||||
|
||||
hashalg=algorithm
|
||||
Selects the hash algorithm to use for hashing the message
|
||||
to be signed. Valid algorithms are M-bM-^@M-^\sha256M-bM-^@M-^] and
|
||||
M-bM-^@M-^\sha512.M-bM-^@M-^] The default is M-bM-^@M-^\sha512.M-bM-^@M-^]
|
||||
|
||||
print-pubkey
|
||||
Print the full public key to standard output after
|
||||
signature verification.
|
||||
|
||||
verify-time=timestamp
|
||||
Specifies a time to use when validating signatures
|
||||
instead of the current time. The time may be specified
|
||||
as a date or time in the YYYYMMDD[Z] or in
|
||||
YYYYMMDDHHMM[SS][Z] formats. Dates and times will be
|
||||
interpreted in the current system time zone unless
|
||||
suffixed with a Z character, which causes them to be
|
||||
interpreted in the UTC time zone.
|
||||
|
||||
When generating SSHFP DNS records from public keys using the -r
|
||||
flag, the following options are accepted:
|
||||
|
||||
hashalg=algorithm
|
||||
Selects a hash algorithm to use when printing SSHFP
|
||||
records using the -D flag. Valid algorithms are M-bM-^@M-^\sha1M-bM-^@M-^]
|
||||
and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is to print both.
|
||||
|
||||
The -O option may be specified multiple times.
|
||||
|
||||
-P passphrase
|
||||
Provides the (old) passphrase.
|
||||
|
||||
-p Requests changing the passphrase of a private key file instead of
|
||||
creating a new private key. The program will prompt for the file
|
||||
containing the private key, for the old passphrase, and twice for
|
||||
the new passphrase.
|
||||
|
||||
-Q Test whether keys have been revoked in a KRL. If the -l option
|
||||
is also specified then the contents of the KRL will be printed.
|
||||
|
||||
-q Silence ssh-keygen.
|
||||
|
||||
-R hostname | [hostname]:port
|
||||
Removes all keys belonging to the specified hostname (with
|
||||
optional port number) from a known_hosts file. This option is
|
||||
useful to delete hashed hosts (see the -H option above).
|
||||
|
||||
-r hostname
|
||||
Print the SSHFP fingerprint resource record named hostname for
|
||||
the specified public key file.
|
||||
|
||||
-s ca_key
|
||||
Certify (sign) a public key using the specified CA key. See the
|
||||
CERTIFICATES section for details.
|
||||
|
||||
When generating a KRL, -s specifies a path to a CA public key
|
||||
file used to revoke certificates directly by key ID or serial
|
||||
number. See the KEY REVOCATION LISTS section for details.
|
||||
|
||||
-t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
Specifies the type of key to create. The possible values are
|
||||
M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ecdsa-skM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], M-bM-^@M-^\ed25519-skM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^].
|
||||
|
||||
This flag may also be used to specify the desired signature type
|
||||
when signing certificates using an RSA CA key. The available RSA
|
||||
signature variants are M-bM-^@M-^\ssh-rsaM-bM-^@M-^] (SHA1 signatures, not
|
||||
recommended), M-bM-^@M-^\rsa-sha2-256M-bM-^@M-^], and M-bM-^@M-^\rsa-sha2-512M-bM-^@M-^] (the default).
|
||||
|
||||
-U When used in combination with -s or -Y sign, this option
|
||||
indicates that a CA key resides in a ssh-agent(1). See the
|
||||
CERTIFICATES section for more information.
|
||||
|
||||
-u Update a KRL. When specified with -k, keys listed via the
|
||||
command line are added to the existing KRL rather than a new KRL
|
||||
being created.
|
||||
|
||||
-V validity_interval
|
||||
Specify a validity interval when signing a certificate. A
|
||||
validity interval may consist of a single time, indicating that
|
||||
the certificate is valid beginning now and expiring at that time,
|
||||
or may consist of two times separated by a colon to indicate an
|
||||
explicit time interval.
|
||||
|
||||
The start time may be specified as:
|
||||
M-bM-^@M-M-bM-^@M-" The string M-bM-^@M-^\alwaysM-bM-^@M-^] to indicate the certificate has no
|
||||
specified start time.
|
||||
M-bM-^@M-M-bM-^@M-" A date or time in the system time zone formatted as YYYYMMDD
|
||||
or YYYYMMDDHHMM[SS].
|
||||
M-bM-^@M-M-bM-^@M-" A date or time in the UTC time zone as YYYYMMDDZ or
|
||||
YYYYMMDDHHMM[SS]Z.
|
||||
M-bM-^@M-M-bM-^@M-" A relative time before the current system time consisting of
|
||||
a minus sign followed by an interval in the format described
|
||||
in the TIME FORMATS section of sshd_config(5).
|
||||
M-bM-^@M-M-bM-^@M-" A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a
|
||||
hexadecimal number beginning with M-bM-^@M-^\0xM-bM-^@M-^].
|
||||
|
||||
The end time may be specified similarly to the start time:
|
||||
M-bM-^@M-M-bM-^@M-" The string M-bM-^@M-^\foreverM-bM-^@M-^] to indicate the certificate has no
|
||||
specified end time.
|
||||
M-bM-^@M-M-bM-^@M-" A date or time in the system time zone formatted as YYYYMMDD
|
||||
or YYYYMMDDHHMM[SS].
|
||||
M-bM-^@M-M-bM-^@M-" A date or time in the UTC time zone as YYYYMMDDZ or
|
||||
YYYYMMDDHHMM[SS]Z.
|
||||
M-bM-^@M-M-bM-^@M-" A relative time after the current system time consisting of a
|
||||
plus sign followed by an interval in the format described in
|
||||
the TIME FORMATS section of sshd_config(5).
|
||||
M-bM-^@M-M-bM-^@M-" A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a
|
||||
hexadecimal number beginning with M-bM-^@M-^\0xM-bM-^@M-^].
|
||||
|
||||
For example:
|
||||
|
||||
+52w1d Valid from now to 52 weeks and one day from now.
|
||||
|
||||
-4w:+4w
|
||||
Valid from four weeks ago to four weeks from now.
|
||||
|
||||
20100101123000:20110101123000
|
||||
Valid from 12:30 PM, January 1st, 2010 to 12:30 PM,
|
||||
January 1st, 2011.
|
||||
|
||||
20100101123000Z:20110101123000Z
|
||||
Similar, but interpreted in the UTC time zone rather than
|
||||
the system time zone.
|
||||
|
||||
-1d:20110101
|
||||
Valid from yesterday to midnight, January 1st, 2011.
|
||||
|
||||
0x1:0x2000000000
|
||||
Valid from roughly early 1970 to May 2033.
|
||||
|
||||
-1m:forever
|
||||
Valid from one minute ago and never expiring.
|
||||
|
||||
-v Verbose mode. Causes ssh-keygen to print debugging messages
|
||||
about its progress. This is helpful for debugging moduli
|
||||
generation. Multiple -v options increase the verbosity. The
|
||||
maximum is 3.
|
||||
|
||||
-w provider
|
||||
Specifies a path to a library that will be used when creating
|
||||
FIDO authenticator-hosted keys, overriding the default of using
|
||||
the internal USB HID support.
|
||||
|
||||
-Y find-principals
|
||||
Find the principal(s) associated with the public key of a
|
||||
signature, provided using the -s flag in an authorized signers
|
||||
file provided using the -f flag. The format of the allowed
|
||||
signers file is documented in the ALLOWED SIGNERS section below.
|
||||
If one or more matching principals are found, they are returned
|
||||
on standard output.
|
||||
|
||||
-Y match-principals
|
||||
Find principal matching the principal name provided using the -I
|
||||
flag in the authorized signers file specified using the -f flag.
|
||||
If one or more matching principals are found, they are returned
|
||||
on standard output.
|
||||
|
||||
-Y check-novalidate
|
||||
Checks that a signature generated using ssh-keygen -Y sign has a
|
||||
valid structure. This does not validate if a signature comes
|
||||
from an authorized signer. When testing a signature, ssh-keygen
|
||||
accepts a message on standard input and a signature namespace
|
||||
using -n. A file containing the corresponding signature must
|
||||
also be supplied using the -s flag. Successful testing of the
|
||||
signature is signalled by ssh-keygen returning a zero exit
|
||||
status.
|
||||
|
||||
-Y sign
|
||||
Cryptographically sign a file or some data using an SSH key.
|
||||
When signing, ssh-keygen accepts zero or more files to sign on
|
||||
the command-line - if no files are specified then ssh-keygen will
|
||||
sign data presented on standard input. Signatures are written to
|
||||
the path of the input file with M-bM-^@M-^\.sigM-bM-^@M-^] appended, or to standard
|
||||
output if the message to be signed was read from standard input.
|
||||
|
||||
The key used for signing is specified using the -f option and may
|
||||
refer to either a private key, or a public key with the private
|
||||
half available via ssh-agent(1). An additional signature
|
||||
namespace, used to prevent signature confusion across different
|
||||
domains of use (e.g. file signing vs email signing) must be
|
||||
provided via the -n flag. Namespaces are arbitrary strings, and
|
||||
may include: M-bM-^@M-^\fileM-bM-^@M-^] for file signing, M-bM-^@M-^\emailM-bM-^@M-^] for email signing.
|
||||
For custom uses, it is recommended to use names following a
|
||||
NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
|
||||
|
||||
-Y verify
|
||||
Request to verify a signature generated using ssh-keygen -Y sign
|
||||
as described above. When verifying a signature, ssh-keygen
|
||||
accepts a message on standard input and a signature namespace
|
||||
using -n. A file containing the corresponding signature must
|
||||
also be supplied using the -s flag, along with the identity of
|
||||
the signer using -I and a list of allowed signers via the -f
|
||||
flag. The format of the allowed signers file is documented in
|
||||
the ALLOWED SIGNERS section below. A file containing revoked
|
||||
keys can be passed using the -r flag. The revocation file may be
|
||||
a KRL or a one-per-line list of public keys. Successful
|
||||
verification by an authorized signer is signalled by ssh-keygen
|
||||
returning a zero exit status.
|
||||
|
||||
-y This option will read a private OpenSSH format file and print an
|
||||
OpenSSH public key to stdout.
|
||||
|
||||
-Z cipher
|
||||
Specifies the cipher to use for encryption when writing an
|
||||
OpenSSH-format private key file. The list of available ciphers
|
||||
may be obtained using "ssh -Q cipher". The default is
|
||||
M-bM-^@M-^\aes256-ctrM-bM-^@M-^].
|
||||
|
||||
-z serial_number
|
||||
Specifies a serial number to be embedded in the certificate to
|
||||
distinguish this certificate from others from the same CA. If
|
||||
the serial_number is prefixed with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
|
||||
serial number will be incremented for each certificate signed on
|
||||
a single command-line. The default serial number is zero.
|
||||
|
||||
When generating a KRL, the -z flag is used to specify a KRL
|
||||
version number.
|
||||
|
||||
MODULI GENERATION
|
||||
ssh-keygen may be used to generate groups for the Diffie-Hellman Group
|
||||
Exchange (DH-GEX) protocol. Generating these groups is a two-step
|
||||
process: first, candidate primes are generated using a fast, but memory
|
||||
intensive process. These candidate primes are then tested for
|
||||
suitability (a CPU-intensive process).
|
||||
|
||||
Generation of primes is performed using the -M generate option. The
|
||||
desired length of the primes may be specified by the -O bits option. For
|
||||
example:
|
||||
|
||||
# ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
|
||||
|
||||
By default, the search for primes begins at a random point in the desired
|
||||
length range. This may be overridden using the -O start option, which
|
||||
specifies a different start point (in hex).
|
||||
|
||||
Once a set of candidates have been generated, they must be screened for
|
||||
suitability. This may be performed using the -M screen option. In this
|
||||
mode ssh-keygen will read candidates from standard input (or a file
|
||||
specified using the -f option). For example:
|
||||
|
||||
# ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
|
||||
|
||||
By default, each candidate will be subjected to 100 primality tests.
|
||||
This may be overridden using the -O prime-tests option. The DH generator
|
||||
value will be chosen automatically for the prime under consideration. If
|
||||
a specific generator is desired, it may be requested using the -O
|
||||
generator option. Valid generator values are 2, 3, and 5.
|
||||
|
||||
Screened DH groups may be installed in /etc/moduli. It is important that
|
||||
this file contains moduli of a range of bit lengths.
|
||||
|
||||
A number of options are available for moduli generation and screening via
|
||||
the -O flag:
|
||||
|
||||
lines=number
|
||||
Exit after screening the specified number of lines while
|
||||
performing DH candidate screening.
|
||||
|
||||
start-line=line-number
|
||||
Start screening at the specified line number while performing DH
|
||||
candidate screening.
|
||||
|
||||
checkpoint=filename
|
||||
Write the last line processed to the specified file while
|
||||
performing DH candidate screening. This will be used to skip
|
||||
lines in the input file that have already been processed if the
|
||||
job is restarted.
|
||||
|
||||
memory=mbytes
|
||||
Specify the amount of memory to use (in megabytes) when
|
||||
generating candidate moduli for DH-GEX.
|
||||
|
||||
start=hex-value
|
||||
Specify start point (in hex) when generating candidate moduli for
|
||||
DH-GEX.
|
||||
|
||||
generator=value
|
||||
Specify desired generator (in decimal) when testing candidate
|
||||
moduli for DH-GEX.
|
||||
|
||||
CERTIFICATES
|
||||
ssh-keygen supports signing of keys to produce certificates that may be
|
||||
used for user or host authentication. Certificates consist of a public
|
||||
key, some identity information, zero or more principal (user or host)
|
||||
names and a set of options that are signed by a Certification Authority
|
||||
(CA) key. Clients or servers may then trust only the CA key and verify
|
||||
its signature on a certificate rather than trusting many user/host keys.
|
||||
Note that OpenSSH certificates are a different, and much simpler, format
|
||||
to the X.509 certificates used in ssl(8).
|
||||
|
||||
ssh-keygen supports two types of certificates: user and host. User
|
||||
certificates authenticate users to servers, whereas host certificates
|
||||
authenticate server hosts to users. To generate a user certificate:
|
||||
|
||||
$ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
|
||||
|
||||
The resultant certificate will be placed in /path/to/user_key-cert.pub.
|
||||
A host certificate requires the -h option:
|
||||
|
||||
$ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
|
||||
|
||||
The host certificate will be output to /path/to/host_key-cert.pub.
|
||||
|
||||
It is possible to sign using a CA key stored in a PKCS#11 token by
|
||||
providing the token library using -D and identifying the CA key by
|
||||
providing its public half as an argument to -s:
|
||||
|
||||
$ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
|
||||
|
||||
Similarly, it is possible for the CA key to be hosted in a ssh-agent(1).
|
||||
This is indicated by the -U flag and, again, the CA key must be
|
||||
identified by its public half.
|
||||
|
||||
$ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
|
||||
|
||||
In all cases, key_id is a "key identifier" that is logged by the server
|
||||
when the certificate is used for authentication.
|
||||
|
||||
Certificates may be limited to be valid for a set of principal
|
||||
(user/host) names. By default, generated certificates are valid for all
|
||||
users or hosts. To generate a certificate for a specified set of
|
||||
principals:
|
||||
|
||||
$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
|
||||
$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
|
||||
|
||||
Additional limitations on the validity and use of user certificates may
|
||||
be specified through certificate options. A certificate option may
|
||||
disable features of the SSH session, may be valid only when presented
|
||||
from particular source addresses or may force the use of a specific
|
||||
command.
|
||||
|
||||
The options that are valid for user certificates are:
|
||||
|
||||
clear Clear all enabled permissions. This is useful for clearing the
|
||||
default set of permissions so permissions may be added
|
||||
individually.
|
||||
|
||||
critical:name[=contents]
|
||||
extension:name[=contents]
|
||||
Includes an arbitrary certificate critical option or extension.
|
||||
The specified name should include a domain suffix, e.g.
|
||||
M-bM-^@M-^\name@example.comM-bM-^@M-^]. If contents is specified then it is included
|
||||
as the contents of the extension/option encoded as a string,
|
||||
otherwise the extension/option is created with no contents
|
||||
(usually indicating a flag). Extensions may be ignored by a
|
||||
client or server that does not recognise them, whereas unknown
|
||||
critical options will cause the certificate to be refused.
|
||||
|
||||
force-command=command
|
||||
Forces the execution of command instead of any shell or command
|
||||
specified by the user when the certificate is used for
|
||||
authentication.
|
||||
|
||||
no-agent-forwarding
|
||||
Disable ssh-agent(1) forwarding (permitted by default).
|
||||
|
||||
no-port-forwarding
|
||||
Disable port forwarding (permitted by default).
|
||||
|
||||
no-pty Disable PTY allocation (permitted by default).
|
||||
|
||||
no-user-rc
|
||||
Disable execution of ~/.ssh/rc by sshd(8) (permitted by default).
|
||||
|
||||
no-x11-forwarding
|
||||
Disable X11 forwarding (permitted by default).
|
||||
|
||||
permit-agent-forwarding
|
||||
Allows ssh-agent(1) forwarding.
|
||||
|
||||
permit-port-forwarding
|
||||
Allows port forwarding.
|
||||
|
||||
permit-pty
|
||||
Allows PTY allocation.
|
||||
|
||||
permit-user-rc
|
||||
Allows execution of ~/.ssh/rc by sshd(8).
|
||||
|
||||
permit-X11-forwarding
|
||||
Allows X11 forwarding.
|
||||
|
||||
no-touch-required
|
||||
Do not require signatures made using this key include
|
||||
demonstration of user presence (e.g. by having the user touch the
|
||||
authenticator). This option only makes sense for the FIDO
|
||||
authenticator algorithms ecdsa-sk and ed25519-sk.
|
||||
|
||||
source-address=address_list
|
||||
Restrict the source addresses from which the certificate is
|
||||
considered valid. The address_list is a comma-separated list of
|
||||
one or more address/netmask pairs in CIDR format.
|
||||
|
||||
verify-required
|
||||
Require signatures made using this key indicate that the user was
|
||||
first verified. This option only makes sense for the FIDO
|
||||
authenticator algorithms ecdsa-sk and ed25519-sk. Currently PIN
|
||||
authentication is the only supported verification method, but
|
||||
other methods may be supported in the future.
|
||||
|
||||
At present, no standard options are valid for host keys.
|
||||
|
||||
Finally, certificates may be defined with a validity lifetime. The -V
|
||||
option allows specification of certificate start and end times. A
|
||||
certificate that is presented at a time outside this range will not be
|
||||
considered valid. By default, certificates are valid from the UNIX Epoch
|
||||
to the distant future.
|
||||
|
||||
For certificates to be used for user or host authentication, the CA
|
||||
public key must be trusted by sshd(8) or ssh(1). Refer to those manual
|
||||
pages for details.
|
||||
|
||||
FIDO AUTHENTICATOR
|
||||
ssh-keygen is able to generate FIDO authenticator-backed keys, after
|
||||
which they may be used much like any other key type supported by OpenSSH,
|
||||
so long as the hardware authenticator is attached when the keys are used.
|
||||
FIDO authenticators generally require the user to explicitly authorise
|
||||
operations by touching or tapping them. FIDO keys consist of two parts:
|
||||
a key handle part stored in the private key file on disk, and a per-
|
||||
device private key that is unique to each FIDO authenticator and that
|
||||
cannot be exported from the authenticator hardware. These are combined
|
||||
by the hardware at authentication time to derive the real key that is
|
||||
used to sign authentication challenges. Supported key types are ecdsa-sk
|
||||
and ed25519-sk.
|
||||
|
||||
The options that are valid for FIDO keys are:
|
||||
|
||||
application
|
||||
Override the default FIDO application/origin string of M-bM-^@M-^\ssh:M-bM-^@M-^].
|
||||
This may be useful when generating host or domain-specific
|
||||
resident keys. The specified application string must begin with
|
||||
M-bM-^@M-^\ssh:M-bM-^@M-^].
|
||||
|
||||
challenge=path
|
||||
Specifies a path to a challenge string that will be passed to the
|
||||
FIDO authenticator during key generation. The challenge string
|
||||
may be used as part of an out-of-band protocol for key enrollment
|
||||
(a random challenge is used by default).
|
||||
|
||||
device Explicitly specify a fido(4) device to use, rather than letting
|
||||
the authenticator middleware select one.
|
||||
|
||||
no-touch-required
|
||||
Indicate that the generated private key should not require touch
|
||||
events (user presence) when making signatures. Note that sshd(8)
|
||||
will refuse such signatures by default, unless overridden via an
|
||||
authorized_keys option.
|
||||
|
||||
resident
|
||||
Indicate that the key handle should be stored on the FIDO
|
||||
authenticator itself. This makes it easier to use the
|
||||
authenticator on multiple computers. Resident keys may be
|
||||
supported on FIDO2 authenticators and typically require that a
|
||||
PIN be set on the authenticator prior to generation. Resident
|
||||
keys may be loaded off the authenticator using ssh-add(1).
|
||||
Storing both parts of a key on a FIDO authenticator increases the
|
||||
likelihood of an attacker being able to use a stolen
|
||||
authenticator device.
|
||||
|
||||
user A username to be associated with a resident key, overriding the
|
||||
empty default username. Specifying a username may be useful when
|
||||
generating multiple resident keys for the same application name.
|
||||
|
||||
verify-required
|
||||
Indicate that this private key should require user verification
|
||||
for each signature. Not all FIDO authenticators support this
|
||||
option. Currently PIN authentication is the only supported
|
||||
verification method, but other methods may be supported in the
|
||||
future.
|
||||
|
||||
write-attestation=path
|
||||
May be used at key generation time to record the attestation data
|
||||
returned from FIDO authenticators during key generation. This
|
||||
information is potentially sensitive. By default, this
|
||||
information is discarded.
|
||||
|
||||
KEY REVOCATION LISTS
|
||||
ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
|
||||
These binary files specify keys or certificates to be revoked using a
|
||||
compact format, taking as little as one bit per certificate if they are
|
||||
being revoked by serial number.
|
||||
|
||||
KRLs may be generated using the -k flag. This option reads one or more
|
||||
files from the command line and generates a new KRL. The files may
|
||||
either contain a KRL specification (see below) or public keys, listed one
|
||||
per line. Plain public keys are revoked by listing their hash or
|
||||
contents in the KRL and certificates revoked by serial number or key ID
|
||||
(if the serial is zero or not available).
|
||||
|
||||
Revoking keys using a KRL specification offers explicit control over the
|
||||
types of record used to revoke keys and may be used to directly revoke
|
||||
certificates by serial number or key ID without having the complete
|
||||
original certificate on hand. A KRL specification consists of lines
|
||||
containing one of the following directives followed by a colon and some
|
||||
directive-specific information.
|
||||
|
||||
serial: serial_number[-serial_number]
|
||||
Revokes a certificate with the specified serial number. Serial
|
||||
numbers are 64-bit values, not including zero and may be
|
||||
expressed in decimal, hex or octal. If two serial numbers are
|
||||
specified separated by a hyphen, then the range of serial numbers
|
||||
including and between each is revoked. The CA key must have been
|
||||
specified on the ssh-keygen command line using the -s option.
|
||||
|
||||
id: key_id
|
||||
Revokes a certificate with the specified key ID string. The CA
|
||||
key must have been specified on the ssh-keygen command line using
|
||||
the -s option.
|
||||
|
||||
key: public_key
|
||||
Revokes the specified key. If a certificate is listed, then it
|
||||
is revoked as a plain public key.
|
||||
|
||||
sha1: public_key
|
||||
Revokes the specified key by including its SHA1 hash in the KRL.
|
||||
|
||||
sha256: public_key
|
||||
Revokes the specified key by including its SHA256 hash in the
|
||||
KRL. KRLs that revoke keys by SHA256 hash are not supported by
|
||||
OpenSSH versions prior to 7.9.
|
||||
|
||||
hash: fingerprint
|
||||
Revokes a key using a fingerprint hash, as obtained from a
|
||||
sshd(8) authentication log message or the ssh-keygen -l flag.
|
||||
Only SHA256 fingerprints are supported here and resultant KRLs
|
||||
are not supported by OpenSSH versions prior to 7.9.
|
||||
|
||||
KRLs may be updated using the -u flag in addition to -k. When this
|
||||
option is specified, keys listed via the command line are merged into the
|
||||
KRL, adding to those already there.
|
||||
|
||||
It is also possible, given a KRL, to test whether it revokes a particular
|
||||
key (or keys). The -Q flag will query an existing KRL, testing each key
|
||||
specified on the command line. If any key listed on the command line has
|
||||
been revoked (or an error encountered) then ssh-keygen will exit with a
|
||||
non-zero exit status. A zero exit status will only be returned if no key
|
||||
was revoked.
|
||||
|
||||
ALLOWED SIGNERS
|
||||
When verifying signatures, ssh-keygen uses a simple list of identities
|
||||
and keys to determine whether a signature comes from an authorized
|
||||
source. This "allowed signers" file uses a format patterned after the
|
||||
AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file
|
||||
contains the following space-separated fields: principals, options,
|
||||
keytype, base64-encoded key. Empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y
|
||||
are ignored as comments.
|
||||
|
||||
The principals field is a pattern-list (see PATTERNS in ssh_config(5))
|
||||
consisting of one or more comma-separated USER@DOMAIN identity patterns
|
||||
that are accepted for signing. When verifying, the identity presented
|
||||
via the -I option must match a principals pattern in order for the
|
||||
corresponding key to be considered acceptable for verification.
|
||||
|
||||
The options (if present) consist of comma-separated option
|
||||
specifications. No spaces are permitted, except within double quotes.
|
||||
The following option specifications are supported (note that option
|
||||
keywords are case-insensitive):
|
||||
|
||||
cert-authority
|
||||
Indicates that this key is accepted as a certificate authority
|
||||
(CA) and that certificates signed by this CA may be accepted for
|
||||
verification.
|
||||
|
||||
namespaces=namespace-list
|
||||
Specifies a pattern-list of namespaces that are accepted for this
|
||||
key. If this option is present, the signature namespace embedded
|
||||
in the signature object and presented on the verification
|
||||
command-line must match the specified list before the key will be
|
||||
considered acceptable.
|
||||
|
||||
valid-after=timestamp
|
||||
Indicates that the key is valid for use at or after the specified
|
||||
timestamp, which may be a date or time in the YYYYMMDD[Z] or
|
||||
YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted
|
||||
in the current system time zone unless suffixed with a Z
|
||||
character, which causes them to be interpreted in the UTC time
|
||||
zone.
|
||||
|
||||
valid-before=timestamp
|
||||
Indicates that the key is valid for use at or before the
|
||||
specified timestamp.
|
||||
|
||||
When verifying signatures made by certificates, the expected principal
|
||||
name must match both the principals pattern in the allowed signers file
|
||||
and the principals embedded in the certificate itself.
|
||||
|
||||
An example allowed signers file:
|
||||
|
||||
# Comments allowed at start of line
|
||||
user1@example.com,user2@example.com ssh-rsa AAAAX1...
|
||||
# A certificate authority, trusted for all principals in a domain.
|
||||
*@example.com cert-authority ssh-ed25519 AAAB4...
|
||||
# A key that is accepted only for file signing.
|
||||
user2@example.com namespaces="file" ssh-ed25519 AAA41...
|
||||
|
||||
ENVIRONMENT
|
||||
SSH_SK_PROVIDER
|
||||
Specifies a path to a library that will be used when loading any
|
||||
FIDO authenticator-hosted keys, overriding the default of using
|
||||
the built-in USB HID support.
|
||||
|
||||
FILES
|
||||
~/.ssh/id_ecdsa
|
||||
~/.ssh/id_ecdsa_sk
|
||||
~/.ssh/id_ed25519
|
||||
~/.ssh/id_ed25519_sk
|
||||
~/.ssh/id_rsa
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of
|
||||
the user. This file should not be readable by anyone but the
|
||||
user. It is possible to specify a passphrase when generating the
|
||||
key; that passphrase will be used to encrypt the private part of
|
||||
this file using 128-bit AES. This file is not automatically
|
||||
accessed by ssh-keygen but it is offered as the default file for
|
||||
the private key. ssh(1) will read this file when a login attempt
|
||||
is made.
|
||||
|
||||
~/.ssh/id_ecdsa.pub
|
||||
~/.ssh/id_ecdsa_sk.pub
|
||||
~/.ssh/id_ed25519.pub
|
||||
~/.ssh/id_ed25519_sk.pub
|
||||
~/.ssh/id_rsa.pub
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA public key for
|
||||
authentication. The contents of this file should be added to
|
||||
~/.ssh/authorized_keys on all machines where the user wishes to
|
||||
log in using public key authentication. There is no need to keep
|
||||
the contents of this file secret.
|
||||
|
||||
/etc/moduli
|
||||
Contains Diffie-Hellman groups used for DH-GEX. The file format
|
||||
is described in moduli(5).
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
|
||||
|
||||
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0.
|
||||
|
||||
OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
|
20
ssh-keygen.1
20
ssh-keygen.1
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.232 2024/06/17 13:50:18 naddy Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -35,7 +35,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: September 4 2023 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYGEN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -51,7 +51,7 @@
|
|||
.Op Fl m Ar format
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl O Ar option
|
||||
.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.Op Fl w Ar provider
|
||||
.Op Fl Z Ar cipher
|
||||
.Nm ssh-keygen
|
||||
|
@ -205,7 +205,6 @@ section for details.
|
|||
Normally each user wishing to use SSH
|
||||
with public key authentication runs this once to create the authentication
|
||||
key in
|
||||
.Pa ~/.ssh/id_dsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
|
@ -296,7 +295,6 @@ Show the bubblebabble digest of specified private or public key file.
|
|||
Specifies the number of bits in the key to create.
|
||||
For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
|
||||
Generally, 3072 bits is considered sufficient.
|
||||
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
|
||||
For ECDSA keys, the
|
||||
.Fl b
|
||||
flag determines the key length by selecting from one of three elliptic
|
||||
|
@ -414,9 +412,8 @@ section.
|
|||
Prints the contents of one or more certificates.
|
||||
.It Fl l
|
||||
Show fingerprint of specified public key file.
|
||||
For RSA and DSA keys
|
||||
.Nm
|
||||
tries to find the matching public key file and prints its fingerprint.
|
||||
will try to find the matching public key file and prints its fingerprint.
|
||||
If combined with
|
||||
.Fl v ,
|
||||
a visual ASCII art representation of the key is supplied with the
|
||||
|
@ -579,10 +576,9 @@ by key ID or serial number.
|
|||
See the
|
||||
.Sx KEY REVOCATION LISTS
|
||||
section for details.
|
||||
.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
Specifies the type of key to create.
|
||||
The possible values are
|
||||
.Dq dsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ecdsa-sk ,
|
||||
.Dq ed25519 ,
|
||||
|
@ -1290,13 +1286,12 @@ the built-in USB HID support.
|
|||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
.It Pa ~/.ssh/id_ed25519_sk
|
||||
.It Pa ~/.ssh/id_rsa
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
||||
This file should not be readable by anyone but the user.
|
||||
It is possible to
|
||||
|
@ -1308,13 +1303,12 @@ but it is offered as the default file for the private key.
|
|||
.Xr ssh 1
|
||||
will read this file when a login attempt is made.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
.It Pa ~/.ssh/id_ed25519.pub
|
||||
.It Pa ~/.ssh/id_ed25519_sk.pub
|
||||
.It Pa ~/.ssh/id_rsa.pub
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA public key for authentication.
|
||||
The contents of this file should be added to
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
|
|
|
@ -0,0 +1,123 @@
|
|||
SSH-KEYSCAN(1) General Commands Manual SSH-KEYSCAN(1)
|
||||
|
||||
NAME
|
||||
ssh-keyscan M-bM-^@M-^S gather SSH public keys from servers
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keyscan [-46cDHqv] [-f file] [-O option] [-p port] [-T timeout]
|
||||
[-t type] [host | addrlist namelist]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keyscan is a utility for gathering the public SSH host keys of a
|
||||
number of hosts. It was designed to aid in building and verifying
|
||||
ssh_known_hosts files, the format of which is documented in sshd(8).
|
||||
ssh-keyscan provides a minimal interface suitable for use by shell and
|
||||
perl scripts.
|
||||
|
||||
ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
|
||||
possible in parallel, so it is very efficient. The keys from a domain of
|
||||
1,000 hosts can be collected in tens of seconds, even when some of those
|
||||
hosts are down or do not run sshd(8). For scanning, one does not need
|
||||
login access to the machines that are being scanned, nor does the
|
||||
scanning process involve any encryption.
|
||||
|
||||
Hosts to be scanned may be specified by hostname, address or by CIDR
|
||||
network range (e.g. 192.168.16/28). If a network range is specified,
|
||||
then all addresses in that range will be scanned.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-4 Force ssh-keyscan to use IPv4 addresses only.
|
||||
|
||||
-6 Force ssh-keyscan to use IPv6 addresses only.
|
||||
|
||||
-c Request certificates from target hosts instead of plain keys.
|
||||
|
||||
-D Print keys found as SSHFP DNS records. The default is to print
|
||||
keys in a format usable as a ssh(1) known_hosts file.
|
||||
|
||||
-f file
|
||||
Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line.
|
||||
If M-bM-^@M-^X-M-bM-^@M-^Y is supplied instead of a filename, ssh-keyscan will read
|
||||
from the standard input. Names read from a file must start with
|
||||
an address, hostname or CIDR network range to be scanned.
|
||||
Addresses and hostnames may optionally be followed by comma-
|
||||
separated name or address aliases that will be copied to the
|
||||
output. For example:
|
||||
|
||||
192.168.11.0/24
|
||||
10.20.1.1
|
||||
happy.example.org
|
||||
10.0.0.1,sad.example.org
|
||||
|
||||
-H Hash all hostnames and addresses in the output. Hashed names may
|
||||
be used normally by ssh(1) and sshd(8), but they do not reveal
|
||||
identifying information should the file's contents be disclosed.
|
||||
|
||||
-O option
|
||||
Specify a key/value option. At present, only a single option is
|
||||
supported:
|
||||
|
||||
hashalg=algorithm
|
||||
Selects a hash algorithm to use when printing SSHFP
|
||||
records using the -D flag. Valid algorithms are M-bM-^@M-^\sha1M-bM-^@M-^]
|
||||
and M-bM-^@M-^\sha256M-bM-^@M-^]. The default is to print both.
|
||||
|
||||
-p port
|
||||
Connect to port on the remote host.
|
||||
|
||||
-q Quiet mode: do not print server host name and banners in
|
||||
comments.
|
||||
|
||||
-T timeout
|
||||
Set the timeout for connection attempts. If timeout seconds have
|
||||
elapsed since a connection was initiated to a host or since the
|
||||
last time anything was read from that host, the connection is
|
||||
closed and the host in question considered unavailable. The
|
||||
default is 5 seconds.
|
||||
|
||||
-t type
|
||||
Specify the type of the key to fetch from the scanned hosts. The
|
||||
possible values are M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], M-bM-^@M-^\ecdsa-skM-bM-^@M-^], M-bM-^@M-^\ed25519-skM-bM-^@M-^],
|
||||
or M-bM-^@M-^\rsaM-bM-^@M-^]. Multiple values may be specified by separating them
|
||||
with commas. The default is to fetch all the above key types.
|
||||
|
||||
-v Verbose mode: print debugging messages about progress.
|
||||
|
||||
If an ssh_known_hosts file is constructed using ssh-keyscan without
|
||||
verifying the keys, users will be vulnerable to man in the middle
|
||||
attacks. On the other hand, if the security model allows such a risk,
|
||||
ssh-keyscan can help in the detection of tampered keyfiles or man in the
|
||||
middle attacks which have begun after the ssh_known_hosts file was
|
||||
created.
|
||||
|
||||
FILES
|
||||
/etc/ssh/ssh_known_hosts
|
||||
|
||||
EXAMPLES
|
||||
Print the RSA host key for machine hostname:
|
||||
|
||||
$ ssh-keyscan -t rsa hostname
|
||||
|
||||
Search a network range, printing all supported key types:
|
||||
|
||||
$ ssh-keyscan 192.168.0.64/25
|
||||
|
||||
Find all hosts from the file ssh_hosts which have new or different keys
|
||||
from those in the sorted file ssh_known_hosts:
|
||||
|
||||
$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \
|
||||
sort -u - ssh_known_hosts | diff ssh_known_hosts -
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), sshd(8)
|
||||
|
||||
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, RFC
|
||||
4255, 2006.
|
||||
|
||||
AUTHORS
|
||||
David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
|
||||
Davison <wayned@users.sourceforge.net> added support for protocol version
|
||||
2.
|
||||
|
||||
OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
|
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-keyscan.1,v 1.49 2023/02/10 06:41:53 jmc Exp $
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
.\"
|
||||
|
@ -6,7 +6,7 @@
|
|||
.\" permitted provided that due credit is given to the author and the
|
||||
.\" OpenBSD project by leaving this copyright notice intact.
|
||||
.\"
|
||||
.Dd $Mdocdate: February 10 2023 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYSCAN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -14,7 +14,7 @@
|
|||
.Nd gather SSH public keys from servers
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-keyscan
|
||||
.Op Fl 46cDHv
|
||||
.Op Fl 46cDHqv
|
||||
.Op Fl f Ar file
|
||||
.Op Fl O Ar option
|
||||
.Op Fl p Ar port
|
||||
|
@ -116,6 +116,9 @@ The default is to print both.
|
|||
Connect to
|
||||
.Ar port
|
||||
on the remote host.
|
||||
.It Fl q
|
||||
Quiet mode:
|
||||
do not print server host name and banners in comments.
|
||||
.It Fl T Ar timeout
|
||||
Set the timeout for connection attempts.
|
||||
If
|
||||
|
@ -127,7 +130,6 @@ The default is 5 seconds.
|
|||
.It Fl t Ar type
|
||||
Specify the type of the key to fetch from the scanned hosts.
|
||||
The possible values are
|
||||
.Dq dsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ed25519 ,
|
||||
.Dq ecdsa-sk ,
|
||||
|
@ -135,14 +137,7 @@ The possible values are
|
|||
or
|
||||
.Dq rsa .
|
||||
Multiple values may be specified by separating them with commas.
|
||||
The default is to fetch
|
||||
.Dq rsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ed25519 ,
|
||||
.Dq ecdsa-sk ,
|
||||
and
|
||||
.Dq ed25519-sk
|
||||
keys.
|
||||
The default is to fetch all the above key types.
|
||||
.It Fl v
|
||||
Verbose mode:
|
||||
print debugging messages about progress.
|
||||
|
@ -174,7 +169,7 @@ Find all hosts from the file
|
|||
which have new or different keys from those in the sorted file
|
||||
.Pa ssh_known_hosts :
|
||||
.Bd -literal -offset indent
|
||||
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
|
||||
$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e
|
||||
sort -u - ssh_known_hosts | diff ssh_known_hosts -
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keyscan.c,v 1.157 2024/05/06 19:26:17 tobias Exp $ */
|
||||
/* $OpenBSD: ssh-keyscan.c,v 1.158 2024/06/14 00:25:25 djm Exp $ */
|
||||
/*
|
||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
*
|
||||
|
@ -84,6 +84,8 @@ int found_one = 0; /* Successfully found a key */
|
|||
|
||||
int hashalg = -1; /* Hash for SSHFP records or -1 for all */
|
||||
|
||||
int quiet = 0; /* Don't print key comment lines */
|
||||
|
||||
#define MAXMAXFD 256
|
||||
|
||||
/* The number of seconds after which to give up on a TCP connection */
|
||||
|
@ -542,8 +544,10 @@ congreet(int s)
|
|||
confree(s);
|
||||
return;
|
||||
}
|
||||
fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
|
||||
if (!quiet) {
|
||||
fprintf(stdout, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
|
||||
c->c_name, ssh_port, chop(buf));
|
||||
}
|
||||
keygrab_ssh2(c);
|
||||
confree(s);
|
||||
}
|
||||
|
@ -665,7 +669,7 @@ static void
|
|||
usage(void)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"usage: ssh-keyscan [-46cDHv] [-f file] [-O option] [-p port] [-T timeout]\n"
|
||||
"usage: ssh-keyscan [-46cDHqv] [-f file] [-O option] [-p port] [-T timeout]\n"
|
||||
" [-t type] [host | addrlist namelist]\n");
|
||||
exit(1);
|
||||
}
|
||||
|
@ -692,7 +696,7 @@ main(int argc, char **argv)
|
|||
if (argc <= 1)
|
||||
usage();
|
||||
|
||||
while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) {
|
||||
while ((opt = getopt(argc, argv, "cDHqv46O:p:T:t:f:")) != -1) {
|
||||
switch (opt) {
|
||||
case 'H':
|
||||
hash_hosts = 1;
|
||||
|
@ -727,6 +731,9 @@ main(int argc, char **argv)
|
|||
else
|
||||
fatal("Too high debugging level.");
|
||||
break;
|
||||
case 'q':
|
||||
quiet = 1;
|
||||
break;
|
||||
case 'f':
|
||||
if (strcmp(optarg, "-") == 0)
|
||||
optarg = NULL;
|
||||
|
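Review bot: The banner comment in congreet() is now written with `fprintf(stdout, ...)`, apparently replacing the earlier stderr call in the same hunk, so the server-supplied string `chop(buf)` lands in the stream that is normally redirected into an ssh_known_hosts file or a zone file. Nothing in the hunk shows that buf is filtered for control or non-printable bytes before this point; if that does not happen where the banner is read (outside the hunk), an untrusted server can place arbitrary bytes into the output file and onto the operator's terminal when the output is viewed. Consider passing the banner through an escaping helper (the vis family is the usual choice in this codebase) before printing, or at minimum add `/* buf is remote-controlled; emitted only as a comment line, never parsed */` above the fprintf. congreet() begins and ends outside the hunk, and the new -q text in ssh-keyscan.1 does not mention the stderr-to-stdout move, which is a behaviour change for scripts that captured stdout.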
|
|
@ -0,0 +1,50 @@
|
|||
SSH-KEYSIGN(8) System Manager's Manual SSH-KEYSIGN(8)
|
||||
|
||||
NAME
|
||||
ssh-keysign M-bM-^@M-^S OpenSSH helper for host-based authentication
|
||||
|
||||
SYNOPSIS
|
||||
ssh-keysign
|
||||
|
||||
DESCRIPTION
|
||||
ssh-keysign is used by ssh(1) to access the local host keys and generate
|
||||
the digital signature required during host-based authentication.
|
||||
|
||||
ssh-keysign is disabled by default and can only be enabled in the global
|
||||
client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign
|
||||
to M-bM-^@M-^\yesM-bM-^@M-^].
|
||||
|
||||
ssh-keysign is not intended to be invoked by the user, but from ssh(1).
|
||||
See ssh(1) and sshd(8) for more information about host-based
|
||||
authentication.
|
||||
|
||||
FILES
|
||||
/etc/ssh/ssh_config
|
||||
Controls whether ssh-keysign is enabled.
|
||||
|
||||
/etc/ssh/ssh_host_ecdsa_key
|
||||
/etc/ssh/ssh_host_ed25519_key
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
These files contain the private parts of the host keys used to
|
||||
generate the digital signature. They should be owned by root,
|
||||
readable only by root, and not accessible to others. Since they
|
||||
are readable only by root, ssh-keysign must be set-uid root if
|
||||
host-based authentication is used.
|
||||
|
||||
/etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
/etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
/etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
If these files exist, they are assumed to contain public
|
||||
certificate information corresponding with the private keys
|
||||
above.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
|
||||
|
||||
HISTORY
|
||||
ssh-keysign first appeared in OpenBSD 3.2.
|
||||
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
|
|
@ -1,4 +1,4 @@
|
|||
.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.18 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
|
@ -22,7 +22,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYSIGN 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -61,7 +61,6 @@ Controls whether
|
|||
.Nm
|
||||
is enabled.
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key
|
||||
|
@ -73,7 +72,6 @@ Since they are readable only by root,
|
|||
.Nm
|
||||
must be set-uid root if host-based authentication is used.
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
SSH-PKCS11-HELPER(8) System Manager's Manual SSH-PKCS11-HELPER(8)
|
||||
|
||||
NAME
|
||||
ssh-pkcs11-helper M-bM-^@M-^S OpenSSH helper for PKCS#11 support
|
||||
|
||||
SYNOPSIS
|
||||
ssh-pkcs11-helper [-v]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-pkcs11-helper is used by ssh(1), ssh-agent(1), and ssh-keygen(1) to
|
||||
access keys provided by a PKCS#11 token.
|
||||
|
||||
ssh-pkcs11-helper is not intended to be invoked directly by the user.
|
||||
|
||||
A single option is supported:
|
||||
|
||||
-v Verbose mode. Causes ssh-pkcs11-helper to print debugging
|
||||
messages about its progress. This is helpful in debugging
|
||||
problems. Multiple -v options increase the verbosity. The
|
||||
maximum is 3.
|
||||
|
||||
Note that ssh(1), ssh-agent(1), and ssh-keygen(1) will
|
||||
automatically pass the -v flag to ssh-pkcs11-helper when they
|
||||
have themselves been placed in debug mode.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-agent(1), ssh-keygen(1)
|
||||
|
||||
HISTORY
|
||||
ssh-pkcs11-helper first appeared in OpenBSD 4.7.
|
||||
|
||||
AUTHORS
|
||||
Markus Friedl <markus@openbsd.org>
|
||||
|
||||
OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
|
|
@ -0,0 +1,34 @@
|
|||
SSH-SK-HELPER(8) System Manager's Manual SSH-SK-HELPER(8)
|
||||
|
||||
NAME
|
||||
ssh-sk-helper M-bM-^@M-^S OpenSSH helper for FIDO authenticator support
|
||||
|
||||
SYNOPSIS
|
||||
ssh-sk-helper [-v]
|
||||
|
||||
DESCRIPTION
|
||||
ssh-sk-helper is used by ssh(1), ssh-agent(1), and ssh-keygen(1) to
|
||||
access keys provided by a FIDO authenticator.
|
||||
|
||||
ssh-sk-helper is not intended to be invoked directly by the user.
|
||||
|
||||
A single option is supported:
|
||||
|
||||
-v Verbose mode. Causes ssh-sk-helper to print debugging messages
|
||||
about its progress. This is helpful in debugging problems.
|
||||
Multiple -v options increase the verbosity. The maximum is 3.
|
||||
|
||||
Note that ssh(1), ssh-agent(1), and ssh-keygen(1) will
|
||||
automatically pass the -v flag to ssh-sk-helper when they have
|
||||
themselves been placed in debug mode.
|
||||
|
||||
SEE ALSO
|
||||
ssh(1), ssh-agent(1), ssh-keygen(1)
|
||||
|
||||
HISTORY
|
||||
ssh-sk-helper first appeared in OpenBSD 6.7.
|
||||
|
||||
AUTHORS
|
||||
Damien Miller <djm@openbsd.org>
|
||||
|
||||
OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
|
24
ssh.1
24
ssh.1
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.439 2024/03/14 06:23:14 job Exp $
|
||||
.Dd $Mdocdate: March 14 2024 $
|
||||
.\" $OpenBSD: ssh.1,v 1.442 2024/06/27 21:02:16 jmc Exp $
|
||||
.Dd $Mdocdate: June 27 2024 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -304,10 +304,9 @@ The default is
|
|||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
Identity files may also be specified on
|
||||
a per-host basis in the configuration file.
|
||||
It is possible to have multiple
|
||||
|
@ -929,10 +928,7 @@ key pair for authentication purposes.
|
|||
The server knows the public key, and only the user knows the private key.
|
||||
.Nm
|
||||
implements public key authentication protocol automatically,
|
||||
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
|
||||
The HISTORY section of
|
||||
.Xr ssl 8
|
||||
contains a brief discussion of the DSA and RSA algorithms.
|
||||
using one of the ECDSA, Ed25519 or RSA algorithms.
|
||||
.Pp
|
||||
The file
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
|
@ -959,8 +955,6 @@ flag).
|
|||
The user creates their key pair by running
|
||||
.Xr ssh-keygen 1 .
|
||||
This stores the private key in
|
||||
.Pa ~/.ssh/id_dsa
|
||||
(DSA),
|
||||
.Pa ~/.ssh/id_ecdsa
|
||||
(ECDSA),
|
||||
.Pa ~/.ssh/id_ecdsa_sk
|
||||
|
@ -973,8 +967,6 @@ or
|
|||
.Pa ~/.ssh/id_rsa
|
||||
(RSA)
|
||||
and stores the public key in
|
||||
.Pa ~/.ssh/id_dsa.pub
|
||||
(DSA),
|
||||
.Pa ~/.ssh/id_ecdsa.pub
|
||||
(ECDSA),
|
||||
.Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
|
@ -1556,7 +1548,7 @@ secret, but the recommended permissions are read/write/execute for the user,
|
|||
and not accessible by others.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/authorized_keys
|
||||
Lists the public keys (DSA, ECDSA, Ed25519, RSA)
|
||||
Lists the public keys (ECDSA, Ed25519, RSA)
|
||||
that can be used for logging in as this user.
|
||||
The format of this file is described in the
|
||||
.Xr sshd 8
|
||||
|
@ -1576,7 +1568,6 @@ Contains additional definitions for environment variables; see
|
|||
.Sx ENVIRONMENT ,
|
||||
above.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
|
@ -1592,7 +1583,6 @@ It is possible to specify a passphrase when
|
|||
generating the key which will be used to encrypt the
|
||||
sensitive part of this file using AES-128.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
.It Pa ~/.ssh/id_ed25519.pub
|
||||
|
@ -1633,8 +1623,6 @@ Systemwide configuration file.
|
|||
The file format and configuration options are described in
|
||||
.Xr ssh_config 5 .
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_key
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key
|
||||
20
ssh_config.5
20
ssh_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.394 2024/02/21 06:01:13 djm Exp $
|
||||
.Dd $Mdocdate: February 21 2024 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.396 2024/06/17 08:30:29 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1114,7 +1114,7 @@ section and environment variables as described in the
|
|||
.Sx ENVIRONMENT VARIABLES
|
||||
section.
|
||||
.It Cm IdentityFile
|
||||
Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
|
||||
Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA,
|
||||
Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
|
||||
You can also specify a public key file to use the corresponding
|
||||
private key that is loaded in
|
||||
|
@ -1124,10 +1124,9 @@ The default is
|
|||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
Additionally, any identities represented by the authentication agent
|
||||
will be used for authentication unless
|
||||
.Cm IdentitiesOnly
|
||||
|
@ -1261,8 +1260,12 @@ it may be zero or more of:
|
|||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||
their preference order.
|
||||
The selected algorithm will the the first algorithm in this list that
|
||||
the server also supports.
|
||||
Multiple algorithms must be comma-separated.
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
|
@ -1275,6 +1278,7 @@ If the specified list begins with a
|
|||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
default set.
|
||||
.Pp
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
|
@ -1286,7 +1290,7 @@ diffie-hellman-group18-sha512,
|
|||
diffie-hellman-group14-sha256
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
.It Cm KnownHostsCommand
|
||||
Specifies a command to use to obtain a list of host keys, in addition to
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshconnect2.c,v 1.372 2024/01/08 00:34:34 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.373 2024/05/17 06:38:00 jsg Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
|
@ -84,8 +84,6 @@
|
|||
#endif
|
||||
|
||||
/* import */
|
||||
extern char *client_version_string;
|
||||
extern char *server_version_string;
|
||||
extern Options options;
|
||||
|
||||
/*
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd-session.c,v 1.1 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: sshd-session.c,v 1.4 2024/06/26 23:16:52 deraadt Exp $ */
|
||||
/*
|
||||
* SSH2 implementation:
|
||||
* Privilege Separation:
|
||||
|
@ -554,23 +554,32 @@ privsep_child_cmdline(int authenticated)
|
|||
|
||||
/*
|
||||
* Signal handler for the alarm after the login grace period has expired.
|
||||
* As usual, this may only take signal-safe actions, even though it is
|
||||
* terminal.
|
||||
*/
|
||||
static void
|
||||
grace_alarm_handler(int sig)
|
||||
{
|
||||
#ifdef WINDOWS
|
||||
// TODO: figure out if we need to kill any child processes
|
||||
#else /* WINDOWS */
|
||||
/*
|
||||
* Try to kill any processes that we have spawned, E.g. authorized
|
||||
* keys command helpers or privsep children.
|
||||
*/
|
||||
if (getpgid(0) == getpid()) {
|
||||
ssh_signal(SIGTERM, SIG_IGN);
|
||||
struct sigaction sa;
|
||||
|
||||
/* mask all other signals while in handler */
|
||||
memset(&sa, 0, sizeof(sa));
|
||||
sa.sa_handler = SIG_IGN;
|
||||
sigfillset(&sa.sa_mask);
|
||||
sa.sa_flags = SA_RESTART;
|
||||
(void)sigaction(SIGTERM, &sa, NULL);
|
||||
kill(0, SIGTERM);
|
||||
}
|
||||
|
||||
/* Log error and exit. */
|
||||
sigdie("Timeout before authentication for %s port %d",
|
||||
ssh_remote_ipaddr(the_active_state),
|
||||
ssh_remote_port(the_active_state));
|
||||
#endif /* WINDOWS */
|
||||
_exit(EXIT_LOGIN_GRACE);
|
||||
}
|
||||
|
||||
/* Destroy the host and server keys. They will no longer be needed. */
|
||||
|
@ -815,6 +824,21 @@ privsep_preauth(struct ssh *ssh)
|
|||
static void
|
||||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
{
|
||||
int skip_privdrop = 0;
|
||||
|
||||
/*
|
||||
* Hack for systems that don't support FD passing: retain privileges
|
||||
* in the post-auth privsep process so it can allocate PTYs directly.
|
||||
* This is basically equivalent to what we did <= 9.7, which was to
|
||||
* disable post-auth privsep entriely.
|
||||
* Cygwin doesn't need to drop privs here although it doesn't support
|
||||
* fd passing, as AFAIK PTY allocation on this platform doesn't require
|
||||
* special privileges to begin with.
|
||||
*/
|
||||
#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
|
||||
skip_privdrop = 1;
|
||||
#endif
|
||||
|
||||
/* New socket pair */
|
||||
#ifdef WINDOWS
|
||||
monitor_reinit_withlogs(pmonitor);
|
||||
|
@ -909,6 +933,7 @@ skip:
|
|||
reseed_prngs();
|
||||
|
||||
/* Drop privileges */
|
||||
if (!skip_privdrop)
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
/* It is safe now to apply the key state */
|
||||
|
@ -1569,25 +1594,10 @@ main(int ac, char **av)
|
|||
|
||||
debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
privsep_chroot = (getuid() == 0 || geteuid() == 0);
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
if (privsep_chroot || options.kerberos_authentication)
|
||||
fatal("Privilege separation user %s does not exist",
|
||||
SSH_PRIVSEP_USER);
|
||||
} else {
|
||||
privsep_pw = pwcopy(privsep_pw);
|
||||
freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
|
||||
privsep_pw->pw_passwd = xstrdup("*");
|
||||
}
|
||||
endpwent();
|
||||
|
||||
/* Fetch our configuration */
|
||||
if ((cfg = sshbuf_new()) == NULL)
|
||||
fatal("sshbuf_new config buf failed");
|
||||
|
||||
setproctitle("%s", "[rexeced]");
|
||||
|
||||
#ifdef WINDOWS
|
||||
if (privsep_unauth_child || privsep_auth_child) {
|
||||
recv_rexec_state(PRIVSEP_MONITOR_FD, cfg, &timing_secret); //TODO - should starup_pipe be closed as above ?B
|
||||
|
@ -1600,12 +1610,24 @@ main(int ac, char **av)
|
|||
recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg, &timing_secret);
|
||||
close(REEXEC_CONFIG_PASS_FD);
|
||||
#endif /* WINDOWS */
|
||||
|
||||
parse_server_config(&options, "rexec", cfg, &includes, NULL, 1);
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
fill_default_server_options(&options);
|
||||
options.timing_secret = timing_secret;
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
privsep_chroot = (getuid() == 0 || geteuid() == 0);
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
if (privsep_chroot || options.kerberos_authentication)
|
||||
fatal("Privilege separation user %s does not exist",
|
||||
SSH_PRIVSEP_USER);
|
||||
} else {
|
||||
privsep_pw = pwcopy(privsep_pw);
|
||||
freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
|
||||
privsep_pw->pw_passwd = xstrdup("*");
|
||||
}
|
||||
endpwent();
|
||||
|
||||
#ifdef WINDOWS
|
||||
if (!debug_flag && !privsep_unauth_child && !privsep_auth_child) {
|
||||
#else /* WINDOWS */
|
||||
|
@ -1678,7 +1700,7 @@ main(int ac, char **av)
|
|||
}
|
||||
}
|
||||
if (!have_key)
|
||||
fatal("internal error: monitor recieved no hostkeys");
|
||||
fatal("internal error: monitor received no hostkeys");
|
||||
|
||||
/* Ensure that umask disallows at least group and world write */
|
||||
new_umask = umask(0077) | 0022;
|
||||
|
@ -1873,6 +1895,8 @@ idexch_done:
|
|||
ssh_signal(SIGALRM, SIG_DFL);
|
||||
authctxt->authenticated = 1;
|
||||
if (startup_pipe != -1) {
|
||||
/* signal listener that authentication completed successfully */
|
||||
(void)atomicio(vwrite, startup_pipe, "\001", 1);
|
||||
close(startup_pipe);
|
||||
startup_pipe = -1;
|
||||
}
|
||||
|
@ -2021,6 +2045,8 @@ do_ssh2_kex(struct ssh *ssh)
|
|||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
extern int auth_attempted; /* monitor.c */
|
||||
|
||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||
do_cleanup(the_active_state, the_authctxt);
|
||||
if (privsep_is_preauth &&
|
||||
|
@ -2033,9 +2059,12 @@ cleanup_exit(int i)
|
|||
}
|
||||
}
|
||||
}
|
||||
/* Override default fatal exit value when auth was attempted */
|
||||
if (i == 255 && auth_attempted)
|
||||
_exit(EXIT_AUTH_ATTEMPTED);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
if (the_active_state != NULL && (!use_privsep || mm_is_monitor()))
|
||||
if (the_active_state != NULL && mm_is_monitor())
|
||||
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
|
||||
#endif
|
||||
_exit(i);
|
||||
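Review bot: In grace_alarm_handler the new sigaction()/sigfillset()/kill(0, SIGTERM) sequence stays within async-signal-safe calls, but the `#else` branch still reaches `sigdie("Timeout before authentication for %s port %d", ssh_remote_ipaddr(the_active_state), ssh_remote_port(the_active_state));` before `_exit(EXIT_LOGIN_GRACE);`, which the function's own header comment ("may only take signal-safe actions") argues against; if sigdie formats and logs (syslog, allocation) it is not signal-safe, and the alarm fires while the peer is still unauthenticated. Consider dropping the three sigdie lines and letting the listener report the timeout from the EXIT_LOGIN_GRACE status it already receives — I cannot see from this hunk whether the listener does that, so confirm before removing. Separately, the comment added in privsep_postauth reads "disable post-auth privsep entriely"; it should be `entirely`. This file section has no file-header line on the page; the name sshd-session.c is inferred from the $OpenBSD tag in the first hunk.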
|
|
|
@ -0,0 +1,685 @@
|
|||
SSHD(8) System Manager's Manual SSHD(8)
|
||||
|
||||
NAME
|
||||
sshd M-bM-^@M-^S OpenSSH daemon
|
||||
|
||||
SYNOPSIS
|
||||
sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_certificate_file]
|
||||
[-E log_file] [-f config_file] [-g login_grace_time]
|
||||
[-h host_key_file] [-o option] [-p port] [-u len]
|
||||
|
||||
DESCRIPTION
|
||||
sshd (OpenSSH Daemon) is the daemon program for ssh(1). It provides
|
||||
secure encrypted communications between two untrusted hosts over an
|
||||
insecure network.
|
||||
|
||||
sshd listens for connections from clients. It is normally started at
|
||||
boot from /etc/rc. It forks a new daemon for each incoming connection.
|
||||
The forked daemons handle key exchange, encryption, authentication,
|
||||
command execution, and data exchange.
|
||||
|
||||
sshd can be configured using command-line options or a configuration file
|
||||
(by default sshd_config(5)); command-line options override values
|
||||
specified in the configuration file. sshd rereads its configuration file
|
||||
when it receives a hangup signal, SIGHUP, by executing itself with the
|
||||
name and options it was started with, e.g. /usr/sbin/sshd.
|
||||
|
||||
The options are as follows:
|
||||
|
||||
-4 Forces sshd to use IPv4 addresses only.
|
||||
|
||||
-6 Forces sshd to use IPv6 addresses only.
|
||||
|
||||
-C connection_spec
|
||||
Specify the connection parameters to use for the -T extended test
|
||||
mode. If provided, any Match directives in the configuration
|
||||
file that would apply are applied before the configuration is
|
||||
written to standard output. The connection parameters are
|
||||
supplied as keyword=value pairs and may be supplied in any order,
|
||||
either with multiple -C options or as a comma-separated list.
|
||||
The keywords are M-bM-^@M-^\addrM-bM-^@M-^], M-bM-^@M-^\userM-bM-^@M-^], M-bM-^@M-^\hostM-bM-^@M-^], M-bM-^@M-^\laddrM-bM-^@M-^], M-bM-^@M-^\lportM-bM-^@M-^], and
|
||||
M-bM-^@M-^\rdomainM-bM-^@M-^] and correspond to source address, user, resolved source
|
||||
host name, local address, local port number and routing domain
|
||||
respectively.
|
||||
|
||||
-c host_certificate_file
|
||||
Specifies a path to a certificate file to identify sshd during
|
||||
key exchange. The certificate file must match a host key file
|
||||
specified using the -h option or the HostKey configuration
|
||||
directive.
|
||||
|
||||
-D When this option is specified, sshd will not detach and does not
|
||||
become a daemon. This allows easy monitoring of sshd.
|
||||
|
||||
-d Debug mode. The server sends verbose debug output to standard
|
||||
error, and does not put itself in the background. The server
|
||||
also will not fork(2) and will only process one connection. This
|
||||
option is only intended for debugging for the server. Multiple
|
||||
-d options increase the debugging level. Maximum is 3.
|
||||
|
||||
-E log_file
|
||||
Append debug logs to log_file instead of the system log.
|
||||
|
||||
-e Write debug logs to standard error instead of the system log.
|
||||
|
||||
-f config_file
|
||||
Specifies the name of the configuration file. The default is
|
||||
/etc/ssh/sshd_config. sshd refuses to start if there is no
|
||||
configuration file.
|
||||
|
||||
-G Parse and print configuration file. Check the validity of the
|
||||
configuration file, output the effective configuration to stdout
|
||||
and then exit. Optionally, Match rules may be applied by
|
||||
specifying the connection parameters using one or more -C
|
||||
options.
|
||||
|
||||
-g login_grace_time
|
||||
Gives the grace time for clients to authenticate themselves
|
||||
(default 120 seconds). If the client fails to authenticate the
|
||||
user within this many seconds, the server disconnects and exits.
|
||||
A value of zero indicates no limit.
|
||||
|
||||
-h host_key_file
|
||||
Specifies a file from which a host key is read. This option must
|
||||
be given if sshd is not run as root (as the normal host key files
|
||||
are normally not readable by anyone but root). The default is
|
||||
/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
|
||||
/etc/ssh/ssh_host_rsa_key. It is possible to have multiple host
|
||||
key files for the different host key algorithms.
|
||||
|
||||
-i Specifies that sshd is being run from inetd(8).
|
||||
|
||||
-o option
|
||||
Can be used to give options in the format used in the
|
||||
configuration file. This is useful for specifying options for
|
||||
which there is no separate command-line flag. For full details
|
||||
of the options, and their values, see sshd_config(5).
|
||||
|
||||
-p port
|
||||
Specifies the port on which the server listens for connections
|
||||
(default 22). Multiple port options are permitted. Ports
|
||||
specified in the configuration file with the Port option are
|
||||
ignored when a command-line port is specified. Ports specified
|
||||
using the ListenAddress option override command-line ports.
|
||||
|
||||
-q Quiet mode. Nothing is sent to the system log. Normally the
|
||||
beginning, authentication, and termination of each connection is
|
||||
logged.
|
||||
|
||||
-T Extended test mode. Check the validity of the configuration
|
||||
file, output the effective configuration to stdout and then exit.
|
||||
Optionally, Match rules may be applied by specifying the
|
||||
connection parameters using one or more -C options. This is
|
||||
similar to the -G flag, but it includes the additional testing
|
||||
performed by the -t flag.
|
||||
|
||||
-t Test mode. Only check the validity of the configuration file and
|
||||
sanity of the keys. This is useful for updating sshd reliably as
|
||||
configuration options may change.
|
||||
|
||||
-u len This option is used to specify the size of the field in the utmp
|
||||
structure that holds the remote host name. If the resolved host
|
||||
name is longer than len, the dotted decimal value will be used
|
||||
instead. This allows hosts with very long host names that
|
||||
overflow this field to still be uniquely identified. Specifying
|
||||
-u0 indicates that only dotted decimal addresses should be put
|
||||
into the utmp file. -u0 may also be used to prevent sshd from
|
||||
making DNS requests unless the authentication mechanism or
|
||||
configuration requires it. Authentication mechanisms that may
|
||||
require DNS include HostbasedAuthentication and using a
|
||||
from="pattern-list" option in a key file. Configuration options
|
||||
that require DNS include using a USER@HOST pattern in AllowUsers
|
||||
or DenyUsers.
|
||||
|
||||
-V Display the version number and exit.
|
||||
|
||||
AUTHENTICATION
|
||||
The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
|
||||
host-specific key, used to identify the host. Whenever a client
|
||||
connects, the daemon responds with its public host key. The client
|
||||
compares the host key against its own database to verify that it has not
|
||||
changed. Forward secrecy is provided through a Diffie-Hellman key
|
||||
agreement. This key agreement results in a shared session key. The rest
|
||||
of the session is encrypted using a symmetric cipher. The client selects
|
||||
the encryption algorithm to use from those offered by the server.
|
||||
Additionally, session integrity is provided through a cryptographic
|
||||
message authentication code (MAC).
|
||||
|
||||
Finally, the server and the client enter an authentication dialog. The
|
||||
client tries to authenticate itself using host-based authentication,
|
||||
public key authentication, challenge-response authentication, or password
|
||||
authentication.
|
||||
|
||||
Regardless of the authentication type, the account is checked to ensure
|
||||
that it is accessible. An account is not accessible if it is locked,
|
||||
listed in DenyUsers or its group is listed in DenyGroups . The
|
||||
definition of a locked account is system dependent. Some platforms have
|
||||
their own account database (eg AIX) and some modify the passwd field (
|
||||
M-bM-^@M-^X*LK*M-bM-^@M-^Y on Solaris and UnixWare, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on
|
||||
Tru64, a leading M-bM-^@M-^X*LOCKED*M-bM-^@M-^Y on FreeBSD and a leading M-bM-^@M-^X!M-bM-^@M-^Y on most
|
||||
Linuxes). If there is a requirement to disable password authentication
|
||||
for the account while allowing still public-key, then the passwd field
|
||||
should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or M-bM-^@M-^X*NP*M-bM-^@M-^Y ).
|
||||
|
||||
If the client successfully authenticates itself, a dialog for preparing
|
||||
the session is entered. At this time the client may request things like
|
||||
allocating a pseudo-tty, forwarding X11 connections, forwarding TCP
|
||||
connections, or forwarding the authentication agent connection over the
|
||||
secure channel.
|
||||
|
||||
After this, the client either requests an interactive shell or execution
|
||||
of a non-interactive command, which sshd will execute via the user's
|
||||
shell using its -c option. The sides then enter session mode. In this
|
||||
mode, either side may send data at any time, and such data is forwarded
|
||||
to/from the shell or command on the server side, and the user terminal in
|
||||
the client side.
|
||||
|
||||
When the user program terminates and all forwarded X11 and other
|
||||
connections have been closed, the server sends command exit status to the
|
||||
client, and both sides exit.
|
||||
|
||||
LOGIN PROCESS
|
||||
When a user successfully logs in, sshd does the following:
|
||||
|
||||
1. If the login is on a tty, and no command has been specified,
|
||||
prints last login time and /etc/motd (unless prevented in the
|
||||
configuration file or by ~/.hushlogin; see the FILES section).
|
||||
|
||||
2. If the login is on a tty, records login time.
|
||||
|
||||
3. Checks /etc/nologin; if it exists, prints contents and quits
|
||||
(unless root).
|
||||
|
||||
4. Changes to run with normal user privileges.
|
||||
|
||||
5. Sets up basic environment.
|
||||
|
||||
6. Reads the file ~/.ssh/environment, if it exists, and users are
|
||||
allowed to change their environment. See the
|
||||
PermitUserEnvironment option in sshd_config(5).
|
||||
|
||||
7. Changes to user's home directory.
|
||||
|
||||
8. If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
|
||||
is set, runs it; else if /etc/ssh/sshrc exists, runs it;
|
||||
otherwise runs xauth(1). The M-bM-^@M-^\rcM-bM-^@M-^] files are given the X11
|
||||
authentication protocol and cookie in standard input. See
|
||||
SSHRC, below.
|
||||
|
||||
9. Runs user's shell or command. All commands are run under the
|
||||
user's login shell as specified in the system password
|
||||
database.
|
||||
|
||||
SSHRC
|
||||
If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
|
||||
files but before starting the user's shell or command. It must not
|
||||
produce any output on stdout; stderr must be used instead. If X11
|
||||
forwarding is in use, it will receive the "proto cookie" pair in its
|
||||
standard input (and DISPLAY in its environment). The script must call
|
||||
xauth(1) because sshd will not run xauth automatically to add X11
|
||||
cookies.
|
||||
|
||||
The primary purpose of this file is to run any initialization routines
|
||||
which may be needed before the user's home directory becomes accessible;
|
||||
AFS is a particular example of such an environment.
|
||||
|
||||
This file will probably contain some initialization code followed by
|
||||
something similar to:
|
||||
|
||||
if read proto cookie && [ -n "$DISPLAY" ]; then
|
||||
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
|
||||
# X11UseLocalhost=yes
|
||||
echo add unix:`echo $DISPLAY |
|
||||
cut -c11-` $proto $cookie
|
||||
else
|
||||
# X11UseLocalhost=no
|
||||
echo add $DISPLAY $proto $cookie
|
||||
fi | xauth -q -
|
||||
fi
|
||||
|
||||
If this file does not exist, /etc/ssh/sshrc is run, and if that does not
|
||||
exist either, xauth is used to add the cookie.
|
||||
|
||||
AUTHORIZED_KEYS FILE FORMAT
|
||||
AuthorizedKeysFile specifies the files containing public keys for public
|
||||
key authentication; if this option is not specified, the default is
|
||||
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
|
||||
file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
|
||||
ignored as comments). Public keys consist of the following space-
|
||||
separated fields: options, keytype, base64-encoded key, comment. The
|
||||
options field is optional. The supported key types are:
|
||||
|
||||
sk-ecdsa-sha2-nistp256@openssh.com
|
||||
ecdsa-sha2-nistp256
|
||||
ecdsa-sha2-nistp384
|
||||
ecdsa-sha2-nistp521
|
||||
sk-ssh-ed25519@openssh.com
|
||||
ssh-ed25519
|
||||
ssh-rsa
|
||||
|
||||
The comment field is not used for anything (but may be convenient for the
|
||||
user to identify the key).
|
||||
|
||||
Note that lines in this file can be several hundred bytes long (because
|
||||
of the size of the public key encoding) up to a limit of 8 kilobytes,
|
||||
which permits RSA keys up to 16 kilobits. You don't want to type them
|
||||
in; instead, copy the id_ecdsa.pub, id_ecdsa_sk.pub, id_ed25519.pub,
|
||||
id_ed25519_sk.pub, or the id_rsa.pub file and edit it.
|
||||
|
||||
sshd enforces a minimum RSA key modulus size of 1024 bits.
|
||||
|
||||
The options (if present) consist of comma-separated option
|
||||
specifications. No spaces are permitted, except within double quotes.
|
||||
The following option specifications are supported (note that option
|
||||
keywords are case-insensitive):
|
||||
|
||||
agent-forwarding
|
||||
Enable authentication agent forwarding previously disabled by the
|
||||
restrict option.
|
||||
|
||||
cert-authority
|
||||
Specifies that the listed key is a certification authority (CA)
|
||||
that is trusted to validate signed certificates for user
|
||||
authentication.
|
||||
|
||||
Certificates may encode access restrictions similar to these key
|
||||
options. If both certificate restrictions and key options are
|
||||
present, the most restrictive union of the two is applied.
|
||||
|
||||
command="command"
|
||||
Specifies that the command is executed whenever this key is used
|
||||
for authentication. The command supplied by the user (if any) is
|
||||
ignored. The command is run on a pty if the client requests a
|
||||
pty; otherwise it is run without a tty. If an 8-bit clean
|
||||
channel is required, one must not request a pty or should specify
|
||||
no-pty. A quote may be included in the command by quoting it
|
||||
with a backslash.
|
||||
|
||||
This option might be useful to restrict certain public keys to
|
||||
perform just a specific operation. An example might be a key
|
||||
that permits remote backups but nothing else. Note that the
|
||||
client may specify TCP and/or X11 forwarding unless they are
|
||||
explicitly prohibited, e.g. using the restrict key option.
|
||||
|
||||
The command originally supplied by the client is available in the
|
||||
SSH_ORIGINAL_COMMAND environment variable. Note that this option
|
||||
applies to shell, command or subsystem execution. Also note that
|
||||
this command may be superseded by a sshd_config(5) ForceCommand
|
||||
directive.
|
||||
|
||||
If a command is specified and a forced-command is embedded in a
|
||||
certificate used for authentication, then the certificate will be
|
||||
accepted only if the two commands are identical.
|
||||
|
||||
environment="NAME=value"
|
||||
Specifies that the string is to be added to the environment when
|
||||
logging in using this key. Environment variables set this way
|
||||
override other default environment values. Multiple options of
|
||||
this type are permitted. Environment processing is disabled by
|
||||
default and is controlled via the PermitUserEnvironment option.
|
||||
|
||||
expiry-time="timespec"
|
||||
Specifies a time after which the key will not be accepted. The
|
||||
time may be specified as a YYYYMMDD[Z] date or a
|
||||
YYYYMMDDHHMM[SS][Z] time. Dates and times will be interpreted in
|
||||
the system time zone unless suffixed by a Z character, in which
|
||||
case they will be interpreted in the UTC time zone.
|
||||
|
||||
from="pattern-list"
|
||||
Specifies that in addition to public key authentication, either
|
||||
the canonical name of the remote host or its IP address must be
|
||||
present in the comma-separated list of patterns. See PATTERNS in
|
||||
ssh_config(5) for more information on patterns.
|
||||
|
||||
In addition to the wildcard matching that may be applied to
|
||||
hostnames or addresses, a from stanza may match IP addresses
|
||||
using CIDR address/masklen notation.
|
||||
|
||||
The purpose of this option is to optionally increase security:
|
||||
public key authentication by itself does not trust the network or
|
||||
name servers or anything (but the key); however, if somebody
|
||||
somehow steals the key, the key permits an intruder to log in
|
||||
from anywhere in the world. This additional option makes using a
|
||||
stolen key more difficult (name servers and/or routers would have
|
||||
to be compromised in addition to just the key).
|
||||
|
||||
no-agent-forwarding
|
||||
Forbids authentication agent forwarding when this key is used for
|
||||
authentication.
|
||||
|
||||
no-port-forwarding
|
||||
Forbids TCP forwarding when this key is used for authentication.
|
||||
Any port forward requests by the client will return an error.
|
||||
This might be used, e.g. in connection with the command option.
|
||||
|
||||
no-pty Prevents tty allocation (a request to allocate a pty will fail).
|
||||
|
||||
no-user-rc
|
||||
Disables execution of ~/.ssh/rc.
|
||||
|
||||
no-X11-forwarding
|
||||
Forbids X11 forwarding when this key is used for authentication.
|
||||
Any X11 forward requests by the client will return an error.
|
||||
|
||||
permitlisten="[host:]port"
|
||||
Limit remote port forwarding with the ssh(1) -R option such that
|
||||
it may only listen on the specified host (optional) and port.
|
||||
IPv6 addresses can be specified by enclosing the address in
|
||||
square brackets. Multiple permitlisten options may be applied
|
||||
separated by commas. Hostnames may include wildcards as
|
||||
described in the PATTERNS section in ssh_config(5). A port
|
||||
specification of * matches any port. Note that the setting of
|
||||
GatewayPorts may further restrict listen addresses. Note that
|
||||
ssh(1) will send a hostname of M-bM-^@M-^\localhostM-bM-^@M-^] if a listen host was
|
||||
not specified when the forwarding was requested, and that this
|
||||
name is treated differently to the explicit localhost addresses
|
||||
M-bM-^@M-^\127.0.0.1M-bM-^@M-^] and M-bM-^@M-^\::1M-bM-^@M-^].
|
||||
|
||||
permitopen="host:port"
|
||||
Limit local port forwarding with the ssh(1) -L option such that
|
||||
it may only connect to the specified host and port. IPv6
|
||||
addresses can be specified by enclosing the address in square
|
||||
brackets. Multiple permitopen options may be applied separated
|
||||
by commas. No pattern matching or name lookup is performed on
|
||||
the specified hostnames, they must be literal host names and/or
|
||||
addresses. A port specification of * matches any port.
|
||||
|
||||
port-forwarding
|
||||
Enable port forwarding previously disabled by the restrict
|
||||
option.
|
||||
|
||||
principals="principals"
|
||||
On a cert-authority line, specifies allowed principals for
|
||||
certificate authentication as a comma-separated list. At least
|
||||
one name from the list must appear in the certificate's list of
|
||||
principals for the certificate to be accepted. This option is
|
||||
ignored for keys that are not marked as trusted certificate
|
||||
signers using the cert-authority option.
|
||||
|
||||
pty Permits tty allocation previously disabled by the restrict
|
||||
option.
|
||||
|
||||
no-touch-required
|
||||
Do not require demonstration of user presence for signatures made
|
||||
using this key. This option only makes sense for the FIDO
|
||||
authenticator algorithms ecdsa-sk and ed25519-sk.
|
||||
|
||||
verify-required
|
||||
Require that signatures made using this key attest that they
|
||||
verified the user, e.g. via a PIN. This option only makes sense
|
||||
for the FIDO authenticator algorithms ecdsa-sk and ed25519-sk.
|
||||
|
||||
restrict
|
||||
Enable all restrictions, i.e. disable port, agent and X11
|
||||
forwarding, as well as disabling PTY allocation and execution of
|
||||
~/.ssh/rc. If any future restriction capabilities are added to
|
||||
authorized_keys files, they will be included in this set.
|
||||
|
||||
tunnel="n"
|
||||
Force a tun(4) device on the server. Without this option, the
|
||||
next available device will be used if the client requests a
|
||||
tunnel.
|
||||
|
||||
user-rc
|
||||
Enables execution of ~/.ssh/rc previously disabled by the
|
||||
restrict option.
|
||||
|
||||
X11-forwarding
|
||||
Permits X11 forwarding previously disabled by the restrict
|
||||
option.
|
||||
|
||||
An example authorized_keys file:
|
||||
|
||||
# Comments are allowed at start of line. Blank lines are allowed.
|
||||
# Plain key, no restrictions
|
||||
ssh-rsa ...
|
||||
# Forced command, disable PTY and all forwarding
|
||||
restrict,command="dump /home" ssh-rsa ...
|
||||
# Restriction of ssh -L forwarding destinations
|
||||
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
|
||||
# Restriction of ssh -R forwarding listeners
|
||||
permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
|
||||
# Configuration for tunnel forwarding
|
||||
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
|
||||
# Override of restriction to allow PTY allocation
|
||||
restrict,pty,command="nethack" ssh-rsa ...
|
||||
# Allow FIDO key without requiring touch
|
||||
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
|
||||
# Require user-verification (e.g. PIN or biometric) for FIDO key
|
||||
verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
|
||||
# Trust CA key, allow touch-less FIDO if requested in certificate
|
||||
cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
|
||||
|
||||
SSH_KNOWN_HOSTS FILE FORMAT
|
||||
The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
|
||||
public keys for all known hosts. The global file should be prepared by
|
||||
the administrator (optional), and the per-user file is maintained
|
||||
automatically: whenever the user connects to an unknown host, its key is
|
||||
added to the per-user file.
|
||||
|
||||
Each line in these files contains the following fields: marker
|
||||
(optional), hostnames, keytype, base64-encoded key, comment. The fields
|
||||
are separated by spaces.
|
||||
|
||||
The marker is optional, but if it is present then it must be one of
|
||||
M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification
|
||||
authority (CA) key, or M-bM-^@M-^\@revokedM-bM-^@M-^], to indicate that the key contained on
|
||||
the line is revoked and must not ever be accepted. Only one marker
|
||||
should be used on a key line.
|
||||
|
||||
Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as
|
||||
wildcards); each pattern in turn is matched against the host name. When
|
||||
sshd is authenticating a client, such as when using
|
||||
HostbasedAuthentication, this will be the canonical client host name.
|
||||
When ssh(1) is authenticating a server, this will be the host name given
|
||||
by the user, the value of the ssh(1) HostkeyAlias if it was specified, or
|
||||
the canonical server hostname if the ssh(1) CanonicalizeHostname option
|
||||
was used.
|
||||
|
||||
A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indicate negation: if the host
|
||||
name matches a negated pattern, it is not accepted (by that line) even if
|
||||
it matched another pattern on the line. A hostname or address may
|
||||
optionally be enclosed within M-bM-^@M-^X[M-bM-^@M-^Y and M-bM-^@M-^X]M-bM-^@M-^Y brackets then followed by M-bM-^@M-^X:M-bM-^@M-^Y
|
||||
and a non-standard port number.
|
||||
|
||||
Alternately, hostnames may be stored in a hashed form which hides host
|
||||
names and addresses should the file's contents be disclosed. Hashed
|
||||
hostnames start with a M-bM-^@M-^X|M-bM-^@M-^Y character. Only one hashed hostname may
|
||||
appear on a single line and none of the above negation or wildcard
|
||||
operators may be applied.
|
||||
|
||||
The keytype and base64-encoded key are taken directly from the host key;
|
||||
they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub.
|
||||
The optional comment field continues to the end of the line, and is not
|
||||
used.
|
||||
|
||||
Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
|
||||
|
||||
When performing host authentication, authentication is accepted if any
|
||||
matching line has the proper key; either one that matches exactly or, if
|
||||
the server has presented a certificate for authentication, the key of the
|
||||
certification authority that signed the certificate. For a key to be
|
||||
trusted as a certification authority, it must use the M-bM-^@M-^\@cert-authorityM-bM-^@M-^]
|
||||
marker described above.
|
||||
|
||||
The known hosts file also provides a facility to mark keys as revoked,
|
||||
for example when it is known that the associated private key has been
|
||||
stolen. Revoked keys are specified by including the M-bM-^@M-^\@revokedM-bM-^@M-^] marker at
|
||||
the beginning of the key line, and are never accepted for authentication
|
||||
or as certification authorities, but instead will produce a warning from
|
||||
ssh(1) when they are encountered.
|
||||
|
||||
It is permissible (but not recommended) to have several lines or
|
||||
different host keys for the same names. This will inevitably happen when
|
||||
short forms of host names from different domains are put in the file. It
|
||||
is possible that the files contain conflicting information;
|
||||
authentication is accepted if valid information can be found from either
|
||||
file.
|
||||
|
||||
Note that the lines in these files are typically hundreds of characters
|
||||
long, and you definitely don't want to type in the host keys by hand.
|
||||
Rather, generate them by a script, ssh-keyscan(1) or by taking, for
|
||||
example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
|
||||
front. ssh-keygen(1) also offers some basic automated editing for
|
||||
~/.ssh/known_hosts including removing hosts matching a host name and
|
||||
converting all host names to their hashed representations.
|
||||
|
||||
An example ssh_known_hosts file:
|
||||
|
||||
# Comments allowed at start of line
|
||||
cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
|
||||
# A hashed hostname
|
||||
|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
|
||||
AAAA1234.....=
|
||||
# A revoked key
|
||||
@revoked * ssh-rsa AAAAB5W...
|
||||
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
|
||||
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
|
||||
|
||||
FILES
|
||||
~/.hushlogin
|
||||
This file is used to suppress printing the last login time and
|
||||
/etc/motd, if PrintLastLog and PrintMotd, respectively, are
|
||||
enabled. It does not suppress printing of the banner specified
|
||||
by Banner.
|
||||
|
||||
~/.rhosts
|
||||
This file is used for host-based authentication (see ssh(1) for
|
||||
more information). On some machines this file may need to be
|
||||
world-readable if the user's home directory is on an NFS
|
||||
partition, because sshd reads it as root. Additionally, this
|
||||
file must be owned by the user, and must not have write
|
||||
permissions for anyone else. The recommended permission for most
|
||||
machines is read/write for the user, and not accessible by
|
||||
others.
|
||||
|
||||
~/.shosts
|
||||
This file is used in exactly the same way as .rhosts, but allows
|
||||
host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
~/.ssh/
|
||||
This directory is the default location for all user-specific
|
||||
configuration and authentication information. There is no
|
||||
general requirement to keep the entire contents of this directory
|
||||
secret, but the recommended permissions are read/write/execute
|
||||
for the user, and not accessible by others.
|
||||
|
||||
~/.ssh/authorized_keys
|
||||
Lists the public keys (ECDSA, Ed25519, RSA) that can be used for
|
||||
logging in as this user. The format of this file is described
|
||||
above. The content of the file is not highly sensitive, but the
|
||||
recommended permissions are read/write for the user, and not
|
||||
accessible by others.
|
||||
|
||||
If this file, the ~/.ssh directory, or the user's home directory
|
||||
are writable by other users, then the file could be modified or
|
||||
replaced by unauthorized users. In this case, sshd will not
|
||||
allow it to be used unless the StrictModes option has been set to
|
||||
M-bM-^@M-^\noM-bM-^@M-^].
|
||||
|
||||
~/.ssh/environment
|
||||
This file is read into the environment at login (if it exists).
|
||||
It can only contain empty lines, comment lines (that start with
|
||||
M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file
|
||||
should be writable only by the user; it need not be readable by
|
||||
anyone else. Environment processing is disabled by default and
|
||||
is controlled via the PermitUserEnvironment option.
|
||||
|
||||
~/.ssh/known_hosts
|
||||
Contains a list of host keys for all hosts the user has logged
|
||||
into that are not already in the systemwide list of known host
|
||||
keys. The format of this file is described above. This file
|
||||
should be writable only by root/the owner and can, but need not
|
||||
be, world-readable.
|
||||
|
||||
~/.ssh/rc
|
||||
Contains initialization routines to be run before the user's home
|
||||
directory becomes accessible. This file should be writable only
|
||||
by the user, and need not be readable by anyone else.
|
||||
|
||||
/etc/hosts.equiv
|
||||
This file is for host-based authentication (see ssh(1)). It
|
||||
should only be writable by root.
|
||||
|
||||
/etc/moduli
|
||||
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
|
||||
Exchange" key exchange method. The file format is described in
|
||||
moduli(5). If no usable groups are found in this file then fixed
|
||||
internal groups will be used.
|
||||
|
||||
/etc/motd
|
||||
See motd(5).
|
||||
|
||||
/etc/nologin
|
||||
If this file exists, sshd refuses to let anyone except root log
|
||||
in. The contents of the file are displayed to anyone trying to
|
||||
log in, and non-root connections are refused. The file should be
|
||||
world-readable.
|
||||
|
||||
/etc/shosts.equiv
|
||||
This file is used in exactly the same way as hosts.equiv, but
|
||||
allows host-based authentication without permitting login with
|
||||
rlogin/rsh.
|
||||
|
||||
/etc/ssh/ssh_host_ecdsa_key
|
||||
/etc/ssh/ssh_host_ed25519_key
|
||||
/etc/ssh/ssh_host_rsa_key
|
||||
These files contain the private parts of the host keys. These
|
||||
files should only be owned by root, readable only by root, and
|
||||
not accessible to others. Note that sshd does not start if these
|
||||
files are group/world-accessible.
|
||||
|
||||
/etc/ssh/ssh_host_ecdsa_key.pub
|
||||
/etc/ssh/ssh_host_ed25519_key.pub
|
||||
/etc/ssh/ssh_host_rsa_key.pub
|
||||
These files contain the public parts of the host keys. These
|
||||
files should be world-readable but writable only by root. Their
|
||||
contents should match the respective private parts. These files
|
||||
are not really used for anything; they are provided for the
|
||||
convenience of the user so their contents can be copied to known
|
||||
hosts files. These files are created using ssh-keygen(1).
|
||||
|
||||
/etc/ssh/ssh_known_hosts
|
||||
Systemwide list of known host keys. This file should be prepared
|
||||
by the system administrator to contain the public host keys of
|
||||
all machines in the organization. The format of this file is
|
||||
described above. This file should be writable only by root/the
|
||||
owner and should be world-readable.
|
||||
|
||||
/etc/ssh/sshd_config
|
||||
Contains configuration data for sshd. The file format and
|
||||
configuration options are described in sshd_config(5).
|
||||
|
||||
/etc/ssh/sshrc
|
||||
Similar to ~/.ssh/rc, it can be used to specify machine-specific
|
||||
login-time initializations globally. This file should be
|
||||
writable only by root, and should be world-readable.
|
||||
|
||||
/var/empty
|
||||
chroot(2) directory used by sshd during privilege separation in
|
||||
the pre-authentication phase. The directory should not contain
|
||||
any files and must be owned by root and not group or world-
|
||||
writable.
|
||||
|
||||
/var/run/sshd.pid
|
||||
Contains the process ID of the sshd listening for connections (if
|
||||
there are several daemons running concurrently for different
|
||||
ports, this contains the process ID of the one started last).
|
||||
The content of this file is not sensitive; it can be world-
|
||||
readable.
|
||||
|
||||
SEE ALSO
|
||||
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
|
||||
ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
|
||||
inetd(8), sftp-server(8)
|
||||
|
||||
AUTHORS
|
||||
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
|
||||
Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
|
||||
de Raadt and Dug Song removed many bugs, re-added newer features and
|
||||
created OpenSSH. Markus Friedl contributed the support for SSH protocol
|
||||
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
|
||||
for privilege separation.
|
||||
|
||||
OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
|
9
sshd.8
9
sshd.8
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
|
||||
.Dd $Mdocdate: September 19 2023 $
|
||||
.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -465,8 +465,6 @@ sk-ssh-ed25519@openssh.com
|
|||
.It
|
||||
ssh-ed25519
|
||||
.It
|
||||
ssh-dss
|
||||
.It
|
||||
ssh-rsa
|
||||
.El
|
||||
.Pp
|
||||
|
@ -477,7 +475,6 @@ Note that lines in this file can be several hundred bytes long
|
|||
(because of the size of the public key encoding) up to a limit of
|
||||
8 kilobytes, which permits RSA keys up to 16 kilobits.
|
||||
You don't want to type them in; instead, copy the
|
||||
.Pa id_dsa.pub ,
|
||||
.Pa id_ecdsa.pub ,
|
||||
.Pa id_ecdsa_sk.pub ,
|
||||
.Pa id_ed25519.pub ,
|
||||
|
@ -881,7 +878,7 @@ secret, but the recommended permissions are read/write/execute for the user,
|
|||
and not accessible by others.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/authorized_keys
|
||||
Lists the public keys (DSA, ECDSA, Ed25519, RSA)
|
||||
Lists the public keys (ECDSA, Ed25519, RSA)
|
||||
that can be used for logging in as this user.
|
||||
The format of this file is described above.
|
||||
The content of the file is not highly sensitive, but the recommended
|
||||
|
|
466
sshd.c
466
sshd.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshd.c,v 1.603 2024/05/17 00:30:24 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.609 2024/06/27 23:01:15 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2002 Niels Provos. All rights reserved.
|
||||
|
@ -93,6 +93,7 @@
|
|||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
#include "sk-api.h"
|
||||
#include "addr.h"
|
||||
#include "srclimit.h"
|
||||
|
||||
/* Re-exec fds */
|
||||
|
@ -157,6 +158,8 @@ struct {
|
|||
} sensitive_data;
|
||||
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_siginfo = 0;
|
||||
static volatile sig_atomic_t received_sigchld = 0;
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
|
||||
|
@ -164,8 +167,9 @@ static volatile sig_atomic_t received_sigterm = 0;
|
|||
u_int utmp_len = HOST_NAME_MAX+1;
|
||||
|
||||
/*
|
||||
* startup_pipes/flags are used for tracking children of the listening sshd
|
||||
* process early in their lifespans. This tracking is needed for three things:
|
||||
* The early_child/children array below is used for tracking children of the
|
||||
* listening sshd process early in their lifespans, before they have
|
||||
* completed authentication. This tracking is needed for four things:
|
||||
*
|
||||
* 1) Implementing the MaxStartups limit of concurrent unauthenticated
|
||||
* connections.
|
||||
|
@ -174,14 +178,31 @@ u_int utmp_len = HOST_NAME_MAX+1;
|
|||
* after it restarts.
|
||||
* 3) Ensuring that rexec'd sshd processes have received their initial state
|
||||
* from the parent listen process before handling SIGHUP.
|
||||
* 4) Tracking and logging unsuccessful exits from the preauth sshd monitor,
|
||||
* including and especially those for LoginGraceTime timeouts.
|
||||
*
|
||||
* Child processes signal that they have completed closure of the listen_socks
|
||||
* and (if applicable) received their rexec state by sending a char over their
|
||||
* sock. Child processes signal that authentication has completed by closing
|
||||
* the sock (or by exiting).
|
||||
* sock.
|
||||
*
|
||||
* Child processes signal that authentication has completed by sending a
|
||||
* second char over the socket before closing it, otherwise the listener will
|
||||
* continue tracking the child (and using up a MaxStartups slot) until the
|
||||
* preauth subprocess exits, whereupon the listener will log its exit status.
|
||||
* preauth processes will exit with a status of EXIT_LOGIN_GRACE to indicate
|
||||
* they did not authenticate before the LoginGraceTime alarm fired.
|
||||
*/
|
||||
static int *startup_pipes = NULL;
|
||||
static int *startup_flags = NULL; /* Indicates child closed listener */
|
||||
struct early_child {
|
||||
int pipefd;
|
||||
int early; /* Indicates child closed listener */
|
||||
char *id; /* human readable connection identifier */
|
||||
pid_t pid;
|
||||
struct xaddr addr;
|
||||
int have_addr;
|
||||
int status, have_status;
|
||||
};
|
||||
static struct early_child *children;
|
||||
static int children_active;
|
||||
static int startup_pipe = -1; /* in child */
|
||||
|
||||
/* sshd_config buffer */
|
||||
|
@ -211,15 +232,255 @@ close_listen_socks(void)
|
|||
num_listen_socks = 0;
|
||||
}
|
||||
|
||||
/* Allocate and initialise the children array */
|
||||
static void
|
||||
child_alloc(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
children = xcalloc(options.max_startups, sizeof(*children));
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
children[i].pipefd = -1;
|
||||
children[i].pid = -1;
|
||||
}
|
||||
}
|
||||
|
||||
/* Register a new connection in the children array; child pid comes later */
|
||||
static struct early_child *
|
||||
child_register(int pipefd, int sockfd)
|
||||
{
|
||||
int i, lport, rport;
|
||||
char *laddr = NULL, *raddr = NULL;
|
||||
struct early_child *child = NULL;
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen = sizeof(addr);
|
||||
struct sockaddr *sa = (struct sockaddr *)&addr;
|
||||
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (children[i].pipefd != -1 || children[i].pid > 0)
|
||||
continue;
|
||||
child = &(children[i]);
|
||||
break;
|
||||
}
|
||||
if (child == NULL) {
|
||||
fatal_f("error: accepted connection when all %d child "
|
||||
" slots full", options.max_startups);
|
||||
}
|
||||
child->pipefd = pipefd;
|
||||
child->early = 1;
|
||||
/* record peer address, if available */
|
||||
if (getpeername(sockfd, sa, &addrlen) == 0 &&
|
||||
addr_sa_to_xaddr(sa, addrlen, &child->addr) == 0)
|
||||
child->have_addr = 1;
|
||||
/* format peer address string for logs */
|
||||
if ((lport = get_local_port(sockfd)) == 0 ||
|
||||
(rport = get_peer_port(sockfd)) == 0) {
|
||||
/* Not a TCP socket */
|
||||
raddr = get_peer_ipaddr(sockfd);
|
||||
xasprintf(&child->id, "connection from %s", raddr);
|
||||
} else {
|
||||
laddr = get_local_ipaddr(sockfd);
|
||||
raddr = get_peer_ipaddr(sockfd);
|
||||
xasprintf(&child->id, "connection from %s to %s", laddr, raddr);
|
||||
}
|
||||
free(laddr);
|
||||
free(raddr);
|
||||
if (++children_active > options.max_startups)
|
||||
fatal_f("internal error: more children than max_startups");
|
||||
|
||||
return child;
|
||||
}
|
||||
|
||||
/*
|
||||
* Finally free a child entry. Don't call this directly.
|
||||
*/
|
||||
static void
|
||||
child_finish(struct early_child *child)
|
||||
{
|
||||
if (children_active == 0)
|
||||
fatal_f("internal error: children_active underflow");
|
||||
if (child->pipefd != -1)
|
||||
close(child->pipefd);
|
||||
free(child->id);
|
||||
memset(child, '\0', sizeof(*child));
|
||||
child->pipefd = -1;
|
||||
child->pid = -1;
|
||||
children_active--;
|
||||
}
|
||||
|
||||
/*
|
||||
* Close a child's pipe. This will not stop tracking the child immediately
|
||||
* (it will still be tracked for waitpid()) unless force_final is set, or
|
||||
* child has already exited.
|
||||
*/
|
||||
static void
|
||||
child_close(struct early_child *child, int force_final, int quiet)
|
||||
{
|
||||
if (!quiet)
|
||||
debug_f("enter%s", force_final ? " (forcing)" : "");
|
||||
if (child->pipefd != -1) {
|
||||
close(child->pipefd);
|
||||
child->pipefd = -1;
|
||||
}
|
||||
if (child->pid == -1 || force_final)
|
||||
child_finish(child);
|
||||
}
|
||||
|
||||
/* Record a child exit. Safe to call from signal handlers */
|
||||
static void
|
||||
child_exit(pid_t pid, int status)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (children == NULL || pid <= 0)
|
||||
return;
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (children[i].pid == pid) {
|
||||
children[i].have_status = 1;
|
||||
children[i].status = status;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Reap a child entry that has exited, as previously flagged
|
||||
* using child_exit().
|
||||
* Handles logging of exit condition and will finalise the child if its pipe
|
||||
* had already been closed.
|
||||
*/
|
||||
static void
|
||||
child_reap(struct early_child *child)
|
||||
{
|
||||
LogLevel level = SYSLOG_LEVEL_DEBUG1;
|
||||
int was_crash, penalty_type = SRCLIMIT_PENALTY_NONE;
|
||||
|
||||
/* Log exit information */
|
||||
if (WIFSIGNALED(child->status)) {
|
||||
/*
|
||||
* Increase logging for signals potentially associated
|
||||
* with serious conditions.
|
||||
*/
|
||||
if ((was_crash = signal_is_crash(WTERMSIG(child->status))))
|
||||
level = SYSLOG_LEVEL_ERROR;
|
||||
do_log2(level, "session process %ld for %s killed by "
|
||||
"signal %d%s", (long)child->pid, child->id,
|
||||
WTERMSIG(child->status), child->early ? " (early)" : "");
|
||||
if (was_crash)
|
||||
penalty_type = SRCLIMIT_PENALTY_CRASH;
|
||||
} else if (!WIFEXITED(child->status)) {
|
||||
penalty_type = SRCLIMIT_PENALTY_CRASH;
|
||||
error("session process %ld for %s terminated abnormally, "
|
||||
"status=0x%x%s", (long)child->pid, child->id, child->status,
|
||||
child->early ? " (early)" : "");
|
||||
} else {
|
||||
/* Normal exit. We care about the status */
|
||||
switch (WEXITSTATUS(child->status)) {
|
||||
case 0:
|
||||
debug3_f("preauth child %ld for %s completed "
|
||||
"normally %s", (long)child->pid, child->id,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
case EXIT_LOGIN_GRACE:
|
||||
penalty_type = SRCLIMIT_PENALTY_GRACE_EXCEEDED;
|
||||
logit("Timeout before authentication for %s, "
|
||||
"pid = %ld%s", child->id, (long)child->pid,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
case EXIT_CHILD_CRASH:
|
||||
penalty_type = SRCLIMIT_PENALTY_CRASH;
|
||||
logit("Session process %ld unpriv child crash for %s%s",
|
||||
(long)child->pid, child->id,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
case EXIT_AUTH_ATTEMPTED:
|
||||
penalty_type = SRCLIMIT_PENALTY_AUTHFAIL;
|
||||
debug_f("preauth child %ld for %s exited "
|
||||
"after unsuccessful auth attempt %s",
|
||||
(long)child->pid, child->id,
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
default:
|
||||
penalty_type = SRCLIMIT_PENALTY_NOAUTH;
|
||||
debug_f("preauth child %ld for %s exited "
|
||||
"with status %d%s", (long)child->pid, child->id,
|
||||
WEXITSTATUS(child->status),
|
||||
child->early ? " (early)" : "");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (child->have_addr)
|
||||
srclimit_penalise(&child->addr, penalty_type);
|
||||
|
||||
child->pid = -1;
|
||||
child->have_status = 0;
|
||||
if (child->pipefd == -1)
|
||||
child_finish(child);
|
||||
}
|
||||
|
||||
/* Reap all children that have exited; called after SIGCHLD */
|
||||
static void
|
||||
child_reap_all_exited(void)
|
||||
{
|
||||
int i;
|
||||
pid_t pid;
|
||||
int status;
|
||||
|
||||
if (children == NULL)
|
||||
return;
|
||||
|
||||
for (;;) {
|
||||
if ((pid = waitpid(-1, &status, WNOHANG)) == 0)
|
||||
break;
|
||||
else if (pid == -1) {
|
||||
if (errno == EINTR || errno == EAGAIN)
|
||||
continue;
|
||||
if (errno != ECHILD)
|
||||
error_f("waitpid: %s", strerror(errno));
|
||||
break;
|
||||
}
|
||||
child_exit(pid, status);
|
||||
}
|
||||
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (!children[i].have_status)
|
||||
continue;
|
||||
child_reap(&(children[i]));
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (startup_pipes)
|
||||
for (i = 0; i < options.max_startups; i++)
|
||||
if (startup_pipes[i] != -1)
|
||||
close(startup_pipes[i]);
|
||||
if (children == NULL)
|
||||
return;
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (children[i].pipefd != -1)
|
||||
child_close(&(children[i]), 1, 1);
|
||||
}
|
||||
}
|
||||
|
||||
/* Called after SIGINFO */
|
||||
static void
|
||||
show_info(void)
|
||||
{
|
||||
int i;
|
||||
|
||||
/* XXX print listening sockets here too */
|
||||
if (children == NULL)
|
||||
return;
|
||||
logit("%d active startups", children_active);
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (children[i].pipefd == -1 && children[i].pid <= 0)
|
||||
continue;
|
||||
logit("child %d: fd=%d pid=%ld %s%s", i, children[i].pipefd,
|
||||
(long)children[i].pid, children[i].id,
|
||||
children[i].early ? " (early)" : "");
|
||||
}
|
||||
srclimit_penalty_info();
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -265,21 +526,18 @@ sigterm_handler(int sig)
|
|||
received_sigterm = sig;
|
||||
}
|
||||
|
||||
/*
|
||||
* SIGCHLD handler. This is called whenever a child dies. This will then
|
||||
* reap any zombies left by exited children.
|
||||
*/
|
||||
#ifdef SIGINFO
|
||||
static void
|
||||
siginfo_handler(int sig)
|
||||
{
|
||||
received_siginfo = 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
main_sigchld_handler(int sig)
|
||||
{
|
||||
int save_errno = errno;
|
||||
pid_t pid;
|
||||
int status;
|
||||
|
||||
while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
|
||||
(pid == -1 && errno == EINTR))
|
||||
;
|
||||
errno = save_errno;
|
||||
received_sigchld = 1;
|
||||
}
|
||||
|
||||
#ifdef WINDOWS
|
||||
|
@ -365,7 +623,7 @@ should_drop_connection(int startups)
|
|||
}
|
||||
|
||||
/*
|
||||
* Check whether connection should be accepted by MaxStartups.
|
||||
* Check whether connection should be accepted by MaxStartups or for penalty.
|
||||
* Returns 0 if the connection is accepted. If the connection is refused,
|
||||
* returns 1 and attempts to send notification to client.
|
||||
* Logs when the MaxStartups condition is entered or exited, and periodically
|
||||
|
@ -375,12 +633,17 @@ static int
|
|||
drop_connection(int sock, int startups, int notify_pipe)
|
||||
{
|
||||
char *laddr, *raddr;
|
||||
const char msg[] = "Exceeded MaxStartups\r\n";
|
||||
const char *reason = NULL, msg[] = "Not allowed at this time\r\n";
|
||||
static time_t last_drop, first_drop;
|
||||
static u_int ndropped;
|
||||
LogLevel drop_level = SYSLOG_LEVEL_VERBOSE;
|
||||
time_t now;
|
||||
|
||||
if (!srclimit_penalty_check_allow(sock, &reason)) {
|
||||
drop_level = SYSLOG_LEVEL_INFO;
|
||||
goto handle;
|
||||
}
|
||||
|
||||
now = monotime();
|
||||
if (!should_drop_connection(startups) &&
|
||||
srclimit_check_allow(sock, notify_pipe) == 1) {
|
||||
|
@ -410,12 +673,16 @@ drop_connection(int sock, int startups, int notify_pipe)
|
|||
}
|
||||
last_drop = now;
|
||||
ndropped++;
|
||||
reason = "past Maxstartups";
|
||||
|
||||
handle:
|
||||
laddr = get_local_ipaddr(sock);
|
||||
raddr = get_peer_ipaddr(sock);
|
||||
do_log2(drop_level, "drop connection #%d from [%s]:%d on [%s]:%d "
|
||||
"past MaxStartups", startups, raddr, get_peer_port(sock),
|
||||
laddr, get_local_port(sock));
|
||||
do_log2(drop_level, "drop connection #%d from [%s]:%d on [%s]:%d %s",
|
||||
startups,
|
||||
raddr, get_peer_port(sock),
|
||||
laddr, get_local_port(sock),
|
||||
reason);
|
||||
free(laddr);
|
||||
free(raddr);
|
||||
/* best-effort notification to client */
|
||||
|
@ -624,8 +891,12 @@ server_listen(void)
|
|||
u_int i;
|
||||
|
||||
/* Initialise per-source limit tracking. */
|
||||
srclimit_init(options.max_startups, options.per_source_max_startups,
|
||||
options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
|
||||
srclimit_init(options.max_startups,
|
||||
options.per_source_max_startups,
|
||||
options.per_source_masklen_ipv4,
|
||||
options.per_source_masklen_ipv6,
|
||||
&options.per_source_penalty,
|
||||
options.per_source_penalty_exempt);
|
||||
|
||||
for (i = 0; i < options.num_listen_addrs; i++) {
|
||||
listen_on_addrs(&options.listen_addrs[i]);
|
||||
|
@ -651,32 +922,32 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
int log_stderr)
|
||||
{
|
||||
struct pollfd *pfd = NULL;
|
||||
int i, j, ret, npfd;
|
||||
int ostartups = -1, startups = 0, listening = 0, lameduck = 0;
|
||||
int i, ret, npfd;
|
||||
int oactive = -1, listening = 0, lameduck = 0;
|
||||
int startup_p[2] = { -1 , -1 }, *startup_pollfd;
|
||||
char c = 0;
|
||||
struct sockaddr_storage from;
|
||||
struct early_child *child;
|
||||
socklen_t fromlen;
|
||||
pid_t pid;
|
||||
u_char rnd[256];
|
||||
sigset_t nsigset, osigset;
|
||||
|
||||
/* pipes connected to unauthenticated child sshd processes */
|
||||
startup_pipes = xcalloc(options.max_startups, sizeof(int));
|
||||
startup_flags = xcalloc(options.max_startups, sizeof(int));
|
||||
child_alloc();
|
||||
startup_pollfd = xcalloc(options.max_startups, sizeof(int));
|
||||
for (i = 0; i < options.max_startups; i++)
|
||||
startup_pipes[i] = -1;
|
||||
|
||||
/*
|
||||
* Prepare signal mask that we use to block signals that might set
|
||||
* received_sigterm or received_sighup, so that we are guaranteed
|
||||
* received_sigterm/hup/chld/info, so that we are guaranteed
|
||||
* to immediately wake up the ppoll if a signal is received after
|
||||
* the flag is checked.
|
||||
*/
|
||||
sigemptyset(&nsigset);
|
||||
sigaddset(&nsigset, SIGHUP);
|
||||
sigaddset(&nsigset, SIGCHLD);
|
||||
#ifdef SIGINFO
|
||||
sigaddset(&nsigset, SIGINFO);
|
||||
#endif
|
||||
sigaddset(&nsigset, SIGTERM);
|
||||
sigaddset(&nsigset, SIGQUIT);
|
||||
|
||||
|
@ -698,11 +969,19 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
unlink(options.pid_file);
|
||||
exit(received_sigterm == SIGTERM ? 0 : 255);
|
||||
}
|
||||
if (ostartups != startups) {
|
||||
if (received_sigchld) {
|
||||
child_reap_all_exited();
|
||||
received_sigchld = 0;
|
||||
}
|
||||
if (received_siginfo) {
|
||||
show_info();
|
||||
received_siginfo = 0;
|
||||
}
|
||||
if (oactive != children_active) {
|
||||
setproctitle("%s [listener] %d of %d-%d startups",
|
||||
listener_proctitle, startups,
|
||||
listener_proctitle, children_active,
|
||||
options.max_startups_begin, options.max_startups);
|
||||
ostartups = startups;
|
||||
oactive = children_active;
|
||||
}
|
||||
if (received_sighup) {
|
||||
if (!lameduck) {
|
||||
|
@ -723,8 +1002,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
npfd = num_listen_socks;
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
startup_pollfd[i] = -1;
|
||||
if (startup_pipes[i] != -1) {
|
||||
pfd[npfd].fd = startup_pipes[i];
|
||||
if (children[i].pipefd != -1) {
|
||||
pfd[npfd].fd = children[i].pipefd;
|
||||
pfd[npfd].events = POLLIN;
|
||||
startup_pollfd[i] = npfd++;
|
||||
}
|
||||
|
@ -742,34 +1021,46 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
continue;
|
||||
|
||||
for (i = 0; i < options.max_startups; i++) {
|
||||
if (startup_pipes[i] == -1 ||
|
||||
if (children[i].pipefd == -1 ||
|
||||
startup_pollfd[i] == -1 ||
|
||||
!(pfd[startup_pollfd[i]].revents & (POLLIN|POLLHUP)))
|
||||
continue;
|
||||
switch (read(startup_pipes[i], &c, sizeof(c))) {
|
||||
switch (read(children[i].pipefd, &c, sizeof(c))) {
|
||||
case -1:
|
||||
if (errno == EINTR || errno == EAGAIN)
|
||||
continue;
|
||||
if (errno != EPIPE) {
|
||||
error_f("startup pipe %d (fd=%d): "
|
||||
"read %s", i, startup_pipes[i],
|
||||
"read %s", i, children[i].pipefd,
|
||||
strerror(errno));
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
case 0:
|
||||
/* child exited or completed auth */
|
||||
close(startup_pipes[i]);
|
||||
srclimit_done(startup_pipes[i]);
|
||||
startup_pipes[i] = -1;
|
||||
startups--;
|
||||
if (startup_flags[i])
|
||||
/* child exited preauth */
|
||||
if (children[i].early)
|
||||
listening--;
|
||||
srclimit_done(children[i].pipefd);
|
||||
child_close(&(children[i]), 0, 0);
|
||||
break;
|
||||
case 1:
|
||||
if (children[i].early && c == '\0') {
|
||||
/* child has finished preliminaries */
|
||||
if (startup_flags[i]) {
|
||||
listening--;
|
||||
startup_flags[i] = 0;
|
||||
children[i].early = 0;
|
||||
debug2_f("child %lu for %s received "
|
||||
"config", (long)children[i].pid,
|
||||
children[i].id);
|
||||
} else if (!children[i].early && c == '\001') {
|
||||
/* child has completed auth */
|
||||
debug2_f("child %lu for %s auth done",
|
||||
(long)children[i].pid,
|
||||
children[i].id);
|
||||
child_close(&(children[i]), 1, 0);
|
||||
} else {
|
||||
error_f("unexpected message 0x%02x "
|
||||
"child %ld for %s in state %d",
|
||||
(int)c, (long)children[i].pid,
|
||||
children[i].id, children[i].early);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -798,7 +1089,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
close(*newsock);
|
||||
continue;
|
||||
}
|
||||
if (drop_connection(*newsock, startups, startup_p[0])) {
|
||||
if (drop_connection(*newsock,
|
||||
children_active, startup_p[0])) {
|
||||
close(*newsock);
|
||||
close(startup_p[0]);
|
||||
close(startup_p[1]);
|
||||
|
@ -815,20 +1107,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
continue;
|
||||
}
|
||||
|
||||
fcntl(startup_p[0], F_SETFD, FD_CLOEXEC);
|
||||
fcntl(startup_p[1], F_SETFD, FD_CLOEXEC);
|
||||
fcntl(config_s[0], F_SETFD, FD_CLOEXEC);
|
||||
fcntl(config_s[1], F_SETFD, FD_CLOEXEC);
|
||||
|
||||
|
||||
for (j = 0; j < options.max_startups; j++)
|
||||
if (startup_pipes[j] == -1) {
|
||||
startup_pipes[j] = startup_p[0];
|
||||
startups++;
|
||||
startup_flags[j] = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Got connection. Fork a child to handle it, unless
|
||||
* we are in debugging mode.
|
||||
|
@ -846,7 +1124,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
close(startup_p[0]);
|
||||
close(startup_p[1]);
|
||||
startup_pipe = -1;
|
||||
pid = getpid();
|
||||
#ifndef WINDOWS
|
||||
send_rexec_state(config_s[0], cfg);
|
||||
#endif /* !WINDOWS */
|
||||
|
@ -869,6 +1146,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
posix_spawnattr_setpgroup(&attributes, 0) != 0)
|
||||
error("posix_spawn initialization failed");
|
||||
else {
|
||||
pid_t pid;
|
||||
if (posix_spawn(&pid, rexec_argv[0], &actions, &attributes, rexec_argv, NULL) != 0)
|
||||
error("%s, posix_spawn failed", __func__);
|
||||
posix_spawn_file_actions_destroy(&actions);
|
||||
|
@ -883,7 +1161,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
*/
|
||||
platform_pre_fork();
|
||||
listening++;
|
||||
if ((pid = fork()) == 0) {
|
||||
child = child_register(startup_p[0], *newsock);
|
||||
if ((child->pid = fork()) == 0) {
|
||||
/*
|
||||
* Child. Close the listening and
|
||||
* max_startup sockets. Start using
|
||||
|
@ -908,11 +1187,11 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
|
|||
}
|
||||
|
||||
/* Parent. Stay in the loop. */
|
||||
platform_post_fork_parent(pid);
|
||||
if (pid == -1)
|
||||
platform_post_fork_parent(child->pid);
|
||||
if (child->pid == -1)
|
||||
error("fork: %.100s", strerror(errno));
|
||||
else
|
||||
debug("Forked child %ld.", (long)pid);
|
||||
debug("Forked child %ld.", (long)child->pid);
|
||||
|
||||
#endif /* fork unsupported */
|
||||
close(startup_p[1]);
|
||||
|
@ -1006,8 +1285,8 @@ main(int ac, char **av)
|
|||
char *config_file_name = _PATH_SERVER_CONFIG_FILE;
|
||||
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
|
||||
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
|
||||
int config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
||||
int need_privsep = 1;
|
||||
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
|
||||
int need_chroot = 1;
|
||||
#ifdef WINDOWS
|
||||
// rexec_argv is still defined globally for use in server_accept_loop
|
||||
char* fp, * line, * logfile = NULL;
|
||||
|
@ -1094,7 +1373,7 @@ main(int ac, char **av)
|
|||
inetd_flag = 1;
|
||||
break;
|
||||
case 'r':
|
||||
/* ignored */
|
||||
logit("-r option is deprecated");
|
||||
break;
|
||||
case 'R':
|
||||
fatal("-R not supported here");
|
||||
|
@ -1169,9 +1448,17 @@ main(int ac, char **av)
|
|||
}
|
||||
}
|
||||
if (!test_flag && !do_dump_cfg && !path_absolute(av[0]))
|
||||
fatal("sshd re-exec requires execution with an absolute path");
|
||||
fatal("sshd requires execution with an absolute path");
|
||||
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
/* Reserve fds we'll need later for reexec things */
|
||||
if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
|
||||
fatal("open %s: %s", _PATH_DEVNULL, strerror(errno));
|
||||
while (devnull < REEXEC_MIN_FREE_FD) {
|
||||
if ((devnull = dup(devnull)) == -1)
|
||||
fatal("dup %s: %s", _PATH_DEVNULL, strerror(errno));
|
||||
}
|
||||
|
||||
seed_rng();
|
||||
|
||||
|
@ -1419,15 +1706,15 @@ main(int ac, char **av)
|
|||
}
|
||||
|
||||
/* Ensure privsep directory is correctly configured. */
|
||||
need_privsep = ((getuid() == 0 || geteuid() == 0) ||
|
||||
need_chroot = ((getuid() == 0 || geteuid() == 0) ||
|
||||
options.kerberos_authentication);
|
||||
if ((getpwnam(SSH_PRIVSEP_USER)) == NULL && need_privsep) {
|
||||
if ((getpwnam(SSH_PRIVSEP_USER)) == NULL && need_chroot) {
|
||||
fatal("Privilege separation user %s does not exist",
|
||||
SSH_PRIVSEP_USER);
|
||||
}
|
||||
endpwent();
|
||||
|
||||
if (need_privsep) {
|
||||
if (need_chroot) {
|
||||
if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &sb) == -1) ||
|
||||
(S_ISDIR(sb.st_mode) == 0))
|
||||
fatal("Missing privilege separation directory: %s",
|
||||
|
@ -1533,6 +1820,9 @@ main(int ac, char **av)
|
|||
ssh_signal(SIGCHLD, main_sigchld_handler);
|
||||
ssh_signal(SIGTERM, sigterm_handler);
|
||||
ssh_signal(SIGQUIT, sigterm_handler);
|
||||
#ifdef SIGINFO
|
||||
ssh_signal(SIGINFO, siginfo_handler);
|
||||
#endif
|
||||
|
||||
platform_post_listen();
|
||||
|
||||
|
@ -1573,22 +1863,26 @@ main(int ac, char **av)
|
|||
sock_in, sock_out, newsock, startup_pipe, config_s[0], config_s[1]);
|
||||
if (!inetd_flag) {
|
||||
if (dup2(newsock, STDIN_FILENO) == -1)
|
||||
debug3("dup2 stdin: %s", strerror(errno));
|
||||
fatal("dup2 stdin: %s", strerror(errno));
|
||||
if (dup2(STDIN_FILENO, STDOUT_FILENO) == -1)
|
||||
debug3("dup2 stdout: %s", strerror(errno));
|
||||
fatal("dup2 stdout: %s", strerror(errno));
|
||||
if (newsock > STDOUT_FILENO)
|
||||
close(newsock);
|
||||
}
|
||||
if (config_s[1] != REEXEC_CONFIG_PASS_FD) {
|
||||
if (dup2(config_s[1], REEXEC_CONFIG_PASS_FD) == -1)
|
||||
debug3("dup2 config_s: %s", strerror(errno));
|
||||
fatal("dup2 config_s: %s", strerror(errno));
|
||||
close(config_s[1]);
|
||||
}
|
||||
if (startup_pipe == -1)
|
||||
close(REEXEC_STARTUP_PIPE_FD);
|
||||
else if (startup_pipe != REEXEC_STARTUP_PIPE_FD) {
|
||||
if (dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD) == -1)
|
||||
debug3("dup2 startup_p: %s", strerror(errno));
|
||||
fatal("dup2 startup_p: %s", strerror(errno));
|
||||
close(startup_pipe);
|
||||
}
|
||||
log_redirect_stderr_to(NULL);
|
||||
closefrom(REEXEC_MIN_FREE_FD);
|
||||
|
||||
ssh_signal(SIGHUP, SIG_IGN); /* avoid reset to SIG_DFL */
|
||||
execv(rexec_argv[0], rexec_argv);
|
||||
|
|
112
sshd_config.5
112
sshd_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.355 2024/02/21 06:17:29 djm Exp $
|
||||
.Dd $Mdocdate: February 21 2024 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.365 2024/06/24 06:59:39 jmc Exp $
|
||||
.Dd $Mdocdate: June 24 2024 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -1003,9 +1003,13 @@ file on logout.
|
|||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||
offer to clients.
|
||||
The ordering of this list is not important, as the client specifies the
|
||||
preference order.
|
||||
Multiple algorithms must be comma-separated.
|
||||
Alternately if the specified list begins with a
|
||||
.Pp
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
instead of replacing them.
|
||||
|
@ -1017,6 +1021,7 @@ If the specified list begins with a
|
|||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
default set.
|
||||
.Pp
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
.Bl -item -compact -offset indent
|
||||
|
@ -1058,7 +1063,7 @@ diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
|||
diffie-hellman-group14-sha256
|
||||
.Ed
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
The list of supported key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
Specifies the local addresses
|
||||
|
@ -1302,6 +1307,7 @@ Available keywords are
|
|||
.Cm LogLevel ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PAMServiceName ,
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitListen ,
|
||||
|
@ -1368,10 +1374,17 @@ and
|
|||
key exchange methods.
|
||||
The default is
|
||||
.Pa /etc/moduli .
|
||||
.It Cm PAMServiceName
|
||||
Specifies the service name used for Pluggable Authentication Modules (PAM)
|
||||
authentication, authorisation and session controls when
|
||||
.Cm UsePAM
|
||||
is enabled.
|
||||
The default is
|
||||
.Cm sshd .
|
||||
.It Cm PasswordAuthentication
|
||||
Specifies whether password authentication is allowed.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.Cm sshd .
|
||||
.It Cm PermitEmptyPasswords
|
||||
When password authentication is allowed, it specifies whether the
|
||||
server allows login to accounts with empty password strings.
|
||||
|
@ -1557,6 +1570,86 @@ Values for IPv4 and optionally IPv6 may be specified, separated by a colon.
|
|||
The default is
|
||||
.Cm 32:128 ,
|
||||
which means each address is considered individually.
|
||||
.It Cm PerSourcePenalties
|
||||
Controls penalties for various conditions that may represent attacks on
|
||||
.Xr sshd 8 .
|
||||
If a penalty is enforced against a client then its source address and any
|
||||
others in the same network, as defined by
|
||||
.Cm PerSourceNetBlockSize ,
|
||||
will be refused connection for a period.
|
||||
.Pp
|
||||
A penalty doesn't affect concurrent connections in progress, but multiple
|
||||
penalties from the same source from concurrent connections will accumulate
|
||||
up to a maximum.
|
||||
Conversely, penalties are not applied until a minimum threshold time has been
|
||||
accumulated.
|
||||
.Pp
|
||||
Penalties are enabled by default with the default settings listed below
|
||||
but may disabled using the
|
||||
.Cm no
|
||||
keyword.
|
||||
The defaults may be overridden by specifying one or more of the keywords below,
|
||||
separated by whitespace.
|
||||
All keywords accept arguments, e.g.\&
|
||||
.Qq crash:2m .
|
||||
.Bl -tag -width Ds
|
||||
.It Cm crash:duration
|
||||
Specifies how long to refuse clients that cause a crash of
|
||||
.Xr sshd 8 (default: 90s).
|
||||
.It Cm authfail:duration
|
||||
Specifies how long to refuse clients that disconnect after making one or more
|
||||
unsuccessful authentication attempts (default: 5s).
|
||||
.It Cm noauth:duration
|
||||
Specifies how long to refuse clients that disconnect without attempting
|
||||
authentication (default: 1s).
|
||||
This timeout should be used cautiously otherwise it may penalise legitimate
|
||||
scanning tools such as
|
||||
.Xr ssh-keyscan 1 .
|
||||
.It Cm grace-exceeded:duration
|
||||
Specifies how long to refuse clients that fail to authenticate after
|
||||
.Cm LoginGraceTime
|
||||
(default: 20s).
|
||||
.It Cm max:duration
|
||||
Specifies the maximum time a particular source address range will be refused
|
||||
access for (default: 10m).
|
||||
Repeated penalties will accumulate up to this maximum.
|
||||
.It Cm min:duration
|
||||
Specifies the minimum penalty that must accrue before enforcement begins
|
||||
(default: 15s).
|
||||
.It Cm max-sources4:number , max-sources6:number
|
||||
Specifies the maximum number of client IPv4 and IPv6 address ranges to
|
||||
track for penalties (default: 65536 for both).
|
||||
.It Cm overflow:mode
|
||||
Controls how the server behaves when
|
||||
.Cm max-sources4
|
||||
or
|
||||
.Cm max-sources6
|
||||
is exceeded.
|
||||
There are two operating modes:
|
||||
.Cm deny-all ,
|
||||
which denies all incoming connections other than those exempted via
|
||||
.Cm PerSourcePenaltyExemptList
|
||||
until a penalty expires, and
|
||||
.Cm permissive ,
|
||||
which allows new connections by removing existing penalties early
|
||||
(default: permissive).
|
||||
Note that client penalties below the
|
||||
.Cm min
|
||||
threshold count against the total number of tracked penalties.
|
||||
IPv4 and IPv6 addresses are tracked separately, so an overflow in one will
|
||||
not affect the other.
|
||||
.It Cm overflow6:mode
|
||||
Allows specifying a different overflow mode for IPv6 addresses.
|
||||
The default it to use the same overflow mode as was specified for IPv4.
|
||||
.El
|
||||
.It Cm PerSourcePenaltyExemptList
|
||||
Specifies a comma-separated list of addresses to exempt from penalties.
|
||||
This list may contain wildcards and CIDR address/masklen ranges.
|
||||
Note that the mask length provided must be consistent with the address -
|
||||
it is an error to specify a mask length that is too long for the address
|
||||
or one with bits set in this host portion of the address.
|
||||
For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
|
||||
The default is not to exempt any addresses.
|
||||
.It Cm PidFile
|
||||
Specifies the file that contains the process ID of the
|
||||
SSH daemon, or
|
||||
|
@ -1738,6 +1831,13 @@ via
|
|||
.Cm AcceptEnv
|
||||
or
|
||||
.Cm PermitUserEnvironment .
|
||||
.It Cm SshdSessionPath
|
||||
Overrides the default path to the
|
||||
.Cm sshd-session
|
||||
binary that is invoked to handle each connection.
|
||||
The default is
|
||||
.Pa /usr/libexec/sshd-session .
|
||||
This option is intended for use by tests.
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
|
|
3
sshkey.h
3
sshkey.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshkey.h,v 1.62 2023/06/21 05:10:26 djm Exp $ */
|
||||
/* $OpenBSD: sshkey.h,v 1.63 2024/05/17 06:42:04 jsg Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
@ -316,7 +316,6 @@ int ssh_rsa_complete_crt_parameters(struct sshkey *, const BIGNUM *);
|
|||
int sshkey_set_filename(struct sshkey *, const char *);
|
||||
int sshkey_enable_maxsign(struct sshkey *, u_int32_t);
|
||||
u_int32_t sshkey_signatures_left(const struct sshkey *);
|
||||
int sshkey_forward_state(const struct sshkey *, u_int32_t, int);
|
||||
int sshkey_private_serialize_maxsign(struct sshkey *key,
|
||||
struct sshbuf *buf, u_int32_t maxsign, int);
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* $OpenBSD: version.h,v 1.101 2024/03/11 04:59:47 djm Exp $ */
|
||||
/* $OpenBSD: version.h,v 1.102 2024/07/01 04:31:59 djm Exp $ */
|
||||
|
||||
#define SSH_VERSION "OpenSSH_for_Windows_9.7"
|
||||
#define SSH_VERSION "OpenSSH_for_Windows_9.8"
|
||||
|
||||
#define SSH_PORTABLE "p1"
|
||||
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
|
|