Commit Graph

230 Commits

Author SHA1 Message Date
deraadt@openbsd.org 4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
djm@openbsd.org 21da87f439 upstream: fix interaction between ClientAliveInterval and RekeyLimit
that could cause connection to close incorrectly; Report and patch from Jakub
Jelen in bz#2757; ok dtucker@ markus@

OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb
2019-03-27 20:30:58 +11:00
dtucker@openbsd.org ab5fee8eb6 upstream: Reset last-seen time when sending a keepalive. Prevents
sending two keepalives successively and prematurely terminating connection
when ClientAliveCount=1.  While there, collapse two similar tests into one.
ok markus@

OpenBSD-Commit-ID: 043670d201dfe222537a2a4bed16ce1087de5ddd
2019-03-08 14:58:30 +11:00
djm@openbsd.org 135e302cfd upstream: fix error in refactor: use ssh_packet_disconnect() instead of
sshpkt_error(). The first one logs the error and exits (what we want) instead
of just logging and blundering on.

OpenBSD-Commit-ID: 39f51b43641dce9ce0f408ea6c0e6e077e2e91ae
2019-01-20 09:45:18 +11:00
djm@openbsd.org 04c091fc19 upstream: remove last references to active_state
with & ok markus@

OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
2019-01-20 09:45:18 +11:00
djm@openbsd.org 7ec5cb4d15 upstream: convert serverloop.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: c92dd19b55457541478f95c0d6b318426d86d885
2019-01-20 09:45:17 +11:00
djm@openbsd.org 0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
dtucker@openbsd.org 73ddb25bae upstream: Remove uid checks from low port binds. Now that ssh
cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave a sanity
check for the !privsep case so long as the code is stil there.  with & ok
djm@

OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
2018-07-31 12:18:49 +10:00
markus@openbsd.org 5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00
markus@openbsd.org c3cb7790e9 upstream: sshd: switch config to sshbuf API; ok djm@
OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
2018-07-10 15:25:25 +10:00
djm@openbsd.org 027607fc2d upstream: fix some over-long lines and __func__ up some debug
messages

OpenBSD-Commit-ID: c70a60b4c8207d9f242fc2351941ba50916bb267
2018-06-09 13:10:59 +10:00
djm@openbsd.org 7c85685760 upstream: switch over to the new authorized_keys options API and
remove the legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
2018-03-03 14:37:16 +11:00
Darren Tucker 389125b25d Replace remaining mysignal() with signal().
These seem to have been missed during the replacement of mysignal
with #define signal in commit 5ade9ab.  Both include the requisite
headers to pick up the #define.
2018-02-15 22:06:26 +11:00
dtucker@openbsd.org 05046d907c upstream Don't reset signal handlers inside handlers.
The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed.  In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer.  ok deraadt@

OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c
2018-02-13 09:29:09 +11:00
Darren Tucker 3c51143c63 Whitespace sync with upstream. 2018-02-13 09:07:29 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org 7860731ef1 upstream commit
unbreak hostkey rotation; attempting to sign with a
desired signature algorithm of kex->hostkey_alg is incorrect when the key
type isn't capable of making those signatures. ok markus@

OpenBSD-Commit-ID: 35ae46864e1f5859831ec0d115ee5ea50953a906
2017-12-19 15:21:37 +11:00
djm@openbsd.org 04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
dtucker@openbsd.org 48c23a39a8 upstream commit
Put remote client info back into the ClientAlive
connection termination message.  Based in part on diff from  lars.nooden at
gmail, ok djm

OpenBSD-Commit-ID: 80a0f619a29bbf2f32eb5297a69978a0e05d0ee0
2017-12-12 10:32:04 +11:00
djm@openbsd.org b7548b12a6 upstream commit
Expose devices allocated for tun/tap forwarding.

At the client, the device may be obtained from a new %T expansion
for LocalCommand.

At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.

ok markus

Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 16:14:30 +11:00
Damien Miller 871f1e4374 adapt portable to channels API changes 2017-09-12 18:01:35 +10:00
djm@openbsd.org 9f53229c2a upstream commit
Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@

Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
2017-09-12 17:37:03 +10:00
djm@openbsd.org dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org 71e5a536ec upstream commit
pass packet state down to some of the channels function
(more to come...); ok markus@

Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
2017-09-04 09:38:57 +10:00
dtucker@openbsd.org 42a8f8bc28 upstream commit
Tweak previous keepalive commit: if last_time + keepalive
<= now instead of just "<" so client_alive_check will fire if the select
happens to return on exact second of the timeout.  ok djm@

Upstream-ID: e02756bd6038d11bb8522bfd75a4761c3a684fcc
2017-08-12 16:47:10 +10:00
dtucker@openbsd.org b60ff20051 upstream commit
Keep track of the last time we actually heard from the
client and use this to also schedule a client_alive_check().  Prevents
activity on a forwarded port from indefinitely preventing the select timeout
so that client_alive_check() will eventually (although not optimally) be
called.

Analysis by willchan at google com via bz#2756, feedback & ok djm@

Upstream-ID: c08721e0bbda55c6d18e2760f3fe1b17fb71169e
2017-08-12 16:47:10 +10:00
markus@openbsd.org 92e9fe6331 upstream commit
remove now obsolete ctx from ssh_dispatch_run; ok djm@

Upstream-ID: 9870aabf7f4d71660c31fda91b942b19a8e68d29
2017-06-01 14:53:33 +10:00
markus@openbsd.org 2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
dtucker@openbsd.org 858252fb1d upstream commit
Return true reason for port forwarding failures where
feasible rather than always "administratively prohibited".  bz#2674, ok djm@

Upstream-ID: d901d9887951774e604ca970e1827afaaef9e419
2017-02-03 14:23:24 +11:00
djm@openbsd.org 51045869fa upstream commit
unbreak Unix domain socket forwarding for root; ok
markus@

Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
2017-01-30 11:05:18 +11:00
djm@openbsd.org b737e4d743 upstream commit
disable Unix-domain socket forwarding when privsep is
disabled

Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
2016-12-14 11:51:52 +11:00
djm@openbsd.org 7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
dtucker@openbsd.org 1c4ef0b808 upstream commit
Factor out "can bind to low ports" check into its own function.  This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625).  ok djm@, "doesn't offend me too much"
deraadt@.

Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
2016-10-24 10:42:57 +11:00
deraadt@openbsd.org 9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
markus@openbsd.org 6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
Darren Tucker 5f41f030e2 Remove NO_IPPORT_RESERVED_CONCEPT
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have
the same effect without causing problems syncing patches with OpenBSD.
Resync the two affected functions with OpenBSD.  ok djm, sanity checked
by Corinna.
2016-04-08 21:21:27 +10:00
djm@openbsd.org 95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
djm@openbsd.org 988e429d90 upstream commit
fix ClientAliveInterval when a time-based RekeyLimit is
 set; previously keepalive packets were not being sent. bz#2252 report and
 analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@

Upstream-ID: d48f9deadd35fdacdd5106b41bb07630ddd4aa81
2016-03-04 15:12:21 +11:00
djm@openbsd.org 19bcf2ea2d upstream commit
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@

Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-08 21:58:32 +11:00
markus@openbsd.org a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
markus@openbsd.org 76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
djm@openbsd.org b1d6b3971e upstream commit
don't include port number in tcpip-forward replies for
 requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok
 markus

Upstream-ID: 77efad818addb61ec638b5a2362f1554e21a970a
2015-11-28 17:44:33 +11:00
djm@openbsd.org 44732de068 upstream commit
UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
2015-02-21 09:20:28 +11:00
djm@openbsd.org 523463a3a2 upstream commit
Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@
2015-02-17 09:32:32 +11:00
deraadt@openbsd.org 087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00
markus@openbsd.org 57d10cbe86 upstream commit
adapt kex to sshbuf and struct ssh; ok djm@
2015-01-20 09:19:39 +11:00
markus@openbsd.org 3fdc88a0de upstream commit
move dispatch to struct ssh; ok djm@
2015-01-20 09:14:16 +11:00
markus@openbsd.org 091c302829 upstream commit
update packet.c & isolate, introduce struct ssh a) switch
 packet.c to buffer api and isolate per-connection info into struct ssh b)
 (de)serialization of the state is moved from monitor to packet.c c) the old
 packet.c API is implemented in opacket.[ch] d) compress.c/h is removed and
 integrated into packet.c with and ok djm@
2015-01-20 09:13:01 +11:00
Damien Miller d4e7d59d01 - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen 2014-08-19 11:14:17 +10:00
Damien Miller 7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00