move debug("%p", key) to before key is free'd; probable
undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581
Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
reverse the order in which -J/JumpHost proxies are visited to
be more intuitive and document
reported by and manpage bits naddy@
Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
Skip passwords longer than 1k in length so clients can't
easily DoS sshd by sending very long passwords, causing it to spend CPU
hashing them. feedback djm@, ok markus@.
Brought to our attention by tomas.kuthan at oracle.com, shilei-c at
360.cn and coredump at autistici.org
Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
Allow wildcard for PermitOpen hosts as well as ports.
bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok
markus@
Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
Reduce timing attack against obsolete CBC modes by always
computing the MAC over a fixed size of data. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@
Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users. ok djm@
Since adding $(REGRESSLIBS), $? is wrong because it includes only the
changed source files. $< seems like it'd be right however it doesn't
seem to work on some non-GNU makes, so do what works everywhere.
Add some unsigned overflow checks for extra_pad. None of
these are reachable with the amount of padding that we use internally.
bz#2566, pointed out by Torben Hansen. ok markus@
Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer
password and keyboard-interative authentication methods. Should prevent
"sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default
configuration because the retry counter is stored in module-private
storage which goes away with the sshd PAM process (see bz#688). On the
other hand, those cases probably won't log a warning either.
support UTF-8 characters in ssh(1) banners using
schwarze@'s safe fmprintf printer; bz#2058
feedback schwarze@ ok dtucker@
Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
Reduce the syslog level of some relatively common protocol
events from LOG_CRIT by replacing fatal() calls with logdie(). Part of
bz#2585, ok djm@
Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
Some AIX compilers unconditionally undefine va_copy but don't set it back
to an internal function, causing link errors. In some compat code we
already use VA_COPY instead so move the two existing instances into the
shared header and use for sshbuf-getput-basic.c too. Should fix building
with at lease some versions of AIX's compiler. bz#2589, ok djm@
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct. This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.
Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client. That string has a Blowfish prefix, so on
systems that don't understand that crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (eg sha512). This allows
user enumeration by, eg, sending large password strings. This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).
To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system. ok djm@
Add missing "recvfd" pledge promise: Raf Czlonka reported
ssh coredumps when Control* keywords were set in ssh_config. This patch also
fixes similar problems with scp and sftp.
ok deraadt, looks good to millert
Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b
DEBUGLIBS has been broken since the gcc4 switch, so delete
it. CFLAGS contains -g by default anyway
problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
ok millert@ kettenis@ deraadt@
Upstream-Regress-ID: 4a0bb72f95c63f2ae9daa8a040ac23914bddb542
Improve crypto ordering for Encrypt-then-MAC (EtM) mode
MAC algorithms.
Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.
This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.
Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
Upstream-ID: 1999bb67cab47dda5b10b80d8155fe83d4a1867b
DEBUGLIBS has been broken since the gcc4 switch, so
delete it. CFLAGS contains -g by default anyway
problem noted by Edgar Pettijohn (edgar (at) pettijohn-web.com)
ok millert@ kettenis@ deraadt@
Upstream-ID: 96c5054e3e1f170c6276902d5bc65bb3b87a2603
Explicitly check for 100% completion to avoid potential
floating point rounding error, which could cause progressmeter to report 99%
on completion. While there invert the test so the 100% case is clearer. with
& ok djm@
Upstream-ID: a166870c5878e422f3c71ff802e2ccd7032f715d
fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado
Upstream-ID: 8ffa1dac25c7577eca8238e825317ab20848f9b4
translate OpenSSL error codes to something more
meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@
Upstream-ID: 4cb0795a366381724314e6515d57790c5930ffe5
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication
bz#2398 from Jakub Jelen; ok dtucker@
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
Damien Miller
djm@openbsd.org
dtucker@openbsd.org
naddy@openbsd.org
jmc@openbsd.org
markus@openbsd.org
Darren Tucker
tb@openbsd.org
tedu@openbsd.org
guenther@openbsd.org