Record failed attempts to session-bind a connection and refuse signing
operations on that connection henceforth.
Prevents a future situation where we add a new hostkey type that is not
recognised by an older ssh-agent, that consequently causes session-bind
to fail (this situation is only likely to arise when people mix ssh(1)
and ssh-agent(1) of different versions on the same host). Previously,
after such a failure the agent socket would be considered unbound and
not subject to restriction.
Spotted by Jann Horn
OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.
ok markus@
OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.
feedback/ok markus@
OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
host key algorithms to request, ensure that the hostname passed to the
command is decorated with the port number for ports other than 22.
This matches the behaviour of KnownHostsCommand when invoked to look
up the actual host key.
bz3643, ok dtucker@
OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
It turns out that gcc also has some problems with -fzero-call-used-regs,
at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE
was sufficient to catch it with "=all", but not sufficient for "=used".
Expand the testcase and include it in the other tests for good measure.
See bz#3629. ok djm@.
... since it seems to be problematic with several different versions of
clang. Only use -fzero-call-used-regs=used which is less
problematic, except with Apple's clang where we don't use it at all.
bz#3629, ok djm@
addresses by AddressFamily if one was specified. Fixes the case where, if
CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
dtucker
OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
obfuscation, only consider enabling it when a channel with a tty is open.
Avoids turning on the obfucation when X11 forwarding only is in use,
which slows it right down. Reported by Roger Marsh
OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
was initialized. This fixes a potential uninitialized use of 'limits' in
sftp_init() if sftp_get_limits() returned early because of an unexpected
message type.
ok djm@
OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
... instead of relying on installed one. Fixes test failures in -portable
when running tests prior to installation.
OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
Some of the selfhosted test targets take a long time to run for various
reasons, so label them for "libvirt-hipri" runners so that they can
start immediately. This should reduce the time to complete all tests.
We still need to check if we're using sudo since we don't want to chown
unecessarily, as on some platforms this causes an error which pollutes
stderr. We also don't want to unnecessarily invoke sudo, since it's
running in the context of the proxycommand, on *other* platforms it
may not be able to authenticate, and if we're using SUDO then it should
already be privileged.
OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
Replace the use of a perl script to delete the controlling TTY with a
SSH_ASKPASS script to directly load the PIN.
Move PKCS#11 setup code to functions in anticipation of it being used
elsewhere in additional tests.
Reduce stdout spam
OpenBSD-Regress-ID: 07705c31de30bab9601a95daf1ee6bef821dd262
Damien Miller
djm@openbsd.org
markus@openbsd.org
Darren Tucker
dtucker@openbsd.org
tobhe@openbsd.org
anton@openbsd.org