Commit Graph

79 Commits

Author SHA1 Message Date
dtucker@openbsd.org f1f047fb03 upstream commit
ssh_free checks for and handles NULL args, remove NULL
checks from remaining callers.  ok djm@

OpenBSD-Commit-ID: bb926825c53724c069df68a93a2597f9192f7e7b
2018-02-09 20:00:18 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org d45d69f2a9 upstream commit
revert stricter key type / signature type checking in
userauth path; too much software generates inconsistent messages, so we need
a better plan.

OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519
2017-12-21 15:40:19 +11:00
djm@openbsd.org 2788563205 upstream commit
include signature type and CA key (if applicable) in some
debug messages

OpenBSD-Commit-ID: b71615cc20e78cec7105bb6e940c03ce9ae414a5
2017-12-19 15:21:37 +11:00
djm@openbsd.org 04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
djm@openbsd.org abd59663df upstream commit
typo in comment

Upstream-ID: a93b1e6f30f1f9b854b5b964b9fd092d0c422c47
2017-09-12 16:42:20 +10:00
djm@openbsd.org b074c3c3f8 upstream commit
add a "quiet" flag to exited_cleanly() that supresses
errors about exit status (failure due to signal is still reported)

Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
2017-08-23 19:47:06 +10:00
djm@openbsd.org de4ae07f12 upstream commit
Move several subprocess-related functions from various
locations to misc.c. Extend subprocess() to offer a little more control over
stdio disposition.

feedback & ok dtucker@

Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
2017-08-23 19:47:06 +10:00
djm@openbsd.org 8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
markus@openbsd.org 75b8af8de8 upstream commit
make sure we don't pass a NULL string to vfprintf
(triggered by the principals-command regress test); ok bluhm

Upstream-ID: eb49854f274ab37a0b57056a6af379a0b7111990
2017-06-01 14:55:23 +10:00
deraadt@openbsd.org 9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00
markus@openbsd.org eb272ea409 upstream commit
switch auth2 to ssh_dispatch API; ok djm@

Upstream-ID: a752ca19e2782900dd83060b5c6344008106215f
2017-05-31 10:50:33 +10:00
markus@openbsd.org 00ed75c92d upstream commit
switch auth2-pubkey.c to modern APIs; with & ok djm@

Upstream-ID: 8f08d4316eb1b0c4ffe4a206c05cdd45ed1daf07
2017-05-31 10:47:31 +10:00
markus@openbsd.org 54d90ace1d upstream commit
switch from Key typedef with struct sshkey; ok djm@

Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
2017-05-31 10:47:31 +10:00
djm@openbsd.org 52763dd3fe upstream commit
revise keys/principals command hang fix (bz#2655) to
consume entire output, avoiding sending SIGPIPE to subprocesses early; ok
dtucker@

Upstream-ID: 7cb04b31a61f8c78c4e48ceededcd2fd5c4ee1bc
2017-01-30 12:04:10 +11:00
djm@openbsd.org ddd3d34e5c upstream commit
fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com

Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
2017-01-03 15:24:42 +11:00
djm@openbsd.org fd6dcef203 upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30 19:44:01 +11:00
djm@openbsd.org f83a0cfe16 upstream commit
cast uint64_t for printf

Upstream-ID: 76d23e89419ccbd2320f92792a6d878211666ac1
2016-09-22 03:45:03 +10:00
djm@openbsd.org bfa9d969ab upstream commit
add a way for principals command to get see key ID and serial
too

Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
2016-09-21 11:41:22 +10:00
djm@openbsd.org 00df97ff68 upstream commit
take fingerprint of correct key for
AuthorizedPrincipalsCommand

Upstream-ID: 553581a549cd6a3e73ce9f57559a325cc2cb1f38
2016-09-15 06:13:36 +10:00
djm@openbsd.org e7907c1cb9 upstream commit
add %-escapes to AuthorizedPrincipalsCommand to match those
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key; 'looks ok' dtucker@

Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
2016-09-14 15:43:23 +10:00
djm@openbsd.org ebacd37776 upstream commit
make the debug messages a bit more useful here

Upstream-ID: 478ccd4e897e0af8486b294aa63aa3f90ab78d64
2016-01-27 16:54:26 +11:00
djm@openbsd.org 63d188175a upstream commit
log certificate serial in verbose() messages to match the
 main auth success/fail message; ok dtucker@

Upstream-ID: dfc48b417c320b97c36ff351d303c142f2186288
2015-10-29 19:07:15 +11:00
jsing@openbsd.org 596dbca82f upstream commit
If AuthorizedPrincipalsCommand is specified, however
 AuthorizedPrincipalsFile is not (or is set to "none"), authentication will
 potentially fail due to key_cert_check_authority() failing to locate a
 principal that matches the username, even though an authorized principal has
 already been matched in the output of the subprocess. Fix this by using the
 same logic to determine if pw->pw_name should be passed, as is used to
 determine if a authorized principal must be matched earlier on.

ok djm@

Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
2015-06-17 22:12:05 +10:00
jsing@openbsd.org aff3e94c0d upstream commit
Make the arguments to match_principals_command() similar
 to match_principals_file(), by changing the last argument a struct
 sshkey_cert * and dereferencing key->cert in the caller.

No functional change.

ok djm@

Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
2015-06-17 22:12:04 +10:00
djm@openbsd.org bcc50d8161 upstream commit
add AuthorizedPrincipalsCommand that allows getting
 authorized_principals from a subprocess rather than a file, which is quite
 useful in deployments with large userbases

feedback and ok markus@

Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21 16:45:46 +10:00
djm@openbsd.org 24232a3e5a upstream commit
support arguments to AuthorizedKeysCommand

bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@

Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-05-21 16:44:56 +10:00
djm@openbsd.org 179be0f5e6 upstream commit
prevent authorized_keys options picked up on public key
 tests without a corresponding private key authentication being applied to
 other authentication methods. Reported by halex@, ok markus@
2015-05-10 11:54:10 +10:00
djm@openbsd.org e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
djm@openbsd.org 13a39414d2 upstream commit
Regression: I broke logging of public key fingerprints in
 1.46. Pointed out by Pontus Lundkvist
2015-02-21 09:20:27 +11:00
djm@openbsd.org 9ce86c926d upstream commit
update to new API (key_fingerprint => sshkey_fingerprint)
 check sshkey_fingerprint return values; ok markus
2015-01-29 10:18:56 +11:00
djm@openbsd.org 1f729f0614 upstream commit
add sshd_config HostbasedAcceptedKeyTypes and
 PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
 will be accepted. Currently defaults to all. Feedback & ok markus@
2015-01-13 19:27:18 +11:00
djm@openbsd.org f69b69b862 upstream commit
remember which public keys have been used for
 authentication and refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@
2014-12-22 19:06:52 +11:00
djm@openbsd.org 56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
djm@openbsd.org 5e39a49930 upstream commit
add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.
2014-12-05 09:29:47 +11:00
Damien Miller 7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller 8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller 324541e526 - djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     refuse RSA keys from old proprietary clients/servers that use the
     obsolete RSA+MD5 signature scheme. it will still be possible to connect
     with these clients/servers but only DSA keys will be accepted, and we'll
     deprecate them entirely in a future release. ok markus@
2013-12-31 12:25:40 +11:00
Damien Miller 20bdcd7236 - djm@cvs.openbsd.org 2013/06/21 00:34:49
[auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
     for hostbased authentication, print the client host and user on
     the auth success/failure line; bz#2064, ok dtucker@
2013-07-18 16:10:09 +10:00
Darren Tucker 74836ae0fa - djm@cvs.openbsd.org 2013/05/19 02:38:28
[auth2-pubkey.c]
     fix failure to recognise cert-authority keys if a key of a different type
     appeared in authorized_keys before it; ok markus@
2013-06-02 07:32:00 +10:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller 4ce189d910 - djm@cvs.openbsd.org 2013/03/07 00:19:59
[auth2-pubkey.c monitor.c]
     reconstruct the original username that was sent by the client, which may
     have included a style (e.g. "root:skey") when checking public key
     signatures. Fixes public key and hostbased auth when the client specified
     a style; ok markus@
2013-04-23 15:17:52 +10:00
Damien Miller 4018dc04da - djm@cvs.openbsd.org 2013/02/14 21:35:59
[auth2-pubkey.c]
     Correct error message that had a typo and was logging the wrong thing;
     patch from Petr Lautrbach
2013-02-15 10:28:55 +11:00
Damien Miller 1e85469fcb - djm@cvs.openbsd.org 2012/11/14 02:24:27
[auth2-pubkey.c]
     fix username passed to helper program
     prepare stdio fds before closefrom()

     spotted by landry@
2012-11-14 19:04:02 +11:00
Darren Tucker 737f7aff36 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
don't have it.  Spotted by tim@.
2012-11-05 17:07:43 +11:00
Damien Miller d0d1099b3b - djm@cvs.openbsd.org 2012/11/04 10:38:43
[auth2-pubkey.c sshd.c sshd_config.5]
     Remove default of AuthorizedCommandUser. Administrators are now expected
     to explicitly specify a user. feedback and ok markus@
2012-11-04 22:23:14 +11:00
Damien Miller 09d3e12512 - djm@cvs.openbsd.org 2012/10/30 21:29:55
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
     [sshd.c sshd_config sshd_config.5]
     new sshd_config option AuthorizedKeysCommand to support fetching
     authorized_keys from a command in addition to (or instead of) from
     the filesystem. The command is run as the target server user unless
     another specified via a new AuthorizedKeysCommandUser option.

     patch originally by jchadima AT redhat.com, reworked by me; feedback
     and ok markus@
2012-10-31 08:58:58 +11:00
Darren Tucker af1a60ec4f - djm@cvs.openbsd.org 2011/09/25 05:44:47
[auth2-pubkey.c]
     improve the AuthorizedPrincipalsFile debug log message to include
     file and line number
2011-10-02 18:59:59 +11:00
Damien Miller d8478b6a9b OpenBSD CVS Sync
- djm@cvs.openbsd.org 2011/05/23 03:30:07
     [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
     allow AuthorizedKeysFile to specify multiple files, separated by spaces.
     Bring back authorized_keys2 as a default search path (to avoid breaking
     existing users of this file), but override this in sshd_config so it will
     be no longer used on fresh installs. Maybe in 2015 we can remove it
     entierly :)

     feedback and ok markus@ dtucker@
2011-05-29 21:39:36 +10:00
Damien Miller 7c1b2c4ea8 - djm@cvs.openbsd.org 2011/05/11 04:47:06
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h]
     remove support for authorized_keys2; it is a relic from the early days
     of protocol v.2 support and has been undocumented for many years;
     ok markus@
2011-05-15 08:51:05 +10:00