The code required to support it is quite invasive to the mainline
code that is synced with upstream and is an ongoing maintenance burden.
Both the hardware and software are literal museum pieces these days and
we could not find anyone still running OpenSSH on one.
Expose devices allocated for tun/tap forwarding.
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus
Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
Move several subprocess-related functions from various
locations to misc.c. Extend subprocess() to offer a little more control over
stdio disposition.
feedback & ok dtucker@
Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
no need to call log_init to reinitialise logged PID in
child sessions, since we haven't called openlog() in log_init() since 1999;
ok markus@
Upstream-ID: 0906e4002af5d83d3d544df75e1187c932a3cf2e
Switch to recallocarray() for a few operations. Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus
Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip
change as commit 95767262 to the code inside #ifdef LOGIN_NEEDS_UTMPX.
Fixes build on AIX.
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
add a "Close session" log entry (at loglevel=verbose) to
correspond to the existing "Starting session" one. Also include the session
id number to make multiplexed sessions more apparent.
feedback and ok dtucker@
Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
skip "Could not chdir to home directory" message when
chrooted
patch from Christian Hesse in bz#2485 ok dtucker@
Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
Replace <sys/param.h> with <limits.h> and other less
dirty headers where possible. Annotate <sys/param.h> lines with their
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
These are the files confirmed through binary verification. ok guenther,
millert, doug (helped with the verification protocol)
make internal handling of filename arguments of "none"
more consistent with ssh. "none" arguments are now replaced with NULL when
the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
[gss-serv.c session.c ssh-keygen.c]
standardise on NI_MAXHOST for gethostname() string lengths; about
1/2 the cases were using it already. Fixes bz#2239 en passant
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
Id sync only - portable already has this.
[session.c]
explicitly define USE_PIPES to 1 to prevent redefinition warnings in
portable on platforms that use pipes for everything. From redhat @
redhat.
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
[servconf.h session.c sshd.c sshd_config.5]
add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@
[session.c]
reintroduce 1.262 without the connection-killing bug:
fatal() when ChrootDirectory specified by running without root privileges;
ok markus@
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
[session.c]
root should always be excluded from the test for /etc/nologin instead
of having it always enforced even when marked as ignorenologin. This
regressed when the logic was incompletely flipped around in rev 1.251
ok halex@ millert@
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
[servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.
bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
ok djm@
[channels.c session.c]
bz#1750: fix requirement for /dev/null inside ChrootDirectory for
internal-sftp accidentally introduced in r1.253 by removing the code
that opens and dup /dev/null to stderr and modifying the channels code
to read stderr but discard it instead; ok markus@
[session.c]
set stderr to /dev/null for subsystems rather than just closing it.
avoids hangs if a subsystem or shell initialisation writes to stderr.
bz#1750; ok markus@
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@
[session.c]
Warn but do not fail if stat()ing the subsystem binary fails. This helps
with chrootdirectory+forcecommand=sftp-server and restricted shells.
bz #1599, ok djm.
[session.c]
bz#1606: error when an attempt is made to connect to a server
with ForceCommand=internal-sftp with a shell session (i.e. not a
subsystem session). Avoids stuck client when attempting to ssh to such a
service. ok dtucker@
the setpcred call on AIX to immediately before the permanently_set_uid().
Ensures that we still have privileges when we call chroot and
pam_open_sesson. Based on a patch from David Leonard.
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
version of Cygwin. Patch from vinschen at redhat com.
[channels.c channels.h session.c]
make Channel->path an allocated string, saving a few bytes here and
there and fixing bz#1380 in the process; ok markus@
[channels.c channels.h session.c]
don't call isatty() on a pty master, instead pass a flag down to
channel_set_fds() indicating that te fds refer to a tty. Fixes a
hang on exit on Solaris (bz#1463) in portable but is actually
a generic bug; ok dtucker deraadt markus
[session.c]
re-add the USE_PIPES code and enable it.
without pipes shutdown-read from the sshd does not trigger
a SIGPIPE when the forked program does a write.
ok djm@
(Id sync only, USE_PIPES never left portable OpenSSH)
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
[monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
[ssh.c sshd.c]
Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).
Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
chroot. Allows ChrootDirectory to work with selinux support compiled in
but not enabled. Using it with selinux enabled will require some selinux
support inside the chroot. "looks sane" djm@
Darren Tucker
djm@openbsd.org
Damien Miller
deraadt@openbsd.org
markus@openbsd.org
otto@openbsd.org
Darren Tucker
Tim Rice