Commit Graph

317 Commits

Author SHA1 Message Date
mestre@openbsd.org 7adf6c430d upstream: When using a combination of a Yubikey+GnuPG+remote
forwarding the gpg-agent (and options ControlMaster+RemoteForward in
ssh_config(5)) then the codepath taken will call mux_client_request_session
-> mm_send_fd -> sendmsg(2). Since sendmsg(2) is not allowed in that codepath
then pledge(2) kills the process.

The solution is to add "sendfd" to pledge(2), which is not too bad considering
a little bit later we reduce pledge(2) to only "stdio proc tty" in that
codepath.

Problem reported and diff provided by Timothy Brown <tbrown at freeshell.org>

OK deraadt@

OpenBSD-Commit-ID: 7ce38b6542bbec00e441595d0a178e970a9472ac
2019-07-30 15:06:27 +10:00
deraadt@openbsd.org 4d28fa78ab upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0.  errno is only updated in this case.  Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-07-05 11:10:39 +10:00
dtucker@openbsd.org 7959330a55 upstream: Remove unneeded unlink of xauthfile o
=?UTF-8?q?n=20error=20path.=20=20From=20Erik=20Sj=C3=B6lund=20via=20githu?=
=?UTF-8?q?b,=20ok=20djm@=20deraadt@?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: 62a4893cf83b29a4bbfedc40e7067c25c203e632
2019-06-27 09:43:39 +10:00
jmc@openbsd.org 7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
dtucker@openbsd.org 3a7db919d5 upstream: Use the LogLevel typdef instead of int where appropriate. Patch from Markus Schmidt via openssh-unix-dev, ok markus@
OpenBSD-Commit-ID: 4c0f0f458e3da7807806b35e3eb5c1e8403c968a
2019-05-08 18:42:03 +10:00
djm@openbsd.org 9d7b2882b0 upstream: when logging/fataling on error, include a bit more detail
than just the function name and the error message

OpenBSD-Commit-ID: dd72d7eba2215fcb89be516c378f633ea5bcca9f
2019-04-03 09:34:03 +11:00
djm@openbsd.org bc5e1169d1 upstream: convert the remainder of clientloop.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: ce2fbbacb86a290f31da1e7bf04cddf2bdae3d1e
2019-01-20 09:45:17 +11:00
djm@openbsd.org 23f22a4aaa upstream: convert clientloop.c to new packet API
with & ok markus@

OpenBSD-Commit-ID: 497b36500191f452a22abf283aa8d4a9abaee7fa
2019-01-20 09:02:36 +11:00
djm@openbsd.org 0fa174ebe1 upstream: begin landing remaining refactoring of packet parsing
API, started almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
2019-01-20 09:02:10 +11:00
djm@openbsd.org b5e412a899 upstream: Allow ssh_config ForwardX11Timeout=0 to disable the
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@

OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
2018-09-21 22:49:27 +10:00
markus@openbsd.org 5467fbcb09 upstream: remove legacy key emulation layer; ok djm@
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
2018-07-12 13:18:25 +10:00
markus@openbsd.org 89dd615b8b upstream: ttymodes: switch to sshbuf API; ok djm@
OpenBSD-Commit-ID: 5df340c5965e822c9da21e19579d08dea3cbe429
2018-07-10 15:19:12 +10:00
markus@openbsd.org cecee2d607 upstream: client: switch to sshbuf API; ok djm@
OpenBSD-Commit-ID: 60cb0356114acc7625ab85105f6f6a7cd44a8d05
2018-07-10 15:14:26 +10:00
djm@openbsd.org 84623e0037 upstream: whitespace
OpenBSD-Commit-ID: 9276951caf4daf555f6d262e95720e7f79244572
2018-06-26 12:03:25 +10:00
djm@openbsd.org 7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00
djm@openbsd.org 001aa55484 upstream: lots of typos in comments/docs. Patch from Karsten Weiss
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)

OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
2018-04-10 10:17:15 +10:00
dtucker@openbsd.org 05046d907c upstream Don't reset signal handlers inside handlers.
The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed.  In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer.  ok deraadt@

OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c
2018-02-13 09:29:09 +11:00
djm@openbsd.org 14b5c635d1 upstream commit
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
2018-01-23 16:40:29 +11:00
djm@openbsd.org 7860731ef1 upstream commit
unbreak hostkey rotation; attempting to sign with a
desired signature algorithm of kex->hostkey_alg is incorrect when the key
type isn't capable of making those signatures. ok markus@

OpenBSD-Commit-ID: 35ae46864e1f5859831ec0d115ee5ea50953a906
2017-12-19 15:21:37 +11:00
djm@openbsd.org 04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
dtucker@openbsd.org@openbsd.org 2d638e9860 upstream commit
Remove get_current_time() and replace with calls to
monotime_double() which uses CLOCK_MONOTONIC and works over clock steps.  "I
like" markus@

OpenBSD-Commit-ID: 3ad2f7d2414e2cfcaef99877a7a5b0baf2242952
2017-11-28 11:39:13 +11:00
djm@openbsd.org b7548b12a6 upstream commit
Expose devices allocated for tun/tap forwarding.

At the client, the device may be obtained from a new %T expansion
for LocalCommand.

At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.

ok markus

Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 16:14:30 +11:00
djm@openbsd.org 5b8da1f538 upstream commit
fix use-after-free in ~^Z escape handler path, introduced
in channels.c refactor; spotted by millert@ "makes sense" deraadt@

Upstream-ID: 8fa2cdc65c23ad6420c1e59444b0c955b0589b22
2017-09-19 14:26:43 +10:00
Damien Miller 871f1e4374 adapt portable to channels API changes 2017-09-12 18:01:35 +10:00
djm@openbsd.org 9f53229c2a upstream commit
Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@

Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73
2017-09-12 17:37:03 +10:00
djm@openbsd.org dbee4119b5 upstream commit
refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-09-12 17:37:02 +10:00
djm@openbsd.org 71e5a536ec upstream commit
pass packet state down to some of the channels function
(more to come...); ok markus@

Upstream-ID: d8ce7a94f4059d7ac1e01fb0eb01de0c4b36c81b
2017-09-04 09:38:57 +10:00
dtucker@openbsd.org b1e72df2b8 upstream commit
Make ""Killed by signal 1" LogLevel verbose so it's not
shown at the default level.  Prevents it from appearing during ssh -J and
equivalent ProxyCommand configs. bz#1906, bz#2744, feedback&ok markus@

Upstream-ID: debfaa7e859b272246c2f2633335d288d2e2ae28
2017-07-21 14:17:33 +10:00
mestre@openbsd.org e238645d78 upstream commit
When using the escape sequence &~ the code path is
client_loop() -> client_simple_escape_filter() -> process_escapes() -> fork()
and the pledge for this path lacks the proc promise and therefore aborts the
process. The solution is to just add proc the promise to this specific
pledge.

Reported by Gregoire Jadi gjadi ! omecha.info
Insight with tb@, OK jca@

Upstream-ID: 63c05e30c28209519f476023b65b0b1b0387a05b
2017-06-24 16:48:39 +10:00
deraadt@openbsd.org 9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00
markus@openbsd.org 92e9fe6331 upstream commit
remove now obsolete ctx from ssh_dispatch_run; ok djm@

Upstream-ID: 9870aabf7f4d71660c31fda91b942b19a8e68d29
2017-06-01 14:53:33 +10:00
markus@openbsd.org 2ae666a8fc upstream commit
protocol handlers all get struct ssh passed; ok djm@

Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
2017-05-31 10:50:05 +10:00
naddy@openbsd.org 768405fddf upstream commit
remove miscellaneous SSH1 leftovers; ok markus@

Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
2017-05-08 09:18:27 +10:00
djm@openbsd.org 930e8d2827 upstream commit
obliterate ssh1.h and some dead code that used it

ok markus@

Upstream-ID: 1ca9159a9fb95618f9d51e069ac8e1131a087343
2017-05-01 10:05:06 +10:00
djm@openbsd.org 0516435857 upstream commit
remove SSHv1-related buffers from client code

Upstream-ID: dca5d01108f891861ceaf7ba1c0f2eb274e0c7dd
2017-05-01 10:05:02 +10:00
djm@openbsd.org 873d3e7d9a upstream commit
remove KEY_RSA1

ok markus@

Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01 10:05:01 +10:00
djm@openbsd.org 97f4d3083b upstream commit
remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
2017-05-01 09:42:37 +10:00
djm@openbsd.org 894221a63f upstream commit
When updating hostkeys, accept RSA keys if
HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
nit ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
dtucker@

Upstream-ID: c5e8cfee15c42f4a05d126158a0766ea06da79d2
2017-03-10 16:02:46 +11:00
dtucker@openbsd.org 9390b0031e upstream commit
Fix typo in ~C error message for bad port forward
cancellation. bz#2672, from Brad Marshall via Colin Watson and Ubuntu's
bugtracker.

Upstream-ID: 0d4a7e5ead6cc59c9a44b4c1e5435ab3aada09af
2017-01-30 11:07:45 +11:00
markus@openbsd.org 8d05784785 upstream commit
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client   and server on different machines. feedback
& ok djm@

Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-10-01 02:45:10 +10:00
tedu@openbsd.org 1036356324 upstream commit
replace two arc4random loops with arc4random_buf ok
deraadt natano

Upstream-ID: e18ede972d1737df54b49f011fa4f3917a403f48
2016-09-21 11:03:55 +10:00
deraadt@openbsd.org 9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
djm@openbsd.org 368dd977ae upstream commit
fix pledge violation with ssh -f; reported by Valentin
Kozamernik ok dtucker@

Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
2016-07-23 13:24:20 +10:00
tb@openbsd.org 372807c206 upstream commit
Add missing "recvfd" pledge promise: Raf Czlonka reported
ssh coredumps when Control* keywords were set in ssh_config. This patch also
fixes similar problems with scp and sftp.

ok deraadt, looks good to millert

Upstream-ID: ca2099eade1ef3e87a79614fefa26a0297ad8a3b
2016-07-14 11:27:56 +10:00
djm@openbsd.org 19bcf2ea2d upstream commit
refactor activation of rekeying

This makes automatic rekeying internal to the packet code (previously
the server and client loops needed to assist). In doing to it makes
application of rekey limits more accurate by accounting for packets
about to be sent as well as packets queued during rekeying events
themselves.

Based on a patch from dtucker@ which was in turn based on a patch
Aleksander Adamowski in bz#2521; ok markus@

Upstream-ID: a441227fd64f9739850ca97b4cf794202860fcd8
2016-02-08 21:58:32 +11:00
millert@openbsd.org 5658ef2501 upstream commit
Avoid ugly "DISPLAY "(null)" invalid; disabling X11
 forwarding" message when DISPLAY is not set.  This could also result in a
 crash on systems with a printf that doesn't handle NULL.  OK djm@

Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
2016-02-05 10:44:42 +11:00
dtucker@openbsd.org 4c6cb83304 upstream commit
Remove leftover roaming dead code.  ok djm markus.

Upstream-ID: 13d1f9c8b65a5109756bcfd3b74df949d53615be
2016-01-30 11:19:16 +11:00
jsg@openbsd.org 458abc2934 upstream commit
Zero a stack buffer with explicit_bzero() instead of
 memset() when returning from client_loop() for consistency with
 buffer_free()/sshbuf_free().

ok dtucker@ deraadt@ djm@

Upstream-ID: bc9975b2095339811c3b954694d7d15ea5c58f66
2016-01-27 16:54:26 +11:00
markus@openbsd.org a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
djm@openbsd.org ed4ce82dbf upstream commit
eliminate fallback from untrusted X11 forwarding to trusted
 forwarding when the X server disables the SECURITY extension; Reported by
 Thomas Hoger; ok deraadt@

Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
2016-01-14 10:06:01 +11:00