Commit Graph

12256 Commits

Author SHA1 Message Date
djm@openbsd.org 6958f00acf
upstream: don't incorrectly truncate logged strings retrieved from
PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus

OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
2023-07-28 08:31:01 +10:00
djm@openbsd.org d1ffde6b55
upstream: make sshd_config AuthorizedPrincipalsCommand and
AuthorizedKeysCommand accept the %D (routing domain) and a new %C (connection
address/port 4-tuple) as expansion sequences; ok markus

OpenBSD-Commit-ID: ee9a48bf1a74c4ace71b69de69cfdaa2a7388565
2023-07-28 08:29:21 +10:00
djm@openbsd.org 999a2886ca
upstream: increase default KDF work-factor for OpenSSH format
private keys from 16 to 24; { feedback ok } x { deraadt markus }

OpenBSD-Commit-ID: a3afb1383f8ff0a49613d449f02395d9e8d4a9ec
2023-07-28 08:29:20 +10:00
Darren Tucker 0fa803a1dd
Prefer OpenSSL's SHA256 in sk-dummy.so
Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be
built without OpenSSL.  In many cases, however, including both libc's
and OpenSSL's headers together caused conflicting definitions.

We tried working around this (on OpenSSL <1.1 you could define
OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with
varying levels of success.  Since OpenSSL >=1.1 removed OPENSSL_NO_SHA
and including most OpenSSL headers would bring sha.h in, even if it
wasn't used directly, this was a constant hassle.

Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at
all.  ok djm@
2023-07-27 10:30:12 +10:00
Darren Tucker 36cdb5dbf5
Retire dfly58 test VM. Add dfly64.
2023-07-27 10:30:12 +10:00
djm@openbsd.org 2d34205dab
upstream: make ssh -f (fork after authentication) work properly in
multiplexed cases (inc. ControlPersist). bz3589 Based on patches by
Peter Chubb; ok dtucker@

OpenBSD-Commit-ID: a7a2976a54b93e6767dc846b85647e6ec26969ac
2023-07-27 09:11:22 +10:00
naddy@openbsd.org 076aeda86a
upstream: man page typos; ok jmc@
OpenBSD-Commit-ID: e6ddfef94b0eb867ad88abe07cedc8ed581c07f0
2023-07-27 09:11:21 +10:00
jmc@openbsd.org 135e7d5fe3
upstream: tweak the allow-remote-pkcs11 text;
OpenBSD-Commit-ID: bc965460a89edf76865b7279b45cf9cbdebd558a
2023-07-27 09:11:21 +10:00
Darren Tucker 5f83342b61
Handle a couple more OpenSSL no-ecc cases.
ok djm@
2023-07-25 13:00:22 +10:00
Damien Miller edc2ef4e41
depend
2023-07-20 12:53:44 +10:00
Damien Miller 51fda734e0
Bring back OPENSSL_HAS_ECC to ssh-pkcs11-client
2023-07-20 12:53:21 +10:00
djm@openbsd.org 099cdf59ce
upstream: Separate ssh-pkcs11-helpers for each p11 module
Make ssh-pkcs11-client start an independent helper for each provider,
providing better isolation between modules and reliability if a single
module misbehaves.

This also implements reference counting of PKCS#11-hosted keys,
allowing ssh-pkcs11-helper subprocesses to be automatically reaped
when no remaining keys reference them. This fixes some bugs we have
that make PKCS11 keys unusable after they have been deleted, e.g.
https://bugzilla.mindrot.org/show_bug.cgi?id=3125

ok markus@

OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
2023-07-20 00:31:11 +10:00
djm@openbsd.org 29ef8a0486
upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.

Feedback deraadt; ok markus

OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
2023-07-20 00:21:31 +10:00
djm@openbsd.org 1f2731f5d7
upstream: Disallow remote addition of FIDO/PKCS11 provider
libraries to ssh-agent by default.

The old behaviour of allowing remote clients to load providers
can be restored using `ssh-agent -O allow-remote-pkcs11`.

Detection of local/remote clients requires a ssh(1) that supports
the `session-bind@openssh.com` extension. Forwarding access to a
ssh-agent socket using non-OpenSSH tools may circumvent this control.

ok markus@

OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
2023-07-20 00:18:27 +10:00
djm@openbsd.org 892506b136
upstream: terminate process if requested to load a PKCS#11 provider
that isn't a PKCS#11 provider; from / ok markus@

OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
2023-07-20 00:18:26 +10:00
Damien Miller f3f56df8ec
agent_fuzz doesn't want stdint.h conditionalised
2023-07-19 12:07:18 +10:00
Damien Miller 750911fd31
conditionalise stdint.h inclusion on HAVE_STDINT_H
fixes build on AIX5 at least
2023-07-18 15:41:12 +10:00
Damien Miller ff047504fa
conditionalise match localnetwork on ifaddrs.h
Fixes build breakage on platforms that lack getifaddrs()
2023-07-18 15:30:45 +10:00
djm@openbsd.org b87b03282e
upstream: missing match localnetwork negation check
OpenBSD-Commit-ID: 9a08ed8dae27d3f38cf280f1b28d4e0ff41a737a
2023-07-17 16:23:03 +10:00
jmc@openbsd.org 6d6e185ba2
upstream:
- add -P to usage()
- sync the arg name to -J in usage() with that in ssh.1
- reformat usage() to match what "man ssh" does on 80width

OpenBSD-Commit-ID: 5235dd7aa42e5bf90ae54579d519f92fc107036e
2023-07-17 16:23:03 +10:00
jmc@openbsd.org f1a9898283
upstream: -P before -p in SYNOPSIS;
OpenBSD-Commit-ID: 535f5257c779e26c6a662a038d241b017f8cab7c
2023-07-17 16:23:02 +10:00
jsg@openbsd.org eef4d7e873
upstream: configuation -> configuration
OpenBSD-Commit-ID: 4776ced33b780f1db0b2902faec99312f26a726b
2023-07-17 16:23:02 +10:00
djm@openbsd.org dc1dbe94cf
upstream: move other RCSIDs to before their respective license blocks
too; no code change

OpenBSD-Commit-ID: ef5bf46b57726e4260a63b032b0b5ac3b4fe9cd4
2023-07-17 15:33:51 +10:00
djm@openbsd.org ebe1104468
upstream: Move RCSID to before license block and away from #includes,
where it caused merge conflict in -portable for each commit :(

OpenBSD-Commit-ID: 756ebac963df3245258b962e88150ebab9d5fc20
2023-07-17 15:24:14 +10:00
djm@openbsd.org 05c08e5f62
upstream: return SSH_ERR_KRL_BAD_MAGIC when a KRL doesn't contain a
valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed
to fall back to text revocation lists in some cases; fixes t-cert-hostkey.

OpenBSD-Commit-ID: 5c670a6c0f027e99b7774ef29f18ba088549c7e1
2023-07-17 15:22:36 +10:00
Damien Miller c6fad2c3d1
avoid AF_LINK on platforms that don't define it
2023-07-17 14:56:14 +10:00
djm@openbsd.org 919bc3d3b7
upstream: Add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.

ok markus

OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3
2023-07-17 14:53:53 +10:00
djm@openbsd.org 3071d85a47
upstream: add a "match localnetwork" predicate.
This allows matching on the addresses of available network interfaces
and may be used to vary the effective client configuration based on
network location (e.g. to use a ProxyJump when not on a particular
network).

ok markus@

OpenBSD-Commit-ID: cffb6ff9a3803abfc52b5cad0aa190c5e424c139
2023-07-17 14:53:53 +10:00
djm@openbsd.org beec17bb31
upstream: remove vestigial support for KRL signatures
When the KRL format was originally defined, it included support for
signing of KRL objects. However, the code to sign KRLs and verify KRL
signatures was never completed in OpenSSH.

Now, some years later, we have SSHSIG support in ssh-keygen that is
more general, well tested and actually works. So this removes the
semi-finished KRL signing/verification support from OpenSSH and
refactors the remaining code to realise the benefit - primarily, we
no longer need to perform multiple parsing passes over KRL objects.

ok markus@

OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804
2023-07-17 14:52:35 +10:00
djm@openbsd.org 449566f64c
upstream: Support for KRL extensions.
This defines wire formats for optional KRL extensions and implements
parsing of the new submessages. No actual extensions are supported at
this point.

ok markus

OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
2023-07-17 14:52:20 +10:00
dtucker@openbsd.org 18ea857770
upstream: Include stdint.h for SIZE_MAX. Fixes OPENSSL=no build.
OpenBSD-Commit-ID: e7c31034a5434f2ead3579b13a7892960651e6b0
2023-07-17 14:52:03 +10:00
Darren Tucker 20b768fcd1
Fix typo in declaration of nmesg.
2023-07-14 17:07:32 +10:00
Damien Miller 4b94d09542
portable-specific int overflow defence-in-depth
These too are unreachable, but we want the code to be safe regardless of
context. Reported by Yair Mizrahi @ JFrog
2023-07-14 15:34:47 +10:00
djm@openbsd.org 2ee48adb9f
upstream: add defence-in-depth checks for some unreachable integer
overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@

OpenBSD-Commit-ID: 52af085f4e7ef9f9d8423d8c1840a6a88bda90bd
2023-07-14 15:33:30 +10:00
djm@openbsd.org 4b43bc358a
upstream: misplaced debug message
OpenBSD-Commit-ID: d0f12af0a5067a756aa707bc39a83fa6f58bf7e5
2023-07-14 15:33:29 +10:00
Damien Miller 8c7203bcee
replace deprecated selinux matchpathcon function
This function is apparently deprecated. Documentation on what the
supposed replacement is is non-existent, so this follows the approach
glibc used: https://sourceware.org/git/?p=glibc.git;a=patch;h=f278835f59

ok dtucker@
2023-07-12 11:41:19 +10:00
dtucker@openbsd.org 7e8800f5d7
upstream: minleft and maxsign are u_int so cast appropriately. Prompted
by github PR#410, ok deraadt.

OpenBSD-Commit-ID: 0514cd51db3ec60239966622a0d3495b15406ddd
2023-07-07 08:30:58 +10:00
dlg@openbsd.org 94842bfe9b
upstream: add support for unix domain sockets to ssh -W
ok djm@ dtucker@

OpenBSD-Commit-ID: 3e6d47567b895c7c28855c7bd614e106c987a6d8
2023-07-07 08:20:25 +10:00
David Seifert a95fc5eed0
gss-serv.c: `MAXHOSTNAMELEN` -> `HOST_NAME_MAX`
`MAXHOSTNAMELEN` is not defined in POSIX, which breaks on musl:
https://pubs.opengroup.org/onlinepubs/9699919799/functions/gethostname.html

Bug: https://bugs.gentoo.org/834044
2023-07-05 17:54:15 +10:00
Darren Tucker 8a6cd08850
Update runner OS version for hardenedmalloc test.
Hardenedmalloc dropped support for "legacy glibc" versions in their
64dad0a69 so use a newer Ubuntu version for the runner for that test.
2023-06-23 09:49:02 +10:00
Damien Miller cfca6f17e6
handle sysconf(SC_OPEN_MAX) returning > INT_MAX;
bz3581; ok dtucker
2023-06-22 15:04:03 +10:00
djm@openbsd.org c1c2ca1365
upstream: better validate CASignatureAlgorithms in ssh_config and
sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@

OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
2023-06-21 15:13:56 +10:00
djm@openbsd.org 4e73cd0f4a
upstream: make `ssh -Q CASignatureAlgorithms` only list signature
algorithms that are valid for CA signing. Previous behaviour was to list all
signing algorithms, including certificate algorithms (OpenSSH certificates do
not support CA chains). part of bz3577; ok dtucker@

OpenBSD-Commit-ID: 99c2b072dbac0f44fd1f2269e3ff6c1b5d7d3e59
2023-06-21 15:13:55 +10:00
djm@openbsd.org a69062f169
upstream: handle rlimits > INT_MAX (rlim_t is u64); ok dtucker
bz3581

OpenBSD-Commit-ID: 31cf59c041becc0e5ccb0a77106f812c4cd1cd74
2023-06-21 15:13:54 +10:00
djm@openbsd.org 8d33f2aa6b
upstream: prepare for support for connecting to unix domain sockets
using ssh -W by explicitly decoding PORT_STREAMLOCAL (a negative number) from
the u32 that's passed over the multiplexing socket; previously code would
just cast, which is UB.

OpenBSD-Commit-ID: e5ac5f40d354096c51e8c118a5c1b2d2b7a31384
2023-06-21 15:13:30 +10:00
djm@openbsd.org b4ac435b4e
upstream: reset comment=NULL for each key in do_fingerprint();
fixes "no comment" not showing when running `ssh-keygen -l` on multiple
keys where one has a comment and other following keys do not. Patch from
Markus Kuhn via GHPR407, bz3580

OpenBSD-Commit-ID: 3cce84456fdcd67dc6b84e369f92c6686d111d9b
2023-06-20 10:07:06 +10:00
millert@openbsd.org b53a809a54
upstream: Store timeouts as int, not u_int as they are limited to
INT_MAX. Fixes sign compare warnings on systems with 32-bit time_t due to
type promotion.  OK djm@

OpenBSD-Commit-ID: 48081e9ad35705c5f1705711704a4c2ff94e87b7
2023-06-20 10:07:06 +10:00
Philip Hands 2709809fd6
fixup! if -s & -p specified, mention 'sftp -P' on success

SSH-Copy-ID-Upstream: 32686e7c65b4fa2846e474d3315102dfa0f043b0
2023-05-25 18:24:58 +10:00
Darren Tucker 204e0bf051
Make ssh-copy-id(1) consistent with OpenSSH.
This makes the ssh-copy-id man page more consistent with the rest of the
OpenSSH man pages:
- new sentence, new line
- no sentences >80
- N.B. -> NB
- zap unused .Pp
- zap trailing whitespace

Report from Debian via mindrot bz#3331, diff from jmc at openbsd.org.

SSH-Copy-ID-Upstream: d8974cfb6242316460ed22a1ccc662800a50c5d3
2023-05-25 18:24:55 +10:00
Philip Hands 9de79df66d
if -s & -p specified, mention 'sftp -P' on success
This was inspired by this:
 https://github.com/openssh/openssh-portable/pull/321
but I thought that it was better to not do the sed patching.

BTW the reason one can get away with using $SSH_OPTS throughout, despite
the lowercase -p in there, even if sftp is in use, is that the sftp call
is using the already-established ssh master connection, so the port was
passed to the earlier ssh.

SSH-Copy-ID-Upstream: 1c124d9bfafdbe28a00b683367ebf5750ce12eb2
2023-05-25 18:24:53 +10:00