Commit Graph

10496 Commits

Author SHA1 Message Date
djm@openbsd.org f73ab8a811 upstream: unbreak unittests for recent API / source file changes
OpenBSD-Regress-ID: 075a899a01bbf7781d38bf0b33d8366faaf6d3c0
2020-01-26 14:19:43 +11:00
Darren Tucker 0373f9eba2 Include signal.h to prevent redefintion of _NSIG. 2020-01-26 14:09:17 +11:00
Darren Tucker 638a45b5c1 Wrap stdint.h in tests inside HAVE_STDINT_H. 2020-01-26 14:05:40 +11:00
djm@openbsd.org 74dfc2c859 upstream: for UpdateHostKeys, don't report errors for unsupported
key types - just ignore them. spotted by and ok dtucker@

OpenBSD-Commit-ID: 91769e443f6197c983932fc8ae9d39948727d473
2020-01-26 13:25:55 +11:00
djm@openbsd.org b59618246c upstream: downgrade error() for missing subsequent known_hosts
files to debug() as it was intended to be; spotted by dtucker@

OpenBSD-Commit-ID: 18cfea382cb52f2da761be524e309cc3d5354ef9
2020-01-26 13:25:55 +11:00
djm@openbsd.org 469df611f7 upstream: clarify that BatchMode applies to all interactive prompts
(e.g. host key confirmation) and not just password prompts.

OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
2020-01-26 10:34:50 +11:00
djm@openbsd.org de40876c4a upstream: tidy headers; some junk snuck into sshbuf-misc.c and
sshbuf-io.c doesn't need SSHBUF_INTERNAL set

OpenBSD-Commit-ID: 27a724d2e0b2619c1a1490f44093bbd73580d9e6
2020-01-26 10:34:50 +11:00
Damien Miller 6a10760635 depend 2020-01-26 10:28:21 +11:00
djm@openbsd.org 59d01f1d72 upstream: improve the error message for u2f enrollment errors by
making ssh-keygen be solely responsible for printing the error message and
convertint some more common error responses from the middleware to a useful
ssherr.h status code. more detail remains visible via -v of course.

also remove indepedent copy of sk-api.h declarations in sk-usbhid.c
and just include it.

feedback & ok markus@

OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-26 10:18:42 +11:00
djm@openbsd.org 99aa803555 upstream: factor out reading/writing sshbufs to dedicated
functions; feedback and ok markus@

OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
2020-01-26 10:18:42 +11:00
djm@openbsd.org 065064fcf4 upstream: add a comment describing the ranges of channel IDs that
we use; requested by markus@

OpenBSD-Commit-ID: 83a1f09810ffa3a96a55fbe32675b34ba739e56b
2020-01-26 10:15:13 +11:00
djm@openbsd.org 69334996ae upstream: make sshd_config:ClientAliveCountMax=0 disable the
connection killing behaviour, rather than killing the connection after
sending the first liveness test probe (regardless of whether the client was
responsive) bz2627; ok markus

OpenBSD-Commit-ID: 5af79c35f4c9fa280643b6852f524bfcd9bccdaf
2020-01-26 10:15:13 +11:00
djm@openbsd.org bf986a9e27 upstream: clarify order of AllowUsers/DenyUsers vs
AllowGroups/DenyGroups; bz1690, ok markus@

OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
2020-01-26 10:15:13 +11:00
djm@openbsd.org 022ce92fa0 upstream: when AddKeysToAgent=yes is set and the key contains no
comment, add the key to the agent with the key's path as the comment. bz2564

OpenBSD-Commit-ID: 8dd8ca9340d7017631a27f4ed5358a4cfddec16f
2020-01-25 18:20:01 +11:00
tedu@openbsd.org 0b813436bb upstream: group14-sha1 is no longer a default algorithm
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25 18:20:01 +11:00
djm@openbsd.org 3432b6e05d upstream: reword HashKnownHosts description a little more; some
people found the wording confusing (bz#2560)

OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
2020-01-25 18:20:01 +11:00
djm@openbsd.org f80d7d6aa9 upstream: weaken the language for what HashKnownHosts provides with
regards to known_hosts name privacy, it's not practical for this option to
offer any guarantee that hostnames cannot be recovered from a disclosed
known_hosts file (e.g. by brute force).

OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
2020-01-25 18:20:01 +11:00
djm@openbsd.org 846446bf3e upstream: the GatewayPorts vs -R listen address selection logic is
still confusing people, so add another comment explaining the special
handling of "localhost"; bz#3258

OpenBSD-Commit-ID: e6bf0f0fbf1c7092bf0dbd9c6eab105970b5b53a
2020-01-25 18:20:01 +11:00
djm@openbsd.org 734f2f83f5 upstream: mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25 17:04:14 +11:00
Damien Miller e1e97cae19 include tunnel device path in error message 2020-01-25 16:30:22 +11:00
djm@openbsd.org 0ecd20bc9f upstream: unrevert this:
> revision 1.217
> date: 2019/11/27 03:34:04;  author: dtucker;  state: Exp;  lines: +5 -7;  commitid: wkiMn49XJyjzoJIs;
> Make channel_id u_int32_t and remove unnecessary check and cast that were
> left over from the type conversion.  Noted by t-hashida@amiya.co.jp in
> bz#3098, ok markus@ djm@

Darren was right the first time; ok dtucker@ "agreed" markus@

OpenBSD-Commit-ID: 641dd1b99a6bbd85b7160da462ae1be83432c7c8
2020-01-25 15:51:20 +11:00
dtucker@openbsd.org a0c81d2402 upstream: Move setting $NC into test-exec since it's now used by
multiple tests, and in -portable we use our own local copy to avoid
portability problems.

OpenBSD-Regress-ID: ceb78445fcaac317bec2fc51b3f0d9589048c114
2020-01-25 14:33:53 +11:00
Darren Tucker e16dfa94f8 Put EC key export inside OPENSSL_HAS_ECC.
Fixes link error when building against an OpenSSL that does not have
ECC.
2020-01-25 13:05:42 +11:00
dtucker@openbsd.org 94a2e5951b upstream: Wait a bit longer for the multiplex master to become ready
since on very slow hosts the current delay is not sufficient and the test
will fail.

OpenBSD-Regress-ID: 6d90c7475d67ac3a95610b64af700629ece51a48
2020-01-25 11:51:03 +11:00
dtucker@openbsd.org b2df804f57 upstream: Add a connection test for proxycommand. This would have
caught the problem caused by ssh.c rev 1.507 wherein Host and Hostname were
swapped.  Prompted by beck@

OpenBSD-Regress-ID: d218500ae6aca4c479c27318fb5b09ebc00f7aae
2020-01-25 11:50:34 +11:00
djm@openbsd.org c6f06fd38a upstream: set UpdateKnownHosts=ask by default; bz#2894; ok
markus@

OpenBSD-Commit-ID: f09cb3177f3a14c96428e14f347e976a8a531fee
2020-01-25 11:36:20 +11:00
djm@openbsd.org 7955633a55 upstream: allow UpdateKnownHosts=yes to function when multiple
known_hosts files are in use. When updating host keys, ssh will now search
subsequent known_hosts files, but will add new/changed host keys to the first
specified file only. bz#2738

ok markus@

OpenBSD-Commit-ID: 6ded6d878a03e57d5aa20bab9c31f92e929dbc6c
2020-01-25 11:35:56 +11:00
djm@openbsd.org e5a278a62a upstream: process security key provider via realpath() in agent,
avoids malicious client from being able to cause agent to load arbitrary
libraries into ssh-sk-helper.

reported by puck AT puckipedia.com; ok markus

OpenBSD-Commit-ID: 1086643df1b7eee4870825c687cf0c26a6145d1c
2020-01-25 11:35:56 +11:00
djm@openbsd.org 89a8d4525e upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.

based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church

feedback and ok markus@

OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25 11:35:55 +11:00
djm@openbsd.org a8c05c6408 upstream: tweak proctitle to include sshd arguments, as these are
frequently used to distinguish between multiple independent instances of the
server. New proctitle looks like this:

$ pgrep -lf sshd
12844 sshd: /usr/sbin/sshd -f /etc/ssh/sshd_config [listener] 0 of 10-100 startups

requested by sthen@ and aja@; ok aja@

OpenBSD-Commit-ID: cf235a561c655a3524a82003cf7244ecb48ccc1e
2020-01-25 11:27:29 +11:00
djm@openbsd.org 8075fccbd4 upstream: add xextendf() to extend a string with a format
(reallocating as necessary). ok aja@ as part of a larger diff

OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9
2020-01-25 11:27:29 +11:00
djm@openbsd.org d15c8adf2c upstream: minor tweaks to ssh-keygen -Y find-principals:
emit matched principals one per line to stdout rather than as comma-
separated and with a free-text preamble (easy confusion opportunity)

emit "not found" error to stderr

fix up argument testing for -Y operations and improve error message for
unsupported operations

OpenBSD-Commit-ID: 3d9c9a671ab07fc04a48f543edfa85eae77da69c
2020-01-25 11:27:29 +11:00
djm@openbsd.org c3368a5d5e upstream: remove ssh-rsa (SHA1) from the list of allowed CA
signature algorithms ok markus

OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
2020-01-25 11:27:29 +11:00
djm@openbsd.org 4a41d245d6 upstream: when signing a certificate with an RSA key, default to
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
the user; ok markus@

OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
2020-01-25 11:27:29 +11:00
djm@openbsd.org 8dfb6a202c upstream: allow PEM export of DSA and ECDSA keys; bz3091, patch
from Jakub Jelen ok markus@

OpenBSD-Commit-ID: a58edec8b9f07acab4b962a71a5125830d321b51
2020-01-25 11:27:29 +11:00
djm@openbsd.org 72a8bea2d7 upstream: ssh-keygen -Y find-principals fixes based on feedback
from Markus:

use "principals" instead of principal, as allowed_signers lines may list
multiple.

When the signing key is a certificate, emit only principals that match
the certificate principal list.

NB. the command -Y name changes: "find-principal" => "find-principals"

ok markus@

OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
2020-01-25 11:27:29 +11:00
dtucker@openbsd.org 0585b56972 upstream: Do not warn about permissions on symlinks.
OpenBSD-Regress-ID: 339d4cbae224bd8743ffad9c3afb0cf3cb66c357
2020-01-24 14:23:06 +11:00
dtucker@openbsd.org 415192348a upstream: Handle zlib compression being disabled now that it's
optional.

OpenBSD-Regress-ID: 0af4fbc5168e62f89d0350de524bff1cb00e707a
2020-01-23 22:34:37 +11:00
dtucker@openbsd.org fbce7c1a89 upstream: Fix typo in comment.
OpenBSD-Commit-ID: d1d7a6553208bf439378fd1cf686a828aceb353a
2020-01-23 22:33:18 +11:00
dtucker@openbsd.org ba247af8e9 upstream: When checking for unsafe directories, ignore non-directories
(ie symlinks, where permissions are not relevant).

OpenBSD-Regress-ID: fb6cfc8b022becb62b2dcb99ed3f072b3326e501
2020-01-23 22:20:53 +11:00
Darren Tucker 74deb7029b zlib is now optional. 2020-01-23 22:17:24 +11:00
Darren Tucker 633a2af47e Plumb WITH_ZLIB into configure.
This allows zlib support to be disabled by ./configure --without-zlib.
2020-01-23 22:16:51 +11:00
dtucker@openbsd.org 7f8e66fea8 upstream: Make zlib optional. This adds a "ZLIB" build time option
that allows building without zlib compression and associated options.  With
feedback from markus@, ok djm@

OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
2020-01-23 21:53:54 +11:00
djm@openbsd.org 69ac4e3302 upstream: remove trailing period characters from pub/priv key
pathnames - they make them needlessly more difficult to cut and paste without
error; ok markus@ & dtucker@

OpenBSD-Commit-ID: abdcfd1a5723fcac0711feee7665edc66ae2335a
2020-01-23 21:46:58 +11:00
Darren Tucker 945bf52c3c Fix a couple of mysig_t leftovers. 2020-01-23 21:06:45 +11:00
Darren Tucker 84226b447d Remove mysignal wrapper.
We switched the main code to use sigaction(), so the wrapper is no
longer used.
2020-01-23 18:55:24 +11:00
jmc@openbsd.org 5533c2fb7e upstream: new sentence, new line;
OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
2020-01-23 18:51:25 +11:00
dtucker@openbsd.org 3bf2a6ac79 upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.

OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23 18:51:25 +11:00
djm@openbsd.org e027c044c7 upstream: missing header change from previous; spotted by dtucker@
OpenBSD-Commit-ID: 321ce74c0a5bbd0f02fa3f20cb5cf2a952c6b96f
2020-01-23 15:56:17 +11:00
dtucker@openbsd.org 7e1323102b upstream: Check for and warn about StrictModes permission problems. ok tb@
OpenBSD-Regress-ID: 4841704ccdee50ee7efc6035bc686695c6ac2991
2020-01-23 15:49:09 +11:00