- Logic to support conpty (currently disabled until validation is complete)
- fdopen() and fchmod() support for file handles
- support for auto updating known_hosts via ssh and ssh-keygen
- Support for dynamic Windows-size changes with PTY
- Changes to support OneCore SDK
- Test cases
Modified user principal name lookup to default to the implicit form (SamAccountName@DnsDomainName) if no explicit user principal name attribute is found on the account.
https://github.com/PowerShell/Win32-OpenSSH/issues/1213
Fix descriptor leaks in win32 fstat implementation
PowerShell/Win32-OpenSSH#1209
According to the docs for _open_osfhandle, _close will close the underlying handle:
"To close a file opened with , call _close. The underlying handle is also closed by a call to _close, so it is not necessary to call the Win32 function CloseHandle on the original handle"
Current group membership resolution though very effective, is very slow. In a typical domain joined enterprise machine, adding a simple entry like the following in sshd_config
AllowGroups administrators
will incur a long delay in remote session establishment as sshd tried to pull all groups associated with the domain user.
Changes in this PR optimize the general case scenarios where no wild cards are in use. Specifically rules like this are processed promptly:
AllowGroups group1, group2, group3 //with no wild cards
Match Group group1 //single group with no negation and wild cards
Optimization is done by resolve the groupname in rule immediately to SID and checking its membership against user token. Enumerating the entire group membership is done on a lazy on-demand basis.
Beyond the optimization, there are 2 functional changes
- removed domain prefix for builtin groups
- removed domain prefix'ed versions of local groups since we are strictly following the convention that local principals shouldn't have any domain qualification.
After creating a user token, the SeServiceLogonRight is now removed from the account so it does not create an orphaned reference in the local security policy.
Other small code changes for code style consistency within the file.
PowerShell/Win32-OpenSSH#1202
Updated SSHD user password generation routine to be longer and more complex. This should satisfy systems with password filters that require more character types or very long passwords.
Updated routine to now securely zero memory for the SSHD account password.
Corrected attempt to write to NULL pointer by localtime_s() in localtime_r() and made function return NULL on error per specification.
Addressed various compiler / code analysis warnings.
Added utility to build session process command line - this accounts for restrictions from various shells. With these changes, scp and sftp-server are expected to be machine wide PATH if a custom shell (other than cmd.exe) is defined. Added comprehensive test cases.
Fixed issue with USERNAME env variable containing domain prefix too.
PowerShell/Win32-OpenSSH#1165PowerShell/Win32-OpenSSH#1165PowerShell/Win32-OpenSSH#1171
- Removed logic that was excluding the group membership SID that matched 'None' on workgroup computers or 'Domain Users' on domain systems.
- Removed test that was checking that AllowGroups failure if user was not in any group at all. This is no longer testable since user will always be a member of at least one group.
https://github.com/PowerShell/Win32-OpenSSH/issues/1167
On certain machines, virtual tokens were not getting generated due to lack of required privileges. Fixed it by assigning them before doing LogonUserExExW. Consolidated runtime dll loading logic.
PowerShell/Win32-OpenSSH#1162
* Updates To Address OneCore Linking
- Modified generate_s4u_user_token() and sys_auth_passwd() to dynamically load TranslateNameW() to avoid OneCore static library linking.
- Modified getusergroups() to avoid Lsa* calls that are not present in OneCore libraries.
* Updates To Address OneCore Linking - Revisions
- Corrected failure detection logic when TranslateNameW() cannot be located.
* Alternate Thread Creation API To Avoid Memory Leaks
- Switched from CreateThread() to _beginthreadex() and ExitThread() to _endthreadex() in order to avoid potential leaks when linking with static CRT library.
- Addressed a variety of warnings that were being detected with static code analysis.
* Addressed Type Cast Warning
- Added explicit cast to the output of _beginthreadex() to avoid a compiler warning.
* Indentation Fix
Added support to run sshd as non-system. In this mode, sshd can authenticate only the user that sshd is running as, and only via public key authentication.
PowerShell/Win32-OpenSSH#1153
Changes include:
- Removing sid from pwd structure to comply with Unix structure
- Integrating default shell logic within pwd
- pwd placeholder to allow logins using usernames not associated with Windows account (possible via custom LSA authentication)
- Moving all nonPTY logic from shellhost to session.c.
- ssh-shellhost is now exclusively for implementing PTY
- Spawning all session processes from within a shell
- Validation checks in safely_chroot
- Added chroot implementation that simply stores the path in internal state and sets an environment variable
- Spawned processes pickup chroot from environment variable
- Core change in realpath and resolved_path_utf16 now take into account chroot path.
- Unit tests
- Other miscellaneous changes to account for chroot enabled logic in core code
PowerShell/Win32-OpenSSH#190PowerShell/Win32-OpenSSH#292
Modified getusergroups() to use s4u tokens to discover nested groups and return them in NetBiosName\GroupName format.
Modified get_passwd() to internally normalize names to NetBiosName\SamAccountName format and changed functions that use it to translate to UPN where necessary.
Removed unnecessary support functions used by previous version of getusergroups().
Various refactoring and function consolidation / simplification.
Addressed several buffer over-read issues.
PowerShell/Win32-OpenSSH#553
Reworked resolved_path() into resolved_path_utf16() that combined utf16 conversion and path conditioning into a single function. This eliminated the previously non-threadsafe resolved_path() function that used a static buffer. Changed some functions to use unicode to eliminate use of previous resolve_path function.
Adjusted functions to use resolved_path_utf16().
Collapsed copy_file() function that was only used once.
Corrected compilation errors when debug4() and debug5() are enabled.
Removed debug statements that were interfering with APC wakeup due to the way that logging works in atomicio6().
Filled in a missing parameter in a debug statement.
Changed test helper so test name is displayed when running release build.
Corrected permissions check for whether to run symbolic links in test cases.
Removed TEST_RESOURCES() in unit tests calls due to inconsistent ability to sample handles in Windows 8.1 / Server 2012 R2.
1. Fix issue install-sshd.ps1 failed on Nano
2. Update settings of services in install-sshd.ps1 to match windows inbox
3. added setup tests and update the test helper scripts to run setup tests before changing configurations on the machine
4. added uninstallation tests
1. Add support to take key files with windows new line ending (PowerShell/Win32-OpenSSH#1130)
2. add test cases for CRLF
3. Update test helper script to catch the exitcode of unittest and report the failure
4. Enable uni test unittest-sshkey and unittest-sshkey
5. Disable resource check for signal tests due to some API issue to follow.
6. Remove workaround for windows new line ending in test scripts
7. Add test validation for ACL of registry entries when perform ssh-add
- Removed debug statements that were interfering with APC wakeup due to the way that logging works in atomicio6().
- Filled in a missing parameter in a debug statement.
- Reworked resolved_path() into resolved_path_utf16() that combined utf16 conversion and path conditioning into a single function. This eliminated the previously non-threadsafe resolved_path() function.
- Adjusted functions to use resolved_path_utf16().
- Collapsed copy_file() function that was only used once.
- Corrected compilation errors when debug4() and debug5() are enabled.
fileio_open previously treated all O_CREAT flags as CREATE_* flags in
CreateFile; CREATE_* always truncates files but O_CREAT only truncates
files when O_TRUNC is also set on POSIX platforms. This becomes
noticeable under SFTP sessions where remote files are opened with
O_APPEND: the file is instead truncated as in O_CREAT | O_TRUNC.
https://github.com/PowerShell/Win32-OpenSSH/issues/1078
Fixes following issues:
- gettimeofday : Incorrect converting 100ns intervals (from GetSystemTimeAsFileTime) to timeval.
(us % RATE_DIFF) means number of microseconds but it may be great than 10**6
- nanosleep : SetWaitableTimer works with 100ns intervals but get nanoseconnds (only part of timespec) Missed CloseHandle call in WaitForSingleObject error case.
https://github.com/PowerShell/Win32-OpenSSH/issues/1094
- Added implementation of symlink() using native CreateSymbolicLink() function.
- Added unit tests for symlink behavior in readlink(), lstat, stat(), and symlink().
- Reworked readlink() to be more inline with POSIX readlink() behavior.
- Reworked symlink handling in stat/lstat due to revised readlink().
- Added additional error handling to readlink().
- Added symlink() Implementation - Memory Leak Fix
- Modified fileio_readlink() to properly free a temporary buffer it creates.
https://github.com/PowerShell/Win32-OpenSSH/issues/1096https://github.com/PowerShell/Win32-OpenSSH/issues/191
- Updated wait_for_multiple_objects_enhanced() to handle a no-event request while alterable.
- Simplified wait_for_any_event() to by taking advantage of no-event alterable request in wait_for_multiple_objects_enhanced().
- Updated wait_for_any_event() to use MAX_CHILDREN limit instead of MAXIMUM_WAIT_OBJECTS limit.
- Removed unnecessary ZeroMemory() call.
- Created distinct definition MAXIMUM_WAIT_OBJECTS_ENHANCED
and modified functions to use it.
- Upped w32_select() event limit.
- Modified wait_for_multiple_objects_enhanced() to allow for 0 millisecond wait.
- Added wait_for_multiple_objects_enhanced() function that can logically handle wait-any on many children (system resources permitting).
- Added unit tests for wait_for_multiple_objects_enhanced().
- Incorporated use of wait_for_multiple_objects_enhanced() into main signal handler.
- Upped max child processes to 500.
1. Expand wildcard for input parameters
2. add scp tests with wildcard
3. for debug mode, need to enable the log to local log file.
4. update the path to log file
Regression: Service is unable to start if "ssh" programdata directory is missing.
Reason: This is due to refactored changes around w32_programdir() that moved its initialization to within win32_posix_initialize. sshd_main() is relying on this call even before the POSIX layer gets initialized.
Fix: Reverted the refactoring changes and added comments to consolidate these changes later. Also removed directory creation logic in install-sshd.ps1 that masked this issue before.
* Test Fixes on downlevel machines
1. Test fix to run on win7 and win8
2. Add -onecore parameter to start-opensshpackage in build helper script
3. Add copying of libcrypto.dll and libcrypto.pdb
4. Update the build number on appveyor.yml
* add NoOpenSSL and OneCore parameter for packaging
* update the log option so it can print out the build console log
* update script to use vs2017 if it exists
* update path to copy libcrypto.dll
PowerShell/Win32-OpenSSH#1065
Fix: In recent sshd architectural changes, post authentication changes that process user specific changes were missing in authenticated sshd worker. Added missing call.
PowerShell/Win32-OpenSSH#1052
Fix: getpwd* functions will now strip off domain of any local user account.
Updated file version info:
FileVersionRaw : 7.6.0.0
ProductVersionRaw : 7.6.0.0
ProductName : OpenSSH for Windows
ProductVersion : OpenSSH_7.6p1 for Windows
Updated softwareversion - this would show up in protocol identification string and when doing ssh -V
OpenSSH_for_Windows_7.6
Issue: All SSHD unauthenticated workers are currently running as "sshd". Any compromised worker can snoop into the process space of one other worker, steal authentication payload and elevate itself.
Fix: Added logic to spawn the unauthenticated workers under the context of run time unique security identities that will provide complete isolation between these worker processes.
1. Move Start-SSHD-TestDaemon and Stop-SSHD-TestDaemon to commonUtils.psm1
2. Fix the timing issue when trying to read the log while it is still locked by the process.
3, Start the service to create the config fold if it is not there.
4. Skip authorizedkey and sshdconfig tests on win7 since the task scheduler cmdlets are not available on win7.
5. rename variables
PowerShell/Win32-OpenSSH#1032
Issue: Ssh-shellhost.exe creates a job object and ties all its child processes to its lifetime. It does not allow the child processes to break away from this job. This restriction is unnecessary.
Fix: Modified job object to allow child processes to break away if they need to.
* add date in the log file in MM/DD/YYYY format
* changed date format in log file to bigendian ISO 8601 (YYYY-MM-DD) (#256)
The "madendian" MM/DD/YYYY format is not used outside the United States
(and rather irritating elsewhere)
OpenSSh privilege separation model - http://www.citi.umich.edu/u/provos/ssh/privsep.html
Posix_spawn is implemented in POSIX adapter as an alternative to fork() that is heavily used in Privilege separation.
Additional state info is added to sshd to accommodate distinguishing the various modes (privileged monitor, unprivileged child, authenticated child).
Required service state (like config and host keys) is transmitted over pipes from monitor to child processes.
Changes to installation scripts and tests to accomodate new architectural changes
Check for MIKDIR_P and use it instead of mkinstalldirs. Should fix "mkdir:
cannot create directory:... File exists" during "make install".
Patch from eb at emlix.com.
bingbing8
bagajjal
Manoj Ampalam
Bryan Berns
cbookg
Darren Tucker
Dominic Watley
Damien Miller
Manoj Ampalam
Daniel Sweet
revngnr
nkadel
Karl Itnic
Darren Tucker