Commit Graph

448 Commits

Author SHA1 Message Date
djm@openbsd.org 7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
otto@openbsd.org fc041c4714 upstream commit
fix previous, a condition was modified incorrectly; ok
markus@ deraadt@

Upstream-ID: c443e339768e7ed396dff3bb55f693e7d3641453
2016-08-29 11:20:28 +10:00
djm@openbsd.org 83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
markus@openbsd.org 6cb6dcffe1 upstream commit
remove ssh1 server code; ok djm@

Upstream-ID: c24c0c32c49b91740d5a94ae914fb1898ea5f534
2016-08-14 11:19:14 +10:00
Darren Tucker aa37768f17 get_remote_name_or_ip inside LOGIN_NEEDS_UTMPX
Apply the same get_remote_name_or_ip -> session_get_remote_name_or_ip
change as commit 95767262 to the code inside #ifdef LOGIN_NEEDS_UTMPX.
Fixes build on AIX.
2016-06-20 15:55:34 +10:00
Damien Miller 85bdcd7c92 ignore PAM environment vars when UseLogin=yes
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
2016-04-13 10:44:42 +10:00
djm@openbsd.org 4b4bfb01cd upstream commit
sanitise characters destined for xauth reported by
 github.com/tintinweb feedback and ok deraadt and markus

Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
2016-03-15 03:23:46 +11:00
djm@openbsd.org 95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
djm@openbsd.org 5a0fcb7728 upstream commit
add a "Close session" log entry (at loglevel=verbose) to
 correspond to the existing "Starting session" one. Also include the session
 id number to make multiplexed sessions more apparent.

feedback and ok dtucker@

Upstream-ID: e72d2ac080e02774376325136e532cb24c2e617c
2016-02-17 16:37:55 +11:00
djm@openbsd.org 44fc7cd7dc upstream commit
skip "Could not chdir to home directory" message when
 chrooted

patch from Christian Hesse in bz#2485 ok dtucker@

Upstream-ID: 86783c1953da426dff5b03b03ce46e699d9e5431
2015-10-25 11:42:06 +11:00
deraadt@openbsd.org 657a5fbc0d upstream commit
rename xrealloc() to xreallocarray() since it follows
 that form. ok djm
2015-04-29 18:15:23 +10:00
deraadt@openbsd.org 2ae4f337b2 upstream commit
Replace <sys/param.h> with <limits.h> and other less
 dirty headers where possible.  Annotate <sys/param.h> lines with their
 current reasons.  Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
 LOGIN_NAME_MAX, etc.  Change MIN() and MAX() to local definitions of
 MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
 These are the files confirmed through binary verification. ok guenther,
 millert, doug (helped with the verification protocol)
2015-01-16 18:24:48 +11:00
djm@openbsd.org 141efe4954 upstream commit
move authfd.c and its tentacles to the new buffer/key
 API; ok markus@
2015-01-15 21:37:34 +11:00
djm@openbsd.org 161cf419f4 upstream commit
make internal handling of filename arguments of "none"
 more consistent with ssh. "none" arguments are now replaced with NULL when
 the configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
2014-12-22 19:08:12 +11:00
Damien Miller 7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller 72e6b5c9ed - djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@
2014-07-04 09:00:04 +10:00
Damien Miller e5c0d52ceb - djm@cvs.openbsd.org 2014/07/03 03:34:09
[gss-serv.c session.c ssh-keygen.c]
     standardise on NI_MAXHOST for gethostname() string lengths; about
     1/2 the cases were using it already. Fixes bz#2239 en passant
2014-07-03 21:24:19 +10:00
Tim Rice a261b8df59 - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare 2014-06-18 16:17:28 -07:00
Damien Miller c10bf4d051 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
     Id sync only - portable already has this.
2014-04-20 12:58:04 +10:00
Damien Miller 8569eba5d7 - djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
2014-03-04 09:35:17 +11:00
Damien Miller 1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Tim Rice 617da33c20 - (tim) [session.c] Improve error reporting on set_id(). 2014-01-22 19:16:10 -08:00
Tim Rice 9464ba6fb3 - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
with sftp chroot support. Move set_id call after chroot.
2014-01-20 17:59:28 -08:00
Darren Tucker 293ee3c9f0 - dtucker@cvs.openbsd.org 2014/01/18 09:36:26
[session.c]
     explicitly define USE_PIPES to 1 to prevent redefinition warnings in
     portable on platforms that use pipes for everything.  From redhat @
     redhat.
2014-01-19 15:28:01 +11:00
Damien Miller 5ff30c6b68 - djm@cvs.openbsd.org 2013/10/29 09:48:02
[servconf.c servconf.h session.c sshd_config sshd_config.5]
     shd_config PermitTTY to disallow TTY allocation, mirroring the
     longstanding no-pty authorized_keys option;
     bz#2070, patch from Teran McKinney; ok markus@
2013-10-30 22:21:50 +11:00
Damien Miller 71df752de2 - djm@cvs.openbsd.org 2013/10/14 21:20:52
[session.c session.h]
     Add logging of session starts in a useful format; ok markus@ feedback and
     ok dtucker@
2013-10-15 12:12:02 +11:00
Damien Miller 85b45e0918 - markus@cvs.openbsd.org 2013/07/19 07:37:48
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
     [servconf.h session.c sshd.c sshd_config.5]
     add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
     or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
     ok djm@
2013-07-20 13:21:52 +10:00
Darren Tucker f60845fde2 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
   with the equivalent calls to free.
2013-06-02 08:07:31 +10:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller a56086b990 - djm@cvs.openbsd.org 2013/04/19 01:03:01
[session.c]
     reintroduce 1.262 without the connection-killing bug:
     fatal() when ChrootDirectory specified by running without root privileges;
     ok markus@
2013-04-23 15:24:18 +10:00
Damien Miller f1a02aea35 - dtucker@cvs.openbsd.org 2013/04/17 09:04:09
[session.c]
     revert rev 1.262; it fails because uid is already set here.  ok djm@
2013-04-23 15:22:13 +10:00
Damien Miller 998cc56b65 - djm@cvs.openbsd.org 2013/03/06 23:35:23
[session.c]
     fatal() when ChrootDirectory specified by running without root privileges;
     ok markus@
2013-04-23 15:16:43 +10:00
Damien Miller 5852840190 - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
occur after UID switch; patch from John Marshall via des AT des.no;
   ok dtucker@
2013-03-15 11:22:37 +11:00
Damien Miller aa5b3f8314 - djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@
2012-12-03 09:50:54 +11:00
Damien Miller 29cd188887 - guenther@cvs.openbsd.org 2012/03/15 03:10:27
[session.c]
     root should always be excluded from the test for /etc/nologin instead
     of having it always enforced even when marked as ignorenologin.  This
     regressed when the logic was incompletely flipped around in rev 1.251
     ok halex@ millert@
2012-04-22 11:08:10 +10:00
Darren Tucker 9c5d553d58 - djm@cvs.openbsd.org 2011/10/24 02:13:13
[session.c]
     bz#1859: send tty break to pty master instead of (probably already
     closed) slave side; "looks good" markus@
2011-11-04 10:55:24 +11:00
Damien Miller 14684a1f84 - (djm) [session.c] call setexeccon() before executing passwd for pw
changes; bz#1891 reported by jchadima AT redhat.com; ok dtucker@
2011-05-20 11:23:07 +10:00
Damien Miller f80c3deaaf - djm@cvs.openbsd.org 2010/11/25 04:10:09
[session.c]
     replace close() loop for fds 3->64 with closefrom();
     ok markus deraadt dtucker
2010-12-01 12:02:59 +11:00
Darren Tucker d995712383 - (dtucker) [platform.c session.c] Move the getluid call out of session.c and
into the platform-specific code  Only affects SCO, tested by and ok tim@.
2010-11-24 10:09:13 +11:00
Damien Miller 0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Darren Tucker b12fe272a0 - (dtucker) [platform.c platform.h session.c] Move the Cygwin special-case
check into platform.c
2010-11-05 14:47:01 +11:00
Darren Tucker cc12418e18 - (dtucker) [platform.c session.c] Move PAM credential establishment for the
non-LOGIN_CAP case into platform.c.
2010-11-05 13:32:52 +11:00
Darren Tucker 0b2ee6452c - (dtucker) [platform.c session.c] Move irix setusercontext fragment into
platform.c.
2010-11-05 13:29:25 +11:00
Darren Tucker 676b912e78 - (dtucker) platform.c session.c] Move aix_usrinfo frament into platform.c. 2010-11-05 13:11:04 +11:00
Darren Tucker 7a8afe3186 - (dtucker) platform.c session.c] Move the USE_LIBIAF fragment into
platform.c
2010-11-05 13:07:24 +11:00
Darren Tucker 728d8371a1 - (dtucker) [platform.c session.c] Move the PAM credential establishment for
the LOGIN_CAP case into platform.c.
2010-11-05 13:00:05 +11:00
Darren Tucker 44a97be0cc - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c. 2010-11-05 12:45:18 +11:00
Darren Tucker 4db380701d - (dtucker) [platform.c session.c] Move the AIX setpcred+chroot hack into
platform.c
2010-11-05 12:41:13 +11:00
Darren Tucker 920612e45a - (dtucker) [platform.c platform.h session.c] Add a platform hook to run
after the user's groups are established and move the selinux calls into it.
2010-11-05 12:36:15 +11:00
Darren Tucker 97528353c2 - (dtucker) [configure.ac platform.{c,h} session.c
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support.
   Patch from cory.erickson at csu mnscu edu with a bit of rework from me.
   ok djm@
2010-11-05 12:03:05 +11:00