problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
kernel, and all the ssh tools. The dynamic objects are entirely ret-clean,
static binaries will contain a blend of cleaning and non-cleaning callers.
OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172
separate sshd-session process - reserve them early and fatal if we can't
dup2(2) them later. The pre-split fallback to re-reading the configuration
files is not possible, so sshd-session absolutely requires the fd the
configuration is passed over to be in order.
ok deraadt@
OpenBSD-Commit-ID: 308a98ef3c8a6665ebf92c7c9a0fc9600ccd7065
testing the same key exchange algorithm repeatedly instead of testing all of
them. Spotted by nreilly AT blackberry.com in bz3692
Who broke the test? me.
OpenBSD-Regress-ID: 48f4f5946276f975667141957d25441b3c9a50e2
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.
After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.
This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.
OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
The sanitise_stdfd call makes sure that standard file descriptors are
open (if they were closed, they are connected with /dev/null).
Do not close stdin in any case to prevent error messages when stdin is
read multiple times and to prevent later usage of fd 0 for connections,
e.g.
echo localhost | ssh-keyscan -f - -f -
While at it, make stdin-related error messages nicer.
Authored with Max Kunzelmann <maxdev at posteo dot de>
ok djm
OpenBSD-Commit-ID: 48e9b7938e2fa2f9bd47e6de6df66a31e0b375d3
returned the current user's home directory contrary to the spec.
Patch from Jakub Jelen via GHPR477
OpenBSD-Commit-ID: 5afd775eab7f9cbe222d7fbae4c793de6c3b3d28
HostkeyAlgorithms. Allows HostkeyAlgorithms to disable implicit fallback from
certificate keys to plain keys. ok markus@
OpenBSD-Commit-ID: 364087e4a395ff9b2f42bf3aefdb2090bb23643a
While here try to improve how it reads a bit better. Surprising the
regression tests didn't spot this error, maybe it fails to roundtrip the
values.
OpenBSD-Commit-ID: 866cfcc1955aef8f3fc32da0b70c353a1b859f2e
strtonum() instead of strange strtoul can might be fooled by garage
characters. passes regress/usr.bin/ssh/unittests/misc ok djm
OpenBSD-Commit-ID: 4b1ef826bb16047aea3f3bdcb385b72ffd450abc
djm@openbsd.org
Damien Miller
deraadt@openbsd.org
naddy@openbsd.org
jsg@openbsd.org
miod@openbsd.org
anton@openbsd.org
tobias@openbsd.org
semarie@openbsd.org