[pull] master from openssh:master #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![pull[bot]](https://avatars.githubusercontent.com/in/12910?s=60&v=4){kind=small}
kernel, and all the ssh tools. The dynamic objects are entirely ret-clean, static binaries will contain a blend of cleaning and non-cleaning callers. OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172
problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
OpenBSD-Commit-ID: d42cb895ee4542098050367fc35321c9303f003a
in future OpenBSD-Regress-ID: 5236c6d1c823997aac5a35e2915da30f1903bec7
OpenBSD-Regress-ID: 50316e0d1ae0c0a057a45af042253e54ce23d11c
OpenBSD-Regress-ID: de4ef0e32e3ab85ff3a6c36eb08d1909c0dd1b4a
OpenBSD-Regress-ID: a1af13d411b25a727742644459d26480b9a1b0f1
in-progress connections. OpenBSD-Commit-ID: 20389da6264f2c97ac3463edfaa1182c212d420c
ok markus NB. if you run a sshd that accepts connections from behind large NAT blocks, proxies or anything else that aggregates many possible users behind few IP addresses, then this change may cause legitimate traffic to be denied. Please read the PerSourcePenalties, PerSourcePenaltyExemptList and PerSourceNetBlockSize options in sshd_config(5) for how to tune your sshd(8) for your specific circumstances. OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce
spacing; OpenBSD-Commit-ID: 0a9fb10bc9f7d577afe2da3f498a08bc431115b9
ok djm OpenBSD-Commit-ID: 1e89572397dda83433d58c4fa6333a08f51170d4
OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d
message payloads, not just the message header OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce
being enabled and document the default values for each parameter. OpenBSD-Commit-ID: b981288bddfb097aad269f62df4081c688ce0034
OpenBSD-Commit-ID: 72e2c5b69f151c08a7c5bf5ad929b97a92c273df
OpenBSD-Commit-ID: af4f5d01c41ef870b23e55655bfbf73474a6c02b
OpenBSD-Commit-ID: 8dc2fd21eebd8830c4a4d25461ac4fe228e11156
message sending, not just receiving OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb
here OpenBSD-Regress-ID: 96fec579af228f87a036e94801eb294af9074625
send, not just message receive OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0
OpenBSD-Commit-ID: 54151ecdecfa1b67dcdda4fd24826ef6e2148ad4
used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
sshd-session attempting to use options.kerberos_authentication to decide whether it needed to lookup the privsep user before the configuration was loaded. This caused it to get a placeholder value that caused it always to try to lookup the privsep user, breaking at least one test environment.
Cygwin doesn't support FD passing and so used to disable post-auth privilege separation entirely because privsep requires PTY allocation to happen in the privileged monitor process with the PTY file descriptors being passed back to the unprivileged process. This brings back a minimal version of the previous special treatment for Cygwin (and any other platform that sets DISABLE_FD_PASSING): privilege separation remains enabled, but PTY allocation happens in the post-auth user process rather than the monitor. This either requires PTY allocation to not need privilege to begin with (this appears to be the case on Cygwin), or the post-auth privsep process retain privilege (other platforms that set the DISABLE_FD_PASSING option). Keeping privileges here is bad, but the non-Cygwin systems that set DISABLE_FD_PASSING are so deeply legacy that this is likely to be the least of their problems.
OpenBSD-Commit-ID: 597ab7dd3f0e78939d2659fc1904d0f39ee95487
domain socket paths; GHPR115 OpenBSD-Commit-ID: a8a34d0a0c51a9ddab3dfce615f9878fa76ef842
Prevents problems on platforms where this isn't safe (which it's not required to be). ok djm@ OpenBSD-Commit-ID: 8fa4ce3ad90915c925b81b99a79ab920b0523387
... to run all of the subprograms from the build directory while developing and debugging. Should help prevent accidentally testing against unchanged installed sshd-auth and sshd-session binaries. ok djm@ OpenBSD-Commit-ID: 61760cdc98c2bc8f1e9f83a6f97cca0f66b52e69
... and ssh and sshd log wrappers before recreating them. Prevents "can't create" errors during tests when running tests without SUDO after having run them with SUDO. OpenBSD-Regress-ID: 2f0a83532e3dccd673a9bf0291090277268c69a6
first character. ok deraadt@ OpenBSD-Commit-ID: 3f8be6d32496e5596dd8b14e19cb067ddd7969ef
let's users zap keys without access to $SSH_AUTH_SOCK ok deraadt@ OpenBSD-Commit-ID: dae9db0516b1011e5ba8c655ac702fce42e6c023
OpenBSD-Regress-ID: 8654b9aa8eb695b1499fffc408c25319592bf0e0
ok markus@ OpenBSD-Commit-ID: fc673065e6505bb06b2e2b9362f78ccb4200a828
Instead of maintaing state (pipe descriptors, signal handlers) across pselect-on-select invocations, set up and restore them each call. This prevents outside factors (eg a closefrom or signal handler installation) from potentially causing problems. This does result in a drop in throughput of a couple of percent on geriatric platforms without a native pselect due to the extra overhead. Tweaks & ok djm@
It got broken by the sshd-auth change, it's not obvious why, and the platform lacks the debugging tools (eg gdb, strace) to figure it out. The upstream project seems effectively dead (6 years since the last commit, 10 since the last release). It was useful while it lasted (we found a real bug because of it) but its time seems to have passed.
exchange OpenBSD-Commit-ID: 5a3259a193fd42108a869ebf650b95b5f2d08dcf
jsg@ feedback/ok deraadt@ OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
to getgrouplist(3) Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents an admin from adding a user to more groups. With that tweak we'll keep on ignoring them instead of potentially reading past the buffer passed to getgrouplist(3). That behavior is explicitely described in initgroups(3). ok millert@ gilles@ OpenBSD-Commit-ID: a959fc45ea3431b36f52eda04faefc58bcde00db
FIDO application IDs for security key-backed keys, to prevent web key handles from being used remotely as this would likely lead to unpleasant surprises. By default, only application IDs that start with "ssh:*" are allowed. This adds a -Owebsafe-allow=... argument that can override the default list with a more or less restrictive one. The default remains unchanged. ok markus@ OpenBSD-Commit-ID: 957c1ed92a8d7c87453b9341f70cb3f4e6b23e8d
This will allow tests to specify an alternative sshd, eg on a remote machine with different endianness.
Where our test target is a bigendian system, do an additional build on the runner host (which is little endian) and test interop between the two. Should hopefully catch obvious endianness bugs.
Move the the flags used by the OpenWRT distro to mipsel target and enable OpenSSL on all targets to improve coverage. Explicitly disable security key and openssl on mips target so that host end of the bigendian interop tests don't attempt them and fail (since they're not enabled on the target side).
It doesn't currently work. It's not clear why, but I suspect sk-dummy.so ends up being built for the wrong architecture.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )