summaryrefslogtreecommitdiff
path: root/servconf.c
Commit message (Collapse)AuthorAgeFilesLines
...
* Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"Corinna Vinschen2019-02-221-0/+4
| | | | | | This reverts commit acc9b29486dfd649dfda474e5c1a03b317449f1c. Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
* upstream: Always initialize 2nd arg to hpdelim2. It populates thatdtucker@openbsd.org2019-01-241-5/+5
| | | | | | | | *ONLY IF* there's a delimiter. If there's not (the common case) it checked uninitialized memory, which usually passed, but if not would cause spurious failures when the uninitialized memory happens to contain "/". ok deraadt. OpenBSD-Commit-ID: 4291611eaf2a53d4c92f4a57c7f267c9f944e0d3
* upstream: Remove support for obsolete host/port syntax.dtucker@openbsd.org2019-01-241-8/+12
| | | | | | | | | | | host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH now supports for some things. Remove the slash notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen at redhat.com, ok markus@ OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
* upstream: convert servconf.c to new packet APIdjm@openbsd.org2019-01-201-7/+3
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
* upstream: begin landing remaining refactoring of packet parsingdjm@openbsd.org2019-01-201-1/+4
| | | | | | | | | | | | | API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@ OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
* upstream: silence (to log level debug2) failure messages whendjm@openbsd.org2018-11-191-12/+28
| | | | | | | | | | | | | | | | loading the default hostkeys. Hostkeys explicitly specified in the configuration or on the command-line are still reported as errors, and failure to load at least one host key remains a fatal error. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch from Dag-Erling Smørgrav via https://github.com/openssh/openssh-portable/pull/103 ok markus@ OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
* upstream: use path_absolute() for pathname checks; from Manoj Ampalamdjm@openbsd.org2018-11-161-2/+2
| | | | OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
* upstream: actually make CASignatureAlgorithms available as a configdjm@openbsd.org2018-09-211-1/+2
| | | | | | option OpenBSD-Commit-ID: 93fa7ff58314ed7b1ab7744090a6a91232e6ae52
* upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org2018-09-201-3/+13
| | | | | | | | | | control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
* upstream: better diagnosics on alg list assembly errors; okdjm@openbsd.org2018-08-131-14/+14
| | | | | | deraadt@ markus@ OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
* Remove support for S/KeyDamien Miller2018-07-311-1/+1
| | | | | | Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
* upstream: remove legacy key emulation layer; ok djm@markus@openbsd.org2018-07-121-2/+2
| | | | OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
* upstream: sshd: switch config to sshbuf API; ok djm@markus@openbsd.org2018-07-101-14/+16
| | | | OpenBSD-Commit-ID: 72b02017bac7feac48c9dceff8355056bea300bd
* upstream: Revert previous two commitssf@openbsd.org2018-07-101-4/+4
| | | | | | | | | | | | | | | | | | | | | | It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits: date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@ date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@ OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
* upstream: Rename COMP_DELAYED to COMP_ZLIBsf@openbsd.org2018-07-101-4/+4
| | | | | | | | Only delayed compression is supported nowadays. ok markus@ OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
* upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org2018-07-041-9/+23
| | | | | | | | | | | | | | | | signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
* upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org2018-07-031-4/+36
| | | | | | | | pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
* upstream: allow bare port numbers to appear in PermitListen directives,djm@openbsd.org2018-06-191-9/+17
| | | | | | | | | | | | | | | | e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
* upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org2018-06-091-2/+18
| | | | | | | | | | | administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
* upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org2018-06-071-5/+5
| | | | | | static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
* upstream: permitlisten option for authorized_keys; ok markus@djm@openbsd.org2018-06-071-16/+16
| | | | OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
* upstream: Add a PermitListen directive to control which server-sidedjm@openbsd.org2018-06-071-48/+90
| | | | | | | | | | | | addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
* upstream: lots of typos in comments/docs. Patch from Karsten Weissdjm@openbsd.org2018-04-101-3/+3
| | | | | | | after checking with codespell tool (https://github.com/lucasdemarchi/codespell) OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
* upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 forjob@openbsd.org2018-04-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | interactive and CS1 for bulk AF21 was selected as this is the highest priority within the low-latency service class (and it is higher than what we have today). SSH is elastic and time-sensitive data, where a user is waiting for a response via the network in order to continue with a task at hand. As such, these flows should be considered foreground traffic, with delays or drops to such traffic directly impacting user-productivity. For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable networks implementing a scavanger/lower-than-best effort class to discriminate scp(1) below normal activities, such as web surfing. In general this type of bulk SSH traffic is a background activity. An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH is that they are recognisable values on all common platforms (IANA https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and for AF21 specifically a definition of the intended behavior exists https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662 The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate", or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e, MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK"). OK deraadt@, "no objection" djm@ OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
* upstream: missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report bymarkus@openbsd.org2018-03-021-1/+3
| | | | | | jmc@ OpenBSD-Commit-ID: 9039cb69a3f9886bfef096891a9e7fcbd620280b
* upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org2018-02-261-1/+3
| | | | | | | | | Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
* upstream: stop loading DSA keys by default, remove sshd_configdjm@openbsd.org2018-02-161-3/+1
| | | | | | stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@ OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
* upstream commitdtucker@openbsd.org2018-02-091-3/+2
| | | | | | | Remove unused sKerberosTgtPassing from enum. From calestyo via github pull req #11, ok djm@ OpenBSD-Commit-ID: 1008f8870865a7c4968b7aed402a0a9e3e5b9540
* upstream commitdtucker@openbsd.org2017-12-071-5/+5
| | | | | | | | Replace atoi and strtol conversions for integer arguments to config keywords with a checking wrapper around strtonum. This will prevent and flag invalid and negative arguments to these keywords. ok djm@ OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
* upstream commitdtucker@openbsd.org2017-12-071-1/+2
| | | | | | | Add missing break for rdomain. Prevents spurious "Deprecated option" warnings. ok djm@ OpenBSD-Commit-ID: ba28a675d39bb04a974586241c3cba71a9c6099a
* upstream commitdjm@openbsd.org@openbsd.org2017-11-031-16/+8
| | | | | | | | reuse parse_multistate for parse_flag (yes/no arguments). Saves a few lines of code and makes the parser more consistent wrt case- sensitivity. bz#2664 ok dtucker@ OpenBSD-Commit-ID: b2ad1b6086858d5db71c7b11e5a74dba6d60efef
* upstream commitdtucker@openbsd.org@openbsd.org2017-11-031-20/+27
| | | | | | | | When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria. ok djm@, man page help jmc@ OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
* fix rdomain compilation errorsDamien Miller2017-10-271-1/+1
|
* upstream commitdjm@openbsd.org2017-10-251-2/+4
| | | | | | uninitialised variable in PermitTunnel printing code Upstream-ID: f04dc33e42855704e116b8da61095ecc71bc9e9a
* provide hooks and fallbacks for rdomain supportDamien Miller2017-10-251-0/+7
|
* upstream commitdjm@openbsd.org2017-10-251-1/+14
| | | | | | | | add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which rdomain(4) a connection was recevied on. ok markus@ Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
* upstream commitdjm@openbsd.org2017-10-251-2/+19
| | | | | | | | | | add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
* upstream commitdjm@openbsd.org2017-10-251-67/+162
| | | | | | | | | Add optional rdomain qualifier to sshd_config's ListenAddress option to allow listening on a different rdomain(4), e.g. ListenAddress 0.0.0.0 rdomain 4 Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
* upstream commitdjm@openbsd.org2017-10-201-95/+115
| | | | | | | | replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@ Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
* upstream commitdjm@openbsd.org2017-10-051-4/+4
| | | | | | | | fix (another) problem in PermitOpen introduced during the channels.c refactor: the third and subsequent arguments to PermitOpen were being silently ignored; ok markus@ Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
* upstream commitV_7_6_P1djm@openbsd.org2017-10-031-1/+9
| | | | | | Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@ Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
* upstream commitdtucker@openbsd.org2017-09-191-2/+3
| | | | | | Add braces missing after channels refactor. ok markus@ Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
* upstream commitdjm@openbsd.org2017-09-121-21/+66
| | | | | | | | | | | | | | | | | | | | | | refactor channels.c Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@ Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
* upstream commitdjm@openbsd.org2017-06-241-1/+12
| | | | | | | | | | | refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
* upstream commitdjm@openbsd.org2017-05-171-3/+4
| | | | | | | allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717 Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
* upstream commitjsg@openbsd.org2017-04-281-8/+1
| | | | | | | remove a static array unused since rev 1.306 spotted by clang ok djm@ Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
* upstream commitdjm@openbsd.org2017-03-151-10/+2
| | | | | | | | | | | Mark the sshd_config UsePrivilegeSeparation option as deprecated, effectively making privsep mandatory in sandboxing mode. ok markus@ deraadt@ (note: this doesn't remove the !privsep code paths, though that will happen eventually). Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
* upstream commitdtucker@openbsd.org2017-03-101-3/+1
| | | | | | | Remove old null check from config dumper. Patch from jjelen at redhat.com vi bz#2687, ok djm@ Upstream-ID: 824ab71467b78c4bab0dd1b3a38e8bc5f63dd528
* upstream commitdjm@openbsd.org2017-02-041-5/+7
| | | | | | | | support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
* upstream commitdjm@openbsd.org2017-02-031-1/+10
| | | | | | allow form-feed characters at EOL; bz#2431 ok dtucker@ Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
View Lorry Controller Status