| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
We've previously removed a lot of the really old compatibility code,
and with it went the need to include compat.h in most of the files that
have it.
OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
|
|
|
|
|
|
| |
spotted via Coverity CID 405022
OpenBSD-Commit-ID: b074b52bf138b75f08264e8da15880b29c7a630f
|
|
|
|
|
|
|
|
|
|
| |
client connections that have no open channels for some length of time. This
complements the recently-added ChannelTimeout option that terminates inactive
channels after a timeout.
ok markus@
OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.
Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.
ok markus dtucker
OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
|
|
|
|
|
|
| |
in -portable by clang 16's -Wunused-but-set-variable. ok djm@
OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
|
|
|
|
|
|
|
| |
equal to zero during config parsing, rather than faling later at runtime.
bz#3489, ok djm@
OpenBSD-Commit-ID: d79c2b7a8601eb9be493629a91245d761154308b
|
|
|
|
|
|
|
|
| |
beneath this limit will be ignored for user and host-based authentication.
Feedback deraadt@ ok markus@
OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
|
|
|
|
|
|
|
|
|
|
|
| |
sshd_config and sshd_config; previously if the same name was reused then the
last would win (which is the opposite to how the config is supposed to work).
While there, make the ssh_config parsing more like sshd_config.
bz3438, ok dtucker
OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
|
|
|
|
|
|
|
|
| |
re-exec path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by Aaron
Poffenberger; with / ok dtucker@
OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
|
|
|
|
|
|
|
|
|
|
| |
Historicallly, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@
OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
|
|
|
|
|
|
|
| |
sChallengeResponseAuthentication from the enum. Noticed by
christos@zoulas.com. OK dtucker@
OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
|
|
|
|
|
| |
sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options
and are no longer used.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
not entirely equivalent. We retain the old name as deprecated alias so
config files continue to work and a reference in the man page for people
looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@
OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.
feedback and ok markus@
tested in snaps for the last five or so days - thanks Theo and those who
caught bugs
OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
|
|
|
|
|
|
| |
and bad indentation on continuation lines. Prompted by GHPR#185
OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
|
|
|
|
|
|
|
|
| |
location of the "moduli" file containing the groups for DH-GEX. This will
allow us to run tests against arbitrary moduli files without having to
install them. ok djm@
OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
|
|
|
|
|
|
|
| |
pubkeyacceptedalgorithms after their current names so that the config-dump
mode finds and uses the current names. Spotted by Phil Pennock.
OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15
|
|
|
|
| |
OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a
|
|
|
|
|
|
|
|
|
| |
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok
djm@
OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
|
|
|
|
|
|
|
|
|
|
| |
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted. Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading. The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
|
|
|
|
|
|
| |
mode.
OpenBSD-Commit-ID: ecdc49e2b6bde6b6b0e52163d621831f6ac7b13d
|
|
|
|
|
|
|
| |
options which provide more fine grained MaxStartups limits. Man page help
jmc@, feedback & ok djm@
OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b
|
|
|
|
|
|
| |
__func__ and appending ssh_err(r) manually; ok markus@
OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
|
|
|
|
|
|
|
|
|
| |
Allows forcing maximum debug logging by file/function/line pattern-
lists.
ok markus@
OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BROKEN_MMAP is no longer defined since commit
1cfd5c06efb12 ("Remove portability support for mmap")
this commit also removed other HAVE_MMAP user. I didn't find anything
that defines HAVE_MMAP. The check does not trigger because compression
on server side is by default COMP_DELAYED (2) so it never triggers.
Remove remaining HAVE_MMAP and BROKEN_MMAP bits.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
|
|
|
|
|
|
|
|
| |
Match LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime. Found by
Daniel Stocker, ok djm@
OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.
feedback and ok markus@
OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
|
|
|
|
| |
OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
|
|
|
|
|
|
| |
djm
OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171
|
|
|
|
|
|
| |
from Jakub Jelen
OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4
|
|
|
|
|
|
| |
included file from sshd_config; patch from Jakub Jelen
OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
|
|
|
|
|
|
|
| |
If the config contained 'RDomain %D' on a platform that did not support
it, the error would not be detected until runtime resulting in a broken
sshd. Detect this earlier and error out if found. bz#3126, based on a
patch from jjelen at redhat.com, tweaks and ok djm@
|
|
|
|
|
| |
so change the preprocessor test used to include it to check
__OpenBSD__, matching the code that uses the symbols it declares.
|
|
|
|
|
|
|
| |
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
.shosts files but not .rhosts. ok dtucker@
OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
|
|
|
|
|
|
| |
sshd_config, not just before any Match blocks; bz3148, ok dtucker@
OpenBSD-Commit-ID: e042467d703bce640b1f42c5d1a62bf3825736e8
|
|
|
|
| |
OpenBSD-Commit-ID: fa29b0da3c93cbc3a1d4c6bcd58af43c00ffeb5b
|
|
|
|
|
|
|
|
| |
of files. This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub Jelen in
bz2468; feedback and ok markus@
OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
|
|
|
|
|
|
|
| |
that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
|
|
|
|
|
|
|
|
|
|
| |
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
|
|
|
|
|
|
| |
spurious warnings from the cfgparse regress test
OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
|
|
|
|
|
|
| |
SecurityKeyProvider=internal - unbreaks cfgparse regress test
OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
|
|
|
|
|
|
|
|
|
|
|
| |
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
|
|
|
|
|
|
|
|
|
| |
U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.
feedback & ok markus@
OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
|
|
|
|
|
|
|
|
|
|
|
| |
by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
|
|
|
|
|
|
|
| |
-C does not match, which allows it to work when sshd_config contains a Match
directive with or without -C. bz#2858, ok djm@
OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
|
|
|
|
| |
OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
|
|
|
|
|
|
|
|
| |
function. This is a no-op on OpenBSD but will make things easier in
-portable, eg on systems where these checks should be case-insensitive. ok
djm@
OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
|
|
|
|
|
|
|
|
|
|
| |
The previous revert enabled case-insensitive user names again. This
patch implements the case-insensitive user and group name matching.
To allow Unicode chars, implement the matcher using wchar_t chars in
Cygwin-specific code. Keep the generic code changes as small as possible.
Cygwin: implement case-insensitive Unicode user and group name matching
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
|
| |
|