summaryrefslogtreecommitdiffstats
path: root/misc.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Add a facility to sshd(8) to penalise particulardjm@openbsd.org2024-06-061-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
* upstream: Start the process of splitting sshd into separatedjm@openbsd.org2024-05-171-1/+9
| | | | | | | | | | | | | | | | | | | | binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out. OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* upstream: Separate parsing of string array options from applying themdjm@openbsd.org2024-03-041-1/+2
| | | | | | | | | | | | | to the active configuration. This fixes the config parser from erroneously rejecting cases like: AuthenticationMethods password Match User ivy AuthenticationMethods any bz3657 ok markus@ OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
* upstream: add ChannelTimeout support to the client, mirroring thedjm@openbsd.org2023-10-121-1/+2
| | | | | | same option in the server. ok markus@ OpenBSD-Commit-ID: 55630b26f390ac063980cfe7ad8c54b03284ef02
* upstream: Add keystroke timing obfuscation to the client.djm@openbsd.org2023-08-281-1/+2
| | | | | | | | | | | | This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword/ feedback/ok markus@ OpenBSD-Commit-ID: 02231ddd4f442212820976068c34a36e3c1b15be
* upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that causeddjm@openbsd.org2023-08-181-2/+3
| | | | | | | multiplexed sessions to ignore SIGINT under some circumstances. Reported by / feedback naddy@, ok dtucker@ OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a
* upstream: Ensure FIDO/PKCS11 libraries contain expected symbolsdjm@openbsd.org2023-07-191-1/+2
| | | | | | | | | | This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors. Feedback deraadt; ok markus OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
* upstream: Use time_t for x11_refuse_time timeout. We needdtucker@openbsd.org2023-03-031-1/+4
| | | | | | | SSH_TIME_T_MAX for this, so move from misc.c to misc.h so it's available. Fixes a Coverity warning for 64bit time_t safety, ok djm@ OpenBSD-Commit-ID: c69c4c3152cdaab953706db4ccf4d5fd682f7d8d
* upstream: add ptimeout API for keeping track of poll/ppolldjm@openbsd.org2023-01-061-1/+10
| | | | | | timeouts; ok dtucker markus OpenBSD-Commit-ID: 3335268ca135b3ec15a947547d7cfbb8ff929ead
* upstream: Make SetEnv directives first-match-wins in bothdjm@openbsd.org2022-06-031-1/+3
| | | | | | | | | | | sshd_config and sshd_config; previously if the same name was reused then the last would win (which is the opposite to how the config is supposed to work). While there, make the ssh_config parsing more like sshd_config. bz3438, ok dtucker OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
* upstream: replace select() with ppoll(), including convertingderaadt@openbsd.org2021-11-171-2/+2
| | | | | | timeval's to timespec's to make things easier. back and forth and ok; djm OpenBSD-Commit-ID: 89d3b23c60875da919e7820f9de6213286ffbec9
* upstream: SFTP protocol extension to allow the server to expanddjm@openbsd.org2021-08-101-1/+2
| | | | | | | | | | ~-prefixed paths, in particular ~user ones. Allows scp in sftp mode to accept these paths, like scp in rcp mode does. prompted by and much discussion deraadt@ ok markus@ OpenBSD-Commit-ID: 7d794def9e4de348e1e777f6030fc9bafdfff392
* upstream: Allow argv_split() to optionally terminate tokenisationdjm@openbsd.org2021-06-081-2/+7
| | | | | | | | | | | | when it encounters an unquoted comment. Add some additional utility function for working with argument vectors, since we'll be switching to using them to parse ssh/sshd_config shortly. ok markus@ as part of a larger diff; tested in snaps OpenBSD-Commit-ID: fd9c108cef2f713f24e3bc5848861d221bb3a1ac
* upstream: allow ssh_config SetEnv to override $TERM, which is otherwisedjm@openbsd.org2021-06-041-1/+3
| | | | | | | | handled specially by the protocol. Useful in ~/.ssh/config to set TERM to something generic (e.g. "xterm" instead of "xterm-256color") for destinations that lack terminfo entries. feedback and ok dtucker@ OpenBSD-Commit-ID: 38b1ef4d5bc159c7d9d589d05e3017433e2d5758
* upstream: highly polished whitespace, mostly fixing spaces-for-tabdjm@openbsd.org2021-04-031-6/+6
| | | | | | and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: needs FILE*; from Mike Frysingerdjm@openbsd.org2021-03-031-1/+2
| | | | OpenBSD-Commit-ID: dddb3aa9cb5792eeeaa37a1af67b5a3f25ded41d
* upstream: factor out opt_array_append; ok djm@markus@openbsd.org2021-02-171-1/+9
| | | | OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a
* upstream: Change convtime() from returning long to returning int.dtucker@openbsd.org2021-01-111-2/+2
| | | | | | | | On platforms where sizeof(int) != sizeof(long), convtime could accept values >MAX_INT which subsequently truncate when stored in an int during config parsing. bz#3250, ok djm@ OpenBSD-Commit-ID: 8fc932683d6b4660d52f50911d62bd6639c5db31
* upstream: move subprocess() from auth.c to misc.cdjm@openbsd.org2020-12-221-1/+11
| | | | | | | | | | | | make privilege dropping optional but allow it via callbacks (to avoid need to link uidswap.c everywhere) add some other flags (keep environment, disable strict path safety check) that make this more useful for client-side use. feedback & ok markus@ OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf
* upstream: Set the specified TOS/DSCP for interactive use prior todjm@openbsd.org2020-11-271-1/+3
| | | | | | | | | | | TCP connect. The connection phase of the SSH session is time-sensitive (due to server side login grace periods) and is frequently interactive (e.g. entering passwords). The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. ok dtucker@ OpenBSD-Commit-ID: f31ab10d9233363a6d2c9996007083ba43a093f1
* upstream: when requesting a security key touch on stderr, inform thedjm@openbsd.org2020-11-081-2/+3
| | | | | | user once the touch has been recorded; requested by claudio@ ok markus@ OpenBSD-Commit-ID: 3b76ee444490e546b9ea7f879e4092ee0d256233
* upstream: There are lots of place where we want to redirect stdin,djm@openbsd.org2020-10-031-1/+2
| | | | | | | | stdout and/or stderr to /dev/null. Factor all these out to a single stdfd_devnull() function that allows selection of which of these to redirect. ok markus@ OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099
* upstream: Make dollar_expand variadic and pass a real va_list todtucker@openbsd.org2020-05-291-2/+2
| | | | | | vdollar_percent_expand. Fixes build error on arm64 spotted by otto@. OpenBSD-Commit-ID: 181910d7ae489f40ad609b4cf4a20f3d068a7279
* upstream: Allow some keywords to expand shell-style ${ENV}dtucker@openbsd.org2020-05-291-1/+4
| | | | | | | | | | environment variables on the client side. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. This would for example allow forwarding of Unix domain socket paths that change at runtime. bz#3140, ok djm@ OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
* upstream: add fmt_timeframe() (from bgpd) to format a timedjm@openbsd.org2020-05-271-1/+2
| | | | | | | | interval in a human- friendly format. Switch copyright for this file from BSD to MIT to make it easier to add Henning's copyright for this function. ok markus@ OpenBSD-Commit-ID: 414a831c662df7e68893e5233e86f2cac081ccf9
* upstream: add xextendf() to extend a string with a formatdjm@openbsd.org2020-01-251-1/+3
| | | | | | (reallocating as necessary). ok aja@ as part of a larger diff OpenBSD-Commit-ID: 30796b50d330b3e0e201747fe40cdf9aa70a77f9
* upstream: Replace all calls to signal(2) with a wrapper arounddtucker@openbsd.org2020-01-231-1/+3
| | | | | | | | sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
* upstream: dd API for performing one-shot notifications via tty ordjm@openbsd.org2019-11-131-1/+6
| | | | | | SSH_ASKPASS OpenBSD-Commit-ID: 9484aea33aff5b62ce3642bf259546c7639f23f3
* upstream: move authorized_keys option parsing helpsers to misc.cdjm@openbsd.org2019-09-031-1/+6
| | | | | | and make them public; ok markus@ OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2
* upstream: move skip_space() to misc.c and make it public; okdjm@openbsd.org2019-09-031-1/+2
| | | | | | markus@ OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae
* upstream: Remove support for obsolete host/port syntax.dtucker@openbsd.org2019-01-241-1/+2
| | | | | | | | | | | host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH now supports for some things. Remove the slash notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen at redhat.com, ok markus@ OpenBSD-Commit-ID: fae5f4e23c51a368d6b2d98376069ac2b10ad4b7
* upstream: move client/server SSH-* banners to buffers underdjm@openbsd.org2018-12-271-1/+4
| | | | | | | | | | | | | ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@ OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
* upstream: Fix calculation of initial bandwidth limits. Account fordtucker@openbsd.org2018-12-271-2/+4
| | | | | | | | | | written bytes before the initial timer check so that the first buffer written is accounted. Set the threshold after which the timer is checked such that the limit starts being computed as soon as possible, ie after the second buffer is written. This prevents an initial burst of traffic and provides a more accurate bandwidth limit. bz#2927, ok djm. OpenBSD-Commit-ID: ff3ef76e4e43040ec198c2718d5682c36b255cb6
* upstream: use path_absolute() for pathname checks; from Manoj Ampalamdjm@openbsd.org2018-11-161-1/+2
| | | | OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
* upstream: Allow ssh_config IdentityAgent directive to acceptdjm@openbsd.org2018-10-031-1/+2
| | | | | | environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
* upstream: Remove uid checks from low port binds. Now that sshdtucker@openbsd.org2018-07-311-2/+1
| | | | | | | | | cannot be setuid and sshd always has privsep on, we can remove the uid checks for low port binds and just let the system do the check. We leave a sanity check for the !privsep case so long as the code is stil there. with & ok djm@ OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
* upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org2018-06-091-1/+2
| | | | | | | | | | | environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
* upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org2018-06-061-2/+1
| | | | | | static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
* upstream: add valid-before="[time]" authorized_keys option. Adjm@openbsd.org2018-03-141-1/+3
| | | | | | simple way of giving a key an expiry date. ok markus@ OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
* upstream commitmarkus@openbsd.org2018-01-231-7/+1
| | | | | | | move subprocess() so scp/sftp do not need uidswap.o; ok djm@ OpenBSD-Commit-ID: 6601b8360388542c2e5fef0f4085f8e54750bea8
* upstream commitdtucker@openbsd.org2017-12-071-1/+2
| | | | | | | | Replace atoi and strtol conversions for integer arguments to config keywords with a checking wrapper around strtonum. This will prevent and flag invalid and negative arguments to these keywords. ok djm@ OpenBSD-Commit-ID: 99ae3981f3d608a219ccb8d2fff635ae52c17998
* upstream commitdtucker@openbsd.org@openbsd.org2017-11-281-1/+3
| | | | | | | | | | Add monotime_ts and monotime_tv that return monotonic timespec and timeval respectively. Replace calls to gettimeofday() in packet timing with monotime_tv so that the callers will work over a clock step. Should prevent integer overflow during clock steps reported by wangle6 at huawei.com. "I like" markus@ OpenBSD-Commit-ID: 74d684264814ff806f197948b87aa732cb1b0b8a
* upstream commitdjm@openbsd.org2017-10-251-1/+2
| | | | | | | | | | add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
* upstream commitdjm@openbsd.org2017-10-251-1/+3
| | | | | | | | | Add optional rdomain qualifier to sshd_config's ListenAddress option to allow listening on a different rdomain(4), e.g. ListenAddress 0.0.0.0 rdomain 4 Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
* upstream commitdjm@openbsd.org2017-10-231-2/+2
| | | | | | | | | | | | | | | Expose devices allocated for tun/tap forwarding. At the client, the device may be obtained from a new %T expansion for LocalCommand. At the server, the allocated devices will be listed in a SSH_TUNNEL variable exposed to the environment of any user sessions started after the tunnel forwarding was established. ok markus Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
* upstream commitmillert@openbsd.org2017-10-231-1/+4
| | | | | | | | | | Add URI support to ssh, sftp and scp. For example ssh://user@host or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@ Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
* upstream commitdjm@openbsd.org2017-08-231-2/+2
| | | | | | | add a "quiet" flag to exited_cleanly() that supresses errors about exit status (failure due to signal is still reported) Upstream-ID: db85c39c3aa08e6ff67fc1fb4ffa89f807a9d2f0
* upstream commitdjm@openbsd.org2017-08-231-1/+21
| | | | | | | | | | Move several subprocess-related functions from various locations to misc.c. Extend subprocess() to offer a little more control over stdio disposition. feedback & ok dtucker@ Upstream-ID: 3573dd7109d13ef9bd3bed93a3deb170fbfce049
* upstream commitdtucker@openbsd.org2016-11-301-1/+2
| | | | | | | | | On startup, check to see if sshd is already daemonized and if so, skip the call to daemon() and do not rewrite the PidFile. This means that when sshd re-execs itself on SIGHUP the process ID will no longer change. Should address bz#2641. ok djm@ markus@. Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
* upstream commitdtucker@openbsd.org2016-10-241-1/+2
| | | | | | | | | Factor out "can bind to low ports" check into its own function. This will make it easier for Portable to support platforms with permissions models other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@. Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-11 12:06:09 +0100