summaryrefslogtreecommitdiffstats
path: root/monitor.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Replace all calls to signal(2) with a wrapper arounddtucker@openbsd.org2020-01-231-5/+5
| | | | | | | | sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
* upstream: allow security keys to act as host keys as well as userdjm@openbsd.org2019-12-161-2/+2
| | | | | | | | | | | | | keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
* upstream: redundant testdjm@openbsd.org2019-11-251-2/+2
| | | | OpenBSD-Commit-ID: 38fa7806c528a590d91ae560e67bd8b246c2d7a3
* upstream: add a "no-touch-required" option for authorized_keys anddjm@openbsd.org2019-11-251-2/+3
| | | | | | | | | | a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
* upstream: Add a sshd_config PubkeyAuthOptions directivedjm@openbsd.org2019-11-251-24/+39
| | | | | | | | | | | This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
* upstream: Add new structure for signature optionsdjm@openbsd.org2019-11-251-3/+11
| | | | | | | | | | | This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
* upstream: a little more information from the monitor when signaturedjm@openbsd.org2019-11-191-3/+4
| | | | | | verification fails. OpenBSD-Commit-ID: e6a30071e0518cac512f9e10be3dc3500e2003f3
* upstream: Refactor signing - use sshkey_sign for everything,djm@openbsd.org2019-10-311-2/+2
| | | | | | | | | | | | | including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
* upstream: reversed test yielded incorrect debug messagedjm@openbsd.org2019-10-091-2/+2
| | | | OpenBSD-Commit-ID: 78bb512d04cfc238adb2c5b7504ac93eecf523b3
* wrap stdint.h include in HAVE_STDINT_HDamien Miller2019-10-091-1/+1
| | | | | | make the indenting a little more consistent too.. Fixes Solaris 2.6; reported by Tom G. Christensen
* upstream: When system calls indicate an error they return -1, notderaadt@openbsd.org2019-07-051-5/+5
| | | | | | | | some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
* upstream: rename kex->kem_client_pub -> kex->client_pub now thatdjm@openbsd.org2019-01-211-9/+9
| | | | | | | | KEM has been renamed to kexgen from markus@ ok djm@ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
* upstream: use KEM API for vanilla ECDHdjm@openbsd.org2019-01-211-2/+2
| | | | | | from markus@ ok djm@ OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
* upstream: use KEM API for vanilla DH KEXdjm@openbsd.org2019-01-211-6/+6
| | | | | | from markus@ ok djm@ OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
* upstream: use KEM API for vanilla c25519 KEXdjm@openbsd.org2019-01-211-2/+2
| | | | OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
* upstream: Add support for a PQC KEX/KEM:djm@openbsd.org2019-01-211-1/+2
| | | | | | | | | | | | sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@ OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
* last bits of old packet API / active_state globalDamien Miller2019-01-201-1/+1
|
* remove PAM dependencies on old packet APIDamien Miller2019-01-201-1/+1
| | | | | Requires some caching of values, because the PAM code isn't always called with packet context.
* upstream: remove last references to active_statedjm@openbsd.org2019-01-191-4/+4
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
* upstream: convert monitor.c to new packet APIdjm@openbsd.org2019-01-191-89/+80
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5
* upstream: convert auth.c to new packet APIdjm@openbsd.org2019-01-191-4/+4
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
* upstream: begin landing remaining refactoring of packet parsingdjm@openbsd.org2019-01-191-1/+4
| | | | | | | | | | | | | API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@ OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
* upstream: fix bug in HostbasedAcceptedKeyTypes anddjm@openbsd.org2018-11-161-5/+34
| | | | | | | | | PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
* adapt -portable to OpenSSL 1.1x APIDamien Miller2018-09-131-1/+3
| | | | Polyfill missing API with replacement functions extracted from LibreSSL
* upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org2018-09-131-2/+4
| | | | | | OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
* Remove support for S/KeyDamien Miller2018-07-311-66/+0
| | | | | | Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
* upstream: remove unused zlib.hdjm@openbsd.org2018-07-201-8/+1
| | | | OpenBSD-Commit-ID: 8d274a9b467c7958df12668b49144056819f79f1
* upstream: remove legacy key emulation layer; ok djm@markus@openbsd.org2018-07-121-7/+8
| | | | OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
* Supply some more missing "int r" in skeyDarren Tucker2018-07-111-1/+1
|
* Supply missing "int r" in skey code.Darren Tucker2018-07-111-0/+1
|
* Adapt portable to legacy buffer API removalDamien Miller2018-07-101-51/+76
|
* upstream: kerberos/gssapi fixes for buffer removaldjm@openbsd.org2018-07-101-6/+9
| | | | OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
* upstream: sshd: switch monitor to sshbuf API; lots of help & okmarkus@openbsd.org2018-07-101-216/+278
| | | | | | djm@ OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
* upstream: sshd: switch authentication to sshbuf API; ok djm@markus@openbsd.org2018-07-101-3/+1
| | | | OpenBSD-Commit-ID: 880aa06bce4b140781e836bb56bec34873290641
* upstream: sshd: switch loginmsg to sshbuf API; ok djm@markus@openbsd.org2018-07-101-4/+4
| | | | OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
* upstream: switch over to the new authorized_keys options API anddjm@openbsd.org2018-03-031-25/+45
| | | | | | | | | | | remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@ OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
* upstream committb@openbsd.org2018-02-061-5/+9
| | | | | | | | Add a couple of non-negativity checks to avoid close(-1). ok djm OpenBSD-Commit-ID: 4701ce0b37161c891c838d0931305f1d37a50880
* upstream commitdjm@openbsd.org2018-01-231-13/+8
| | | | | | | | | | | | | Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC- compliant SSH implementations. ok markus@ OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
* upstream commitdjm@openbsd.org2017-12-211-1/+8
| | | | | | | | revert stricter key type / signature type checking in userauth path; too much software generates inconsistent messages, so we need a better plan. OpenBSD-Commit-ID: 4a44ddc991c803c4ecc8f1ad40e0ab4d22e1c519
* upstream commitdjm@openbsd.org2017-12-191-3/+5
| | | | | | | | pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
* upstream commitdjm@openbsd.org2017-10-201-3/+1
| | | | | | | | replace statically-sized arrays in ServerOptions with dynamic ones managed by xrecallocarray, removing some arbitrary (though large) limits and saving a bit of memory; "much nicer" markus@ Upstream-ID: 1732720b2f478fe929d6687ac7b0a97ff2efe9d2
* upstream commitV_7_6_P1djm@openbsd.org2017-10-021-1/+3
| | | | | | Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@ Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
* upstream commitdjm@openbsd.org2017-09-121-2/+3
| | | | | | | | | | | | | | | | | | | | | | refactor channels.c Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@ Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
* upstream commitdjm@openbsd.org2017-06-241-18/+23
| | | | | | | | | | | refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
* upstream commitmarkus@openbsd.org2017-06-011-1/+10
| | | | | | use SO_ZEROIZE for privsep communication (if available) Upstream-ID: abcbb6d2f8039fc4367a6a78096e5d5c39de4a62
* upstream commitmarkus@openbsd.org2017-06-011-1/+12
| | | | | | clear session keys from memory; ok djm@ Upstream-ID: ecd178819868975affd5fd6637458b7c712b6a0f
* upstream commitmarkus@openbsd.org2017-05-311-18/+23
| | | | | | switch auth2-pubkey.c to modern APIs; with & ok djm@ Upstream-ID: 8f08d4316eb1b0c4ffe4a206c05cdd45ed1daf07
* upstream commitmarkus@openbsd.org2017-05-311-3/+3
| | | | | | switch from Key typedef with struct sshkey; ok djm@ Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
* upstream commitdjm@openbsd.org2017-02-041-1/+6
| | | | | | | | | | | use ssh_packet_set_log_preamble() to include connection username in packet log messages, e.g. Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth] ok markus@ bz#113 Upstream-ID: 3591b88bdb5416d6066fb3d49d8fff2375bf1a15
* upstream commitdjm@openbsd.org2016-09-281-47/+1
| | | | | | | | | | | | | | | | | | | | Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 04:27:22 +0100