summaryrefslogtreecommitdiffstats
path: root/monitor_wrap.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Make debug call printf("%s", NULL) safe.dtucker@openbsd.org2024-10-221-2/+3
| | | | | | | Prevents problems on platforms where this isn't safe (which it's not required to be). ok djm@ OpenBSD-Commit-ID: 8fa4ce3ad90915c925b81b99a79ab920b0523387
* Resync cvsid missed in commit 6072e4c9.Darren Tucker2024-10-221-1/+1
|
* upstream: Split per-connection sshd-session binarydjm@openbsd.org2024-10-141-13/+68
| | | | | | | | | | | | | | | | | | | This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after thhe authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
* upstream: put back reaping of preauth child process when writesdjm@openbsd.org2024-06-201-19/+24
| | | | | | | from the monitor fail. Not sure how this got lost in the avalanche of patches. OpenBSD-Commit-ID: eb7eb36371e1ac01050b32b70fb2b3e5d98e72f5
* upstream: reap preauth net child if it hangs up during privsep messagedjm@openbsd.org2024-06-111-37/+24
| | | | | | send, not just message receive OpenBSD-Commit-ID: 02a093f4ab4f8f83f0cd1ea2bb35b9ca420448f0
* upstream: reap the pre-auth [net] child if it hangs up during privsepdjm@openbsd.org2024-06-111-24/+37
| | | | | | message sending, not just receiving OpenBSD-Commit-ID: f7341605bf08c4c15830910446e6775323f2f8cb
* upstream: reap the [net] child if it hangs up while writing privsepdjm@openbsd.org2024-06-111-4/+9
| | | | | | message payloads, not just the message header OpenBSD-Commit-ID: 24dbd400aa381ac96be7ed2dd49018487dfef6ce
* upstream: log waitpid() status for abnormal exitsdjm@openbsd.org2024-06-111-2/+3
| | | | OpenBSD-Commit-ID: b317930e06b51819c1a2bc6a4359764fecfb1c2d
* upstream: Add a facility to sshd(8) to penalise particulardjm@openbsd.org2024-06-061-1/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
* upstream: Start the process of splitting sshd into separatedjm@openbsd.org2024-05-171-39/+139
| | | | | | | | | | | | | | | | | | | | binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out. OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* upstream: add "ext-info-in-auth@openssh.com" extensiondjm@openbsd.org2023-12-181-2/+2
| | | | | | | | | | | | | | | This adds another transport protocol extension to allow a sshd to send SSH2_MSG_EXT_INFO during user authentication, after the server has learned the username that is being logged in to. This lets sshd to update the acceptable signature algoritms for public key authentication, and allows these to be varied via sshd_config(5) "Match" directives, which are evaluated after the server learns the username being authenticated. Full details in the PROTOCOL file OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
* upstream: Check fd against >=0 instead of >0 in error path. Thedtucker@openbsd.org2023-03-311-2/+2
| | | | | | | dup could in theory return fd 0 although currently it doesn't in practice. From Dmitry Belyavskiy vi github PR#238. OpenBSD-Commit-ID: 4a95f3f7330394dffee5c749d52713cbf3b54846
* upstream: Remove dead code from inside if block.dtucker@openbsd.org2023-03-301-3/+1
| | | | | | | The only way the if statement can be true is if both dup()s fail, and in that case the tmp2 can never be set. Coverity CID 291805, ok djm@ OpenBSD-Commit-ID: c0d6089b3fb725015462040cd94e23237449f0c8
* upstream: Implement channel inactivity timeoutsdjm@openbsd.org2023-01-061-1/+2
| | | | | | | | | | | | | | | This adds a sshd_config ChannelTimeouts directive that allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. Note: this only affects channels over an opened SSH connection and not the connection itself. Most clients close the connection when their channels go away, with a notable exception being ssh(1) in multiplexing mode. ok markus dtucker OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
* upstream: make sure that UseDNS hostname lookup happens in the monitordjm@openbsd.org2022-06-151-4/+3
| | | | | | | and not in the pledge(2)'d unprivileged process; fixes regression caused by recent refactoring spotted by henning@ OpenBSD-Commit-ID: a089870b95101cd8881a2dff65b2f1627d13e88d
* upstream: refactor authorized_keys/principals handlingdjm@openbsd.org2022-05-271-3/+4
| | | | | | | | | | remove "struct ssh *" from arguments - this was only used to pass the remote host/address. These can be passed in instead and the resulting code is less tightly coupled to ssh_api.[ch] ok dtucker@ OpenBSD-Commit-ID: 9d4373d013edc4cc4b5c21a599e1837ac31dda0d
* upstream: do not pass file/func to monitor; noted by Ilja van Sprundel;markus@openbsd.org2021-04-161-6/+3
| | | | | | ok djm@ OpenBSD-Commit-ID: 85ae5c063845c410283cbdce685515dcd19479fa
* upstream: clean up passing of struct passwd from monitor to preauthdjm@openbsd.org2020-11-271-7/+18
| | | | | | | | | privsep process. No longer copy entire struct w/ pointer addresses, but pass remaining scalar fields explicitly, Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@ OpenBSD-Commit-ID: 9925df75a56732c43f3663e70dd15ff413ab3e53
* Use fatal_fr not fatal_r when passing r.Darren Tucker2020-10-191-1/+1
| | | | Caught by the PAM -Werror tinderbox build.
* upstream: use the new variant log macros instead of prependingdjm@openbsd.org2020-10-181-118/+109
| | | | | | __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: LogVerbose keyword for ssh and sshddjm@openbsd.org2020-10-161-1/+4
| | | | | | | | | Allows forcing maximum debug logging by file/function/line pattern- lists. ok markus@ OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
* upstream: revised log infrastructure for OpenSSHdjm@openbsd.org2020-10-161-2/+6
| | | | | | | | | log functions receive function, filename and line number of caller. We can use this to selectively enable logging via pattern-lists. ok markus@ OpenBSD-Commit-ID: 51a472610cbe37834ce6ce4a3f0e0b1ccc95a349
* upstream: support for user-verified FIDO keysdjm@openbsd.org2020-08-271-2/+2
| | | | | | | | | | | | | | | | | FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
* upstream: allow security keys to act as host keys as well as userdjm@openbsd.org2019-12-161-3/+1
| | | | | | | | | | | | | keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
* upstream: Add new structure for signature optionsdjm@openbsd.org2019-11-251-4/+19
| | | | | | | | | | | This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
* upstream: additional missing stdarg.h includes when built withoutnaddy@openbsd.org2019-11-191-1/+1
| | | | | | WITH_OPENSSL; ok djm@ OpenBSD-Commit-ID: 881f9a2c4e2239849cee8bbf4faec9bab128f55b
* upstream: Refactor signing - use sshkey_sign for everything,djm@openbsd.org2019-10-311-3/+5
| | | | | | | | | | | | | including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
* upstream: When system calls indicate an error they return -1, notderaadt@openbsd.org2019-07-051-2/+2
| | | | | | | | some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
* upstream: Make sshpkt_get_bignum2() allocate the bignum it isdjm@openbsd.org2019-01-211-7/+3
| | | | | | | | parsing rather than make the caller do it. Saves a lot of boilerplate code. from markus@ ok djm@ OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
* last bits of old packet API / active_state globalDamien Miller2019-01-201-1/+1
|
* remove PAM dependencies on old packet APIDamien Miller2019-01-201-1/+1
| | | | | Requires some caching of values, because the PAM code isn't always called with packet context.
* upstream: remove last references to active_statedjm@openbsd.org2019-01-191-9/+6
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
* upstream: convert monitor.c to new packet APIdjm@openbsd.org2019-01-191-2/+1
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 61ecd154bd9804461a0cf5f495a29d919e0014d5
* upstream: convert auth.c to new packet APIdjm@openbsd.org2019-01-191-3/+2
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
* upstream: begin landing remaining refactoring of packet parsingdjm@openbsd.org2019-01-191-1/+4
| | | | | | | | | | | | | API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@ OpenBSD-Commit-ID: 93c98a6b38f6911fd1ae025a1ec57807fb4d4ef4
* Remove support for S/KeyDamien Miller2018-07-311-67/+0
| | | | | | Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
* upstream: remove unused zlib.hdjm@openbsd.org2018-07-201-8/+1
| | | | OpenBSD-Commit-ID: 8d274a9b467c7958df12668b49144056819f79f1
* Fallout from buffer conversion in AUDIT_EVENTS.Darren Tucker2018-07-131-2/+4
| | | | Supply missing "int r" and fix error path for sshbuf_new().
* upstream: remove legacy key emulation layer; ok djm@markus@openbsd.org2018-07-121-10/+7
| | | | OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
* Fix sshbuf_new error path in skey.Darren Tucker2018-07-111-2/+2
|
* Supply missing third arg in skey.Darren Tucker2018-07-111-1/+1
| | | | | During the change to the new buffer api the third arg to sshbuf_get_cstring was ommitted. Fixes build when configured with skey.
* Supply some more missing "int r" in skeyDarren Tucker2018-07-111-1/+2
|
* upstream: re-remove some pre-auth compression bitssf@openbsd.org2018-07-111-3/+1
| | | | | | | | | | This time, make sure to not remove things that are necessary for pre-auth compression on the client. Add a comment that pre-auth compression is still supported in the client. ok markus@ OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
* Adapt portable to legacy buffer API removalDamien Miller2018-07-101-79/+113
|
* upstream: kerberos/gssapi fixes for buffer removaldjm@openbsd.org2018-07-101-2/+2
| | | | OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
* upstream: sshd: switch monitor to sshbuf API; lots of help & okmarkus@openbsd.org2018-07-101-201/+284
| | | | | | djm@ OpenBSD-Commit-ID: d89bd02d33974fd35ca0b8940d88572227b34a48
* upstream: sshd: switch loginmsg to sshbuf API; ok djm@markus@openbsd.org2018-07-101-4/+5
| | | | OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
* upstream: Revert previous two commitssf@openbsd.org2018-07-101-1/+3
| | | | | | | | | | | | | | | | | | | | | | It turns out we still support pre-auth compression on the client. Therefore revert the previous two commits: date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE; Rename COMP_DELAYED to COMP_ZLIB Only delayed compression is supported nowadays. ok markus@ date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP; Remove leftovers from pre-authentication compression Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@ OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
* upstream: Remove leftovers from pre-authentication compressionsf@openbsd.org2018-07-101-3/+1
| | | | | | | | | Support for this has been removed in 2016. COMP_DELAYED will be renamed in a later commit. ok markus@ OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
* Many typo fixes from Karsten WeissDamien Miller2018-04-101-1/+1
| | | | Spotted using https://github.com/lucasdemarchi/codespell
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-01 20:58:48 +0100