summaryrefslogtreecommitdiffstats
path: root/servconf.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Split per-connection sshd-session binarydjm@openbsd.org2024-10-141-1/+10
| | | | | | | | | | | | | | | | | | | This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after thhe authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
* upstream: fix regression introduced when I switched the "Match"djm@openbsd.org2024-09-251-15/+42
| | | | | | | | | | | | | criteria tokeniser to a more shell-like one. Apparently the old tokeniser (accidentally?) allowed "Match criteria=argument" as well as the "Match criteria argument" syntax that we tested for. People were using this syntax so this adds back support for "Match criteria=argument" bz3739 ok dtucker OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
* upstream: bad whitespace in config dump outputdjm@openbsd.org2024-09-151-2/+2
| | | | OpenBSD-Commit-ID: d899c13b0e8061d209298eaf58fe53e3643e967c
* upstream: add a "Match invalid-user" predicate to sshd_config Matchdjm@openbsd.org2024-09-151-2/+15
| | | | | | | | | | | | | | | | | | options. This allows writing Match conditions that trigger for invalid username. E.g. PerSourcePenalties refuseconnection:90s Match invalid-user RefuseConnection yes Will effectively penalise bots try to guess passwords for bogus accounts, at the cost of implicitly revealing which accounts are invalid. feedback markus@ OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
* upstream: Add a "refuseconnection" penalty class to sshd_configdjm@openbsd.org2024-09-151-3/+11
| | | | | | | | | PerSourcePenalties This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@ OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
* upstream: Add a sshd_config "RefuseConnection" optiondjm@openbsd.org2024-09-151-2/+13
| | | | | | | | | If set, this will terminate the connection at the first authentication request (this is the earliest we can evaluate sshd_config Match blocks) ok markus@ OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
* upstream: switch sshd_config Match processing to the argv tokeniserdjm@openbsd.org2024-09-151-20/+16
| | | | | | too; ok markus@ OpenBSD-Commit-ID: b74b5b0385f2e0379670e2b869318a65b0bc3923
* upstream: fix minor memory leak in Subsystem option parsing; fromdjm@openbsd.org2024-08-171-1/+2
| | | | | | Antonio Larrosa via GHPR515 OpenBSD-Commit-ID: fff3bbefd1b2c45c98cbe45c6b857b15d8a2d364
* upstream: reduce logingrace penalty.djm@openbsd.org2024-07-261-2/+2
| | | | | | | | | A single forgotton login that times out should be below the penalty threshold. ok deraadt/claudio OpenBSD-Commit-ID: cee1f7d17597c97bff8e5092af5d136fdb08f81d
* add a sshd_config PamServiceName optionDamien Miller2024-06-141-1/+21
| | | | | | | | Allows selecting which PAM service name to use when UsePAM is enabled. Defaults to "sshd" unless overridden at compile time by defining SSHD_PAM_SERVICE. bz2102, ok dtucker@
* upstream: split PerSourcePenalties address tracking. Previously itdjm@openbsd.org2024-06-131-10/+32
| | | | | | | | | | | | | used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
* upstream: correct error messagedjm@openbsd.org2024-06-111-2/+2
| | | | OpenBSD-Commit-ID: 581f60f73099083392887206860229ab104620ed
* upstream: enable PerSourcePenalties by default.djm@openbsd.org2024-06-061-2/+2
| | | | | | | | | | | | | | | ok markus NB. if you run a sshd that accepts connections from behind large NAT blocks, proxies or anything else that aggregates many possible users behind few IP addresses, then this change may cause legitimate traffic to be denied. Please read the PerSourcePenalties, PerSourcePenaltyExemptList and PerSourceNetBlockSize options in sshd_config(5) for how to tune your sshd(8) for your specific circumstances. OpenBSD-Commit-ID: 24a0e5c23d37e5a63e16d2c6da3920a51078f6ce
* upstream: Add a facility to sshd(8) to penalise particulardjm@openbsd.org2024-06-061-1/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
* upstream: fix incorrect debug option name introduce in previousdjm@openbsd.org2024-05-171-5/+5
| | | | | | commit OpenBSD-Commit-ID: 66d69e22b1c072c694a7267c847f212284614ed3
* upstream: Start the process of splitting sshd into separatedjm@openbsd.org2024-05-171-96/+11
| | | | | | | | | | | | | | | | | | | | binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out. OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* upstream: Separate parsing of string array options from applying themdjm@openbsd.org2024-03-041-56/+110
| | | | | | | | | | | | | to the active configuration. This fixes the config parser from erroneously rejecting cases like: AuthenticationMethods password Match User ivy AuthenticationMethods any bz3657 ok markus@ OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
* upstream: don't append a gratuitous space to the end of subsystemdjm@openbsd.org2024-02-201-2/+2
| | | | | | arguments; bz3667 OpenBSD-Commit-ID: e11023aeb3f30b77a674e37b8292c862926d5dc6
* upstream: add ChannelTimeout support to the client, mirroring thedjm@openbsd.org2023-10-121-36/+4
| | | | | | same option in the server. ok markus@ OpenBSD-Commit-ID: 55630b26f390ac063980cfe7ad8c54b03284ef02
* upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer heredjm@openbsd.org2023-09-081-7/+7
| | | | | | is char**, so harmless); spotted in CID 416964 OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002
* upstream: allow override of Sybsystem directives in sshd Matchdjm@openbsd.org2023-09-071-2/+46
| | | | | | blocks OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722
* upstream: allocate the subsystems array as necessary and remove thedjm@openbsd.org2023-09-071-5/+13
| | | | | | | fixed limit of subsystems. Saves a few kb of memory in the server and makes it more like the other options. OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f
* upstream: preserve quoting of Subsystem commands and arguments.djm@openbsd.org2023-09-071-13/+11
| | | | | | | This may change behaviour of exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf
* upstream: downgrade duplicate Subsystem directives from being adjm@openbsd.org2023-09-071-6/+15
| | | | | | | fatal error to being a debug message to match behaviour with just about all other directives. OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce
* upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@djm@openbsd.org2023-08-291-2/+2
| | | | OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7
* upstream: move other RCSIDs to before their respective license blocksdjm@openbsd.org2023-07-171-2/+1
| | | | | | too no code change OpenBSD-Commit-ID: ef5bf46b57726e4260a63b032b0b5ac3b4fe9cd4
* upstream: better validate CASignatureAlgorithms in ssh_config anddjm@openbsd.org2023-06-211-2/+8
| | | | | | | | | | | sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. part of bz3577; ok dtucker@ OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
* upstream: Store timeouts as int, not u_int as they are limited tomillert@openbsd.org2023-06-201-4/+5
| | | | | | | INT_MAX. Fixes sign compare warnings systems with 32-bit time_t due to type promotion. OK djm@ OpenBSD-Commit-ID: 48081e9ad35705c5f1705711704a4c2ff94e87b7
* upstream: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommanddjm@openbsd.org2023-05-251-2/+2
| | | | | | | appears previously in configuration. Reported by John Meyers in bz3574 ok dtucker@ OpenBSD-Commit-ID: 1c92e4517284386703936e1d3abaa36cfacf1951
* upstream: Remove unused compat.h includes.dtucker@openbsd.org2023-03-051-2/+1
| | | | | | | | We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it. OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
* upstream: actually print "channeltimeout none" in config dump mode;djm@openbsd.org2023-03-031-3/+11
| | | | | | spotted via Coverity CID 405022 OpenBSD-Commit-ID: b074b52bf138b75f08264e8da15880b29c7a630f
* upstream: Add a sshd_config UnusedConnectionTimeout option to terminatedjm@openbsd.org2023-01-171-2/+23
| | | | | | | | | | client connections that have no open channels for some length of time. This complements the recently-added ChannelTimeout option that terminates inactive channels after a timeout. ok markus@ OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
* upstream: Implement channel inactivity timeoutsdjm@openbsd.org2023-01-061-10/+100
| | | | | | | | | | | | | | | This adds a sshd_config ChannelTimeouts directive that allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. Note: this only affects channels over an opened SSH connection and not the connection itself. Most clients close the connection when their channels go away, with a notable exception being ssh(1) in multiplexing mode. ok markus dtucker OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
* upstream: Remove some set but otherwise unused variables, spotteddtucker@openbsd.org2022-11-071-3/+2
| | | | | | in -portable by clang 16's -Wunused-but-set-variable. ok djm@ OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
* upstream: Check for and disallow MaxStartups values less than ordtucker@openbsd.org2022-11-071-1/+5
| | | | | | | equal to zero during config parsing, rather than faling later at runtime. bz#3489, ok djm@ OpenBSD-Commit-ID: d79c2b7a8601eb9be493629a91245d761154308b
* upstream: Add RequiredRSASize for sshd(8); RSA keys that falldjm@openbsd.org2022-09-171-1/+12
| | | | | | | | beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
* upstream: Make SetEnv directives first-match-wins in bothdjm@openbsd.org2022-06-031-1/+7
| | | | | | | | | | | sshd_config and sshd_config; previously if the same name was reused then the last would win (which is the opposite to how the config is supposed to work). While there, make the ssh_config parsing more like sshd_config. bz3438, ok dtucker OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
* upstream: don't try to resolve ListenAddress directives in the sshddjm@openbsd.org2022-03-201-4/+5
| | | | | | | | re-exec path - we're never going to use the result and if the operation fails then it can prevent connections from being accepted. Reported by Aaron Poffenberger; with / ok dtucker@ OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
* upstream: Switch hpdelim interface to accept only ":" as delimiter.dtucker@openbsd.org2022-02-101-12/+9
| | | | | | | | | | Historicallly, hpdelim accepted ":" or "/" as a port delimiter between hosts (or addresses) and ports. These days most of the uses for "/" are no longer accepted, so there are several places where it checks the delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2 in the other cases. ok djm@ OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
* upstream: revision 1.381 neglected to removemillert@openbsd.org2021-09-071-4/+3
| | | | | | | sChallengeResponseAuthentication from the enum. Noticed by christos@zoulas.com. OK dtucker@ OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
* Remove now-unused SSHv1 enums.Darren Tucker2021-07-021-1/+0
| | | | | sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options and are no longer used.
* upstream: Remove references to ChallengeResponseAuthentication indtucker@openbsd.org2021-07-021-13/+4
| | | | | | | | | | | | | favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
* upstream: switch sshd_config parsing to argv_split()djm@openbsd.org2021-06-081-283/+331
| | | | | | | | | | | | | similar to the previous commit, this switches sshd_config parsing to the newer tokeniser. Config parsing will be a little stricter wrt quote correctness and directives appearing without arguments. feedback and ok markus@ tested in snaps for the last five or so days - thanks Theo and those who caught bugs OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
* upstream: highly polished whitespace, mostly fixing spaces-for-tabdjm@openbsd.org2021-04-031-7/+7
| | | | | | and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: Add ModuliFile keyword to sshd_config to specify thedtucker@openbsd.org2021-03-131-2/+10
| | | | | | | | location of the "moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
* upstream: Put obsolete aliases for hostbasedalgorithms anddtucker@openbsd.org2021-02-241-3/+3
| | | | | | | pubkeyacceptedalgorithms after their current names so that the config-dump mode finds and uses the current names. Spotted by Phil Pennock. OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15
* upstream: factor out opt_array_append; ok djm@markus@openbsd.org2021-02-171-41/+15
| | | | OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a
* upstream: Rename HostbasedKeyTypes (ssh) anddtucker@openbsd.org2021-01-261-8/+9
| | | | | | | | | HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
* upstream: Rename PubkeyAcceptedKeyTypes keyword todtucker@openbsd.org2021-01-221-12/+13
| | | | | | | | | | PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
* upstream: Correct spelling of persourcenetblocksize in config-dumpdtucker@openbsd.org2021-01-111-2/+2
| | | | | | mode. OpenBSD-Commit-ID: ecdc49e2b6bde6b6b0e52163d621831f6ac7b13d
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 16:43:28 +0100