summaryrefslogtreecommitdiffstats
path: root/servconf.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Split per-connection sshd-session binarydjm@openbsd.org2024-10-141-0/+1
| | | | | | | | | | | | | | | | | | | This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after thhe authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
* upstream: add a "Match invalid-user" predicate to sshd_config Matchdjm@openbsd.org2024-09-151-1/+2
| | | | | | | | | | | | | | | | | | options. This allows writing Match conditions that trigger for invalid username. E.g. PerSourcePenalties refuseconnection:90s Match invalid-user RefuseConnection yes Will effectively penalise bots try to guess passwords for bogus accounts, at the cost of implicitly revealing which accounts are invalid. feedback markus@ OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
* upstream: Add a "refuseconnection" penalty class to sshd_configdjm@openbsd.org2024-09-151-1/+2
| | | | | | | | | PerSourcePenalties This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@ OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
* upstream: Add a sshd_config "RefuseConnection" optiondjm@openbsd.org2024-09-151-1/+3
| | | | | | | | | If set, this will terminate the connection at the first authentication request (this is the earliest we can evaluate sshd_config Match blocks) ok markus@ OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
* add a sshd_config PamServiceName optionDamien Miller2024-06-141-0/+2
| | | | | | | | Allows selecting which PAM service name to use when UsePAM is enabled. Defaults to "sshd" unless overridden at compile time by defining SSHD_PAM_SERVICE. bz2102, ok dtucker@
* upstream: split PerSourcePenalties address tracking. Previously itdjm@openbsd.org2024-06-131-2/+4
| | | | | | | | | | | | | used one shared table and overflow policy for IPv4 and IPv6 addresses, now it will use separate tables and optionally different overflow policies. This prevents misbehaviour from IPv6 addresses (which are vastly easier to obtain many of) from affecting IPv4 connections and may allow for stricter overflow policies. ok deraadt@ OpenBSD-Commit-ID: 12637ed0aa4d5f1f3e702da42ea967cbd8bfdfd9
* upstream: Add a facility to sshd(8) to penalise particulardjm@openbsd.org2024-06-061-1/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | problematic client behaviours, controlled by two new sshd_config(5) options: PerSourcePenalties and PerSourcePenaltyExemptList. When PerSourcePenalties are enabled, sshd(8) will monitor the exit status of its child pre-auth session processes. Through the exit status, it can observe situations where the session did not authenticate as expected. These conditions include when the client repeatedly attempted authentication unsucessfully (possibly indicating an attack against one or more accounts, e.g. password guessing), or when client behaviour caused sshd to crash (possibly indicating attempts to exploit sshd). When such a condition is observed, sshd will record a penalty of some duration (e.g. 30 seconds) against the client's address. If this time is above a minimum threshold specified by the PerSourcePenalties, then connections from the client address will be refused (along with any others in the same PerSourceNetBlockSize CIDR range). Repeated offenses by the same client address will accrue greater penalties, up to a configurable maximum. A PerSourcePenaltyExemptList option allows certain address ranges to be exempt from all penalties. We hope these options will make it significantly more difficult for attackers to find accounts with weak/guessable passwords or exploit bugs in sshd(8) itself. PerSourcePenalties is off by default, but we expect to enable it automatically in the near future. much feedback markus@ and others, ok markus@ OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
* upstream: remove unused struct fwd_perm_list, no decl with completejsg@openbsd.org2024-05-271-2/+1
| | | | | | type ok djm@ OpenBSD-Commit-ID: 416fb3970b7e73c76d2963c4f00cf96f2b2ee2fb
* upstream: remove prototypes with no matching function; ok djm@jsg@openbsd.org2024-05-221-3/+1
| | | | OpenBSD-Commit-ID: 6d9065dadea5f14a01bece0dbfe2fba1be31c693
* upstream: Start the process of splitting sshd into separatedjm@openbsd.org2024-05-171-9/+4
| | | | | | | | | | | | | | | | | | | | binaries. This step splits sshd into a listener and a session binary. More splits are planned. After this changes, the listener binary will validate the configuration, load the hostkeys, listen on port 22 and manage MaxStartups only. All session handling will be performed by a new sshd-session binary that the listener fork+execs. This reduces the listener process to the minimum necessary and sets us up for future work on the sshd-session binary. feedback/ok markus@ deraadt@ NB. if you're updating via source, please restart sshd after installing, otherwise you run the risk of locking yourself out. OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
* upstream: allow override of Sybsystem directives in sshd Matchdjm@openbsd.org2023-09-071-6/+8
| | | | | | blocks OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722
* upstream: Add a sshd_config UnusedConnectionTimeout option to terminatedjm@openbsd.org2023-01-171-1/+3
| | | | | | | | | | client connections that have no open channels for some length of time. This complements the recently-added ChannelTimeout option that terminates inactive channels after a timeout. ok markus@ OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
* upstream: Implement channel inactivity timeoutsdjm@openbsd.org2023-01-061-1/+6
| | | | | | | | | | | | | | | This adds a sshd_config ChannelTimeouts directive that allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. Note: this only affects channels over an opened SSH connection and not the connection itself. Most clients close the connection when their channels go away, with a notable exception being ssh(1) in multiplexing mode. ok markus dtucker OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
* upstream: Add RequiredRSASize for sshd(8); RSA keys that falldjm@openbsd.org2022-09-171-1/+2
| | | | | | | | beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
* upstream: don't try to resolve ListenAddress directives in the sshddjm@openbsd.org2022-03-201-2/+2
| | | | | | | | re-exec path - we're never going to use the result and if the operation fails then it can prevent connections from being accepted. Reported by Aaron Poffenberger; with / ok dtucker@ OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
* Sync remaining ChallengeResponse removal.Darren Tucker2021-07-031-2/+1
| | | | These were omitted from commit 88868fd131.
* upstream: highly polished whitespace, mostly fixing spaces-for-tabdjm@openbsd.org2021-04-031-4/+4
| | | | | | and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: whitespace (tab after space)djm@openbsd.org2021-04-031-2/+2
| | | | OpenBSD-Commit-ID: 0e2b3f7674e985d3f7c27ff5028e690ba1c2efd4
* upstream: Add ModuliFile keyword to sshd_config to specify thedtucker@openbsd.org2021-03-131-1/+2
| | | | | | | | location of the "moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
* upstream: Rename HostbasedKeyTypes (ssh) anddtucker@openbsd.org2021-01-261-3/+3
| | | | | | | | | HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
* upstream: Rename PubkeyAcceptedKeyTypes keyword todtucker@openbsd.org2021-01-221-3/+3
| | | | | | | | | | PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
* upstream: Add PerSourceMaxStartups and PerSourceNetBlockSizedtucker@openbsd.org2021-01-111-1/+4
| | | | | | | options which provide more fine grained MaxStartups limits. Man page help jmc@, feedback & ok djm@ OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b
* upstream: fix sshd_config SetEnv directive inside Match blocks; part ofdjm@openbsd.org2020-10-291-1/+2
| | | | | | github PR#201 from github user manuelm OpenBSD-Commit-ID: 9772e3748abff3ad65ae8fc43d026ed569b1d2bc
* upstream: LogVerbose keyword for ssh and sshddjm@openbsd.org2020-10-161-1/+4
| | | | | | | | | Allows forcing maximum debug logging by file/function/line pattern- lists. ok markus@ OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
* upstream: support for requiring user verified FIDO keys in sshddjm@openbsd.org2020-08-271-2/+3
| | | | | | | | | | | | | This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
* upstream: some language improvements; ok markusdjm@openbsd.org2020-07-151-4/+4
| | | | OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
* upstream: make IgnoreRhosts a tri-state option: "yes" ignoredjm@openbsd.org2020-04-171-1/+6
| | | | | | | rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. ok dtucker@ OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
* Use sys-queue.h from compat library.Darren Tucker2020-02-011-1/+1
| | | | Fixes build on platforms that don't have sys/queue.h (eg MUSL).
* upstream: Add a sshd_config "Include" directive to allow inclusiondjm@openbsd.org2020-02-011-4/+16
| | | | | | | | of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@ OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
* upstream: allow security keys to act as host keys as well as userdjm@openbsd.org2019-12-161-1/+2
| | | | | | | | | | | | | keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
* upstream: Add a sshd_config PubkeyAuthOptions directivedjm@openbsd.org2019-11-251-1/+5
| | | | | | | | | | | This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
* upstream: When running sshd -T, assume any attibute not provided bydtucker@openbsd.org2019-05-081-1/+3
| | | | | | | -C does not match, which allows it to work when sshd_config contains a Match directive with or without -C. bz#2858, ok djm@ OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
* upstream: convert servconf.c to new packet APIdjm@openbsd.org2019-01-191-2/+2
| | | | | | with & ok markus@ OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4
* upstream: silence (to log level debug2) failure messages whendjm@openbsd.org2018-11-191-2/+3
| | | | | | | | | | | | | | | | loading the default hostkeys. Hostkeys explicitly specified in the configuration or on the command-line are still reported as errors, and failure to load at least one host key remains a fatal error. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch from Dag-Erling Smørgrav via https://github.com/openssh/openssh-portable/pull/103 ok markus@ OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684
* upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org2018-09-201-1/+3
| | | | | | | | | | control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
* upstream: sshd: switch loginmsg to sshbuf API; ok djm@markus@openbsd.org2018-07-101-3/+3
| | | | OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
* upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org2018-07-031-1/+3
| | | | | | | | pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
* upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org2018-06-091-1/+3
| | | | | | | | | | | administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
* upstream: permitlisten option for authorized_keys; ok markus@djm@openbsd.org2018-06-061-5/+4
| | | | OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
* upstream: Add a PermitListen directive to control which server-sidedjm@openbsd.org2018-06-061-9/+7
| | | | | | | | | | | | addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
* upstream: Defend against user enumeration timing attacks. Thisdtucker@openbsd.org2018-04-131-1/+2
| | | | | | | | establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@. OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca
* upstream commitdjm@openbsd.org2017-10-251-1/+2
| | | | | | | | add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which rdomain(4) a connection was recevied on. ok markus@ Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
* upstream commitdjm@openbsd.org2017-10-251-1/+4
| | | | | | | | | | add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
* upstream commitdjm@openbsd.org2017-10-251-4/+21
| | | | | | | | | Add optional rdomain qualifier to sshd_config's ListenAddress option to allow listening on a different rdomain(4), e.g. ListenAddress 0.0.0.0 rdomain 4 Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
* upstream commitDamien Miller2017-10-201-28/+24
| | | | | | Apply missing commit 1.127 to servconf.h Upstream-ID: f14c4bac74a2b7cf1e3cff6bea5c447f192a7d15
* upstream commitV_7_6_P1djm@openbsd.org2017-10-021-2/+2
| | | | | | Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@ Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
* upstream commitdjm@openbsd.org2017-09-121-2/+12
| | | | | | | | | | | | | | | | | | | | | | refactor channels.c Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@ Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
* upstream commitdjm@openbsd.org2017-06-241-1/+2
| | | | | | | | | | | refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
* upstream commitdjm@openbsd.org2016-11-301-1/+2
| | | | | | | | | | | | Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
* upstream commitdjm@openbsd.org2016-08-231-2/+1
| | | | | | | remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 17:43:40 +0100