| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
OpenBSD-Regress-ID: df7d18a87b475f70004770f0f4e404adba5f6ab7
|
|
negations
OpenBSD-Regress-ID: 67476baccc60bf1a255fd4e329ada950047b8b8d
|
|
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
|
|
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this setting is
enabled. Patch from Antonio Larrosa via bz3655
OpenBSD-Commit-ID: 820284a92eb4592fcd3d181a62c1b86b08a4a7ab
|
|
OpenBSD-Commit-ID: fdd056e7854294834d54632b4282b877cfe4c12e
|
|
exchange in sshd by default. Specifically, this removes the
diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client
is unchanged and continues to support these methods by default.
Finite field Diffie Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.
ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.
ok markus@
OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da
|
|
negated Matches; spotted by phessler@ ok deraadt@
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
|
|
OpenBSD-Commit-ID: 3a63e4e11d455704f684c28715d61b17f91e0996
|
|
original diff had a couple of errors, which i've fixed
OpenBSD-Commit-ID: f37ad5888adbc0d4e1cd6b6de237841f4b1e650d
|
|
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
|
|
OpenBSD-Commit-ID: 22072bfa1df1391858ae7768a6c627e08593a91e
|
|
From Void Linux
|
|
Fixes compile error on Void Linux/Musl
|
|
|
|
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
utmpx, but forgot to change the ifdef appropriately
|
|
OpenBSD-Commit-ID: 81869ee6356fdbff19dae6ff757095e6b24de712
|
|
OpenBSD-Commit-ID: 3fb621a58e04b759a875ad6a33f35bb57ca80231
|
|
|
|
|
|
OpenBSD-Commit-ID: 303417285f1a73b9cb7a2ae78d3f493bbbe31f98
|
|
|
|
|
|
key values need to be static to persist across invocations;
spotted by the Qualys Security Advisory team.
|
|
relies on using -fwrapv to provide defined over/underflow behaviour, but we
use -ftrapv to catch integer errors and abort the program. ok dtucker@
OpenBSD-Commit-ID: 8933369b33c17b5f02479503d0a92d87bc3a574b
|
|
OpenBSD-Commit-ID: 1c81f37b138b8b66abba811fec836388a0f3e6da
|
|
|
|
OpenBSD-Commit-ID: d899c13b0e8061d209298eaf58fe53e3643e967c
|
|
Simpler and removes some code with the old-style BSD license.
|
|
implementation in SUPERCOP 20201130 to the "compact" implementation in
SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel
J Bernstein for pointing out the new implementation (and of course for
writing it).
tested in snaps/ok deraadt@
OpenBSD-Commit-ID: bf1a77924c125ecdbf03e2f3df8ad13bd3dafdcb
|
|
OpenBSD-Commit-ID: 2c84a9b517283e9711e2812c1f268081dcb02081
|
|
options.
This allows writing Match conditions that trigger for invalid username.
E.g.
PerSourcePenalties refuseconnection:90s
Match invalid-user
RefuseConnection yes
Will effectively penalise bots try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.
feedback markus@
OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
|
|
PerSourcePenalties
This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@
OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
|
|
If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)
ok markus@
OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
|
|
too; ok markus@
OpenBSD-Commit-ID: b74b5b0385f2e0379670e2b869318a65b0bc3923
|
|
string tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@
OpenBSD-Commit-ID: 0877309650b76f624b2194c35dbacaf065e769a5
|
|
prompts. Helps the user know what's going on when ssh-keygen is invoked via
other tools. Requested in GHPR503
OpenBSD-Commit-ID: 613b0bb6cf845b7e787d69a5b314057ceda6a8b6
|
|
verification fails. Prevents restrictive key options being incorrectly
applied to subsequent keys in authorized_keys. bz3733, ok markus@
OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e
|
|
In Fedora systems, %{?rhel} is empty. In RHEL systems, %{?fedora} is
empty. Therefore, the original code always sets without_openssl to 1.
|
|
OpenSSH 9.8, which incorrectly required that sshd was started with an
absolute path in inetd mode. bz3717, patch from Colin Wilson
OpenBSD-Commit-ID: 25c57f22764897242d942853f8cccc5e991ea058
|
|
OpenBSD-Commit-ID: fa18dccdd9753dd287e62ecab189b3de45672521
|
|
|
|
|
|
|
|
|
|
used for C89 compilers
|
|
I can't find a reliable way to detect the features the ML-KEM code
requires in configure. Give up for now and use VLA support (that we
can detect) as a proxy for "old compiler" and turn off ML-KEM if
it isn't supported.
|
|
The previous commit was incorrect (or at least insufficient), the
ML-KEM code is actually using compound literals, so test for them.
|
