authorEd Maste <emaste@FreeBSD.org>2021-11-04 17:16:52 +0000
committerEd Maste <emaste@FreeBSD.org>2021-11-04 17:16:52 +0000
commit4f19900354cc6b4531038e294d8ad1d115118e9d (patch)
tree50a787995c8ed3d824f4d8a690bb9cd26a7f5e3e
parent66719ee573ac2290622db642f6e89ab35b179f3d (diff)
Vendor import of OpenSSH 8.8p1vendor/openssh/8.8p1
-rwxr-xr-x.github/setup_ci.sh6
-rw-r--r--.github/workflows/c-cpp.yml7
-rw-r--r--ChangeLog1162
-rw-r--r--README2
-rw-r--r--auth-pam.c1
-rw-r--r--channels.c8
-rw-r--r--clientloop.c5
-rw-r--r--compat.c3
-rw-r--r--config.h.in6
-rwxr-xr-xconfigure11
-rw-r--r--configure.ac10
-rw-r--r--contrib/redhat/openssh.spec2
-rwxr-xr-xcontrib/redhat/sshd.init.old155
-rw-r--r--contrib/redhat/sshd.pam.old8
-rw-r--r--contrib/suse/openssh.spec2
-rw-r--r--log.c11
-rw-r--r--misc.c9
-rw-r--r--myproposal.h6
-rw-r--r--openbsd-compat/bsd-pselect.c2
-rwxr-xr-xopensshd.init.in22
-rw-r--r--platform-tracing.c10
-rw-r--r--readconf.c58
-rw-r--r--readconf.h3
-rw-r--r--regress/Makefile3
-rw-r--r--regress/agent-getpeereid.sh12
-rw-r--r--regress/exit-status-signal.sh24
-rw-r--r--regress/hostkey-rotate.sh19
-rw-r--r--regress/keys-command.sh4
-rw-r--r--regress/knownhosts-command.sh6
-rw-r--r--regress/putty-ciphers.sh12
-rw-r--r--regress/putty-kex.sh12
-rw-r--r--regress/putty-transfer.sh12
-rw-r--r--regress/sftp-chroot.sh9
-rw-r--r--regress/sshfp-connect.sh14
-rw-r--r--regress/test-exec.sh10
-rw-r--r--scp.040
-rw-r--r--scp.142
-rw-r--r--scp.c40
-rw-r--r--servconf.c7
-rw-r--r--sftp-client.c3
-rw-r--r--sftp-realpath.c3
-rw-r--r--sftp.c25
-rw-r--r--ssh-keygen.c5
-rw-r--r--ssh.032
-rw-r--r--ssh.117
-rw-r--r--ssh.c12
-rw-r--r--ssh_config.038
-rw-r--r--ssh_config.530
-rw-r--r--sshd.012
-rw-r--r--sshd.811
-rw-r--r--sshd_config.017
-rw-r--r--sshd_config.510
-rw-r--r--version.h4
53 files changed, 939 insertions, 1055 deletions
diff --git a/.github/setup_ci.sh b/.github/setup_ci.sh
index 70a444e4eff4..107c049c4175 100755
--- a/.github/setup_ci.sh
+++ b/.github/setup_ci.sh
@@ -11,6 +11,7 @@ TARGETS=$@
PACKAGES=""
INSTALL_FIDO_PPA="no"
+export DEBIAN_FRONTEND=noninteractive
#echo "Setting up for '$TARGETS'"
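Review bot: The `export DEBIAN_FRONTEND=noninteractive` added here only reaches apt if sudo forwards the variable, and a stock sudoers `env_reset` drops it; whether this CI runner's sudoers keeps it is not visible in the diff. The installs that depend on it run under `sudo` in the hunk at `@@ -78,8 +80,8 @@` and, presumably, elsewhere in this file, so a silent fall-back to the interactive frontend is possible. Passing it on the command itself, `sudo DEBIAN_FRONTEND=noninteractive apt install -qy software-properties-common`, or invoking `sudo -E`, makes the intent hold regardless of sudoers, and a short comment next to the export, `# only effective for apt if sudo forwards it (sudo -E or inline)`, would record the assumption.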
@@ -54,6 +55,7 @@ for TARGET in $TARGETS; do
openssl-*)
INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_OPENSSL} in
+ 1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
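Review bot: The new `1.1.1_stable)` arm is correct only because it precedes the `1.*)` glob, which would otherwise match the same target and produce `OpenSSL_1_1_1_stable`; nothing in the hunk records that ordering constraint. A one-line comment on the added arm, `# keep before the 1.* arm — that glob matches this target too`, would protect the mapping from a later reordering. The enclosing `for TARGET in $TARGETS` loop starts outside the hunk.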
@@ -78,8 +80,8 @@ done
if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt update -qq
- sudo apt install software-properties-common
- sudo apt-add-repository ppa:yubico/stable
+ sudo apt install -qy software-properties-common
+ sudo apt-add-repository -y ppa:yubico/stable
fi
if [ "x" != "x$PACKAGES" ]; then
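Review bot: The two rewritten `sudo` lines still run unchecked: if `apt install -qy software-properties-common` fails, `apt-add-repository -y` runs anyway and the failure only surfaces later as a missing package, unless the script enables `set -e` above this hunk (not visible here). Chaining them, `sudo apt install -qy software-properties-common && sudo apt-add-repository -y ppa:yubico/stable || exit 1`, keeps the failure at its source. With `-y` the third-party PPA and its signing key are now accepted without confirmation, which is what a non-interactive job needs, so a comment stating the trust decision, `# third-party PPA accepted without prompt; only used when INSTALL_FIDO_PPA=yes`, would make that choice explicit for the next reader.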
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index 289b18b7f621..152ddaa4fba6 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -31,7 +31,9 @@ jobs:
- { os: ubuntu-latest, configs: libressl-2.2.9 }
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- - { os: ubuntu-latest, configs: libressl-3.2.5 }
+ - { os: ubuntu-latest, configs: libressl-3.2.6 }
+ - { os: ubuntu-latest, configs: libressl-3.3.4 }
+ - { os: ubuntu-latest, configs: libressl-3.4.0 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -40,6 +42,9 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
+ - { os: ubuntu-latest, configs: openssl-3.0.0 }
+ - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
+ - { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- { os: ubuntu-18.04, configs: pam }
- { os: ubuntu-18.04, configs: kerberos5 }
- { os: ubuntu-18.04, configs: libedit }
diff --git a/ChangeLog b/ChangeLog
index 288e90bbfe51..9e660ec37ef3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,538 @@
+commit bf944e3794eff5413f2df1ef37cddf96918c6bde
+Author: Damien Miller <djm@mindrot.org>
+Date: Mon Sep 27 00:03:19 2021 +1000
+
+ initgroups needs grp.h
+
+commit 8c5b5655149bd76ea21026d7fe73ab387dbc3bc7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Sep 26 14:01:11 2021 +0000
+
+ upstream: openssh-8.8
+
+ OpenBSD-Commit-ID: 12357794602ac979eb7312a1fb190c453f492ec4
+
+commit f3cbe43e28fe71427d41cfe3a17125b972710455
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Sep 26 14:01:03 2021 +0000
+
+ upstream: need initgroups() before setresgid(); reported by anton@,
+
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+commit 8acaff41f7518be40774c626334157b1b1c5583c
+Author: Damien Miller <djm@mindrot.org>
+Date: Sun Sep 26 22:16:36 2021 +1000
+
+ update version numbers for release
+
+commit d39039ddc0010baa91c70a0fa0753a2699bbf435
+Author: kn@openbsd.org <kn@openbsd.org>
+Date: Sat Sep 25 09:40:33 2021 +0000
+
+ upstream: RSA/SHA-1 is not used by default anymore
+
+ OK dtucker deraadt djm
+
+ OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6
+
+commit 9b2ee74e3aa8c461eb5552a6ebf260449bb06f7e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 24 11:08:03 2021 +1000
+
+ Move the fgrep replacement to hostkey-rotate.sh.
+
+ The fgrep replacement for buggy greps doesn't work in the sftp-glob test
+ so move it to just where we know it's needed.
+
+commit f7039541570d4b66d76e6f574544db176d8d5c02
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 24 08:04:14 2021 +1000
+
+ Replacement function for buggy fgrep.
+
+ GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will
+ occasionally fail to find ssh host keys in the hostkey-rotate test.
+ If we have those versions, use awk instead.
+
+commit f6a660e5bf28a01962af87568e118a2d2e79eaa0
+Author: David Manouchehri <david.manouchehri@riseup.net>
+Date: Thu Sep 23 17:03:18 2021 -0400
+
+ Don't prompt for yes/no questions.
+
+commit 7ed1a3117c09f8c3f1add35aad77d3ebe1b85b4d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Sep 20 06:53:56 2021 +0000
+
+ upstream: fix missing -s in SYNOPSYS and usage() as well as a
+
+ capitalisation mistake; spotted by jmc@
+
+ OpenBSD-Commit-ID: 0ed8ee085c7503c60578941d8b45f3a61d4c9710
+
+commit 8c07170135dde82a26886b600a8bf6fb290b633d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Sep 20 04:02:13 2021 +0000
+
+ upstream: Fix "Allocated port" debug message
+
+ for unix domain sockets. From peder.stray at gmail.com via github PR#272,
+ ok deraadt@
+
+ OpenBSD-Commit-ID: 8d5ef3fbdcdd29ebb0792b5022a4942db03f017e
+
+commit 277d3c6adfb128b4129db08e3d65195d94b55fe7
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Sep 20 01:55:42 2021 +0000
+
+ upstream: Switch scp back to use the old protocol by default, ahead of
+
+ release. We'll wait a little longer for people to pick up sftp-server(8) that
+ supports the extension that scp needs for ~user paths to continue working in
+ SFTP protocol mode. Discussed with deraadt@
+
+ OpenBSD-Commit-ID: f281f603a705fba317ff076e7b11bcf2df941871
+
+commit ace19b34cc15bea3482be90450c1ed0cd0dd0669
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Sep 18 02:03:25 2021 +0000
+
+ upstream: better error message for ~user failures when the
+
+ sftp-server lacks the expand-path extension; ok deraadt@
+
+ OpenBSD-Commit-ID: 9c1d965d389411f7e86f0a445158bf09b8f9e4bc
+
+commit 6b1238ba971ee722a310d95037b498ede5539c03
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 15:22:22 2021 +0000
+
+ upstream: make some more scp-in-SFTP mode better match Unix idioms
+
+ suggested by deraadt@
+
+ OpenBSD-Commit-ID: 0f2439404ed4cf0b0be8bf49a1ee734836e1ac87
+
+commit e694f8ac4409931e67d08ac44ed251b20b10a957
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 15:11:19 2021 +0000
+
+ upstream: allow log_stderr==2 to prefix log messages with argv[0]
+
+ use this to make scp's SFTP mode error messages more scp-like
+
+ prompted by and ok deraadt@
+
+ OpenBSD-Commit-ID: 0e821dbde423fc2280e47414bdc22aaa5b4e0733
+
+commit 8a7a06ee505cb833e613f74a07392e9296286c30
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Sep 17 13:03:31 2021 +1000
+
+ Test against LibreSSL 3.2.6, 3.3.4, 3.4.0.
+
+commit c25c84074a47f700dd6534995b4af4b456927150
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Thu Sep 16 05:36:03 2021 +0000
+
+ upstream: missing space character in ssh -G output broke the
+
+ t-sshcfgparse regression test; spotted by anton@
+
+ OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0
+
+commit a4bee1934bf5e5575fea486628f4123d6a29dff8
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 15 06:56:01 2021 +0000
+
+ upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok
+
+ markus@
+
+ OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
+
+commit d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd
+Author: mbuhl@openbsd.org <mbuhl@openbsd.org>
+Date: Tue Sep 14 11:04:21 2021 +0000
+
+ upstream: put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT
+
+ OK mfriedl@
+
+ OpenBSD-Commit-ID: 1aba1da828956cacaadb81a637338734697d9798
+
+commit 19b3d846f06697c85957ab79a63454f57f8e22d6
+Author: schwarze@openbsd.org <schwarze@openbsd.org>
+Date: Sat Sep 11 09:05:50 2021 +0000
+
+ upstream: Do not ignore SIGINT while waiting for input if editline(3)
+
+ is not used. Instead, in non-interactive mode, exit sftp(1), like for other
+ serious errors. As pointed out by dtucker@, when compiled without editline(3)
+ support in portable OpenSSH, the el == NULL branch is also used for
+ interactive mode. In that case, discard the input line and provide a fresh
+ prompt to the user just like in the case where editline(3) is used. OK djm@
+
+ OpenBSD-Commit-ID: 7d06f4d3ebba62115527fafacf38370d09dfb393
+
+commit ba61123eef9c6356d438c90c1199a57a0d7bcb0a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sat Sep 11 00:40:24 2021 +0000
+
+ upstream: when using SFTP protocol, continue transferring files after a
+
+ transfer error occurs. This matches original scp/rcp behaviour. ok dtucker@
+
+ OpenBSD-Commit-ID: dfe4558d71dd09707e9b5d6e7d2e53b793da69fa
+
+commit b0ec59a708b493c6f3940336b1a537bcb64dd2a7
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 11:38:38 2021 +0000
+
+ upstream: Document that non-interactive commands are run via the user's
+
+ shell using the -c flag. ok jmc@
+
+ OpenBSD-Commit-ID: 4f0d912077732eead10423afd1acf4fc0ceec477
+
+commit 66a658b5d9e009ea11f8a0ca6e69c7feb2d851ea
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 10:26:02 2021 +0000
+
+ upstream: Document behaviour of arguments following non-interactive
+
+ commands. Prompted by github PR#139 from EvanTheB, feedback & ok djm@ jmc@
+
+ OpenBSD-Commit-ID: fc758d1fe0471dfab4304fcad6cd4ecc3d79162a
+
+commit 1d47e28e407d1f95fdf8f799be23f48dcfa5206b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 10 07:11:11 2021 +0000
+
+ upstream: Clarify which file's attributes -p preserves, and that
+
+ it's specifically the file mode bits. bz#3340 from calestyo at scientia.net,
+ ok djm@ jmc@
+
+ OpenBSD-Commit-ID: f09e6098ed1c4be00c730873049825f8ee7cb884
+
+commit b344db7a413478e4c21e4cadba4a970ad3e6128a
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Fri Sep 10 05:46:09 2021 +0000
+
+ upstream: openssh-7.4 was incorrectly listed twice; spotted by
+
+ Dmitry Belyavskiy, ok dtucker@
+
+ OpenBSD-Commit-ID: 4b823ae448f6e899927ce7b04225ac9e489f58ef
+
+commit 9136d6239ad7a4a293e0418a49b69e70c76d58b8
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date: Thu Sep 9 06:17:39 2021 +0000
+
+ upstream: - move CAVEATS to its correct order - use the term
+
+ "legacy" protocol rather than "original", as the latter made the text
+ misleading - uppercase SCP
+
+ ok djm
+
+ OpenBSD-Commit-ID: 8479255746d5fa76a358ee59e7340fecf4245ff0
+
+commit 2d678c5e3bdc2f5c99f7af5122e9d054925d560d
+Author: David Carlier <devnexen@gmail.com>
+Date: Wed Sep 8 19:49:54 2021 +0100
+
+ Disable tracing on FreeBSD using procctl.
+
+ Placed at the start of platform_disable_tracing() to prevent declaration
+ after code errors from strict C89 compilers (in the unlikely event that
+ more than one method is enabled).
+
+commit 73050fa38fb36ae3326d768b574806352b97002d
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 8 23:31:39 2021 +0000
+
+ upstream: Use the SFTP protocol by default. The original scp/rcp
+
+ protocol remains available via the -O flag.
+
+ Note that ~user/ prefixed paths in SFTP mode require a protocol extension
+ that was first shipped in OpenSSH 8.7.
+
+ ok deraadt, after baking in snaps for a while without incident
+
+ OpenBSD-Commit-ID: 23588976e28c281ff5988da0848cb821fec9213c
+
+commit c4565e69ffa2485cff715aa842ea7a350296bfb6
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 21:09:49 2021 +1000
+
+ Really fix test on OpenSSL 1.1.1 stable.
+
+commit 79f1bb5f56cef3ae9276207316345b8309248478
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 18:51:39 2021 +1000
+
+ Correct OpenSSL 1.1.1 stable identifier.
+
+commit b6255593ed5ccbe5e7d3d4b26b2ad31ad4afc232
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 18:39:44 2021 +1000
+
+ Increment nfds when coming from startup_pipe.
+
+ If we have to increase nfds because startup_pipe[0] is above any of the
+ descriptors passed in the fd_sets, we also need to add 1 to nfds since
+ select takes highest FD number plus one. bz#3345 from yaroslav.kuzmin
+ at vmssoftware.com.
+
+commit a3e92a6794817df6012ac8546aea19652cc91b61
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Wed Sep 8 13:45:10 2021 +1000
+
+ Tests for OpenSSL 3.0.0 release & 1.1.1 branch.
+
+commit 4afe431da98ec1cf6a2933fe5658f4fd68dee9e2
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Sep 8 03:23:44 2021 +0000
+
+ upstream: correct my mistake in previous fix; spotted by halex
+
+ OpenBSD-Commit-ID: 3cc62d92e3f70006bf02468fc146bfc36fffa183
+
+commit ca0e455b9331213ff9505a21b94c38e34faa2bba
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Tue Sep 7 06:03:51 2021 +0000
+
+ upstream: avoid NULL deref in -Y find-principals. Report and fix
+
+ from Carlo Marcelo Arenas Belón
+ MIME-Version: 1.0
+ Content-Type: text/plain; charset=UTF-8
+ Content-Transfer-Encoding: 8bit
+
+ OpenBSD-Commit-ID: 6238486f8ecc888d6ccafcd9ad99e621bb41f1e0
+
+commit 37616807f150fb46610bbd5031c31af4857ad1e9
+Author: millert@openbsd.org <millert@openbsd.org>
+Date: Mon Sep 6 00:36:01 2021 +0000
+
+ upstream: revision 1.381 neglected to remove
+
+ sChallengeResponseAuthentication from the enum. Noticed by
+ christos@zoulas.com. OK dtucker@
+
+ OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
+
+commit 7acb3578cdfec0b3d34501408071f7a96c1684ea
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 20:45:42 2021 +1000
+
+ Correct version_num for OpenSSL dev branch.
+
+commit 65bb01111320dfd0d25e21e1fd4d3f2b77532669
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 19:37:39 2021 +1000
+
+ Test against OpenSSL 3 branch as well as dev.
+
+ Now that OpenSSL development has moved to 3.1, test against the most
+ recent version of the openssl-3.0 branch too.
+
+commit 864ed0d5e04a503b97202c776b7cf3f163f3eeaa
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Sep 5 19:33:22 2021 +1000
+
+ OpenSSL development is now 3.1.*
+
+commit a60209a586a928f92ab323bf23bd07f57093342e
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 07:43:23 2021 +0000
+
+ upstream: Use .Cm instead of .Dq in StrictHostKeyChecking list for
+
+ consistency. Patch from scop via github PR#257, ok jmc@
+
+ OpenBSD-Commit-ID: 3652a91564570779431802c31224fb4a9cf39872
+
+commit 8d1d9eb6de37331e872700e9e399a3190cca1242
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 07:27:03 2021 +0000
+
+ upstream: Mention using ssh -i for specifying the public key file
+
+ in the case where the private key is loaded into ssh-agent but is not present
+ locally. Based on patch from rafork via github PR#215, ok jmc@
+
+ OpenBSD-Commit-ID: 2282e83b0ff78d2efbe705883b67240745fa5bb2
+
+commit eb4362e5e3aa7ac26138b11e44d8c191910aff64
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 05:25:50 2021 +0000
+
+ upstream: Refer to KEX "algorithms" instead of "methods" to match
+
+ other references and improve consistency. Patch from scop via github PR#241,
+ ok djm@
+
+ OpenBSD-Commit-ID: 840bc94ff6861b28d8603c8e8c16499bfb65e32c
+
+commit b3318946ce5725da43c4bf7eeea1b73129c47d2a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 05:12:25 2021 +0000
+
+ upstream: Remove redundant attrib_clear in upload_dir_internal.
+
+ The subsequent call to stat_to_attrib clears the struct as its first step
+ anyway. From pmeinhardt via github PR#220, ok djm@
+
+ OpenBSD-Commit-ID: f5234fc6d7425b607e179acb3383f21716f3029e
+
+commit 7cc3fe28896e653956a6a2eed0a25d551b83a029
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Sep 3 04:11:13 2021 +0000
+
+ upstream: Add test for client termination status on signal.
+
+ Based on patch from Alexxz via github PR#235 with some tweaks, to
+ match patch in bz#3281.
+
+ OpenBSD-Regress-ID: d87c7446fb8b5f8b45894fbbd6875df326e729e2
+
+commit 5428b0d239f6b516c81d1dd15aa9fe9e60af75d4
+Author: deraadt@openbsd.org <deraadt@openbsd.org>
+Date: Thu Sep 2 21:03:54 2021 +0000
+
+ upstream: sys/param.h is not needed for any visible reason
+
+ OpenBSD-Commit-ID: 8bdea2d0c75692e4c5777670ac039d4b01c1f368
+
+commit 1ff38f34b4c4545eb28106629cafa1e0496bc726
+Author: Shchelkunov Artem <a.shchelkunov@ideco.ru>
+Date: Wed Aug 11 18:07:58 2021 +0500
+
+ Fix memory leak in error path.
+
+ *info is allocated via xstrdup but was leaked in the PAM_AUTH_ERR path.
+ From github PR#266.
+
+commit cb37e2f0c0ca4fef844ed7edc5d0e3b7d0e83f6a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Sep 1 03:16:06 2021 +0000
+
+ upstream: Fix ssh-rsa fallback for old PuTTY interop tests.
+
+ OpenBSD-Regress-ID: a19ac929da604843a5b5f0f48d2c0eb6e0773d37
+
+commit 8b02ef0f28dc24cda8cbcd8b7eb02bda8f8bbe59
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Wed Sep 1 00:50:27 2021 +0000
+
+ upstream: Add a function to skip remaining tests.
+
+ Many tests skip tests for various reasons but not in a consistent way and
+ don't always clean up, so add that and switch the tests that do that over.
+
+ OpenBSD-Regress-ID: 72d2ec90a3ee8849486956a808811734281af735
+
+commit d486845c07324c04240f1674ac513985bd356f66
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 07:13:59 2021 +0000
+
+ upstream: Specify path to PuTTY keys.
+
+ Portable needs this and it makes no difference on OpenBSD, so resync
+ them. (Id sync only, Portable already had this.)
+
+ OpenBSD-Regress-ID: 33f6f66744455886d148527af8368811e4264162
+
+commit d22b299115e27606e846b23490746f69fdd4fb38
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 06:13:23 2021 +0000
+
+ upstream: Better compat tests with old PuTTY.
+
+ When running PuTTY interop tests and using a PuTTY version older than
+ 0.76, re-enable the ssh-rsa host key algorithm (the 256 and 512 variants
+ of RSA were added some time between 0.73 and 0.76).
+
+ OpenBSD-Regress-ID: e6138d6987aa705fa1e4f216db0bb386e1ff38e1
+
+commit 87ad70d605c3e39c9b8aa275db27120d7cc09b77
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Aug 31 17:04:50 2021 +1000
+
+ Resync PuTTY interop tests.
+
+ Resync behaviour when REGRESS_INTEROP_PUTTY is not set with OpenBSD.
+
+commit e47b82a7bf51021afac218bf59a3be121827653d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Tue Aug 31 01:25:27 2021 +0000
+
+ upstream: Specify hostkeyalgorithms in SSHFP test.
+
+ Specify host key algorithms in sshd's default set for the SSHFP test,
+ from djm@. Make the reason for when the test is skipped a bit clearer.
+
+ OpenBSD-Regress-ID: 4f923dfc761480d5411de17ea6f0b30de3e32cea
+
+commit 7db3e0a9e8477c018757b59ee955f7372c0b55fb
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Mon Aug 30 01:15:45 2021 +0000
+
+ upstream: adapt to RSA/SHA1 deprectation
+
+ OpenBSD-Regress-ID: 952397c39a22722880e4de9d1c50bb1a14f907bb
+
+commit 2344750250247111a6c3c6a4fe84ed583a61cc11
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Aug 29 23:53:10 2021 +0000
+
+ upstream: After years of forewarning, disable the RSA/SHA-1
+
+ signature algorithm by default. It is feasible to create colliding SHA1
+ hashes, so we need to deprecate its use.
+
+ RSA/SHA-256/512 remains available and will be transparently selected
+ instead of RSA/SHA1 for most SSH servers released in the last five+
+ years. There is no need to regenerate RSA keys.
+
+ The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
+ PubkeyAcceptedAlgorithms directives on the client and server.
+
+ ok dtucker deraadt
+
+ OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
+
+commit 56c4455d3b54b7d481c77c82115c830b9c8ce328
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Sun Aug 29 23:44:07 2021 +0000
+
+ upstream: wrap at 80 columns
+
+ OpenBSD-Commit-ID: 47ca2286d6b52a9747f34da16d742879e1a37bf0
+
+commit 95401eea8503943449f712e5f3de52fc0bc612c5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Aug 20 18:14:13 2021 +1000
+
+ Replace shell function with ssh-keygen -A.
+
+ Prevents the init script in the SysV package from trying (and failing)
+ to generate unsupported key types. Remove now-unused COMMENT_OUT_ECC.
+ ok tim@
+
+commit d83ec9ed995a76ed1d5c65cf10b447222ec86131
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Aug 20 15:39:05 2021 +1000
+
+ Remove obsolete Redhat PAM config and init script.
+
commit e1a596186c81e65a34ce13076449712d3bf97eb4
Author: Damien Miller <djm@mindrot.org>
Date: Fri Aug 20 14:03:49 2021 +1000
@@ -13074,630 +13609,3 @@ Date: Fri Sep 27 15:26:22 2019 +1000
Since we've added larger fallback groups to dh.c this test will pass
even if there is no moduli file installed on the system.
-
-commit c1e0a32fa852de6d1c82ece4f76add0ab0ca0eae
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Tue Sep 24 21:17:20 2019 +1000
-
- Add more ToS bits, currently only used by netcat.
-
-commit 5a273a33ca1410351cb484af7db7c13e8b4e8e4e
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Thu Sep 19 15:41:23 2019 +1000
-
- Privsep is now required.
-
-commit 8aa2aa3cd4d27d14e74b247c773696349472ef20
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 16 03:23:02 2019 +0000
-
- upstream: Allow testing signature syntax and validity without verifying
-
- that a signature came from a trusted signer. To discourage accidental or
- unintentional use, this is invoked by the deliberately ugly option name
- "check-novalidate"
-
- from Sebastian Kinne
-
- OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
-
-commit 7047d5afe3103f0f07966c05b810682d92add359
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:52:34 2019 +0000
-
- upstream: clarify that IdentitiesOnly also applies to the default
-
- ~/.ssh/id_* keys; bz#3062
-
- OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
-
-commit b36ee3fcb2f1601693b1b7fd60dd6bd96006ea75
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Sep 13 04:36:43 2019 +0000
-
- upstream: Plug mem leaks on error paths, based in part on github
-
- pr#120 from David Carlier. ok djm@.
-
- OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e
-
-commit 2aefdf1aef906cf7548a2e5927d35aacb55948d4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:31:19 2019 +0000
-
- upstream: whitespace
-
- OpenBSD-Commit-ID: 57a71dd5f4cae8d61e0ac631a862589fb2bfd700
-
-commit fbe24b142915331ceb2a3a76be3dc5b6d204fddf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:27:35 2019 +0000
-
- upstream: allow %n to be expanded in ProxyCommand strings
-
- From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
- ok dtucker@
-
- OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
-
-commit 2ce1d11600e13bee0667d6b717ffcc18a057b821
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 13 04:07:42 2019 +0000
-
- upstream: clarify that ConnectTimeout applies both to the TCP
-
- connection and to the protocol handshake/KEX. From Jean-Charles Longuet via
- Github PR140
-
- OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
-
-commit df780114278f406ef7cb2278802a2660092fff09
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Sep 9 02:31:19 2019 +0000
-
- upstream: Fix potential truncation warning. ok deraadt.
-
- OpenBSD-Commit-ID: d87b7e3a94ec935e8194e7fce41815e22804c3ff
-
-commit ec0e6243660bf2df30c620a6a0d83eded376c9c6
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Sep 13 13:14:39 2019 +1000
-
- memleak of buffer in sshpam_query
-
- coverity report via Ed Maste; ok dtucker@
-
-commit c17e4638e5592688264fc0349f61bfc7b4425aa5
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Sep 13 13:12:42 2019 +1000
-
- explicitly test set[ug]id() return values
-
- Legacy !_POSIX_SAVED_IDS path only; coverity report via Ed Maste
- ok dtucker@
-
-commit 91a2135f32acdd6378476c5bae475a6e7811a6a2
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Fri Sep 6 14:45:34 2019 +0000
-
- upstream: Allow prepending a list of algorithms to the default set
-
- by starting the list with the '^' character, e.g.
-
- HostKeyAlgorithms ^ssh-ed25519
- Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
-
- ok djm@ dtucker@
-
- OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
-
-commit c8bdd2db77ac2369d5cdee237656f266c8f41552
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 07:53:40 2019 +0000
-
- upstream: key conversion should fail for !openssl builds, not fall
-
- through to the key generation code
-
- OpenBSD-Commit-ID: b957436adc43c4941e61d61958a193a708bc83c9
-
-commit 823f6c37eb2d8191d45539f7b6fa877a4cb4ed3d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 06:08:11 2019 +0000
-
- upstream: typo in previous
-
- OpenBSD-Commit-ID: 7c3b94110864771a6b80a0d8acaca34037c3c96e
-
-commit 6a710d3e06fd375e2c2ae02546b9541c488a2cdb
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Sep 8 14:48:11 2019 +1000
-
- needs time.h for --without-openssl
-
-commit f61f29afda6c71eda26effa54d3c2e5306fd0833
-Author: Damien Miller <djm@mindrot.org>
-Date: Sat Sep 7 19:25:00 2019 +1000
-
- make unittests pass for no-openssl case
-
-commit 105e1c9218940eb53473f55a9177652d889ddbad
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 05:59:41 2019 +0000
-
- upstream: avoid compiling certain files that deeply depend on
-
- libcrypto when WITH_OPENSSL isn't set
-
- OpenBSD-Commit-ID: 569f08445c27124ec7c7f6c0268d844ec56ac061
-
-commit 670104b923dd97b1c06c0659aef7c3e52af571b2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 05:23:55 2019 +0000
-
- upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
-
- OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
-
-commit be02d7cbde3d211ec2ed2320a1f7d86b2339d758
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 04:53:27 2019 +0000
-
- upstream: lots of things were relying on libcrypto headers to
-
- transitively include various system headers (mostly stdlib.h); include them
- explicitly
-
- OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
-
-commit d05aaaaadcad592abfaa44540928e0c61ef72ebb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 03:30:42 2019 +0000
-
- upstream: remove leakmalloc reference; we used this early when
-
- refactoring but not since
-
- OpenBSD-Commit-ID: bb28ebda8f7c490b87b37954044a6cdd43a7eb2c
-
-commit 1268f0bcd8fc844ac6c27167888443c8350005eb
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Sep 6 04:24:06 2019 +0000
-
- upstream: Check for RSA support before using it for the user key,
-
- otherwise use ed25519 which is supported when built without OpenSSL.
-
- OpenBSD-Regress-ID: 3d23ddfe83c5062f00ac845d463f19a2ec78c0f7
-
-commit fd7a2dec652b9efc8e97f03f118f935dce732c60
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Sep 6 14:07:10 2019 +1000
-
- Provide explicit path to configure-check.
-
- On some platforms (at least OpenBSD) make won't search VPATH for target
- files, so building out-of-tree will fail at configure-check. Provide
- explicit path. ok djm@
-
-commit 00865c29690003b4523cc09a0e104724b9f911a4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Sep 6 01:58:50 2019 +0000
-
- upstream: better error code for bad arguments; inspired by
-
- OpenBSD-Commit-ID: dfc263b6041de7f0ed921a1de0b81ddebfab1e0a
-
-commit afdf27f5aceb4973b9f5308f4310c6e3fd8db1fb
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 21:38:40 2019 +1000
-
- revert config.h/config.h.in freshness checks
-
- turns out autoreconf and configure don't touch some files if their content
- doesn't change, so the mtime can't be relied upon in a makefile rule
-
-commit a97609e850c57bd2cc2fe7e175fc35cb865bc834
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 20:54:39 2019 +1000
-
- extend autoconf freshness test
-
- make it cover config.h.in and config.h separately
-
-commit 182297c10edb21c4856c6a38326fd04d81de41a5
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 20:34:54 2019 +1000
-
- check that configure/config.h is up to date
-
- Ensure they are newer than the configure.ac / aclocal.m4 source
-
-commit 7d6034bd020248e9fc0f8c39c71c858debd0d0c1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 10:05:51 2019 +0000
-
- upstream: if a PKCS#11 token returns no keys then try to login and
-
- refetch them. Based on patch from Jakub Jelen; bz#2430 ok markus@
-
- OpenBSD-Commit-ID: ab53bd6ddd54dd09e54a8bfbed1a984496f08b43
-
-commit 76f09bd95917862101b740afb19f4db5ccc752bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 09:35:19 2019 +0000
-
- upstream: sprinkle in some explicit errors here, otherwise the
-
- percolate all the way up to dispatch_run_fatal() and lose all meaninful
- context
-
- to help with bz#3063; ok dtucker@
-
- OpenBSD-Commit-ID: 5b2da83bb1c4a3471444b7910b2120ae36438a0a
-
-commit 0ea332497b2b2fc3995f72f6bafe9d664c0195b3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 09:25:13 2019 +0000
-
- upstream: only send ext_info for KEX_INITIAL; bz#2929 ok dtucker
-
- OpenBSD-Commit-ID: 00f5c6062f6863769f5447c6346f78c05d2e4a63
-
-commit f23d91f9fa7f6f42e70404e000fac88aebfe3076
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Thu Sep 5 05:47:23 2019 +0000
-
- upstream: macro fix; ok djm
-
- OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
-
-commit 8b57337c1c1506df2bb9f039d0628a6de618566b
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 15:46:39 2019 +1000
-
- update fuzzing makefile to more recent clang
-
-commit ae631ad77daf8fd39723d15a687cd4b1482cbae8
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 15:45:32 2019 +1000
-
- fuzzer for sshsig allowed_signers option parsing
-
-commit 69159afe24120c97e5ebaf81016c85968afb903e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 05:42:59 2019 +0000
-
- upstream: memleak on error path; found by libfuzzer
-
- OpenBSD-Commit-ID: 34d44cb0fb5bdb5fcbc6b02b804e71b20a7a5fc7
-
-commit bab6feb01f9924758ca7129dba708298a53dde5f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 5 04:55:32 2019 +0000
-
- upstream: expose allowed_signers options parsing code in header for
-
- fuzzing
-
- rename to make more consistent with philosophically-similar auth
- options parsing API.
-
- OpenBSD-Commit-ID: 0c67600ef04187f98e2912ca57b60c22a8025b7c
-
-commit 4f9d75fbafde83d428e291516f8ce98e6b3a7c4b
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Wed Sep 4 20:31:15 2019 +0000
-
- upstream: Call comma-separated lists as such to clarify semantics.
-
- Options such as Ciphers take values that may be a list of ciphers; the
- complete list, not indiviual elements, may be prefixed with a dash or plus
- character to remove from or append to the default list, respectively.
-
- Users might read the current text as if each elment took an optional prefix,
- so tweak the wording from "values" to "list" to prevent such ambiguity for
- all options supporting these semantics.
-
- Fix instances missed in first commit. ok jmc@ kn@
-
- OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
-
-commit db1e6f60f03641b2d17e0ab062242609f4ed4598
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date: Wed Sep 4 05:56:54 2019 +0000
-
- upstream: tweak previous;
-
- OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
-
-commit 0f44e5956c7c816f6600f2a47be4d7bb5a8d711d
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date: Tue Sep 3 20:51:49 2019 +0000
-
- upstream: repair typo and editing mishap
-
- OpenBSD-Commit-ID: d125ab720ca71ccf9baf83e08ddc8c12a328597e
-
-commit f4846dfc6a79f84bbc6356ae3184f142bacedc24
-Author: Damien Miller <djm@mindrot.org>
-Date: Thu Sep 5 11:09:28 2019 +1000
-
- Fuzzer harness for sshsig
-
-commit b08a6bc1cc7750c6f8a425d1cdbd86552fffc637
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Sep 3 18:45:42 2019 +1000
-
- oops; missed including the actual file
-
-commit 1a72c0dd89f09754df443c9576dde624a17d7dd0
-Author: Damien Miller <djm@mindrot.org>
-Date: Tue Sep 3 18:44:10 2019 +1000
-
- portability fixes for sshsig
-
-commit 6d6427d01304d967e58544cf1c71d2b4394c0522
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:37:45 2019 +0000
-
- upstream: regress test for sshsig; feedback and ok markus@
-
- OpenBSD-Regress-ID: 74c0974f2cdae8d9599b9d76a09680bae55d8a8b
-
-commit 59650f0eaf65115afe04c39abfb93a4fc994ec55
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:37:06 2019 +0000
-
- upstream: only add plain keys to prevent any certs laying around
-
- from confusing the test.
-
- OpenBSD-Regress-ID: b8f1508f822bc560b98dea910e61ecd76f34100f
-
-commit d637c4aee6f9b5280c13c020d7653444ac1fcaa5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:35:27 2019 +0000
-
- upstream: sshsig tweaks and improvements from and suggested by
-
- Markus
-
- ok markus/me
-
- OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
-
-commit 2a9c9f7272c1e8665155118fe6536bebdafb6166
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:34:19 2019 +0000
-
- upstream: sshsig: lightweight signature and verification ability
-
- for OpenSSH
-
- This adds a simple manual signature scheme to OpenSSH.
- Signatures can be made and verified using ssh-keygen -Y sign|verify
-
- Signatures embed the key used to make them. At verification time, this
- is matched via principal name against an authorized_keys-like list
- of allowed signers.
-
- Mostly by Sebastian Kinne w/ some tweaks by me
-
- ok markus@
-
- OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
-
-commit 5485f8d50a5bc46aeed829075ebf5d9c617027ea
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:32:11 2019 +0000
-
- upstream: move authorized_keys option parsing helpsers to misc.c
-
- and make them public; ok markus@
-
- OpenBSD-Commit-ID: c18bcb2a687227b3478377c981c2d56af2638ea2
-
-commit f8df0413f0a057b6a3d3dd7bd8bc7c5d80911d3a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:31:20 2019 +0000
-
- upstream: make get_sigtype public as sshkey_get_sigtype(); ok
-
- markus@
-
- OpenBSD-Commit-ID: 01f8cdbec63350490d2249f41112c5780d1cfbb8
-
-commit dd8002fbe63d903ffea5be7b7f5fc2714acab4a0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:30:47 2019 +0000
-
- upstream: move advance_past_options to authfile.c and make it
-
- public; ok markus@
-
- OpenBSD-Commit-ID: edda2fbba2c5b1f48e60f857a2010479e80c5f3c
-
-commit c72d78ccbe642e08591a626e5de18381489716e0
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:29:58 2019 +0000
-
- upstream: move skip_space() to misc.c and make it public; ok
-
- markus@
-
- OpenBSD-Commit-ID: caa77e8a3b210948e29ad3e28c5db00852961eae
-
-commit 06af3583f46e2c327fdd44d8a95b8b4e8dfd8db5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:29:15 2019 +0000
-
- upstream: authfd: add function to check if key is in agent
-
- This commit adds a helper function which allows the caller to
- check if a given public key is present in ssh-agent.
-
- work by Sebastian Kinne; ok markus@
-
- OpenBSD-Commit-ID: d43c5826353e1fdc1af71eb42961b30782c7bd13
-
-commit 2ab5a8464870cc4b29ddbe849bbbc255729437bf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:28:30 2019 +0000
-
- upstream: fix memleak in ssh_free_identitylist(); ok markus@
-
- OpenBSD-Commit-ID: aa51f77ae2c5330a1f61b2d22933f24a443f9abf
-
-commit 85443f165b4169b2a448b3e24bc1d4dc5b3156a4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Sep 3 08:27:52 2019 +0000
-
- upstream: factor out confirm_overwrite(); ok markus@
-
- OpenBSD-Commit-ID: 304e95381b39c774c8fced7e5328b106a3ff0400
-
-commit 9a396e33685633581c67d5ad9664570ef95281f2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 2 23:46:46 2019 +0000
-
- upstream: constify an argument
-
- OpenBSD-Commit-ID: 724bafc9f993746ad4303e95bede2c030de6233b
-
-commit b52c0c2e64988277a35a955a474d944967059aeb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 2 00:19:25 2019 +0000
-
- upstream: downgrade PKCS#11 "provider returned no slots" warning
-
- from log level error to debug. This is common when attempting to enumerate
- keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@
-
- OpenBSD-Commit-ID: bb8839ddeb77c271390488af1b771041d43e49c6
-
-commit 0713322e18162463c5ab5ddfb9f935055ca775d8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 1 23:47:32 2019 +0000
-
- upstream: print comment when printing pubkey from private
-
- bz#3052; ok dtucker
-
- OpenBSD-Commit-ID: a91b2a8d5f1053d34d7fce44523c53fb534ba914
-
-commit 368f1cc2fbd6ad10c66bc1b67c2c04aebf8a04a8
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Sep 2 10:28:42 2019 +1000
-
- fixed test in OSX closefrom() replacement
-
- from likan_999.student AT sina.com
-
-commit 6b7c53498def19a14dd9587bf521ab6dbee8988f
-Author: Damien Miller <djm@mindrot.org>
-Date: Mon Sep 2 10:22:02 2019 +1000
-
- retain Solaris PRIV_FILE_LINK_ANY in sftp-server
-
- Dropping this privilege removes the ability to create hard links to
- files owned by other users. This is required for the legacy sftp rename
- operation.
-
- bz#3036; approach ok Alex Wilson (the original author of the Solaris
- sandbox/pledge replacement code)
-
-commit e50f808712393e86d69e42e9847cdf8d473412d7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Fri Aug 30 05:08:28 2019 +0000
-
- upstream: Use ed25519 for most hostkey rotation tests since it's
-
- supported even when built without OpenSSL. Use RSA for the secondary type
- test if supported, otherwise skip it. Fixes this test for !OpenSSL builds.
-
- OpenBSD-Regress-ID: 101cb34a84fd974c623bdb2e496f25a6e91be109
-
-commit 5e4796c47dd8d6c38fb2ff0b3e817525fed6040d
-Author: bluhm@openbsd.org <bluhm@openbsd.org>
-Date: Thu Aug 22 21:47:27 2019 +0000
-
- upstream: Test did not compile due to missing symbols. Add source
-
- sshbuf-misc.c to regress as it was done in ssh make file. from Moritz Buhl
-
- OpenBSD-Regress-ID: 9e1c23476bb845f3cf3d15d9032da3ed0cb2fcf5
-
-commit e0e7e3d0e26f2c30697e6d0cfc293414908963c7
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Aug 30 14:26:19 2019 +1000
-
- tweak warning flags
-
- Enable -Wextra if compiler supports it
-
- Set -Wno-error=format-truncation if available to prevent expected
- string truncations in openbsd-compat from breaking -Werror builds
-
-commit 28744182cf90e0073b76a9e98de58a47e688b2c4
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Aug 30 13:21:38 2019 +1000
-
- proc_pidinfo()-based closefrom() for OS X
-
- Refactor closefrom() to use a single brute-force close() loop fallback.
-
- Based on patch from likan_999.student@sina.com in bz#3049. ok dtucker@
-
-commit dc2ca588144f088a54febebfde3414568dc73d5f
-Author: kn@openbsd.org <kn@openbsd.org>
-Date: Fri Aug 16 11:16:32 2019 +0000
-
- upstream: Call comma-separated lists as such to clarify semantics
-
- Options such as Ciphers take values that may be a list of ciphers; the
- complete list, not indiviual elements, may be prefixed with a dash or plus
- character to remove from or append to the default list respectively.
-
- Users might read the current text as if each elment took an optional prefix,
- so tweak the wording from "values" to "list" to prevent such ambiguity for
- all options supporting this semantics (those that provide a list of
- available elements via "ssh -Q ...").
-
- Input and OK jmc
-
- OpenBSD-Commit-ID: 4fdd175b0e5f5cb10ab3f26ccc38a93bb6515d57
-
-commit c4736f39e66729ce2bf5b06ee6b391e092b48f47
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Fri Aug 16 06:35:27 2019 +0000
-
- upstream: include sshbuf-misc.c in SRCS_BASE
-
- OpenBSD-Commit-ID: 99dd10e72c04e93849981d43d64c946619efa474
-
-commit d0e51810f332fe44ebdba41113aacf319d35f5a5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date: Sat Aug 24 15:12:11 2019 +1000
-
- Fix pasto in fallback code.
-
- There is no parameter called "pathname", it should simply be "path".
- bz#3059, patch from samuel at cendio.se.
-
-commit e83c989bfd9fc9838b7dfb711d1dc6da81814045
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Aug 23 10:19:30 2019 +1000
-
- use SC_ALLOW_ARG_MASK to limit mmap protections
-
- Restrict to PROT_(READ|WRITE|NONE), i.e. exclude PROT_EXEC
-
-commit f6906f9bf12c968debec3671bbf19926ff8a235b
-Author: Damien Miller <djm@mindrot.org>
-Date: Fri Aug 23 10:08:48 2019 +1000
-
- allow mprotect(2) with PROT_(READ|WRITE|NONE) only
-
- Used by some hardened heap allocators. Requested by Yegor
- Timoshenko in https://github.com/openssh/openssh-portable/pull/142
diff --git a/README b/README
index 5c7f8647dc8e..329aaeda2ea9 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#8.7p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#8.8p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or
diff --git a/auth-pam.c b/auth-pam.c
index f39d03f4b18e..29034e40d655 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -886,6 +886,7 @@ sshpam_query(void *ctx, char **name, char **info,
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
if (**prompts != NULL && strlen(**prompts) != 0) {
+ free(*info);
*info = **prompts;
**prompts = NULL;
*num = 0;
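Review bot: The added `free(*info)` relies on `*info` being either NULL or heap-allocated when this PAM_AUTH_ERR branch is reached, which the hunk cannot show; sshpam_query starts outside the hunk, so that initialization should be confirmed there before merging. A short comment on the new line would make the invariant explicit, e.g. `/* release any earlier message before handing over the prompt text */`.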
diff --git a/channels.c b/channels.c
index fd72f371df98..1c714c845e18 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.407 2021/05/19 01:24:05 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -629,9 +629,11 @@ channel_free(struct ssh *ssh, Channel *c)
debug("channel %d: free: %s, nchannels %u", c->self,
c->remote_name ? c->remote_name : "???", n);
- if (c->type == SSH_CHANNEL_MUX_CLIENT)
+ if (c->type == SSH_CHANNEL_MUX_CLIENT) {
mux_remove_remote_forwardings(ssh, c);
- else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
+ free(c->mux_ctx);
+ c->mux_ctx = NULL;
+ } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
free(c->mux_ctx);
c->mux_ctx = NULL;
}
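Review bot: After this change the SSH_CHANNEL_MUX_CLIENT and SSH_CHANNEL_MUX_LISTENER arms both end with the identical `free(c->mux_ctx); c->mux_ctx = NULL;`. If mux_ctx is never set for other channel types (not visible here), hoisting those two lines below the if/else and keeping only `mux_remove_remote_forwardings(ssh, c)` under the client test removes the duplication; otherwise a one-line comment saying why the client's context is now released here would document the fix. channel_free continues outside the hunk.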
diff --git a/clientloop.c b/clientloop.c
index bfcd50c263fd..da14d150791d 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.369 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1405,7 +1405,8 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* exit status to be returned. In that case, clear error code if the
* connection was deliberately terminated at this end.
*/
- if (options.session_type == SESSION_TYPE_NONE && received_signal == SIGTERM) {
+ if (options.session_type == SESSION_TYPE_NONE &&
+ received_signal == SIGTERM) {
received_signal = 0;
exit_status = 0;
}
diff --git a/compat.c b/compat.c
index 3f153bd424f8..0dbea68c625f 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -69,7 +69,6 @@ compat_banner(struct ssh *ssh, const char *version)
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
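Review bot: Dropping `"OpenSSH_7.4*,"` from the SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE entry changes how 7.4 peers negotiate signature types, and nothing in the hunk records why 7.4 alone is exempted while 7.1–7.3 and 7.5–7.7 stay in the list. Add a comment above the entry stating the reason (and, if applicable, the bug reference) so the gap in the version range is not mistaken for an accidental omission. The compat_banner table continues outside the hunk.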
diff --git a/config.h.in b/config.h.in
index 3b3222a8e4c8..93d53f2646b4 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1061,6 +1061,9 @@
/* Define to 1 if you have the <priv.h> header file. */
#undef HAVE_PRIV_H
+/* Define to 1 if you have the `procctl' function. */
+#undef HAVE_PROCCTL
+
/* Define if you have /proc/$pid/fd */
#undef HAVE_PROC_PID
@@ -1485,6 +1488,9 @@
/* Define to 1 if you have the <sys/prctl.h> header file. */
#undef HAVE_SYS_PRCTL_H
+/* Define to 1 if you have the <sys/procctl.h> header file. */
+#undef HAVE_SYS_PROCCTL_H
+
/* Define to 1 if you have the <sys/pstat.h> header file. */
#undef HAVE_SYS_PSTAT_H
diff --git a/configure b/configure
index b66cfd6577f6..d40e942303a3 100755
--- a/configure
+++ b/configure
@@ -645,7 +645,6 @@ SSHDLIBS
SSH_PRIVSEP_USER
LIBFIDO2
SK_DUMMY_LIBRARY
-COMMENT_OUT_ECC
TEST_SSH_ECC
PICFLAG
LIBEDIT
@@ -7138,6 +7137,7 @@ for ac_header in \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
+ sys/procctl.h \
sys/pstat.h \
sys/ptrace.h \
sys/random.h \
@@ -11515,6 +11515,7 @@ for ac_func in \
pledge \
poll \
prctl \
+ procctl \
pselect \
pstat \
raise \
@@ -13470,7 +13471,8 @@ if ac_fn_c_try_run "$LINENO"; then :
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
- 300*) ;; # OpenSSL development branch.
+ 300*) ;; # OpenSSL 3
+ 301*) ;; # OpenSSL development branch.
*)
as_fn_error $? "Unknown/unsupported OpenSSL version (\"$ssl_library_ver\")" "$LINENO" 5
;;
@@ -14171,7 +14173,6 @@ fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
@@ -14199,7 +14200,6 @@ done
$as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp256 \
@@ -14211,7 +14211,6 @@ $as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h
$as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp384 \
@@ -14223,7 +14222,6 @@ $as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h
$as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdh-sha2-nistp521 \
@@ -14232,7 +14230,6 @@ $as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h
fi
-
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypt in -lcrypt" >&5
$as_echo_n "checking for crypt in -lcrypt... " >&6; }
diff --git a/configure.ac b/configure.ac
index 01e7d2a4fbec..413913a7c72e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -454,6 +454,7 @@ AC_CHECK_HEADERS([ \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
+ sys/procctl.h \
sys/pstat.h \
sys/ptrace.h \
sys/random.h \
@@ -1868,6 +1869,7 @@ AC_CHECK_FUNCS([ \
pledge \
poll \
prctl \
+ procctl \
pselect \
pstat \
raise \
@@ -2761,7 +2763,8 @@ if test "x$openssl" = "xyes" ; then
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
- 300*) ;; # OpenSSL development branch.
+ 300*) ;; # OpenSSL 3
+ 301*) ;; # OpenSSL development branch.
*)
AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
;;
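Review bot: The new `301*) ;; # OpenSSL development branch.` arm, like `300*`, matches a single minor-version prefix of `$ssl_library_ver`, so every future OpenSSL 3.x minor release will need yet another arm here and in the generated configure (the hunk at L1420 mirrors this one). If the intent is to accept any OpenSSL 3 release, one `3??*)` arm with a comment is less brittle; if an explicit whitelist is deliberate, say so in the comment so the next contributor does not widen it. The surrounding `case` starts and ends outside the hunk.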
@@ -3100,7 +3103,6 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
)
- COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
@@ -3115,7 +3117,6 @@ if test "x$openssl" = "xyes" ; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
[libcrypto has NID_X9_62_prime256v1])
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp256 \
@@ -3125,7 +3126,6 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp384 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp384 \
@@ -3135,7 +3135,6 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp521 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
TEST_SSH_ECC=yes
- COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdh-sha2-nistp521 \
@@ -3144,7 +3143,6 @@ if test "x$openssl" = "xyes" ; then
fi
AC_SUBST([TEST_SSH_ECC])
- AC_SUBST([COMMENT_OUT_ECC])
else
AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
AC_CHECK_FUNCS([crypt])
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 5fb81ce31491..2905db0e8c39 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%global ver 8.7p1
+%global ver 8.8p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/redhat/sshd.init.old b/contrib/redhat/sshd.init.old
deleted file mode 100755
index 8a30f7da4a4a..000000000000
--- a/contrib/redhat/sshd.init.old
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/bin/bash
-#
-# Init file for OpenSSH server daemon
-#
-# chkconfig: 2345 55 25
-# description: OpenSSH server daemon
-#
-# processname: sshd
-# config: /etc/ssh/ssh_host_key
-# config: /etc/ssh/ssh_host_key.pub
-# config: /etc/ssh/ssh_random_seed
-# config: /etc/ssh/sshd_config
-# pidfile: /var/run/sshd.pid
-
-# source function library
-. /etc/rc.d/init.d/functions
-
-# pull in sysconfig settings
-[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
-
-RETVAL=0
-prog="sshd"
-
-# Some functions to make the below more readable
-KEYGEN=/usr/bin/ssh-keygen
-SSHD=/usr/sbin/sshd
-RSA_KEY=/etc/ssh/ssh_host_rsa_key
-DSA_KEY=/etc/ssh/ssh_host_dsa_key
-PID_FILE=/var/run/sshd.pid
-
-my_success() {
- local msg
- if [ $# -gt 1 ]; then
- msg="$2"
- else
- msg="done"
- fi
- case "`type -type success`" in
- function)
- success "$1"
- ;;
- *)
- echo -n "${msg}"
- ;;
- esac
-}
-my_failure() {
- local msg
- if [ $# -gt 1 ]; then
- msg="$2"
- else
- msg="FAILED"
- fi
- case "`type -type failure`" in
- function)
- failure "$1"
- ;;
- *)
- echo -n "${msg}"
- ;;
- esac
-}
-do_rsa_keygen() {
- if [ ! -s $RSA_KEY ]; then
- echo -n "Generating SSH2 RSA host key: "
- if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
- chmod 600 $RSA_KEY
- chmod 644 $RSA_KEY.pub
- my_success "RSA key generation"
- echo
- else
- my_failure "RSA key generation"
- echo
- exit 1
- fi
- fi
-}
-do_dsa_keygen() {
- if [ ! -s $DSA_KEY ]; then
- echo -n "Generating SSH2 DSA host key: "
- if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
- chmod 600 $DSA_KEY
- chmod 644 $DSA_KEY.pub
- my_success "DSA key generation"
- echo
- else
- my_failure "DSA key generation"
- echo
- exit 1
- fi
- fi
-}
-do_restart_sanity_check() {
- $SSHD -t
- RETVAL=$?
- if [ ! "$RETVAL" = 0 ]; then
- my_failure "Configuration file or keys"
- echo
- fi
-}
-
-
-case "$1" in
- start)
- # Create keys if necessary
- do_rsa_keygen;
- do_dsa_keygen;
-
- echo -n "Starting sshd: "
- if [ ! -f $PID_FILE ] ; then
- sshd $OPTIONS
- RETVAL=$?
- if [ "$RETVAL" = "0" ] ; then
- my_success "sshd startup" "sshd"
- touch /var/lock/subsys/sshd
- else
- my_failure "sshd startup" ""
- fi
- fi
- echo
- ;;
- stop)
- echo -n "Shutting down sshd: "
- if [ -f $PID_FILE ] ; then
- killproc sshd
- RETVAL=$?
- [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
- fi
- echo
- ;;
- restart)
- do_restart_sanity_check
- $0 stop
- $0 start
- RETVAL=$?
- ;;
- condrestart)
- if [ -f /var/lock/subsys/sshd ] ; then
- do_restart_sanity_check
- $0 stop
- $0 start
- RETVAL=$?
- fi
- ;;
- status)
- status sshd
- RETVAL=$?
- ;;
- *)
- echo "Usage: sshd {start|stop|restart|status|condrestart}"
- exit 1
- ;;
-esac
-
-exit $RETVAL
diff --git a/contrib/redhat/sshd.pam.old b/contrib/redhat/sshd.pam.old
deleted file mode 100644
index 26dcb34d9e94..000000000000
--- a/contrib/redhat/sshd.pam.old
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow nodelay
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_pwdb.so
-password required /lib/security/pam_cracklib.so
-password required /lib/security/pam_pwdb.so shadow nullok use_authtok
-session required /lib/security/pam_pwdb.so
-session required /lib/security/pam_limits.so
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 6cd222e5a424..ee320c76d8d0 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
-Version: 8.7p1
+Version: 8.8p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
diff --git a/log.c b/log.c
index 42c6f9a60d3e..99bf046a792a 100644
--- a/log.c
+++ b/log.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.59 2021/05/07 04:11:51 djm Exp $ */
+/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -346,6 +346,7 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
int pri = LOG_INFO;
int saved_errno = errno;
log_handler_fn *tmp_handler;
+ const char *progname = argv0 != NULL ? argv0 : __progname;
if (!force && level > log_level)
return;
@@ -403,16 +404,18 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
tmp_handler(level, force, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
- snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
+ snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
+ (log_on_stderr > 1) ? progname : "",
+ (log_on_stderr > 1) ? ": " : "",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
- openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
+ openlog_r(progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
- openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+ openlog(progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
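Review bot: The `%.*s` precision in the stderr snprintf is still `(int)sizeof msgbuf - 3`, but the format now prepends `progname` and `": "` when `log_on_stderr > 1`, so the formatted line can exceed msgbuf and snprintf will then cut off the trailing `\r\n` instead of the message text. Compute the prefix once (`prefix = (log_on_stderr > 1) ? progname : ""; sep = (log_on_stderr > 1) ? ": " : "";`) and pass `(int)(sizeof msgbuf - 3 - strlen(prefix) - strlen(sep))` as the precision, clamping at zero for a pathologically long progname. The earlier hunk introducing `progname` is fine as is; do_log begins before the hunk.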
diff --git a/misc.c b/misc.c
index b8d1040d1e3c..0134d69492e4 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -56,6 +56,7 @@
#ifdef HAVE_PATHS_H
# include <paths.h>
#include <pwd.h>
+#include <grp.h>
#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
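Review bot: `#include <grp.h>` is added inside the `#ifdef HAVE_PATHS_H` block (next to the existing `<pwd.h>`), but the `initgroups(pw->pw_name, pw->pw_gid)` call added to subprocess() in the following hunk is unconditional, so a build on a platform without `<paths.h>` compiles that call without a prototype. Move the include out of the conditional, i.e. `#include <grp.h>` after the `#endif`, where the unconditional system headers presumably live. The `<pwd.h>` include shares the same oddity, though it predates this change.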
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));
diff --git a/myproposal.h b/myproposal.h
index f03b7dfd0df9..6d79937b6fa8 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -46,7 +46,6 @@
"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
- "ssh-rsa-cert-v01@openssh.com," \
"ssh-ed25519," \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
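Review bot: Removing `ssh-rsa-cert-v01@openssh.com` here and `ssh-rsa` in the following hunk drops the RSA/SHA-1 signature algorithms from this default public-key algorithm list, and nothing in the header records that this is deliberate. Add a comment above the list, e.g. `/* ssh-rsa (RSA/SHA-1) is intentionally absent; RSA keys are still offered via rsa-sha2-256/512. */`, so a later edit does not reinstate it as an apparent omission. The `#define` this list belongs to starts outside the hunk.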
@@ -54,8 +53,7 @@
"sk-ssh-ed25519@openssh.com," \
"sk-ecdsa-sha2-nistp256@openssh.com," \
"rsa-sha2-512," \
- "rsa-sha2-256," \
- "ssh-rsa"
+ "rsa-sha2-256"
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
diff --git a/openbsd-compat/bsd-pselect.c b/openbsd-compat/bsd-pselect.c
index fff1bf54f72c..b3632086368a 100644
--- a/openbsd-compat/bsd-pselect.c
+++ b/openbsd-compat/bsd-pselect.c
@@ -188,7 +188,7 @@ pselect(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
if (unmasked) {
pselect_notify_setup();
pselect_notify_prepare(readfds);
- nfds = MAX(nfds, notify_pipe[0]);
+ nfds = MAX(nfds, notify_pipe[0] + 1);
}
/* Unmask signals, call select then restore signal mask. */
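Review bot: The `+ 1` in `nfds = MAX(nfds, notify_pipe[0] + 1);` is correct for select()'s convention of passing one past the highest descriptor, but without a comment it reads like an off-by-one itself. Suggest `nfds = MAX(nfds, notify_pipe[0] + 1); /* nfds is highest fd + 1 */`. pselect() continues outside the hunk.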
diff --git a/opensshd.init.in b/opensshd.init.in
index 99e5a51ab8b7..251724805f7f 100755
--- a/opensshd.init.in
+++ b/opensshd.init.in
@@ -17,26 +17,6 @@ PIDFILE=$piddir/sshd.pid
PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
[ X$PidFile = X ] || PIDFILE=$PidFile
SSH_KEYGEN=$prefix/bin/ssh-keygen
-HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
-HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
-@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
-
-
-checkkeys() {
- if [ ! -f $HOST_KEY_DSA ]; then
- ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
- fi
- if [ ! -f $HOST_KEY_RSA ]; then
- ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
- fi
-@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
-@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
-@COMMENT_OUT_ECC@ fi
- if [ ! -f $HOST_KEY_ED25519 ]; then
- ${SSH_KEYGEN} -t ed25519 -f ${HOST_KEY_ED25519} -N ""
- fi
-}
stop_service() {
if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
@@ -54,7 +34,7 @@ start_service() {
# XXX we will opt out at this time. - Bal
# Check to see if we have keys that need to be made
- checkkeys
+ ${SSH_KEYGEN} -A
# Start SSHD
echo "starting $SSHD... \c" ; $SSHD
diff --git a/platform-tracing.c b/platform-tracing.c
index 4c80a282c493..0daf2a86f333 100644
--- a/platform-tracing.c
+++ b/platform-tracing.c
@@ -17,6 +17,9 @@
#include "includes.h"
#include <sys/types.h>
+#ifdef HAVE_SYS_PROCCTL_H
+#include <sys/procctl.h>
+#endif
#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif
@@ -33,6 +36,13 @@
void
platform_disable_tracing(int strict)
{
+#if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
+ /* On FreeBSD, we should make this process untraceable */
+ int disable_trace = PROC_TRACE_CTL_DISABLE;
+
+ if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ fatal("unable to make the process untraceable");
+#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
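Review bot: The new procctl() failure path in platform_disable_tracing() calls `fatal("unable to make the process untraceable")` without the errno text, so a refused call (EPERM) cannot be told apart from an unsupported one (EINVAL) in the log. Include the cause: `fatal("procctl(PROC_TRACE_CTL): %s", strerror(errno));` (assuming `<errno.h>`/`<string.h>` are reachable via includes.h). As in the prctl branch, a non-strict failure is silently ignored; a `debug()` there would help diagnose hardening that did not take effect. The function continues outside the hunk.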
diff --git a/readconf.c b/readconf.c
index 03369a0866e6..bcca6ed47c4c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2011,11 +2011,23 @@ parse_pubkey_algos:
case oCanonicalizePermittedCNAMEs:
value = options->num_permitted_cnames != 0;
+ i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
- /* Either '*' for everything or 'list:list' */
- if (strcmp(arg, "*") == 0)
+ /*
+ * Either 'none' (only in first position), '*' for
+ * everything or 'list:list'
+ */
+ if (strcasecmp(arg, "none") == 0) {
+ if (i > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"none\" "
+ "argument must appear alone.",
+ filename, linenum, keyword);
+ goto out;
+ }
+ arg2 = "";
+ } else if (strcmp(arg, "*") == 0) {
arg2 = arg;
- else {
+ } else {
lowercase(arg);
if ((arg2 = strchr(arg, ':')) == NULL ||
arg2[1] == '\0') {
@@ -2027,6 +2039,7 @@ parse_pubkey_algos:
*arg2 = '\0';
arg2++;
}
+ i++;
if (!*activep || value)
continue;
if (options->num_permitted_cnames >=
@@ -2281,6 +2294,20 @@ option_clear_or_none(const char *o)
}
/*
+ * Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
+ * Allowed to be called on non-final configuration.
+ */
+int
+config_has_permitted_cnames(Options *options)
+{
+ if (options->num_permitted_cnames == 1 &&
+ strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
+ strcmp(options->permitted_cnames[0].target_list, "") == 0)
+ return 0;
+ return options->num_permitted_cnames > 0;
+}
+
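Review bot: The header comment on config_has_permitted_cnames() omits the special case it exists for: a single `none` entry (source_list `none`, empty target_list, as stored by the parser in the earlier hunk) is reported as not specified. Expand it to something like `Returns 1 if CanonicalizePermittedCNAMEs has been set to something other than "none", 0 otherwise.` The function also dereferences `permitted_cnames[0].source_list` and `.target_list` without a NULL check, which is fine only if the parser always stores both strings; that code is outside the hunk.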
+/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
* are processed in the following order: command line, user config file,
@@ -2648,6 +2675,15 @@ fill_default_options(Options * options)
free(options->jump_host);
options->jump_host = NULL;
}
+ if (options->num_permitted_cnames == 1 &&
+ !config_has_permitted_cnames(options)) {
+ /* clean up CanonicalizePermittedCNAMEs=none */
+ free(options->permitted_cnames[0].source_list);
+ free(options->permitted_cnames[0].target_list);
+ memset(options->permitted_cnames, '\0',
+ sizeof(*options->permitted_cnames));
+ options->num_permitted_cnames = 0;
+ }
/* options->identity_agent distinguishes NULL from 'none' */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
@@ -3363,14 +3399,14 @@ dump_client_config(Options *o, const char *host)
printf("\n");
/* oCanonicalizePermittedCNAMEs */
- if ( o->num_permitted_cnames > 0) {
- printf("canonicalizePermittedcnames");
- for (i = 0; i < o->num_permitted_cnames; i++) {
- printf(" %s:%s", o->permitted_cnames[i].source_list,
- o->permitted_cnames[i].target_list);
- }
- printf("\n");
+ printf("canonicalizePermittedcnames");
+ if (o->num_permitted_cnames == 0)
+ printf(" none");
+ for (i = 0; i < o->num_permitted_cnames; i++) {
+ printf(" %s:%s", o->permitted_cnames[i].source_list,
+ o->permitted_cnames[i].target_list);
}
+ printf("\n");
/* oControlPersist */
if (o->control_persist == 0 || o->control_persist_timeout == 0)
diff --git a/readconf.h b/readconf.h
index f7d53b067604..f24719f982df 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -228,6 +228,7 @@ int parse_jump(const char *, Options *, int);
int parse_ssh_uri(const char *, char **, char **, int *);
int default_ssh_port(void);
int option_clear_or_none(const char *);
+int config_has_permitted_cnames(Options *);
void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *);
diff --git a/regress/Makefile b/regress/Makefile
index 810d74ce599d..0b5ad45d753a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.116 2021/08/04 21:28:00 djm Exp $
+# $OpenBSD: Makefile,v 1.117 2021/09/03 04:11:13 dtucker Exp $
tests: prep file-tests t-exec unit
@@ -27,6 +27,7 @@ LTESTS= connect \
proto-version \
proto-mismatch \
exit-status \
+ exit-status-signal \
envpass \
transfer \
banner \
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index ddeef01f1b73..2874100fa0f1 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.13 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
@@ -10,19 +10,15 @@ SSH_AUTH_SOCK=/nonexistent
if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
:
else
- echo "skipped (not supported on this platform)"
- exit 0
+ skip "skipped (not supported on this platform)"
fi
case "x$SUDO" in
xsudo) sudo=1;;
xdoas|xdoas\ *) ;;
x)
- echo "need SUDO to switch to uid $UNPRIV"
- echo SKIPPED
- exit 0 ;;
+ skip "need SUDO to switch to uid $UNPRIV" ;;
*)
- echo "unsupported $SUDO - "doas" and "sudo" are allowed"
- exit 0 ;;
+ skip "unsupported $SUDO - "doas" and "sudo" are allowed" ;;
esac
trace "start agent"
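Review bot: The new `skip "unsupported $SUDO - "doas" and "sudo" are allowed" ;;` line is mis-quoted: the inner double quotes terminate the string, so `doas` and `sudo` reach skip as separate unquoted words and the intended quotation marks never appear in the output (the removed echo had the same defect, so the commit only carries it over). Using single quotes inside keeps the message one argument: `skip "unsupported $SUDO - 'doas' and 'sudo' are allowed" ;;`. It also removes the word splitting and globbing that the bare words are currently subject to, harmless today but wrong in form.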
diff --git a/regress/exit-status-signal.sh b/regress/exit-status-signal.sh
new file mode 100644
index 000000000000..1b3af0d84ddd
--- /dev/null
+++ b/regress/exit-status-signal.sh
@@ -0,0 +1,24 @@
+# This test performs validation that ssh client is not successive on being terminated
+
+tid="exit status on signal"
+
+# spawn client in background
+rm -f $OBJ/remote_pid
+${SSH} -F $OBJ/ssh_proxy somehost 'echo $$ >'$OBJ'/remote_pid; sleep 444' &
+ssh_pid=$!
+
+# wait for it to start
+n=20
+while [ ! -f $OBJ/remote_pid ] && [ $n -gt 0 ]; do
+ n=$(($n - 1))
+ sleep 1
+done
+
+kill $ssh_pid
+wait $ssh_pid
+exit_code=$?
+
+if [ $exit_code -eq 0 ]; then
+ fail "ssh client should fail on signal"
+fi
+
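Review bot: The test can pass vacuously when the client never starts: if the 20-iteration wait for `$OBJ/remote_pid` times out, the script still kills and waits on the client, and a non-zero status from an unrelated failure (for example a connection error) satisfies the `-eq 0` check just as well. A guard after the loop such as `[ -f $OBJ/remote_pid ] || fatal "ssh client did not start"` makes that case fail explicitly. The remote `sleep 444` whose pid is recorded is never killed; it is presumably torn down when the proxied sshd sees the connection close, but an explicit `kill $(cat $OBJ/remote_pid) 2>/dev/null` after the `wait` would not depend on that. The new script also lacks the `$OpenBSD$` tag and the `# Placed in the Public Domain.` line every other regress script carries, and the header comment's "not successive on being terminated" reads as a typo for "not successful".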
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index 2852c457c259..0ae0c3dfcb44 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -3,6 +3,25 @@
tid="hostkey rotate"
+#
+# GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will occasionally
+# fail to find ssh host keys in the hostkey-rotate test. If we have those
+# versions, use awk instead.
+# See # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258616
+#
+case `grep --version 2>&1 | awk '/GNU grep/{print $4}'` in
+2.19) fgrep=good ;;
+1.*|2.?|2.?.?|2.1?) fgrep=bad ;; # stock GNU grep
+2.5.1*) fgrep=bad ;; # FreeBSD and NetBSD
+*) fgrep=good ;;
+esac
+if test "x$fgrep" = "xbad"; then
+ fgrep()
+{
+ awk 'BEGIN{e=1} {if (index($0,"'$1'")>0){e=0;print}} END{exit e}' $2
+}
+fi
+
rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig $OBJ/ssh_proxy.orig
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
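Review bot: The `fgrep` shim splices its first argument straight into the awk program text (`index($0,"'$1'")`), so a pattern containing a double quote, backslash or single quote changes the awk source instead of being searched for, and `$2` is passed unquoted. Passing the pattern through `-v` keeps it as data: `awk -v pat="$1" 'BEGIN{e=1} index($0,pat)>0{e=0;print} END{exit e}' "$2"` (awk still processes backslash escapes in `-v` values, which is harmless for base64 host keys). The shim also accepts exactly one pattern and one file and no options, unlike the real fgrep, so a comment such as `# minimal fgrep(1) stand-in: one fixed string, one file, no options` would keep it from being copied into scripts that call fgrep differently.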
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index 33b6e7b423df..a3acf5e4d905 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
+# $OpenBSD: keys-command.sh,v 1.7 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="authorized keys from command"
@@ -77,5 +77,5 @@ if [ -x $KEY_COMMAND ]; then
fail "connect failed"
fi
else
- echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
+ skip "$KEY_COMMAND not executable (/var/run mounted noexec?)"
fi
diff --git a/regress/knownhosts-command.sh b/regress/knownhosts-command.sh
index f15df670b0c8..8472ec8121c5 100644
--- a/regress/knownhosts-command.sh
+++ b/regress/knownhosts-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: knownhosts-command.sh,v 1.2 2020/12/22 06:47:24 djm Exp $
+# $OpenBSD: knownhosts-command.sh,v 1.3 2021/08/30 01:15:45 djm Exp $
# Placed in the Public Domain.
tid="known hosts command "
@@ -39,7 +39,9 @@ chmod a+x $OBJ/knownhosts_command
${SSH} -F $OBJ/ssh_proxy x true && fail "ssh connect succeeded with bad exit"
for keytype in ${SSH_HOSTKEY_TYPES} ; do
+ algs=$keytype
test "x$keytype" = "xssh-dss" && continue
+ test "x$keytype" = "xssh-rsa" && algs=ssh-rsa,rsa-sha2-256,rsa-sha2-512
verbose "keytype $keytype"
cat > $OBJ/knownhosts_command << _EOF
#!/bin/sh
@@ -48,6 +50,6 @@ test "x\$1" = "x$keytype" || die "wrong keytype \$1 (expected $keytype)"
test "x\$3" = "x$LOGNAME" || die "wrong username \$3 (expected $LOGNAME)"
grep -- "\$1.*\$2" $OBJ/known_hosts
_EOF
- ${SSH} -F $OBJ/ssh_proxy -oHostKeyAlgorithms=$keytype x true ||
+ ${SSH} -F $OBJ/ssh_proxy -oHostKeyAlgorithms=$algs x true ||
fail "ssh connect failed for keytype $x"
done
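Review bot: The failure message on the line right after the changed `${SSH}` invocation, `fail "ssh connect failed for keytype $x"`, expands `$x`, which is never assigned in this loop, so a failure is reported with no key type; it should read `fail "ssh connect failed for keytype $keytype"`. That line is context the commit leaves untouched, but the new `$algs` mapping makes the attribution matter more, since for ssh-rsa the client now offers `rsa-sha2-256,rsa-sha2-512` while the generated command still checks `\$1` against `$keytype`, and the loop continues past a failure, so the message is the only thing that says which iteration broke.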
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 708c288d73ae..5b8e25a27199 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,11 +1,17 @@
-# $OpenBSD: putty-ciphers.sh,v 1.7 2020/01/23 03:35:07 dtucker Exp $
+# $OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty ciphers"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- echo "putty interop tests not enabled"
- exit 0
+ skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+ echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
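Review bot: The six-line "re-enable ssh-rsa on older PuTTY" block added here is repeated verbatim in putty-kex.sh and putty-transfer.sh in this same patch; a helper in test-exec.sh, say `putty_enable_rsa_sha1()` that runs the plink version probe and appends the two `+ssh-rsa` lines to `${OBJ}/sshd_proxy`, would keep the 0.76 threshold and the option names in one place. Both appended options re-enable SHA-1 RSA signatures on the test sshd; a comment such as `# SHA-1 ssh-rsa is re-enabled only for this interop test, not a recommended sshd_config setting` would make that explicit for anyone who copies the snippet. The probe relies on awk's numeric coercion of `$3`, which reads `0.76` correctly but would read a hypothetical `0.76.1` as 0.76; fine for the release banners it is meant for.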
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 686d0e1af2e5..c75802a06103 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,11 +1,17 @@
-# $OpenBSD: putty-kex.sh,v 1.5 2020/01/23 03:24:38 dtucker Exp $
+# $OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty KEX"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- echo "putty interop tests not enabled"
- exit 0
+ skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+ echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
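Review bot: The `oldver` probe matches only a `plink: Release` banner, so a snapshot or pre-release plink, whose banner I cannot confirm from here but which is unlikely to contain "Release", yields an empty `oldver` and is treated as 0.76 or newer, and the `+ssh-rsa` lines are not appended even if that build needs them. If the interop tests are ever run against such builds, appending ssh-rsa unless a release at or above 0.76 is positively detected is the more robust test default, e.g. `newver="`${PLINK} --version | awk '/plink: Release/{if ($3>=0.76)print "yes"}'`"` with the condition `[ "x$newver" != "xyes" ]`. At minimum a comment noting that only release banners are recognised would save the next reader the investigation.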
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 14b41022f8a6..a6864f9515a7 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,11 +1,17 @@
-# $OpenBSD: putty-transfer.sh,v 1.7 2020/01/23 11:19:12 dtucker Exp $
+# $OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty transfer data"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- echo "putty interop tests not enabled"
- exit 0
+ skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+ echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
if [ "`${SSH} -Q compression`" = "none" ]; then
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 5acc4d2de4a6..a7766fe63a2e 100644
--- a/regress/sftp-chroot.sh
+++ b/regress/sftp-chroot.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sftp-chroot.sh,v 1.7 2018/11/22 08:48:32 dtucker Exp $
+# $OpenBSD: sftp-chroot.sh,v 1.8 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="sftp in chroot"
@@ -9,14 +9,11 @@ PRIVDATA=${CHROOT}/${FILENAME}
trap "${SUDO} rm -f ${PRIVDATA}" 0
if [ -z "$SUDO" -a ! -w /var/run ]; then
- echo "need SUDO to create file in /var/run, test won't work without"
- echo SKIPPED
- exit 0
+ skip "need SUDO to create file in /var/run, test won't work without"
fi
if ! $OBJ/check-perm -m chroot "$CHROOT" ; then
- echo "skipped: $CHROOT is unsuitable as ChrootDirectory"
- exit 0
+ skip "$CHROOT is unsuitable as ChrootDirectory"
fi
$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh
index 06e91cdbb851..f78646922efe 100644
--- a/regress/sshfp-connect.sh
+++ b/regress/sshfp-connect.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshfp-connect.sh,v 1.2 2021/07/19 08:48:33 dtucker Exp $
+# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
# This test requires external setup and thus is skipped unless
@@ -24,9 +24,11 @@
tid="sshfp connect"
-if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
- $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
-
+if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
+ skip "RSA keys not supported."
+elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
+ skip "TEST_SSH_SSHFP_DOMAIN not set."
+else
# Set RSA host key to match fingerprints above.
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
@@ -45,7 +47,7 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
trace "sshfp connect $n good fingerprint"
host="${n}.dtucker.net"
opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "
- opts="$opts -o HostKeyAlgorithms=ssh-rsa"
+ opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"
host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
@@ -61,6 +63,4 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
fail "sshfp-connect succeeded with bad SSHFP record"
fi
done
-else
- echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set.
fi
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index db6d6161aa2b..415422ef5573 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.86 2021/08/08 08:27:28 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.87 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -462,6 +462,14 @@ fatal ()
exit $RESULT
}
+# Skip remaining tests in script.
+skip ()
+{
+ echo "SKIPPED: $@"
+ cleanup
+ exit $RESULT
+}
+
RESULT=0
PIDFILE=$OBJ/pidfile
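Review bot: `skip()` documents neither its output nor its exit status: it exits with `$RESULT`, so a script that already recorded a failure through fail() before skipping still exits non-zero, which is the right behaviour but not obvious from the name; a header like `# Skip remaining tests in script: print SKIPPED, run cleanup, and exit with the status accumulated so far (non-zero if fail() already ran).` would capture it. `echo "SKIPPED: $@"` should be `echo "SKIPPED: $*"`, since `$@` inside double quotes re-splits into separate words (ShellCheck SC2145); echo happens to print the same thing, but it is the wrong form to copy. `cleanup` and `RESULT` are defined outside this hunk; `RESULT=0` is assigned immediately after the function, so callers see it initialised.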
diff --git a/scp.0 b/scp.0
index 6f1fc7548976..830e66e34e17 100644
--- a/scp.0
+++ b/scp.0
@@ -12,8 +12,7 @@ DESCRIPTION
scp copies files between hosts on a network.
It uses ssh(1) for data transfer, and uses the same authentication and
- provides the same security as a login session. The scp protocol requires
- execution of the remote user's shell to perform glob(3) pattern matching.
+ provides the same security as a login session.
scp will ask for passwords or passphrases if they are needed for
authentication.
@@ -31,7 +30,7 @@ DESCRIPTION
-3 Copies between two remote hosts are transferred through the local
host. Without this option the data is copied directly between
- the two remote hosts. Note that, when using the legacy SCP
+ the two remote hosts. Note that, when using the original SCP
protocol (the default), this option selects batch mode for the
second host as scp cannot ask for passwords or passphrases for
both hosts. This mode is the default.
@@ -54,7 +53,7 @@ DESCRIPTION
option is directly passed to ssh(1).
-D sftp_server_path
- When using the SFTP protocol support via -M, connect directly to
+ When using the SFTP protocol support via -s, connect directly to
a local SFTP server program rather than a remote one via ssh(1).
This option may be useful in debugging the client and server.
@@ -78,11 +77,12 @@ DESCRIPTION
-l limit
Limits the used bandwidth, specified in Kbit/s.
- -O Use the legacy SCP protocol for file transfers instead of the
+ -O Use the original SCP protocol for file transfers instead of the
SFTP protocol. Forcing the use of the SCP protocol may be
- necessary for servers that do not implement SFTP or for
- backwards-compatibility for particular filename wildcard
- patterns. This mode is the default.
+ necessary for servers that do not implement SFTP, for backwards-
+ compatibility for particular filename wildcard patterns and for
+ expanding paths with a M-bM-^@M-^X~M-bM-^@M-^Y prefix for older SFTP servers. This
+ mode is the default.
-o ssh_option
Can be used to pass options to ssh in the format used in
@@ -155,10 +155,10 @@ DESCRIPTION
-P port
Specifies the port to connect to on the remote host. Note that
this option is written with a capital M-bM-^@M-^XPM-bM-^@M-^Y, because -p is already
- reserved for preserving the times and modes of the file.
+ reserved for preserving the times and mode bits of the file.
- -p Preserves modification times, access times, and modes from the
- original file.
+ -p Preserves modification times, access times, and file mode bits
+ from the source file.
-q Quiet mode: disables the progress meter as well as warning and
diagnostic messages from ssh(1).
@@ -175,14 +175,8 @@ DESCRIPTION
Name of program to use for the encrypted connection. The program
must understand ssh(1) options.
- -s Use the SFTP protocol for file transfers instead of the legacy
- SCP protocol. Using SFTP avoids invoking a shell on the remote
- side and provides more predictable filename handling, as the SCP
- protocol relied on the remote shell for expanding glob(3)
- wildcards.
-
- A near-future release of OpenSSH will make the SFTP protocol the
- default. This option will be deleted before the end of 2022.
+ -s Use the SFTP protocol for transfers rather than the original scp
+ protocol.
-T Disable strict filename checking. By default when copying files
from a remote host to a local directory scp checks that the
@@ -213,4 +207,10 @@ AUTHORS
Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>
-OpenBSD 6.9 August 11, 2021 OpenBSD 6.9
+CAVEATS
+ The original SCP protocol (used by default) requires execution of the
+ remote user's shell to perform glob(3) pattern matching. This requires
+ careful quoting of any characters that have special meaning to the remote
+ shell, such as quote characters.
+
+OpenBSD 6.9 September 20, 2021 OpenBSD 6.9
diff --git a/scp.1 b/scp.1
index 68aac04b205c..10cd4efb912a 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.105 2021/09/20 06:53:56 djm Exp $
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 20 2021 $
.Dt SCP 1
.Os
.Sh NAME
@@ -37,9 +37,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,7 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the original SCP protocol (the default), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -112,7 +109,7 @@ This option is directly passed to
.Xr ssh 1 .
.It Fl D Ar sftp_server_path
When using the SFTP protocol support via
-.Fl M ,
+.Fl s ,
connect directly to a local SFTP server program rather than a
remote one via
.Xr ssh 1 .
@@ -144,10 +141,12 @@ This option is directly passed to
.It Fl l Ar limit
Limits the used bandwidth, specified in Kbit/s.
.It Fl O
-Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+Use the original SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
This mode is the default.
.It Fl o Ar ssh_option
Can be used to pass options to
@@ -229,10 +228,10 @@ Note that this option is written with a capital
.Sq P ,
because
.Fl p
-is already reserved for preserving the times and modes of the file.
+is already reserved for preserving the times and mode bits of the file.
.It Fl p
-Preserves modification times, access times, and modes from the
-original file.
+Preserves modification times, access times, and file mode bits from the
+source file.
.It Fl q
Quiet mode: disables the progress meter as well as warning and diagnostic
messages from
@@ -259,15 +258,7 @@ The program must understand
.Xr ssh 1
options.
.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
+Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@@ -307,3 +298,10 @@ source code from the Regents of the University of California.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
+.Sh CAVEATS
+The original SCP protocol (used by default) requires execution of the
+remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
diff --git a/scp.c b/scp.c
index e039350c6093..73ce8554d788 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
+/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -467,7 +467,7 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
- log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+ log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
memset(&args, '\0', sizeof(args));
memset(&remote_remote_args, '\0', sizeof(remote_remote_args));
@@ -588,7 +588,7 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
- log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+ log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
/* Do this last because we want the user to be able to override it */
addargs(&args, "-oForwardAgent=no");
@@ -652,7 +652,7 @@ main(int argc, char **argv)
* Finally check the exit status of the ssh process, if one was forked
* and no error has occurred yet
*/
- if (do_cmd_pid != -1 && errs == 0) {
+ if (do_cmd_pid != -1 && (mode == MODE_SFTP || errs == 0)) {
if (remin != -1)
(void) close(remin);
if (remout != -1)
@@ -1213,8 +1213,7 @@ tolocal(int argc, char **argv, enum scp_mode_e mode, char *sftp_direct)
conn = do_sftp_connect(host, suser, sport,
sftp_direct, &remin, &remout, &do_cmd_pid);
if (conn == NULL) {
- error("Couldn't make sftp connection "
- "to server");
+ error("sftp connection failed");
++errs;
continue;
}
@@ -1261,7 +1260,8 @@ prepare_remote_path(struct sftp_conn *conn, const char *path)
if (can_expand_path(conn))
return do_expand_path(conn, path);
/* No protocol extension */
- error("~user paths are not currently supported");
+ error("server expand-path extension is required "
+ "for ~user paths in SFTP mode");
return NULL;
}
@@ -1296,11 +1296,14 @@ source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn)
if (local_is_dir(src) && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
- fatal("failed to upload directory %s to %s",
+ error("failed to upload directory %s to %s",
src, abs_dst);
+ errs = 1;
}
- } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0)
- fatal("failed to upload file %s to %s", src, abs_dst);
+ } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
+ error("failed to upload file %s to %s", src, abs_dst);
+ errs = 1;
+ }
free(abs_dst);
free(target);
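Review bot: The two new error paths assign `errs = 1`, whereas the rest of scp.c, including the sftp-connection failure in tolocal() elsewhere in this patch, counts with `++errs`; using `++errs` here as well keeps the variable a count and avoids lowering a value already accumulated by earlier arguments. The final exit status appears to test only for non-zero, so behaviour is the same either way, but the mixed idiom invites a later reader to wonder whether the reset is deliberate. source_sftp() starts before this hunk.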
@@ -1490,9 +1493,9 @@ sink_sftp(int argc, char *dst, const char *src, struct sftp_conn *conn)
debug3_f("copying remote %s to local %s", abs_src, dst);
if ((r = remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
- error("Too many glob matches for \"%s\".", abs_src);
+ error("%s: too many glob matches", abs_src);
else
- error("File \"%s\" not found.", abs_src);
+ error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
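Review bot: The new `error("%s: %s", abs_src, strerror(ENOENT))` reports "No such file or directory" for every remote_glob() failure other than GLOB_NOSPACE, yet a glob can presumably also fail for reasons such as a permission error or an aborted directory read (GLOB_ABORTED), and for those the message is misleading. Distinguishing at least that case, e.g. `else if (r == GLOB_ABORTED) error("%s: glob aborted", abs_src);` before the ENOENT fallback, keeps the diagnostic honest; the same pattern is repeated in throughlocal_sftp() further down this patch. remote_glob()'s exact return values are not visible here, and sink_sftp() starts before this hunk.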
@@ -1537,9 +1540,8 @@ out:
free(abs_src);
free(tmp);
globfree(&g);
- if (err == -1) {
- fatal("Failed to download file '%s'", src);
- }
+ if (err == -1)
+ errs = 1;
}
@@ -1887,7 +1889,7 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
targetisdir = remote_is_dir(to, target);
if (!targetisdir && targetshouldbedirectory) {
- error("Destination path \"%s\" is not a directory", target);
+ error("%s: destination is not a directory", target);
err = -1;
goto out;
}
@@ -1895,9 +1897,9 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
debug3_f("copying remote %s to remote %s", abs_src, target);
if ((r = remote_glob(from, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
- error("Too many glob matches for \"%s\".", abs_src);
+ error("%s: too many glob matches", abs_src);
else
- error("File \"%s\" not found.", abs_src);
+ error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
@@ -1938,7 +1940,7 @@ out:
free(tmp);
globfree(&g);
if (err == -1)
- fatal("Failed to download file '%s'", src);
+ errs = 1;
}
int
diff --git a/servconf.c b/servconf.c
index a765e4e05f50..b2fbf0b2a3b6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.382 2021/09/06 00:36:01 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -490,9 +490,8 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
+ sKerberosGetAFSToken, sPasswordAuthentication,
+ sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
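Review bot: Dropping `sChallengeResponseAuthentication` from this enum is only safe if the keywords table maps the `ChallengeResponseAuthentication` keyword onto `sKbdInteractiveAuthentication`, because an unrecognised keyword is a fatal configuration error and many deployed sshd_config files still set it; that table is outside this hunk, so the aliasing cannot be confirmed here. A one-line comment at the enum, e.g. `/* ChallengeResponseAuthentication is accepted as an alias for sKbdInteractiveAuthentication */`, would record the intent next to the removal. The enum begins before and ends after this hunk.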
diff --git a/sftp-client.c b/sftp-client.c
index 5bfff90d187f..9de9afa20f68 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.154 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.155 2021/09/03 05:12:25 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -2039,7 +2039,6 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
if (print_flag && print_flag != SFTP_PROGRESS_ONLY)
mprintf("Entering %s\n", src);
- attrib_clear(&a);
stat_to_attrib(&sb, &a);
a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;
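Review bot: Removing `attrib_clear(&a)` before `stat_to_attrib(&sb, &a)` is correct only if stat_to_attrib() itself initialises every field of the Attrib it does not derive from `sb`, in particular `flags`, which the two following lines mask; if it only assigns the fields it knows about, `a` now starts with whatever was on the stack. stat_to_attrib() is not in this hunk, so the change should be checked against it, and a comment such as `/* stat_to_attrib() clears a before filling it */` would record why the explicit clear is redundant. upload_dir_internal() starts before and ends after this hunk.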
diff --git a/sftp-realpath.c b/sftp-realpath.c
index 9ac40181227f..2ec779d8f901 100644
--- a/sftp-realpath.c
+++ b/sftp-realpath.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-realpath.c,v 1.1 2019/07/05 04:55:40 djm Exp $ */
+/* $OpenBSD: sftp-realpath.c,v 1.2 2021/09/02 21:03:54 deraadt Exp $ */
/*
* Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
@@ -30,7 +30,6 @@
#include "includes.h"
#include <sys/types.h>
-#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
diff --git a/sftp.c b/sftp.c
index 69f84cdcf1a4..418f312f7bc6 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.211 2021/08/12 09:59:00 schwarze Exp $ */
+/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -2204,28 +2204,31 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
interactive = !batchmode && isatty(STDIN_FILENO);
err = 0;
for (;;) {
+ struct sigaction sa;
+
+ interrupted = 0;
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_handler = interactive ? read_interrupt : killchild;
+ if (sigaction(SIGINT, &sa, NULL) == -1) {
+ debug3("sigaction(%s): %s", strsignal(SIGINT),
+ strerror(errno));
+ break;
+ }
if (el == NULL) {
if (interactive)
printf("sftp> ");
if (fgets(cmd, sizeof(cmd), infile) == NULL) {
if (interactive)
printf("\n");
+ if (interrupted)
+ continue;
break;
}
} else {
#ifdef USE_LIBEDIT
const char *line;
int count = 0;
- struct sigaction sa;
-
- interrupted = 0;
- memset(&sa, 0, sizeof(sa));
- sa.sa_handler = read_interrupt;
- if (sigaction(SIGINT, &sa, NULL) == -1) {
- debug3("sigaction(%s): %s",
- strsignal(SIGINT), strerror(errno));
- break;
- }
+
if ((line = el_gets(el, &count)) == NULL ||
count <= 0) {
printf("\n");
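Review bot: The `struct sigaction` is zero-filled with memset, which leaves `sa.sa_mask` as all-zero bytes rather than an explicitly empty set; that works on the platforms OpenSSH targets, but `sigemptyset(&sa.sa_mask);` after the memset is the portable form and costs nothing. Re-installing the handler on every iteration is harmless, though a comment like `/* re-arm SIGINT per line: interactive reads abandon the line, batch reads kill the child */` would explain why the setup moved out of the libedit branch and why `interrupted` is reset here. The `continue` after `interrupted` in the fgets() path relies on the read being interrupted rather than restarted, which holds because `sa_flags` stays zero (no SA_RESTART). interactive_loop() starts before and ends after this hunk.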
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 18e9f1d180c6..4b40768d517f 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2680,7 +2680,8 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,
time_t now;
*verify_timep = 0;
- *print_pubkey = 0;
+ if (print_pubkey != NULL)
+ *print_pubkey = 0;
for (i = 0; i < nopts; i++) {
if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
if (parse_absolute_time(opts[i] + 12,
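Review bot: The NULL guard is added only for the initial `*print_pubkey = 0`; if the option loop below (outside this hunk) stores `*print_pubkey = 1` when a print-pubkey option is seen, it needs the same guard, or callers that pass NULL should have that option rejected rather than dereferencing NULL. A short note on the parameter, e.g. `/* print_pubkey may be NULL when the caller has no use for it */`, would make the contract explicit. sig_process_opts() starts before and ends after this hunk.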
diff --git a/ssh.0 b/ssh.0
index 4f8e5325e2d9..055bad3b686f 100644
--- a/ssh.0
+++ b/ssh.0
@@ -10,7 +10,7 @@ SYNOPSIS
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
- [command]
+ [command [argument ...]]
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for
@@ -24,8 +24,11 @@ DESCRIPTION
ssh://[user@]hostname[:port]. The user must prove their identity to the
remote machine using one of several methods (see below).
- If a command is specified, it is executed on the remote host instead of a
- login shell.
+ If a command is specified, it will be executed on the remote host instead
+ of a login shell. A complete command line may be specified as command,
+ or it may have additional arguments. If supplied, the arguments will be
+ appended to the command, separated by spaces, before it is sent to the
+ server to be executed.
The options are as follows:
@@ -137,15 +140,18 @@ DESCRIPTION
-i identity_file
Selects a file from which the identity (private key) for public
- key authentication is read. The default is ~/.ssh/id_dsa,
- ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
- ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa. Identity files may also
- be specified on a per-host basis in the configuration file. It
- is possible to have multiple -i options (and multiple identities
- specified in configuration files). If no certificates have been
- explicitly specified by the CertificateFile directive, ssh will
- also try to load certificate information from the filename
- obtained by appending -cert.pub to identity filenames.
+ key authentication is read. You can also specify a public key
+ file to use the corresponding private key that is loaded in
+ ssh-agent(1) when the private key file is not present locally.
+ The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
+ ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and
+ ~/.ssh/id_rsa. Identity files may also be specified on a per-
+ host basis in the configuration file. It is possible to have
+ multiple -i options (and multiple identities specified in
+ configuration files). If no certificates have been explicitly
+ specified by the CertificateFile directive, ssh will also try to
+ load certificate information from the filename obtained by
+ appending -cert.pub to identity filenames.
-J destination
Connect to the target host by first making a ssh connection to
@@ -1007,4 +1013,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 6.9 July 28, 2021 OpenBSD 6.9
+OpenBSD 6.9 September 10, 2021 OpenBSD 6.9
diff --git a/ssh.1 b/ssh.1
index 77502515b6a6..7efb23828dc7 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.425 2021/07/28 05:57:42 jmc Exp $
-.Dd $Mdocdate: July 28 2021 $
+.\" $OpenBSD: ssh.1,v 1.427 2021/09/10 10:26:02 dtucker Exp $
+.Dd $Mdocdate: September 10 2021 $
.Dt SSH 1
.Os
.Sh NAME
@@ -65,7 +65,7 @@
.Op Fl W Ar host : Ns Ar port
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
.Ar destination
-.Op Ar command
+.Op Ar command Op Ar argument ...
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
@@ -94,7 +94,12 @@ their identity to the remote machine using one of several methods
If a
.Ar command
is specified,
-it is executed on the remote host instead of a login shell.
+it will be executed on the remote host instead of a login shell.
+A complete command line may be specified as
+.Ar command ,
+or it may have additional arguments.
+If supplied, the arguments will be appended to the command, separated by
+spaces, before it is sent to the server to be executed.
.Pp
The options are as follows:
.Pp
@@ -288,6 +293,10 @@ authentication.
.It Fl i Ar identity_file
Selects a file from which the identity (private key) for
public key authentication is read.
+You can also specify a public key file to use the corresponding
+private key that is loaded in
+.Xr ssh-agent 1
+when the private key file is not present locally.
The default is
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
diff --git a/ssh.c b/ssh.c
index 533a6aa991c6..e6fe8090991d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.566 2021/08/08 08:49:09 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -185,7 +185,7 @@ usage(void)
" [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
" [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
-" [-w local_tun[:remote_tun]] destination [command]\n"
+" [-w local_tun[:remote_tun]] destination [command [argument ...]]\n"
);
exit(255);
}
@@ -259,6 +259,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
port = default_ssh_port();
if (cname != NULL)
*cname = '\0';
+ debug3_f("lookup %s:%d", name, port);
snprintf(strport, sizeof strport, "%d", port);
memset(&hints, 0, sizeof(hints));
@@ -382,7 +383,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
int i;
struct allowed_cname *rule;
- if (*cname == '\0' || options.num_permitted_cnames == 0 ||
+ if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
strcmp(*namep, cname) == 0)
return 0;
if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
@@ -1186,7 +1187,7 @@ main(int ac, char **av)
*/
direct = option_clear_or_none(options.proxy_command) &&
options.jump_host == NULL;
- if (addrs == NULL && options.num_permitted_cnames != 0 && (direct ||
+ if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
if ((addrs = resolve_host(host, options.port,
direct, cname, sizeof(cname))) == NULL) {
@@ -1792,7 +1793,8 @@ ssh_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
rfwd->allocated_port = (int)port;
logit("Allocated port %u for remote "
"forward to %s:%d",
- rfwd->allocated_port, rfwd->connect_host,
+ rfwd->allocated_port, rfwd->connect_path ?
+ rfwd->connect_path : rfwd->connect_host,
rfwd->connect_port);
channel_update_permission(ssh,
rfwd->handle, rfwd->allocated_port);
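Review bot: For a remote forward to a Unix socket the message is still formatted as `%s:%d`, so `connect_port` is printed after the socket path substituted for `%s`, and presumably shows a placeholder port rather than anything meaningful. Splitting the two cases keeps the log clean: `if (rfwd->connect_path != NULL) logit("Allocated port %u for remote forward to %s", rfwd->allocated_port, rfwd->connect_path); else logit("Allocated port %u for remote forward to %s:%d", rfwd->allocated_port, rfwd->connect_host, rfwd->connect_port);`. ssh_confirm_remote_forward() starts before and ends after this hunk.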
diff --git a/ssh_config.0 b/ssh_config.0
index b13a74e7d8e4..d3890a4a7fc4 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -173,6 +173,9 @@ DESCRIPTION
canonicalized to names in the "*.b.example.com" or
"*.c.example.com" domains.
+ A single argument of "none" causes no CNAMEs to be considered for
+ canonicalization. This is the default behaviour.
+
CASignatureAlgorithms
Specifies which algorithms are allowed for signing of
certificates by certificate authorities (CAs). The default is:
@@ -494,12 +497,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
- rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ rsa-sha2-512,rsa-sha2-256
The -Q option of ssh(1) may be used to list supported signature
algorithms. This was formerly named HostbasedKeyTypes.
@@ -529,12 +531,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
sk-ssh-ed25519@openssh.com,
- rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ rsa-sha2-512,rsa-sha2-256
If hostkeys are known for the destination host then this default
is modified to prefer their algorithms.
@@ -661,13 +662,13 @@ DESCRIPTION
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. If the specified list begins
- with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will be appended
- to the default set instead of replacing them. If the specified
- list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified methods
- (including wildcards) will be removed from the default set
- instead of replacing them. If the specified list begins with a
- M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the
- head of the default set. The default is:
+ with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be
+ appended to the default set instead of replacing them. If the
+ specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
+ algorithms (including wildcards) will be removed from the default
+ set instead of replacing them. If the specified list begins with
+ a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will be placed at
+ the head of the default set. The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
@@ -895,12 +896,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
- ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
- rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ rsa-sha2-512,rsa-sha2-256
The list of available signature algorithms may also be obtained
using "ssh -Q PubkeyAcceptedAlgorithms".
@@ -1080,11 +1080,11 @@ DESCRIPTION
maintained or when connections to new hosts are frequently made.
This option forces the user to manually add all new hosts.
- If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically
- add new host keys to the user's known_hosts file, but will not
- permit connections to hosts with changed host keys. If this flag
- is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys
- to the user known hosts files and allow connections to hosts with
+ If this flag is set to accept-new then ssh will automatically add
+ new host keys to the user's known_hosts file, but will not permit
+ connections to hosts with changed host keys. If this flag is set
+ to no or off, ssh will automatically add new host keys to the
+ user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions. If
this flag is set to ask (the default), new host keys will be
added to the user known host files only after the user has
@@ -1303,4 +1303,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 6.9 August 12, 2021 OpenBSD 6.9
+OpenBSD 6.9 September 25, 2021 OpenBSD 6.9
diff --git a/ssh_config.5 b/ssh_config.5
index cd0eea867049..170125a0e443 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
-.Dd $Mdocdate: August 12 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.366 2021/09/25 09:40:33 kn Exp $
+.Dd $Mdocdate: September 25 2021 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -372,6 +372,11 @@ to be canonicalized to names in the
or
.Qq *.c.example.com
domains.
+.Pp
+A single argument of
+.Qq none
+causes no CNAMEs to be considered for canonicalization.
+This is the default behaviour.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
@@ -874,12 +879,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The
@@ -921,12 +925,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -1150,15 +1153,15 @@ Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
default set.
The default is:
.Bd -literal -offset indent
@@ -1504,12 +1507,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The list of available signature algorithms may also be obtained using
@@ -1788,15 +1790,15 @@ This option forces the user to manually
add all new hosts.
.Pp
If this flag is set to
-.Dq accept-new
+.Cm accept-new
then ssh will automatically add new host keys to the user's
.Pa known_hosts
file, but will not permit connections to hosts with
changed host keys.
If this flag is set to
-.Dq no
+.Cm no
or
-.Dq off ,
+.Cm off ,
ssh will automatically add new host keys to the user known hosts files
and allow connections to hosts with changed hostkeys to proceed,
subject to some restrictions.
diff --git a/sshd.0 b/sshd.0
index 625ded897a3f..16e31053d3b7 100644
--- a/sshd.0
+++ b/sshd.0
@@ -157,10 +157,12 @@ AUTHENTICATION
connections, or forwarding the authentication agent connection over the
secure channel.
- After this, the client either requests a shell or execution of a command.
- The sides then enter session mode. In this mode, either side may send
- data at any time, and such data is forwarded to/from the shell or command
- on the server side, and the user terminal in the client side.
+ After this, the client either requests an interactive shell or execution
+ or a non-interactive command, which sshd will execute via the user's
+ shell using its -c option. The sides then enter session mode. In this
+ mode, either side may send data at any time, and such data is forwarded
+ to/from the shell or command on the server side, and the user terminal in
+ the client side.
When the user program terminates and all forwarded X11 and other
connections have been closed, the server sends command exit status to the
@@ -670,4 +672,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 6.9 July 30, 2021 OpenBSD 6.9
+OpenBSD 6.9 September 10, 2021 OpenBSD 6.9
diff --git a/sshd.8 b/sshd.8
index 53296ddb771f..ef38949a2fc6 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
-.Dd $Mdocdate: July 30 2021 $
+.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
+.Dd $Mdocdate: September 10 2021 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -303,7 +303,12 @@ things like allocating a pseudo-tty, forwarding X11 connections,
forwarding TCP connections, or forwarding the authentication agent
connection over the secure channel.
.Pp
-After this, the client either requests a shell or execution of a command.
+After this, the client either requests an interactive shell or execution
+or a non-interactive command, which
+.Nm
+will execute via the user's shell using its
+.Fl c
+option.
The sides then enter session mode.
In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or
diff --git a/sshd_config.0 b/sshd_config.0
index 94f0a4d8b2b6..92a98165963b 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -554,13 +554,14 @@ DESCRIPTION
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. Alternately if the specified
- list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will
- be appended to the default set instead of replacing them. If the
- specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
- methods (including wildcards) will be removed from the default
- set instead of replacing them. If the specified list begins with
- a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the
- head of the default set. The supported algorithms are:
+ list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms
+ will be appended to the default set instead of replacing them.
+ If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
+ specified algorithms (including wildcards) will be removed from
+ the default set instead of replacing them. If the specified list
+ begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will
+ be placed at the head of the default set. The supported
+ algorithms are:
curve25519-sha256
curve25519-sha256@libssh.org
@@ -1191,4 +1192,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 6.9 August 12, 2021 OpenBSD 6.9
+OpenBSD 6.9 September 3, 2021 OpenBSD 6.9
diff --git a/sshd_config.5 b/sshd_config.5
index 69d55206a951..a8d0545c31dd 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
-.Dd $Mdocdate: August 12 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.335 2021/09/03 05:25:50 dtucker Exp $
+.Dd $Mdocdate: September 3 2021 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -920,15 +920,15 @@ Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
default set.
The supported algorithms are:
.Pp
diff --git a/version.h b/version.h
index e699e103824e..eba7aca0643d 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.91 2021/08/20 03:22:55 djm Exp $ */
+/* $OpenBSD: version.h,v 1.92 2021/09/26 14:01:11 djm Exp $ */
-#define SSH_VERSION "OpenSSH_8.7"
+#define SSH_VERSION "OpenSSH_8.8"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE