Commit Graph

554 Commits

Author SHA1 Message Date
emaste
43e49b6ffe sshd: make getpwclass wrapper MON_ISAUTH not MON_AUTH
In r339216 a privsep wrapper was added for login_getpwclass to address
PR 231172.  Unfortunately the change used the MON_AUTH flag in the
wrapper, and MON_AUTH includes MON_AUTHDECIDE which triggers an
auth_log() on each invocation.  getpwclass() does not participate in the
authentication decision, so should be MON_ISAUTH instead.

PR:		234793
Submitted by:	Henry Hu
Reviewed by:	Yuichiro NAITO
MFC after:	1 week
2019-11-20 16:30:37 +00:00
des
cf475d661f Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
emaste
c8d9eb1607 Merge r345574 from vendor-crypto:
upstream: when checking that filenames sent by the server side

match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@

OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e

Discussed with: des
Obtained from:	OpenSSH-portable 3d896c157c722bc47adca51a58dca859225b5874
2019-03-27 14:35:38 +00:00
emaste
55cc6970c9 scp: validate filenames provided by server against wildcard in client
OpenSSH-portable commits:

check in scp client that filenames sent during remote->local directory
copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.

For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@

OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda

Minor patch conflict (getopt) resolved.

Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc

scp: add -T to usage();

OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899

Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8

PR:		234965
Approved by:	des
MFC after:	3 days
Obtained from:	OpenSSH-portable 391ffc4b9d, 2c21b75a7b
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19076
2019-02-21 22:45:54 +00:00
emaste
6ab515da5a scp: disallow empty or current directory
Obtained from:	OpenBSD scp.c 1.198
Security:	CVE-2018-20685
Sponsored by:	The FreeBSD Foundation
2019-01-15 15:35:14 +00:00
des
7419258c5c Try harder to sanitize the environment before running configure.
Remove a workaround for older Unbound versions that used sbrk.

Approved by:	re (gjb)
2018-10-10 22:29:06 +00:00
gjb
05d1d50555 Merge the remainder of the projects/openssl111 branch to head.
- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by:	re (kib)
Sponsored by:	The FreeBSD Foundation
2018-10-09 21:28:26 +00:00
des
5972318805 Fix portability issues with the Capsicum patch committed in r339216:
- Wrap access to pw_change and pw_expire in the appropriate #ifdefs.
- Wrap calls to login_cap(3) API in appropriate #ifdefs.
- Add wrapper for transferring time_t, which is still only 32 bits wide
  on FreeBSD i386.
- Use a temporary variable to deserialize size_t.

Approved by:	re (gjb)
2018-10-09 19:27:42 +00:00
emaste
642f44c193 Regenerate ssh_namespace.h for OpenSSL 1.1.1 update 2018-10-09 17:29:31 +00:00
gjb
b710187041 MFH r338661 through r339253.
Sponsored by:	The FreeBSD Foundation
2018-10-09 14:27:55 +00:00
emaste
2263c196a6 openssh: regenerate ssh-namespace.h after r339213 and r339216
Reported by:	des
Approved by:	re (rgrimes)
2018-10-09 03:11:59 +00:00
gjb
f328ad48e2 MFH r339206-r339212, r339215-r339239
Sponsored by:	The FreeBSD Foundation
2018-10-08 18:06:40 +00:00
emaste
df69fc9823 sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
  capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
  timezone file.
* Reverse resolve hostname before entering capability mode.

PR:		231172
Submitted by:	naito.yuichiro@gmail.com
Reviewed by:	cem, des
Approved by:	re (rgrimes)
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D17128
2018-10-06 21:32:55 +00:00
emaste
3af09b53ad openssh: cherry-pick OpenSSL 1.1.1 compatibility
Compatibility with existing OpenSSL versions is maintained.

Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.

Trivial conflicts in sshkey.c and test_sshkey.c were resolved.

Connect libressl-api-compat.c to the build, and regenerate config.h

Reviewed by:	des
Approved by:	re (rgrimes)
MFC after:	2 seeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D17444
2018-10-06 14:38:34 +00:00
emaste
e0d48e3a14 openssh: connect libressl-api-compat.c and regen config.h
Differential Revision:	https://reviews.freebsd.org/D17390
2018-10-03 16:38:36 +00:00
emaste
7921dde60d openssh: add openbsd-compat/libressl-api-compat.c
Missed in migrating changeset from git to svn for r338811

Reported by:	jhb
2018-10-03 16:06:17 +00:00
emaste
1f5ea84932 openssh: cherry-pick OpenSSL 1.1.1 compatibility
Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.

Trivial conflicts in sshkey.c and test_sshkey.c were resolved.

Sponsored by:	The FreeBSD Foundation
2018-09-19 21:18:44 +00:00
emaste
d56ac75924 openssh: rename local macro to avoid OpenSSL 1.1.1 conflict
Local changes introduced an OPENSSH_VERSION macro, but this conflicts
with a macro of the same name introduced with OepnsSL 1.1.1

Reviewed by:	des
Approved by:	re (gjb)
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2018-09-19 20:52:47 +00:00
emaste
d46475a2e7 openssh: rename local macro to avoid OpenSSL 1.1.1 conflict
Local changes introduced an OPENSSH_VERSION macro, but this conflicts
with a macro of the same name introduced with OpenSSL 1.1.1.
2018-09-19 19:13:29 +00:00
des
0a47c58bdd Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
delphij
cc30da3fe1 Update userland arc4random() with OpenBSD's Chacha20 based arc4random().
ObsoleteFiles.inc:

    Remove manual pages for arc4random_addrandom(3) and
    arc4random_stir(3).

  contrib/ntp/lib/isc/random.c:
  contrib/ntp/sntp/libevent/evutil_rand.c:

    Eliminate in-tree usage of arc4random_addrandom().

  crypto/heimdal/lib/roken/rand.c:
  crypto/openssh/config.h:

    Eliminate in-tree usage of arc4random_stir().

  include/stdlib.h:

    Remove arc4random_stir() and arc4random_addrandom() prototypes,
    provide temporary shims for transistion period.

  lib/libc/gen/Makefile.inc:

    Hook arc4random-compat.c to build, add hint for Chacha20 source for
    kernel, and remove arc4random_addrandom(3) and arc4random_stir(3)
    links.

  lib/libc/gen/arc4random.c:

    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the
    sys/crypto/chacha20 implementation of keystream.

  lib/libc/gen/Symbol.map:

    Remove arc4random_stir and arc4random_addrandom interfaces.

  lib/libc/gen/arc4random.h:

    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

  lib/libc/gen/arc4random.3:

    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and
    r118247.

  lib/libc/gen/arc4random-compat.c:

    Compatibility shims for arc4random_stir and arc4random_addrandom
    functions to preserve ABI.  Log once when called but do nothing
    otherwise.

  lib/libc/gen/getentropy.c:
  lib/libc/include/libc_private.h:

    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl).
    Remove from libc_private.h as a result.

  sys/crypto/chacha20/chacha.c:
  sys/crypto/chacha20/chacha.h:

    Make it possible to use the kernel implementation in libc.

PR:		182610
Reviewed by:	cem, markm
Obtained from:	OpenBSD
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16760
2018-08-19 17:40:50 +00:00
des
22c418c243 Merge upstream patch to unbreak tunnel forwarding.
Reported by:	cy@
2018-05-16 14:04:39 +00:00
des
13e42418d1 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
des
271dcc6a42 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
des
8598cec90a Update the repository URLs. 2018-05-06 13:21:44 +00:00
des
a2e5565774 Upgrade to OpenSSH 7.5p1. 2017-08-04 12:57:24 +00:00
lidl
64d41a9ba5 Refine and update blacklist support in sshd
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.

Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.

Reviewed by:	des
Approved by:	des
Sponsored by:	The FreeBSD Foundation
2017-05-12 15:20:12 +00:00
des
c995370269 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
des
229b651a25 Re-apply part of r311585 which was inadvertantly reverted in the upgrade
to 7.3p1.  The other part (which adds -DLIBWRAP to sshd's CFLAGS) is
still in place.

Reported by:	ngie
2017-03-03 14:25:55 +00:00
des
0f3c0d66a4 Forgot to bump the version addendum date. 2017-03-03 01:50:10 +00:00
des
dc519490bb Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
des
427bf4fd96 Avoid picking up MIT Kerberos from ports (if installed). 2017-02-26 19:00:55 +00:00
des
308f28721f Fix amusingly harmless mis-merge. 2017-02-26 16:34:58 +00:00
lidl
fd982d3dfd Only notify blacklistd for successful logins in auth.c
Reported by:	Rick Adams
Reviewed by:	des
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-02-19 20:35:39 +00:00
delphij
db4ad7afa3 MFV r311913:
Fix multiple OpenSSH vulnerabilities.

Submitted by:	des
Approved by:	so
2017-01-11 05:49:39 +00:00
ngie
078b533dd4 Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
2017-01-07 08:08:35 +00:00
delphij
40a7840d69 MFV r308196:
Fix OpenSSH remote Denial of Service vulnerability.

Security:	CVE-2016-8858
2016-11-02 06:49:25 +00:00
lidl
7235884959 Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
des
291f74b116 Try to check whether each key file exists before adding it, and bail out
if we didn't find any of them.  This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.

PR:		208254
MFC after:	3 days
2016-08-08 10:46:18 +00:00
des
7b7845b35c Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
2016-08-03 16:08:21 +00:00
gjb
7095173950 Revert r301551, which added blacklistd(8) to sshd(8).
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
2016-06-24 23:22:42 +00:00
lidl
9b5f176b51 Add blacklist support to sshd
Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
2016-06-07 16:18:09 +00:00
des
ba453f42f3 Re-add AES-CBC ciphers to the default cipher list on the server.
PR:		207679
2016-03-11 00:23:10 +00:00
des
bb6f58c772 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
des
d381a76dda Document our modified default value for PermitRootLogin. 2016-02-02 10:02:38 +00:00
des
bf4d314681 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
des
84fe0a03f6 r294563 was incomplete; re-add the client-side options as well. 2016-01-22 14:22:11 +00:00
des
150b570cfa Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
des
316c45f5be Update the instructions and the list of major local modifications. 2016-01-21 12:42:31 +00:00
des
e5b44dd19f Explain why we don't include VersionAddendum in the debug mode banner. 2016-01-21 12:41:02 +00:00