Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/crypto/external/bsd/openssh/dist/auth2.c

811 lines
22 KiB
C
Raw Permalink Normal View History

Import OpenSSH 9.6/9.6p1 (2023-12-18) Last was 9.5 Changes since OpenSSH 9.5 ========================= This release contains a number of security fixes, some small features and bugfixes. Security ======== This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source distribition. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources. Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. New features ------------ * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610 * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. Bugfixes -------- * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531 * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326 * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message. * A number of fixes to the PuTTY and Dropbear regress/integration tests. * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982 * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080 * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. Portability ----------- * Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases. * A number of fixes to regression test reliability and log collection. * Update the OpenSSL dependency in the RPM specification. * sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833
2023-12-20 20:11:24 +03:00
/* $OpenBSD: auth2.c,v 1.168 2023/12/18 14:45:49 djm Exp $ */
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <fcntl.h>
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
#include <limits.h>
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#include <pwd.h>
#include <stdarg.h>
import openssh 5.3
2009-12-27 04:06:47 +03:00
#include <string.h>
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#include <unistd.h>
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
#include <time.h>
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
OpenSSH 8.1 was released on 2019-10-09. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Security ======== * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program. * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ...").
2019-10-12 18:13:53 +03:00
#include "stdlib.h"
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#include "atomicio.h"
#include "xmalloc.h"
#include "ssh2.h"
#include "packet.h"
#include "log.h"
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
#include "sshbuf.h"
Changes since OpenSSH 6.6 ========================= Potentially-incompatible changes * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features * Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. * sftp(1): Allow resumption of interrupted uploads. * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154 * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222 * sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160 * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220 * sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199 * Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target. Bugfixes * sshd(8): Fix remote forwarding with the same listen port but different listen address. * ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred. * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted. * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255 * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247 * ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236 * ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234 * ssh-keygen(1): When hashing or removing hosts, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241 * ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion) * scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end. * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238 * ssh-keyscan(1): Scan for Ed25519 keys by default. * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down- convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225 * Fix some strict-alignment errors. Portable OpenSSH * Portable OpenSSH now supports building against libressl-portable. * Portable OpenSSH now requires openssl 0.9.8f or greater. Older versions are no longer supported. * In the OpenSSL version check, allow fix version upgrades (but not downgrades. Debian bug #748150. * sshd(8): On Cygwin, determine privilege separation user at runtime, since it may need to be a domain account. * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for non-root users, and for them it just messes up the tty settings. * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly. bz#2228 * Add support for ed25519 to opensshd.init init script. * sftp-server(8): On platforms that support it, use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps} Changes since OpenSSH 6.5 ========================= This is primarily a bugfix release. Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. New / changed features: * ssh(1), sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time. * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 * ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. bz#2205 * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. bz#2107 * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated. * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Changes since OpenSSH 6.4 ========================= This is a feature-focused release. New features: * ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it. * ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for Ed25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file. * ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file. * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419. * ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide X.509 certs instead of raw public keys (requested as bz#1908). * ssh(1): Add a ssh_config(5) "Match" keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands. * ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names. * sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name. * sftp-server(8): Add a sftp "fsync@openssh.com" to support calling fsync(2) on an open file handle. * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option. * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data. Bugfixes: * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates. * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort. * sftp(1): bz#2137: fix the progress meter for resumed transfer. * ssh-add(1): bz#2187: do not request smartcard PIN when removing keys from ssh-agent. * sshd(8): bz#2139: fix re-exec fallback when original sshd binary cannot be executed. * ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time. * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block. * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise the target path. * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent helper executable. * sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any). * sshd(8): bz#1297: tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting. * sshd(8): bz#2162: include report port in bad protocol banner message. * sftp(1): bz#2163: fix memory leak in error path in do_readdir(). * sftp(1): bz#2171: don't leak file descriptor on error. * sshd(8): Include the local address and port in "Connection from ..." message (only shown at loglevel>=verbose). Portable OpenSSH: * Please note that this is the last version of Portable OpenSSH that will support versions of OpenSSL prior to 0.9.6. Support (i.e. SSH_OLD_EVP) will be removed following the 6.5p1 release. * Portable OpenSSH will attempt compile and link as a Position Independent Executable on Linux, OS X and OpenBSD on recent gcc- like compilers. Other platforms and older/other compilers may request this using the --with-pie configure flag. * A number of other toolchain-related hardening options are used automatically if available, including -ftrapv to abort on signed integer overflow and options to write-protect dynamic linking information. The use of these options may be disabled using the --without-hardening configure flag. * If the toolchain supports it, one of the -fstack-protector-strong, -fstack-protector-all or -fstack-protector compilation flag are used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option. * sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10. * Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own. * sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart. * sshd(8): bz#2032: use local username in krb5_kuserok check rather than full client name which may be of form user@REALM. * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in OpenSSL and that they actually work. Fedora (at least) has NID_secp521r1 that doesn't work. * bz#2173: use pkg-config --libs to include correct -L location for libedit.
2014-10-19 20:28:33 +04:00
#include "misc.h"
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#include "servconf.h"
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
#include "sshkey.h"
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#include "hostfile.h"
#include "auth.h"
#include "dispatch.h"
#include "pathnames.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
#include "ssherr.h"
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
#include "digest.h"
Import OpenSSH 9.6/9.6p1 (2023-12-18) Last was 9.5 Changes since OpenSSH 9.5 ========================= This release contains a number of security fixes, some small features and bugfixes. Security ======== This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source distribition. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources. Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. New features ------------ * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610 * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. Bugfixes -------- * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531 * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326 * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message. * A number of fixes to the PuTTY and Dropbear regress/integration tests. * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982 * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080 * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. Portability ----------- * Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases. * A number of fixes to regression test reliability and log collection. * Update the OpenSSL dependency in the RPM specification. * sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833
2023-12-20 20:11:24 +03:00
#include "kex.h"
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* import */
extern ServerOptions options;
/* methods */
extern Authmethod method_none;
extern Authmethod method_pubkey;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
extern Authmethod method_gssapi;
#endif
Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
#ifdef GSSAPI
&method_gssapi,
#endif
&method_passwd,
&method_kbdint,
&method_hostbased,
NULL
};
/* protocol */
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
static int input_service_request(int, u_int32_t, struct ssh *);
static int input_userauth_request(int, u_int32_t, struct ssh *);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* helper */
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
static Authmethod *authmethod_byname(const char *);
from openbsd
2013-03-29 18:52:38 +04:00
static Authmethod *authmethod_lookup(Authctxt *, const char *);
static char *authmethods_get(Authctxt *authctxt);
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
#define MATCH_NONE 0 /* method or submethod mismatch */
#define MATCH_METHOD 1 /* method matches (no submethod specified) */
#define MATCH_BOTH 2 /* method and submethod match */
#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */
static int list_starts_with(const char *, const char *, const char *);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
char *
auth2_read_banner(void)
{
struct stat st;
char *banner = NULL;
size_t len, n;
int fd;
if ((fd = open(options.banner, O_RDONLY)) == -1)
return (NULL);
if (fstat(fd, &st) == -1) {
close(fd);
return (NULL);
}
from ftp.openbsd.org
2012-05-02 06:13:04 +04:00
if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
close(fd);
return (NULL);
}
len = (size_t)st.st_size; /* truncate */
banner = xmalloc(len + 1);
n = atomicio(read, fd, banner, len);
close(fd);
if (n != len) {
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
free(banner);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
return (NULL);
}
banner[n] = '\0';
return (banner);
}
static void
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
userauth_banner(struct ssh *ssh)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
char *banner = NULL;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
int r;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
OpenSSH 7.7 was released on 2018-04-02. It is available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations. Changes since OpenSSH 7.6 ========================= This is primarily a bugfix release. New Features ------------ * All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default. * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux). * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present. * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present. * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. * ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress) * ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface. * sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server. * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm. * ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither). * sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760 * sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria. Bugfixes -------- * ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1. * sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message. * sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664 * ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shown. bz#2814 * ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821 * regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823 * ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent. * scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.) * ssh-keygen(1): Refuse to create a certificate with an unusable number of principals. * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline. * ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803 * sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps. * Numerous manual page fixes and improvements. Portability ----------- * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes sandbox violations on some environments. * sshd(8): Remove UNICOS support. The hardware and software are literal museum pieces and support in sshd is too intrusive to justify maintaining. * All: Build and link with "retpoline" flags when available to mitigate the "branch target injection" style (variant 2) of the Spectre branch-prediction vulnerability. * All: Add auto-generated dependency information to Makefile. * Numerous fixed to the RPM spec files. Checksums: ========== - SHA1 (openssh-7.7.tar.gz) = 24812e05fa233014c847c7775748316e7f8a836c - SHA256 (openssh-7.7.tar.gz) = T4ua1L/vgAYqwB0muRahvnm5ZUr3PLY9nPljaG8egvo= - SHA1 (openssh-7.7p1.tar.gz) = 446fe9ed171f289f0d62197dffdbfdaaf21c49f2 - SHA256 (openssh-7.7p1.tar.gz) = 1zvn5oTpnvzQJL4Vowv/y+QbASsvezyQhK7WIXdea48= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2018-04-06 21:56:05 +03:00
if (options.banner == NULL)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
return;
if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
goto done;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 ||
(r = sshpkt_put_cstring(ssh, banner)) != 0 ||
(r = sshpkt_put_cstring(ssh, "")) != 0 || /* language, unused */
(r = sshpkt_send(ssh)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "send packet");
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
debug("userauth_banner: sent");
done:
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
free(banner);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
/*
* loop until authctxt->success == TRUE
*/
void
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
do_authentication2(struct ssh *ssh)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
Authctxt *authctxt = ssh->authctxt;
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
ssh_dispatch_init(ssh, &dispatch_protocol_error);
Import OpenSSH 9.6/9.6p1 (2023-12-18) Last was 9.5 Changes since OpenSSH 9.5 ========================= This release contains a number of security fixes, some small features and bugfixes. Security ======== This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source distribition. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources. Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. New features ------------ * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610 * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. Bugfixes -------- * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531 * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326 * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message. * A number of fixes to the PuTTY and Dropbear regress/integration tests. * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982 * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080 * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. Portability ----------- * Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases. * A number of fixes to regression test reliability and log collection. * Update the OpenSSL dependency in the RPM specification. * sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833
2023-12-20 20:11:24 +03:00
if (ssh->kex->ext_info_c)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_input_ext_info);
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_REQUEST, &input_service_request);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt->success);
ssh->authctxt = NULL;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
Changes since OpenSSH 6.7 ========================= This is a major release, containing a number of new features as well as a large internal re-factoring. Potentially-incompatible changes -------------------------------- * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses. New Features ------------ * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different. * ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default off). * ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication. * ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths. * ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases. * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support. * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication. * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption. * sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys. * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. * sshd(8): Don't count partial authentication success as a failure against MaxAuthTries. * ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys. * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA. * ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. * ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T". * ssh(1): Allow Match criteria to be negated. E.g. "Match !host". * The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange. Bugfixes * ssh-keyscan(1): ssh-keyscan has been made much more robust again servers that hang or violate the SSH protocol. * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields. * ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286 * ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267 * ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324; * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345. * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. * Various fixes to manual pages: bz#2288, bz#2316, bz#2273 Portable OpenSSH * Support --without-openssl at configure time Disables and removes dependency on OpenSSL. Many features, including SSH protocol 1 are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom. Considered highly experimental for now. * Support --without-ssh1 option at configure time Allows disabling support for SSH protocol 1. * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296 * Allow custom service name for sshd on Cygwin. Permits the use of multiple sshd running with different service names. Checksums: ========== - SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37 - SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw= - SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92 - SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4= Please note that the PGP key used to sign releases was recently rotated. The new key has been signed by the old key to provide continuity. It is available from the mirror sites as RELEASE_KEY.asc. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2015-04-04 02:49:21 +03:00
static int
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
input_service_request(int type, u_int32_t seq, struct ssh *ssh)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
Authctxt *authctxt = ssh->authctxt;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
char *service = NULL;
int r, acceptit = 0;
if ((r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (authctxt == NULL)
fatal("input_service_request: no authctxt");
if (strcmp(service, "ssh-userauth") == 0) {
if (!authctxt->success) {
acceptit = 1;
/* now we can handle user-auth requests */
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
&input_userauth_request);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
}
/* XXX all other service requests are denied */
if (acceptit) {
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshpkt_start(ssh, SSH2_MSG_SERVICE_ACCEPT)) != 0 ||
(r = sshpkt_put_cstring(ssh, service)) != 0 ||
(r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
goto out;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
} else {
debug("bad service request %s", service);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
ssh_packet_disconnect(ssh, "bad service request %s", service);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
Import OpenSSH 9.6/9.6p1 (2023-12-18) Last was 9.5 Changes since OpenSSH 9.5 ========================= This release contains a number of security fixes, some small features and bugfixes. Security ======== This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source distribition. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources. Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. New features ------------ * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610 * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. Bugfixes -------- * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531 * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326 * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message. * A number of fixes to the PuTTY and Dropbear regress/integration tests. * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982 * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080 * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. Portability ----------- * Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases. * A number of fixes to regression test reliability and log collection. * Update the OpenSSL dependency in the RPM specification. * sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833
2023-12-20 20:11:24 +03:00
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &dispatch_protocol_error);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
r = 0;
out:
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
free(service);
OpenSSH 8.3 was released on 2020-05-27. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. A future release of OpenSSH will enable UpdateHostKeys by default to allow the client to automatically migrate to better algorithms. Users may consider enabling this option manually. Vendors of devices that implement the SSH protocol should ensure that they support the new signature algorithms for RSA keys. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. Exploitation of this is not likely as utimes(2) does not fail under normal circumstances. Successful exploitation is not silent - the output of scp(1) would show transfer errors followed by the actual file(s) that were received. Finally, filenames returned from the peer are (since openssh-8.0) matched against the user's requested destination, thereby disallowing a successful exploit from writing files outside the user's selected target glob (or directory, in the case of a recursive transfer). This ensures that this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. Changes since OpenSSH 8.2 ========================= The focus of this release is bug fixing. New Features ------------ * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148 * ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. bz#3014 * all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. * ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path" bz#3132 Bugfixes -------- * ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider; bz#3141 * ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key. * scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts. * ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, perform hashing of the message to be signed in the middleware layer rather than in OpenSSH code. This permits the use of security key middlewares that perform the hashing implicitly, such as Windows Hello. * ssh(1): fix incorrect error message for "too many known hosts files." bz#3149 * ssh(1): make failures when establishing "Tunnel" forwarding terminate the connection when ExitOnForwardFailure is enabled; bz#3116 * ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same. * sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn't match); bz#3134 * sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not considered for HostbasedAuthentication when the target user is root; bz#3148 * ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key parsing (oss-fuzz #20074). * ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted in various configuration options. * ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 C_Login failure cases; bz#3130 * ssh(1), sshd(8): make error messages for problems during SSH banner exchange consistent with other SSH transport-layer error messages and ensure they include the relevant IP addresses bz#3129 * various: fix a number of spelling errors in comments and debug/error messages * ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a token, don't prompt for a PIN until the token has told us that it needs one. Avoids double-prompting on devices that implement on-device authentication. * sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option. * ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty. * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119 * ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057. Portability ----------- * Detect systems where signals flagged with SA_RESTART will interrupt select(2). POSIX permits implementations to choose whether select(2) will return when interrupted with a SA_RESTART-flagged signal, but OpenSSH requires interrupting behaviour. * Several compilation fixes for HP/UX and AIX. * On platforms that do not support setting process-wide routing domains (all excepting OpenBSD at present), fail to accept a configuration attempts to set one at process start time rather than fatally erroring at run time. bz#3126 * Improve detection of egrep (used in regression tests) on platforms that offer a poor default one (e.g. Solaris). * A number of shell portability fixes for the regression tests. * Fix theoretical infinite loop in the glob(3) replacement implementation. * Fix seccomp sandbox compilation problems for some Linux configurations bz#3085 * Improved detection of libfido2 and some compilation fixes for some configurations when --with-security-key-builtin is selected.
2020-05-28 20:02:58 +03:00
return r;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
#define MIN_FAIL_DELAY_SECONDS 0.005
Import OpenSSH 9.5 (Last was OpenSSH 9.3) OpenSSH 9.5/9.5p1 (2023-10-04) OpenSSH 9.5 was released on 2023-10-04. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.4 ========================= This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0". * sshd(8): allow override of Subsystem directives in sshd Match blocks. Bugfixes -------- * scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611 * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files. * ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty. * sshd(8): make PerSourceMaxStartups first-match-wins * sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism.cw bz3602 * sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal(). * sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured. * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Portability ----------- * Avoid clang zero-call-used-regs=all bug on Apple compilers, which for some reason have version numbers that do not match the upstream clang version numbers. bz#3584 * Fix configure test for zlib 1.3 and later/development versions. bz3604 Checksums: ========== - SHA1 (openssh-9.5.tar.gz) = 8a0bd3a91fac338d97d91817af58df731f6509a3 - SHA256 (openssh-9.5.tar.gz) = sVMxeM3d6g65qBMktJIofxmK4Ipg9dblKif0VnhPeO0= - SHA1 (openssh-9.5p1.tar.gz) = 35c16dcc6e7d0a9465faa241476ef24f76b196cc - SHA256 (openssh-9.5p1.tar.gz) = 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH 9.4/9.4p1 (2023-08-10) OpenSSH 9.4 was released on 2023-08-10. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.3p2 =========================== This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are already deprecated by their upstream vendors. * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. New features ------------ * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D which expands to the routing domain of the connected session and %C which expands to the addresses and port numbers for the source and destination of the connection. * ssh-keygen(1): increase the default work factor (rounds) for the bcrypt KDF used to derive symmetric encryption keys for passphrase protected key files by 50%. Bugfixes -------- * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh(1): make -f (fork after authentication) work correctly with multiplexed connections, including ControlPersist. bz3589 bz3589 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears before it in sshd_config. Since OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was incorrectly ignored in this situation. bz3574 * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. This release removes the partially-implemented code to verify KRLs. All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in KRL files. * All: fix a number of memory leaks and unreachable/harmless integer overflows. * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 modules; GHPR406 * sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. bz3577 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature algorithms that are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms. * ssh-keyscan(1): gracefully handle systems where rlimits or the maximum number of open files is larger than INT_MAX; bz3581 * ssh-keygen(1): fix "no comment" not showing on when running `ssh-keygen -l` on multiple keys where one has a comment and other following keys do not. bz3580 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that reorder requests. Previously, if the server reordered requests then the resultant file would be erroneously truncated. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 * scp(1): when copying local->remote, check that the source file exists before opening an SFTP connection to the server. Based on GHPR#370 Portability ----------- * All: a number of build fixes for various platforms and configuration combinations. * sshd(8): provide a replacement for the SELinux matchpathcon() function, which is deprecated. * All: relax libcrypto version checks for OpenSSL >=3. Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only the library major must match instead of major and minor in earlier versions). bz#3548. * Tests: fix build problems for the sk-dummy.so FIDO provider module used in some tests. Checksums: ========== - SHA1 (openssh-9.4.tar.gz) = d88126d8d7b8e5bf4656587ac4a16055560641cc - SHA256 (openssh-9.4.tar.gz) = 7eqFjx2hAunw+1Jy7f1JQXq//3AMr9B3dKtASDtq8go= - SHA1 (openssh-9.4p1.tar.gz) = 5dea1f3c88f9cfe53a711a3c893ee8b7d3ffecff - SHA256 (openssh-9.4p1.tar.gz) = Ngj9kIjbIWPOs+YAyFq3nQ3j0iHlkZLqGSPiMmOGaoU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2023-10-25 23:14:30 +03:00
#define MAX_FAIL_DELAY_SECONDS 5.0
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
static double
user_specific_delay(const char *user)
{
char b[512];
size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
u_char *hash = xmalloc(len);
double delay;
(void)snprintf(b, sizeof b, "%llu%s",
Import OpenSSH-8.6: Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. OpenSSH recently enabled the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the low-privilege sandboxed sshd process, the log messages were constructed in such a way that printf(3) format strings could effectively be specified the low-privilege code. An attacker who had sucessfully exploited the low-privilege process could use this to escape OpenSSH's sandboxing and attack the high-privilege process. Exploitation of this weakness is highly unlikely in practice as the LogVerbose option is not enabled by default and is typically only used for debugging. No vulnerabilities in the low-privilege process are currently known to exist. Thanks to Ilja Van Sprundel for reporting this bug. Changes since OpenSSH 8.5 ========================= This release contains mostly bug fixes. New features ------------ * sftp-server(8): add a new limits@openssh.com protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length. * sftp(1): use the new limits@openssh.com extension (when available) to select better transfer lengths in the client. * sshd(8): Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test. Bugfixes -------- * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in manual pages with the current default. GHPR#174 * ssh(1): ensure that pkcs11_del_provider() is called before exit. GHPR#234 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR#223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. Portability ----------- * sshd(8): don't mistakenly exit on transient read errors on the network socket (e.g. EINTR, EAGAIN); bz3297 * Create a dedicated contrib/gnome-ssk-askpass3.c source instead of building it from the same file as used for GNOME2. Use the GNOME3 gdk_seat_grab() to manage keyboard/mouse/server grabs for better compatibility with Wayland. * Fix portability build errors bz3293 bz3292 bz3291 bz3278 * sshd(8): soft-disallow the fstatat64 syscall in the Linux seccomp-bpf sandbox. bz3276 * unit tests: enable autoopt and misc unit tests that were previously skipped
2021-04-19 17:38:27 +03:00
(unsigned long long)options.timing_secret, user);
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("ssh_digest_memory");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
/* 0-4.2 ms of delay */
delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
freezero(hash, len);
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("user specific delay %0.3lfms", delay/1000);
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
return MIN_FAIL_DELAY_SECONDS + delay;
}
static void
ensure_minimum_time_since(double start, double seconds)
{
struct timespec ts;
double elapsed = monotime_double() - start, req = seconds, remain;
Import OpenSSH 9.5 (Last was OpenSSH 9.3) OpenSSH 9.5/9.5p1 (2023-10-04) OpenSSH 9.5 was released on 2023-10-04. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.4 ========================= This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0". * sshd(8): allow override of Subsystem directives in sshd Match blocks. Bugfixes -------- * scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611 * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files. * ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty. * sshd(8): make PerSourceMaxStartups first-match-wins * sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism.cw bz3602 * sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal(). * sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured. * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Portability ----------- * Avoid clang zero-call-used-regs=all bug on Apple compilers, which for some reason have version numbers that do not match the upstream clang version numbers. bz#3584 * Fix configure test for zlib 1.3 and later/development versions. bz3604 Checksums: ========== - SHA1 (openssh-9.5.tar.gz) = 8a0bd3a91fac338d97d91817af58df731f6509a3 - SHA256 (openssh-9.5.tar.gz) = sVMxeM3d6g65qBMktJIofxmK4Ipg9dblKif0VnhPeO0= - SHA1 (openssh-9.5p1.tar.gz) = 35c16dcc6e7d0a9465faa241476ef24f76b196cc - SHA256 (openssh-9.5p1.tar.gz) = 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH 9.4/9.4p1 (2023-08-10) OpenSSH 9.4 was released on 2023-08-10. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.3p2 =========================== This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are already deprecated by their upstream vendors. * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. New features ------------ * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D which expands to the routing domain of the connected session and %C which expands to the addresses and port numbers for the source and destination of the connection. * ssh-keygen(1): increase the default work factor (rounds) for the bcrypt KDF used to derive symmetric encryption keys for passphrase protected key files by 50%. Bugfixes -------- * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh(1): make -f (fork after authentication) work correctly with multiplexed connections, including ControlPersist. bz3589 bz3589 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears before it in sshd_config. Since OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was incorrectly ignored in this situation. bz3574 * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. This release removes the partially-implemented code to verify KRLs. All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in KRL files. * All: fix a number of memory leaks and unreachable/harmless integer overflows. * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 modules; GHPR406 * sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. bz3577 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature algorithms that are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms. * ssh-keyscan(1): gracefully handle systems where rlimits or the maximum number of open files is larger than INT_MAX; bz3581 * ssh-keygen(1): fix "no comment" not showing on when running `ssh-keygen -l` on multiple keys where one has a comment and other following keys do not. bz3580 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that reorder requests. Previously, if the server reordered requests then the resultant file would be erroneously truncated. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 * scp(1): when copying local->remote, check that the source file exists before opening an SFTP connection to the server. Based on GHPR#370 Portability ----------- * All: a number of build fixes for various platforms and configuration combinations. * sshd(8): provide a replacement for the SELinux matchpathcon() function, which is deprecated. * All: relax libcrypto version checks for OpenSSL >=3. Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only the library major must match instead of major and minor in earlier versions). bz#3548. * Tests: fix build problems for the sk-dummy.so FIDO provider module used in some tests. Checksums: ========== - SHA1 (openssh-9.4.tar.gz) = d88126d8d7b8e5bf4656587ac4a16055560641cc - SHA256 (openssh-9.4.tar.gz) = 7eqFjx2hAunw+1Jy7f1JQXq//3AMr9B3dKtASDtq8go= - SHA1 (openssh-9.4p1.tar.gz) = 5dea1f3c88f9cfe53a711a3c893ee8b7d3ffecff - SHA256 (openssh-9.4p1.tar.gz) = Ngj9kIjbIWPOs+YAyFq3nQ3j0iHlkZLqGSPiMmOGaoU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2023-10-25 23:14:30 +03:00
if (elapsed > MAX_FAIL_DELAY_SECONDS) {
debug3_f("elapsed %0.3lfms exceeded the max delay "
"requested %0.3lfms)", elapsed*1000, req*1000);
return;
}
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
/* if we've already passed the requested time, scale up */
while ((remain = seconds - elapsed) < 0.0)
seconds *= 2;
ts.tv_sec = remain;
ts.tv_nsec = (remain - ts.tv_sec) * 1000000000;
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("elapsed %0.3lfms, delaying %0.3lfms (requested %0.3lfms)",
elapsed*1000, remain*1000, req*1000);
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
nanosleep(&ts, NULL);
}
Changes since OpenSSH 6.7 ========================= This is a major release, containing a number of new features as well as a large internal re-factoring. Potentially-incompatible changes -------------------------------- * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses. New Features ------------ * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different. * ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default off). * ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication. * ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths. * ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases. * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support. * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication. * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption. * sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys. * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. * sshd(8): Don't count partial authentication success as a failure against MaxAuthTries. * ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys. * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA. * ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. * ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T". * ssh(1): Allow Match criteria to be negated. E.g. "Match !host". * The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange. Bugfixes * ssh-keyscan(1): ssh-keyscan has been made much more robust again servers that hang or violate the SSH protocol. * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields. * ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286 * ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267 * ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324; * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345. * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. * Various fixes to manual pages: bz#2288, bz#2316, bz#2273 Portable OpenSSH * Support --without-openssl at configure time Disables and removes dependency on OpenSSL. Many features, including SSH protocol 1 are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom. Considered highly experimental for now. * Support --without-ssh1 option at configure time Allows disabling support for SSH protocol 1. * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296 * Allow custom service name for sshd on Cygwin. Permits the use of multiple sshd running with different service names. Checksums: ========== - SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37 - SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw= - SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92 - SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4= Please note that the PGP key used to sign releases was recently rotated. The new key has been signed by the old key to provide continuity. It is available from the mirror sites as RELEASE_KEY.asc. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2015-04-04 02:49:21 +03:00
static int
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
Authctxt *authctxt = ssh->authctxt;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
Authmethod *m = NULL;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int r, authenticated = 0;
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
double tstart = monotime_double();
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshpkt_get_cstring(ssh, &user, NULL)) != 0 ||
(r = sshpkt_get_cstring(ssh, &service, NULL)) != 0 ||
(r = sshpkt_get_cstring(ssh, &method, NULL)) != 0)
goto out;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
if (authctxt->attempt >= 1024)
auth_maxtries_exceeded(ssh);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (authctxt->attempt++ == 0) {
/* setup auth context */
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug2_f("setting up authctxt for %s", user);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
} else {
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
authctxt->valid = 0;
OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Future deprecation notice ========================= We plan on retiring more legacy cryptography in future releases, specifically: * In the next major release (expected June-August), removing remaining support for the SSH v.1 protocol (currently client-only and compile- time disabled). * In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled). * In the same release, removing the remaining CBC ciphers from being offered by default in the client (These have not been offered in sshd by default for several years). * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs).
2017-04-18 21:39:17 +03:00
/* Invalid user, fake password information */
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
authctxt->pw = fakepw();
}
OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Future deprecation notice ========================= We plan on retiring more legacy cryptography in future releases, specifically: * In the next major release (expected June-August), removing remaining support for the SSH v.1 protocol (currently client-only and compile- time disabled). * In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled). * In the same release, removing the remaining CBC ciphers from being offered by default in the client (These have not been offered in sshd by default for several years). * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs).
2017-04-18 21:39:17 +03:00
ssh_packet_set_log_preamble(ssh, "%suser %s",
authctxt->valid ? "authenticating " : "invalid ", user);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
if (use_privsep)
mm_inform_authserv(service, style);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
userauth_banner(ssh);
Import OpenSSH 9.6/9.6p1 (2023-12-18) Last was 9.5 Changes since OpenSSH 9.5 ========================= This release contains a number of security fixes, some small features and bugfixes. Security ======== This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. * ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source distribition. * ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. * ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources. Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files. Potentially incompatible changes -------------------------------- * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. New features ------------ * ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610 * ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. * ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. * ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. Bugfixes -------- * ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531 * ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326 * sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message. * A number of fixes to the PuTTY and Dropbear regress/integration tests. * ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982 * ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080 * scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. * ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. Portability ----------- * Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases. * A number of fixes to regression test reliability and log collection. * Update the OpenSSL dependency in the RPM specification. * sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833
2023-12-20 20:11:24 +03:00
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
from openbsd
2013-03-29 18:52:38 +04:00
if (auth2_setup_methods_lists(authctxt) != 0)
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
ssh_packet_disconnect(ssh,
"no authentication methods enabled");
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
ssh_packet_disconnect(ssh, "Change of username or service "
"not allowed: (%s,%s) -> (%s,%s)",
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
authctxt->user, authctxt->service, user, service);
}
/* reset state */
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
auth2_challenge_stop(ssh);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#ifdef GSSAPI
/* XXX move to auth2_gssapi_stop() */
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
#endif
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
auth2_authctxt_reset_info(authctxt);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
authctxt->postponed = 0;
new openssh: See http://www.openssh.com/txt/release-5.9
2011-09-07 00:16:49 +04:00
authctxt->server_caused_failure = 0;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* try to authenticate user */
from openbsd
2013-03-29 18:52:38 +04:00
m = authmethod_lookup(authctxt, method);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (m != NULL && authctxt->failures < options.max_authtries) {
debug2("input_userauth_request: try method %s", method);
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
authenticated = m->userauth(ssh, method);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
Import OpenSSH 9.5 (Last was OpenSSH 9.3) OpenSSH 9.5/9.5p1 (2023-10-04) OpenSSH 9.5 was released on 2023-10-04. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.4 ========================= This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0". * sshd(8): allow override of Subsystem directives in sshd Match blocks. Bugfixes -------- * scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611 * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files. * ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty. * sshd(8): make PerSourceMaxStartups first-match-wins * sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism.cw bz3602 * sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal(). * sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured. * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. Portability ----------- * Avoid clang zero-call-used-regs=all bug on Apple compilers, which for some reason have version numbers that do not match the upstream clang version numbers. bz#3584 * Fix configure test for zlib 1.3 and later/development versions. bz3604 Checksums: ========== - SHA1 (openssh-9.5.tar.gz) = 8a0bd3a91fac338d97d91817af58df731f6509a3 - SHA256 (openssh-9.5.tar.gz) = sVMxeM3d6g65qBMktJIofxmK4Ipg9dblKif0VnhPeO0= - SHA1 (openssh-9.5p1.tar.gz) = 35c16dcc6e7d0a9465faa241476ef24f76b196cc - SHA256 (openssh-9.5p1.tar.gz) = 8Cbnt5un+1QPdRgq+W3IqPHbOV+SK7yfbKYDZyaGCGs= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH 9.4/9.4p1 (2023-08-10) OpenSSH 9.4 was released on 2023-08-10. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Changes since OpenSSH 9.3p2 =========================== This release fixes a number of bugs and adds some small features. Potentially incompatible changes -------------------------------- * This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are already deprecated by their upstream vendors. * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. New features ------------ * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D which expands to the routing domain of the connected session and %C which expands to the addresses and port numbers for the source and destination of the connection. * ssh-keygen(1): increase the default work factor (rounds) for the bcrypt KDF used to derive symmetric encryption keys for passphrase protected key files by 50%. Bugfixes -------- * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh(1): make -f (fork after authentication) work correctly with multiplexed connections, including ControlPersist. bz3589 bz3589 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears before it in sshd_config. Since OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was incorrectly ignored in this situation. bz3574 * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. This release removes the partially-implemented code to verify KRLs. All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in KRL files. * All: fix a number of memory leaks and unreachable/harmless integer overflows. * ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 modules; GHPR406 * sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. bz3577 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature algorithms that are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms. * ssh-keyscan(1): gracefully handle systems where rlimits or the maximum number of open files is larger than INT_MAX; bz3581 * ssh-keygen(1): fix "no comment" not showing on when running `ssh-keygen -l` on multiple keys where one has a comment and other following keys do not. bz3580 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that reorder requests. Previously, if the server reordered requests then the resultant file would be erroneously truncated. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 * scp(1): when copying local->remote, check that the source file exists before opening an SFTP connection to the server. Based on GHPR#370 Portability ----------- * All: a number of build fixes for various platforms and configuration combinations. * sshd(8): provide a replacement for the SELinux matchpathcon() function, which is deprecated. * All: relax libcrypto version checks for OpenSSL >=3. Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only the library major must match instead of major and minor in earlier versions). bz#3548. * Tests: fix build problems for the sk-dummy.so FIDO provider module used in some tests. Checksums: ========== - SHA1 (openssh-9.4.tar.gz) = d88126d8d7b8e5bf4656587ac4a16055560641cc - SHA256 (openssh-9.4.tar.gz) = 7eqFjx2hAunw+1Jy7f1JQXq//3AMr9B3dKtASDtq8go= - SHA1 (openssh-9.4p1.tar.gz) = 5dea1f3c88f9cfe53a711a3c893ee8b7d3ffecff - SHA256 (openssh-9.4p1.tar.gz) = Ngj9kIjbIWPOs+YAyFq3nQ3j0iHlkZLqGSPiMmOGaoU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2023-10-25 23:14:30 +03:00
if (!authctxt->authenticated && strcmp(method, "none") != 0)
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
ensure_minimum_time_since(tstart,
user_specific_delay(authctxt->user));
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
userauth_finish(ssh, authenticated, method, NULL);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
r = 0;
out:
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
free(service);
free(user);
free(method);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
return r;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
void
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
userauth_finish(struct ssh *ssh, int authenticated, const char *packet_method,
from openbsd
2013-03-29 18:52:38 +04:00
const char *submethod)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
Authctxt *authctxt = ssh->authctxt;
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
Authmethod *m = NULL;
const char *method = packet_method;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
char *methods;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
int r, partial = 0;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
if (authenticated) {
if (!authctxt->valid) {
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
}
if (authctxt->postponed)
fatal("INTERNAL ERROR: authenticated and postponed");
/* prefer primary authmethod name to possible synonym */
if ((m = authmethod_byname(method)) == NULL)
fatal("INTERNAL ERROR: bad method %s", method);
method = m->name;
}
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
OpenSSH 7.7 was released on 2018-04-02. It is available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations. Changes since OpenSSH 7.6 ========================= This is primarily a bugfix release. New Features ------------ * All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default. * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux). * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present. * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present. * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. * ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress) * ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface. * sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server. * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm. * ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither). * sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760 * sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria. Bugfixes -------- * ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1. * sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message. * sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664 * ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shown. bz#2814 * ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821 * regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823 * ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent. * scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.) * ssh-keygen(1): Refuse to create a certificate with an unusable number of principals. * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline. * ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803 * sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps. * Numerous manual page fixes and improvements. Portability ----------- * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes sandbox violations on some environments. * sshd(8): Remove UNICOS support. The hardware and software are literal museum pieces and support in sshd is too intrusive to justify maintaining. * All: Build and link with "retpoline" flags when available to mitigate the "branch target injection" style (variant 2) of the Spectre branch-prediction vulnerability. * All: Add auto-generated dependency information to Makefile. * Numerous fixed to the RPM spec files. Checksums: ========== - SHA1 (openssh-7.7.tar.gz) = 24812e05fa233014c847c7775748316e7f8a836c - SHA256 (openssh-7.7.tar.gz) = T4ua1L/vgAYqwB0muRahvnm5ZUr3PLY9nPljaG8egvo= - SHA1 (openssh-7.7p1.tar.gz) = 446fe9ed171f289f0d62197dffdbfdaaf21c49f2 - SHA256 (openssh-7.7p1.tar.gz) = 1zvn5oTpnvzQJL4Vowv/y+QbASsvezyQhK7WIXdea48= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2018-04-06 21:56:05 +03:00
!auth_root_allowed(ssh, method))
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
authenticated = 0;
from openbsd
2013-03-29 18:52:38 +04:00
if (authenticated && options.num_auth_methods != 0) {
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
if (!auth2_update_methods_lists(authctxt, method, submethod)) {
from openbsd
2013-03-29 18:52:38 +04:00
authenticated = 0;
partial = 1;
}
}
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* Log before sending the reply */
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
auth_log(ssh, authenticated, partial, method, submethod);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
/* Update information exposed to session */
if (authenticated || partial)
auth2_update_session_info(authctxt, method, submethod);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
if (authctxt->postponed)
return;
if (authenticated == 1) {
/* turn off userauth */
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_REQUEST,
&dispatch_protocol_ignore);
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_SUCCESS)) != 0 ||
(r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "send success packet");
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
/* now we can break out */
authctxt->success = 1;
OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Future deprecation notice ========================= We plan on retiring more legacy cryptography in future releases, specifically: * In the next major release (expected June-August), removing remaining support for the SSH v.1 protocol (currently client-only and compile- time disabled). * In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled). * In the same release, removing the remaining CBC ciphers from being offered by default in the client (These have not been offered in sshd by default for several years). * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs).
2017-04-18 21:39:17 +03:00
ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
} else {
/* Allow initial try of "none" auth without failure penalty */
Changes since OpenSSH 6.7 ========================= This is a major release, containing a number of new features as well as a large internal re-factoring. Potentially-incompatible changes -------------------------------- * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses. New Features ------------ * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different. * ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default off). * ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication. * ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths. * ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases. * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support. * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication. * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption. * sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys. * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. * sshd(8): Don't count partial authentication success as a failure against MaxAuthTries. * ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys. * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA. * ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. * ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T". * ssh(1): Allow Match criteria to be negated. E.g. "Match !host". * The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange. Bugfixes * ssh-keyscan(1): ssh-keyscan has been made much more robust again servers that hang or violate the SSH protocol. * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields. * ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286 * ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267 * ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324; * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345. * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use. * Various fixes to manual pages: bz#2288, bz#2316, bz#2273 Portable OpenSSH * Support --without-openssl at configure time Disables and removes dependency on OpenSSL. Many features, including SSH protocol 1 are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom. Considered highly experimental for now. * Support --without-ssh1 option at configure time Allows disabling support for SSH protocol 1. * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296 * Allow custom service name for sshd on Cygwin. Permits the use of multiple sshd running with different service names. Checksums: ========== - SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37 - SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw= - SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92 - SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4= Please note that the PGP key used to sign releases was recently rotated. The new key has been signed by the old key to provide continuity. It is available from the mirror sites as RELEASE_KEY.asc. Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2015-04-04 02:49:21 +03:00
if (!partial && !authctxt->server_caused_failure &&
new openssh: See http://www.openssh.com/txt/release-5.9
2011-09-07 00:16:49 +04:00
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
authctxt->failures++;
if (authctxt->failures >= options.max_authtries)
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
auth_maxtries_exceeded(ssh);
from openbsd
2013-03-29 18:52:38 +04:00
methods = authmethods_get(authctxt);
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("failure partial=%d next methods=\"%s\"",
from openbsd
2013-03-29 18:52:38 +04:00
partial, methods);
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_FAILURE)) != 0 ||
(r = sshpkt_put_cstring(ssh, methods)) != 0 ||
(r = sshpkt_put_u8(ssh, partial)) != 0 ||
(r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "send failure packet");
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
free(methods);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
}
from openbsd
2013-03-29 18:52:38 +04:00
/*
* Checks whether method is allowed by at least one AuthenticationMethods
* methods list. Returns 1 if allowed, or no methods lists configured.
* 0 otherwise.
*/
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
int
auth2_method_allowed(Authctxt *authctxt, const char *method,
const char *submethod)
from openbsd
2013-03-29 18:52:38 +04:00
{
u_int i;
/*
* NB. authctxt->num_auth_methods might be zero as a result of
* auth2_setup_methods_lists(), so check the configuration.
*/
if (options.num_auth_methods == 0)
return 1;
for (i = 0; i < authctxt->num_auth_methods; i++) {
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
if (list_starts_with(authctxt->auth_methods[i], method,
submethod) != MATCH_NONE)
from openbsd
2013-03-29 18:52:38 +04:00
return 1;
}
return 0;
}
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
static char *
from openbsd
2013-03-29 18:52:38 +04:00
authmethods_get(Authctxt *authctxt)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
struct sshbuf *b;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
char *list;
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
int i, r;
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
if ((b = sshbuf_new()) == NULL)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("sshbuf_new failed");
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
continue;
from openbsd
2013-03-29 18:52:38 +04:00
if (authmethods[i]->enabled == NULL ||
*(authmethods[i]->enabled) == 0)
continue;
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
if (!auth2_method_allowed(authctxt, authmethods[i]->name,
NULL))
from openbsd
2013-03-29 18:52:38 +04:00
continue;
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "",
authmethods[i]->name)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "buffer error");
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
}
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
if ((list = sshbuf_dup_string(b)) == NULL)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("sshbuf_dup_string failed");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
2018-08-26 10:39:56 +03:00
sshbuf_free(b);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
return list;
}
static Authmethod *
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
authmethod_byname(const char *name)
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
{
int i;
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
if (name == NULL)
fatal_f("NULL authentication method name");
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(name, authmethods[i]->name) == 0 ||
(authmethods[i]->synonym != NULL &&
strcmp(name, authmethods[i]->synonym) == 0))
return authmethods[i];
}
debug_f("unrecognized authentication method name: %s", name);
import 5.2 from ftp.openbsd.org
2009-06-08 02:19:00 +04:00
return NULL;
}
Import OpenSSH 8.9. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. Security Near Miss ================== * sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since openssh-3.2.2 (released in 2002) and has been mandatory since openssh-7.5 (released in 2017). Moreover, portable OpenSSH has used toolchain features available in most modern compilers to abort on signed integer overflow since openssh-6.5 (released in 2014). Thanks to Malcolm Stagg for finding and reporting this bug. Potentially-incompatible changes ================================ * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. * This release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. Changes since OpenSSH 8.8 ========================= This release includes a number of new features. New features ------------ * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. * ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). * ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement. * ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. * ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. Bugfixes -------- * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277. * sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes * ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360 * scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. * ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375 * ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available. * ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. * ssh-keygen(1): make sshsig verify-time argument parsing optional * sshd(8): fix truncation in rhosts/shosts path construction. * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364 * ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. * ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line * ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372 * scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. * scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. * sshd(8): fix potential race in SIGTERM handling PR#289 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files Portability ----------- * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349, * OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005. * Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation. * Cygwin: correct checking of mbstowcs() return value. * Add a basic SECURITY.md that refers people to the openssh.com website. * Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init. * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.
2022-02-23 22:04:25 +03:00
static Authmethod *
authmethod_lookup(Authctxt *authctxt, const char *name)
{
Authmethod *method;
if ((method = authmethod_byname(name)) == NULL)
return NULL;
if (method->enabled == NULL || *(method->enabled) == 0) {
debug3_f("method %s not enabled", name);
return NULL;
}
if (!auth2_method_allowed(authctxt, method->name, NULL)) {
debug3_f("method %s not allowed "
"by AuthenticationMethods", name);
return NULL;
}
return method;
}
from openbsd
2013-03-29 18:52:38 +04:00
/*
* Check a comma-separated list of methods for validity. Is need_enable is
* non-zero, then also require that the methods are enabled.
* Returns 0 on success or -1 if the methods list is invalid.
*/
int
auth2_methods_valid(const char *_methods, int need_enable)
{
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
char *methods, *omethods, *method, *p;
from openbsd
2013-03-29 18:52:38 +04:00
u_int i, found;
int ret = -1;
if (*_methods == '\0') {
error("empty authentication method list");
return -1;
}
omethods = methods = xstrdup(_methods);
while ((method = strsep(&methods, ",")) != NULL) {
for (found = i = 0; !found && authmethods[i] != NULL; i++) {
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
if ((p = strchr(method, ':')) != NULL)
*p = '\0';
from openbsd
2013-03-29 18:52:38 +04:00
if (strcmp(method, authmethods[i]->name) != 0)
continue;
if (need_enable) {
if (authmethods[i]->enabled == NULL ||
*(authmethods[i]->enabled) == 0) {
error("Disabled method \"%s\" in "
"AuthenticationMethods list \"%s\"",
method, _methods);
goto out;
}
}
found = 1;
break;
}
if (!found) {
error("Unknown authentication method \"%s\" in list",
method);
goto out;
}
}
ret = 0;
out:
free(omethods);
return ret;
}
/*
* Prune the AuthenticationMethods supplied in the configuration, removing
* any methods lists that include disabled methods. Note that this might
* leave authctxt->num_auth_methods == 0, even when multiple required auth
* has been requested. For this reason, all tests for whether multiple is
* enabled should consult options.num_auth_methods directly.
*/
int
auth2_setup_methods_lists(Authctxt *authctxt)
{
u_int i;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
/* First, normalise away the "any" pseudo-method */
if (options.num_auth_methods == 1 &&
strcmp(options.auth_methods[0], "any") == 0) {
free(options.auth_methods[0]);
options.auth_methods[0] = NULL;
options.num_auth_methods = 0;
}
from openbsd
2013-03-29 18:52:38 +04:00
if (options.num_auth_methods == 0)
return 0;
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("checking methods");
from openbsd
2013-03-29 18:52:38 +04:00
authctxt->auth_methods = xcalloc(options.num_auth_methods,
sizeof(*authctxt->auth_methods));
authctxt->num_auth_methods = 0;
for (i = 0; i < options.num_auth_methods; i++) {
if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
logit("Authentication methods list \"%s\" contains "
"disabled method, skipping",
options.auth_methods[i]);
continue;
}
debug("authentication methods list %d: %s",
authctxt->num_auth_methods, options.auth_methods[i]);
authctxt->auth_methods[authctxt->num_auth_methods++] =
xstrdup(options.auth_methods[i]);
}
if (authctxt->num_auth_methods == 0) {
error("No AuthenticationMethods left after eliminating "
"disabled methods");
return -1;
}
return 0;
}
static int
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
list_starts_with(const char *methods, const char *method,
const char *submethod)
from openbsd
2013-03-29 18:52:38 +04:00
{
size_t l = strlen(method);
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
int match;
const char *p;
from openbsd
2013-03-29 18:52:38 +04:00
if (strncmp(methods, method, l) != 0)
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
return MATCH_NONE;
p = methods + l;
match = MATCH_METHOD;
if (*p == ':') {
if (!submethod)
return MATCH_PARTIAL;
l = strlen(submethod);
p += 1;
if (strncmp(submethod, p, l))
return MATCH_NONE;
p += l;
match = MATCH_BOTH;
}
if (*p != ',' && *p != '\0')
return MATCH_NONE;
return match;
from openbsd
2013-03-29 18:52:38 +04:00
}
/*
* Remove method from the start of a comma-separated list of methods.
* Returns 0 if the list of methods did not start with that method or 1
* if it did.
*/
static int
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
remove_method(char **methods, const char *method, const char *submethod)
from openbsd
2013-03-29 18:52:38 +04:00
{
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
char *omethods = *methods, *p;
from openbsd
2013-03-29 18:52:38 +04:00
size_t l = strlen(method);
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
int match;
from openbsd
2013-03-29 18:52:38 +04:00
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
match = list_starts_with(omethods, method, submethod);
if (match != MATCH_METHOD && match != MATCH_BOTH)
from openbsd
2013-03-29 18:52:38 +04:00
return 0;
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
p = omethods + l;
if (submethod && match == MATCH_BOTH)
p += 1 + strlen(submethod); /* include colon */
if (*p == ',')
p++;
*methods = xstrdup(p);
from openbsd
2013-03-29 18:52:38 +04:00
free(omethods);
return 1;
}
/*
* Called after successful authentication. Will remove the successful method
* from the start of each list in which it occurs. If it was the last method
* in any list, then authentication is deemed successful.
* Returns 1 if the method completed any authentication list or 0 otherwise.
*/
int
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
auth2_update_methods_lists(Authctxt *authctxt, const char *method,
const char *submethod)
from openbsd
2013-03-29 18:52:38 +04:00
{
u_int i, found = 0;
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("updating methods list after \"%s\"", method);
from openbsd
2013-03-29 18:52:38 +04:00
for (i = 0; i < authctxt->num_auth_methods; i++) {
Import new openssh to address Changes since OpenSSH 6.3 ========================= This release fixes a security bug: * sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv Checksums: ========== - SHA1 (openssh-6.4.tar.gz) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c - SHA1 (openssh-6.4p1.tar.gz) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
2013-11-08 21:58:08 +04:00
if (!remove_method(&(authctxt->auth_methods[i]), method,
submethod))
from openbsd
2013-03-29 18:52:38 +04:00
continue;
found = 1;
if (*authctxt->auth_methods[i] == '\0') {
debug2("authentication methods list %d complete", i);
return 1;
}
debug3("authentication methods list %d remaining: \"%s\"",
i, authctxt->auth_methods[i]);
}
/* This should not happen, but would be bad if it did */
if (!found)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("method not in AuthenticationMethods");
from openbsd
2013-03-29 18:52:38 +04:00
return 0;
}
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
/* Reset method-specific information */
void auth2_authctxt_reset_info(Authctxt *authctxt)
{
sshkey_free(authctxt->auth_method_key);
free(authctxt->auth_method_info);
authctxt->auth_method_key = NULL;
authctxt->auth_method_info = NULL;
}
/* Record auth method-specific information for logs */
void
auth2_record_info(Authctxt *authctxt, const char *fmt, ...)
{
va_list ap;
Import OpenSSH-8.6: Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. OpenSSH recently enabled the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this option was enabled with a set of patterns that activated logging in code that runs in the low-privilege sandboxed sshd process, the log messages were constructed in such a way that printf(3) format strings could effectively be specified the low-privilege code. An attacker who had sucessfully exploited the low-privilege process could use this to escape OpenSSH's sandboxing and attack the high-privilege process. Exploitation of this weakness is highly unlikely in practice as the LogVerbose option is not enabled by default and is typically only used for debugging. No vulnerabilities in the low-privilege process are currently known to exist. Thanks to Ilja Van Sprundel for reporting this bug. Changes since OpenSSH 8.5 ========================= This release contains mostly bug fixes. New features ------------ * sftp-server(8): add a new limits@openssh.com protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length. * sftp(1): use the new limits@openssh.com extension (when available) to select better transfer lengths in the client. * sshd(8): Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test. Bugfixes -------- * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in manual pages with the current default. GHPR#174 * ssh(1): ensure that pkcs11_del_provider() is called before exit. GHPR#234 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR#223 * ssh(1): return non-zero exit status when killed by signal; bz#3281 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. Portability ----------- * sshd(8): don't mistakenly exit on transient read errors on the network socket (e.g. EINTR, EAGAIN); bz3297 * Create a dedicated contrib/gnome-ssk-askpass3.c source instead of building it from the same file as used for GNOME2. Use the GNOME3 gdk_seat_grab() to manage keyboard/mouse/server grabs for better compatibility with Wayland. * Fix portability build errors bz3293 bz3292 bz3291 bz3278 * sshd(8): soft-disallow the fstatat64 syscall in the Linux seccomp-bpf sandbox. bz3276 * unit tests: enable autoopt and misc unit tests that were previously skipped
2021-04-19 17:38:27 +03:00
int i;
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
free(authctxt->auth_method_info);
authctxt->auth_method_info = NULL;
va_start(ap, fmt);
i = vasprintf(&authctxt->auth_method_info, fmt, ap);
va_end(ap);
OpenSSH 8.1 was released on 2019-10-09. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Security ======== * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program. * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ...").
2019-10-12 18:13:53 +03:00
if (i == -1)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("vasprintf failed");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
}
/*
* Records a public key used in authentication. This is used for logging
* and to ensure that the same key is not subsequently accepted again for
* multiple authentication.
*/
void
auth2_record_key(Authctxt *authctxt, int authenticated,
const struct sshkey *key)
{
struct sshkey **tmp, *dup;
int r;
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshkey_from_private(key, &dup)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "copy key");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
sshkey_free(authctxt->auth_method_key);
authctxt->auth_method_key = dup;
if (!authenticated)
return;
/* If authenticated, make sure we don't accept this key again */
Import 8.0: Security ======== This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead. Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * scp(1): Relating to the above changes to scp(1); the scp protocol relies on the remote shell for wildcard expansion, so there is no infallible way for the client's wildcard matching to perfectly reflect the server's. If there is a difference between client and server wildcard expansion, the client may refuse files from the server. For this reason, we have provided a new "-T" flag to scp that disables these client-side checks at the risk of reintroducing the attack described above. * sshd(8): Remove support for obsolete "host/port" syntax. Slash- separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are establised standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen; bz#2335 Changes since OpenSSH 7.9 ========================= This release is focused on new features and internal refactoring. New Features ------------ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. * ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519. * ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. * ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 * sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960 * ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. * ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. * ssh-add(1): Add a "-T" option to allowing testing whether keys in an agent are usable by performing a signature and a verification. * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741 * sshd(8): Add a ssh_config "Match final" predicate Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926 * ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert. Bugfixes -------- * sshd(8): Fix authentication failures when sshd_config contains "AuthenticationMethods any" inside a Match block that overrides a more restrictive default. * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled. * sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd's attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path. * ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use. * sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives - connection attempts after the first were ignoring the requested timeout; bz#2918 * ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903 * scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434 * sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757 * ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652 * ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts. * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys, not private. * ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n. * Various: fix a number of memory leaks, including bz#2942 and bz#2938 * scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927 * sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn't be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 * sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output. * ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746 * ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use. Portability ----------- * sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for token creation if it supports MsV1_0 S4U Logon. * sshd(8): On Cygwin, use custom user/group matching code that respects the OS' behaviour of case-insensitive matching. * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the user environment if it's enabled; bz#2937 * sshd(8) Cygwin: Change service name to cygsshd to avoid collision with Microsoft's OpenSSH port. * Allow building against OpenSSL -dev (3.x) * Fix a number of build problems against version configurations and versions of OpenSSL. Including bz#2931 and bz#2921 * Improve warnings in cygwin service setup. bz#2922 * Remove hardcoded service name in cygwin setup. bz#2922
2019-04-20 20:13:53 +03:00
if ((r = sshkey_from_private(key, &dup)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "copy key");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
if (authctxt->nprev_keys >= INT_MAX ||
(tmp = recallocarray(authctxt->prev_keys, authctxt->nprev_keys,
authctxt->nprev_keys + 1, sizeof(*authctxt->prev_keys))) == NULL)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("reallocarray failed");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
authctxt->prev_keys = tmp;
authctxt->prev_keys[authctxt->nprev_keys] = dup;
authctxt->nprev_keys++;
}
/* Checks whether a key has already been previously used for authentication */
int
auth2_key_already_used(Authctxt *authctxt, const struct sshkey *key)
{
u_int i;
char *fp;
for (i = 0; i < authctxt->nprev_keys; i++) {
if (sshkey_equal_public(key, authctxt->prev_keys[i])) {
fp = sshkey_fingerprint(authctxt->prev_keys[i],
options.fingerprint_hash, SSH_FP_DEFAULT);
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
debug3_f("key already used: %s %s",
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
sshkey_type(authctxt->prev_keys[i]),
fp == NULL ? "UNKNOWN" : fp);
free(fp);
return 1;
}
}
return 0;
}
/*
* Updates authctxt->session_info with details of authentication. Should be
* whenever an authentication method succeeds.
*/
void
auth2_update_session_info(Authctxt *authctxt, const char *method,
const char *submethod)
{
int r;
if (authctxt->session_info == NULL) {
if ((authctxt->session_info = sshbuf_new()) == NULL)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("sshbuf_new");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
}
/* Append method[/submethod] */
if ((r = sshbuf_putf(authctxt->session_info, "%s%s%s",
method, submethod == NULL ? "" : "/",
submethod == NULL ? "" : submethod)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "append method");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
/* Append key if present */
if (authctxt->auth_method_key != NULL) {
if ((r = sshbuf_put_u8(authctxt->session_info, ' ')) != 0 ||
(r = sshkey_format_text(authctxt->auth_method_key,
authctxt->session_info)) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "append key");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
}
if (authctxt->auth_method_info != NULL) {
/* Ensure no ambiguity here */
if (strchr(authctxt->auth_method_info, '\n') != NULL)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_f("auth_method_info contains \\n");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
if ((r = sshbuf_put_u8(authctxt->session_info, ' ')) != 0 ||
(r = sshbuf_putf(authctxt->session_info, "%s",
authctxt->auth_method_info)) != 0) {
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "append method info");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
}
}
if ((r = sshbuf_put_u8(authctxt->session_info, '\n')) != 0)
OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com
2021-03-05 20:45:24 +03:00
fatal_fr(r, "append");
Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1): delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): do not offer CBC ciphers by default. Changes since OpenSSH 7.5 ========================= This is primarily a bugfix release. It also contains substantial internal refactoring. Security -------- * sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features ------------ * ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. * sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. * ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. * sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717 * ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. * ssh-add(1): added -q option to make ssh-add quiet on success. * ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705 Bugfixes -------- * ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728 * sftp(1): implement sorting for globbed ls; bz#2649 * ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720 * ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. * ssh(1)/sshd(8): repair compression statistics printed at connection exit * sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710 * ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707 * ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709 * Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699 * sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748 * ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734 * sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704 * sshd_config(8): document available AuthenticationMethods; bz#2453 * ssh(1): avoid truncation in some login prompts; bz#2768 * sshd(8): Fix various compilations failures, inc bz#2767 * ssh(1): make "--" before the hostname terminate argument processing after the hostname too. * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754 * ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737 * sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750 * sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756 * sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. * Make integrity.sh regression tests more robust against timeouts. bz#2658 * ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. Portability ----------- * sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723 * sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735 * Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation. * sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall. * Fix use of ldns when using ldns-config; bz#2697 * configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail. * Add clang libFuzzer harnesses for public key parsing and signature verification.
2017-10-07 22:36:11 +03:00
}
from openbsd
2013-03-29 18:52:38 +04:00