History log of /openbsd-current/usr.bin/ssh/auth.c
Revision Date Author Comments
# 1.161 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.160 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.159 09-Dec-2022 dtucker

Add some server debugging for hostbased auth.

auth_debug_add queues messages about the auth process which are sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.158 03-Jun-2022 djm

move auth_openprincipals() and auth_openkeyfile() over to
auth2-pubkeyfile.c too; they make more sense there.


# 1.157 27-May-2022 djm

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@


# 1.156 27-May-2022 djm

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@


# 1.155 26-Apr-2022 dtucker

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while I was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal



# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
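The load-time check this commit describes, as an added example that is not OpenSSH's own code: a hypothetical cidr_parse()/cidr_match() pair that refuses a prefix length outside 0..32 (IPv4) or 0..128 (IPv6) when the pattern is parsed, so an entry such as djm@127.1.2.3/55 is rejected when the configuration is loaded rather than matching every address. The function names, the user_cidr_pattern_ok() helper and its "user@address/prefixlen" syntax are assumptions for illustration; sshd's real matcher is not reproduced here.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Added example (not OpenSSH code): parse "address/prefixlen" into a
 * binary network address, address family and prefix length. Returns 0
 * on success and -1 for anything malformed, including a prefix length
 * that is out of range for the family (e.g. /55 on an IPv4 address).
 */
int
cidr_parse(const char *cidr, unsigned char net[16], int *af, int *bits)
{
	char buf[64], *slash, *end;
	int maxbits;
	long l;

	if (strlen(cidr) >= sizeof(buf))
		return -1;
	strcpy(buf, cidr);
	if ((slash = strchr(buf, '/')) == NULL)
		return -1;
	*slash++ = '\0';
	if (inet_pton(AF_INET, buf, net) == 1) {
		*af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, net) == 1) {
		*af = AF_INET6;
		maxbits = 128;
	} else
		return -1;
	/* Prefix length must be a plain decimal number within 0..maxbits. */
	if (*slash < '0' || *slash > '9')
		return -1;
	l = strtol(slash, &end, 10);
	if (*end != '\0' || l > maxbits)
		return -1;
	*bits = (int)l;
	return 0;
}

/*
 * Returns 1 if addr lies inside cidr, 0 if it does not (or is of a
 * different address family), -1 if cidr itself is invalid. Treating -1
 * as "match" is exactly the behaviour the commit above fixed, which is
 * why the pattern is validated separately at load time.
 */
int
cidr_match(const char *cidr, const char *addr)
{
	unsigned char net[16], host[16], mask;
	int af, bits, i;

	if (cidr_parse(cidr, net, &af, &bits) == -1)
		return -1;
	if (inet_pton(af, addr, host) != 1)
		return 0;
	/* Compare whole prefix bytes, then the leftover high bits. */
	for (i = 0; i < bits / 8; i++)
		if (net[i] != host[i])
			return 0;
	if (bits % 8 != 0) {
		mask = (unsigned char)(0xffu << (8 - bits % 8));
		if ((net[i] & mask) != (host[i] & mask))
			return 0;
	}
	return 1;
}

/*
 * Hypothetical load-time check for a "user@address/prefixlen" entry
 * (the real AllowUsers/DenyUsers syntax accepts other forms too).
 * Returns 1 if the address part is well-formed, 0 otherwise.
 */
int
user_cidr_pattern_ok(const char *pat)
{
	const char *at = strchr(pat, '@');
	unsigned char net[16];
	int af, bits;

	if (at == NULL || at == pat || at[1] == '\0')
		return 0;
	return cidr_parse(at + 1, net, &af, &bits) == 0;
}
```

A configuration parser would call user_cidr_pattern_ok() on every entry and refuse to start on a 0 result; cidr_match() is then only ever reached with patterns that are known to be valid.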


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, e.g.

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
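The overflow this commit warns about, as an added example that is not OpenSSH's xcalloc() (which calls fatal() rather than returning an error): a hypothetical checked_calloc() that refuses a request whose nmemb * size would wrap, beside naive_request_size(), which shows the tiny allocation the unchecked malloc(nmemb * size) idiom would actually have made. All function names here are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not OpenSSH code). Overflow-checked array allocation:
 * refuses the request, without touching the allocator, when
 * nmemb * size would wrap. Returns 0 and stores the zero-filled block
 * in *out, or -1 with *out set to NULL on a zero argument, overflow,
 * or allocation failure.
 */
int
checked_calloc(size_t nmemb, size_t size, void **out)
{
	void *p;

	*out = NULL;
	if (nmemb == 0 || size == 0)
		return -1;
	/* The check malloc(nmemb * size) lacks: would the product wrap? */
	if (nmemb > SIZE_MAX / size)
		return -1;
	if ((p = calloc(nmemb, size)) == NULL)
		return -1;
	*out = p;
	return 0;
}

/*
 * The size that the "malloc(nmemb * size)" idiom actually asks for.
 * Unsigned multiplication wraps modulo SIZE_MAX + 1, so an enormous
 * element count can collapse into a tiny allocation that later
 * element writes overrun.
 */
size_t
naive_request_size(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Returns 1 if the wrapping request is refused and nothing is allocated. */
int
overflow_is_rejected(void)
{
	void *p = (void *)1;	/* sentinel: the call must clear it */
	size_t huge = SIZE_MAX / 2 + 2;	/* huge * 2 wraps to 2 */

	if (checked_calloc(huge, 2, &p) != -1 || p != NULL)
		return 0;
	return naive_request_size(huge, 2) == 2;
}

/* Returns 1 if a sane request succeeds and the memory is zero-filled. */
int
sane_request_is_zeroed(void)
{
	void *p;
	unsigned char zeros[64] = {0};
	int ok;

	if (checked_calloc(8, 8, &p) != 0 || p == NULL)
		return 0;
	ok = memcmp(p, zeros, sizeof(zeros)) == 0;
	free(p);
	return ok;
}
```

The division-based test is the standard portable form of the check; it costs one integer division per allocation and needs no wider integer type, which is why a wrapper like this can be applied everywhere an array is allocated.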


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.159 09-Dec-2022 dtucker

Add some server debugging for hostbased auth.

auth_debug_add queues messages about the auth process which is sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.158 03-Jun-2022 djm

move auth_openprincipals() and auth_openkeyfile() over to
auth2-pubkeyfile.c too; they make more sense there.


# 1.157 27-May-2022 djm

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@


# 1.156 27-May-2022 djm

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@


# 1.155 26-Apr-2022 dtucker

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.158 03-Jun-2022 djm

move auth_openprincipals() and auth_openkeyfile() over to
auth2-pubkeyfile.c too; they make more sense there.


# 1.157 27-May-2022 djm

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@


# 1.156 27-May-2022 djm

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@


# 1.155 26-Apr-2022 dtucker

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.157 27-May-2022 djm

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@


# 1.156 27-May-2022 djm

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@


# 1.155 26-Apr-2022 dtucker

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.155 26-Apr-2022 dtucker

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
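
Added example, not the project's code: IPv4-only parsing of an AllowUsers/DenyUsers "user@addr/bits" pattern that rejects a malformed prefix length such as /55 at load time instead of letting it through as a match-all. The function names parse_cidr4(), addr_in_cidr4() and validate_user_pattern() are this example's own; sshd's real matching also handles IPv6 and hostname wildcards.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse "a.b.c.d[/bits]" into a host-order network address and prefix
 * length.  Returns 0 on success, -1 if either part is malformed; a
 * missing "/bits" means a single host (/32).
 */
int
parse_cidr4(const char *spec, uint32_t *net, int *bits)
{
	char addr[INET_ADDRSTRLEN];
	struct in_addr in;
	const char *slash;
	char *end;
	long n = 32;
	size_t alen;

	if ((slash = strchr(spec, '/')) != NULL) {
		if (slash[1] == '\0')
			return -1;
		n = strtol(slash + 1, &end, 10);
		if (*end != '\0' || n < 0 || n > 32)
			return -1;		/* "/55" fails here */
		alen = (size_t)(slash - spec);
	} else
		alen = strlen(spec);
	if (alen == 0 || alen >= sizeof(addr))
		return -1;
	memcpy(addr, spec, alen);
	addr[alen] = '\0';
	if (inet_pton(AF_INET, addr, &in) != 1)
		return -1;
	*net = ntohl(in.s_addr);
	*bits = (int)n;
	return 0;
}

/*
 * Is host "ip" inside "spec"?  1 = match, 0 = no match, -1 = malformed
 * spec.  Before the 1.117 fix a malformed range behaved like a match.
 */
int
addr_in_cidr4(const char *ip, const char *spec)
{
	struct in_addr in;
	uint32_t net, host, mask;
	int bits;

	if (parse_cidr4(spec, &net, &bits) == -1)
		return -1;
	if (inet_pton(AF_INET, ip, &in) != 1)
		return -1;
	host = ntohl(in.s_addr);
	mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);	/* no 32-bit shift */
	return (host & mask) == (net & mask);
}

/*
 * Config-load check for an AllowUsers/DenyUsers entry "user@addr/bits".
 * Plain user names and address parts without "/" are passed through
 * (sshd treats those as hostname/address patterns); a CIDR range must
 * parse or the entry is refused.  Returns 0 to accept, -1 to refuse.
 */
int
validate_user_pattern(const char *pat)
{
	const char *at = strchr(pat, '@');
	uint32_t net;
	int bits;

	if (at == NULL || strchr(at + 1, '/') == NULL)
		return 0;
	return parse_cidr4(at + 1, &net, &bits);
}

int
main(void)
{
	const char *bad = "djm@127.1.2.3/55";	/* the pattern from the commit */

	printf("%s: %s\n", bad,
	    validate_user_pattern(bad) == 0 ? "accepted" : "refused at load time");
	printf("10.20.30.40 in 10.0.0.0/8: %d\n",
	    addr_in_cidr4("10.20.30.40", "10.0.0.0/8"));
	return 0;
}
```

Refusing the entry when the configuration is parsed is the important part: an access-control rule that silently degrades to "match everything" is worse than one that stops sshd from starting.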


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.154 23-Feb-2022 djm

randomise the password used in fakepw


Revision tags: OPENBSD_7_0_BASE
# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

branches: 1.147.4;
support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while I was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.153 05-Jul-2021 dtucker

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


Revision tags: OPENBSD_6_9_BASE
# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.152 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@
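
The rule this entry introduces is small but easy to get wrong in deployment tooling, so here is an added worked example (not OpenSSH code): it splits the option list off an authorized_keys line far enough to read cert-authority and principals="name1,name2", then applies the decision described above. With a principals list, any listed name appearing in the certificate suffices; without one, the login username itself must be a certificate principal. Recognising the key-type token by its "ssh-", "ecdsa-" or "sk-" prefix, rejecting a certificate that carries no principals, and the sample CA line (with made-up key material) are all assumptions of this example.

```python
"""Certificate principal matching as introduced in revision 1.87.

Added example for this page, not OpenSSH code. It models the decision
only; key signature checking is out of scope.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption of this example: a line whose first token looks like a key
# type carries no options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample line; the key material is not a real key.
SAMPLE_CA_LINE = (
    'cert-authority,principals="alice@EXAMPLE.ORG,bob@EXAMPLE.ORG",'
    'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBogusExample0000 corp-ca'
)


def split_options(line: str) -> Tuple[Dict[str, Optional[str]], str]:
    """Return ({option: value_or_None}, "keytype base64 comment") for one line.

    Options are comma separated; values are double-quoted, may contain
    commas, and a backslash escapes the next character inside the quotes.
    """
    line = line.strip()
    first = line.split(None, 1)[0] if line else ""
    if first.startswith(KEY_TYPE_PREFIXES):
        return {}, line
    opts: Dict[str, Optional[str]] = {}
    i, n = 0, len(line)
    while i < n and not line[i].isspace():
        start = i
        while i < n and line[i] not in '=,' and not line[i].isspace():
            i += 1
        name = line[start:i]
        value = None
        if i < n and line[i] == '=':
            i += 1
            if i >= n or line[i] != '"':
                raise ValueError(f"unquoted value for option {name!r}")
            i += 1
            buf = []
            while i < n and line[i] != '"':
                if line[i] == '\\' and i + 1 < n:
                    i += 1  # keep the escaped character literally
                buf.append(line[i])
                i += 1
            if i >= n:
                raise ValueError(f"unterminated quote in option {name!r}")
            i += 1  # skip the closing quote
            value = "".join(buf)
        opts[name] = value
        if i < n and line[i] == ',':
            i += 1
    return opts, line[i:].strip()


def principals_from_options(opts: Dict[str, Optional[str]]) -> Optional[List[str]]:
    """The acceptable-principal list from principals="...", or None if absent."""
    value = opts.get("principals")
    if value is None:
        return None
    return [p.strip() for p in value.split(",") if p.strip()]


def certificate_accepted(cert_principals: Iterable[str], username: str,
                         acceptable: Optional[Iterable[str]]) -> bool:
    """Apply the 1.87 rule: list given -> any overlap; no list -> username itself."""
    cert_set = set(cert_principals)
    if not cert_set:
        return False  # choice of this example: no principals, no login
    if acceptable is None:
        return username in cert_set
    return not cert_set.isdisjoint(acceptable)


def cert_allowed_by_line(line: str, cert_principals: Iterable[str], username: str) -> bool:
    """Decide whether one authorized_keys line admits a certificate for username."""
    opts, _rest = split_options(line)
    if "cert-authority" not in opts:
        return False  # a plain key line never trusts a certificate
    return certificate_accepted(cert_principals, username, principals_from_options(opts))
```

The same decision applies to a CA listed in sshd_config via TrustedUserCAKeys, with the acceptable list read from the per-user AuthorizedPrincipalsFile instead of a principals= option.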


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.151 22-Dec-2020 djm

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
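
The failure mode this entry fixes, an unparseable range that silently matches everything, is worth seeing in code. The Python below is an added illustration for this page, not OpenSSH's implementation: it validates every USER@HOST pattern when the configuration is loaded, so "djm@127.1.2.3/55" fails the whole config instead of admitting every source, and it then evaluates DenyUsers before AllowUsers for a connection. The matching model is simplified: HOST is either a CIDR range or a glob matched against the source address or resolved hostname, with fnmatch standing in for sshd's pattern matcher, and normalising a range with host bits set (10.1.2.3/8 to 10.0.0.0/8) is a choice of this example.

```python
"""Load-time validation of AllowUsers/DenyUsers patterns (cf. revision 1.117).

Added example for this page, not OpenSSH code.
"""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Parsed = Tuple[str, Optional[str], Optional[Network]]  # (user glob, host glob, network)


class ConfigError(ValueError):
    """Raised while loading the configuration for an invalid pattern."""


def parse_user_pattern(pattern: str) -> Parsed:
    """Split USER[@HOST]; a HOST containing '/' must be a valid CIDR range."""
    user, sep, host = pattern.partition("@")
    if not user:
        raise ConfigError(f"empty user in pattern {pattern!r}")
    if not sep:
        return user, None, None
    if "/" in host:
        try:
            # strict=False normalises host bits away (assumption of this example);
            # a bad prefix length such as /55 on IPv4 still raises ValueError.
            net = ipaddress.ip_network(host, strict=False)
        except ValueError as e:
            raise ConfigError(f"invalid address range in {pattern!r}: {e}") from None
        return user, None, net
    if not host:
        raise ConfigError(f"empty host in pattern {pattern!r}")
    return user, host, None


def load_patterns(patterns: List[str]) -> List[Parsed]:
    """Validate every pattern up front; the first bad one rejects the config."""
    return [parse_user_pattern(p) for p in patterns]


def config_error(patterns: List[str]) -> Optional[str]:
    """Return the load-time error message for a pattern list, or None if valid."""
    try:
        load_patterns(patterns)
    except ConfigError as e:
        return str(e)
    return None


def pattern_matches(parsed: Parsed, user: str, addr: str,
                    hostname: Optional[str] = None) -> bool:
    """Does one parsed pattern match this user connecting from addr/hostname?"""
    puser, hostglob, net = parsed
    if not fnmatch.fnmatchcase(user, puser):
        return False
    if net is not None:
        return ipaddress.ip_address(addr) in net
    if hostglob is not None:
        return fnmatch.fnmatchcase(addr, hostglob) or (
            hostname is not None and fnmatch.fnmatchcase(hostname, hostglob))
    return True


def user_allowed(allow: List[str], deny: List[str], user: str, addr: str,
                 hostname: Optional[str] = None) -> bool:
    """DenyUsers is checked first; an empty AllowUsers admits anyone not denied."""
    deny_p = load_patterns(deny)
    allow_p = load_patterns(allow)
    if any(pattern_matches(p, user, addr, hostname) for p in deny_p):
        return False
    if allow_p and not any(pattern_matches(p, user, addr, hostname) for p in allow_p):
        return False
    return True
```

Validating at load time also gives the operator an error at restart, when the mistake is cheap to fix, rather than a silently permissive policy discovered during an incident.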


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-define cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary groups in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.150 20-Dec-2020 djm

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 1.149 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.148 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.147 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
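
An added example, not OpenSSH's own parser, of the load-time check the message describes: a user@addr/len entry whose prefix length is impossible for its address family is refused instead of being accepted and matching every source address. It also handles IPv6 prefixes, which the message does not mention; cidr_family() and user_entry_ok() are illustrative names, not OpenSSH functions:

```c
/*
 * Added example (not OpenSSH's own code): validate "user@addr/len"
 * entries of the kind AllowUsers/DenyUsers accept, at config-load time,
 * so an impossible prefix length such as 127.1.2.3/55 is rejected rather
 * than silently becoming a match-everything rule.  cidr_family() and
 * user_entry_ok() are illustrative names, not OpenSSH functions.
 */
#include <sys/socket.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/*
 * Returns AF_INET or AF_INET6 when spec is a syntactically valid
 * "address/prefixlen" range (prefix 0..32 for IPv4, 0..128 for IPv6),
 * or -1 otherwise.  A missing "/len" is rejected here.
 */
int
cidr_family(const char *spec)
{
	char buf[64];
	unsigned char addr[16];
	char *slash, *end;
	long len;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash == NULL)
		return -1;
	*slash = '\0';
	/* prefix length must be a plain decimal number: no sign, no spaces */
	if (!isdigit((unsigned char)slash[1]))
		return -1;
	len = strtol(slash + 1, &end, 10);
	if (*end != '\0')
		return -1;
	if (inet_pton(AF_INET, buf, addr) == 1)
		return len <= 32 ? AF_INET : -1;
	if (inet_pton(AF_INET6, buf, addr) == 1)
		return len <= 128 ? AF_INET6 : -1;
	return -1;
}

/*
 * One AllowUsers/DenyUsers-style entry.  If the part after '@' contains
 * a '/', it must be a valid CIDR range; otherwise it is treated as a
 * hostname/address pattern and left to pattern matching.  Returns 1 if
 * the entry is acceptable, 0 if the configuration should be refused.
 */
int
user_entry_ok(const char *entry)
{
	const char *at = strchr(entry, '@');

	if (at == NULL)
		return 1;		/* plain username */
	if (strchr(at + 1, '/') == NULL)
		return 1;		/* hostname or address pattern */
	return cidr_family(at + 1) != -1;
}
```

Running the check while the configuration is parsed, rather than when a connection arrives, is what turns a bad entry into a refused config instead of a rule that quietly matches everyone.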


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@



This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
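
The load-time check that revision 1.117 describes, modelled in Python as an added example (this is not sshd's own C code; sshd also accepts wildcards and hostnames in these patterns, which are left out here, and the masking of host bits in a range is an assumption of the model). It shows both the corrected behaviour, where a pattern with an invalid CIDR prefix such as `127.1.2.3/55` makes the configuration fail to load, and the pre-fix failure mode, where the unparsable range was treated as matching any source address:

```python
"""Model of the AllowUsers/DenyUsers address-range validation from
revision 1.117.  Added illustration in Python, not sshd's code: wildcards
and hostnames in patterns are not supported here.  Entries look like
"user" or "user@addr[/prefixlen]"."""
import ipaddress


def parse_user_pattern(pattern):
    """Parse one AllowUsers/DenyUsers entry into (user, network-or-None).

    A range with a bad prefix length (e.g. 127.1.2.3/55) raises ValueError
    so the caller can refuse the whole configuration at load time, which
    is the behaviour the commit introduced."""
    user, at, addr = pattern.partition("@")
    if not at:
        return user, None                     # plain username, any source
    try:
        # strict=False masks host bits (10.1.2.3/8 -> 10.0.0.0/8); this is
        # an assumption of the model, not necessarily what sshd does.
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError as err:
        raise ValueError(f"invalid address range in {pattern!r}: {err}") from None
    return user, net


def load_user_list(patterns):
    """Validate every entry up front; one bad entry rejects the list."""
    return [parse_user_pattern(p) for p in patterns]


def entry_matches(entry, user, addr):
    """True when a parsed entry applies to this (user, source address).
    An IPv4 source never falls inside an IPv6 range and vice versa."""
    pat_user, net = entry
    if pat_user != user:
        return False
    if net is None:
        return True
    return ipaddress.ip_address(addr) in net


def any_entry_matches(entries, user, addr):
    return any(entry_matches(e, user, addr) for e in entries)


def legacy_entry_matches(pattern, user, addr):
    """Reproduces the pre-1.117 failure mode for comparison only: a range
    that cannot be parsed is treated as matching, so "djm@127.1.2.3/55"
    matches user djm from anywhere.  Do not use; shown only for the bug."""
    try:
        return entry_matches(parse_user_pattern(pattern), user, addr)
    except ValueError:
        return user == pattern.partition("@")[0]


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real host.
    entries = load_user_list(["djm@10.0.0.0/8", "ops@2001:db8::/32", "root"])
    print(any_entry_matches(entries, "djm", "10.1.2.3"))      # True
    print(any_entry_matches(entries, "djm", "192.0.2.1"))     # False
    print(legacy_entry_matches("djm@127.1.2.3/55", "djm", "192.0.2.1"))  # True
    try:
        load_user_list(["djm@127.1.2.3/55"])
    except ValueError as err:
        print("rejected at load time:", err)
```

Rejecting at load time rather than at match time matters because a list that is consulted per connection must never fail open; a pattern that cannot be parsed is a configuration error, not a wildcard.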


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@
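
The acceptance rule revision 1.87 describes, as an added Python model (not sshd's code): with neither a principals= option nor an AuthorizedPrincipalsFile, the certificate must name the login user; when either is present, any listed name that also appears in the certificate is enough. The two small parsers assume the formats stated in the message (a comma-separated principals="..." option and a one-name-per-line file); the key-option prefixes sshd allows on AuthorizedPrincipalsFile lines are not modelled.

```python
"""Model of certificate principal matching from revision 1.87.  Added
illustration in Python, not sshd's code.  Assumed inputs: the
certificate's principal list, the login name and, optionally, the names
from a principals="a,b" authorized_keys option or an
AuthorizedPrincipalsFile (one name per line, # comments allowed)."""


def parse_principals_option(options):
    """Extract the list from an authorized_keys options string such as
    'principals="deploy,backup",no-pty'.  Returns None when the option is
    absent so the caller falls back to the username rule.  Escaped
    quotes inside the value are not handled by this model."""
    key = 'principals="'
    start = options.find(key)
    if start < 0:
        return None
    start += len(key)
    end = options.find('"', start)
    if end < 0:
        raise ValueError("unterminated principals= option")
    return [p.strip() for p in options[start:end].split(",") if p.strip()]


def parse_principals_file(text):
    """One acceptable name per line; blank lines and # comments ignored."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line)
    return names


def principal_accepted(cert_principals, username, allowed=None):
    """Return the principal that authorises the login, or None.

    allowed is None when neither option is configured: then the
    certificate has to carry the login name itself.  Otherwise only the
    listed names count, so a certificate naming the bare login user but
    none of the listed names is refused."""
    certp = set(cert_principals)
    if allowed is None:
        return username if username in certp else None
    for name in allowed:
        if name in certp:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    opt = parse_principals_option('principals="alice@example.org,deploy",no-pty')
    print(principal_accepted(["alice@example.org"], "alice"))        # None
    print(principal_accepted(["alice@example.org"], "alice", opt))   # alice@example.org
    allowed = parse_principals_file("# role account\nwebadmin\n\nsre-oncall\n")
    print(principal_accepted(["sre-oncall"], "www", allowed))        # sre-oncall
```

The return value is the matched principal rather than a bare boolean so that the caller can log which name authorised a role-account login, which is the information an incident responder needs when several people share the account.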


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.147 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


Revision tags: OPENBSD_6_7_BASE
# 1.146 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, e.g.

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.145 23-Jan-2020 dtucker

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 1.144 16-Dec-2019 tobhe

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit



Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.143 25-Nov-2019 djm

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.142 16-Oct-2019 djm

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


Revision tags: OPENBSD_6_6_BASE
# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() allways call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.141 02-Oct-2019 djm

remove some duplicate #includes


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


# 1.140 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.139 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@
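
The ownership and permission test that these queued debug messages report on, as an added example in C. This is my code, not OpenSSH's secure_filename(): a key file is trusted only if it, and every directory between it and the user's home directory, is owned by the user or by root and is not group- or world-writable, because anyone who can write a parent directory can drop in an authorized_keys of their own. The walk stops once the home directory has been checked, which is the behaviour the 1.25 entry further down introduced. The function names keyfile_secure(), mode_acceptable() and run_fixture(), the throwaway fixture under /tmp, and the assumption that paths are absolute and already canonicalised are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Policy for one path component: owned by the user (or root) and neither
 * group- nor world-writable. */
bool
mode_acceptable(uid_t owner, mode_t mode, uid_t uid)
{
	return (owner == uid || owner == 0) && (mode & 022) == 0;
}

/*
 * Check `file` and every directory above it, up to and including `home`.
 * Paths are assumed absolute and already canonicalised (no symlinks, no
 * ".." components); a real implementation would realpath() them first.
 * The last component is stripped in place rather than with dirname(3),
 * which modifies its argument on some systems.  A reason goes to errbuf.
 */
bool
keyfile_secure(const char *file, const char *home, uid_t uid,
    char *errbuf, size_t errlen)
{
	struct stat st;
	char path[PATH_MAX], *slash;

	if (snprintf(path, sizeof(path), "%s", file) >= (int)sizeof(path)) {
		snprintf(errbuf, errlen, "path too long");
		return false;
	}
	if (stat(path, &st) == -1 || !S_ISREG(st.st_mode)) {
		snprintf(errbuf, errlen, "%s is not a regular file", path);
		return false;
	}
	if (!mode_acceptable(st.st_uid, st.st_mode, uid)) {
		snprintf(errbuf, errlen, "bad ownership or modes for %s", path);
		return false;
	}
	/* Walk towards the root, stopping once the home directory has been
	 * checked so that unusual parents (AFS, a /tmp fixture) do not matter. */
	while ((slash = strrchr(path, '/')) != NULL && slash != path) {
		*slash = '\0';
		if (stat(path, &st) == -1 || !S_ISDIR(st.st_mode)) {
			snprintf(errbuf, errlen, "%s is not a directory", path);
			return false;
		}
		if (!mode_acceptable(st.st_uid, st.st_mode, uid)) {
			snprintf(errbuf, errlen, "bad ownership or modes for %s", path);
			return false;
		}
		if (strcmp(path, home) == 0)
			break;
	}
	return true;
}

/* Constructed fixture: a throwaway home under /tmp.  A properly protected
 * authorized_keys must pass; a group-writable ~/.ssh and then a
 * world-writable home must each be rejected.  Returns 0 on success,
 * otherwise the number of the step that behaved unexpectedly. */
int
run_fixture(void)
{
	char base[PATH_MAX], home[PATH_MAX], sshdir[PATH_MAX], keyfile[PATH_MAX];
	char err[256];
	uid_t uid = getuid();
	int fd, rc = 0;

	snprintf(base, sizeof(base), "/tmp/keyfile_demo.%ld", (long)getpid());
	snprintf(home, sizeof(home), "%s/home", base);
	snprintf(sshdir, sizeof(sshdir), "%s/.ssh", home);
	snprintf(keyfile, sizeof(keyfile), "%s/authorized_keys", sshdir);

	if (mkdir(base, 0700) == -1)
		return 1;
	if (mkdir(home, 0700) == -1 || mkdir(sshdir, 0700) == -1)
		rc = 2;
	else if ((fd = open(keyfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1)
		rc = 3;
	else {
		close(fd);
		if (!keyfile_secure(keyfile, home, uid, err, sizeof(err)))
			rc = 4;	/* correct layout wrongly rejected; err says why */
		else if (chmod(sshdir, 0770) == -1 ||
		    keyfile_secure(keyfile, home, uid, err, sizeof(err)))
			rc = 5;	/* group-writable ~/.ssh was accepted */
		else if (chmod(sshdir, 0700) == -1 || chmod(home, 0777) == -1 ||
		    keyfile_secure(keyfile, home, uid, err, sizeof(err)))
			rc = 6;	/* world-writable home was accepted */
		unlink(keyfile);
	}
	rmdir(sshdir);
	rmdir(home);
	rmdir(base);
	return rc;
}
```

The fixture deliberately never checks /tmp itself: it is world-writable by design, and stopping at the home directory is exactly what keeps the check usable there and on AFS. sshd's StrictModes does the same walk before trusting ~/.ssh/authorized_keys, and with StrictModes off these failures become the queued debug messages rather than a refusal.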


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@
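
The matching rule laid out in this entry, as an added example that is not OpenSSH code: principal_accepted() takes the requested login name, the certificate's principal list and, optionally, the acceptable-name list that would come from a principals= key option or an AuthorizedPrincipalsFile. Both lists are passed as comma-separated strings in the style of principals="name1,name2"; that representation, the function name, and the choice to treat a certificate with no principals as matching nobody are assumptions of this example rather than statements about sshd.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Does `name` appear as one element of the comma-separated `list`?
 * Exact match only: no patterns, no case folding. */
static bool
name_in_csv(const char *name, const char *list)
{
	size_t nlen = strlen(name), len;
	const char *p, *comma;

	for (p = list; *p != '\0'; p = comma + 1) {
		comma = strchr(p, ',');
		len = comma != NULL ? (size_t)(comma - p) : strlen(p);
		if (len == nlen && strncmp(p, name, nlen) == 0)
			return true;
		if (comma == NULL)
			break;
	}
	return false;
}

/*
 * user:            the account the client asked to log in as
 * cert_principals: principals carried in the certificate
 * acceptable:      names from principals=... or AuthorizedPrincipalsFile,
 *                  or NULL when neither option is configured
 *
 * With no explicit list the only acceptable name is the login name itself,
 * so the certificate must carry it.  With a list, the login name no longer
 * matters on its own: any certificate principal found in the list suffices.
 * A certificate with no principals matches nobody here (a simplification
 * of this example, not a statement about sshd).
 */
bool
principal_accepted(const char *user, const char *cert_principals,
    const char *acceptable)
{
	const char *allowed = acceptable != NULL ? acceptable : user;
	const char *p, *comma;
	char name[256];
	size_t len;

	if (user == NULL || cert_principals == NULL)
		return false;
	for (p = cert_principals; *p != '\0'; p = comma + 1) {
		comma = strchr(p, ',');
		len = comma != NULL ? (size_t)(comma - p) : strlen(p);
		if (len > 0 && len < sizeof(name)) {
			memcpy(name, p, len);
			name[len] = '\0';
			if (name_in_csv(name, allowed))
				return true;
		}
		if (comma == NULL)
			break;
	}
	return false;
}

int
main(void)
{
	/* Role account "deploy" reached with a user@realm-style certificate. */
	printf("%s\n", principal_accepted("deploy", "alice@corp",
	    "alice@corp,bob@corp") ? "accepted" : "rejected");
	return 0;
}
```

The last test case below is the one that matters operationally: once an explicit list exists, a certificate issued for "deploy" itself is no longer enough to log in as deploy unless "deploy" is in that list, which is what makes the option usable for role accounts with disjoint namespaces.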


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@
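
Why malloc(nmemb * size) is the dangerous idiom this entry describes, as an added example in C that is not OpenSSH's xcalloc(): the multiplication wraps silently, so a large element count can buy a buffer far smaller than the code that later fills it expects. alloc_size_overflows() is the check a failure-checked wrapper has to make before calling the allocator, and xcalloc_checked() aborts on zero-sized, overflowing or failed requests rather than returning NULL. The function names are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* True if nmemb * size cannot be represented in a size_t. */
bool
alloc_size_overflows(size_t nmemb, size_t size)
{
	return nmemb != 0 && size != 0 && nmemb > SIZE_MAX / size;
}

/* The dangerous idiom: the product wraps modulo SIZE_MAX + 1, so an
 * attacker-controlled element count can yield a tiny allocation that
 * the subsequent element-by-element writes overrun. */
size_t
naive_alloc_bytes(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Failure-checked allocation in the spirit of xcalloc(): zero-sized,
 * overflowing and failed requests are fatal, so callers never have to
 * reason about a NULL or undersized return. */
void *
xcalloc_checked(size_t nmemb, size_t size)
{
	void *p;

	if (nmemb == 0 || size == 0) {
		fprintf(stderr, "xcalloc: zero size\n");
		abort();
	}
	if (alloc_size_overflows(nmemb, size)) {
		fprintf(stderr, "xcalloc: nmemb * size > SIZE_MAX\n");
		abort();
	}
	if ((p = calloc(nmemb, size)) == NULL) {
		fprintf(stderr, "xcalloc: out of memory (%zu * %zu bytes)\n",
		    nmemb, size);
		abort();
	}
	return p;
}

/* Allocate, confirm the memory really is zeroed, release it again.
 * The product is safe to compute here: xcalloc_checked() already
 * refused anything that would overflow. */
bool
xcalloc_roundtrip(size_t nmemb, size_t size)
{
	unsigned char *p = xcalloc_checked(nmemb, size);
	bool zeroed = true;
	size_t i;

	for (i = 0; i < nmemb * size; i++)
		if (p[i] != 0)
			zeroed = false;
	free(p);
	return zeroed;
}

int
main(void)
{
	size_t nmemb = SIZE_MAX / 4 + 2;	/* 2^(bits-2) + 1 elements */

	printf("naive: %zu elements of 4 bytes -> %zu bytes requested\n",
	    nmemb, naive_alloc_bytes(nmemb, 4));
	printf("checked: overflow %s\n",
	    alloc_size_overflows(nmemb, 4) ? "detected" : "missed");
	return 0;
}
```

With nmemb = SIZE_MAX / 4 + 2 the naive request asks the allocator for 4 bytes on both 32- and 64-bit targets, which is the whole problem in one number; calloc(3) performs the same overflow check internally, which is why the wrapper is built on it rather than on malloc(3).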


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.138 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.137 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.136 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired, as it breaks the password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
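
As an added example, not OpenSSH's own implementation, the following C shows a load-time validator for the IPv4 CIDR patterns this commit describes: a prefix length outside 0..32 (such as the /55 in the report) is rejected when the configuration is read, so a malformed range can never silently match every address. The names parse_cidr4(), addr_in_range() and cidr_match() are illustrative, and the 192.0.2.0/24, 10.0.0.0/8 and 127.1.2.3/55 inputs are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse "a.b.c.d" or "a.b.c.d/len" into a network-order network
 * address and mask. Returns 1 on success, 0 on malformed input or an
 * out-of-range prefix length. Illustrative code, not OpenSSH's.
 */
int
parse_cidr4(const char *spec, uint32_t *net, uint32_t *mask)
{
	char buf[64], *slash, *end;
	struct in_addr a;
	long len;

	if (strlen(spec) >= sizeof(buf))
		return 0;
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash == NULL) {
		len = 32;		/* bare address: host match */
	} else {
		*slash = '\0';
		if (slash[1] == '\0')
			return 0;	/* "addr/" with no length */
		len = strtol(slash + 1, &end, 10);
		if (*end != '\0' || len < 0 || len > 32)
			return 0;	/* e.g. "/55": refuse at config load */
	}
	if (inet_pton(AF_INET, buf, &a) != 1)
		return 0;
	*mask = len == 0 ? 0 : htonl(0xffffffffU << (32 - len));
	*net = a.s_addr & *mask;
	return 1;
}

/* Does the dotted-quad addr fall inside an already validated range? */
int
addr_in_range(const char *addr, uint32_t net, uint32_t mask)
{
	struct in_addr a;

	if (inet_pton(AF_INET, addr, &a) != 1)
		return 0;
	return (a.s_addr & mask) == net;
}

/*
 * 1 if spec is valid AND addr lies within it, else 0. An invalid spec
 * therefore never matches: the safe failure mode, and the opposite of
 * the behaviour this commit fixed.
 */
int
cidr_match(const char *spec, const char *addr)
{
	uint32_t net, mask;

	if (!parse_cidr4(spec, &net, &mask))
		return 0;
	return addr_in_range(addr, net, mask);
}

int
main(void)
{
	/* constructed sample patterns, including the bad /55 from the report */
	const char *specs[] = { "192.0.2.0/24", "127.1.2.3/55", "10.0.0.0/8" };
	const char *addr = "192.0.2.77";
	uint32_t net, mask;
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		if (!parse_cidr4(specs[i], &net, &mask))
			printf("%s: rejected at load time\n", specs[i]);
		else
			printf("%s: %s %s\n", specs[i], addr,
			    addr_in_range(addr, net, mask) ?
			    "matches" : "does not match");
	}
	return 0;
}
```

Rejecting the pattern when sshd_config is parsed, rather than at match time, means the administrator sees the error on restart or with a configuration test instead of discovering a rule that applied to everyone.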


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, e.g.

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() allways call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.135 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@
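
The two fingerprint formats this entry switches between, as an added example in Python that is not OpenSSH's code: the SHA256 form is "SHA256:" followed by the unpadded base64 digest of the raw public-key blob, the legacy MD5 form is "MD5:" followed by colon-separated hex. The sample key line is constructed for the example (a format-valid ssh-ed25519 blob with arbitrary key bytes, not a real key); the helper names are this example's own.

```python
import base64
import hashlib
import struct


def _string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: a syntactically valid ssh-ed25519 public key whose
# 32 key bytes are a fixed constant, so the example runs offline.
SAMPLE_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " example@host"


def key_blob(line: str) -> bytes:
    """Return the raw key blob from an authorized_keys/known_hosts style line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with its own type string; it must agree with the line.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != fields[0].encode():
        raise ValueError("key type in blob does not match line")
    return blob


def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """OpenSSH-style fingerprint of a key blob.

    sha256: "SHA256:" + base64 digest with trailing '=' removed (new default).
    md5:    "MD5:" + colon-separated lowercase hex (legacy format).
    """
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if hash_alg == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unsupported FingerprintHash: " + hash_alg)


def both_fingerprints(line: str):
    """(sha256 fingerprint, md5 fingerprint) for one key line."""
    blob = key_blob(line)
    return fingerprint(blob, "sha256"), fingerprint(blob, "md5")


if __name__ == "__main__":
    for fp in both_fingerprints(SAMPLE_LINE):
        print(fp)
```

The type check in key_blob() is the kind of consistency test worth keeping when fingerprinting untrusted input: a line whose leading type word disagrees with the blob is malformed and should not be fingerprinted as if it were valid.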


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@
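
The space trade-off behind the "single bit per serial" claim, as an added example that is not OpenSSH's KRL implementation and not the PROTOCOL.krl wire format: a revoked-serial set stored as a base serial plus a bitmap, with a trivial encoding so it can be round-tripped, compared against the eight bytes per serial a plain list would cost. The class and field layout are this example's own.

```python
import struct


class SerialBitmap:
    """Revoked certificate serials as (base, bitmap): bit i set means
    serial base+i is revoked. Dense revocations of a CA's serial space
    cost one bit each instead of a full serial per entry."""

    def __init__(self, base: int):
        self.base = base
        self.bits = 0

    def revoke(self, serial: int) -> None:
        if serial < self.base:
            raise ValueError("serial below bitmap base")
        self.bits |= 1 << (serial - self.base)

    def is_revoked(self, serial: int) -> bool:
        off = serial - self.base
        return off >= 0 and (self.bits >> off) & 1 == 1

    def encode(self) -> bytes:
        """uint64 base + uint32 length + big-endian bitmap bytes (example layout)."""
        nbytes = (self.bits.bit_length() + 7) // 8
        raw = self.bits.to_bytes(nbytes, "big")
        return struct.pack(">QI", self.base, len(raw)) + raw

    @classmethod
    def decode(cls, data: bytes):
        base, n = struct.unpack(">QI", data[:12])
        if len(data) != 12 + n:
            raise ValueError("truncated bitmap section")
        bm = cls(base)
        bm.bits = int.from_bytes(data[12:12 + n], "big")
        return bm


def list_size(serials) -> int:
    """Bytes needed to store the same set as a plain list of uint64 serials."""
    return 8 * len(serials)


def demo():
    # Constructed scenario: a CA issued serials 1000..1999 and a batch of
    # 700 consecutive certificates had to be revoked.
    revoked = set(range(1000, 1700))
    bm = SerialBitmap(1000)
    for s in revoked:
        bm.revoke(s)
    encoded = bm.encode()
    again = SerialBitmap.decode(encoded)
    assert all(again.is_revoked(s) for s in revoked)
    assert not again.is_revoked(1700) and not again.is_revoked(999)
    return len(encoded), list_size(revoked)


if __name__ == "__main__":
    bitmap_bytes, list_bytes = demo()
    print(f"bitmap: {bitmap_bytes} bytes, plain list: {list_bytes} bytes")
```

For sparse revocations a bitmap is a poor fit (one bit per serial in the whole span between the lowest and highest revoked serial), which is why a real format also needs list and range sections and picks per batch; the bitmap is the win for the dense case shown here.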


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
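
The Match semantics described above, as an added example that is not OpenSSH's parser: a small Python evaluator for the "override the main section when the condition holds" rule, using the commit's own AllowTcpForwarding/anoncvs configuration plus a second block so the interaction of two satisfied blocks is visible. The configuration text is constructed for the example; only User and Address criteria are implemented, and the "first satisfied block wins per keyword" rule is this example's reading of the documented behaviour, not something the log states.

```python
import fnmatch
import ipaddress

# Constructed sshd_config excerpt: the commit's example plus a second block.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    AllowTcpForwarding yes
"""


def parse_config(text):
    """Return (global_options, [(criteria, options), ...]) in file order.
    Lines after a Match line belong to that block until the next Match."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            toks = rest.split()
            criteria = dict(zip(toks[0::2], toks[1::2]))  # e.g. {"User": "anoncvs"}
            current = {}
            blocks.append((criteria, current))
        else:
            current[key.lower()] = rest.strip()
    return global_opts, blocks


def criteria_satisfied(criteria, conn):
    """conn is a dict with 'user' and 'addr'. Every criterion on the Match
    line must hold; each criterion value may be a comma-separated list."""
    for crit, pattern in criteria.items():
        alternatives = pattern.split(",")
        if crit.lower() == "user":
            if not any(fnmatch.fnmatchcase(conn["user"], p) for p in alternatives):
                return False
        elif crit.lower() == "address":
            addr = ipaddress.ip_address(conn["addr"])
            if not any(addr in ipaddress.ip_network(p, strict=False) for p in alternatives):
                return False
        else:
            raise ValueError("unsupported Match criterion: " + crit)
    return True


def effective(config_text, keyword, conn):
    """Value of keyword for this connection: the first instance found in a
    satisfied Match block, otherwise the main-section value (or None)."""
    global_opts, blocks = parse_config(config_text)
    k = keyword.lower()
    for criteria, opts in blocks:
        if criteria_satisfied(criteria, conn) and k in opts:
            return opts[k]
    return global_opts.get(k)


if __name__ == "__main__":
    for conn in ({"user": "anoncvs", "addr": "198.51.100.9"},
                 {"user": "bob", "addr": "198.51.100.9"},
                 {"user": "anoncvs", "addr": "192.0.2.10"}):
        print(conn, effective(SAMPLE_CONFIG, "AllowTcpForwarding", conn))
```

The third connection in the usage loop is the one to study: anoncvs from 192.0.2.10 satisfies both blocks, and the earlier "Match User anoncvs" block supplies AllowTcpForwarding, so ordering of Match blocks is part of the policy, not cosmetic.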


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
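
The username-enumeration problem behind this entry (and the same concern in the 1.110 entry above, where the "too many authentication failures" disconnect message was changed to stop revealing whether the user exists) is easier to see in code. Added example in Python, not OpenSSH's code: a password check that short-circuits for unknown users beside one that runs the same hash computation for unknown users against a dummy record, so response time does not distinguish a bad password from a nonexistent account. The user database, the PBKDF2 parameters and the dummy-record technique are this example's own choices.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # deliberately slow hash, as a real password store would use


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db(creds):
    """Constructed user database: username -> (salt, pbkdf2 hash)."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(pw, salt))
    return db


# Fixed dummy record used for unknown users so the server does the same
# amount of work whether or not the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def check_leaky(db, user, password):
    """Before: unknown users are rejected before any hashing, so the
    response time reveals which usernames exist."""
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(_hash(password, salt), stored)


def check_constant_effort(db, user, password):
    """After: always run the hash, using a dummy record for unknown users,
    and only then discard the result for a user that does not exist."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and user in db


def timing(fn, db, user, password, rounds=5):
    """Median wall-clock time of one call, for a rough side-by-side look."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(db, user, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    db = make_db({"alice": "correct horse battery staple"})
    for fn in (check_leaky, check_constant_effort):
        known = timing(fn, db, "alice", "wrong password")
        unknown = timing(fn, db, "nobody", "wrong password")
        print(f"{fn.__name__:22s} known user {known * 1e3:7.2f} ms  unknown user {unknown * 1e3:7.2f} ms")
```

The same idea applies to messages: the disconnect text for an unknown user and for a known user with a bad password must be identical, which is what the 1.110 entry fixed on the wire.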


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.134 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
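
The class of bug this commit addresses is a password check that returns early for a nonexistent user, so the response time reveals whether the username exists. The following Python is an added example, not OpenSSH code: it contrasts an early-return check with one that performs the same hashing work against a fake credential when the user is unknown, which is the approach the commit takes with crypt(). The user database, PBKDF2 parameters and the hash-call counter are constructed for the demonstration.

```python
"""Password verification with uniform work for known and unknown users
(added example, not OpenSSH code). User database and hash parameters are
constructed; the call counter exists only to make the difference checkable.
"""
import hashlib
import hmac
import os
import secrets
import time

_ITERATIONS = 20_000
_hash_calls = 0


def _hash(password, salt):
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}  # constructed entry

# Fake credential with an unguessable random password: a lookup miss still
# costs exactly one hash computation, and the fake digest can never match.
_FAKE_SALT = os.urandom(16)
FAKE_ENTRY = (_FAKE_SALT, _hash(secrets.token_hex(32), _FAKE_SALT))


def check_password_leaky(user, password):
    """Early return for unknown users: no hashing, so a fast 'no' tells the
    caller that the username does not exist."""
    if user not in USERS:
        return False
    salt, digest = USERS[user]
    return hmac.compare_digest(_hash(password, salt), digest)


def check_password_uniform(user, password):
    """Always hash once, against the real entry or the fake one, then decide."""
    salt, digest = USERS.get(user, FAKE_ENTRY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    return ok and user in USERS


def measure(check, user, password):
    """Return (accepted, number of hash computations) for one call of check."""
    global _hash_calls
    _hash_calls = 0
    accepted = check(user, password)
    return accepted, _hash_calls


if __name__ == "__main__":
    for check in (check_password_leaky, check_password_uniform):
        for user in ("alice", "mallory"):
            start = time.perf_counter()
            accepted, calls = measure(check, user, "wrong password")
            print(f"{check.__name__:24s} {user:8s} accepted={accepted!s:5s} "
                  f"hash_calls={calls} elapsed={time.perf_counter() - start:.4f}s")
```

Equal work is the goal, not equal code paths: the fake entry must be hashed with the same algorithm and cost parameters as real entries, and the result must still be rejected explicitly (`user in USERS`) rather than relying on the fake digest never matching.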


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge-response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.133 12-Sep-2018 djm

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from the Key typedef to struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
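
The check this commit adds (reject a malformed CIDR range in a USER@HOST entry when the configuration is loaded, instead of letting it match everything later), as an added Python example that is not OpenSSH code. It assumes the entry forms USER and USER@HOST, with HOST taken as a CIDR range when it contains "/" and as a hostname or address glob otherwise, and it applies sshd's documented evaluation order of DenyUsers before AllowUsers. Ports and "!" negation are left out.

```python
"""Load-time validation and matching of AllowUsers/DenyUsers entries
(added example, not OpenSSH code). Entry syntax handled: USER or USER@HOST,
HOST being a CIDR range when it contains '/' and a glob otherwise.
"""
import fnmatch
import ipaddress


def parse_user_list(entries):
    """Validate at configuration load time. A bad range such as
    djm@127.1.2.3/55 raises instead of being accepted and matching everything."""
    parsed = []
    for entry in entries:
        user, _, host = entry.partition("@")
        if not user:
            raise ValueError(f"empty user in {entry!r}")
        net = None
        if "/" in host:
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError as exc:
                raise ValueError(f"invalid address range in {entry!r}: {exc}") from None
        parsed.append((user, host, net))
    return parsed


def is_valid_user_list(entries):
    """True if every entry would be accepted at load time."""
    try:
        parse_user_list(entries)
        return True
    except ValueError:
        return False


def _entry_matches(parsed_entry, user, host, addr):
    user_pat, host_pat, net = parsed_entry
    if not fnmatch.fnmatchcase(user, user_pat):
        return False
    if not host_pat:                      # plain USER entry: any source
        return True
    if net is not None:                   # USER@CIDR
        return ipaddress.ip_address(addr) in net
    # USER@glob: match against the resolved hostname or the textual address
    return fnmatch.fnmatchcase(host, host_pat) or fnmatch.fnmatchcase(addr, host_pat)


def login_permitted(allow_users, deny_users, user, host, addr):
    """sshd order: DenyUsers first; then, if AllowUsers is set, the user must match it."""
    deny = parse_user_list(deny_users)
    allow = parse_user_list(allow_users)
    if any(_entry_matches(e, user, host, addr) for e in deny):
        return False
    if allow and not any(_entry_matches(e, user, host, addr) for e in allow):
        return False
    return True


if __name__ == "__main__":
    print("bad range rejected:", not is_valid_user_list(["djm@127.1.2.3/55"]))
    print("djm from 127.1.2.3:",
          login_permitted(["djm@127.1.2.0/24"], [], "djm", "localhost", "127.1.2.3"))
    print("djm from 192.0.2.1:",
          login_permitted(["djm@127.1.2.0/24"], [], "djm", "client", "192.0.2.1"))
```

Rejecting the configuration outright is the right failure mode for an access-control list: an entry that cannot be parsed must not degrade into "match anything", which is precisely what the commit message reports happened before this change.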


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.132 11-Jul-2018 martijn

s/wuth/with/ in comment


# 1.131 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
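An added example of the override semantics described in this entry (illustrative code, not sshd's configuration parser): a small evaluator that reads a config in the form shown above, applies the main-section defaults, and then applies the blocks whose Match line is satisfied for a given user and source address. It models only `Match User`, `Match Address` (CIDR) and `Match all`; the user criterion is matched as a shell-style glob, a block extends to the next Match line or end of file, and when several satisfied blocks set the same keyword the first instance is the one applied, as sshd_config(5) specifies. The sample configuration and the connection parameters are constructed for the example.

```python
"""Evaluate sshd_config-style "Match" blocks for one connection.

Added illustration, not OpenSSH's parser. Keywords are compared
case-insensitively; only User, Address and "all" criteria are modelled.
"""
import fnmatch
import ipaddress

# Constructed sample configuration in the style of the entry above.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication yes
Match User anoncvs
    AllowTcpForwarding no
    PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication no
    AllowTcpForwarding yes
"""


def _parse(text):
    """Return (defaults, [(criteria, overrides), ...]) in file order."""
    defaults, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = ({}, {})
            blocks.append(current)
            toks = value.split()
            if [t.lower() for t in toks] == ["all"]:
                continue  # empty criteria: matches every connection
            if len(toks) % 2:
                raise ValueError(f"Match needs criteria/pattern pairs: {line!r}")
            for crit, arg in zip(toks[0::2], toks[1::2]):
                current[0][crit.lower()] = arg.split(",")
        elif current is None:
            defaults[key] = value
        else:
            current[1][key] = value
    return defaults, blocks


def _matches(criteria, user, source_ip):
    """Every criterion on the Match line must hold (logical AND)."""
    for crit, args in criteria.items():
        if crit == "user":
            if not any(fnmatch.fnmatchcase(user, a) for a in args):
                return False
        elif crit == "address":
            ip = ipaddress.ip_address(source_ip)
            if not any(ip in ipaddress.ip_network(a, strict=False) for a in args):
                return False
        else:
            raise ValueError(f"unsupported Match criterion {crit!r}")
    return True


def effective_options(config_text, user, source_ip):
    """Main-section defaults, overridden by satisfied Match blocks.

    Among satisfied blocks the first one that sets a keyword wins, so a
    later block cannot loosen what an earlier, more specific block set.
    """
    defaults, blocks = _parse(config_text)
    matched = {}
    for criteria, overrides in blocks:
        if _matches(criteria, user, source_ip):
            for key, value in overrides.items():
                matched.setdefault(key, value)
    return {**defaults, **matched}
```

The first-instance rule is what makes block order a security decision: put the most restrictive, most specific Match block first, because a later satisfied block cannot reopen a keyword it already fixed.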


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar
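This entry and the later "don't leak validity of user in 'too many authentication failures' disconnect message" entry (1.110) are the same bit leaking over two channels: response time, and the text of a reply. The following is an added illustration of that class of problem and a common mitigation, not OpenSSH's code and not a claim about how either commit was implemented. It models a password check that short-circuits on unknown users against one that always performs the same key-derivation work, and a failure reply whose client-visible text is identical whether or not the account exists (the server log may still record that the user is invalid). The user database, salts and PBKDF2 work factor are constructed for the example.

```python
"""Username-enumeration side channels in a password login path.

Added illustration, not OpenSSH code. Everything below (users, salts,
work factor, message wording) is constructed for the example.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed work factor; production tuning differs


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: name -> (salt, derived key)
_SALT_ALICE = b"\x01" * 16
USERS = {"alice": (_SALT_ALICE, _derive("correct horse", _SALT_ALICE))}

# A fixed dummy record so that unknown users cost the same KDF work as real ones.
_FAKE_SALT = os.urandom(16)
_FAKE_RECORD = (_FAKE_SALT, _derive("", _FAKE_SALT))


def check_password_leaky(user: str, password: str) -> bool:
    """Vulnerable form: unknown users return before the KDF runs.

    The fast path is a timing oracle: failures for non-existent accounts
    come back measurably sooner than failures for real ones.
    """
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_derive(password, salt), expected)


def check_password_uniform(user: str, password: str) -> bool:
    """Hardened form: always derive against some record and compare in
    constant time; only then fold in whether the account actually exists."""
    rec = USERS.get(user)
    salt, expected = rec if rec is not None else _FAKE_RECORD
    match = hmac.compare_digest(_derive(password, salt), expected)
    return match and rec is not None


def failure_responses(user: str, tries: int, max_tries: int):
    """Return (server_log_line, client_disconnect_message).

    The validity of the account belongs in the server-side log only; the
    text sent back over the wire must not depend on it.
    """
    known = user in USERS
    log_line = "Disconnecting %suser %s: too many authentication failures (%d/%d)" % (
        "" if known else "invalid ", user, tries, max_tries)
    client_msg = "Too many authentication failures"
    return log_line, client_msg


def median_seconds(fn, *args, rounds: int = 5) -> float:
    """Rough timing helper for comparing the two checkers interactively."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]
```

Run `median_seconds(check_password_leaky, "nobody", "x")` against `median_seconds(check_password_leaky, "alice", "x")` to see the gap the leaky version exposes; the uniform version closes it at the cost of one KDF evaluation per failed attempt, which is the price of not telling the caller which usernames are real.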


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.130 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.129 01-Jun-2018 djm

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# 1.128 25-May-2018 djm

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


Revision tags: OPENBSD_6_3_BASE
# 1.127 12-Mar-2018 djm

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.126 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonymn for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
no longer be used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticeable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/misspellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348. Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, e.g.

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocation functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() always call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal


# 1.125 08-Jan-2018 markus

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


Revision tags: OPENBSD_6_2_BASE
# 1.124 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.123 18-Aug-2017 djm

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 1.122 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.121 30-May-2017 markus

switch from Key typedef with struct sshkey; ok djm@


# 1.120 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


Revision tags: OPENBSD_6_1_BASE
# 1.119 15-Dec-2016 dtucker

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# 1.118 08-Nov-2016 djm

unbreak DenyUsers; reported by henning@


# 1.117 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.116 13-Aug-2016 markus

remove ssh1 server code; ok djm@


Revision tags: OPENBSD_6_0_BASE
# 1.115 15-Jun-2016 dtucker

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1.114 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.113 21-Aug-2015 djm

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


Revision tags: OPENBSD_5_8_BASE
# 1.112 06-Aug-2015 deraadt

branches: 1.112.4;
add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.111 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


Revision tags: OPENBSD_5_7_BASE
# 1.110 25-Feb-2015 djm

don't leak validity of user in "too many authentication failures"
disconnect message; reported by Sebastian Reitenbach


# 1.109 20-Jan-2015 deraadt

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# 1.108 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.107 04-Dec-2014 djm

add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.


Revision tags: OPENBSD_5_6_BASE
# 1.106 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.105 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


# 1.104 29-Apr-2014 markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
# 1.103 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.102 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_5_3_BASE
# 1.101 06-Feb-2013 dtucker

Fix comment, from jfree.e1 at gmail


# 1.100 17-Jan-2013 djm

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@


# 1.99 14-Dec-2012 dtucker

use correct string in error message; from rustybsd at gmx.fr


# 1.98 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.97 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


Revision tags: OPENBSD_5_2_BASE
# 1.96 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.95 11-Apr-2012 djm

Support "none" as an argument for AuthorizedPrincipalsFile to indicate
no file should be read.


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.94 23-May-2011 djm

make secure_filename() spam debug logs less


# 1.93 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@


# 1.92 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


Revision tags: OPENBSD_4_9_BASE
# 1.91 29-Nov-2010 djm

automatically order the hostkeys requested by the client based on
which hostkeys are already recorded in known_hosts. This avoids
hostkey warnings when connecting to servers with new ECDSA keys
that are preferred by default; with markus@


# 1.90 23-Nov-2010 djm

use strict_modes already passed as function argument over referencing
global options.strict_modes


Revision tags: OPENBSD_4_8_BASE
# 1.89 04-Aug-2010 djm

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@


# 1.88 22-Jun-2010 djm

queue auth debug messages for bad ownership or permissions on the user's
keyfiles. These messages will be sent after the user has successfully
authenticated (where our client will display them with LogLevel=debug).
bz#1554; ok dtucker@


# 1.87 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


Revision tags: OPENBSD_4_7_BASE
# 1.86 05-Mar-2010 djm

make the warning for a revoked key louder and more noticable


# 1.85 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to me revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.84 09-Feb-2010 djm

unbreak ChrootDirectory+internal-sftp by skipping check for executable shell
when chrooting; reported by danh AT wzrd.com; ok dtucker@


# 1.83 13-Jan-2010 djm

when using ChrootDirectory, make sure we test for the existence of the
user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
ok dtucker


# 1.82 13-Jan-2010 dtucker

Fix a couple of typos/mispellings in comments


# 1.81 10-Jan-2010 dtucker

Output a debug if we can't open an existing keyfile. bz#1694, ok djm@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.80 04-Nov-2008 djm

need unistd.h for close() prototype


Revision tags: OPENBSD_4_4_BASE
# 1.79 02-Jul-2008 dtucker

Merge duplicate host key file checks, based in part on a patch from Rob
Holland via bz #1348 . Also checks for non-regular files during protocol
1 RSA auth. ok djm@


Revision tags: OPENBSD_4_3_BASE
# 1.78 21-Sep-2007 djm

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@


# 1.77 23-Aug-2007 djm

missed include bits from last commit


# 1.76 23-Aug-2007 djm

unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.75 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.74 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.73 26-Jul-2006 stevesk

move #include <sys/param.h> out of includes.h


# 1.72 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.71 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.70 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.69 10-Jul-2006 stevesk

move #include <stdarg.h> out of includes.h; ok markus@


# 1.68 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.67 30-Mar-2006 dtucker

Prevent duplicate log messages when privsep=yes; ok djm@


# 1.66 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.65 25-Mar-2006 djm

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@


# 1.64 20-Mar-2006 deraadt

in a switch (), break after return or goto is stupid


# 1.63 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_9_BASE
# 1.62 20-Feb-2006 stevesk

branches: 1.62.2;
move #include <sys/stat.h> out of includes.h; ok markus@


# 1.61 08-Feb-2006 stevesk

move #include <paths.h> out of includes.h; ok markus@


Revision tags: OPENBSD_3_8_BASE
# 1.60 17-Jun-2005 djm

branches: 1.60.2;
make this -Wsign-compare clean; ok avsm@ markus@


# 1.59 06-Jun-2005 djm

introduce a generic %foo expansion function. replace existing % expansion and
add expansion to ControlPath; ok markus@


Revision tags: OPENBSD_3_7_BASE
# 1.58 14-Mar-2005 dtucker

branches: 1.58.2;
Populate host for log message for logins denied by AllowUsers and DenyUsers.
(bz #999); ok markus@


# 1.57 22-Jan-2005 dtucker

Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
DenyGroups. bz #909, ok djm@


Revision tags: OPENBSD_3_6_BASE
# 1.56 28-Jul-2004 markus

branches: 1.56.2;
more s/illegal/invalid/


# 1.55 21-Jul-2004 markus

s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, miod, ...


# 1.54 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.53 11-May-2004 deraadt

improve some code lint did not like; djm millert ok


# 1.52 08-May-2004 deraadt

make two tiny header files go away; djm ok


Revision tags: OPENBSD_3_5_BASE
# 1.51 21-Nov-2003 djm

branches: 1.51.2;
unexpand and delete whitespace at EOL; ok markus@


# 1.50 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.49 26-Aug-2003 markus

branches: 1.49.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.48 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.47 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.46 04-Nov-2002 markus

branches: 1.46.2;
don't compare against pw_home if realpath fails for pw_home (seen on AFS); ok djm@


Revision tags: OPENBSD_3_2_BASE
# 1.45 20-Sep-2002 stevesk

branches: 1.45.2;
log illegal user here for missing privsep case (ssh2).
this is executed in the monitor. ok markus@


# 1.44 08-Aug-2002 stevesk

typo in comment


# 1.43 17-May-2002 millert

Fix typo/thinko. Pass in as to auth_approval(), not NULL.
Closes PR 2659.


# 1.42 13-May-2002 markus

move the packet_send_debug handling from auth-options.c to auth.c; ok provos@


Revision tags: OPENBSD_3_1_BASE
# 1.41 19-Mar-2002 markus

branches: 1.41.2;
check for NULL; from provos@


# 1.40 19-Mar-2002 markus

make getpwnamallow() allways call pwcopy()


# 1.39 19-Mar-2002 markus

KNF whitespace


# 1.38 18-Mar-2002 provos

move auth_approval into getpwnamallow with help from millert@


# 1.37 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.36 15-Mar-2002 itojun

fix file type checking (use S_ISREG). ok by markus


# 1.35 01-Mar-2002 markus

undo the 'delay hostname lookup' change
match.c must not use compress.c (via canonhost.c/packet.c)
thanks to wilfried@


# 1.34 28-Feb-2002 stevesk

log user not allowed details, from dwd@bell-labs.com; ok markus@


# 1.33 28-Feb-2002 stevesk

delay hostname lookup until we see a ``@'' in DenyUsers and AllowUsers
for sshd -u0; ok markus@


# 1.32 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.31 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.30 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.29 08-Nov-2001 markus

don't print ROOT in CAPS for the authentication messages, i.e.
Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2
becomes
Accepted publickey for root from 127.0.0.1 port 42734 ssh2


Revision tags: OPENBSD_3_0_BASE
# 1.28 03-Oct-2001 markus

branches: 1.28.2;
use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp


# 1.27 11-Jul-2001 markus

no need to call dirname(pw->pw_dir).
note that dirname(3) modifies its argument on some systems.


# 1.26 27-Jun-2001 markus

tridge@samba.org


# 1.25 25-Jun-2001 provos

terminate secure_filename checking after checking homedir. that way it
works on AFS. okay markus@


# 1.24 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.23 24-May-2001 markus

fix comment; from jakob@


# 1.22 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


Revision tags: OPENBSD_2_9_BASE
# 1.21 19-Mar-2001 markus

branches: 1.21.2;
undo /etc/shell and proto 2,1 change for openssh-2.5.2


# 1.20 17-Mar-2001 markus

check /etc/shells, too


# 1.19 02-Mar-2001 deraadt

make copyright lines the same format


# 1.18 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.17 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.16 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.15 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.14 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.13 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.12 13-Jan-2001 markus

support supplementary groups in {Allow,Deny}Groups
from stevesk@pobox.com


Revision tags: OPENBSD_2_8_BASE
# 1.11 11-Oct-2000 markus

branches: 1.11.2;
new cipher framework


# 1.10 07-Sep-2000 markus

some more Copyright fixes


# 1.9 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.8 04-Aug-2000 markus

unused


# 1.7 17-May-2000 deraadt

accept an empty shell in authentication; bug reported by chris@tinker.ucr.edu


Revision tags: OPENBSD_2_7_BASE
# 1.6 26-Apr-2000 markus

branches: 1.6.2;
split auth/sshconnect in one file per protocol version


# 1.5 26-Apr-2000 markus

add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX]
for trading keys with the real and the original SSH, directly from the
people who invented the SSH protocol.


# 1.4 14-Apr-2000 markus

whitespace cleanup


# 1.3 14-Apr-2000 markus

check payload for (illegal) extra data


# 1.2 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.1 28-Mar-2000 markus

split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal
