History log of /openbsd-current/usr.bin/ssh/auth2-passwd.c
Revision Date Author Comments
# 1.22 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.21 27-May-2022 dtucker

If sshpkt functions fail, then password is not cleared with freezero.
Unconditionally call freezero to guarantee that password is removed
from RAM.

From tobias@ and c3h2_ctf via github PR#286, ok djm@


Revision tags: OPENBSD_7_1_BASE
# 1.20 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.19 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.18 26-Feb-2020 jsg

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


Revision tags: OPENBSD_6_6_BASE
# 1.17 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.16 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


Revision tags: OPENBSD_6_3_BASE
# 1.15 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.14 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.13 30-May-2017 markus

switch auth2-passwd.c to modern APIs; ok djm@


Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.12 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


Revision tags: OPENBSD_5_5_BASE
# 1.11 02-Feb-2014 djm

convert memset of potentially-private data to explicit_bzero()


Revision tags: OPENBSD_5_4_BASE
# 1.10 17-May-2013 djm

bye, bye xfree(); ok markus@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.9 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.8 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.7 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.6 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.5 31-Dec-2003 dtucker

branches: 1.5.8; 1.5.10;
Ignore password change request during password auth (which we currently don't
support) and discard proposed new password. corrections/ok markus@


Revision tags: OPENBSD_3_4_BASE
# 1.4 26-Aug-2003 markus

branches: 1.4.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.3 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.2 31-May-2002 markus

branches: 1.2.2; 1.2.4; 1.2.6; 1.2.8;
move Authmethod definitions to per-method file.


# 1.1 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@

