History log of /openbsd-current/usr.bin/ssh/auth2.c
Revision Date Author Comments
# 1.169 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.168 18-Dec-2023 djm

add "ext-info-in-auth@openssh.com" extension

This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd update the acceptable signature algorithms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file


Revision tags: OPENBSD_7_4_BASE
# 1.167 28-Aug-2023 djm

limit artificial login delay to a reasonable maximum (5s) and don't
delay at all for the "none" authentication mechanism. Patch by
Dmitry Belyavskiy in bz3602 with polish/ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.166 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.165 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
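The failure-delay policy these log entries describe (the 5 ms floor and 0-4 ms per-user constant from revision 1.146, the 5 s cap and the "none" exemption from revision 1.167), re-created as an added example. This is not OpenSSH's own code: the HMAC-SHA512 derivation, the function names and the clock-step scenario are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

MIN_FAIL_DELAY = 0.005    # every failed attempt takes at least 5 ms (entry 1.146)
USER_DELAY_RANGE = 0.004  # per-user constant lies in 0-4 ms (entry 1.146)
MAX_FAIL_DELAY = 5.0      # artificial delay never exceeds 5 s (entry 1.167)


def user_specific_delay(host_secret: bytes, user: str) -> float:
    """Target response time, in seconds, for a failed attempt against `user`.

    The per-user part is a keyed function of a secret the host picks at
    startup, so it is stable for one user but unpredictable to a client, and
    it is the same whether or not the account exists.  Using HMAC-SHA512 here
    is an assumption of this example, not OpenSSH's derivation.
    """
    digest = hmac.new(host_secret, user.encode("utf-8"), hashlib.sha512).digest()
    fraction = int.from_bytes(digest[:4], "big") / 2**32  # uniform in [0, 1)
    return MIN_FAIL_DELAY + fraction * USER_DELAY_RANGE


def remaining_delay(host_secret: bytes, user: str, method: str,
                    elapsed: float) -> float:
    """Seconds to hold back the failure reply after `method` took `elapsed` s.

    "none" is exempt (entry 1.167): it is the probe clients send to learn the
    available methods, not a credential guess.  Any other failure is padded up
    to the per-user target, and the padding is capped at MAX_FAIL_DELAY so a
    mis-measured elapsed time (e.g. a clock stepping backwards, an assumed
    scenario) cannot stall the connection for an unbounded time.
    """
    if method == "none":
        return 0.0
    target = user_specific_delay(host_secret, user)
    return min(max(0.0, target - elapsed), MAX_FAIL_DELAY)


def padded_response_time(host_secret: bytes, user: str, method: str,
                         method_time: float) -> float:
    """Total time the client observes once the padding is applied."""
    return method_time + remaining_delay(host_secret, user, method, method_time)


def respond_to_failure(host_secret: bytes, user: str, method: str,
                       started_at: float, sleep=time.sleep) -> float:
    """Sleep out the remaining delay before the failure packet would be sent.

    `started_at` is a time.monotonic() timestamp taken before the method ran.
    Returns the number of seconds actually slept.
    """
    wait = remaining_delay(host_secret, user, method,
                           time.monotonic() - started_at)
    if wait > 0:
        sleep(wait)
    return wait


if __name__ == "__main__":
    # Constructed host secret; a daemon would draw it from a CSPRNG at startup.
    secret = b"constructed-host-secret-do-not-reuse"
    # Same username, two code paths: a real account whose password check took
    # 3 ms versus a rejection after 0.2 ms. After padding the client sees the
    # same total time, which is what denies the timing oracle.
    slow = padded_response_time(secret, "alice", "password", 0.0030)
    fast = padded_response_time(secret, "alice", "password", 0.0002)
    print(f"slow path {slow * 1000:.3f} ms, fast path {fast * 1000:.3f} ms")
    print(f"'none' padding: {remaining_delay(secret, 'alice', 'none', 0.0)} s")
```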


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that this is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.168 18-Dec-2023 djm

add "ext-info-in-auth@openssh.com" extension

This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.

This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.

Full details in the PROTOCOL file


Revision tags: OPENBSD_7_4_BASE
# 1.167 28-Aug-2023 djm

limit artificial login delay to a reasonable maximum (5s) and don't
delay at all for the "none" authentication mechanism. Patch by
Dmitry Belyavskiy in bz3602 with polish/ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.166 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.165 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have; previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send an 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.167 28-Aug-2023 djm

limit artificial login delay to a reasonable maximum (5s) and don't
delay at all for the "none" authentication mechanism. Patch by
Dmitry Belyavskiy in bz3602 with polish/ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.166 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.165 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


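The defence described in 1.146, written out as an added illustration (this is not sshd's own code). It assumes a per-host secret drawn at daemon startup and uses FNV-1a only to keep the example dependency-free; a real implementation would derive the per-user offset with HMAC or a cryptographic hash over secret||username. The 5 ms floor and the 0-4 ms per-user range are the figures from the commit message; the secret and usernames below are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define MIN_FAIL_DELAY_US 5000L   /* floor for every failed attempt: 5 ms */
#define MAX_USER_DELAY_US 4000L   /* per-user constant on top of the floor: 0-4 ms */

/*
 * Keyed hash of the username under the host secret. FNV-1a is a
 * placeholder here; a daemon would use HMAC or a cryptographic hash so a
 * remote client that does not know the secret cannot predict the offset.
 */
static uint64_t keyed_hash(const uint8_t *secret, size_t secret_len, const char *user)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < secret_len; i++) {
        h ^= secret[i];
        h *= 1099511628211ULL;
    }
    for (const unsigned char *p = (const unsigned char *)user; *p != '\0'; p++) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    return h;
}

/*
 * Per-user constant in [0, MAX_USER_DELAY_US]. It is the same for every
 * attempt against that name while the secret lives, and it is computed
 * whether or not the account exists, so an unknown name cannot be told
 * apart from a known one by the length of the pause.
 */
long user_specific_delay_us(const uint8_t *secret, size_t secret_len, const char *user)
{
    return (long)(keyed_hash(secret, secret_len, user) % (MAX_USER_DELAY_US + 1));
}

/* How much longer to wait before replying, given the attempt already took elapsed_us. */
long remaining_delay_us(const uint8_t *secret, size_t secret_len, const char *user, long elapsed_us)
{
    long target = MIN_FAIL_DELAY_US + user_specific_delay_us(secret, secret_len, user);
    return elapsed_us >= target ? 0 : target - elapsed_us;
}

/* Microseconds elapsed since start on the monotonic clock. */
static long elapsed_since_us(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    return (now.tv_sec - start->tv_sec) * 1000000L + (now.tv_nsec - start->tv_nsec) / 1000L;
}

/* Pad a failed attempt that began at start up to its target duration. */
void ensure_minimum_time_since(const uint8_t *secret, size_t secret_len, const char *user,
                               const struct timespec *start)
{
    long rem = remaining_delay_us(secret, secret_len, user, elapsed_since_us(start));
    if (rem <= 0)
        return;
    struct timespec ts = { .tv_sec = rem / 1000000L, .tv_nsec = (rem % 1000000L) * 1000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR)
        ;   /* resume with the remaining time after a signal */
}

int main(void)
{
    /* Constructed host secret; a daemon would draw one at random at startup. */
    static const uint8_t secret[16] = "example-secret!";
    const char *users[] = { "alice", "bob", "nosuchuser" };

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        struct timespec start;
        clock_gettime(CLOCK_MONOTONIC, &start);
        /* ... the failing password or keyboard-interactive check would run here ... */
        ensure_minimum_time_since(secret, sizeof secret, users[i], &start);
        printf("%-10s target %5ld us, observed %5ld us\n", users[i],
               MIN_FAIL_DELAY_US + user_specific_delay_us(secret, sizeof secret, users[i]),
               elapsed_since_us(&start));
    }
    return 0;
}
```

The point of the per-user term is that an attacker comparing the response time for two names sees a difference either way, so a difference no longer signals "this account exists"; the floor hides the cost of the work that only runs for valid accounts (password hashing, key lookups) underneath a constant.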
Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


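The MaxAuthTries accounting that 1.117 and 1.119 describe, together with the two later exemptions (1.133: a partial success is not a failure; 1.123: a server-side GSSAPI failure is not the client's failure), as an added example that is not OpenSSH's own code. The method table and the "method:credential" client scripts are constructed stand-ins so the counting logic can be exercised on its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What a method reports back (constructed for this example). */
enum auth_result { AUTH_FAIL, AUTH_SUCCESS, AUTH_PARTIAL, AUTH_SERVER_ERROR };

/* What the server does with the request. */
enum auth_decision { DECISION_CONTINUE, DECISION_AUTHENTICATED, DECISION_DISCONNECT };

struct authctxt {
    int attempt;          /* every userauth request, "none" included */
    int failures;         /* only the attempts that count against MaxAuthTries */
    int max_auth_tries;   /* sshd_config MaxAuthTries */
    bool authenticated;
};

/*
 * Stand-in method table. Real methods verify credentials; these just map a
 * credential string to an outcome so the counting logic can be exercised.
 */
static enum auth_result run_method(const char *method, const char *cred)
{
    if (strcmp(method, "none") == 0)
        return AUTH_FAIL;                      /* nothing to verify, so it fails */
    if (strcmp(method, "publickey") == 0)      /* first of two required methods */
        return strcmp(cred, "good-key") == 0 ? AUTH_PARTIAL : AUTH_FAIL;
    if (strcmp(method, "password") == 0)
        return strcmp(cred, "correct") == 0 ? AUTH_SUCCESS : AUTH_FAIL;
    if (strcmp(method, "gssapi-with-mic") == 0)
        return AUTH_SERVER_ERROR;              /* e.g. the server's own credentials are missing */
    return AUTH_FAIL;                          /* unknown method name */
}

/* Handle one userauth request the way the commits describe. */
enum auth_decision userauth_request(struct authctxt *ctx, const char *method, const char *cred)
{
    enum auth_result r = AUTH_FAIL;

    ctx->attempt++;
    /* 1.117: once the limit is reached no method runs at all, so MaxAuthTries=0 blocks the user outright. */
    if (ctx->failures < ctx->max_auth_tries)
        r = run_method(method, cred);

    if (r == AUTH_SUCCESS) {
        ctx->authenticated = true;
        return DECISION_AUTHENTICATED;
    }
    if (r == AUTH_PARTIAL || r == AUTH_SERVER_ERROR)
        return DECISION_CONTINUE;              /* 1.133 and 1.123: not the client's failure */

    /* 1.119: only the very first request is free, and only when it is "none". */
    if (ctx->attempt > 1 || strcmp(method, "none") != 0) {
        ctx->failures++;                       /* 1.117: preincrement, then test */
        if (ctx->failures >= ctx->max_auth_tries)
            return DECISION_DISCONNECT;        /* "Too many authentication failures" */
    }
    return DECISION_CONTINUE;
}

/*
 * Replay a client script of comma-separated "method:credential" requests.
 * Returns 0 if the client authenticated, the 1-based number of the request
 * on which it was disconnected, or -1 if the script ran out first.
 * The final failure count is stored in *failures_out when non-NULL.
 */
int replay(const char *script, int max_tries, int *failures_out)
{
    struct authctxt ctx = { 0, 0, max_tries, false };
    char buf[256];
    int n = 0, result = -1;

    strncpy(buf, script, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        const char *cred = "";
        char *colon = strchr(tok, ':');
        if (colon != NULL) {
            *colon = '\0';
            cred = colon + 1;
        }
        n++;
        enum auth_decision d = userauth_request(&ctx, tok, cred);
        if (d == DECISION_AUTHENTICATED) { result = 0; break; }
        if (d == DECISION_DISCONNECT) { result = n; break; }
    }
    if (failures_out != NULL)
        *failures_out = ctx.failures;
    return result;
}

/* Convenience for checking the counter alone. */
int failures_after(const char *script, int max_tries)
{
    int f = 0;
    replay(script, max_tries, &f);
    return f;
}

int main(void)
{
    /* Constructed client behaviours against MaxAuthTries=2. */
    printf("skips none, two bad passwords: disconnected on request %d\n",
           replay("password:wrong,password:wrong", 2, NULL));
    printf("none then two bad passwords:   disconnected on request %d\n",
           replay("none:,password:wrong,password:wrong", 2, NULL));
    printf("MaxAuthTries=0, correct password: disconnected on request %d\n",
           replay("none:,password:correct", 0, NULL));
    printf("partial publickey leaves failures at %d\n",
           failures_after("publickey:good-key", 2));
    return 0;
}
```

Two properties worth checking when reviewing this kind of counter: a client that skips "none" gets no extra real attempt compared with one that sends it, and a repeated "none" after the first request is charged like any other failure, which is what closes the gap 1.117 describes.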
Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


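What a "cstring" check of the kind 1.122 describes has to do, as an added example (this is not OpenSSH's buffer_get_cstring()): parse one SSH wire string (uint32 length, then bytes), tolerate at most one trailing NUL as the footnote allows, and reject any other NUL before the bytes can reach a string(3) function. The status codes, helper names and sample fields are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Parser status codes (constructed for this example). */
enum { CSTR_OK = 0, CSTR_TRUNCATED = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/*
 * Read one SSH wire "string" (uint32 big-endian length, then that many
 * bytes) at *off in buf and return it as a NUL-terminated C string that
 * is guaranteed to contain no embedded NUL. Exactly one trailing NUL is
 * tolerated (and dropped); any other NUL rejects the whole field. On
 * success *off advances past the field and *out is a malloc'd copy the
 * caller must free.
 */
int get_cstring(const uint8_t *buf, size_t buflen, size_t *off, char **out)
{
    *out = NULL;
    if (*off > buflen || buflen - *off < 4)
        return CSTR_TRUNCATED;
    uint32_t len = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
                   ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    size_t start = *off + 4;
    if (len > buflen - start)
        return CSTR_TRUNCATED;

    const uint8_t *p = buf + start;
    size_t slen = len;
    if (slen > 0 && p[slen - 1] == '\0')
        slen--;                               /* the one tolerated terminator */
    if (memchr(p, '\0', slen) != NULL)
        return CSTR_EMBEDDED_NUL;             /* "alice\0root" must not silently become "alice" */

    char *s = malloc(slen + 1);
    if (s == NULL)
        return CSTR_NOMEM;
    memcpy(s, p, slen);
    s[slen] = '\0';
    *out = s;
    *off = start + len;
    return CSTR_OK;
}

/* Parse a username field and report whether it parsed cleanly as `expect`, consuming the whole buffer. */
int username_parses_as(const uint8_t *pkt, size_t len, const char *expect)
{
    size_t off = 0;
    char *user = NULL;
    int rc = get_cstring(pkt, len, &off, &user);
    int match = rc == CSTR_OK && strcmp(user, expect) == 0 && off == len;
    free(user);
    return match;
}

/* Status code only, for fields that should be rejected. */
int username_status(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    char *user = NULL;
    int rc = get_cstring(pkt, len, &off, &user);
    free(user);
    return rc;
}

/* Constructed sample fields, as a client might place them in a userauth request. */
const uint8_t FIELD_GOOD[]     = { 0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e' };
const uint8_t FIELD_TRAILING[] = { 0, 0, 0, 6, 'a', 'l', 'i', 'c', 'e', 0 };
const uint8_t FIELD_EMBEDDED[] = { 0, 0, 0, 10, 'a', 'l', 'i', 'c', 'e', 0, 'r', 'o', 'o', 't' };
const uint8_t FIELD_SHORT[]    = { 0, 0, 0, 9, 'a', 'l', 'i' };

int main(void)
{
    printf("good:     parses as alice = %d\n", username_parses_as(FIELD_GOOD, sizeof FIELD_GOOD, "alice"));
    printf("trailing: parses as alice = %d\n", username_parses_as(FIELD_TRAILING, sizeof FIELD_TRAILING, "alice"));
    printf("embedded: status %d\n", username_status(FIELD_EMBEDDED, sizeof FIELD_EMBEDDED));
    printf("short:    status %d\n", username_status(FIELD_SHORT, sizeof FIELD_SHORT));
    return 0;
}
```

The embedded case is the one that matters: without the memchr() check, "alice\0root" would be logged, compared and looked up as "alice" while the bytes after the NUL ride along unnoticed in anything that uses the declared length rather than strlen().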
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
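
The mechanism described in this entry, as an added illustration in Python (not OpenSSH's own code): every failed attempt is padded to a floor of 5ms plus a per-user constant of 0-4ms derived from a host secret, so an attacker timing failures cannot tell the fast unknown-user path from the slow password check. The keyed hash (HMAC-SHA256), the PBKDF2 user database and the secret are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Figures from the commit message: 5ms floor per failed attempt, plus a
# per-user constant in the 0-4ms range.
MIN_FAIL_DELAY_US = 5000
MAX_USER_JITTER_US = 4000


def user_specific_delay_us(host_secret: bytes, username: str) -> int:
    """Deterministic per-user delay in microseconds, 0..MAX_USER_JITTER_US.

    Derived with HMAC-SHA256 (an assumption for this example; the exact
    construction used by sshd is not shown on the page). Because it depends
    on a secret the client never sees, the constant is unpredictable to an
    attacker, yet stable across attempts for one username, so it cannot be
    averaged out with repeated probes.
    """
    mac = hmac.new(host_secret, username.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % (MAX_USER_JITTER_US + 1)


def ensure_minimum_time_since(start_ns: int, min_us: int) -> int:
    """Sleep until at least min_us have elapsed since start_ns.

    Returns the actual elapsed time in microseconds. Loops rather than
    trusting a single sleep, so the floor holds even if sleep() wakes early.
    """
    target_ns = start_ns + min_us * 1000
    while True:
        now = time.monotonic_ns()
        if now >= target_ns:
            return (now - start_ns) // 1000
        time.sleep((target_ns - now) / 1e9)


def _hash_password(salt: bytes, password: str) -> bytes:
    # Iteration count kept small so the slow path stays well under the 5ms
    # floor; the padding only masks a difference the floor actually covers.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2_000)


def make_userdb() -> dict:
    """Constructed user database for the example: username -> (salt, digest)."""
    salt = os.urandom(16)
    return {"alice": (salt, _hash_password(salt, "correct horse"))}


def check_password(userdb: dict, username: str, password: str) -> bool:
    """The raw check whose timing leaks: unknown users return immediately,
    known users pay for a full PBKDF2 computation."""
    entry = userdb.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_hash_password(salt, password), digest)


def authenticate(userdb: dict, host_secret: bytes, username: str,
                 password: str) -> tuple:
    """Password authentication with the failure padding described above.

    Returns (success, elapsed_us). Every failure, whatever its cause, takes
    at least MIN_FAIL_DELAY_US + user_specific_delay_us(...) microseconds.
    """
    start_ns = time.monotonic_ns()
    if check_password(userdb, username, password):
        return True, (time.monotonic_ns() - start_ns) // 1000
    floor_us = MIN_FAIL_DELAY_US + user_specific_delay_us(host_secret, username)
    return False, ensure_minimum_time_since(start_ns, floor_us)


if __name__ == "__main__":
    db = make_userdb()
    secret = os.urandom(32)  # stands in for a host secret held only by sshd
    for user, pw in [("alice", "wrong"), ("nosuchuser", "wrong"),
                     ("alice", "correct horse")]:
        ok, us = authenticate(db, secret, user, pw)
        print(f"{user:>12}: {'ok' if ok else 'fail':4} {us:6d} us")
```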


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthetication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth sucessfull


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.164 23-Feb-2022 djm

avoid integer overflow of auth attempts (harmless, caught by monitor)


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.

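The defence described in revision 1.146, as an added Python model that is not OpenSSH's own code: a 5 ms floor on every failed attempt plus a per-user 0-4 ms constant keyed by a host secret, so a probe cannot tell an unknown account from a wrong password by timing. The user database, password hash and `host_secret` are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed constants mirroring the commit message: a 5 ms floor for
# every failed attempt plus a per-user constant in the 0-4 ms range.
MIN_FAIL_DELAY = 0.005   # seconds
MAX_USER_DELAY = 0.004   # seconds


def _pw(p: str) -> bytes:
    # Constructed sample password hash; a real server would use a slow,
    # salted hash. The point here is the timing, not the hash.
    return hashlib.sha256(p.encode("utf-8")).digest()


# Constructed sample user database: name -> password hash.
USERS = {
    "alice": _pw("correct horse"),
    "bob": _pw("battery staple"),
}
# Dummy record compared against for unknown users, so the work done
# before the floor is the same whether or not the account exists.
DUMMY_HASH = _pw("dummy-never-matches")


def user_specific_delay(user: str, host_secret: bytes) -> float:
    """Per-user constant in [0, MAX_USER_DELAY) seconds.

    A keyed hash of the username under a host secret: stable across
    attempts (so it cannot be averaged away) and unguessable without the
    secret. Existing and non-existing names get the same kind of value,
    so the delay leaks nothing about whether the account exists.
    """
    digest = hmac.new(host_secret, user.encode("utf-8"), hashlib.sha512).digest()
    fraction = int.from_bytes(digest[:4], "big") / 2 ** 32   # uniform in [0, 1)
    return fraction * MAX_USER_DELAY


def failure_delay(user: str, host_secret: bytes) -> float:
    """Total minimum duration of a failed attempt for this user."""
    return MIN_FAIL_DELAY + user_specific_delay(user, host_secret)


def ensure_minimum_time_since(start: float, minimum: float) -> None:
    """Block until at least `minimum` seconds have passed since `start`
    (a time.monotonic() timestamp)."""
    while True:
        remaining = minimum - (time.monotonic() - start)
        if remaining <= 0:
            return
        time.sleep(remaining)


def authenticate(user: str, password: str, host_secret: bytes,
                 users=USERS) -> tuple:
    """Password check with the anti-enumeration timing floor.

    Returns (ok, elapsed_seconds). Any failure, including an unknown
    username, lasts at least failure_delay(user, host_secret).
    """
    start = time.monotonic()
    stored = users.get(user)
    exists = stored is not None
    if not exists:
        stored = DUMMY_HASH
    # Constant-time comparison, ANDed with `exists` so an unknown user
    # can never authenticate even if the dummy record happened to match.
    ok = hmac.compare_digest(_pw(password), stored) and exists
    if not ok:
        ensure_minimum_time_since(start, failure_delay(user, host_secret))
    return ok, time.monotonic() - start


if __name__ == "__main__":
    secret = b"constructed-host-secret"
    for name in ("alice", "nosuchuser"):
        ok, elapsed = authenticate(name, "wrong password", secret)
        print(f"{name:12s} ok={ok} took {elapsed * 1000:.2f} ms "
              f"(floor {failure_delay(name, secret) * 1000:.2f} ms)")
```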

Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

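The AuthenticationMethods semantics from revisions 1.125 and 1.127 (one or more lists, every method of some list must succeed, optional "method:submethod"), as an added Python model that is not OpenSSH's own code. Lists are consumed in order with only the head of each list offered next, as sshd_config(5) describes; KNOWN_METHODS is a constructed set of names.

```python
# Constructed set of method names accepted by this model.
KNOWN_METHODS = {
    "publickey", "password", "keyboard-interactive",
    "hostbased", "gssapi-with-mic",
}


def parse_authentication_methods(value: str) -> list:
    """Parse an AuthenticationMethods value into ordered method lists.

    Lists are separated by whitespace, methods within a list by commas,
    and a method may carry a submethod as "method:submethod" (for
    example keyboard-interactive:bsdauth). The special value "any"
    imposes no multi-method requirement and parses to an empty list of
    lists. Unknown method names raise ValueError, as sshd rejects the
    configuration rather than silently accepting an unusable list.
    """
    if value.strip() == "any":
        return []
    lists = []
    for chunk in value.split():
        methods = chunk.split(",")
        for m in methods:
            if m.partition(":")[0] not in KNOWN_METHODS:
                raise ValueError(f"invalid authentication method {m!r}")
        lists.append(methods)
    if not lists:
        raise ValueError("empty AuthenticationMethods")
    return lists


def _matches(required: str, method: str, submethod=None) -> bool:
    """Does a completed (method, submethod) satisfy a required entry?
    An entry without a submethod accepts any submethod."""
    name, _, sub = required.partition(":")
    return name == method and (sub == "" or sub == submethod)


class MethodLists:
    """Progress through the AuthenticationMethods lists for one
    connection, updated after each partial success."""

    def __init__(self, config: str):
        self.lists = parse_authentication_methods(config)

    def can_continue(self) -> list:
        """Method names the client may attempt now: the head of every
        unfinished list. With no lists ("any"), every method may."""
        if not self.lists:
            return sorted(KNOWN_METHODS)
        return sorted({lst[0].partition(":")[0] for lst in self.lists if lst})

    def allowed(self, method: str, submethod=None) -> bool:
        if not self.lists:
            return method in KNOWN_METHODS
        return any(_matches(lst[0], method, submethod)
                   for lst in self.lists if lst)

    def record_success(self, method: str, submethod=None) -> bool:
        """Advance every list headed by the method that just succeeded.

        Returns True when some list is now complete (authentication is
        finished) and False for a partial success, which revision 1.133
        says is not counted against MaxAuthTries.
        """
        if not self.allowed(method, submethod):
            raise ValueError(f"{method} is not a permitted next method")
        if not self.lists:
            return True
        complete = False
        for lst in self.lists:
            if lst and _matches(lst[0], method, submethod):
                lst.pop(0)
                if not lst:
                    complete = True
        return complete


if __name__ == "__main__":
    m = MethodLists("publickey,password publickey,keyboard-interactive:bsdauth")
    print("first:", m.can_continue())
    print("done after publickey?", m.record_success("publickey"))
    print("then:", m.can_continue())
    print("done after kbd-int/bsdauth?",
          m.record_success("keyboard-interactive", "bsdauth"))
```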

Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported by Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for his comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.163 26-Dec-2021 djm

split method list search functionality from authmethod_lookup() into
a separate authmethod_byname(), for cases where we don't need to
check whether a method is enabled, etc.

use this to fix the "none" authentication method regression reported
by Nam Nguyen via bugs@

ok deraadt@


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have; previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.
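
The MaxAuthTries accounting that 1.119, 1.118 and 1.117 describe, as an added example in C that is not OpenSSH's code; it also folds in the later exemptions this log records for server-caused failures (1.123) and partial success (1.133). The struct, the enums and the scripted "outcome" standing in for a real method handler are hypothetical.

```c
#include <string.h>

enum outcome { OUTCOME_FAIL, OUTCOME_SUCCESS, OUTCOME_PARTIAL, OUTCOME_SERVER_ERROR };
enum reply { REPLY_FAILURE, REPLY_SUCCESS, REPLY_DISCONNECT };

struct authctxt {
	int max_authtries;	/* sshd_config MaxAuthTries */
	int attempt;		/* userauth requests received so far */
	int failures;		/* failures counted against the limit */
	int evaluated;		/* real methods that were actually run */
};

/*
 * Handle one SSH2_MSG_USERAUTH_REQUEST for "method". "outcome" stands in
 * for what the method's handler would have returned; the caller scripts it
 * because this model does no real credential checking.
 */
static enum reply
userauth_request(struct authctxt *ctx, const char *method, enum outcome outcome)
{
	int is_none = strcmp(method, "none") == 0;
	int authenticated = 0, partial = 0, server_caused = 0;

	ctx->attempt++;
	/*
	 * 1.117: do not run any method once the client is over the limit.
	 * Before that change the check came only after the method ran, so
	 * every client got one extra try. "none" is modelled as a method
	 * that always fails, so it is never "run" here.
	 */
	if (!is_none && ctx->failures < ctx->max_authtries) {
		ctx->evaluated++;
		switch (outcome) {
		case OUTCOME_SUCCESS:      authenticated = 1; break;
		case OUTCOME_PARTIAL:      partial = 1; break;
		case OUTCOME_SERVER_ERROR: server_caused = 1; break;
		case OUTCOME_FAIL:         break;
		}
	}
	if (authenticated)
		return REPLY_SUCCESS;
	/*
	 * 1.119: the very first request may be a "none" probe at no cost;
	 * a later "none", or skipping "none" entirely, costs a try. 1.123 and
	 * 1.133: server-caused failures and partial successes are not the
	 * client's fault and are not counted.
	 */
	if (!server_caused && !partial && (ctx->attempt > 1 || !is_none))
		ctx->failures++;
	/* 1.117: pre-increment then test, so MaxAuthTries=0 blocks outright. */
	if (ctx->failures >= ctx->max_authtries)
		return REPLY_DISCONNECT;
	return REPLY_FAILURE;
}

/*
 * A client that keeps sending wrong passwords until sshd disconnects it,
 * optionally probing with "none" first. Returns how many password attempts
 * were actually evaluated: the same number either way, which is the point.
 */
static int
password_tries_evaluated(int max_authtries, int probe_with_none)
{
	struct authctxt ctx = { max_authtries, 0, 0, 0 };
	enum reply r = REPLY_FAILURE;
	int guard = 1000;	/* stops a runaway loop if the logic were wrong */

	if (probe_with_none)
		r = userauth_request(&ctx, "none", OUTCOME_FAIL);
	while (r != REPLY_DISCONNECT && guard-- > 0)
		r = userauth_request(&ctx, "password", OUTCOME_FAIL);
	return ctx.evaluated;
}

/*
 * Send "method" with the given outcome n times against a fresh context and
 * return the failure count afterwards, or -1 if sshd disconnected first.
 */
static int
failures_after(int max_authtries, const char *method, enum outcome outcome, int n)
{
	struct authctxt ctx = { max_authtries, 0, 0, 0 };
	int i;

	for (i = 0; i < n; i++)
		if (userauth_request(&ctx, method, outcome) == REPLY_DISCONNECT)
			return -1;
	return ctx.failures;
}
```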


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.162 19-Dec-2021 djm

prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.

ok markus@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
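
The two-part delay described above (a 5 ms floor for every failed attempt plus a constant 0-4 ms per user derived from a host secret), as an added example in C that is not OpenSSH's code. The function names are hypothetical, the host secret is constructed, and FNV-1a stands in for whatever keyed hash sshd really uses for the per-user constant.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MIN_FAIL_DELAY_US   5000	/* floor for every failed attempt */
#define USER_DELAY_RANGE_US 4000	/* extra, constant per user: 0-4 ms */

/* Constructed host secret; sshd's real one is random and never leaves it. */
static const unsigned char demo_secret[] = "constructed-host-secret";
#define DEMO_SECRET_LEN (sizeof(demo_secret) - 1)

/* FNV-1a, standing in for the keyed hash sshd actually uses. */
static uint64_t
fnv1a64(uint64_t h, const void *data, size_t len)
{
	const unsigned char *p = data;
	size_t i;

	for (i = 0; i < len; i++) {
		h ^= p[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/*
 * Per-user component in microseconds. It depends only on the secret and
 * the user name, so it is the same on every attempt for one user yet
 * unpredictable to a client that does not hold the secret: the timing
 * difference between "no such user" and "wrong password" is masked by an
 * offset the client cannot compute or average away.
 */
static long
user_specific_delay_us(const unsigned char *secret, size_t secretlen, const char *user)
{
	uint64_t h = 0xcbf29ce484222325ULL;	/* FNV offset basis */

	h = fnv1a64(h, secret, secretlen);
	h = fnv1a64(h, user, strlen(user));
	return (long)(h % USER_DELAY_RANGE_US);
}

static int64_t
now_us(void)
{
	struct timespec ts;

	clock_gettime(CLOCK_MONOTONIC, &ts);
	return (int64_t)ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
}

/* Sleep until target_us have elapsed since start_us; returns the elapsed time. */
static int64_t
ensure_minimum_time_since(int64_t start_us, int64_t target_us)
{
	int64_t elapsed = now_us() - start_us;

	if (elapsed < target_us) {
		int64_t rem = target_us - elapsed;
		struct timespec req;

		req.tv_sec = rem / 1000000;
		req.tv_nsec = (rem % 1000000) * 1000;
		while (nanosleep(&req, &req) == -1 && errno == EINTR)
			;	/* interrupted: resume with the remaining time */
	}
	return now_us() - start_us;
}

/*
 * A failed attempt for "user": however quickly the real work finished
 * (an unknown user is rejected long before any password hash is computed),
 * the reply is held until floor + per-user constant. Returns elapsed us.
 */
static int64_t
fail_with_constant_delay(const unsigned char *secret, size_t secretlen, const char *user)
{
	int64_t start = now_us();
	int64_t target = MIN_FAIL_DELAY_US +
	    user_specific_delay_us(secret, secretlen, user);

	/* ... getpwnam(3), the password check etc. would run here ... */
	return ensure_minimum_time_since(start, target);
}
```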


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
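
The AuthenticationMethods semantics described above, including the method:submethod form that 1.127 (above) adds, as an added example in C that is not OpenSSH's code. It assumes, as sshd does, that each list's methods must be completed in the order listed; the struct and function names are hypothetical.

```c
#include <string.h>

struct method_list {
	int n;			/* entries in this list */
	int next;		/* index of the first entry not yet completed */
	const char *methods[8];
};

struct auth_state {
	char buf[256];		/* private copy of the option; entries point into it */
	int nlists;
	struct method_list lists[8];
};

/* Parse "a,b c,d": space-separated lists of comma-separated methods. */
static int
parse_auth_methods(const char *spec, struct auth_state *st)
{
	char *p;

	memset(st, 0, sizeof(*st));
	if (strlen(spec) >= sizeof(st->buf))
		return -1;
	strcpy(st->buf, spec);
	for (p = st->buf; *p != '\0'; ) {
		struct method_list *l;
		int more = 1;

		while (*p == ' ')
			p++;
		if (*p == '\0')
			break;
		if (st->nlists >= 8)
			return -1;
		l = &st->lists[st->nlists++];
		while (more) {
			size_t m = strcspn(p, ", ");

			if (m == 0 || l->n >= 8)
				return -1;	/* empty entry, e.g. "a,,b" */
			l->methods[l->n++] = p;
			p += m;
			more = (*p == ',');
			if (*p != '\0')
				*p++ = '\0';	/* terminate the entry in place */
		}
	}
	return st->nlists > 0 ? 0 : -1;
}

/*
 * An invoked "name" or "name:submethod" satisfies a list entry if it is
 * identical, or if the entry names no submethod and the base name matches:
 * "keyboard-interactive:bsdauth" satisfies "keyboard-interactive" but not
 * "keyboard-interactive:pam".
 */
static int
method_matches(const char *entry, const char *name)
{
	size_t base = strcspn(name, ":");

	if (strcmp(entry, name) == 0)
		return 1;
	if (strchr(entry, ':') != NULL)
		return 0;
	return strlen(entry) == base && strncmp(entry, name, base) == 0;
}

/*
 * Record that "name" just succeeded. Returns 1 if some list is now
 * complete, 0 if more methods are still required, or -1 if "name" was not
 * the next pending entry of any list (sshd refuses such a request).
 */
static int
method_completed(struct auth_state *st, const char *name)
{
	int i, advanced = 0;

	for (i = 0; i < st->nlists; i++) {
		struct method_list *l = &st->lists[i];

		if (l->next < l->n && method_matches(l->methods[l->next], name)) {
			l->next++;
			advanced = 1;
		}
	}
	if (!advanced)
		return -1;
	for (i = 0; i < st->nlists; i++)
		if (st->lists[i].next == st->lists[i].n)
			return 1;
	return 0;
}

/*
 * Replay a sequence of successful methods against "spec". Returns the
 * 1-based step at which authentication completed, 0 if it never did,
 * -1 if a step was refused, -2 if the option itself was invalid.
 */
static int
run_sequence(const char *spec, const char **steps, int nsteps)
{
	struct auth_state st;
	int i, r;

	if (parse_auth_methods(spec, &st) != 0)
		return -2;
	for (i = 0; i < nsteps; i++)
		if ((r = method_completed(&st, steps[i])) != 0)
			return r == 1 ? i + 1 : -1;
	return 0;
}
```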


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.161 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.160 27-Jan-2021 djm

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
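
The defence described in the 1.146 message above, as an added example that is not OpenSSH code: every failed attempt is padded to a 5 ms floor, plus a per-user constant in [0, 4 ms) derived from a keyed hash of the username under a host secret. HOST_SECRET, the function names and the choice of HMAC-SHA512 are assumptions made for this illustration; sshd's own derivation of the constant is not reproduced here.

```python
import hashlib
import hmac
import time

# Constructed host secret for this example; a real server would generate a
# random one at startup and keep it in memory only (assumption).
HOST_SECRET = bytes(range(32))

MIN_FAIL_DELAY_US = 5000       # floor for every failed attempt: 5 ms
USER_JITTER_RANGE_US = 4000    # per-user constant drawn from [0, 4 ms)


def user_specific_delay_us(username, secret=HOST_SECRET):
    """Per-user constant in [0, USER_JITTER_RANGE_US) microseconds.

    Keyed hash (HMAC-SHA512 here, an assumption) of the username under the
    host secret: the same name always maps to the same delay, so existing and
    non-existent users look alike by response time, and without the secret an
    attacker cannot predict which delay a given name receives.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha512).digest()
    return int.from_bytes(digest[:8], "big") % USER_JITTER_RANGE_US


def target_delay_us(username, secret=HOST_SECRET):
    """Total minimum duration of a failed attempt for this user."""
    return MIN_FAIL_DELAY_US + user_specific_delay_us(username, secret)


def ensure_minimum_time_since(start_ns, min_us, sleep=time.sleep):
    """Sleep until at least min_us have elapsed since start_ns (monotonic).

    Returns the microseconds slept, 0 if the real work already took longer.
    The sleep function is injectable so callers can test without waiting.
    """
    elapsed_us = (time.monotonic_ns() - start_ns) // 1000
    remaining_us = min_us - elapsed_us
    if remaining_us <= 0:
        return 0
    sleep(remaining_us / 1_000_000)
    return remaining_us


def run_attempt(username, do_auth):
    """Run one attempt; pad failures to the per-user target time.

    do_auth(username) -> bool stands in for the real method (password check,
    lookup of a possibly non-existent user, ...).
    Returns (authenticated, microseconds slept).
    """
    start = time.monotonic_ns()
    if do_auth(username):
        return True, 0
    return False, ensure_minimum_time_since(start, target_delay_us(username))
```

The padding is applied after the method has run, whatever the reason for the failure, so a missing account and a wrong password both take at least the floor; the per-user term spreads the response times of different names so that small residual differences between the valid-user and invalid-user code paths are masked rather than exposed.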


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
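
To make the embedded-NUL hazard in the 1.122 message concrete, an added example that is not OpenSSH's buffer API: an SSH wire "string" is a uint32 length followed by exactly that many bytes, so "root\0evil" is a perfectly valid string on the wire but looks like "root" to any C string function. ParseError, get_string, get_cstring, put_string and the packet helpers are invented for this example; the USERAUTH_REQUEST layout is RFC 4252 section 5.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252, section 5


class ParseError(ValueError):
    """Raised for malformed input; a server would disconnect on this."""


def put_string(payload):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(payload)) + payload


def get_string(buf, offset=0):
    """Decode one SSH 'string' at offset; returns (payload, new_offset).

    Only the framing is checked: any byte value, NUL included, is legal
    inside the payload, which is exactly the problem the commit addresses.
    """
    if len(buf) - offset < 4:
        raise ParseError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if len(buf) - offset < length:
        raise ParseError("declared length %d exceeds %d remaining bytes"
                         % (length, len(buf) - offset))
    return buf[offset:offset + length], offset + length


def get_cstring(buf, offset=0, allow_trailing_nul=True):
    """get_string plus the check that makes the result safe for C string use.

    Embedded NULs are rejected. Mirroring the commit's caveat, a single NUL
    at the very end is tolerated (and stripped) for interoperability with
    peers that get this wrong; pass allow_trailing_nul=False for strict mode.
    """
    raw, new_offset = get_string(buf, offset)
    if allow_trailing_nul and raw.endswith(b"\x00"):
        raw = raw[:-1]
    if b"\x00" in raw:
        raise ParseError("embedded NUL in string")
    return raw, new_offset


def build_userauth_request(user, service, method, rest=b""):
    """Constructed SSH_MSG_USERAUTH_REQUEST payload (no transport framing)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user)
            + put_string(service) + put_string(method) + rest)


def parse_userauth_request(packet):
    """Parse the leading fields: byte type, string user, service, method.

    Method-specific fields that follow are returned unparsed in "rest".
    """
    if not packet or packet[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ParseError("not an SSH_MSG_USERAUTH_REQUEST")
    offset = 1
    fields = {}
    for name in ("user", "service", "method"):
        raw, offset = get_cstring(packet, offset)
        try:
            fields[name] = raw.decode("utf-8")
        except UnicodeDecodeError:
            raise ParseError("%s is not valid UTF-8" % name)
    fields["rest"] = packet[offset:]
    return fields


def c_string_view(raw):
    """What strcmp(3)/strlen(3) would see for raw: the bytes before the first NUL."""
    return raw.split(b"\x00", 1)[0]
```

With the username "root\0x" on the wire, get_string hands back all six bytes, c_string_view shows the "root" a C comparison would match, and get_cstring refuses the packet before the name reaches any string(3) call; the strict form also refuses a lone trailing NUL.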


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.
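
The MaxAuthTries accounting of the 1.117 and 1.119 messages, the AuthenticationMethods lists of 1.125 and 1.127, the partial-success rule of 1.133, the server-caused-failure exemption of 1.123 and the "any" override of 1.155 together, as one added example: a small model in Python, not sshd's code. The class and function names are invented; matching of method lists in list order follows the sshd_config(5) description, and run_method is a stand-in for the real authentication methods.

```python
MAX_AUTH_TRIES_DEFAULT = 6   # sshd_config(5) default


def parse_authentication_methods(spec):
    """Parse an AuthenticationMethods value into a list of method lists.

    "publickey,password publickey,keyboard-interactive:bsdauth" gives
    [[("publickey", None), ("password", None)],
     [("publickey", None), ("keyboard-interactive", "bsdauth")]].
    "any" (the 1.155 case, e.g. from a Match block) gives None: one
    successful method is enough.
    """
    spec = spec.strip()
    if spec in ("", "any"):
        return None
    lists = []
    for chunk in spec.split():
        methods = []
        for name in chunk.split(","):
            method, _, submethod = name.partition(":")
            methods.append((method, submethod or None))
        lists.append(methods)
    return lists


class UserauthState:
    """Per-connection bookkeeping for SSH_MSG_USERAUTH_REQUEST handling."""

    def __init__(self, methods_spec="any", max_auth_tries=MAX_AUTH_TRIES_DEFAULT):
        self.method_lists = parse_authentication_methods(methods_spec)
        # progress[i] = how many methods of method_lists[i] are already done
        self.progress = [0] * len(self.method_lists or [])
        self.max_auth_tries = max_auth_tries
        self.failures = 0
        self.attempt = 0

    def next_methods(self):
        """Methods to offer in the next failure/partial-success message.

        None means every enabled method (no AuthenticationMethods configured);
        otherwise the next unfinished method of each list.
        """
        if self.method_lists is None:
            return None
        return {lst[done][0] for lst, done in zip(self.method_lists, self.progress)
                if done < len(lst)}

    def _advance(self, method, submethod):
        """Record a completed method; True if some list is now fully satisfied."""
        if self.method_lists is None:
            return True
        satisfied = False
        for i, lst in enumerate(self.method_lists):
            done = self.progress[i]
            if done < len(lst) and lst[done][0] == method \
                    and lst[done][1] in (None, submethod):
                self.progress[i] = done + 1
                satisfied = satisfied or self.progress[i] == len(lst)
        return satisfied

    def handle_request(self, method, run_method, submethod=None):
        """Process one request; returns "success", "partial", "failure" or "disconnect".

        run_method(method, submethod) -> (authenticated, server_caused_failure)
        stands in for the real method; server_caused_failure models 1.123.
        """
        self.attempt += 1
        # 1.117: test the limit before running anything, so a client that
        # skips "none" cannot buy itself an extra real attempt.
        if self.failures >= self.max_auth_tries:
            return "disconnect"
        allowed = self.method_lists is None or method in self.next_methods()
        authenticated, server_caused = (run_method(method, submethod)
                                        if allowed else (False, False))
        if authenticated:
            # 1.133: a partial success is neither a success nor a failure.
            return "success" if self._advance(method, submethod) else "partial"
        # 1.119: the first attempt is free only if it is "none"; failures the
        # server caused itself are not charged to the client either.
        if not server_caused and (self.attempt > 1 or method != "none"):
            self.failures += 1
            if self.failures >= self.max_auth_tries:
                return "disconnect"
        return "failure"
```

Because method names are matched in list order, a client that offers "password" before completing "publickey" against "publickey,password" is refused without the method being run, and that refusal counts as a failure; a first "none" probe does not, and neither does a partial success on the way through a list.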


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
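
The option semantics described in the 1.125 entry above, together with the submethod syntax added in 1.127 and the "any" case that 1.155 fixes (both higher up in this log), as an added worked example written for this page rather than sshd's own implementation: the value is one or more space-separated lists of comma-separated method names, each optionally suffixed with ":submethod", and authentication completes once every method of any one list has succeeded. The class and function names are the example's own.

```python
from typing import List, Optional, Tuple

Method = Tuple[str, Optional[str]]  # (method name, submethod or None)


def parse_authentication_methods(value: str) -> List[List[Method]]:
    """Parse an sshd_config AuthenticationMethods value.

    Lists are separated by whitespace, methods within a list by commas, and a
    submethod follows a colon (e.g. keyboard-interactive:bsdauth). The special
    value "any" yields an empty result; the tracker below treats that as "one
    successful method of any kind completes authentication".
    """
    value = value.strip()
    if value == "any":
        return []
    lists: List[List[Method]] = []
    for spec in value.split():
        methods: List[Method] = []
        for item in spec.split(","):
            name, _, sub = item.partition(":")
            if not name:
                raise ValueError(f"empty method name in {spec!r}")
            methods.append((name, sub or None))
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods must name at least one list")
    return lists


class MethodsTracker:
    """Tracks which lists a client has partially satisfied during userauth."""

    def __init__(self, value: str) -> None:
        self.lists = parse_authentication_methods(value)
        self.any_method = not self.lists
        self.complete = False

    @staticmethod
    def _heads_with(lst: List[Method], method: str, submethod: Optional[str]) -> bool:
        # A list entry without a submethod accepts any submethod; an entry
        # with one requires an exact match.
        if not lst:
            return False
        name, sub = lst[0]
        return name == method and (sub is None or sub == submethod)

    def allowed(self, method: str, submethod: Optional[str] = None) -> bool:
        """May the client attempt this method now? Only list heads are offered."""
        if self.any_method:
            return True
        return any(self._heads_with(lst, method, submethod) for lst in self.lists)

    def continue_methods(self) -> List[str]:
        """Names for the 'authentications that can continue' field of USERAUTH_FAILURE."""
        if self.any_method:
            return []  # a real server would advertise every enabled method here
        names: List[str] = []
        for lst in self.lists:
            if lst and lst[0][0] not in names:
                names.append(lst[0][0])
        return names

    def record_success(self, method: str, submethod: Optional[str] = None) -> bool:
        """Advance every list headed by the method; return True once any list is empty.

        A False return is the partial-success case: the server answers with
        USERAUTH_FAILURE, partial success = TRUE, and the remaining heads.
        """
        if self.any_method:
            self.complete = True
            return True
        if not self.allowed(method, submethod):
            # The method was never offered; a server should treat this as a
            # protocol error rather than silently ignoring it.
            raise ValueError(f"method {method!r} is not currently permitted")
        for lst in self.lists:
            if self._heads_with(lst, method, submethod):
                lst.pop(0)
        self.complete = any(not lst for lst in self.lists)
        return self.complete


if __name__ == "__main__":
    # Constructed walk-through of "publickey,password publickey,keyboard-interactive:bsdauth"
    t = MethodsTracker("publickey,password publickey,keyboard-interactive:bsdauth")
    print("offered first:", t.continue_methods())
    print("complete after publickey?", t.record_success("publickey"))
    print("offered next:", t.continue_methods())
    print("complete after bsdauth?", t.record_success("keyboard-interactive", "bsdauth"))
```

Note the consequence for a Match block: an override to "any" replaces the lists entirely, so a global "publickey,password" is not silently ANDed with it; that is the behaviour the 1.155 fix restores.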


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.
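
The MaxAuthTries accounting that the 1.117 entry above describes, together with the later adjustments recorded higher up in this log (1.119: the first attempt is not penalised when it is for "none"; 1.123: server-caused failures do not count; 1.133: partial success does not count), as an added model written for this page and not sshd's code. The outcome flags passed to request() stand in for what an authentication method would report; they, the class name and the outcome strings are the example's own interface.

```python
from typing import List, Literal, Tuple, Dict

Outcome = Literal["success", "partial", "failure", "failure-uncounted", "too-many"]


class MaxAuthTriesCounter:
    """Per-connection failure accounting for userauth requests (example model)."""

    def __init__(self, max_authtries: int) -> None:
        self.max_authtries = max_authtries
        self.attempt = 0    # every request that was actually run
        self.failures = 0   # only the ones that count against MaxAuthTries

    def request(self, method: str, *, authenticated: bool = False,
                partial: bool = False, server_caused: bool = False) -> Outcome:
        # 1.117: check the limit before running the method, so a client cannot
        # buy a free extra try by skipping "none". MaxAuthTries=0 refuses every
        # request here, which is what makes it usable to block a user in a
        # Match block.
        if self.failures >= self.max_authtries:
            return "too-many"
        self.attempt += 1
        if authenticated:
            return "success"
        if partial:
            return "partial"            # 1.133: completed one list entry, not a failure
        if server_caused:
            return "failure-uncounted"  # 1.123: e.g. a GSSAPI error on the server side
        if self.attempt == 1 and method == "none":
            return "failure-uncounted"  # 1.119: the conventional probe for available methods
        # 1.117: preincrement, then test, so the failing request itself can
        # trip the limit instead of leaving one more try open.
        self.failures += 1
        if self.failures >= self.max_authtries:
            return "too-many"
        return "failure"


def run_session(max_authtries: int,
                requests: List[Tuple[str, Dict[str, bool]]]) -> List[Outcome]:
    """Drive one counter through a request sequence and return the outcomes."""
    counter = MaxAuthTriesCounter(max_authtries)
    return [counter.request(method, **flags) for method, flags in requests]


if __name__ == "__main__":
    # Constructed session: the client probes with "none", fails a password,
    # completes one half of a two-method list, hits a server-side GSSAPI
    # error, then runs out of tries at MaxAuthTries 3.
    session = [
        ("none", {}),
        ("password", {}),
        ("publickey", {"partial": True}),
        ("gssapi-with-mic", {"server_caused": True}),
        ("password", {}),
        ("password", {}),
        ("password", {}),
    ]
    for (method, _), outcome in zip(session, run_session(3, session)):
        print(f"{method:16} -> {outcome}")
```

The pre-check is the part that matters for abuse resistance: once the limit is reached the method is never run, so no credential check is spent on a request that would be rejected anyway.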


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.159 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-define cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for his comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that this is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.158 06-Mar-2020 markus

exit on parse failures in input_service_request; ok djm


Revision tags: OPENBSD_6_6_BASE
# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
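
Added example, not OpenSSH source: a C sketch of the defence this entry describes, a 5 ms floor on every failed attempt plus a per-user constant in [0, 4 ms] derived from a host secret, so the "unknown user" and "wrong credential" paths take indistinguishable time. The FNV-1a hash, the function names and the sample secret are this example's own choices; sshd's real implementation differs in detail.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MIN_FAIL_DELAY_US	5000	/* 5 ms floor for every failed attempt */
#define MAX_USER_DELAY_US	4000	/* per-user constant lies in [0, 4 ms] */

/* FNV-1a, used here only as a keyed stand-in for the digest sshd uses. */
static uint64_t
fnv1a64(uint64_t h, const unsigned char *p, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/*
 * Per-user delay in microseconds.  It depends only on the host secret and
 * the username, so it is stable across attempts for one user, unknown to
 * the client, and computed the same way whether or not the user exists.
 */
static uint32_t
user_specific_delay_us(const unsigned char *host_secret, size_t secret_len,
    const char *user)
{
	uint64_t h = 0xcbf29ce484222325ULL;	/* FNV offset basis */

	h = fnv1a64(h, host_secret, secret_len);
	h = fnv1a64(h, (const unsigned char *)user, strlen(user));
	return (uint32_t)(h % (MAX_USER_DELAY_US + 1));
}

/* Total time a failed attempt must take for this user: 5 ms + [0, 4 ms]. */
static uint32_t
fail_delay_us(const unsigned char *host_secret, size_t secret_len,
    const char *user)
{
	return MIN_FAIL_DELAY_US +
	    user_specific_delay_us(host_secret, secret_len, user);
}

/* How much longer to wait, given what the failing path already took. */
static uint32_t
remaining_delay_us(uint32_t target_us, uint32_t elapsed_us)
{
	return elapsed_us >= target_us ? 0 : target_us - elapsed_us;
}

static uint32_t
elapsed_since_us(const struct timespec *start, const struct timespec *now)
{
	int64_t us = (int64_t)(now->tv_sec - start->tv_sec) * 1000000 +
	    (now->tv_nsec - start->tv_nsec) / 1000;

	return us < 0 ? 0 : (uint32_t)us;
}

/* Pad the failing path out to target_us; start was taken when the
 * userauth request arrived. */
static void
ensure_minimum_time_since(const struct timespec *start, uint32_t target_us)
{
	struct timespec now, rem;
	uint32_t left;

	clock_gettime(CLOCK_MONOTONIC, &now);
	left = remaining_delay_us(target_us, elapsed_since_us(start, &now));
	if (left == 0)
		return;
	rem.tv_sec = left / 1000000;
	rem.tv_nsec = (long)(left % 1000000) * 1000;
	nanosleep(&rem, NULL);
}

int
main(void)
{
	/* constructed sample secret; sshd derives its own at startup */
	const unsigned char secret[] = "example-host-secret";
	const char *users[] = { "alice", "bob", "nosuchuser" };
	struct timespec start;
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
		uint32_t target = fail_delay_us(secret, sizeof(secret) - 1, users[i]);

		clock_gettime(CLOCK_MONOTONIC, &start);
		/* ... the real or dummy credential check would run here ... */
		ensure_minimum_time_since(&start, target);
		printf("%-12s failed attempt padded to %u us\n", users[i],
		    (unsigned)target);
	}
	return 0;
}
```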


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@
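
Added example, not OpenSSH source: a small C model of the protocol-2 MaxAuthTries accounting described in revisions 1.117, 1.119, 1.123 and 1.133 (limit checked before the method runs, counter pre-incremented, only the first "none" request exempt, partial successes and server-caused failures not counted). The struct fields, the replay() script letters and the "publickey" sample method are invented for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of running one authentication method. */
enum auth_result { AUTH_FAILED, AUTH_SUCCESS, AUTH_PARTIAL, AUTH_SERVER_ERROR };

struct authctxt {
	int max_auth_tries;	/* sshd_config MaxAuthTries */
	int attempt;		/* USERAUTH_REQUESTs seen so far */
	int failures;		/* attempts counted against MaxAuthTries */
	int banner_sent;	/* preauth Banner goes with the first request */
	int authenticated;
	int disconnected;	/* "Too many authentication failures" */
};

/*
 * Handle one SSH_MSG_USERAUTH_REQUEST; the caller supplies the method's
 * outcome instead of running a real method.  Returns 1 once the client
 * has been disconnected.
 */
static int
input_userauth_request(struct authctxt *ctxt, const char *method,
    enum auth_result result)
{
	if (ctxt->disconnected || ctxt->authenticated)
		return ctxt->disconnected;	/* nothing more to decide */
	ctxt->attempt++;
	/* rev 1.117: the banner is tied to the first request, not to the
	 * "none" method, so clients that skip "none" still see it. */
	if (!ctxt->banner_sent)
		ctxt->banner_sent = 1;
	/* rev 1.117: test the limit before running the method, which is
	 * what makes "MaxAuthTries 0" a hard block, e.g. in a Match block. */
	if (ctxt->failures >= ctxt->max_auth_tries)
		return ctxt->disconnected = 1;
	switch (result) {
	case AUTH_SUCCESS:
		ctxt->authenticated = 1;
		return 0;
	case AUTH_PARTIAL:		/* rev 1.133: progress is not a failure */
	case AUTH_SERVER_ERROR:	/* rev 1.123: not the client's fault */
		return 0;
	case AUTH_FAILED:
		break;
	}
	/* rev 1.119: only the very first request may be a free "none" probe;
	 * a later "none" counts like any other method (rev 1.117). */
	if (ctxt->attempt == 1 && strcmp(method, "none") == 0)
		return 0;
	/* rev 1.117: pre-increment, then test, so the failure that reaches
	 * the limit is the one that gets the client disconnected. */
	if (++ctxt->failures >= ctxt->max_auth_tries)
		ctxt->disconnected = 1;
	return ctxt->disconnected;
}

/* State left behind by the last replay(), for inspection. */
static struct authctxt last;

/*
 * Replay a scripted client.  Script letters: 'n' = "none" (always fails),
 * 'f' = failed real method, 'p' = partial success, 'e' = server-side
 * error, 's' = success.  Returns the 1-based position of the request on
 * which the client was disconnected, 0 if the script ran to the end, or
 * -1 on a malformed script.
 */
static int
replay(int max_auth_tries, const char *script)
{
	size_t i;

	memset(&last, 0, sizeof(last));
	last.max_auth_tries = max_auth_tries;
	for (i = 0; script[i] != '\0'; i++) {
		const char *method = "publickey";	/* constructed sample */
		enum auth_result r = AUTH_FAILED;

		switch (script[i]) {
		case 'n': method = "none"; break;
		case 'f': break;
		case 'p': r = AUTH_PARTIAL; break;
		case 'e': r = AUTH_SERVER_ERROR; break;
		case 's': r = AUTH_SUCCESS; break;
		default: return -1;
		}
		if (input_userauth_request(&last, method, r))
			return (int)i + 1;
	}
	return 0;
}

int
main(void)
{
	printf("MaxAuthTries 3, none then 3 failures: cut off at request %d\n",
	    replay(3, "nfff"));
	printf("MaxAuthTries 0, a lone none probe:    cut off at request %d\n",
	    replay(0, "n"));
	return 0;
}
```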


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.157 06-Sep-2019 djm

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
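
As an added illustration of the mechanism this message describes (example code, not OpenSSH's own implementation; the function names, the FNV-1a hash and the constructed host secret are all assumptions made for the example), a failed attempt is held to a 5 ms floor plus a per-user constant of 0 to 4 ms derived from a host secret. OpenSSH uses a cryptographic digest for that derivation; FNV-1a is used here only to keep the example dependency-free.

```c
/*
 * Added example, not OpenSSH's own code, of the defence in the 1.146
 * message: every failed attempt is held to a 5 ms floor plus a per-user
 * constant of 0-4 ms derived from a host secret, so rejecting an unknown
 * user takes as long as rejecting a wrong password, and the exact time
 * for a given user cannot be predicted without the secret.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MIN_FAIL_DELAY_US   5000U  /* floor applied to every failure */
#define USER_DELAY_RANGE_US 4000U  /* per-user constant lies in 0..4000 us */

/* Constructed host secret for the example; a real server would generate
 * one at startup and never expose it. */
static const uint8_t EXAMPLE_HOST_SECRET[16] = {
	0x8a, 0x1f, 0xc3, 0x07, 0x5e, 0x92, 0x4b, 0xd0,
	0x3c, 0x77, 0xe1, 0x09, 0xa4, 0x6d, 0x2b, 0xf5
};

/* FNV-1a keeps the example dependency-free; a real implementation would
 * use a cryptographic hash or HMAC over (secret || user). */
static uint64_t fnv1a64(uint64_t h, const uint8_t *data, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		h ^= data[i];
		h *= 1099511628211ULL;
	}
	return h;
}

/* Per-user constant in microseconds: deterministic for (secret, user). */
unsigned int user_specific_delay_us(const uint8_t *secret, size_t secret_len,
    const char *user)
{
	uint64_t h = 14695981039346656037ULL;
	h = fnv1a64(h, secret, secret_len);
	/* hashing the terminating NUL too keeps secret/user boundaries distinct */
	h = fnv1a64(h, (const uint8_t *)user, strlen(user) + 1);
	return (unsigned int)(h % (USER_DELAY_RANGE_US + 1));
}

/* Minimum total time a failed attempt for this user must take. */
unsigned int failure_delay_us(const uint8_t *secret, size_t secret_len,
    const char *user)
{
	return MIN_FAIL_DELAY_US + user_specific_delay_us(secret, secret_len, user);
}

uint64_t now_us(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return (uint64_t)ts.tv_sec * 1000000ULL + (uint64_t)ts.tv_nsec / 1000ULL;
}

/* Sleep until at least target_us have passed since start_us; returns the
 * time actually elapsed. */
uint64_t ensure_minimum_time_since(uint64_t start_us, uint64_t target_us)
{
	uint64_t elapsed = now_us() - start_us;
	if (elapsed < target_us) {
		uint64_t remain = target_us - elapsed;
		struct timespec ts;
		ts.tv_sec = (time_t)(remain / 1000000ULL);
		ts.tv_nsec = (long)((remain % 1000000ULL) * 1000ULL);
		while (nanosleep(&ts, &ts) != 0)
			;	/* interrupted by a signal: sleep the remainder */
		elapsed = now_us() - start_us;
	}
	return elapsed;
}

/* Simulated rejection. An unknown user skips the credential check, which
 * is the timing difference the floor hides. Returns the elapsed time so a
 * caller can confirm the floor held. */
uint64_t reject_with_floor(const uint8_t *secret, size_t secret_len,
    const char *user, int user_exists)
{
	uint64_t start = now_us();
	if (user_exists) {
		volatile uint64_t sink = 0;  /* stand-in for a password hash check */
		for (unsigned int i = 0; i < 100000; i++)
			sink += i;
	}
	return ensure_minimum_time_since(start,
	    failure_delay_us(secret, secret_len, user));
}
```

The floor is measured from the start of the attempt rather than added on top of the work done, so a slow credential check does not lengthen the response beyond its natural cost; only responses that would have been quicker than the floor are padded.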


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
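
The following is an added example (not sshd's own parser or state machine) of how a value like the one this message describes, with the submethod syntax from 1.127 and the "Partial" state from 1.126, can be parsed and evaluated; all function and struct names are assumptions made for the example, and a real parser would additionally reject method names the server does not implement. It also shows why an "any" in a Match block has to replace the global list outright (the 1.155 fix): "any" is a distinct mode, not another list.

```c
/* Added example, not sshd's own implementation: parse and evaluate an
 * AuthenticationMethods value. Each space-separated list names methods that
 * must all succeed in order; completing any list authenticates. "any"
 * accepts every method and completes on the first success. */
#include <string.h>

#define MAX_LISTS   8
#define MAX_METHODS 8
#define METHOD_LEN  32

struct method_list {
	char methods[MAX_METHODS][METHOD_LEN]; /* "name" or "name:submethod" */
	int n;    /* required methods in this list */
	int pos;  /* how many of them have succeeded so far */
};
struct auth_methods {
	struct method_list lists[MAX_LISTS];
	int nlists;
	int any;  /* the value was the single word "any" */
};

/* Returns 0 on success, -1 on a malformed value (empty token, oversized,
 * or "any" mixed with lists). A real parser also rejects unknown names. */
int parse_auth_methods(const char *cfg, struct auth_methods *am)
{
	const char *p = cfg;
	memset(am, 0, sizeof(*am));
	/* whitespace separates lists */
	for (p += strspn(p, " \t"); *p != '\0'; p += strspn(p, " \t")) {
		if (am->nlists >= MAX_LISTS)
			return -1;
		struct method_list *ml = &am->lists[am->nlists++];
		memset(ml, 0, sizeof(*ml));     /* slot may be reused after "any" */
		for (;;) {                      /* commas separate methods */
			size_t tlen = strcspn(p, " \t,");
			if (tlen == 0 || tlen >= METHOD_LEN || ml->n >= MAX_METHODS)
				return -1;
			memcpy(ml->methods[ml->n], p, tlen);
			ml->methods[ml->n++][tlen] = '\0';
			p += tlen;
			if (*p != ',')
				break;
			p++;
		}
		if (ml->n == 1 && strcmp(ml->methods[0], "any") == 0) {
			am->any = 1;
			am->nlists--;
		}
	}
	/* "any" must stand alone; otherwise at least one list is required */
	return (am->any ? am->nlists > 0 : am->nlists == 0) ? -1 : 0;
}

/* Does a required entry match the method that just succeeded? A submethod
 * (the 1.127 extension) is only checked when the entry names one. */
static int method_matches(const char *required, const char *method,
    const char *submethod)
{
	const char *colon = strchr(required, ':');
	size_t namelen = colon ? (size_t)(colon - required) : strlen(required);
	if (strlen(method) != namelen || strncmp(required, method, namelen) != 0)
		return 0;
	if (colon == NULL)
		return 1;
	return submethod != NULL && strcmp(colon + 1, submethod) == 0;
}

/* Visit every list whose next required entry matches; with advance set,
 * mark it done. Returns -1 if nothing matched, 1 if a list completed, 0 else. */
static int scan_lists(struct auth_methods *am, const char *method,
    const char *submethod, int advance)
{
	int matched = 0, done = 0;
	for (int i = 0; i < am->nlists; i++) {
		struct method_list *ml = &am->lists[i];
		if (ml->pos >= ml->n ||
		    !method_matches(ml->methods[ml->pos], method, submethod))
			continue;
		matched = 1;
		if (advance && ++ml->pos == ml->n)
			done = 1;
	}
	return matched ? done : -1;
}

/* Only a method that is next in some list may be attempted: no reordering. */
int auth2_method_allowed(struct auth_methods *am, const char *method,
    const char *submethod)
{
	return am->any || scan_lists(am, method, submethod, 0) >= 0;
}

/* Record a success: 1 = authenticated, 0 = "Partial" (more methods
 * required, as in the 1.126 message), -1 = not acceptable at this point. */
int auth2_update_methods(struct auth_methods *am, const char *method,
    const char *submethod)
{
	return am->any ? 1 : scan_lists(am, method, submethod, 1);
}
```

With "publickey,password publickey,keyboard-interactive:bsdauth", a client that offers password first is refused, publickey succeeds into the partial state, keyboard-interactive is accepted only with the bsdauth submethod, and either list's second method then completes authentication; note that a successful publickey is counted against both lists at once, which is what lets the lists share a common prefix.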


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
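
An added example (not OpenSSH's buffer code; the function names, status codes and sample packets are constructed for illustration) of the check this message describes: an SSH wire string is a 32-bit big-endian length followed by that many bytes, and when it is to be used as a C string any NUL before the end would make string(3) functions stop early and silently drop whatever follows. The parser therefore rejects embedded NULs, tolerating only the single trailing one the footnote mentions.

```c
/*
 * Added example, not OpenSSH's own code: extract an SSH wire string
 * (uint32 big-endian length, then bytes) for use as a C string, rejecting
 * any NUL byte other than a single trailing one, as the 1.122 message
 * describes. Status codes and sample packets are constructed for the
 * example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GET_OK            0
#define GET_TRUNCATED    -1   /* length field or body runs past the buffer */
#define GET_EMBEDDED_NUL -2   /* a NUL that is not the single trailing one */
#define GET_NOMEM        -3

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_PLAIN[] = { 0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t PKT_TRAILING_NUL[] = { 0, 0, 0, 6, 'a', 'l', 'i', 'c', 'e', 0 };
static const uint8_t PKT_EMBEDDED_NUL[] = { 0, 0, 0, 11,
	'a', 'l', 'i', 'c', 'e', 0, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t PKT_SHORT_BODY[] = { 0, 0, 0, 32, 'a', 'b' };
static const uint8_t PKT_HUGE_LEN[] = { 0xff, 0xff, 0xff, 0xff };
static const uint8_t PKT_TWO[] = { 0, 0, 0, 3, 's', 's', 'h',
	0, 0, 0, 4, 'r', 'o', 'o', 't' };

/* Parse one string at *off. On success *out is a freshly allocated,
 * NUL-terminated copy and *off is advanced past the string; on any
 * failure *out is NULL and *off is unchanged. */
int get_cstring(const uint8_t *buf, size_t buflen, size_t *off, char **out)
{
	size_t o = *off;
	uint32_t len;

	*out = NULL;
	if (buflen < o || buflen - o < 4)
		return GET_TRUNCATED;
	len = ((uint32_t)buf[o] << 24) | ((uint32_t)buf[o + 1] << 16) |
	    ((uint32_t)buf[o + 2] << 8) | (uint32_t)buf[o + 3];
	o += 4;
	if (buflen - o < len)	/* compare, never add: len may be 0xffffffff */
		return GET_TRUNCATED;

	const uint8_t *body = buf + o;
	size_t body_len = len;
	/* tolerate exactly one NUL, and only as the very last byte */
	if (body_len > 0 && body[body_len - 1] == '\0')
		body_len--;
	if (memchr(body, '\0', body_len) != NULL)
		return GET_EMBEDDED_NUL;

	char *s = malloc(body_len + 1);
	if (s == NULL)
		return GET_NOMEM;
	memcpy(s, body, body_len);
	s[body_len] = '\0';
	*out = s;
	*off = o + len;
	return GET_OK;
}

/* Convenience wrapper: parse a packet that holds a single string. */
int parse_one(const uint8_t *pkt, size_t pktlen, char **out)
{
	size_t off = 0;
	return get_cstring(pkt, pktlen, &off, out);
}
```

The length check compares the remaining bytes against the declared length instead of adding the two, so a length of 0xffffffff cannot wrap the arithmetic; a string of "alice" followed by NUL and "admin" is refused outright rather than quietly becoming "alice".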


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

fewer warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.156 28-Jun-2019 deraadt

asprintf returns -1, not an arbitrary value < 0. Also upon error the
(very sloppy specification) leaves an undefined value in *ret, so it is
wrong to inspect it, the error condition is enough.
discussed a little with nicm, and then much more with millert until we
were exasperated


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-define cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


Revision tags: OPENBSD_6_5_BASE
# 1.155 25-Mar-2019 djm

Fix authentication failures when "AuthenticationMethods any" in a
Match block overrides a more restrictive global default.

Spotted by jmc@, ok markus@


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for his comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.154 19-Jan-2019 djm

convert auth.c to new packet API

with & ok markus@


# 1.153 19-Jan-2019 djm

convert auth2.c to new packet API


# 1.152 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing a uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled.
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in an
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

fewer warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with an SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthetication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth sucessfull


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.151 17-Jan-2019 djm

include time.h for time(3)/nanosleep(2); from Ian McKellar


Revision tags: OPENBSD_6_4_BASE
# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
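The list semantics described in this entry, as an added model that is not sshd's own code: the option value is split into space-separated lists, each list into comma-separated method names, and authentication is complete once every method of any one list has succeeded. The struct and function names (parse_authentication_methods, auth_record_success, auth_method_allowed, auth_complete) and the fixed-size limits are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the AuthenticationMethods semantics given in the
 * 1.125 entry: one or more space-separated lists, each a comma-separated
 * list of method names; authentication completes once every method in
 * any single list has succeeded. Illustrative code, not sshd's.
 */
#define MAX_LISTS   8
#define MAX_METHODS 8
#define METHOD_LEN  32

struct method_list { char methods[MAX_METHODS][METHOD_LEN]; int nmethods; };
struct auth_methods { struct method_list lists[MAX_LISTS]; int nlists; };
/* Methods that have already succeeded on this connection. */
struct auth_progress { char done[MAX_METHODS][METHOD_LEN]; int ndone; };

/* Copy the next token (delimited by any of 'delims') into out and advance *p.
 * Returns the token length, 0 at end of input, -1 if a token is too long. */
static int next_token(const char **p, const char *delims, char *out, size_t outsz)
{
	size_t n;

	*p += strspn(*p, delims);
	n = strcspn(*p, delims);
	if (n == 0)
		return 0;
	if (n >= outsz)
		return -1;
	memcpy(out, *p, n);
	out[n] = '\0';
	*p += n;
	return (int)n;
}

/* Parse an option value; 0 on success, -1 if empty, oversized or malformed. */
int parse_authentication_methods(const char *spec, struct auth_methods *am)
{
	const char *p = spec;
	char list[256], name[METHOD_LEN];
	int n;

	memset(am, 0, sizeof(*am));
	while ((n = next_token(&p, " \t", list, sizeof(list))) > 0) {
		const char *q = list;
		struct method_list *ml;

		if (am->nlists >= MAX_LISTS)
			return -1;
		ml = &am->lists[am->nlists++];
		while ((n = next_token(&q, ",", name, sizeof(name))) > 0) {
			if (ml->nmethods >= MAX_METHODS)
				return -1;
			strcpy(ml->methods[ml->nmethods++], name);
		}
		if (n < 0 || ml->nmethods == 0)
			return -1;
	}
	return (n < 0 || am->nlists == 0) ? -1 : 0;
}

static bool method_done(const struct auth_progress *pr, const char *method)
{
	for (int i = 0; i < pr->ndone; i++)
		if (strcmp(pr->done[i], method) == 0)
			return true;
	return false;
}

/* True once every method of some list has succeeded. */
bool auth_complete(const struct auth_methods *am, const struct auth_progress *pr)
{
	for (int i = 0; i < am->nlists; i++) {
		int j = 0;
		while (j < am->lists[i].nmethods && method_done(pr, am->lists[i].methods[j]))
			j++;
		if (j == am->lists[i].nmethods)
			return true;
	}
	return false;
}

/* A method is worth attempting only if some list still needs it. */
bool auth_method_allowed(const struct auth_methods *am, const struct auth_progress *pr, const char *method)
{
	if (method_done(pr, method))
		return false;
	for (int i = 0; i < am->nlists; i++)
		for (int j = 0; j < am->lists[i].nmethods; j++)
			if (strcmp(am->lists[i].methods[j], method) == 0)
				return true;
	return false;
}

/* Record a success; returns whether authentication is now complete. */
bool auth_record_success(const struct auth_methods *am, struct auth_progress *pr, const char *method)
{
	if (!method_done(pr, method) && pr->ndone < MAX_METHODS && strlen(method) < METHOD_LEN)
		strcpy(pr->done[pr->ndone++], method);
	return auth_complete(am, pr);
}

int main(void)
{
	struct auth_methods am;
	struct auth_progress pr = { .ndone = 0 };

	/* Constructed sshd_config value: either list satisfies the policy. */
	if (parse_authentication_methods("publickey,password publickey,keyboard-interactive", &am) != 0)
		return 1;
	printf("publickey alone: %s\n", auth_record_success(&am, &pr, "publickey") ? "complete" : "partial");
	printf("then password:   %s\n", auth_record_success(&am, &pr, "password") ? "complete" : "partial");
	return 0;
}
```

The model is order-agnostic within a list, which is a simplification; the point it shows is that a single successful method leaves the connection in a partial state, and that a method no list still needs should not be offered again.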


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
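The check described in this entry, as an added illustration rather than OpenSSH's buffer_get_cstring(): an SSH string on the wire is a big-endian uint32 length followed by that many bytes, and copying those bytes into a C string silently drops everything after an embedded NUL. get_cstring() is a hypothetical name; the sample wire strings are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the 1.122 entry: extract a length-prefixed SSH
 * string into a NUL-terminated C string, refusing embedded NULs and
 * tolerating exactly one trailing NUL, as the entry says the real
 * function did at the time. Not OpenSSH's code.
 */

/* Returns a malloc'd copy of the string at buf[*off] and advances *off,
 * or NULL if the length field overruns the buffer or a NUL is embedded. */
char *get_cstring(const unsigned char *buf, size_t buflen, size_t *off)
{
	const unsigned char *p;
	uint32_t len;
	size_t i;
	char *s;

	if (buflen < *off || buflen - *off < 4)
		return NULL;
	len = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	if (len > buflen - *off - 4)
		return NULL;            /* length field points past the buffer */
	p = buf + *off + 4;
	for (i = 0; i < len; i++) {
		if (p[i] != '\0')
			continue;
		if (i + 1 == len)
			break;          /* single trailing NUL: tolerated and dropped */
		return NULL;            /* embedded NUL: string(3) would see a shorter value */
	}
	if ((s = malloc(i + 1)) == NULL)
		return NULL;
	memcpy(s, p, i);
	s[i] = '\0';
	*off += 4 + len;
	return s;
}

/* Constructed sample wire strings (uint32 length, then payload). */
static const unsigned char SAMPLE_PLAIN[]    = { 0, 0, 0, 3, 'f', 'o', 'o' };
static const unsigned char SAMPLE_TRAILING[] = { 0, 0, 0, 4, 'f', 'o', 'o', 0 };
static const unsigned char SAMPLE_EMBEDDED[] = { 0, 0, 0, 8, 'f', 'o', 'o', 0, 'e', 'v', 'i', 'l' };
static const unsigned char SAMPLE_SHORT[]    = { 0, 0, 0, 9, 'f', 'o', 'o' };

/* 1 if accepted and equal to 'expect' with the whole buffer consumed,
 * 0 if rejected, -1 if accepted with some other content. */
int decodes_to(const unsigned char *buf, size_t buflen, const char *expect)
{
	size_t off = 0;
	char *s = get_cstring(buf, buflen, &off);
	int r;

	if (s == NULL)
		return 0;
	r = (strcmp(s, expect) == 0 && off == buflen) ? 1 : -1;
	free(s);
	return r;
}

/* The idiom the entry replaces: copy the raw bytes and trust strlen().
 * For SAMPLE_EMBEDDED the declared length is 8 but only 3 bytes are "seen". */
size_t naive_visible_length(const unsigned char *buf, size_t buflen)
{
	char tmp[64] = { 0 };
	size_t n = buflen > 4 ? buflen - 4 : 0;

	if (n >= sizeof(tmp))
		n = sizeof(tmp) - 1;
	memcpy(tmp, buf + 4, n);
	return strlen(tmp);
}

int main(void)
{
	printf("plain:    %d\n", decodes_to(SAMPLE_PLAIN, sizeof(SAMPLE_PLAIN), "foo"));
	printf("trailing: %d\n", decodes_to(SAMPLE_TRAILING, sizeof(SAMPLE_TRAILING), "foo"));
	printf("embedded: %d\n", decodes_to(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED), "foo"));
	printf("short:    %d\n", decodes_to(SAMPLE_SHORT, sizeof(SAMPLE_SHORT), "foo"));
	printf("naive strlen of embedded sample: %zu of 8 bytes\n",
	    naive_visible_length(SAMPLE_EMBEDDED, sizeof(SAMPLE_EMBEDDED)));
	return 0;
}
```

The embedded-NUL case is the one the entry warns about: a strcmp()-based check would compare only "foo" while the peer actually sent eight bytes, so whatever follows the NUL escapes every string(3)-based check and log line.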


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.
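The MaxAuthTries accounting described in this entry, as amended by the 1.119 entry (the connection's first attempt is free if and only if it is for method "none") and the 1.133 entry (a partial success is not a failure), as an added model. This is illustrative C, not sshd's code; the struct, enum and function names and the use of >= in both limit checks are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added model of MaxAuthTries handling as described in the 1.117, 1.119
 * and 1.133 entries (not sshd's code):
 *  - the limit is checked before any method runs, so MaxAuthTries=0
 *    blocks every attempt, including "none";
 *  - a failed attempt is counted unless it is the first attempt and the
 *    method is "none";
 *  - a partial success (progress in an AuthenticationMethods list) is
 *    not counted as a failure;
 *  - the failure counter is pre-incremented before the post-method check.
 */
enum method_result { RESULT_FAIL, RESULT_PARTIAL, RESULT_SUCCESS };
enum outcome { OUTCOME_CONTINUE, OUTCOME_AUTHENTICATED, OUTCOME_DISCONNECT };

struct authctxt {
	int failures;       /* counted failed attempts */
	int attempts;       /* userauth requests actually processed */
	bool authenticated;
};

/* Process one userauth request whose method produced result 'r'. */
enum outcome userauth_attempt(struct authctxt *ac, int max_authtries,
    const char *method, enum method_result r)
{
	bool first = ac->attempts == 0;

	/* Check the limit before running any method (1.117). */
	if (ac->failures >= max_authtries)
		return OUTCOME_DISCONNECT;
	ac->attempts++;

	switch (r) {
	case RESULT_SUCCESS:
		ac->authenticated = true;
		return OUTCOME_AUTHENTICATED;
	case RESULT_PARTIAL:
		return OUTCOME_CONTINUE;        /* not a failure (1.133) */
	case RESULT_FAIL:
		break;
	}
	/* A first "none" request is the client's probe for offered methods (1.119). */
	if (first && strcmp(method, "none") == 0)
		return OUTCOME_CONTINUE;
	/* Pre-increment, then test (1.117). */
	if (++ac->failures >= max_authtries)
		return OUTCOME_DISCONNECT;
	return OUTCOME_CONTINUE;
}

/* Replay a constructed request sequence. Returns how many requests were
 * seen up to and including the one that authenticated or disconnected,
 * or -1 if the sequence ended with the connection still pending. */
int replay(int max_authtries, const char *const methods[],
    const enum method_result results[], int n, struct authctxt *ac)
{
	memset(ac, 0, sizeof(*ac));
	for (int i = 0; i < n; i++) {
		enum outcome o = userauth_attempt(ac, max_authtries, methods[i], results[i]);
		if (o != OUTCOME_CONTINUE)
			return i + 1;
	}
	return -1;
}

int main(void)
{
	/* Constructed scenario: a "none" probe followed by three password failures. */
	const char *const methods[] = { "none", "password", "password", "password" };
	const enum method_result results[] = { RESULT_FAIL, RESULT_FAIL, RESULT_FAIL, RESULT_FAIL };
	struct authctxt ac;
	int seen = replay(3, methods, results, 4, &ac);

	printf("MaxAuthTries 3: disconnected after request %d with %d counted failures\n",
	    seen, ac.failures);
	return 0;
}
```

Two properties worth checking in any such counter: a "none" request that is not the first one must be counted, otherwise a client can interleave them to buy extra real attempts, and MaxAuthTries=0 must refuse the very first request rather than granting one freebie.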


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that this is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.150 13-Sep-2018 djm

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@


# 1.149 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.148 09-Jul-2018 markus

sshd: switch authentication to sshbuf API; ok djm@


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthetication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that is is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth sucessfull


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.147 11-May-2018 dtucker

Explicit cast when snprintf'ing an uint64. Prevents warnings on platforms
where int64 is long not long long. ok djm@


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser are now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificate
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and feedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explicit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
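
The list-of-lists semantics this entry describes, as an added C example (not OpenSSH's code): it parses an AuthenticationMethods value and reports whether the methods completed so far satisfy some list. The struct layout, size limits and the rejection of empty names are choices made for this example.

```c
/*
 * Evaluating an sshd_config AuthenticationMethods value. Constructed example
 * for this page, not OpenSSH's code. The value is a space-separated series of
 * comma-separated method lists, e.g. "publickey,password publickey,keyboard-interactive";
 * authentication completes once every method in at least one list has succeeded.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LISTS	8
#define MAX_METHODS	8
#define NAME_LEN	32

struct method_list {
	char	methods[MAX_METHODS][NAME_LEN];
	int	nmethods;
};

struct auth_methods {
	struct method_list	lists[MAX_LISTS];
	int			nlists;
};

/*
 * Parse the option value into am. Empty names (",,", ", " or a trailing
 * comma) and over-long names are rejected. Returns 0, or -1 if malformed.
 */
static int
parse_auth_methods(const char *spec, struct auth_methods *am)
{
	const char *p = spec;

	memset(am, 0, sizeof(*am));
	while (*p != '\0') {
		struct method_list *ml;

		if (*p == ' ') {		/* a space separates lists */
			p++;
			continue;
		}
		if (am->nlists == MAX_LISTS)
			return -1;
		ml = &am->lists[am->nlists++];
		for (;;) {			/* a comma separates methods */
			size_t len = strcspn(p, ", ");

			if (len == 0 || len >= NAME_LEN ||
			    ml->nmethods == MAX_METHODS)
				return -1;
			memcpy(ml->methods[ml->nmethods], p, len);
			ml->methods[ml->nmethods][len] = '\0';
			ml->nmethods++;
			p += len;
			if (*p != ',')
				break;
			p++;			/* a method name must follow a comma */
		}
	}
	return am->nlists > 0 ? 0 : -1;
}

/* 1 once every method of at least one list has succeeded, else 0. */
static int
auth_complete(const struct auth_methods *am, const char **done, int ndone)
{
	for (int i = 0; i < am->nlists; i++) {
		const struct method_list *ml = &am->lists[i];
		int j, k;

		for (j = 0; j < ml->nmethods; j++) {
			for (k = 0; k < ndone; k++)
				if (strcmp(ml->methods[j], done[k]) == 0)
					break;
			if (k == ndone)		/* this method is still outstanding */
				break;
		}
		if (j == ml->nmethods)		/* every method of this list is done */
			return 1;
	}
	return 0;
}

/*
 * Convenience wrapper taking the methods completed so far as one comma-separated
 * string. Returns -1 if spec is malformed, 0 if more authentication is
 * required, 1 if the connection is authenticated.
 */
static int
check_complete(const char *spec, const char *done_csv)
{
	struct auth_methods am;
	const char *done[MAX_LISTS * MAX_METHODS];
	char buf[256], *tok;
	int ndone = 0;

	if (parse_auth_methods(spec, &am) == -1)
		return -1;
	snprintf(buf, sizeof(buf), "%s", done_csv);
	for (tok = strtok(buf, ","); tok != NULL && ndone < MAX_LISTS * MAX_METHODS;
	    tok = strtok(NULL, ","))
		done[ndone++] = tok;
	return auth_complete(&am, done, ndone);
}
```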


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
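
An added C example, not OpenSSH's buffer_get_cstring() itself, of the check this entry describes: a wire-format string (uint32 length, then bytes) is decoded, an embedded NUL is rejected, and a single trailing NUL is tolerated and dropped. The status codes and helper names are this example's own.

```c
/*
 * Extracting a C string from an SSH wire-format field (uint32 big-endian
 * length, then that many bytes) while refusing embedded NUL bytes, in the
 * spirit of the buffer_get_cstring() the entry above describes. Constructed
 * example for this page, not OpenSSH's code. A single NUL in the last
 * position is tolerated and dropped, as the entry allows for now; a NUL
 * anywhere else is rejected, so no string(3) call downstream can see a
 * shorter value than the peer actually sent.
 */
#include <stdlib.h>
#include <string.h>

enum { CSTR_OK = 0, CSTR_TRUNCATED = -1, CSTR_EMBEDDED_NUL = -2, CSTR_NOMEM = -3 };

/*
 * Read one string from buf at *off. On success *out receives a malloc'd,
 * NUL-terminated copy, *outlen its length, and *off advances past the field
 * (trailing NUL included). On failure nothing is consumed or allocated.
 */
static int
get_cstring(const unsigned char *buf, size_t buflen, size_t *off,
    char **out, size_t *outlen)
{
	size_t pos = *off, wire_len, len;
	const unsigned char *p;
	char *s;

	if (pos > buflen || buflen - pos < 4)
		return CSTR_TRUNCATED;
	wire_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16) |
	    ((size_t)buf[pos + 2] << 8) | (size_t)buf[pos + 3];
	pos += 4;
	if (wire_len > buflen - pos)
		return CSTR_TRUNCATED;	/* length field claims more than was received */
	p = buf + pos;
	len = wire_len;
	if (len > 0 && p[len - 1] == '\0')
		len--;			/* one trailing NUL: tolerated and dropped */
	if (memchr(p, '\0', len) != NULL)
		return CSTR_EMBEDDED_NUL;	/* NUL anywhere else: reject */
	if ((s = malloc(len + 1)) == NULL)
		return CSTR_NOMEM;
	memcpy(s, p, len);
	s[len] = '\0';
	*out = s;
	*outlen = len;
	*off = pos + wire_len;
	return CSTR_OK;
}

/*
 * Build a constructed packet whose length field says `claimed` but which
 * carries `len` payload bytes, decode it, and return the status. *outlen
 * receives the decoded length on success.
 */
static int
probe(const void *payload, size_t len, size_t claimed, size_t *outlen)
{
	unsigned char buf[64];
	size_t off = 0, n = 4 + len;
	char *s = NULL;
	int r;

	if (len > sizeof(buf) - 4)
		return CSTR_NOMEM;
	buf[0] = (unsigned char)(claimed >> 24); buf[1] = (unsigned char)(claimed >> 16);
	buf[2] = (unsigned char)(claimed >> 8);  buf[3] = (unsigned char)claimed;
	memcpy(buf + 4, payload, len);
	r = get_cstring(buf, n, &off, &s, outlen);
	if (r == CSTR_OK) {
		free(s);
		if (off != n)
			return -99;	/* consumed the wrong number of bytes */
	}
	return r;
}

static int
status_of(const void *payload, size_t len)
{
	size_t n;

	return probe(payload, len, len, &n);
}

/* Decoded length of a well-formed field, or (size_t)-1 if it was rejected. */
static size_t
decoded_len(const void *payload, size_t len)
{
	size_t n = 0;

	return probe(payload, len, len, &n) == CSTR_OK ? n : (size_t)-1;
}

static int
truncated_status(void)
{
	size_t n;

	return probe("abc", 3, 10, &n);	/* claims 10 bytes, carries 3 */
}
```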


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have; previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

fewer warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while I was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read now returns -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for his comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.146 13-Apr-2018 dtucker

Defend against user enumeration timing attacks.
This establishes a minimum time for each failed authentication
attempt (5ms) and adds a per-user constant derived from a host
secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok
markus@ djm@.
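
As an added C example (not OpenSSH's implementation), the shape of the defence this entry describes: a 5 ms floor on every failed attempt plus a per-user 0-4 ms constant derived from a host secret, so a failure for a nonexistent user takes the same kind of time as one for a real user. The FNV-1a derivation, the constructed host secret and the function names are assumptions of this example, not taken from the commit.

```c
/*
 * Floor on the duration of a failed authentication attempt, modelled on the
 * defence described in the commit above: at least 5 ms for every failure
 * plus a per-user constant of 0-4 ms derived from a host secret, so the
 * timing of a failure looks the same whether or not the user exists.
 * Constructed example for this page, not OpenSSH's code. The derivation
 * uses FNV-1a only to stay dependency-free; a real implementation would
 * use a cryptographic keyed hash (a design choice assumed here, not stated
 * by the commit).
 */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MIN_FAIL_DELAY_NS	5000000ULL	/* 5 ms floor for every failed attempt */
#define MAX_USER_DELAY_NS	4000000ULL	/* per-user constant lies in [0, 4 ms] */

static uint64_t
fnv1a64(const void *data, size_t len, uint64_t h)
{
	const unsigned char *p = data;

	for (size_t i = 0; i < len; i++) {
		h ^= p[i];
		h *= 1099511628211ULL;
	}
	return h;
}

/*
 * Per-user constant in nanoseconds. It depends only on the host secret and
 * the username, so repeated attempts against one name see the same delay,
 * and nonexistent names get a constant of exactly the same form as real ones.
 */
static uint64_t
user_specific_delay_ns(const unsigned char *secret, size_t secretlen,
    const char *user)
{
	uint64_t h = fnv1a64(secret, secretlen, 14695981039346656037ULL);

	h = fnv1a64(user, strlen(user), h);
	return h % (MAX_USER_DELAY_NS + 1);
}

/* Nanoseconds still to wait so the attempt lasts at least floor + per-user delay. */
static uint64_t
remaining_delay_ns(uint64_t start_ns, uint64_t now_ns, uint64_t user_delay_ns)
{
	uint64_t target = MIN_FAIL_DELAY_NS + user_delay_ns;
	uint64_t elapsed = now_ns >= start_ns ? now_ns - start_ns : 0;

	return elapsed >= target ? 0 : target - elapsed;
}

static uint64_t
monotonic_ns(void)
{
	struct timespec ts;

	clock_gettime(CLOCK_MONOTONIC, &ts);
	return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/*
 * Call after a failed attempt that began at start_ns: sleeps until the
 * minimum has elapsed and returns the total time the attempt took.
 */
static uint64_t
finish_failed_attempt(uint64_t start_ns, const unsigned char *secret,
    size_t secretlen, const char *user)
{
	uint64_t rem = remaining_delay_ns(start_ns, monotonic_ns(),
	    user_specific_delay_ns(secret, secretlen, user));
	struct timespec ts = { .tv_sec = (time_t)(rem / 1000000000ULL),
	    .tv_nsec = (long)(rem % 1000000000ULL) };

	while (rem > 0 && nanosleep(&ts, &ts) == -1)
		;	/* interrupted by a signal: resume with the remainder */
	return monotonic_ns() - start_ns;
}

/* Simulated failed attempt against a constructed host secret; returns its duration. */
static uint64_t
simulate_failure_ns(const char *user)
{
	static const unsigned char host_secret[] = "constructed-host-secret";	/* example only */
	uint64_t start = monotonic_ns();

	/* ... an authentication method would run and fail here ... */
	return finish_failed_attempt(start, host_secret, sizeof(host_secret) - 1, user);
}
```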


Revision tags: OPENBSD_6_3_BASE
# 1.145 03-Mar-2018 djm

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for his comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


# 1.144 23-Jan-2018 djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have; previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather than pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-define cleanup_exit() where appropriate,
allocate sshd's authctxt early to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitions to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

fewer warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() always call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbased auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a range of message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the draft's requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while I was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FQDN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to solar@openwall.com for comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes needed for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary groups in {Allow,Deny}Groups
from stevesk@pobox.com


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect in one file per protocol version


Revision tags: OPENBSD_6_2_BASE
# 1.143 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.142 31-May-2017 markus

remove now obsolete ctx from ssh_dispatch_run; ok djm@


# 1.141 31-May-2017 markus

use the ssh_dispatch_run_fatal variant


# 1.140 30-May-2017 markus

switch auth2 to ssh_dispatch API; ok djm@


# 1.139 30-May-2017 markus

protocol handlers all get struct ssh passed; ok djm@


# 1.138 30-May-2017 markus

sshd: pass struct ssh to auth functions; ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.137 03-Feb-2017 djm

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113


Revision tags: OPENBSD_6_0_BASE
# 1.136 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE
# 1.135 19-Jan-2015 markus

move dispatch to struct ssh; ok djm@


# 1.134 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.133 18-Dec-2014 djm

don't count partial authentication success as a failure against
MaxAuthTries; ok deraadt@


Revision tags: OPENBSD_5_6_BASE
# 1.132 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.131 03-Jul-2014 djm

make the "Too many authentication failures" message include the
user, source address, port and protocol in a format similar to the
authentication success / failure messages; bz#2199, ok dtucker


Revision tags: OPENBSD_5_5_BASE
# 1.130 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


Revision tags: OPENBSD_5_4_BASE
# 1.129 19-May-2013 djm

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@


# 1.128 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.127 07-Mar-2013 markus

add submethod support to AuthenticationMethods; ok and freedback djm@


Revision tags: OPENBSD_5_3_BASE
# 1.126 02-Dec-2012 djm

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@


# 1.125 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


Revision tags: OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.124 07-Dec-2011 djm

fix some harmless and/or unreachable int overflows;
reported Xi Wang, ok markus@


Revision tags: OPENBSD_5_0_BASE
# 1.123 10-Mar-2011 djm

allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against MaxAuthTries;
bz#1244 from simon AT sxw.org.uk; ok markus@ before lock


Revision tags: OPENBSD_4_9_BASE
# 1.122 31-Aug-2010 djm

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE
# 1.121 22-Jun-2009 dtucker

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm


Revision tags: OPENBSD_4_5_BASE
# 1.120 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


Revision tags: OPENBSD_4_4_BASE
# 1.119 04-Jul-2008 djm

Make protocol 1 MaxAuthTries logic match protocol 2's.

Do not treat the first protocol 2 authentication attempt as
a failure IFF it is for method "none".

Makes MaxAuthTries' user-visible behaviour identical for
protocol 1 vs 2.

ok dtucker@


# 1.118 02-Jul-2008 djm

really really remove the freebie "none" auth try for protocol 2


# 1.117 02-Jul-2008 djm

Make protocol 2 MaxAuthTries behaviour a little more sensible:

Check whether client has exceeded MaxAuthTries before running
an authentication method and skip it if they have, previously it
would always allow one try (for "none" auth).

Preincrement failure count before post-auth test - previously this
checked and postincremented, also to allow one "none" try.

Together, these two changes always count the "none" auth method
which could be skipped by a malicious client (e.g. an SSH worm)
to get an extra attempt at a real auth method. They also make
MaxAuthTries=0 a useful way to block users entirely (esp. in a
sshd_config Match block).

Also, move sending of any preauth banner from "none" auth method
to the first call to input_userauth_request(), so worms that skip
the "none" method get to see it too.


Revision tags: OPENBSD_4_3_BASE
# 1.116 29-Sep-2007 dtucker

Remove unused prototype. ok djm@


Revision tags: OPENBSD_4_2_BASE
# 1.115 14-Apr-2007 stevesk

remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>


Revision tags: OPENBSD_4_1_BASE
# 1.114 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


Revision tags: OPENBSD_4_0_BASE
# 1.113 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.112 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.111 06-Jul-2006 stevesk

move #include <pwd.h> out of includes.h; ok markus@


# 1.110 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.109 20-Mar-2006 deraadt

sprinkle some ARGSUSED for table driven functions (which sometimes must ignore their args)


# 1.108 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.107 28-Jul-2004 markus

branches: 1.107.6; 1.107.8;
more s/illegal/invalid/


# 1.106 21-Jul-2004 djm

bz#899: Don't display invalid usernames in setproctitle
from peak AT argo.troja.mff.cuni.cz; ok markus@


# 1.105 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.104 04-Nov-2003 djm

branches: 1.104.2;
standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@


# 1.103 23-Sep-2003 markus

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@


Revision tags: OPENBSD_3_4_BASE
# 1.102 26-Aug-2003 markus

branches: 1.102.2;
fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar


# 1.101 22-Aug-2003 markus

nuke "kerberos-2@ssh.com"


# 1.100 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.99 24-Jun-2003 markus

int -> u_int; ok djm@, deraadt@, mouring@


# 1.98 14-May-2003 markus

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@


# 1.97 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.96 06-Feb-2003 markus

branches: 1.96.2;
undo broken fix for #387, fixes #486


Revision tags: OPENBSD_3_2_BASE
# 1.95 22-Aug-2002 markus

branches: 1.95.2;
auth_root_allowed() is handled by the monitor in the privsep case,
so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325


# 1.94 30-Jun-2002 deraadt

lint asks that we use names that do not overlap


# 1.93 31-May-2002 markus

move Authmethod definitons to per-method file.


# 1.92 25-May-2002 markus

split auth2.c into one file per method; ok provos@/deraadt@


# 1.91 13-May-2002 itojun

less warnings. skey_{respond,query} are public (in auth.h)


# 1.90 12-May-2002 djm

Fix sshd Banner option for privsep; ok markus@ provos@


Revision tags: OPENBSD_3_1_BASE
# 1.89 19-Mar-2002 markus

branches: 1.89.2;
make getpwnamallow() allways call pwcopy()


# 1.88 18-Mar-2002 provos

integrate privilege separated openssh; its turned off by default for now.
work done by me and markus@


# 1.87 18-Mar-2002 provos

have the authentication functions return the authentication context
and then do_authenticated; okay millert@


# 1.86 17-Mar-2002 provos

getpwnamallow returns struct passwd * only if user valid; okay markus@


# 1.85 24-Feb-2002 markus

signed vs. unsigned: make size arguments u_int, ok stevesk@


# 1.84 04-Feb-2002 markus

cross checking of announced vs actual pktype in pubkey/hostbaed auth; ok stevesk@


# 1.83 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.82 13-Jan-2002 markus

use buffer API and avoid static strings of fixed size; ok provos@/mouring@


# 1.81 11-Jan-2002 markus

a single dispatch_protocol_error() that sends a message of type 'UNIMPLEMENTED'
dispatch_range(): set handler for a ranges message types
use dispatch_protocol_ignore() for authentication requests after
successful authentication (the drafts requirement).
serverloop/clientloop now send a 'UNIMPLEMENTED' message instead of exiting.


# 1.80 28-Dec-2001 markus

remove plen from the dispatch fn. it's no longer used.


# 1.79 28-Dec-2001 markus

s/packet_done/packet_check_eom/ (end-of-message); ok djm@


# 1.78 20-Dec-2001 djm

Conformance fix: we should send failing packet sequence number when
responding with a SSH_MSG_UNIMPLEMENTED message. Spotted by
yakk@yakk.dot.net; ok markus@


# 1.77 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.76 18-Dec-2001 jakob

log fingerprint on successful public key authentication; ok markus@


# 1.75 09-Dec-2001 markus

add auth2_challenge_stop(), simplifies cleanup of kbd-int sessions,
fixes memleak.


# 1.74 05-Dec-2001 itojun

make it compile with more strict prototype checking


# 1.73 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.72 07-Nov-2001 markus

unused includes


Revision tags: OPENBSD_3_0_BASE
# 1.71 27-Sep-2001 markus

branches: 1.71.2;
typos; from solar


# 1.70 20-Sep-2001 markus

key_read returns now -1 or 1


# 1.69 23-Jul-2001 stevesk

use %lu; ok markus@


# 1.68 26-Jun-2001 markus

new interface for secure_filename()


# 1.67 25-Jun-2001 stevesk

prototype cleanup; ok markus@


# 1.66 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.65 23-Jun-2001 markus

restore correct ignore_user_known_hosts logic.


# 1.64 23-Jun-2001 markus

*known_hosts2 is obsolete for hostbased authentication and
only used for backward compat. merge ssh1/2 hostkey check
and move it to auth.c


# 1.63 22-Jun-2001 markus

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys).


# 1.62 07-Jun-2001 markus

style is used for bsdauth.
disconnect on user/service change (ietf-drafts)


# 1.61 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.60 30-May-2001 markus

merge


# 1.59 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.58 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.57 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


Revision tags: OPENBSD_2_9_BASE
# 1.56 19-Apr-2001 markus

branches: 1.56.2;
use local variable, no function call needed.
(btw, hostbased works now with ssh.com >= 2.0.13)


# 1.55 18-Apr-2001 markus

more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now
(however the 2.1.0 server seems to work only if debug is enabled...)


# 1.54 18-Apr-2001 markus

no longer const


# 1.53 18-Apr-2001 markus

use FDQN with trailing dot in the hostbased auth packets, ok deraadt@


# 1.52 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.51 06-Apr-2001 markus

do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks
to olar@openwall.com is comments. we had many requests for this.


# 1.50 04-Apr-2001 markus

we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@


# 1.49 28-Mar-2001 markus

check auth_root_allowed for kbd-int auth, too.


# 1.48 21-Mar-2001 markus

merge common ssh v1/2 code


# 1.47 20-Mar-2001 markus

add changes need for BSD_AUTH plus disabled BSD_AUTH code


# 1.46 11-Mar-2001 markus

debug


# 1.45 04-Mar-2001 djm

Rename pty.[ch] -> sshpty.[ch] and login.[ch] to sshlogin.[ch] to avoid
header conflicts in portable; ok markus@


# 1.44 01-Mar-2001 deraadt

KNF


# 1.43 22-Feb-2001 markus

use pwcopy in ssh.c, too


# 1.42 13-Feb-2001 markus

setproctitle(user) only if getpwnam succeeds


# 1.41 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.40 10-Feb-2001 markus

offer passwd before s/key


# 1.39 08-Feb-2001 markus

strict checking


# 1.38 08-Feb-2001 markus

fix typo


# 1.37 07-Feb-2001 markus

move k_setpag() to a central place; ok dugsong@


# 1.36 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.35 04-Feb-2001 stevesk

remove duplicate #include's; ok markus@


# 1.34 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled.


# 1.33 22-Jan-2001 markus

no need to include; from mouring@etoh.eviladmin.org


# 1.32 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.31 20-Jan-2001 markus

typo


# 1.30 20-Jan-2001 markus

pass the filename to auth_parse_options()


# 1.29 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.28 18-Jan-2001 markus

1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.


# 1.27 13-Jan-2001 markus

support supplementary group in {Allow,Deny}Groups
from stevesk@pobox.com
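How {Allow,Deny}Groups behaves once supplementary groups count, as an added example written for this page rather than code from the commit: the user's primary group plus every /etc/group membership is collected, DenyGroups is consulted first, and a non-empty AllowGroups then requires at least one match. The sample group tables are constructed, and fnmatch stands in for sshd's own pattern matcher (same '*' and '?' wildcards); both are assumptions of the illustration.

```python
import fnmatch
from typing import Dict, Iterable, List, Sequence

# Constructed sample data standing in for /etc/passwd primary groups and
# /etc/group membership lists; none of it is real.
PRIMARY_GROUP: Dict[str, str] = {"alice": "alice", "bob": "bob", "carol": "carol"}
GROUP_MEMBERS: Dict[str, List[str]] = {
    "wheel": ["alice"],
    "sshusers": ["bob", "carol"],
    "contractors": ["carol"],
}


def user_groups(user: str) -> List[str]:
    """Primary group first, then every supplementary group the user is in."""
    groups = [PRIMARY_GROUP[user]]
    for name, members in GROUP_MEMBERS.items():
        if user in members and name not in groups:
            groups.append(name)
    return groups


def any_group_matches(groups: Iterable[str], patterns: Sequence[str]) -> bool:
    # sshd uses its own match_pattern(); fnmatch is a stand-in for this
    # illustration with the same '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)


def group_policy_allows(user: str, allow_groups: Sequence[str],
                        deny_groups: Sequence[str]) -> bool:
    """DenyGroups is checked first; a non-empty AllowGroups then requires a match.

    Before supplementary groups were considered, only PRIMARY_GROUP[user]
    would have been compared, so a user whose only sshusers membership is
    supplementary would have been rejected by AllowGroups sshusers.
    """
    groups = user_groups(user)
    if deny_groups and any_group_matches(groups, deny_groups):
        return False
    if allow_groups and not any_group_matches(groups, allow_groups):
        return False
    return True
```

Note that a deny match on any group, primary or supplementary, wins over an allow match on another, so a user in both sshusers and contractors is refused when contractors is denied.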


# 1.26 13-Jan-2001 markus

enable kerberos passwd auth in ssh2, use k_setpag; ok hin, dugsong, from ksulliva@psc.edu


# 1.25 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.24 28-Dec-2000 markus

count authentication failures only


# 1.23 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.22 03-Dec-2000 markus

support f-secure/ssh.com 2.0.12; ok niels@


# 1.21 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.20 14-Oct-2000 markus

branches: 1.20.2;
OpenSSH_2.3; note that it is not complete, but the version number needs to be changed for interoperability reasons


# 1.19 11-Oct-2000 markus

new cipher framework


# 1.18 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.17 11-Oct-2000 markus

clear auth options unless auth successful


# 1.16 27-Sep-2000 markus

use key_type()


# 1.15 21-Sep-2000 markus

add context to dispatch_run


# 1.14 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.13 20-Aug-2000 millert

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.


# 1.12 07-Jul-2000 todd

clean code is good code


# 1.11 19-Jun-2000 markus

make userauth+pubkey interop with ssh.com-2.2.0


# 1.10 18-Jun-2000 markus

split auth-rsa option parsing into auth-options
add options support to authorized_keys2


# 1.9 18-Jun-2000 markus

implement bug compatibility with ssh-2.0.13 pubkey, server side


Revision tags: OPENBSD_2_7_BASE
# 1.8 08-May-2000 markus

branches: 1.8.2;
bug compat w/ ssh-2.0.13 x11, split out bugs


# 1.7 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.6 05-May-2000 markus

log failure before sending the reply


# 1.5 01-May-2000 djm

Add missing #ifdefs; ok - markus


# 1.4 01-May-2000 markus

disable kerb,s/key in ssh2


# 1.3 27-Apr-2000 markus

cleanup logging for sshd/2, respect PasswordAuth no


# 1.2 27-Apr-2000 markus

xfree DSA blobs


# 1.1 26-Apr-2000 markus

split auth/sshconnect into one file per protocol version