Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@

remove prototypes with no matching function; ok djm@

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

defence-in-depth MaxAuthTries check in monitor; ok markus

Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via
github PR#396.

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@

make sure that UseDNS hostname lookup happens in the monitor and
not in the pledge(2)'d unprivileged process; fixes regression
caused by recent refactoring spotted by henning@

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@

save an unneccessary alloc/free, based on patch from
Martin Vahlensieck; ok dtucker@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

log signature algorithm during verification by monitor; ok markus

sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

remove a bunch of %p in format strings; leftovers of debuggings
past. prompted by Michael Forney, ok dtucker@

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@

Remove now-unused skey function prototypes leftover from skey removal.

do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@

don't sshbuf_get_u32() into an enum; reported by goetze AT
dovetail.com via bz3269

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

clean up passing of struct passwd from monitor to preauth privsep
process. No longer copy entire struct w/ pointer addresses, but
pass remaining scalar fields explicitly,

Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

variants of the log methods that append a ssherr.h string from
a supplied error code; ok markus@

revised log infrastructure for OpenSSH

log functions receive function, filename and line number of caller.
We can use this to selectively enable logging via pattern-lists.

ok markus@

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

correct recently broken comments

some language improvements; ok markus

spelling errors in comments; no code change
from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace "security key" with "authenticator" in program messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

redundant test

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

a little more information from the monitor when signature
verification fails.

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

reversed test yielded incorrect debug message

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

merge kexkem[cs] into kexgen

from markus@ ok djm@

use KEM API for vanilla ECDH

from markus@ ok djm@

use KEM API for vanilla DH KEX

from markus@ ok djm@

use KEM API for vanilla c25519 KEX

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

remove last references to active_state

with & ok markus@

convert monitor.c to new packet API

with & ok markus@

convert auth.c to new packet API

with & ok markus@

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options.
If only RSA-SHA2 siganture types were specified, then authentication would
always fail for RSA keys as the monitor checks only the base key (not the
signature algorithm) type against *AcceptedKeyTypes.
bz#2746; reported by Jakub Jelen; ok dtucker

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@

remove unused zlib.h

remove legacy key emulation layer; ok djm@

kerberos/gssapi fixes for buffer removal

sshd: switch monitor to sshbuf API; lots of help & ok djm@

sshd: switch authentication to sshbuf API; ok djm@

sshd: switch loginmsg to sshbuf API; ok djm@

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

Add a couple of non-negativity checks to avoid close(-1).

ok djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

revert stricter key type / signature type checking in userauth path;
too much software generates inconsistent messages, so we need a
better plan.

pass negotiated signing algorithm though to sshkey_verify() and
check that the negotiated algorithm matches the type in the
signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@

Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

use SO_ZEROIZE for privsep communication (if available)

clear session keys from memory; ok djm@

switch auth2-pubkey.c to modern APIs; with & ok djm@

switch from Key typedef with struct sshkey; ok djm@

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen
for testing; ok markus@

restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration.

prompted by Solar Designer; ok markus dtucker

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker

remove ssh1 server code; ok djm@

move debug("%p", key) to before key is free'd; probable undefined
behaviour on strict compilers; reported by Jakub Jelen bz#2581

add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen

remove roaming support; ok djm@

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

Compare pointers to NULL rather than 0.

ok djm@

don't record hostbased authentication hostkeys as user keys
in test for multiple authentication with the same key

Fix occurrences of "r = func() != 0" which result in the wrong error
codes being returned due to != having higher precedence than =.

ok deraadt@ markus@

Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like.
Discussed with tedu, millert, otto.... and ok djm

Don't count successful partial authentication as failures in monitor;
this may have caused the monitor to refuse multiple authentications
that would otherwise have successfully completed; ok markus@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

prevent authorized_keys options picked up on public key tests without
a corresponding private key authentication being applied to other
authentication methods. Reported by halex@, ok markus@

fix compilation with OPENSSL=no; ok dtucker@

don't call record_login() in monitor when UseLogin is enabled;
bz#278 reported by drk AT sgi.com; ok dtucker

UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)

Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

adapt kex to sshbuf and struct ssh; ok djm@

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@

move authfd.c and its tentacles to the new buffer/key API;
ok markus@

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@

remember which public keys have been used for authentication and
refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

convert memset of potentially-private data to explicit_bzero()

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker

remove experimental, never-enabled JPAKE code; ok markus@

fix rekeying for KEX_C25519_SHA256; noted by dtucker@

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@

for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@

bye, bye xfree(); ok markus@

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.

add submethod support to AuthenticationMethods; ok and freedback djm@

reconstruct the original username that was sent by the client, which may
have included a style (e.g. "root:skey") when checking public key
signatures. Fixes public key and hostbased auth when the client specified
a style; ok markus@

drain the log messages after receiving the keystate from the unpriv
child. otherwise it might block while sending. ok djm@

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@

memleak on error path

ignore EINTR errors from poll()

make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@

use FD_CLOEXEC consistently; patch from zion AT x96.org

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@

s/timing_safe_cmp/timingsafe_bcmp/g

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@

some paranoia: check that the serialised key is really KEY_RSA before
diddling its internals

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@

Make debug a little clearer. ok djm@

Clear key options in the monitor on failed authentication, prevents
applying additional restrictions to non-pubkey authentications in
the case where pubkey fails but another method subsequently succeeds.
bz #1472, found by Colin Watson, ok markus@ djm@

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)

Send config block back to slave for invalid users too so options
set by a Match block (eg Banner) behave the same for non-existent
users. Found by and ok djm@

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@

make file descriptor passing code return an error rather than call fatal()
when it encounters problems, and use this to make session multiplexing
masters survive slaves failing to pass all stdio FDs; ok markus@

pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@

Teach Match how handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@

correctly check for bad signatures in the monitor, otherwise the monitor and
the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@

branches: 1.88.4;
Revert previous include file ordering change, for ssh to compile under gcc2
(or until openssl include files are cleaned of parameter names in function
prototypes)

"zlib.h" can be <zlib.h>; ok djm@ markus@

spaces

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <string.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

missed these from last commit:
move #include <sys/socket.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Prevent duplicate log messages when privsep=yes; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@

spacing

annoying spacing fixes getting in the way of real diffs

memory leaks detected by Coverity via elad AT netbsd.org;
deraadt@ ok

that should be all of them now

spacing

RCSID() can die

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY

branches: 1.68.2;
move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

small KNF

move #include <paths.h> out of includes.h; ok markus@

KNF; ok djm@

branches: 1.63.2; 1.63.4;
spacing

Make code match intent; ok djm@

branches: 1.61.2;
Move "Last logged in at.." message generation to the monitor, right
before recording the new login. Fixes missing lastlog message when
/var/log/lastlog is not world-readable and incorrect datestamp when
multiple sessions are used (bz #463); much assistance & ok markus@

Change login->username, will prevent -Wshadow errors in Portable; ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@

improve some code lint did not like; djm millert ok

kill some more tiny files; ok deraadt@

branches: 1.55.2;
Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@

unexpand and delete whitespace at EOL; ok markus@

unbreak fake authloop for non-existent users (my screwup). Spotted and
tested by dtucker@; ok markus@

replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.

standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@

branches: 1.49.2;
remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar

64 bit cleanups; markus ok

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@

int -> u_int; ok djm@, deraadt@, mouring@

typos; dtucker at zip.com.au

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

cast some types for printing; ok markus@

http://bugzilla.mindrot.org/show_bug.cgi?id=560
Privsep child continues to run after monitor killed.
Pass monitor signals through to child; Darren Tucker

implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@

rename log() into logit() to avoid name conflict. markus ok, from netbsd

reapply rekeying chage, tested by henning@, ok djm@

backout rekeying changes (for 3.6.1)

rekeying bugfixes and automatic rekeying:

* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying

branches: 1.34.2;
unbreak rekeying for privsep; ok millert@

fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@

fix permitrootlogin forced-commands-only for privsep; bux #387; ok provos@

skey/bsdauth: use 0 to indicate failure instead of -1, because
the buffer API only supports unsigned ints.

handle overflows for size_t larger than u_int; siw@goneko.de, bug #425

branches: 1.29.2;
krb4 + privsep; ok dugsong@, deraadt@

only call kerberos code for authctxt->valid

only call auth_krb5 if kerberos is enabled; ok deraadt@

signed vs unsigned from -pedantic; ok henning@

kerberos support for privsep. confirmed to work by lha@stacken.kth.se
patch from markus

pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
NOTE: there are also p-specific parts to this patch. ok markus@

Change mm_zalloc() sanity checks to be more in line with what
we do in calloc() and add a check to monitor_mm.c.
OK provos@ and markus@

u_int here; ok provos@

use xfree()

improve mm_zalloc check; markus ok

correct %u

be careful in mm_zalloc

save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@

Don't initialise compression buffers when compression=no in sshd_config;
ok Niels@

make the monitor sync the transfer ssh1 session key;
transfer keycontext only for RC4 (this is still depends on EVP
implementation details and is broken).

__FUNCTION__ -> __func__

save the session id (hash) for ssh2 (it will be passed with the initial sign request)
and verify that this value is used during authentication; ok provos@

only allow enabled authentication methods; ok provos@

branches: 1.11.2; 1.11.4;
'monitor' variable clashes with at least one lame platform (NeXT). Renamed
to 'pmonitor'. provos@

Fix sshd Banner option for privsep; ok markus@ provos@

branches: 1.9.2;
check waitpid for EINTR; based on patch from peter@ifm.liu.se

monitor_allowed_key() returns int instead of pointer. ok markus@

remove "\n" from fatal()

fix NULL %s on debug3(); ok markus@

use SSH_SESSION_KEY_LENGTH for key length

make getpwnamallow() allways call pwcopy()

whitespace KNF

clean up prototypes

implementation of the interface between privileged and unprivileged process
for ssh-privsep

remove prototypes with no matching function; ok djm@

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.

defence-in-depth MaxAuthTries check in monitor; ok markus

Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via
github PR#396.

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@

make sure that UseDNS hostname lookup happens in the monitor and
not in the pledge(2)'d unprivileged process; fixes regression
caused by recent refactoring spotted by henning@

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@

save an unneccessary alloc/free, based on patch from
Martin Vahlensieck; ok dtucker@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

log signature algorithm during verification by monitor; ok markus

sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

remove a bunch of %p in format strings; leftovers of debuggings
past. prompted by Michael Forney, ok dtucker@

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@

Remove now-unused skey function prototypes leftover from skey removal.

do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@

don't sshbuf_get_u32() into an enum; reported by goetze AT
dovetail.com via bz3269

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

clean up passing of struct passwd from monitor to preauth privsep
process. No longer copy entire struct w/ pointer addresses, but
pass remaining scalar fields explicitly,

Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

variants of the log methods that append a ssherr.h string from
a supplied error code; ok markus@

revised log infrastructure for OpenSSH

log functions receive function, filename and line number of caller.
We can use this to selectively enable logging via pattern-lists.

ok markus@

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

correct recently broken comments

some language improvements; ok markus

spelling errors in comments; no code change
from https://fossies.org/linux/misc/openssh-8.2p1.tar.gz/codespell.html

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

Replace "security key" with "authenticator" in program messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

redundant test

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

a little more information from the monitor when signature
verification fails.

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

reversed test yielded incorrect debug message

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

merge kexkem[cs] into kexgen

from markus@ ok djm@

use KEM API for vanilla ECDH

from markus@ ok djm@

use KEM API for vanilla DH KEX

from markus@ ok djm@

use KEM API for vanilla c25519 KEX

Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org
using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP
coupled with X25519 as a stop-loss. Not enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

remove last references to active_state

with & ok markus@

convert monitor.c to new packet API

with & ok markus@

convert auth.c to new packet API

with & ok markus@

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options.
If only RSA-SHA2 siganture types were specified, then authentication would
always fail for RSA keys as the monitor checks only the base key (not the
signature algorithm) type against *AcceptedKeyTypes.
bz#2746; reported by Jakub Jelen; ok dtucker

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@

remove unused zlib.h

remove legacy key emulation layer; ok djm@

kerberos/gssapi fixes for buffer removal

sshd: switch monitor to sshbuf API; lots of help & ok djm@

sshd: switch authentication to sshbuf API; ok djm@

sshd: switch loginmsg to sshbuf API; ok djm@

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

Add a couple of non-negativity checks to avoid close(-1).

ok djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

revert stricter key type / signature type checking in userauth path;
too much software generates inconsistent messages, so we need a
better plan.

pass negotiated signing algorithm though to sshkey_verify() and
check that the negotiated algorithm matches the type in the
signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@

Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

use SO_ZEROIZE for privsep communication (if available)

clear session keys from memory; ok djm@

switch auth2-pubkey.c to modern APIs; with & ok djm@

switch from Key typedef with struct sshkey; ok djm@

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

enforce expected request flow for GSSAPI calls; thanks to Jakub Jelen
for testing; ok markus@

restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration.

prompted by Solar Designer; ok markus dtucker

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker

remove ssh1 server code; ok djm@

move debug("%p", key) to before key is free'd; probable undefined
behaviour on strict compilers; reported by Jakub Jelen bz#2581

add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@

memleak of algorithm name in mm_answer_sign; reported by Jakub Jelen

remove roaming support; ok djm@

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

Compare pointers to NULL rather than 0.

ok djm@

don't record hostbased authentication hostkeys as user keys
in test for multiple authentication with the same key

Fix occurrences of "r = func() != 0" which result in the wrong error
codes being returned due to != having higher precedence than =.

ok deraadt@ markus@

Improve size == 0, count == 0 checking in mm_zalloc, which is "array" like.
Discussed with tedu, millert, otto.... and ok djm

Don't count successful partial authentication as failures in monitor;
this may have caused the monitor to refuse multiple authentications
that would otherwise have successfully completed; ok markus@

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

prevent authorized_keys options picked up on public key tests without
a corresponding private key authentication being applied to other
authentication methods. Reported by halex@, ok markus@

fix compilation with OPENSSL=no; ok dtucker@

don't call record_login() in monitor when UseLogin is enabled;
bz#278 reported by drk AT sgi.com; ok dtucker

UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)

Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@

make rekey_limit for sshd w/privsep work; ok djm@ dtucker@

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

adapt kex to sshbuf and struct ssh; ok djm@

update packet.c & isolate, introduce struct ssh
a) switch packet.c to buffer api and isolate per-connection info into struct ssh
b) (de)serialization of the state is moved from monitor to packet.c
c) the old packet.c API is implemented in opacket.[ch]
d) compress.c/h is removed and integrated into packet.c
with and ok djm@

move authfd.c and its tentacles to the new buffer/key API;
ok markus@

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@

remember which public keys have been used for authentication and
refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.

unbreak compression, by re-init-ing the compression code in the
post-auth child. the new buffer code is more strict, and requires
buffer_init() while the old code was happy after a bzero();
originally from djm@

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

convert memset of potentially-private data to explicit_bzero()

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker

remove experimental, never-enabled JPAKE code; ok markus@

fix rekeying for KEX_C25519_SHA256; noted by dtucker@

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@

for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@

Standardise logging of supplemental information during userauth. Keys
and ruser is now logged in the auth success/failure message alongside
the local username, remote host/port and protocol in use. Certificates
contents and CA are logged too.

Pushing all logging onto a single line simplifies log analysis as it is
no longer necessary to relate information scattered across multiple log
entries. "I like it" markus@

bye, bye xfree(); ok markus@

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.

add submethod support to AuthenticationMethods; ok and freedback djm@

reconstruct the original username that was sent by the client, which may
have included a style (e.g. "root:skey") when checking public key
signatures. Fixes public key and hostbased auth when the client specified
a style; ok markus@

drain the log messages after receiving the keystate from the unpriv
child. otherwise it might block while sending. ok djm@

Fixes logging of partial authentication when privsep is enabled
Previously, we recorded "Failed xxx" since we reset authenticated before
calling auth_log() in auth2.c. This adds an explcit "Partial" state.

Add a "submethod" to auth_log() to report which submethod is used
for keyboard-interactive.

Fix multiple authentication when one of the methods is
keyboard-interactive.

ok markus@

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

remove dead code following 'for (;;)' loops.
From Steve.McClellan at radisys com, ok markus@

memleak on error path

ignore EINTR errors from poll()

make the pre-auth privsep slave log via a socketpair shared with the
monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)

feedback and ok markus@ dtucker@

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@

use FD_CLOEXEC consistently; patch from zion AT x96.org

ECDH/ECDSA compliance fix: these methods vary the hash function they use
(SHA256/384/512) depending on the length of the curve in use. The previous
code incorrectly used SHA256 in all cases.

This fix will cause authentication failure when using 384 or 521-bit curve
keys if one peer hasn't been upgraded and the other has. (256-bit curve
keys work ok). In particular you may need to specify HostkeyAlgorithms
when connecting to a server that has not been upgraded from an upgraded
client.

ok naddy@

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@

s/timing_safe_cmp/timingsafe_bcmp/g

implement a timing_safe_cmp() function to compare memory without leaking
timing information by short-circuiting like memcmp() and use it for
some of the more sensitive comparisons (though nothing high-value was
readily attackable anyway); "looks ok" markus@

Hold authentication debug messages until after successful authentication.
Fixes an info leak of environment variables specified in authorized_keys,
reported by Jacob Appelbaum. ok djm@

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Fix warnings found by chl@ and djm@ and change roaming_atomicio's
return type to match atomicio's
Diff from djm@, ok markus@

Keep track of number of bytes read and written. Needed for upcoming
changes. Most code from Martin Forssen, maf at appgate dot com.
ok markus@

Put the globals in packet.c into a struct and don't access it directly
from other files. No functional changes.
ok markus@ djm@

some paranoia: check that the serialised key is really KEY_RSA before
diddling its internals

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@

sync v1 and v2 traffic accounting; add it to sshd, too; ok djm@, dtucker@

Make debug a little clearer. ok djm@

Clear key options in the monitor on failed authentication, prevents
applying additional restrictions to non-pubkey authentications in
the case where pubkey fails but another method subsequently succeeds.
bz #1472, found by Colin Watson, ok markus@ djm@

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes a abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)

Send config block back to slave for invalid users too so options
set by a Match block (eg Banner) behave the same for non-existent
users. Found by and ok djm@

unifdef -DBSD_AUTH
unifdef -USKEY

These options have been in use for some years;
ok markus@ "no objection" millert@

make file descriptor passing code return an error rather than call fatal()
when it encounters problems, and use this to make session multiplexing
masters survive slaves failing to pass all stdio FDs; ok markus@

pass received SIGINT from monitor to postauth child so it can clean
up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
ok markus@

Teach Match how handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@

correctly check for bad signatures in the monitor, otherwise the monitor and
the unpriv process can get out of sync. with dtucker@, ok djm@, dtucker@

branches: 1.88.4;
Revert previous include file ordering change, for ssh to compile under gcc2
(or until openssl include files are cleaned of parameter names in function
prototypes)

"zlib.h" can be <zlib.h>; ok djm@ markus@

spaces

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <string.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

missed these from last commit:
move #include <sys/socket.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

Prevent duplicate log messages when privsep=yes; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

introduce xcalloc() and xasprintf() failure-checked allocations functions
and use them throughout openssh

xcalloc is particularly important because malloc(nmemb * size) is a
dangerous idiom (subject to integer overflow) and it is time for it to
die

feedback and ok deraadt@

spacing

annoying spacing fixes getting in the way of real diffs

memory leaks detected by Coverity via elad AT netbsd.org;
deraadt@ ok

that should be all of them now

spacing

RCSID() can die

Implement the diffie-hellman-group-exchange-sha256 key exchange method
using the SHA256 code in libc (and wrapper to make it into an OpenSSL
EVP), interop tested against CVS PuTTY

branches: 1.68.2;
move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

small KNF

move #include <paths.h> out of includes.h; ok markus@

KNF; ok djm@

branches: 1.63.2; 1.63.4;
spacing

Make code match intent; ok djm@

branches: 1.61.2;
Move "Last logged in at.." message generation to the monitor, right
before recording the new login. Fixes missing lastlog message when
/var/log/lastlog is not world-readable and incorrect datestamp when
multiple sessions are used (bz #463); much assistance & ok markus@

Change login->username, will prevent -Wshadow errors in Portable; ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

implement diffie-hellman-group14-sha1 kex method (trivial extension to
existing diffie-hellman-group1-sha1); ok markus@

improve some code lint did not like; djm millert ok

kill some more tiny files; ok deraadt@

branches: 1.55.2;
Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@

unexpand and delete whitespace at EOL; ok markus@

unbreak fake authloop for non-existent users (my screwup). Spotted and
tested by dtucker@; ok markus@

replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.

standardise arguments to auth methods - they should all take authctxt.
check authctxt->valid rather then pw != NULL; ok markus@

replace fatal_cleanup() and linked list of fatal callbacks with static
cleanup_exit() function. re-refine cleanup_exit() where appropriate,
allocate sshd's authctxt eary to allow simpler cleanup in sshd.
tested by many, ok deraadt@

branches: 1.49.2;
remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

fix passwd auth for 'username leaks via timing'; with djm@, original patches from solar