History log of /openbsd-current/usr.bin/ssh/servconf.c
# 1.409 06-Jun-2024 djm

enable PerSourcePenalties by default.

ok markus

NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.

Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.


# 1.408 06-Jun-2024 djm

Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.

When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsuccessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).

When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.

PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.

much feedback markus@ and others, ok markus@
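A simplified model of the penalty accounting described in this message, added here as an illustration and not OpenSSH's own code: it tracks a penalty per PerSourceNetBlockSize CIDR range, refuses while the remaining penalty exceeds the minimum threshold, accrues repeated offences up to a cap, and honours an exempt list. The threshold, cap, netblock sizes, addresses and penalty durations are constructed for the demo; real sshd values and keyword syntax are in sshd_config(5).

```python
"""Toy model of sshd's per-source penalty accounting (added illustration,
not OpenSSH code). Every number and address below is constructed."""
import ipaddress


class PenaltyTable:
    """Penalties are keyed by netblock so one offender blocks its whole
    PerSourceNetBlockSize range, as the commit message describes."""

    def __init__(self, min_threshold, max_penalty,
                 netblock_v4=32, netblock_v6=128, exempt=()):
        self.min_threshold = float(min_threshold)  # refuse only above this
        self.max_penalty = float(max_penalty)      # accrual cap
        self.netblock_v4 = netblock_v4
        self.netblock_v6 = netblock_v6
        # PerSourcePenaltyExemptList analogue: CIDR ranges never penalised
        self.exempt = [ipaddress.ip_network(e) for e in exempt]
        self._expiry = {}  # netblock -> absolute time the penalty ends

    def _block(self, addr):
        ip = ipaddress.ip_address(addr)
        bits = self.netblock_v4 if ip.version == 4 else self.netblock_v6
        return ipaddress.ip_network((ip, bits), strict=False)

    def is_exempt(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.exempt)

    def remaining(self, addr, now):
        """Seconds of penalty still outstanding for addr's netblock."""
        return max(0.0, self._expiry.get(self._block(addr), 0.0) - now)

    def record(self, addr, penalty, now):
        """Record an offence of `penalty` seconds at time `now`.
        Unexpired penalty carries over, so repeat offenders accrue more,
        capped at max_penalty. Returns the new outstanding penalty."""
        if self.is_exempt(addr):
            return 0.0
        total = min(self.remaining(addr, now) + penalty, self.max_penalty)
        self._expiry[self._block(addr)] = now + total
        return total

    def should_refuse(self, addr, now):
        """Refuse while the outstanding penalty is above the threshold."""
        if self.is_exempt(addr):
            return False
        return self.remaining(addr, now) > self.min_threshold


def demo():
    """Constructed sequence: two auth failures, then a crash, then decay."""
    table = PenaltyTable(min_threshold=15, max_penalty=600,
                         netblock_v4=24, exempt=["10.0.0.0/8"])
    events = [  # (time, address, reason, penalty seconds) -- constructed
        (0, "203.0.113.5", "authfail", 5),
        (1, "203.0.113.5", "authfail", 5),
        (2, "203.0.113.5", "crash", 30),
        (3, "10.1.2.3", "crash", 30),  # exempt range, never penalised
    ]
    for when, addr, reason, secs in events:
        total = table.record(addr, secs, when)
        print(f"t={when:>3} {addr:<14} {reason:<9} outstanding={total:.0f}s "
              f"refuse={table.should_refuse(addr, when)}")
    # A neighbour in the same /24 is refused along with the offender.
    print("neighbour 203.0.113.77 refused:",
          table.should_refuse("203.0.113.77", 3))
    return table


if __name__ == "__main__":
    demo()
```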


# 1.407 17-May-2024 djm

fix incorrect debug option name introduced in previous commit


# 1.406 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.405 04-Mar-2024 djm

Separate parsing of string array options from applying them to the
active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
AuthenticationMethods any

bz3657 ok markus@


# 1.404 20-Feb-2024 djm

don't append a gratuitous space to the end of subsystem arguments;
bz3667


# 1.403 11-Oct-2023 djm

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@


Revision tags: OPENBSD_7_4_BASE
# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
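
The Match semantics described in the 1.181 entry above (CIDR "Match address" lists with "!" negation and wildcard fall-back) and in the 1.153 entry (options in a matching block overriding the global section), as an added example in Python; this is not OpenSSH code, and the sample configuration, connection records and the "address"/"user"/"all" subset of criteria are constructed for the example.

```python
# Added example (not OpenSSH code): models sshd_config "Match" evaluation as
# described in the 1.181 and 1.153 log entries. Sample config is constructed.
import fnmatch
import ipaddress

SAMPLE_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding yes

# Password logins only from these networks, minus one excluded host.
Match address 192.0.2.0/24,3ffe:ffff::/32,!192.0.2.99
    PasswordAuthentication yes

Match User anoncvs
    AllowTcpForwarding no
    PasswordAuthentication no
"""


def addr_match_list(addr, patterns):
    """Address list match: 1 positive, -1 negated, 0 no match.  Entries are
    tried as CIDR first (a bare address is a full-length mask); entries that
    are not addresses fall back to '*'/'?' wildcards on the address text.  A
    matching negated entry rejects at once."""
    ip = ipaddress.ip_address(addr)
    ret = 0
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in address list")
        if "/" in entry:
            # strict=True rejects host bits set under the mask (10.1.2.3/8)
            matched = ip in ipaddress.ip_network(entry, strict=True)
        else:
            try:
                matched = ip in ipaddress.ip_network(entry)
            except ValueError:
                matched = fnmatch.fnmatchcase(addr, entry)
        if matched:
            if neg:
                return -1
            ret = 1
    return ret


def match_applies(criteria, conn):
    """Evaluate the attribute/value pairs of one Match line for `conn`."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if len(criteria) % 2:
        raise ValueError("Match criteria must be attribute/value pairs")
    for attrib, arg in zip(criteria[::2], criteria[1::2]):
        attrib = attrib.lower()
        if attrib == "address":
            if addr_match_list(conn["address"], arg) != 1:
                return False
        elif attrib == "user":
            if not any(fnmatch.fnmatchcase(conn["user"], p)
                       for p in arg.split(",")):
                return False
        else:
            raise ValueError(f"unsupported Match attribute {attrib!r}")
    return True


def effective_options(config_text, conn):
    """Return {keyword: value} in effect for one connection.  In the global
    section the first occurrence of a keyword wins; among Match blocks the
    first *matching* block that sets a keyword wins, overriding the global
    section.  Keywords are lower-cased."""
    global_opts, match_opts = {}, {}
    in_match, active = False, True
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criteria = arg.split()
            if not criteria:  # empty Match statements are rejected (1.243)
                raise ValueError(f"line {lineno}: empty Match statement")
            in_match, active = True, match_applies(criteria, conn)
            continue
        if not arg:
            raise ValueError(f"line {lineno}: missing argument to {keyword}")
        if active:
            (match_opts if in_match else global_opts).setdefault(keyword, arg)
    return {**global_opts, **match_opts}


if __name__ == "__main__":
    for user, addr in (("alice", "192.0.2.10"), ("alice", "192.0.2.99"),
                       ("anoncvs", "192.0.2.10")):
        conn = {"user": user, "address": addr}
        print(user, addr, effective_options(SAMPLE_CONFIG, conn))
```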


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.407 17-May-2024 djm

fix incorrect debug option name introduced in previous commit


# 1.406 17-May-2024 djm

Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.

After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.

This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.

feedback/ok markus@ deraadt@

NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.


Revision tags: OPENBSD_7_5_BASE
# 1.405 04-Mar-2024 djm

Separate parsing of string array options from applying them to the
active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
AuthenticationMethods any

bz3657 ok markus@


# 1.404 20-Feb-2024 djm

don't append a gratuitous space to the end of subsystem arguments;
bz3667


# 1.403 11-Oct-2023 djm

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@


Revision tags: OPENBSD_7_4_BASE
# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
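
The random early drop that this default selects, worked through as an added example (not sshd's own code): the struct and function names are this example's own, and sshd's real decision draws its random value from arc4random_uniform(100) rather than taking it as a parameter.

```c
#include <stdio.h>

/*
 * Added example, not sshd's code. MaxStartups "start:rate:full" means:
 * below `start` concurrent unauthenticated connections nothing is
 * refused; from `start` onwards a new connection is refused with a
 * probability that ramps linearly from `rate` percent up to 100 percent
 * at `full`. A bare count behaves as a hard limit at that count.
 */
struct maxstartups {
	int start;	/* pending connections before random drop begins */
	int rate;	/* drop percentage once `start` is reached */
	int full;	/* pending connections at which every new one is refused */
};

/*
 * Parse "start" or "start:rate:full" into `m`.
 * Returns 0 on success, -1 on malformed or inconsistent input.
 */
int maxstartups_parse(const char *s, struct maxstartups *m)
{
	int start, rate, full, n;

	n = sscanf(s, "%d:%d:%d", &start, &rate, &full);
	if (n == 1) {
		rate = 100;	/* bare count: refuse everything past it */
		full = start;
	} else if (n != 3)
		return -1;
	if (start < 1 || rate < 0 || rate > 100 || full < start)
		return -1;
	m->start = start;
	m->rate = rate;
	m->full = full;
	return 0;
}

/* Percent chance that a new connection is dropped with `active` pending. */
int maxstartups_drop_percent(const struct maxstartups *m, int active)
{
	if (active < m->start)
		return 0;
	if (active >= m->full)
		return 100;
	/* linear ramp between (start, rate) and (full, 100) */
	return m->rate + (100 - m->rate) * (active - m->start) /
	    (m->full - m->start);
}

/*
 * Decide one connection attempt. `roll` is a uniformly random value in
 * [0,100) supplied by the caller so that the decision is testable.
 */
int maxstartups_should_drop(const struct maxstartups *m, int active, int roll)
{
	return roll < maxstartups_drop_percent(m, active);
}

/* Convenience: parse `spec` and report the drop percentage, or -1 if invalid. */
int maxstartups_percent_for(const char *spec, int active)
{
	struct maxstartups m;

	if (maxstartups_parse(spec, &m) == -1)
		return -1;
	return maxstartups_drop_percent(&m, active);
}

int main(void)
{
	int active;

	/* compare a hard limit of 10 with the 10:30:100 default from this change */
	printf("active  hard%%  10:30:100%%\n");
	for (active = 0; active <= 100; active += 10)
		printf("%6d  %5d  %10d\n", active,
		    maxstartups_percent_for("10", active),
		    maxstartups_percent_for("10:30:100", active));
	return 0;
}
```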


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
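
How an AuthenticationMethods specification is satisfied, covering both this entry's "all methods in any one list" rule and the later 1.291 treatment of "any" and the banned empty value, as an added example (not sshd's code; the function names are this example's own, and method names are not checked against sshd's list of known methods):

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not sshd's code: evaluate an AuthenticationMethods
 * specification against the methods a client has completed so far.
 * The spec is one or more space-separated lists; each list is a
 * comma-separated sequence of method names that must all succeed, and
 * authentication completes once every method of any one list has
 * succeeded. "any" means the ordinary single-method behaviour and an
 * empty specification is rejected.
 */

static int method_completed(const char *name, const char *const *done,
    size_t ndone)
{
	size_t i;

	for (i = 0; i < ndone; i++)
		if (strcmp(name, done[i]) == 0)
			return 1;
	return 0;
}

/*
 * Returns 1 when `done` satisfies `spec`, 0 when more methods are still
 * required and -1 when `spec` is not a valid specification.
 */
int authmethods_satisfied(const char *spec, const char *const *done,
    size_t ndone)
{
	char *copy, *list, *name, *sl, *sn;
	int satisfied = 0, nlists = 0;

	if (spec == NULL || *spec == '\0')
		return -1;			/* AuthenticationMethods="" is banned */
	if (strcmp(spec, "any") == 0)
		return ndone > 0 ? 1 : 0;	/* no multi-auth requirement */

	if ((copy = strdup(spec)) == NULL)
		return -1;
	for (list = strtok_r(copy, " \t", &sl); list != NULL;
	    list = strtok_r(NULL, " \t", &sl)) {
		int all_done = 1, nnames = 0;

		nlists++;
		/* the list token is already NUL-terminated, so split it in place */
		for (name = strtok_r(list, ",", &sn); name != NULL;
		    name = strtok_r(NULL, ",", &sn)) {
			nnames++;
			if (!method_completed(name, done, ndone))
				all_done = 0;
		}
		if (nnames == 0) {		/* a list with no method names */
			free(copy);
			return -1;
		}
		if (all_done)
			satisfied = 1;
	}
	free(copy);
	return nlists == 0 ? -1 : satisfied;
}

/* Convenience wrapper: `done_csv` names the completed methods, comma-separated. */
int authmethods_check(const char *spec, const char *done_csv)
{
	const char *done[16];
	size_t ndone = 0;
	char *copy, *tok, *sp;
	int r;

	if ((copy = strdup(done_csv)) == NULL)
		return -1;
	for (tok = strtok_r(copy, ",", &sp); tok != NULL && ndone < 16;
	    tok = strtok_r(NULL, ",", &sp))
		done[ndone++] = tok;
	r = authmethods_satisfied(spec, done, ndone);
	free(copy);
	return r;
}

int main(void)
{
	const char *spec = "publickey,password publickey,keyboard-interactive";

	printf("publickey only: %d\n", authmethods_check(spec, "publickey"));
	printf("publickey+password: %d\n",
	    authmethods_check(spec, "publickey,password"));
	printf("empty spec: %d\n", authmethods_check("", "publickey"));
	return 0;
}
```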


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
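An added C example (not the project's own code) that implements the time[qualifier] grammar this commit describes, with overflow and malformed-input handling; the function name `parse_time_spec` is chosen here.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Convert a time spec such as "600", "10m" or "1h30m" to seconds.
 * Each part is a non-negative integer followed by an optional qualifier:
 * none or 's' = seconds, 'm' = minutes, 'h' = hours, 'd' = days, 'w' = weeks.
 * Returns -1 for an empty or malformed string or if the total would overflow.
 * Hypothetical name; not OpenSSH's own converter.
 */
long
parse_time_spec(const char *s)
{
	long total = 0, num, mult;
	char *endp;

	if (s == NULL || *s == '\0')
		return -1;
	while (*s != '\0') {
		if (!isdigit((unsigned char)*s))	/* rejects "-5", "+5", " 5", "m" */
			return -1;
		errno = 0;
		num = strtol(s, &endp, 10);
		if (errno == ERANGE)
			return -1;
		switch (*endp) {
		case '\0': case 's': case 'S': mult = 1; break;
		case 'm': case 'M': mult = 60; break;
		case 'h': case 'H': mult = 60 * 60; break;
		case 'd': case 'D': mult = 24 * 60 * 60; break;
		case 'w': case 'W': mult = 7 * 24 * 60 * 60; break;
		default: return -1;	/* unknown qualifier */
		}
		if (num > LONG_MAX / mult || total > LONG_MAX - num * mult)
			return -1;	/* would overflow */
		total += num * mult;
		s = (*endp == '\0') ? endp : endp + 1;	/* skip the qualifier */
	}
	return total;
}

int
main(void)
{
	/* constructed sample specs, including two malformed ones */
	const char *specs[] = { "600", "10m", "1h30m", "2d", "5x", "" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-6s -> %ld\n", specs[i], parse_time_spec(specs[i]));
	return 0;
}
```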


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.405 04-Mar-2024 djm

Separate parsing of string array options from applying them to the
active configuration. This fixes the config parser from erroneously
rejecting cases like:

AuthenticationMethods password
Match User ivy
AuthenticationMethods any

bz3657 ok markus@


# 1.404 20-Feb-2024 djm

don't append a gratuitous space to the end of subsystem arguments;
bz3667


# 1.403 11-Oct-2023 djm

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@


Revision tags: OPENBSD_7_4_BASE
# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both sshd_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

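The list-modifier syntax described by revisions 1.277 (+), 1.304 (-), 1.335 (wildcards) and 1.352 (^) above, modelled as an added example in C. This is not code from servconf.c or kex.c: the SAMPLE_* lists are constructed and are not OpenSSH's real defaults, fnmatch(3) stands in for OpenSSH's own match_pattern(), and an entry that matches no supported name is treated as an error, which is a simplification.

```c
/* Model of the sshd_config algorithm-list modifiers ('+', '-', '^' and '*'
 * wildcards).  Added example, not code from servconf.c or kex.c; the sample
 * lists are constructed and are not OpenSSH's real defaults. */
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXNAMES 32
/* Constructed samples: every name this "build" supports, and the default. */
#define SAMPLE_ALL "ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512," \
    "rsa-sha2-256,ssh-rsa,ssh-dss"
#define SAMPLE_DEF "ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-ed25519"

/* Copy a comma-separated list into buf and split it in place; returns count. */
static int split_names(const char *list, char *buf, size_t buflen, char **out)
{
	int n = 0;
	char *p, *comma;
	snprintf(buf, buflen, "%s", list);
	for (p = buf; p != NULL && n < MAXNAMES; p = comma) {
		if ((comma = strchr(p, ',')) != NULL)
			*comma++ = '\0';
		if (*p != '\0')
			out[n++] = p;
	}
	return n;
}

static int has_name(char **names, int n, const char *name)
{
	while (n-- > 0 && strcmp(names[n], name) != 0)
		continue;
	return n >= 0;
}

/* Append a name unless already present (the dedup kex_names_cat performs). */
static void add_unique(char **dst, int *n, char *name)
{
	if (*n < MAXNAMES && !has_name(dst, *n, name))
		dst[(*n)++] = name;
}

/* Join names with commas into a freshly malloc'd string. */
static char *join_names(char **names, int n)
{
	size_t len = 1;
	int i;
	char *s;
	for (i = 0; i < n; i++)
		len += strlen(names[i]) + 1;
	if ((s = calloc(1, len)) == NULL)
		return NULL;
	for (i = 0; i < n; i++)
		snprintf(s + strlen(s), len - strlen(s), "%s%s", i ? "," : "", names[i]);
	return s;
}

/* Resolve a configured list against the default ("def") and all supported
 * names ("all"): "+list" appends to the default, "-list" removes from it,
 * "^list" moves names to its head, a bare list replaces it.  Entries may use
 * '*' and '?' wildcards (not '!' negation), expanded in "all" order.  Returns
 * a malloc'd comma-separated string, or NULL if an entry matches nothing or
 * the result is empty. */
char *assemble_names(const char *spec, const char *def, const char *all)
{
	char buf_all[512], buf_def[512], buf_spec[512], mode = '\0';
	char *all_n[MAXNAMES], *def_n[MAXNAMES], *spec_n[MAXNAMES];
	char *cand[2 * MAXNAMES], *out[MAXNAMES];
	int na, nd, ns, nc = 0, no = 0, found, i, j;
	if (spec[0] == '+' || spec[0] == '-' || spec[0] == '^')
		mode = *spec++;
	na = split_names(all, buf_all, sizeof(buf_all), all_n);
	nd = split_names(def, buf_def, sizeof(buf_def), def_n);
	ns = split_names(spec, buf_spec, sizeof(buf_spec), spec_n);
	if (mode == '-') {	/* keep default entries that match no pattern */
		for (i = 0; i < nd; i++) {
			for (j = 0; j < ns && fnmatch(spec_n[j], def_n[i], 0) != 0; j++)
				continue;
			if (j == ns)
				add_unique(out, &no, def_n[i]);
		}
		return no > 0 ? join_names(out, no) : NULL;
	}
	/* Candidate order: '^' puts the new names first, '+' puts them last. */
	for (i = 0; mode == '^' && i < ns; i++) cand[nc++] = spec_n[i];
	for (i = 0; (mode == '+' || mode == '^') && i < nd; i++) cand[nc++] = def_n[i];
	for (i = 0; mode != '^' && i < ns; i++) cand[nc++] = spec_n[i];
	for (i = 0; i < nc; i++) {	/* expand each candidate against "all" */
		for (j = 0, found = 0; j < na; j++) {
			if (fnmatch(cand[i], all_n[j], 0) == 0) {
				add_unique(out, &no, all_n[j]);
				found = 1;
			}
		}
		if (!found)
			return NULL;	/* unknown name or pattern matching nothing */
	}
	return no > 0 ? join_names(out, no) : NULL;
}
```

With the sample lists, "^ssh-ed25519" moves the existing default entry to the front without duplicating it, "-rsa*" strips both rsa-sha2-* entries, and "+ssh-*" appends only the names not already present.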

# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
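The matching semantics described in this entry (CIDR entries for IPv4 and IPv6, "!" negation, fall-back to classic wildcard patterns), as an added illustration that is not the project's own addrmatch.c code. The function names wild_match, cidr_match and match_address and the negation rule (a matching negated entry rejects the address outright) are assumptions of this example, modelled on the "Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*" line above:

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Classic wildcard match: '*' matches any run, '?' matches one character. */
static int wild_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (wild_match(pat, s))
                    return 1;
            return 0;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return 0;
        pat++;
        s++;
    }
}

/* Parse a textual address into binary form; returns the family or 0. */
static int parse_addr(const char *txt, unsigned char *buf, int *len)
{
    if (inet_pton(AF_INET, txt, buf) == 1) { *len = 4; return AF_INET; }
    if (inet_pton(AF_INET6, txt, buf) == 1) { *len = 16; return AF_INET6; }
    return 0;
}

/* 1 if addr is inside entry "net/bits", 0 if not, -1 if entry is malformed. */
static int cidr_match(const char *addr, const char *entry)
{
    char net[64];
    unsigned char a[16], n[16];
    int alen, nlen, af_a, af_n, full, rem;
    const char *slash = strchr(entry, '/');
    char *end;
    long bits;

    if (slash == NULL || (size_t)(slash - entry) >= sizeof(net))
        return -1;
    memcpy(net, entry, slash - entry);
    net[slash - entry] = '\0';
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0)
        return -1;
    af_n = parse_addr(net, n, &nlen);
    if (af_n == 0 || bits > nlen * 8)
        return -1;                      /* e.g. 192.0.2.0/33 */
    af_a = parse_addr(addr, a, &alen);
    if (af_a != af_n)
        return 0;                       /* family mismatch never matches */
    full = bits / 8;
    rem = bits % 8;
    if (memcmp(a, n, full) != 0)
        return 0;
    if (rem && ((a[full] ^ n[full]) & (0xff << (8 - rem)) & 0xff))
        return 0;
    return 1;
}

/*
 * Evaluate a comma-separated list such as "192.0.2.0/24,3ffe:ffff::/32,!10.*".
 * Returns 1 if addr matches a positive entry and no negated entry, 0 if it
 * does not match, -1 if the list contains an empty or malformed CIDR entry.
 */
int match_address(const char *addr, const char *list)
{
    char ent[128];
    const char *p = list;
    int matched = 0;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        int neg, r;

        if (len == 0 || len >= sizeof(ent))
            return -1;
        memcpy(ent, p, len);
        ent[len] = '\0';
        neg = (ent[0] == '!');
        r = strchr(ent + neg, '/') ? cidr_match(addr, ent + neg)
                                   : wild_match(ent + neg, addr);
        if (r < 0)
            return -1;
        if (r) {
            if (neg)
                return 0;               /* a negated hit rejects outright */
            matched = 1;
        }
        p = comma ? comma + 1 : p + len;
    }
    return matched;
}

int main(void)
{
    const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
    printf("192.0.2.7 -> %d\n", match_address("192.0.2.7", list));
    printf("10.1.2.3  -> %d\n", match_address("10.1.2.3", list));
    return 0;
}
```

Entries are evaluated left to right; a negated entry that matches short-circuits to "no match", which is what makes "!10.*" act as an exclusion even when a later positive entry would otherwise apply. Constructed addresses are used throughout.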


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600     600 seconds (10 minutes)
10m     10 minutes
1h30m   1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.404 20-Feb-2024 djm

don't append a gratuitous space to the end of subsystem arguments;
bz3667


# 1.403 11-Oct-2023 djm

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@


Revision tags: OPENBSD_7_4_BASE
# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
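The address-list semantics this commit describes (CIDR entries for IPv4 and IPv6, "!" negation, and fall-back to classic wildcard matching for entries without a "/"), as an added example in C. This is not the addrmatch.c code from the commit nor flowd's addr.c: the function names parse_addr(), wildcard_match(), cidr_match() and match_address_list() are made up for the example, the list string in the test is the one from the commit message, the client addresses are constructed, and the rule that a matching negated entry rejects the whole list wherever it appears is an assumption of this example rather than something the commit states.

```c
#define _POSIX_C_SOURCE 200809L	/* for inet_pton() */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a literal IPv4/IPv6 address into buf; *len becomes 4 or 16. */
static int parse_addr(const char *s, unsigned char *buf, int *len)
{
	if (inet_pton(AF_INET, s, buf) == 1) { *len = 4; return 0; }
	if (inet_pton(AF_INET6, s, buf) == 1) { *len = 16; return 0; }
	return -1;
}

/* Classic '*' and '?' wildcard match on the textual address. */
static int wildcard_match(const char *s, const char *p)
{
	for (;;) {
		if (*p == '\0')
			return *s == '\0';
		if (*p == '*') {
			while (*p == '*')
				p++;
			if (*p == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wildcard_match(s, p))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*p != '?' && *p != *s))
			return 0;
		s++, p++;
	}
}

/* One "net/bits" entry: 1 = match, 0 = no match, -1 = malformed entry. */
static int cidr_match(const unsigned char *addr, int alen, const char *entry)
{
	char net[INET6_ADDRSTRLEN], *end;
	unsigned char n[16];
	const char *slash = strchr(entry, '/');
	size_t plen = (size_t)(slash - entry);
	long bits;
	int nlen, i;
	if (plen == 0 || plen >= sizeof(net) || slash[1] == '\0')
		return -1;
	memcpy(net, entry, plen);
	net[plen] = '\0';
	if (parse_addr(net, n, &nlen) == -1)
		return -1;
	bits = strtol(slash + 1, &end, 10);
	if (*end != '\0' || bits < 0 || bits > nlen * 8)
		return -1;	/* e.g. /33 on an IPv4 network */
	if (nlen != alen)
		return 0;	/* different address family: cannot match */
	for (i = 0; i < bits / 8; i++)
		if (addr[i] != n[i])
			return 0;
	if (bits % 8) {	/* compare the remaining high bits of one byte */
		unsigned char mask = (unsigned char)(0xffu << (8 - bits % 8));
		if ((addr[bits / 8] & mask) != (n[bits / 8] & mask))
			return 0;
	}
	return 1;
}

/* match_address_list (hypothetical name): evaluate a comma-separated
 * "Match address" style list for one client address. Returns 1 if a
 * positive entry matched, 0 if nothing matched, -1 if a negated ("!")
 * entry matched or the input is malformed (this example's assumption). */
int match_address_list(const char *addr, const char *list)
{
	unsigned char a[16];
	int alen, result = 0;
	const char *p = list;

	if (parse_addr(addr, a, &alen) == -1)
		return -1;
	while (*p != '\0') {
		char entry[INET6_ADDRSTRLEN + 8];
		const char *comma = strchr(p, ',');
		size_t len = comma ? (size_t)(comma - p) : strlen(p);
		const char *e;
		int r;
		if (len == 0 || len >= sizeof(entry))
			return -1;
		memcpy(entry, p, len);
		entry[len] = '\0';
		e = entry + (entry[0] == '!');	/* skip a leading negation */
		r = strchr(e, '/') ? cidr_match(a, alen, e) : wildcard_match(addr, e);
		if (r == -1 || (r == 1 && e != entry))
			return -1;	/* malformed, or a negated entry matched */
		if (r == 1)
			result = 1;
		p = comma ? comma + 1 : p + len;
	}
	return result;
}
```

Malformed entries (a prefix length longer than the address family allows, a network that is not an address) return -1 here rather than quietly matching nothing, so a typo in such a list is visible to the caller instead of silently widening or narrowing which clients a Match block applies to.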


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.403 11-Oct-2023 djm

add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@


Revision tags: OPENBSD_7_4_BASE
# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
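As an added example, not sshd's own code, of the random early drop this commit configures: a parser for the begin:rate:full argument and the linear drop-probability ramp that sshd_config(5) describes, with the per-connection decision taking its random roll as a parameter so it can be tested. Treating a bare number as a hard limit with no random region is this example's simplification, and the names are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Added illustration of MaxStartups "begin:rate:full" random early drop; not
 * sshd's own code.  The linear ramp from rate% at 'begin' to 100% at 'full'
 * is the scheme sshd_config(5) describes; treating a bare number as a hard
 * limit with no random region is this example's simplification.
 */
struct max_startups {
	int begin;	/* start dropping at random once this many connections are unauthenticated */
	int rate;	/* drop probability in percent at exactly 'begin' */
	int full;	/* refuse every new connection at or beyond this many */
};

/* Parse the option argument; -1 on a malformed or inconsistent value. */
static int
parse_max_startups(const char *arg, struct max_startups *m)
{
	int n = sscanf(arg, "%d:%d:%d", &m->begin, &m->rate, &m->full);

	if (n == 1) {			/* "MaxStartups 10": hard limit at 10 */
		m->full = m->begin;
		m->rate = 100;
	} else if (n != 3)
		return -1;
	if (m->begin < 1 || m->begin > m->full || m->rate < 1 || m->rate > 100)
		return -1;
	return 0;
}

/* Drop probability (%) for a new connection when 'startups' are already unauthenticated. */
static int
drop_probability(const struct max_startups *m, int startups)
{
	if (startups < m->begin)
		return 0;
	if (startups >= m->full)
		return 100;
	return m->rate + (100 - m->rate) * (startups - m->begin) / (m->full - m->begin);
}

/* Decision for one connection given a uniform roll in 0..99 (passed in to keep it testable). */
static int
should_drop(const struct max_startups *m, int startups, int roll)
{
	return roll < drop_probability(m, startups);
}

/* Probability for a spec string at a given load, or -1 if the spec is invalid. */
static int
drop_probability_for(const char *spec, int startups)
{
	struct max_startups m;

	if (parse_max_startups(spec, &m) != 0)
		return -1;
	return drop_probability(&m, startups);
}

int
main(void)
{
	struct max_startups m;
	int levels[] = { 5, 10, 30, 55, 80, 100 }, i, dropped = 0, trials = 10000;

	if (parse_max_startups("10:30:100", &m) != 0)
		return 1;
	for (i = 0; i < 6; i++)
		printf("%3d unauthenticated connections -> drop %3d%%\n",
		    levels[i], drop_probability(&m, levels[i]));
	/* Simulate a burst with 55 connections in progress; expect about 65% dropped.
	 * rand() suffices for a simulation; a server would take the roll from a CSPRNG. */
	srand(1);
	for (i = 0; i < trials; i++)
		dropped += should_drop(&m, 55, rand() % 100);
	printf("simulated at 55 startups: %d of %d dropped\n", dropped, trials);
	return 0;
}
```

The ramp is what makes the setting a throttle rather than a cliff: with 10:30:100, legitimate clients still get through most of the time under moderate load, while an attacker holding many half-open sessions drives the drop rate towards 100% before the hard limit is reached.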


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
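As an added example, not OpenSSH's addrmatch.c, of the matching this commit and rev 1.299 above describe: a CIDR list matcher for IPv4 and IPv6 with negation and a wildcard fallback, which also refuses malformed ranges such as 127.1.2.3/55 instead of letting them match everything, the failure rev 1.299 fixed. The return-code convention, the simplified wildcard matcher and the function names are the example's own assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Added illustration of CIDR list matching; not OpenSSH's addrmatch.c. */
struct xaddr {
	int af, nbits;		/* AF_INET with 32 bits, or AF_INET6 with 128 */
	unsigned char bytes[16];
};

static int
parse_addr(const char *s, struct xaddr *a)
{
	a->af = AF_INET; a->nbits = 32;
	if (inet_pton(AF_INET, s, a->bytes) == 1)
		return 0;
	a->af = AF_INET6; a->nbits = 128;
	return inet_pton(AF_INET6, s, a->bytes) == 1 ? 0 : -1;
}

/* True if addr lies inside net/masklen; families must agree. */
static int
prefix_contains(const struct xaddr *net, long masklen, const struct xaddr *addr)
{
	int full = (int)(masklen / 8), rem = (int)(masklen % 8);
	unsigned char m = (unsigned char)(0xff << (8 - rem));

	if (net->af != addr->af || memcmp(net->bytes, addr->bytes, full) != 0)
		return 0;
	return rem == 0 || (net->bytes[full] & m) == (addr->bytes[full] & m);
}

/* Classic wildcard fallback: '*' matches any run, '?' one character. */
static int
wildcard_match(const char *pat, const char *s)
{
	for (;; pat++, s++) {
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			if (*pat == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wildcard_match(pat, s))
					return 1;
			return 0;
		}
		if (*pat == '\0' || *s == '\0')
			return *pat == *s;
		if (*pat != '?' && *pat != *s)
			return 0;
	}
}

/*
 * Match a client address against a comma-separated list.  Returns 1 for a
 * positive match, -1 for a negated ("!") match, 0 for none, -2 for a malformed
 * list (e.g. /55 on IPv4).  Entries are CIDR ranges, single addresses or,
 * failing that, wildcard patterns on the textual address.  A negated match
 * is final; a positive one holds unless a later negated entry also matches.
 */
static int
addr_match_list(const char *addr_str, const char *list)
{
	struct xaddr addr, net;
	char *copy, *entry, *next, *slash, *ep;
	long masklen;
	int ret = 0, neg;

	if (parse_addr(addr_str, &addr) != 0 ||
	    (copy = malloc(strlen(list) + 1)) == NULL)
		return -2;
	strcpy(copy, list);
	for (entry = copy; entry != NULL; entry = next) {
		if ((next = strchr(entry, ',')) != NULL)
			*next++ = '\0';
		if ((neg = (*entry == '!')) != 0)
			entry++;
		if ((slash = strchr(entry, '/')) != NULL) {
			*slash++ = '\0';
			masklen = strtol(slash, &ep, 10);
			if (!isdigit((unsigned char)*slash) || *ep != '\0' ||
			    parse_addr(entry, &net) != 0 || masklen > net.nbits) {
				ret = -2;	/* refuse bad ranges rather than let them match */
				break;
			}
			if (!prefix_contains(&net, masklen, &addr))
				continue;
		} else if (parse_addr(entry, &net) == 0) {
			if (!prefix_contains(&net, net.nbits, &addr))
				continue;
		} else if (!wildcard_match(entry, addr_str))
			continue;
		ret = neg ? -1 : 1;
		if (neg)
			break;
	}
	free(copy);
	return ret;
}
```

A caller such as a Match evaluator treats only 1 as a match; both 0 and -1 mean the block does not apply, and -2 is a configuration error to report at load time rather than something to decide on per connection.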


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
    <none>, s, m, h, d, w
Examples:
    600      600 seconds (10 minutes)
    10m      10 minutes
    1h30m    1 hour 30 minutes (90 minutes)
ok markus@
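
The time[qualifier] format described in this entry, re-implemented in Python as an added example for this page (it is not OpenSSH's own convtime() code): each run of digits is scaled by the qualifier that follows it and the pieces are summed. The INT_MAX cap applied here is an assumption taken from the limit noted in revision 1.394 of this log; the function name and the handling of a trailing bare number are likewise this example's choices.

```python
import re
from typing import Optional

# Multipliers for the qualifiers the commit message lists; an absent
# qualifier means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)")

# Timeouts are stored as int and limited to INT_MAX (revision 1.394);
# anything larger is treated as malformed here (assumption of this example).
INT_MAX = 2**31 - 1


def convtime(spec: str) -> Optional[int]:
    """Convert a time[qualifier]... specification into seconds.

    Accepts forms such as "600", "10m" and "1h30m". Returns None when the
    string is empty, contains characters other than digits and the
    qualifiers s/m/h/d/w, has a qualifier with no number in front of it,
    or exceeds INT_MAX once summed.
    """
    if not spec:
        return None
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:            # "h" or "x10": no digits where expected
            return None
        value, unit = m.groups()
        pos = m.end()
        # A number without a qualifier is only accepted at the very end of
        # the string ("600"); in "10x" the "x" is left unconsumed here.
        if unit == "" and pos != len(spec):
            return None
        total += int(value) * _UNITS[unit]
        if total > INT_MAX:
            return None
    return total


if __name__ == "__main__":
    # Constructed sample inputs, including two malformed ones.
    for s in ("600", "10m", "1h30m", "2d12h", "10x", ""):
        print(f"{s!r:10} -> {convtime(s)}")
```

Note that the parser is strict on purpose: a value such as "10x" or a lone "h" yields None rather than a partial count, so a configuration loader built on it can refuse the directive instead of silently applying a shorter timeout than the administrator intended.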


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.402 08-Sep-2023 djm

fix sizeof(*ptr) instead of sizeof(ptr) in realloc (pointer here is
char**, so harmless); spotted in CID 416964


# 1.401 06-Sep-2023 djm

allow override of Subsystem directives in sshd Match blocks


# 1.400 06-Sep-2023 djm

allocate the subsystems array as necessary and remove the fixed limit of
subsystems. Saves a few kb of memory in the server and makes it more like
the other options.


# 1.399 06-Sep-2023 djm

preserve quoting of Subsystem commands and arguments. This may change
behaviour of exotic configurations, but the most common subsystem
configuration (sftp-server) is unlikely to be affected.


# 1.398 06-Sep-2023 djm

downgrade duplicate Subsystem directives from being a fatal error
to being a debug message to match behaviour with just about all other
directives.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@
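
The ListenAddress forms introduced in revision 1.74, the strict port validation of 1.76, the bare-IPv6 fix of 1.144, the removal of the slash syntax in 1.347 and the ":"-only delimiter in this entry all concern the same host/port splitting. The Python below is an added example of that parsing written for this page, not OpenSSH's own hpdelim()/a2port() code; the function names, the default port constant and the decision to reject an empty port after ":" are assumptions made here.

```python
from typing import Optional, Tuple

DEFAULT_PORT = 22  # assumed default when a ListenAddress value has no port


def a2port(s: str) -> Optional[int]:
    """Parse a port strictly: ASCII decimal digits only, range 1-65535."""
    if not s or any(c not in "0123456789" for c in s):
        return None
    port = int(s)
    return port if 1 <= port <= 65535 else None


def hpdelim(spec: str) -> Optional[Tuple[str, Optional[str]]]:
    """Split a value into (host, port_text); port_text is None when absent.

    Accepted forms: host, host:port, [host]:port, [ipv6], bare ipv6.
    Only ':' delimits the port. The historical 'host/port' form is
    rejected (it is too easily confused with CIDR notation), and an
    unbracketed IPv6 address cannot carry a port, which is why the
    bracket form exists.
    """
    if not spec or "/" in spec:
        return None
    if spec.startswith("["):
        end = spec.find("]")
        if end <= 1:                      # "[", "[]" or unterminated bracket
            return None
        host, rest = spec[1:end], spec[end + 1:]
        if rest == "":
            return host, None
        if rest[0] != ":" or len(rest) == 1:
            return None                   # "[::1]x" or "[::1]:" (empty port)
        return host, rest[1:]
    if spec.count(":") > 1:               # bare IPv6 such as ::1, no port
        return spec, None
    if ":" in spec:
        host, port = spec.split(":", 1)
        if not host or not port:
            return None
        return host, port
    return spec, None


def parse_listen_address(spec: str) -> Optional[Tuple[str, int]]:
    """Resolve a ListenAddress value to (host, port), or None if malformed."""
    parts = hpdelim(spec)
    if parts is None:
        return None
    host, port_text = parts
    if port_text is None:
        return host, DEFAULT_PORT
    port = a2port(port_text)
    if port is None:
        return None
    return host, port


if __name__ == "__main__":
    # Constructed sample values covering each accepted form and two
    # rejected ones.
    for s in ("0.0.0.0", "::1", "[::1]:2222", "localhost:2022",
              "10.0.0.1/22", "host:99999"):
        print(f"{s!r:16} -> {parse_listen_address(s)}")
```

The rejected inputs return None rather than a best-effort guess; at config-parse time that is what lets a daemon refuse to start on a mistyped address instead of quietly listening somewhere other than where the administrator expected.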


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
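The three list prefixes introduced in the entries above ('+' to append, 1.277; '-' to remove, 1.304; '^' to prepend, 1.352) and the wildcard expansion described in 1.335 can be modelled compactly. The following is an added example written for this page, not OpenSSH's own kex.c implementation; the SUPPORTED and DEFAULT cipher lists are constructed sample data, and the rule that an unknown literal name is an error while a wildcard matching nothing is silently empty is an assumption of this model.

```python
"""Model of how sshd_config algorithm lists expand against the defaults:
a leading '+' appends, '-' removes, '^' prepends, and a list with no prefix
replaces the default outright. Wildcards ('*', '?') are expanded against
the set of supported algorithms; '!' negation is not supported in these
lists. Illustrative reimplementation only, not OpenSSH's kex.c code.
"""
from fnmatch import fnmatchcase

# Sample algorithm sets, constructed for this example. The real lists come
# from `ssh -Q cipher` and the Ciphers default in sshd_config(5).
SUPPORTED = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT = SUPPORTED[:6]   # the non-CBC subset plays the role of the default


def _dedup(names):
    """Keep the first occurrence of each name, preserving order."""
    seen = set()
    out = []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def _expand(patterns, universe):
    """Expand a comma-separated name/wildcard list against `universe`.

    Each pattern contributes its matches in `universe` order. A literal
    name that is not supported is an error (assumed here, matching sshd's
    rejection of unknown algorithm names); a wildcard that matches nothing
    contributes nothing. Negated patterns ('!') are rejected outright.
    """
    out = []
    for pat in patterns.split(","):
        if not pat:
            raise ValueError("empty algorithm name in list")
        if pat.startswith("!"):
            raise ValueError(f"negated patterns are not supported here: {pat}")
        hits = [name for name in universe if fnmatchcase(name, pat)]
        if not hits and not any(c in pat for c in "*?"):
            raise ValueError(f"unknown algorithm: {pat}")
        out.extend(hits)
    return out


def assemble(spec, default=DEFAULT, supported=SUPPORTED):
    """Return the effective algorithm list for a config value `spec`."""
    if spec.startswith("+"):            # append to the default
        result = list(default) + _expand(spec[1:], supported)
    elif spec.startswith("-"):          # remove matching names from the default
        drop = spec[1:].split(",")
        result = [n for n in default
                  if not any(fnmatchcase(n, p) for p in drop)]
    elif spec.startswith("^"):          # put the named algorithms first
        result = _expand(spec[1:], supported) + list(default)
    else:                               # explicit list replaces the default
        result = _expand(spec, supported)
    result = _dedup(result)
    if not result:
        raise ValueError("algorithm list is empty after expansion")
    return result


if __name__ == "__main__":
    for spec in ("^aes256-gcm@openssh.com", "-*-ctr", "+aes256-cbc",
                 "aes*-gcm@openssh.com,chacha20-poly1305@openssh.com"):
        print(f"{spec:50s} -> {','.join(assemble(spec))}")
```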


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
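
The two commits above that introduce Match blocks (1.153) and CIDR/wildcard/negated "Match address" lists (1.181), together with the -T/-C test mode of 1.182, describe how a connection's effective configuration is derived. The Python below is an added example written for this page, not OpenSSH's servconf.c or addrmatch.c: a miniature sshd_config evaluator that supports only the User and Address criteria, treats every keyword as a single-valued string, and applies the sshd rules that the first setting in the main section wins and that the first applicable Match block to set a keyword overrides it. The negation rule (a matching "!" entry vetoes the whole list, a positive match keeps scanning) follows the address-list semantics the 1.181 example relies on; the sample configuration is constructed.

```python
from __future__ import annotations

import fnmatch
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

Pairs = List[Tuple[str, str]]


def _match_list(patterns: str, hit: Callable[[str], bool]) -> bool:
    """Comma-separated list with OpenSSH negation semantics: a matching '!'
    entry rejects the whole list at once; a matching positive entry is
    remembered but scanning continues so a later '!' entry can still veto."""
    matched = False
    for raw in patterns.split(","):
        neg = raw.startswith("!")
        pat = raw[1:] if neg else raw
        if not pat:
            raise ValueError("empty entry in pattern list %r" % patterns)
        if hit(pat):
            if neg:
                return False
            matched = True
    return matched


def pattern_list_match(value: str, patterns: str) -> bool:
    """Case-insensitive '*'/'?' wildcard matching, used here for Match User."""
    return _match_list(patterns, lambda p: fnmatch.fnmatchcase(value.lower(), p.lower()))


def addr_match_list(addr: str, patterns: str) -> bool:
    """Match Address: each entry is tried as a CIDR range or plain address;
    one that does not parse as such falls back to wildcard matching on the
    textual address (so "!10.*" works).  The other address family never matches."""
    ip = ipaddress.ip_address(addr)

    def hit(pat: str) -> bool:
        try:
            return ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return fnmatch.fnmatchcase(addr.lower(), pat.lower())

    return _match_list(patterns, hit)


_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")  # "Key val" or "Key=val"


def parse_sshd_config(text: str) -> Tuple[Pairs, List[Tuple[Pairs, Pairs]]]:
    """Return (main_section, [(match_criteria, block_body), ...]).
    Keywords are lower-cased; '#' starts a comment (simplification)."""
    main: Pairs = []
    blocks: List[Tuple[Pairs, Pairs]] = []
    current: Optional[Pairs] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m or not m.group(2):
            raise ValueError("line %d: keyword without a value" % lineno)
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            tokens = value.split()
            if not tokens or len(tokens) % 2:
                raise ValueError("line %d: Match needs criterion/value pairs" % lineno)
            current = []
            blocks.append(([(tokens[i].lower(), tokens[i + 1]) for i in range(0, len(tokens), 2)], current))
        elif current is None:
            main.append((keyword, value))
        else:
            current.append((keyword, value))
    return main, blocks


def block_applies(criteria: Pairs, user: str, addr: str) -> bool:
    """Every criterion on the Match line must hold (User and Address only here)."""
    for crit, arg in criteria:
        if crit == "user":
            ok = pattern_list_match(user, arg)
        elif crit == "address":
            ok = addr_match_list(addr, arg)
        else:
            raise ValueError("Match criterion %r not supported by this example" % crit)
        if not ok:
            return False
    return True


def effective_config(text: str, user: str, addr: str) -> Dict[str, str]:
    """What 'sshd -T -C user=...,addr=...' would report for one connection:
    the first applicable Match block to set a keyword wins, otherwise the
    first setting in the main section wins (first-match-wins throughout)."""
    main, blocks = parse_sshd_config(text)
    result: Dict[str, str] = {}
    for criteria, body in blocks:
        if block_applies(criteria, user, addr):
            for keyword, value in body:
                result.setdefault(keyword, value)
    for keyword, value in main:
        result.setdefault(keyword, value)
    return result


# Constructed sample: the anoncvs example from the commit plus a CIDR Match block.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
"""
```

Running effective_config(SAMPLE_CONFIG, "anoncvs", "198.51.100.7") gives allowtcpforwarding=no, while "alice" from 10.1.2.3 keeps passwordauthentication=no because the negated "10.*" entry vetoes the address list even though it comes last.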


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
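
The time[qualifier] syntax listed above is easy to get subtly wrong (runs may be chained, "1h30" is 3630 seconds, and anything that is not a digit or a known qualifier must be rejected rather than silently truncated). The Python below is an added example written for this page, not OpenSSH's convtime(): it parses the same grammar, sums the runs, and rejects malformed values. Raising ValueError instead of returning -1 and the INT_MAX cap are this example's own choices.

```python
import re

# seconds per qualifier; "" is the bare-number case (seconds)
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdwSMHDW]?)")   # one run: digits plus optional qualifier
INT_MAX = 2 ** 31 - 1


def convtime(spec: str) -> int:
    """Convert "600", "10m" or "1h30m" into seconds.

    Runs are consumed left to right and summed, so "1h30m" is 5400 and
    "1h30" is 3630.  Anything left over that is not a digit run with an
    optional qualifier (e.g. "5x", "-1", " 10m") is rejected, as is a
    total larger than INT_MAX, since sshd stores these values in an int.
    """
    if not spec:
        raise ValueError("empty time value")
    total, pos = 0, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError("bad time value %r at offset %d" % (spec, pos))
        total += int(m.group(1)) * _UNITS[m.group(2).lower()]
        if total > INT_MAX:
            raise ValueError("time value %r too large" % spec)
        pos = m.end()
    return total


def parse_time_option(keyword: str, value: str) -> int:
    """Helper in the style of a config parser: report which keyword carried
    the bad value, e.g. for 'LoginGraceTime 2m' or 'ClientAliveInterval 5x'."""
    try:
        return convtime(value)
    except ValueError as e:
        raise ValueError("%s: %s" % (keyword, e)) from None


if __name__ == "__main__":
    for v in ("600", "10m", "1h30m", "2m"):
        print(v, "->", convtime(v), "seconds")
```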


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.397 29-Aug-2023 djm

make PerSourceMaxStartups first-match-wins; ok dtucker@


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as a deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
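
Rev 1.299 above (AllowUsers/DenyUsers ranges such as djm@127.1.2.3/55
matching everything) and rev 1.369 (Match Address / Match LocalAddress
masks checked in config-test mode) describe the same class of bug: an
address range that fails to parse must be rejected when the config is
loaded, never treated as a wildcard at match time. The following is an
added example of that load-time check, not OpenSSH's code. The entry
strings are constructed samples; the runtime matcher handles only exact
addresses and CIDR ranges (hostname patterns are out of scope); and the
choice to also reject a mask that leaves host bits set (10.1.2.3/8) is an
assumption of this example, not something the log states.

```python
"""Load-time validation of user@address entries and CIDR ranges.

Added example, not OpenSSH code. Entry strings are constructed samples.
"""
import ipaddress


class ConfigError(ValueError):
    """Raised while loading so a bad range never reaches the matcher."""


def parse_user_entry(entry):
    """Split an AllowUsers/DenyUsers entry into (user, host).
    host is None when there is no '@' part; otherwise it is an exact
    address or a CIDR range (hostname patterns not handled here)."""
    user, sep, host = entry.partition("@")
    if not user:
        raise ConfigError("missing user in %r" % entry)
    if sep and not host:
        raise ConfigError("empty host part in %r" % entry)
    return user, (host if sep else None)


def validate_cidr(text):
    """Strict CIDR check: rejects impossible prefix lengths (127.1.2.3/55)
    and, by assumption in this example, masks that leave host bits set."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError as e:
        raise ConfigError("invalid address range %r: %s" % (text, e)) from None


def load_entries(entries):
    """Parse every entry up front and return (user, host) pairs where any
    host containing '/' has already been proven a valid network. This is
    the point at which a broken config should fail (sshd -t territory)."""
    loaded = []
    for entry in entries:
        user, host = parse_user_entry(entry)
        if host is not None and "/" in host:
            host = validate_cidr(host)
        loaded.append((user, host))
    return loaded


def rejected(entries):
    """True when load_entries() refuses the list."""
    try:
        load_entries(entries)
    except ConfigError:
        return True
    return False


def naive_match(addr, cidr):
    """The failure mode the log describes, reconstructed for contrast:
    a matcher that swallows the parse error matches every client, so
    'djm@127.1.2.3/55' would admit djm from anywhere."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True


def user_allowed(loaded, user, addr):
    """Runtime check against entries that load_entries() already validated.
    A bare user matches any address; a string host must equal the client
    address exactly; a network must contain it (address-family mismatch
    simply does not match)."""
    client = ipaddress.ip_address(addr)
    for entry_user, host in loaded:
        if entry_user != user:
            continue
        if host is None:
            return True
        if isinstance(host, str):
            if host == addr:
                return True
        elif client in host:
            return True
    return False


if __name__ == "__main__":
    print("naive matcher, bad range:", naive_match("192.0.2.7", "127.1.2.3/55"))
    print("strict load rejects it:", rejected(["djm@127.1.2.3/55"]))
    table = load_entries(["djm@10.0.0.0/8", "ops", "root@2001:db8::/32"])
    print("djm from 10.1.2.3:", user_allowed(table, "djm", "10.1.2.3"))
    print("djm from 192.0.2.7:", user_allowed(table, "djm", "192.0.2.7"))
```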


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
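
The '+' (append, rev 1.277 above), '-' (remove, rev 1.304), '^' (prepend,
rev 1.352) and wildcard-expansion (rev 1.335) rules for algorithm lists
are easy to get wrong when auditing a config, so here is an added worked
example of the assembly logic. It is not OpenSSH's code: the cipher names
and preference order are constructed sample data, wildcard matching uses
fnmatch, and "a '-' pattern that removes nothing is not an error" is an
assumption of this example rather than something the log states. What the
log does state is reflected: lists are fully expanded at finalisation,
unknown names fail early, and '!' negation is not accepted.

```python
"""Algorithm-list assembly with the '+', '-' and '^' prefixes.

Added example, not OpenSSH code. SUPPORTED_CIPHERS/DEFAULT_CIPHERS are
constructed sample data, not the defaults of any sshd release.
"""
from fnmatch import fnmatchcase

# Constructed sample: everything this build "supports", in preference order.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
# Constructed sample default: the CBC modes are supported but not enabled.
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


class ConfigError(ValueError):
    """Raised at config-finalisation time so a bad list fails early."""


def _split(spec):
    """Split a comma-separated list and reject the two things the log says
    are not allowed: empty names and '!' negation (wildcards are accepted,
    but these are not full pattern-lists)."""
    names = spec.split(",")
    for n in names:
        if n == "":
            raise ConfigError("empty algorithm name in %r" % spec)
        if n.startswith("!"):
            raise ConfigError("negation (%r) not supported in algorithm lists" % n)
    return names


def _expand(spec, supported):
    """Expand names/wildcards against the supported set in first-seen order;
    a name or pattern that matches nothing is an error, so a typo surfaces
    at load time instead of silently shrinking the list."""
    out = []
    for pat in _split(spec):
        hits = [a for a in supported if fnmatchcase(a, pat)]
        if not hits:
            raise ConfigError("unknown algorithm or pattern: %r" % pat)
        for a in hits:
            if a not in out:
                out.append(a)
    return out


def assemble(spec, default, supported):
    """Return the effective, fully expanded list for one directive value.

    '+list'  append matching items after the default
    '-list'  drop default items matching any name/wildcard in list
    '^list'  put matching items first, then the rest of the default
    'list'   replace the default entirely
    """
    if spec.startswith("+"):
        added = _expand(spec[1:], supported)
        return default + [a for a in added if a not in default]
    if spec.startswith("-"):
        patterns = _split(spec[1:])
        return [a for a in default
                if not any(fnmatchcase(a, p) for p in patterns)]
    if spec.startswith("^"):
        first = _expand(spec[1:], supported)
        return first + [a for a in default if a not in first]
    return _expand(spec, supported)


def rejected(spec, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """True when the value would be refused at config load."""
    try:
        assemble(spec, default, supported)
    except ConfigError:
        return True
    return False


if __name__ == "__main__":
    for value in ("^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                  "-*cbc", "+*cbc", "-*-ctr", "aes*-ctr"):
        print("Ciphers %-45s -> %s" % (value, ",".join(
            assemble(value, DEFAULT_CIPHERS, SUPPORTED_CIPHERS))))
    print("Ciphers +nosuchcipher rejected:", rejected("+nosuchcipher"))
```

The point worth checking on a real host is the last case: because the
list is expanded when the config is finalised, a misspelled algorithm in
a '+' or '^' list is a hard error in sshd -t rather than a silently
ignored entry, which is the behaviour an auditor wants.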


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
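
An added worked example of the three-field form (example code for this page, not sshd's own connection handling): parse "begin:rate:full" and compute the refusal probability as a linear ramp from rate percent when begin unauthenticated connections are pending up to 100 percent at full, which is how sshd_config(5) describes random early drop. sshd draws its random number itself; here it is passed in so the decision is reproducible. The integer arithmetic, the `drop_curve` helper and reading the single-value form as "refuse everything once that many are pending" are this example's choices.

```python
def _positive_int(text, spec):
    if not text.isdigit() or int(text) < 1:
        raise ValueError(f"bad MaxStartups {spec!r}: {text!r} is not a positive integer")
    return int(text)


def parse_max_startups(spec):
    """'MaxStartups n' or 'MaxStartups begin:rate:full' -> (begin, rate, full).
    The single-value form refuses every new connection once n are pending."""
    fields = spec.split(":")
    if len(fields) == 1:
        n = _positive_int(fields[0], spec)
        return n, 100, n
    if len(fields) != 3:
        raise ValueError(f"bad MaxStartups {spec!r}: expected n or begin:rate:full")
    begin, rate, full = (_positive_int(f, spec) for f in fields)
    if rate > 100 or begin > full:
        raise ValueError(f"bad MaxStartups {spec!r}: rate must be 1..100 and begin <= full")
    return begin, rate, full


def drop_probability(startups, begin, rate, full):
    """Percent chance of refusing a new connection with `startups` unauthenticated
    connections pending: 0 below begin, rate at begin, linearly up to 100 at full.
    Integer arithmetic, so the ramp is stepwise rather than smooth."""
    if startups < begin:
        return 0
    if startups >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (startups - begin) // (full - begin)


def should_drop(startups, spec, rand):
    """rand is an integer in [0, 100); sshd picks it uniformly at random,
    it is injected here so the outcome can be checked."""
    if not 0 <= rand < 100:
        raise ValueError("rand must be in [0, 100)")
    begin, rate, full = parse_max_startups(spec)
    return rand < drop_probability(startups, begin, rate, full)


def drop_curve(spec, step=10):
    """(startups, percent) samples: a quick look at how aggressive a setting is."""
    begin, rate, full = parse_max_startups(spec)
    return [(n, drop_probability(n, begin, rate, full)) for n in range(0, full + 1, step)]
```

With "10:30:100" the eleventh pending connection already has a 30 percent chance of being refused, so a slow-loris style attacker needs far more parallel connections to reach the hard limit than with the old single-value setting.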


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
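
A small added model of how such a specification can be evaluated (example code for this page, not sshd's auth2.c): each space-separated list is tracked on its own, the methods within a list must be completed in the listed order (sshd_config(5) describes "publickey,password publickey,keyboard-interactive" as public key followed by either of the other two), a completed method advances every list whose next step it is and leaves the other lists untouched, and authentication succeeds as soon as one list is fully completed. The class name and the handling of lists that do not expect the completed method are this example's own choices.

```python
class AuthMethodsPolicy:
    """Progress tracker for an AuthenticationMethods specification.

    spec: one or more space-separated lists; each list is a comma-separated
    sequence of method names that must be completed in that order.
    Authentication succeeds once any one list is fully completed."""

    def __init__(self, spec):
        self.lists = [(entry.split(","), 0) for entry in spec.split()]
        if not self.lists or any("" in methods for methods, _ in self.lists):
            raise ValueError(f"invalid AuthenticationMethods {spec!r}")
        self.done = False

    def offered(self):
        """Methods the server should advertise now: the next step of every
        list still in play, without duplicates, in configuration order."""
        names = []
        for methods, pos in self.lists:
            if methods[pos] not in names:
                names.append(methods[pos])
        return names

    def complete(self, method):
        """Record one successfully completed method. Returns True once some
        list is satisfied. A list whose next step is a different method is
        left where it is; it can only advance through its own sequence."""
        if self.done:
            return True
        if method not in self.offered():
            raise ValueError(f"{method!r} is not an offered method")
        advanced = []
        for methods, pos in self.lists:
            if methods[pos] != method:
                advanced.append((methods, pos))
                continue
            if pos + 1 == len(methods):
                self.done, self.lists = True, []
                return True
            advanced.append((methods, pos + 1))
        self.lists = advanced
        return False
```

The `offered()` view matters operationally: after a successful public key the server must only advertise the second-factor methods, otherwise a client could complete "publickey" twice and never be asked for the password.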


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
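
The example below is added for this page and is not code from servconf.c, addrmatch.c or match.c. It ties this entry together with the later 1.181 change (CIDR "Match address" with negation and wildcard fall-back) and the 1.243 change ("Match all", empty Match rejected): it parses a small constructed sshd_config, evaluates Match User and Match Address criteria, and applies the first-match-per-keyword rule: within one section the first occurrence of a keyword wins, a matching Match block overrides the global value, and once a keyword has been set by a matching block, later matching blocks do not change it. Using fnmatch for the wildcard fall-back and masking host bits off a prefix rather than rejecting it are this example's choices.

```python
import fnmatch
import ipaddress


def addr_match_list(addr, pattern_list):
    """1 = matched, 0 = no match, -1 = a negated entry matched (which wins outright).
    Entries are CIDR blocks; anything that does not parse as one is tried as a
    classic * / ? wildcard pattern instead."""
    ip = ipaddress.ip_address(addr)
    ret = 0
    for entry in pattern_list.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            raise ValueError(f"empty entry in address list {pattern_list!r}")
        try:
            net = ipaddress.ip_network(entry, strict=False)   # host bits are masked off
            hit = ip in net                                    # False across v4/v6
        except ValueError:
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit:
            if neg:
                return -1
            ret = 1   # keep scanning: a later "!" entry may still veto
    return ret


def pattern_match_list(name, pattern_list):
    """Wildcard list with "!" negation for Match User; same 1 / 0 / -1 contract."""
    ret = 0
    for entry in pattern_list.split(","):
        neg = entry.startswith("!")
        if fnmatch.fnmatchcase(name, entry[1:] if neg else entry):
            if neg:
                return -1
            ret = 1
    return ret


def parse_sshd_config(text):
    """Return (global options, [(criteria, block options), ...]).
    Keywords are lower-cased; within one section the first value wins."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword != "match":
            current.setdefault(keyword, args)
            continue
        tokens = args.split()
        if tokens == ["all"]:
            criteria = []                        # "Match all": every connection
        elif not tokens or len(tokens) % 2:
            raise ValueError(f"bad Match line: {line!r}")   # empty Match is an error
        else:
            criteria = list(zip((t.lower() for t in tokens[::2]), tokens[1::2]))
        current = {}
        blocks.append((criteria, current))
    return global_opts, blocks


def match_applies(criteria, user, address):
    for crit, pattern in criteria:
        if crit == "user" and pattern_match_list(user, pattern) != 1:
            return False
        if crit == "address" and addr_match_list(address, pattern) != 1:
            return False
        if crit not in ("user", "address"):
            raise ValueError(f"unsupported Match criterion {crit!r}")
    return True


def effective_options(text, user, address):
    """Global values first; the first matching Match block that sets a keyword
    overrides it, and later matching blocks cannot change it again."""
    global_opts, blocks = parse_sshd_config(text)
    result, set_by_match = dict(global_opts), set()
    for criteria, opts in blocks:
        if not match_applies(criteria, user, address):
            continue
        for keyword, value in opts.items():
            if keyword not in set_by_match:
                result[keyword] = value
                set_by_match.add(keyword)
    return result


# Constructed sample, not a real sshd_config.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match User anoncvs Address 192.0.2.0/24
    AllowTcpForwarding yes    # never wins: the first matching block already set it
"""
```

Two points worth checking in any real deployment follow from the 1 / 0 / -1 contract: a negated entry anywhere in the list vetoes an earlier positive match, and an entry that is not valid CIDR silently degrades to string matching, so "192.0.2.0/24" and a typo such as "192.0.2.0/2 4" behave very differently.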


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
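
An added parser for that syntax (example code for this page, not OpenSSH's convtime()): it walks the string one integer-plus-qualifier component at a time, so "1h30m" and "600" are both accepted, and it rejects an empty string, a stray character, a sign, or a value that would not fit a C int. The INT_MAX cap is this example's assumption about what the caller can hold.

```python
import re

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_COMPONENT = re.compile(r"([0-9]+)([smhdw]?)")
INT_MAX = 2 ** 31 - 1      # assumption: the result is handed back as a C int


def convtime(spec):
    """Parse a time[qualifier] sequence such as 600, 10m or 1h30m into seconds.
    Raises ValueError for anything else (empty, stray characters, overflow)."""
    if not spec:
        raise ValueError("empty time value")
    total, pos = 0, 0
    while pos < len(spec):
        m = _COMPONENT.match(spec, pos)
        if m is None:
            raise ValueError(f"invalid time value {spec!r} at offset {pos}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        if total > INT_MAX:
            raise ValueError(f"time value {spec!r} is too large")
        pos = m.end()
    return total


def is_valid_time(spec):
    """Convenience wrapper for config validation: True if convtime() accepts spec."""
    try:
        convtime(spec)
        return True
    except ValueError:
        return False
```

Note that a bare number is seconds, so "LoginGraceTime 2" is two seconds, not two minutes; the qualifier-less form is the one most often mistyped.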


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
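
An added parser for these forms (example code for this page, not OpenSSH's hpdelim()), which also covers the bare IPv6 case that the 1.144 entry above unbreaks: a leading "[" delimits the host explicitly, a single colon separates host and port, and two or more colons without brackets mean the whole string is an IPv6 address with no port. The port range check and the helper names are this example's choices.

```python
import ipaddress


def _parse_port(text, spec):
    if not text.isdigit():
        raise ValueError(f"bad port in ListenAddress {spec!r}")
    port = int(text)
    if not 1 <= port <= 65535:      # this example's range check; port 0 is not a listener
        raise ValueError(f"port out of range in ListenAddress {spec!r}")
    return port


def parse_listen_address(spec):
    """Return (host, port); port is None when the spec leaves it to the Port option.
    Accepted: host|ipv4|ipv6, [host|ipv4|ipv6]:port, host|ipv4:port."""
    if not spec:
        raise ValueError("empty ListenAddress")
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0:
            raise ValueError(f"unterminated '[' in ListenAddress {spec!r}")
        host, rest = spec[1:close], spec[close + 1:]
        if rest == "":
            port = None
        elif rest.startswith(":"):
            port = _parse_port(rest[1:], spec)
        else:
            raise ValueError(f"junk after ']' in ListenAddress {spec!r}")
    else:
        first = spec.find(":")
        if first < 0:
            host, port = spec, None
        elif ":" in spec[first + 1:]:
            # two or more colons and no brackets: a bare IPv6 address, no port
            host, port = spec, None
            ipaddress.IPv6Address(host)          # raises ValueError if it is not one
        else:
            host, port = spec[:first], _parse_port(spec[first + 1:], spec)
    if not host:
        raise ValueError(f"empty host in ListenAddress {spec!r}")
    return host, port


def is_valid_listen_address(spec):
    """True if parse_listen_address() accepts spec; handy for config linting."""
    try:
        parse_listen_address(spec)
        return True
    except ValueError:
        return False
```

The ambiguity to remember: "2001:db8::1:2222" is a valid IPv6 address and is parsed as one, so an IPv6 listener on a non-default port must be written with brackets, "[2001:db8::1]:2222", or it will silently bind to the Port default.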


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.396 17-Jul-2023 djm

move other RCSIDs to before their respective license blocks too
no code change


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
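
To make the meaning of the new 10:30:100 default concrete, here is an added example (my own code, not sshd's) that parses a MaxStartups value and computes the refusal probability at a given number of unauthenticated connections, following the linear random-early-drop behaviour that sshd_config(5) describes. The function names (parse_max_startups, drop_probability, should_drop, drop_table) are my own, and treating a bare "N" as start=full=N with no early drop is an assumption of this example.

```python
import random


def parse_max_startups(spec):
    """Parse a MaxStartups value: either "N" or "start:rate:full".

    "N" is treated here as start=full=N with rate 100, i.e. a hard cutoff
    without random early drop (an assumption of this example).
    """
    fields = spec.split(":")
    if len(fields) == 1:
        n = int(fields[0])
        start, rate, full = n, 100, n
    elif len(fields) == 3:
        start, rate, full = (int(f) for f in fields)
    else:
        raise ValueError(f"MaxStartups: bad value {spec!r}")
    # start must not exceed full, and rate is a percentage.
    if full < start or not 1 <= rate <= 100:
        raise ValueError(f"MaxStartups: inconsistent value {spec!r}")
    return start, rate, full


def drop_probability(unauth_connections, spec):
    """Percentage chance that a new connection is refused when the given
    number of unauthenticated connections already exists.

    Below `start` nothing is dropped; at `start` the chance is `rate`%;
    it rises linearly until every connection is refused at `full`.
    """
    start, rate, full = parse_max_startups(spec)
    if unauth_connections < start:
        return 0.0
    if unauth_connections >= full:
        return 100.0
    return rate + (100 - rate) * (unauth_connections - start) / (full - start)


def should_drop(unauth_connections, spec, rng=random):
    """Make the early-drop decision for one incoming connection.
    `rng` only needs a uniform(a, b) method, so it can be injected for tests."""
    return rng.uniform(0, 100) < drop_probability(unauth_connections, spec)


def drop_table(spec, points=(0, 10, 25, 50, 75, 100)):
    """Drop percentages at several load points, for comparing two settings."""
    return {n: drop_probability(n, spec) for n in points}


if __name__ == "__main__":
    # Compare the old hard cutoff of 10 with the new 10:30:100 default.
    for spec in ("10", "10:30:100"):
        print(spec, drop_table(spec))
```

With the old value of 10, the eleventh unauthenticated connection is refused outright; with 10:30:100 the tenth is refused 30% of the time and the chance climbs linearly, so a burst of half-open connections degrades service gradually instead of locking out everyone at once.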


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
no longer be used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
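
The Match semantics described in this entry (1.153) and the CIDR/wildcard address matching with negation from entry 1.181 above are easy to get wrong when reviewing a server configuration, so here is an added example, my own code and not OpenSSH's servconf.c or addrmatch.c, that models them: a small evaluator that reads an sshd_config-style text, applies first-match semantics, and returns the effective options for a given user and source address. It only understands "Match User", "Match address" and "Match all"; the sample configuration, the function names (addr_match_list, effective_options) and the rule that a matching negated entry rejects the address outright are assumptions of this example.

```python
import fnmatch
import ipaddress

# Constructed sample configuration (not a real sshd_config): a global section
# followed by two Match blocks, one keyed on address, one on user.
SAMPLE_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding yes
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match User anoncvs
    AllowTcpForwarding no
"""


def _addr_matches(pattern, addr):
    """One pattern: CIDR if it parses as a network, else classic wildcard."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(str(addr), pattern)
    return addr.version == net.version and addr in net


def addr_match_list(pattern_list, addr_str):
    """Evaluate a comma-separated "Match address" list with '!' negation.

    Assumed semantics (modelled on the description in entry 1.181, not
    copied from addrmatch.c): a negated entry that matches rejects the
    address outright; otherwise the result is true if any positive entry
    matched.
    """
    addr = ipaddress.ip_address(addr_str)
    found = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if _addr_matches(pat, addr):
            if negate:
                return False
            found = True
    return found


def _match_criteria(criteria, user, addr):
    """Evaluate the keyword/value pairs after "Match"; only User, address
    and "all" are modelled here."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    pairs = iter(criteria)
    for key in pairs:
        value = next(pairs, None)
        if value is None:
            raise ValueError(f"Match {key}: missing argument")
        if key.lower() == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in value.split(",")):
                return False
        elif key.lower() == "address":
            if not addr_match_list(value, addr):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {key}")
    return True


def effective_options(config_text, user, addr):
    """Return the effective options (lower-cased keyword -> value) for a
    connection from `user` at `addr`.

    Global section: the first occurrence of a keyword wins. Match blocks:
    the first matching block that sets a keyword wins, and a value set in
    a matching block overrides the global one.
    """
    global_opts, match_opts = {}, {}
    in_match, active = False, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "match":
            if not args:
                raise ValueError("empty Match statement")
            in_match = True
            active = _match_criteria(args, user, addr)
            continue
        if not active:
            continue
        target = match_opts if in_match else global_opts
        target.setdefault(keyword, " ".join(args))
    return {**global_opts, **match_opts}


if __name__ == "__main__":
    for user, addr in (("alice", "192.0.2.7"), ("anoncvs", "10.1.2.3")):
        print(user, addr, effective_options(SAMPLE_CONFIG, user, addr))
```

Running it against the sample shows the two points worth remembering when auditing a config: "anoncvs" connecting from 192.0.2.7 gets PasswordAuthentication yes from the first block and AllowTcpForwarding no from the second, while a client in 10.0.0.0/8 never satisfies the address block because the negated entry wins regardless of order.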


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
  600     600 seconds (10 minutes)
  10m     10 minutes
  1h30m   1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could log in even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.395 21-Jun-2023 djm

better validate CASignatureAlgorithms in ssh_config and sshd_config.

Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.

part of bz3577; ok dtucker@


# 1.394 05-Jun-2023 millert

Store timeouts as int, not u_int as they are limited to INT_MAX.
Fixes sign compare warnings on systems with 32-bit time_t due to type
promotion. OK djm@


# 1.393 24-May-2023 djm

fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears
previously in configuration. Reported by John Meyers in bz3574
ok dtucker@


Revision tags: OPENBSD_7_3_BASE
# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@

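The "Match address" list semantics described in this entry (CIDR first, wildcard fallback, "!" negation) and the load-time CIDR validation from rev 1.299 (so that a range like djm@127.1.2.3/55 is refused instead of always matching), as an added illustration that is not OpenSSH code: a simplified Python model of those rules, with the user@addrlist handling for AllowUsers reduced to its address-list part (an assumption of this example, not a description of sshd's full match_user logic).

```python
import ipaddress
import re

# Added example, not OpenSSH code: a model of sshd's "Match address" list
# evaluation and of AllowUsers/DenyUsers "user@addrlist" validation.
# Entries are comma-separated; each is tried as a CIDR range first and, if it
# does not parse as CIDR, as a wildcard pattern; a leading "!" negates it.


def _glob_to_re(pattern):
    """Translate an OpenSSH-style wildcard (only '*' and '?') into a regex."""
    parts = []
    for c in pattern:
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        else:
            parts.append(re.escape(c))
    return re.compile("".join(parts))


def parse_addr_list(spec):
    """Parse an address list at configuration-load time.

    Raises ValueError for an empty entry, or for an entry that looks like a
    CIDR range (contains '/') but is invalid, e.g. '127.1.2.3/55'.  Before
    rev 1.299 such an entry was accepted and then always matched; refusing
    it when the config is loaded is the behaviour that commit introduced.
    """
    entries = []
    for raw in spec.split(","):
        negated = raw.startswith("!")
        item = raw[1:] if negated else raw
        if item == "":
            raise ValueError("empty entry in address list %r" % spec)
        try:
            # strict=False: host bits may be set; sshd masks both sides anyway.
            net = ipaddress.ip_network(item, strict=False)
            entries.append((negated, "cidr", net))
        except ValueError:
            if "/" in item:
                raise ValueError("invalid CIDR range %r" % item)
            # Not CIDR at all: fall back to classic wildcard matching.
            entries.append((negated, "glob", _glob_to_re(item)))
    return entries


def addr_match_list(addr, entries):
    """Evaluate a parsed list against a client address.

    Returns 1 on a positive match, 0 when nothing matched, and -1 when the
    address hits a negated entry; a negated hit wins regardless of order.
    """
    ip = ipaddress.ip_address(addr)
    result = 0
    for negated, kind, matcher in entries:
        if kind == "cidr":
            hit = ip.version == matcher.version and ip in matcher
        else:
            hit = matcher.fullmatch(addr) is not None
        if hit:
            if negated:
                return -1
            result = 1
    return result


def parse_allow_user(spec):
    """Parse one AllowUsers/DenyUsers entry: USER or USER@ADDRLIST.

    The address part is validated immediately, so a bad range fails at
    load time rather than silently matching every connection.
    """
    if "@" in spec:
        user_pat, addr_spec = spec.split("@", 1)
        return _glob_to_re(user_pat), parse_addr_list(addr_spec)
    return _glob_to_re(spec), None


def allow_user_matches(parsed, user, addr):
    """True if the (user, client address) pair satisfies a parsed entry."""
    user_re, entries = parsed
    if user_re.fullmatch(user) is None:
        return False
    return entries is None or addr_match_list(addr, entries) == 1


if __name__ == "__main__":
    # Constructed sample inputs taken from the list in the commit message.
    rules = parse_addr_list("192.0.2.0/24,3ffe:ffff::/32,!10.*")
    for a in ("192.0.2.77", "3ffe:ffff::1", "10.1.2.3", "198.51.100.1"):
        print(a, addr_match_list(a, rules))  # -> 1, 1, -1, 0
    try:
        parse_allow_user("djm@127.1.2.3/55")
    except ValueError as e:
        print("rejected at load time:", e)
```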

# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.392 05-Mar-2023 dtucker

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
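The matching rule this commit describes (CIDR entries, negation with a leading "!", and a wildcard fallback for entries that are not addresses), as an added example written in Python; it is not the addrmatch.c code the commit refers to. The function match_address, the per-entry fallback to fnmatch-style wildcards, and the rule that a matching negated entry rejects the address immediately are this example's own modelling choices, patterned on OpenSSH's general pattern-list convention rather than taken from the commit. The sample client addresses are constructed.

```python
import fnmatch
import ipaddress


def _entry_matches(addr, entry: str) -> bool:
    """True if one (non-negated) list entry covers addr.

    An entry that parses as an address or CIDR block is compared
    numerically, so "192.0.2.0/24" covers 192.0.2.7 but not 192.0.3.1.
    Anything else, e.g. "10.*", falls back to wildcard matching against
    the textual form of the address. Doing the fallback per entry (rather
    than for the whole list) is an assumption of this example, as is using
    fnmatch, whose "[...]" classes OpenSSH's own matcher does not have.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(str(addr), entry)
    return addr.version == net.version and addr in net


def match_address(client_addr: str, pattern_list: str) -> bool:
    """Evaluate a comma-separated "Match address" list for one client.

    A matching negated entry ("!10.*") rejects the address outright, a
    matching positive entry marks it accepted unless a later negated entry
    rejects it, and an address that matches nothing is not accepted.
    """
    addr = ipaddress.ip_address(client_addr)
    accepted = False
    for raw in pattern_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if _entry_matches(addr, entry):
            if negated:
                return False
            accepted = True
    return accepted


# The list from the commit message, reused here as constructed sample input.
EXAMPLE_LIST = "192.0.2.0/24,3ffe:ffff::/32,!10.*"

if __name__ == "__main__":
    for client in ("192.0.2.7", "3ffe:ffff:1::1", "10.1.2.3", "198.51.100.1"):
        verdict = "block applies" if match_address(client, EXAMPLE_LIST) else "no match"
        print(f"{client:>16}: {verdict}")
```

Order matters once positive and negated entries overlap: with "10.0.0.0/8,!10.1.*" a client at 10.1.2.3 is first accepted by the CIDR entry and then rejected by the negation, while 10.2.0.1 stays accepted, so a negated entry is the reliable way to carve an exception out of a broader block.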


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
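The time[qualifier] format this commit describes, as an added example in Python; it is not OpenSSH's own parser, which is written in C. Each token is an integer followed by an optional qualifier, and tokens are summed, so "1h30m" is 90 minutes. The function name parse_time and the decision to reject anything that is not a complete sequence of digit runs and known qualifiers are this example's own choices.

```python
import re

# Qualifiers listed in the commit message and their value in seconds.
# The empty qualifier means plain seconds.
_QUALIFIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One token: a run of ASCII digits followed by an optional single qualifier.
_TOKEN = re.compile(r"([0-9]+)([smhdw]?)")


def parse_time(spec: str) -> int:
    """Convert a time[qualifier] sequence such as "600", "10m" or "1h30m"
    into a number of seconds.

    Tokens are consumed left to right and summed, so "1h30m" is 5400.
    Anything that is not a complete sequence of digit-run plus qualifier
    (e.g. "10x", "m5", "", " 600", "10mm") raises ValueError: a
    configuration parser should reject what it cannot fully understand
    rather than silently use a truncated value.
    """
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"invalid time specification: {spec!r}")
        value, qualifier = m.groups()
        total += int(value) * _QUALIFIERS[qualifier]
        pos = m.end()
    return total


if __name__ == "__main__":
    # The three examples from the commit message.
    for example in ("600", "10m", "1h30m"):
        print(f"{example:>8} -> {parse_time(example)} seconds")
```

Whether a value of zero is acceptable depends on the option it is assigned to (LoginGraceTime and similar knobs give it a special meaning), so range checks belong in the caller, not in the format parser.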


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.391 03-Mar-2023 djm

actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
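Worked example (added here, not code from the OpenSSH tree) of how the '+', '-' and '^' prefixes described in revisions 1.277, 1.304 and 1.352 combine with the compiled-in default, including the wildcard handling and early full expansion that revision 1.335 describes. The cipher tables below are constructed sample data, not the real OpenSSH lists, and the plain (unprefixed) form here checks exact names only:

```python
from fnmatch import fnmatchcase

# Constructed sample tables (not OpenSSH's real cipher lists): the set the
# build supports, and the subset enabled by default.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def _split(body):
    """Split a comma-separated list, dropping empty fields."""
    return [s for s in body.split(",") if s]


def _expand(patterns, supported):
    """Expand '*'/'?' wildcards against the supported set, keeping the
    supported list's order. Negation ('!') is deliberately not handled:
    algorithm lists accept wildcards but are not full pattern-lists."""
    return [alg for alg in supported
            if any(fnmatchcase(alg, p) for p in patterns)]


def _cat(first, second):
    """Concatenate two lists, skipping names already present in the first."""
    out = list(first)
    for alg in second:
        if alg not in out:
            out.append(alg)
    return out


def assemble_algorithms(spec, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the effective algorithm list for the config value `spec`.

    '+list' appends, '-list' removes, '^list' prepends; anything else
    replaces the default outright and must name supported algorithms.
    The result is fully expanded, so a config dump shows real names.
    """
    if not spec:
        raise ValueError("empty algorithm list")
    prefix, body = spec[0], spec[1:]
    if prefix == "+":
        # append the matching supported names that the default lacks
        return _cat(default, _expand(_split(body), supported))
    if prefix == "-":
        # drop every default entry matching one of the patterns
        patterns = _split(body)
        return [alg for alg in default
                if not any(fnmatchcase(alg, p) for p in patterns)]
    if prefix == "^":
        # move the matching names to the head of the default list
        return _cat(_expand(_split(body), supported), default)
    names = _split(spec)
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ",".join(unknown))
    return names


if __name__ == "__main__":
    for spec in ("+aes*-cbc", "-*-ctr", "^aes256-gcm@openssh.com"):
        print(spec, "->", ",".join(assemble_algorithms(spec)))
```

Because the output is the expanded list rather than the raw directive, a bad wildcard is caught when the config is loaded and a Match block override such as "Ciphers=-*cbc" can be checked by simply printing the result.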


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
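
Worked through as an added example (editor's illustration, not code from sshd or servconf.c): parsing the start:rate:full triple and computing the linear early-drop probability such a setting implies. The struct and function names are this example's own, as is the reading of a bare number as a hard limit with no random drop.

```c
#include <stdio.h>

/* The three MaxStartups fields; names are this example's own, not sshd's. */
struct max_startups {
	int begin;	/* pending unauthenticated connections at which random drop starts */
	int rate;	/* drop percentage at exactly `begin` */
	int full;	/* pending connections at which every new one is refused */
};

/*
 * Parse "start:rate:full" (e.g. "10:30:100") or a bare "n", taken as a hard
 * limit: nothing dropped below n, everything refused at n and above.
 * Returns 0 on success, -1 on malformed or out-of-range input.
 */
int
parse_max_startups(const char *s, struct max_startups *ms)
{
	int begin, rate, full;
	char extra;

	if (sscanf(s, "%d:%d:%d%c", &begin, &rate, &full, &extra) == 3) {
		if (begin < 1 || rate < 1 || rate > 100 || full <= begin)
			return -1;
		ms->begin = begin;
		ms->rate = rate;
		ms->full = full;
		return 0;
	}
	if (sscanf(s, "%d%c", &begin, &extra) == 1 && begin >= 1) {
		ms->begin = ms->full = begin;
		ms->rate = 100;
		return 0;
	}
	return -1;
}

/*
 * Percentage (0..100) chance that a new unauthenticated connection is
 * refused when `startups` are already pending: 0 below `begin`, `rate` at
 * `begin`, rising linearly to 100 at `full`.
 */
int
drop_probability(const struct max_startups *ms, int startups)
{
	long p;

	if (startups < ms->begin)
		return 0;
	if (startups >= ms->full)
		return 100;
	p = 100 - ms->rate;
	p = p * (startups - ms->begin) / (ms->full - ms->begin);
	return (int)(p + ms->rate);
}

/*
 * Decide for one connection. `r` is a uniform random value supplied by the
 * caller (sshd would draw it from its own RNG); only r % 100 is used.
 * Returns 1 to drop, 0 to accept.
 */
int
should_drop(const struct max_startups *ms, int startups, unsigned r)
{
	return (int)(r % 100) < drop_probability(ms, startups);
}

int
main(void)
{
	struct max_startups ms;
	int n;

	if (parse_max_startups("10:30:100", &ms) != 0)
		return 1;
	for (n = 0; n <= 100; n += 10)
		printf("%3d pending -> %3d%% drop chance\n", n, drop_probability(&ms, n));
	return 0;
}
```

With 10:30:100, 55 pending connections give a 65% refusal chance; with the old single-number form there is no ramp, only a cliff at the limit.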


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
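
Added example, not OpenSSH code: an evaluator for the semantics described above. Given a value such as "publickey,password publickey,keyboard-interactive" (a constructed sample), it reports whether a set of already-completed methods satisfies any list, and which methods a server would still offer next (the first pending method of each list, deduplicated). Function names and that offering rule are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define LIST_DELIMS " \t"	/* separates the alternative lists */
#define METHOD_DELIMS ", \t"	/* separates methods within a list (or ends it) */

/* True if the method name [name, name+n) is in the NULL-terminated completed[]. */
static int
method_done(const char *name, size_t n, const char *const completed[])
{
	size_t i;

	for (i = 0; completed[i] != NULL; i++)
		if (strlen(completed[i]) == n && strncmp(completed[i], name, n) == 0)
			return 1;
	return 0;
}

/* True if [name, name+n) already appears as one element of comma-separated csv. */
static int
name_in_csv(const char *csv, const char *name, size_t n)
{
	const char *p = csv;

	while (*p != '\0') {
		size_t len = strcspn(p, ",");

		if (len == n && strncmp(p, name, n) == 0)
			return 1;
		p += len;
		if (*p == ',')
			p++;
	}
	return 0;
}

/* Returns 1 when every method of at least one space-separated list in spec is complete. */
int
auth_methods_satisfied(const char *spec, const char *const completed[])
{
	const char *list = spec;

	for (;;) {
		const char *end, *m;
		int all = 1;

		list += strspn(list, LIST_DELIMS);
		if (*list == '\0')
			return 0;
		end = list + strcspn(list, LIST_DELIMS);
		for (m = list; m < end; m += strcspn(m, METHOD_DELIMS) + 1)
			if (!method_done(m, strcspn(m, METHOD_DELIMS), completed))
				all = 0;
		if (all)
			return 1;
		list = end;
	}
}

/*
 * Write into out the methods still worth offering: the first not-yet-completed
 * method of each list, without duplicates, comma-joined. Returns how many, or
 * -1 if out is too small.
 */
int
auth_next_methods(const char *spec, const char *const completed[],
    char *out, size_t outlen)
{
	const char *list = spec;
	int count = 0;

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	for (;;) {
		const char *end, *m;

		list += strspn(list, LIST_DELIMS);
		if (*list == '\0')
			return count;
		end = list + strcspn(list, LIST_DELIMS);
		for (m = list; m < end; m += strcspn(m, METHOD_DELIMS) + 1) {
			size_t ml = strcspn(m, METHOD_DELIMS);

			if (method_done(m, ml, completed))
				continue;
			if (!name_in_csv(out, m, ml)) {
				if (strlen(out) + ml + 2 > outlen)
					return -1;
				if (out[0] != '\0')
					strcat(out, ",");
				strncat(out, m, ml);
				count++;
			}
			break;	/* only the first pending method of each list is offered */
		}
		list = end;
	}
}

int
main(void)
{
	/* Constructed sample: one public key already accepted. */
	const char *const done[] = { "publickey", NULL };
	const char *spec = "publickey,password publickey,keyboard-interactive";
	char next[64];

	auth_next_methods(spec, done, next, sizeof(next));
	printf("complete=%d next=%s\n", auth_methods_satisfied(spec, done), next);
	return 0;
}
```

After a successful publickey step the sample spec is still incomplete and either password or keyboard-interactive would finish it; after only password, publickey is the sole way forward because it heads both lists.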


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
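
An added example of the matching rule described above, written for this page rather than taken from the project's addrmatch.c: comma-separated entries, CIDR ranges for both address families, fall-back to fnmatch(3)-style wildcards for entries that are not CIDR, and "!" negation. The return convention (1 match, -1 negated match that ends the scan, 0 no match, -2 oversized entry) and the rule that a later negated entry overrides an earlier positive hit are this example's own choices.

```c
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* An IPv4 or IPv6 address as raw network-order bytes (len is 4 or 16). */
struct addr {
	int af;
	int len;
	unsigned char bytes[16];
};

/* Parse a literal address; 0 on success, -1 if s is not one. */
static int
parse_addr(const char *s, struct addr *a)
{
	if (inet_pton(AF_INET, s, a->bytes) == 1) {
		a->af = AF_INET;
		a->len = 4;
		return 0;
	}
	if (inet_pton(AF_INET6, s, a->bytes) == 1) {
		a->af = AF_INET6;
		a->len = 16;
		return 0;
	}
	return -1;
}

/* Parse "addr/prefixlen"; 0 on success, -1 if s is not CIDR notation. */
static int
parse_cidr(const char *s, struct addr *net, int *prefix)
{
	char buf[64], *end;
	const char *slash = strchr(s, '/');
	long n;

	if (slash == NULL || (size_t)(slash - s) >= sizeof(buf))
		return -1;
	memcpy(buf, s, slash - s);
	buf[slash - s] = '\0';
	if (parse_addr(buf, net) != 0)
		return -1;
	n = strtol(slash + 1, &end, 10);
	if (end == slash + 1 || *end != '\0' || n < 0 || n > net->len * 8)
		return -1;
	*prefix = (int)n;
	return 0;
}

/* True if a and net share a family and their first `prefix` bits agree. */
static int
addr_in_net(const struct addr *a, const struct addr *net, int prefix)
{
	int full = prefix / 8, rem = prefix % 8;

	if (a->af != net->af || memcmp(a->bytes, net->bytes, full) != 0)
		return 0;
	if (rem != 0) {
		unsigned char mask = (unsigned char)(0xffu << (8 - rem));

		if ((a->bytes[full] & mask) != (net->bytes[full] & mask))
			return 0;
	}
	return 1;
}

/*
 * Match addr_str against a comma-separated list. Each entry is a CIDR range
 * or, if it does not parse as one, a wildcard pattern ("10.*"); a leading
 * "!" negates it. Returns 1 on a positive match, -1 as soon as a negated
 * entry matches (a veto, even after an earlier positive hit), 0 if nothing
 * matched, -2 for an oversized entry (never silently skipped).
 */
int
match_address_list(const char *addr_str, const char *list)
{
	struct addr a, net;
	const char *p = list;
	int result = 0, prefix, literal = parse_addr(addr_str, &a) == 0;

	while (*p != '\0') {
		char entry[64];
		const char *e = entry;
		size_t n = strcspn(p, ",");
		int neg, hit;

		if (n >= sizeof(entry))
			return -2;
		memcpy(entry, p, n);
		entry[n] = '\0';
		p += n + (p[n] == ',');
		if (n == 0)
			continue;
		neg = (*e == '!');
		if (neg)
			e++;
		if (parse_cidr(e, &net, &prefix) == 0)
			hit = literal && addr_in_net(&a, &net, prefix);
		else
			hit = fnmatch(e, addr_str, 0) == 0;
		if (hit && neg)
			return -1;
		if (hit)
			result = 1;
	}
	return result;
}
```

With the list from the commit message, 192.0.2.10 and 3ffe:ffff::1 match, 10.1.2.3 is vetoed by the negated wildcard, and anything else simply fails to match; a caller deciding whether a Match block applies should treat only 1 as "applies".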


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok
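The three tokeniser changes above (revisions 1.49, 1.48 and 1.44: leading whitespace allowed, any amount of whitespace but at most one '=' between tokens, '=' counted as whitespace) describe the rule the config reader has to apply to every line. The following is an added illustration of that rule, written for this log and not code from servconf.c; `next_token`, `split_config_line` and the helper names are assumptions, and a second '=' is treated as a parse error, which is my reading of the 1.48 message.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16

/* Return the next token from the line at *sp and advance *sp past the
 * separator that follows it. Separators are runs of blanks containing at
 * most one '='. Returns NULL at end of line, at a '#' comment, or when the
 * next thing on the line is a stray '=' (e.g. the second '=' in "=="). */
static char *next_token(char **sp)
{
    char *s = *sp, *tok, *end;

    s += strspn(s, " \t");                  /* leading whitespace is fine */
    if (*s == '\0' || *s == '\n' || *s == '#') {
        *sp = s;
        return NULL;
    }
    tok = s;
    end = s + strcspn(s, " \t=\n");         /* token ends at blank or '=' */
    if (end == tok) {                       /* nothing here but a '=' */
        *sp = s;
        return NULL;
    }
    s = end + strspn(end, " \t");
    if (*s == '=') {                        /* consume exactly one '=' */
        s++;
        s += strspn(s, " \t");
    }
    *end = '\0';                            /* terminate the token in place */
    *sp = s;
    return tok;
}

/* Split one config line in place. Returns the token count, or -1 when the
 * line has a misplaced '=' ("Port == 22", "= Port 22") or too many tokens. */
int split_config_line(char *line, char **argv, int max)
{
    char *s = line, *tok;
    int n = 0;

    while ((tok = next_token(&s)) != NULL) {
        if (n >= max)
            return -1;
        argv[n++] = tok;
    }
    return (*s == '=') ? -1 : n;
}

/* Helpers that tokenise a copy of a constructed line, for checking. */
int config_token_count(const char *line)
{
    char buf[256], *argv[MAX_TOKENS];

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    return split_config_line(buf, argv, MAX_TOKENS);
}

int config_token_is(const char *line, int idx, const char *expected)
{
    char buf[256], *argv[MAX_TOKENS];
    int n;

    if (strlen(line) >= sizeof(buf))
        return 0;
    strcpy(buf, line);
    n = split_config_line(buf, argv, MAX_TOKENS);
    return n > idx && strcmp(argv[idx], expected) == 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real sshd_config. */
    const char *lines[] = {
        "Port 22\n", "  Port   =   22   # default", "ListenAddress=0.0.0.0",
        "Port == 22", "= Port 22", "# only a comment",
    };
    char buf[256], *argv[MAX_TOKENS];

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        strcpy(buf, lines[i]);
        int n = split_config_line(buf, argv, MAX_TOKENS);
        printf("%-32.32s -> %d token(s)", lines[i], n);
        for (int j = 0; j < n; j++)
            printf(" [%s]", argv[j]);
        printf("\n");
    }
    return 0;
}
```

Rejecting the doubled '=' rather than silently swallowing it matters for a security-relevant config: a line that parses to fewer tokens than the administrator wrote would otherwise be accepted with the wrong value.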


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.390 17-Jan-2023 djm

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both sshd_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
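The bug fixed in 1.299 above is the kind that fails open: an unparseable mask in an AllowUsers/DenyUsers address pattern ended up matching every source address. The following is an added example, written for this log rather than taken from servconf.c or addr.c, of validating the address part at load time and then matching a connection against it; `parse_cidr`, `cidr_contains` and `allow_pattern_match` are assumed names, the user part is compared literally rather than as an OpenSSH pattern, and hostname patterns are not handled.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* A parsed address with an optional prefix length. */
struct cidr {
    int af;                    /* AF_INET or AF_INET6 */
    unsigned char addr[16];    /* network-order bytes; 4 used for IPv4 */
    int bits;                  /* 32 or 128 */
    int masklen;               /* prefix length; bits when none was given */
};

/* Parse "addr" or "addr/masklen". Returns 0 on success, -1 if the address
 * is malformed or the prefix length is out of range for the family. */
int parse_cidr(const char *spec, struct cidr *c)
{
    char buf[INET6_ADDRSTRLEN + 8];
    char *slash, *end;
    long ml;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';
    memset(c->addr, 0, sizeof(c->addr));
    if (inet_pton(AF_INET, buf, c->addr) == 1) {
        c->af = AF_INET;
        c->bits = 32;
    } else if (inet_pton(AF_INET6, buf, c->addr) == 1) {
        c->af = AF_INET6;
        c->bits = 128;
    } else {
        return -1;
    }
    if (slash == NULL) {
        c->masklen = c->bits;
        return 0;
    }
    if (!isdigit((unsigned char)*slash))    /* rejects "", "-1", "+8" */
        return -1;
    errno = 0;
    ml = strtol(slash, &end, 10);
    if (errno != 0 || *end != '\0' || ml < 0 || ml > c->bits)
        return -1;                          /* e.g. 127.1.2.3/55 */
    c->masklen = (int)ml;
    return 0;
}

/* 1 if a lies within the prefix c, 0 otherwise; families never mix. */
int cidr_contains(const struct cidr *c, const struct cidr *a)
{
    int full = c->masklen / 8, rem = c->masklen % 8;

    if (c->af != a->af)
        return 0;
    if (memcmp(c->addr, a->addr, (size_t)full) != 0)
        return 0;
    if (rem != 0) {
        unsigned char m = (unsigned char)(0xffU << (8 - rem));
        if ((c->addr[full] & m) != (a->addr[full] & m))
            return 0;
    }
    return 1;
}

/* Match a "user@addr[/masklen]" pattern against a login name and the
 * connection's source address. Returns 1 (match), 0 (no match) or -1 when
 * the address part is invalid, which the config loader should reject. */
int allow_pattern_match(const char *pattern, const char *user,
    const char *src_addr)
{
    const char *at = strchr(pattern, '@');
    struct cidr net, src;
    size_t ulen;

    if (at == NULL)                         /* bare user name, no address */
        return strcmp(pattern, user) == 0;
    if (parse_cidr(at + 1, &net) == -1)
        return -1;
    ulen = (size_t)(at - pattern);
    if (strlen(user) != ulen || strncmp(pattern, user, ulen) != 0)
        return 0;
    if (parse_cidr(src_addr, &src) == -1)
        return 0;
    return cidr_contains(&net, &src);
}

int main(void)
{
    /* Constructed patterns; the /55 case is the one named in the log. */
    const char *pats[] = { "djm@127.1.2.3/55", "djm@127.1.2.0/24",
        "djm@2001:db8::/32" };

    for (size_t i = 0; i < sizeof(pats) / sizeof(pats[0]); i++)
        printf("%-20s vs djm from 127.1.2.3 -> %d\n", pats[i],
            allow_pattern_match(pats[i], "djm", "127.1.2.3"));
    return 0;
}
```

The load-time check is the important half: a pattern for which `parse_cidr` returns -1 should make configuration loading fail, so that a typo never widens access silently.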


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deeradt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
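
The random early drop that the new 10:30:100 default turns on is easy to
misread, so here is an added illustration (not OpenSSH code) that re-implements
the "start:rate:full" rule as sshd_config(5) documents it: nothing is dropped
below "start", "rate" percent is dropped at "start", and the probability rises
linearly to 100 percent at "full". The random draw is injectable so the decision
is deterministic under test; real sshd uses arc4random_uniform(), which is an
assumption of this illustration rather than something the log states.

```python
# Added illustration, not OpenSSH code: the "start:rate:full" random early
# drop described in sshd_config(5), re-implemented so the drop probability
# for a given count of unauthenticated connections can be inspected.
# Assumption: sshd draws its random number with arc4random_uniform(100);
# here the draw is injectable so the decision is deterministic under test.
import random


def parse_max_startups(value):
    """Parse "10:30:100" or a bare "10" (begin == full) into (begin, rate, full)."""
    fields = value.split(":")
    if len(fields) == 1:
        begin = full = int(fields[0])
        rate = 100
    elif len(fields) == 3:
        begin, rate, full = (int(f) for f in fields)
    else:
        raise ValueError("MaxStartups expects N or start:rate:full")
    if begin <= 0 or full < begin or not 1 <= rate <= 100:
        raise ValueError("MaxStartups: bad values %r" % value)
    return begin, rate, full


def drop_probability(startups, begin, rate, full):
    """Percent chance a new unauthenticated connection is refused when
    STARTUPS such connections already exist: 0 below BEGIN, RATE at BEGIN,
    rising linearly to 100 at FULL (integer arithmetic, as C would do it)."""
    if startups < begin:
        return 0
    if startups >= full:
        return 100
    return rate + (100 - rate) * (startups - begin) // (full - begin)


def drop_connection(startups, value="10:30:100", draw=None):
    """Decide for one new connection; DRAW overrides the random number."""
    begin, rate, full = parse_max_startups(value)
    p = drop_probability(startups, begin, rate, full)
    r = random.randrange(100) if draw is None else draw
    return r < p


def drop_curve(value="10:30:100", points=(5, 10, 25, 50, 75, 99, 100)):
    """Drop percentages at a few load levels, handy for comparing settings."""
    begin, rate, full = parse_max_startups(value)
    return {n: drop_probability(n, begin, rate, full) for n in points}
```

drop_curve("10") shows the old single-number form as a hard wall (100 percent
drop from the tenth connection on), while drop_curve("10:30:100") shows the
gradual curve the new default buys: legitimate users still get through most of
the time during a modest flood, and an attacker has to hold far more
half-open connections to lock everyone out.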


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
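
The "all methods in any one list" rule above, together with the later ruling in
revision 1.291 that an empty value is rejected and "any" means no extra
requirement, is worth seeing end to end. The following is an added illustration
and not OpenSSH code: it replays a sequence of successful methods against an
AuthenticationMethods value. It assumes the ordered semantics that sshd_config(5)
documents (a method counts only when it is the next one in some list still in
play) and leaves out submethod qualifiers such as keyboard-interactive:pam.

```python
# Added illustration, not OpenSSH code: tracks a client's progress through
# the method lists of an AuthenticationMethods value so the "all methods in
# any one list" rule from the commit message (and the ""/"any" rule from
# revision 1.291) can be exercised outside sshd.


class AuthenticationMethods:
    """Ordered evaluation of the space-separated, comma-separated lists.

    Assumption for this illustration: a method only counts when it is the
    next method of at least one list still in play, and submethod
    qualifiers such as keyboard-interactive:pam are not modelled."""

    def __init__(self, value):
        value = value.strip()
        if value == "":
            # sshd rejects the empty value; "any" is how to say "no extra requirement".
            raise ValueError('AuthenticationMethods "" is not allowed; use "any"')
        self.unrestricted = value == "any"
        self.remaining = [] if self.unrestricted else [
            item.split(",") for item in value.split()
        ]
        for methods in self.remaining:
            if "" in methods:
                raise ValueError("malformed method list: %r" % ",".join(methods))

    def allowed(self):
        """Methods the server may offer right now (None means: any method)."""
        if self.unrestricted:
            return None
        return sorted({methods[0] for methods in self.remaining if methods})

    def complete(self, method):
        """Record that METHOD succeeded; True once some list is fully satisfied."""
        if self.unrestricted:
            return True
        advanced = False
        for methods in self.remaining:
            if methods and methods[0] == method:
                methods.pop(0)
                advanced = True
                if not methods:
                    return True
        if not advanced:
            raise ValueError("%s is not the next method of any list" % method)
        return False


def config_is_valid(value):
    """True when VALUE would be accepted as an AuthenticationMethods setting."""
    try:
        AuthenticationMethods(value)
    except ValueError:
        return False
    return True


def authenticates(value, succeeded):
    """Replay successful methods, in order, against VALUE.

    Returns True when authentication completes, False when more is needed;
    raises ValueError for a method offered out of order or a bad config."""
    state = AuthenticationMethods(value)
    for method in succeeded:
        if state.complete(method):
            return True
    return False
```

With "publickey,password publickey,keyboard-interactive" the server offers
only publickey first; once that succeeds, either password or
keyboard-interactive finishes the job, and a client that tries password first
is rejected rather than credited.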


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition than doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
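
The negation and fall-back rules in that example are the part people get wrong
in production, so here is an added illustration (not OpenSSH code, and not the
addrmatch.c mentioned above) that re-implements the documented "Match address"
list semantics with the Python standard library: entries are comma-separated,
each is a CIDR range or a classic wildcard pattern, and a leading "!" negates
the entry. The assumption made here is that a negated hit overrides positive
entries wherever it appears in the list, and that fnmatch is a close enough
stand-in for sshd's own wildcard matcher.

```python
# Added illustration, not OpenSSH code: a re-implementation of the
# "Match address" list semantics described above (CIDR entries, classic
# wildcard fall-back, '!' negation) using only the standard library.
import fnmatch
import ipaddress


def _entry_matches(addr, entry):
    """True if ADDR falls inside ENTRY as a CIDR range, or, when ENTRY is
    not a CIDR range, matches it as a '*'/'?' wildcard on the address text
    (assumption: fnmatch is close enough to sshd's own wildcard matcher)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(addr, entry)
    ip = ipaddress.ip_address(addr)
    # An IPv4 address never matches an IPv6 range and vice versa.
    return ip.version == net.version and ip in net


def match_address(addr, address_list):
    """Evaluate a comma-separated address list against ADDR.

    Returns 1 on a positive match, 0 when nothing matched and -1 when a
    negated entry matched.  A negated hit ends the scan immediately, so it
    overrides positive entries wherever they appear in the list."""
    result = 0
    for raw in address_list.split(","):
        entry = raw.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if entry == "":
            raise ValueError("empty entry in address list")
        if _entry_matches(addr, entry):
            if negated:
                return -1
            result = 1
    return result


# The list from the commit message, used here as a constructed sample:
# password authentication is meant to be offered to the two documentation
# ranges but never to anything under 10/8.
COMMIT_EXAMPLE = "192.0.2.0/24,3ffe:ffff::/32,!10.*"


def password_allowed(addr, address_list=COMMIT_EXAMPLE):
    """True only when the Match block would apply (a positive, un-negated hit)."""
    return match_address(addr, address_list) == 1
```

The check worth running against your own config is the last two assertions'
shape: "10.0.0.0/8,!10.1.*" and "!10.1.*,10.0.0.0/8" behave the same, because a
negated entry wins regardless of position, whereas an address that simply
matches nothing (or an IPv4 address tested against an IPv6 range) leaves the
Match block unapplied.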


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within an channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
  600     600 seconds (10 minutes)
  10m     10 minutes
  1h30m   1 hour 30 minutes (90 minutes)
ok markus@
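The time syntax described in the 1.81 entry is easy to get wrong when validating sshd_config values (LoginGraceTime, ClientAliveInterval and friends) from tooling. The parser below is an added example written for this page, not code from OpenSSH; it implements the `time[qualifier]` grammar as the entry states it, and treats a bare number as valid only when it is the whole value (an assumption of this example, not a description of sshd's own parser). `sshd_time_or_none` is a convenience wrapper for validation.

```python
import re
from typing import Optional

# Multipliers for the qualifiers listed in the 1.81 log entry.
# <none> is only accepted for a bare number such as "600" (an assumption
# of this example, not a statement about sshd's own parser).
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)")


def parse_sshd_time(text: str) -> int:
    """Convert an sshd-style time value ('600', '10m', '1h30m') to seconds.

    Raises ValueError for an empty or non-positive value, stray characters
    ('10x', '1h 30m') or a bare number mixed with qualified terms ('1h30').
    """
    s = text.strip()
    if not s:
        raise ValueError("empty time value")
    total = 0
    pos = 0
    qualified = False
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if m is None:
            raise ValueError(f"invalid time value {text!r} at offset {pos}")
        value, unit = int(m.group(1)), m.group(2)
        if unit == "":
            # A number without a qualifier must be the entire value.
            if m.end() != len(s):
                raise ValueError(f"unexpected characters in {text!r}")
            if qualified:
                raise ValueError(f"bare number after qualified term in {text!r}")
        total += value * _UNIT_SECONDS[unit]
        qualified = qualified or unit != ""
        pos = m.end()
    if total <= 0:
        raise ValueError(f"time value must be positive: {text!r}")
    return total


def sshd_time_or_none(text: str) -> Optional[int]:
    """Validation helper: the parsed value in seconds, or None if malformed."""
    try:
        return parse_sshd_time(text)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample values, including two malformed ones.
    for sample in ("600", "10m", "1h30m", "2m", "1h30", "10x"):
        print(f"{sample:>6} -> {sshd_time_or_none(sample)}")
```

The `1h30` case is worth keeping in a test suite: a lenient parser that silently reads it as 1 hour plus 30 seconds would accept a LoginGraceTime the administrator did not intend.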


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.389 06-Jan-2023 djm

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@
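The 1.369 entry above moves the address/mask sanity check into config-test mode. The snippet below is an added example for this page, not OpenSSH code; it models only the CIDR form of Match Address / Match LocalAddress entries (an assumption: sshd also accepts other pattern forms, which are left out here), rejects address/mask mismatches such as `10.0.0.1/8` at parse time, and evaluates a list with `!`-negated entries so that a matching negation vetoes the whole list.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[bool, Network]  # (negated, network)


def parse_address_list(spec: str) -> List[Entry]:
    """Validate a comma-separated Match Address list at config-parse time.

    strict=True makes ipaddress refuse a mask that does not cover the host
    bits (10.0.0.1/8), which is the address/mask mismatch the 1.369 entry
    says config-test mode now catches before runtime.
    """
    entries: List[Entry] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in address list")
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        try:
            net = ipaddress.ip_network(item, strict=True)
        except ValueError as e:
            raise ValueError(f"bad address/mask {item!r}: {e}") from None
        entries.append((negated, net))
    return entries


def is_valid_address_list(spec: str) -> bool:
    """Config-test style check: True if every entry parses cleanly."""
    try:
        parse_address_list(spec)
        return True
    except ValueError:
        return False


def address_matches(entries: List[Entry], addr: str) -> bool:
    """Match a client address against a parsed list.

    A negated entry that matches vetoes the whole list; otherwise any
    positive match wins. Address-family mismatches never match.
    """
    a = ipaddress.ip_address(addr)
    matched = False
    for negated, net in entries:
        if a.version != net.version or a not in net:
            continue
        if negated:
            return False
        matched = True
    return matched


if __name__ == "__main__":
    # Constructed sample list: an office range minus one host, plus a v6 block.
    rules = parse_address_list("192.0.2.0/24,!192.0.2.13,2001:db8::/32")
    for client in ("192.0.2.7", "192.0.2.13", "2001:db8::1", "198.51.100.1"):
        print(client, address_matches(rules, client))
    print("10.0.0.1/8 valid?", is_valid_address_list("10.0.0.1/8"))
```

Running this with `-T`-style checks in a deployment pipeline catches the mismatch before it silently fails to match at runtime, which is the failure mode that prompted the change.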


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@
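The 1.352 entry above adds `^` to the existing `+` and `-` list operators, and the 1.335 entry (4-Jul-2018, further down this log) describes wildcard expansion of algorithm lists. The following is an added example for this page, not OpenSSH code: it models the four forms of an algorithm-list directive (replace, `+` append, `-` remove, `^` prepend) against a constructed cipher list, expands fnmatch-style wildcards, rejects entries that match nothing, and removes duplicates so that `^` moves an algorithm to the front rather than listing it twice. The sample `SUPPORTED_CIPHERS` and `DEFAULT_CIPHERS` lists are illustrative and not the real defaults of any sshd version.

```python
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed sample lists for the example; real lists vary by version.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def _expand(patterns: str, supported: List[str]) -> List[str]:
    """Expand names/wildcards against `supported`, keeping pattern order.

    Every entry must match at least one supported algorithm, so a typo
    is reported at config time. Wildcards are plain fnmatch patterns, not
    negatable pattern-lists (as the 1.335 entry clarifies).
    """
    out: List[str] = []
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            raise ValueError("empty entry in algorithm list")
        hits = [name for name in supported if fnmatchcase(name, pat)]
        if not hits:
            raise ValueError(f"no supported algorithm matches {pat!r}")
        for name in hits:
            if name not in out:
                out.append(name)
    return out


def assemble_algorithms(spec: str, default: List[str],
                        supported: List[str]) -> List[str]:
    """Apply the '+', '-' and '^' list operators to `default`."""
    if spec.startswith("+"):
        extra = _expand(spec[1:], supported)
        return default + [n for n in extra if n not in default]
    if spec.startswith("-"):
        # Removal filters the default list; an entry matching nothing is
        # harmless (assumption of this example: no error in that case).
        pats = [p.strip() for p in spec[1:].split(",") if p.strip()]
        return [n for n in default
                if not any(fnmatchcase(n, p) for p in pats)]
    if spec.startswith("^"):
        first = _expand(spec[1:], supported)
        return first + [n for n in default if n not in first]
    return _expand(spec, supported)


def algorithm_list_error(spec: str, default: List[str],
                         supported: List[str]) -> Optional[str]:
    """Config-test helper: None if `spec` is acceptable, else the message."""
    try:
        assemble_algorithms(spec, default, supported)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    for spec in ("^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                 "-*-ctr", "+aes256-cbc", "aes*-ctr", "nosuchcipher"):
        print(f"Ciphers {spec}")
        print("  ->", algorithm_list_error(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
              or assemble_algorithms(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS))
```

The practical check this enables: resolve the directive and inspect the resulting list, exactly as a config dump would show it, instead of trusting that `-*-cbc` removed what you think it did.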


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080
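Three entries in this log touch the same host/port parsing: 1.74 (6-Apr-2001, the `[host]:port` ListenAddress forms), 1.347 (23-Jan-2019, removal of the `host/port` syntax in favour of `[::1]:22`) and 1.333 above (bare ports in PermitListen meaning `*:port`). The parser below is an added example for this page, not OpenSSH's hpdelim; it accepts the surviving forms, rejects the slash syntax and out-of-range ports (the "robust port validation" of 1.76), and expands a bare PermitListen port to the wildcard host. Whether a bare port is legal is passed in by the caller, since ListenAddress and PermitListen differ on that.

```python
import ipaddress
from typing import Optional, Tuple


def _parse_port(text: str) -> int:
    """Accept only decimal 1..65535; anything else is a config error."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"bad port {text!r}")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def split_host_port(spec: str, default_host: Optional[str] = None
                    ) -> Tuple[str, Optional[int]]:
    """Split 'host', 'host:port', 'v6addr', '[v6addr]:port' or a bare port.

    Returns (host, port) with port None when absent. A bare port is only
    accepted when default_host is given (PermitListen-style), in which case
    that host is returned. The old 'host/port' form is rejected outright.
    """
    s = spec.strip()
    if not s:
        raise ValueError("empty host/port")
    if "/" in s:
        raise ValueError(f"'/' is no longer a port delimiter: {spec!r}")
    if s.startswith("["):
        end = s.find("]")
        if end < 0:
            raise ValueError(f"unterminated '[' in {spec!r}")
        host, rest = s[1:end], s[end + 1:]
        ipaddress.IPv6Address(host)  # brackets must wrap a v6 literal
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError(f"expected ':port' after ']' in {spec!r}")
        return host, _parse_port(rest[1:])
    if s.isascii() and s.isdigit():
        if default_host is None:
            raise ValueError(f"bare port not allowed here: {spec!r}")
        return default_host, _parse_port(s)
    if s.count(":") > 1:
        # Unbracketed IPv6 literal carries no port (the 1.74 form).
        ipaddress.IPv6Address(s)
        return s, None
    host, sep, port = s.partition(":")
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    return host, (_parse_port(port) if sep else None)


def permitlisten_entry(spec: str) -> Tuple[str, int]:
    """PermitListen semantics: '2222' is equivalent to '*:2222'."""
    host, port = split_host_port(spec, default_host="*")
    if port is None:
        raise ValueError(f"PermitListen entry needs a port: {spec!r}")
    return host, port


def is_valid_host_port(spec: str, default_host: Optional[str] = None) -> bool:
    """Config-test helper: True if the entry parses."""
    try:
        split_host_port(spec, default_host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, including the rejected slash form.
    for entry in ("2222", "[::1]:22", "192.0.2.1:2222", "::1", "192.0.2.1/22"):
        print(f"{entry:>14} -> {is_valid_host_port(entry, '*')}")
    print(permitlisten_entry("8080"))
```

The slash rejection is the point of 1.347: `192.0.2.0/24` reads as a CIDR range to an operator, so a parser that silently treated it as host `192.0.2.0` port 24 would be misleading rather than merely wrong.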

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criterion for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
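The "Match address" semantics this message describes (CIDR entries, "!" negation, and fall-back to classic wildcard matching), as an added example that is not OpenSSH's addrmatch.c; match_address_list and its helpers are names chosen here, and the sample lists are constructed for illustration.

```c
/* Added example (not OpenSSH's addrmatch.c): evaluate a sshd_config
 * "Match address" list.  Entries with '/' are CIDR ranges, others are
 * classic wildcard patterns, and a leading '!' negates an entry. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <fnmatch.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if addr lies inside "net/len", 0 if not (a different address family
 * never matches), -1 if the entry is malformed, e.g. a /55 prefix. */
static int
cidr_contains(const char *cidr, const char *addr)
{
    char net[INET6_ADDRSTRLEN];
    unsigned char n[16], a[16], m;
    const char *slash = strchr(cidr, '/');
    size_t netlen, nbytes, i;
    unsigned long len, maxlen;
    char *end;
    int af;

    if (slash == NULL || (netlen = (size_t)(slash - cidr)) == 0 ||
        netlen >= sizeof(net))
        return -1;
    memcpy(net, cidr, netlen);
    net[netlen] = '\0';
    af = strchr(net, ':') != NULL ? AF_INET6 : AF_INET;
    maxlen = af == AF_INET6 ? 128 : 32;
    len = strtoul(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || len > maxlen)
        return -1;                      /* bad or out-of-range prefix length */
    if (inet_pton(af, net, n) != 1)
        return -1;                      /* network part is not an address */
    if (inet_pton(af, addr, a) != 1)
        return 0;                       /* addr belongs to the other family */
    nbytes = maxlen / 8;
    for (i = 0; i < nbytes && len > 0; i++) {
        m = len >= 8 ? 0xff : (unsigned char)(0xff << (8 - len));
        if ((n[i] & m) != (a[i] & m))
            return 0;
        len = len >= 8 ? len - 8 : 0;
    }
    return 1;
}

/* One list entry (without its '!'): CIDR if it has '/', else wildcard. */
static int
entry_matches(const char *entry, const char *addr)
{
    if (strchr(entry, '/') != NULL)
        return cidr_contains(entry, addr);
    return fnmatch(entry, addr, 0) == 0 ? 1 : 0;
}

/* 1 if addr is accepted by the comma-separated list, 0 if not, -1 if the
 * address or an entry is malformed.  A matching negated entry vetoes at
 * once; a positive match is kept unless a later negated entry overrides it. */
int
match_address_list(const char *list, const char *addr)
{
    char *copy, *save, *tok;
    unsigned char buf[16];
    int ret = 0, neg, r;

    if (inet_pton(AF_INET, addr, buf) != 1 &&
        inet_pton(AF_INET6, addr, buf) != 1)
        return -1;                      /* not a textual IP address */
    if ((copy = strdup(list)) == NULL)
        return -1;
    for (tok = strtok_r(copy, ",", &save); tok != NULL;
        tok = strtok_r(NULL, ",", &save)) {
        neg = (*tok == '!');
        r = entry_matches(tok + neg, addr);
        if (r < 0) { ret = -1; break; }           /* malformed entry */
        if (r == 1 && neg) { ret = 0; break; }    /* negation wins */
        if (r == 1) ret = 1;
    }
    free(copy);
    return ret;
}

int
main(void)
{
    const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*"; /* list from the message */
    const char *addrs[] = { "192.0.2.5", "3ffe:ffff::1", "10.1.2.3", "198.51.100.1" };
    size_t i;

    for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
        printf("%-14s -> %d\n", addrs[i], match_address_list(list, addrs[i]));
    return 0;
}
```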


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
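The time[qualifier] syntax described in this message, as an added example parser in C (not the implementation committed here): it accepts a bare number as seconds and the lowercase qualifiers listed above, and rejects malformed or overflowing input instead of silently truncating it.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Seconds per qualifier; only the qualifiers named in the log message. */
static long
qualifier_seconds(char q)
{
	switch (q) {
	case 's': return 1;
	case 'm': return 60;
	case 'h': return 60 * 60;
	case 'd': return 60 * 60 * 24;
	case 'w': return 60 * 60 * 24 * 7;
	default:  return -1;		/* not a known qualifier */
	}
}

/*
 * Parse a sequence of time[qualifier] components, e.g. "600", "10m",
 * "1h30m" (example function; hypothetical name, not OpenSSH's own).
 * Returns the total number of seconds, or -1 on malformed input or
 * arithmetic overflow.
 */
long
convtime_example(const char *s)
{
	long total = 0, val, mult;
	char *endp;

	if (s == NULL || *s == '\0')
		return -1;

	while (*s != '\0') {
		/* Each component must begin with a digit; no signs, no blanks. */
		if (!isdigit((unsigned char)*s))
			return -1;
		errno = 0;
		val = strtol(s, &endp, 10);
		if (errno != 0 || val < 0)
			return -1;

		if (*endp == '\0') {
			mult = 1;		/* no qualifier: plain seconds */
		} else {
			mult = qualifier_seconds(*endp);
			if (mult == -1)
				return -1;	/* unknown qualifier */
			endp++;
		}

		/* Refuse values that would overflow rather than wrapping. */
		if (val > LONG_MAX / mult || total > LONG_MAX - val * mult)
			return -1;
		total += val * mult;
		s = endp;
	}
	return total;
}

int
main(void)
{
	/* Constructed inputs taken from the examples in the log message. */
	const char *samples[] = { "600", "10m", "1h30m", "10x", NULL };
	int i;

	for (i = 0; samples[i] != NULL; i++)
		printf("%-8s -> %ld\n", samples[i], convtime_example(samples[i]));
	return 0;
}
```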


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.388 07-Nov-2022 dtucker

Remove some set but otherwise unused variables, spotted in -portable by
clang 16's -Wunused-but-set-variable. ok djm@


# 1.387 07-Nov-2022 dtucker

Check for and disallow MaxStartups values less than or equal to zero
during config parsing, rather than failing later at runtime. bz#3489,
ok djm@


Revision tags: OPENBSD_7_2_BASE
# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
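
The '+' (this entry), '-' (1.304), '^' (1.352) and wildcard (1.335) handling described in these log entries, as an added example in Python; this is not OpenSSH's own code (which lives in kex.c and match.c), and the supported and default cipher lists below are constructed samples, not the real defaults.

```python
import re

# Constructed sample of a supported algorithm set and its default subset.
# These are NOT the real OpenSSH lists, just enough to show the mechanics.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


class ConfigError(ValueError):
    """Raised when the config is finalised, so errors surface early (1.335)."""


def _match(pattern: str, name: str) -> bool:
    """Glob match supporting only '*' and '?'. A leading '!' (negation, as
    in full pattern-lists) is rejected, as the 1.335 entry states."""
    if pattern.startswith("!"):
        raise ConfigError("negation is not supported in algorithm lists")
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None


def _tokens(spec: str):
    toks = [t for t in spec.split(",") if t]
    if not toks:
        raise ConfigError("empty algorithm list")
    return toks


def _append_unique(dst, items):
    for item in items:
        if item not in dst:
            dst.append(item)
    return dst


def assemble(spec: str, default=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the fully expanded algorithm list for one config value.

    '+list' appends to the default, '-list' removes from it, '^list'
    prepends to it, and a bare list replaces it; every entry may be a
    wildcard pattern expanded against the supported set.
    """
    if not spec:
        raise ConfigError("empty algorithm list")
    op, body = (spec[0], spec[1:]) if spec[0] in "+-^" else ("", spec)
    patterns = _tokens(body)

    # Validate early: every pattern must select at least one supported name.
    for p in patterns:
        if not any(_match(p, a) for a in supported):
            raise ConfigError(f"unsupported algorithm or pattern: {p!r}")

    if op == "-":
        # Remove every default entry matched by any pattern.
        result = [a for a in default
                  if not any(_match(p, a) for p in patterns)]
    else:
        # Order the patterns relative to the default, then expand each one
        # against the supported set (in supported order), dropping duplicates.
        if op == "+":
            ordered = _append_unique(list(default), patterns)
        elif op == "^":
            ordered = _append_unique(list(patterns), default)
        else:
            ordered = patterns
        result = []
        for p in ordered:
            _append_unique(result, [a for a in supported if _match(p, a)])

    if not result:
        raise ConfigError(f"{spec!r} selects no algorithms")
    return result


def is_valid(spec: str) -> bool:
    """True if the value would be accepted when the config is finalised."""
    try:
        assemble(spec)
    except ConfigError:
        return False
    return True
```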


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
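
The AuthenticationMethods semantics from this entry and the ""/"any" rule from 1.291, as an added Python example that is not OpenSSH's own code; the rule that only the next unfinished method of each list is offered at any stage is taken from sshd_config(5), and the sample method names and values are constructed.

```python
class AuthMethodsError(ValueError):
    """Raised for AuthenticationMethods values or attempts sshd rejects."""


def parse_authentication_methods(spec: str):
    """Split an AuthenticationMethods value into its alternative lists.

    Each whitespace-separated item is a comma-separated list of methods
    that must all succeed; "any" means the default of not requiring
    multiple methods, and an empty value is rejected (1.291 entry).
    """
    items = spec.split()
    if not items:
        raise AuthMethodsError("AuthenticationMethods must not be empty")
    if items == ["any"]:
        return []
    lists = []
    for item in items:
        methods = item.split(",")
        if any(m == "" for m in methods):
            raise AuthMethodsError(f"malformed method list: {item!r}")
        lists.append(methods)
    return lists


class AuthProgress:
    """Tracks one connection's progress through the configured lists.

    Only the next unfinished method of each list is offered (per
    sshd_config(5)); a success advances every list waiting for that
    method, and authentication completes when any list is exhausted.
    """

    def __init__(self, spec: str):
        self.remaining = parse_authentication_methods(spec)
        self.unrestricted = not self.remaining  # "any": one success suffices

    def offered(self):
        """Methods a client may attempt now (None: any enabled method)."""
        if self.unrestricted:
            return None
        return sorted({methods[0] for methods in self.remaining if methods})

    def succeeded(self, method: str) -> bool:
        """Record a successful method; True once authentication completes."""
        if self.unrestricted:
            return True
        if method not in self.offered():
            raise AuthMethodsError(f"{method!r} is not offered at this stage")
        done = False
        for methods in self.remaining:
            if methods and methods[0] == method:
                methods.pop(0)
                if not methods:
                    done = True
        return done


def simulate(spec: str, successes) -> bool:
    """Feed a sequence of successful methods; True if it completes auth."""
    progress = AuthProgress(spec)
    done = False
    for method in successes:
        done = progress.succeeded(method)
        if done:
            break
    return done


def is_valid_spec(spec: str) -> bool:
    """True if the config parser would accept this value."""
    try:
        parse_authentication_methods(spec)
    except AuthMethodsError:
        return False
    return True
```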


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
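
The list matching described above, as an added example that is not OpenSSH's addrmatch.c: `match_address_list()` is a hypothetical helper that evaluates a comma-separated "Match address" list against one client address, treating entries containing "/" as CIDR ranges (IPv4 or IPv6) and falling back to fnmatch(3)-style wildcards otherwise. A negated entry that matches rejects the address wherever it appears in the list, and a negation on its own never produces a positive match; these semantics are an approximation of sshd's, so check sshd_config(5) PATTERNS before relying on a corner case.

```c
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a textual IPv4 or IPv6 address into raw bytes; returns the
 * byte length (4 or 16) or 0 if the string is not an address. */
static int parse_addr(const char *s, unsigned char *buf)
{
	if (inet_pton(AF_INET, s, buf) == 1)
		return 4;
	if (inet_pton(AF_INET6, s, buf) == 1)
		return 16;
	return 0;
}

/* 1 if addr lies within the CIDR range "net/len", 0 if it does not,
 * -1 if the range itself is malformed (bad address or prefix length). */
static int cidr_contains(const char *cidr, const char *addr)
{
	char net[64], *end;
	unsigned char nb[16], ab[16];
	const char *slash = strchr(cidr, '/');
	int nlen, alen, plen, i;

	if (slash == NULL || (size_t)(slash - cidr) >= sizeof(net) ||
	    slash[1] == '\0')
		return -1;
	memcpy(net, cidr, slash - cidr);
	net[slash - cidr] = '\0';
	plen = (int)strtol(slash + 1, &end, 10);
	nlen = parse_addr(net, nb);
	if (*end != '\0' || nlen == 0 || plen < 0 || plen > nlen * 8)
		return -1;
	alen = parse_addr(addr, ab);
	if (alen != nlen)	/* wrong family or not an address: no match */
		return 0;
	for (i = 0; i < plen; i++) {	/* compare the first plen bits */
		int bit = 0x80 >> (i % 8);
		if ((nb[i / 8] & bit) != (ab[i / 8] & bit))
			return 0;
	}
	return 1;
}

/*
 * Evaluate a comma-separated "Match address" list against addr.
 * Returns 1 on a positive match, 0 on no match, and -1 when a negated
 * entry matched (explicit rejection) or an entry was malformed.
 * Hypothetical helper; semantics approximate sshd's, not copied from it.
 */
int match_address_list(const char *list, const char *addr)
{
	const char *p = list;
	char tok[128], *pat;
	int matched = 0, neg, r;

	while (*p != '\0') {
		const char *comma = strchr(p, ',');
		size_t n = comma != NULL ? (size_t)(comma - p) : strlen(p);

		if (n >= sizeof(tok))
			return -1;
		memcpy(tok, p, n);
		tok[n] = '\0';
		p = comma != NULL ? comma + 1 : p + n;

		pat = tok;
		neg = (pat[0] == '!');
		if (neg)
			pat++;
		if (strchr(pat, '/') != NULL)
			r = cidr_contains(pat, addr);		/* CIDR form */
		else
			r = (fnmatch(pat, addr, 0) == 0);	/* classic wildcard */
		if (r == -1)
			return -1;
		if (r == 1) {
			if (neg)
				return -1;	/* negated entry: reject outright */
			matched = 1;	/* keep scanning for a later negation */
		}
	}
	return matched;
}

int main(void)
{
	/* The list from the commit message, against constructed addresses. */
	const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
	const char *addrs[] = { "192.0.2.7", "3ffe:ffff:1::5", "10.1.2.3",
	    "198.51.100.1" };
	size_t i;

	for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
		printf("%-16s -> %d\n", addrs[i],
		    match_address_list(list, addrs[i]));
	return 0;
}
```

The return value distinguishes "no entry matched" (0) from "a negation matched" (-1) so that a caller can log an explicit rejection differently from a block that simply did not apply; a malformed range is also reported as -1 rather than silently treated as non-matching, which is the safer failure mode for an access-control list.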


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
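
A miniature evaluator for the Match semantics described above, added here as an example that is not sshd's own parser: `effective_value()` is a hypothetical helper that reads a config text, lets the first occurrence of a directive in the main section set the default, and lets the first matching Match block that sets the same directive override it, which is the first-match behaviour this log also notes for PermitOpen. Only "Match User <name>" with a single exact name is understood, and `sample_config` is constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXLINE 128

/* Constructed sample config in the style of the commit message. */
static const char *sample_config =
	"AllowTcpForwarding yes\n"
	"X11Forwarding no\n"
	"Match User anoncvs\n"
	"    AllowTcpForwarding no\n"
	"Match User alice\n"
	"    X11Forwarding yes\n";

/*
 * Return the effective value of `keyword` for a connection by `user`, or
 * NULL if the config never sets it.  Main-section directives take effect
 * on first occurrence; the first matching Match block that sets the
 * directive overrides the main section.  Hypothetical helper; the result
 * points into a static buffer.
 */
const char *effective_value(const char *config, const char *user,
    const char *keyword)
{
	static char mainval[MAXLINE], matchval[MAXLINE];
	char line[MAXLINE], key[MAXLINE], a1[MAXLINE], a2[MAXLINE];
	int have_main = 0, have_match = 0, in_match = 0, active = 0, nf;
	const char *p = config;

	while (*p != '\0') {
		const char *nl = strchr(p, '\n');
		size_t n = nl != NULL ? (size_t)(nl - p) : strlen(p);

		if (n >= sizeof(line))
			return NULL;	/* line too long for this toy parser */
		memcpy(line, p, n);
		line[n] = '\0';
		p = nl != NULL ? nl + 1 : p + n;

		nf = sscanf(line, " %127s %127s %127s", key, a1, a2);
		if (nf < 1 || key[0] == '#')
			continue;	/* blank line or comment */
		if (strcasecmp(key, "Match") == 0) {
			/* open a new block; only "User <name>" is supported here */
			in_match = 1;
			active = (nf == 3 && strcasecmp(a1, "User") == 0 &&
			    strcmp(a2, user) == 0);
			continue;
		}
		if (nf < 2 || strcasecmp(key, keyword) != 0)
			continue;
		if (!in_match) {
			if (!have_main) {	/* first occurrence wins */
				strcpy(mainval, a1);
				have_main = 1;
			}
		} else if (active && !have_match) {	/* first matching block wins */
			strcpy(matchval, a1);
			have_match = 1;
		}
	}
	if (have_match)
		return matchval;
	return have_main ? mainval : NULL;
}

int main(void)
{
	const char *users[] = { "anoncvs", "alice", "bob" };
	const char *keys[] = { "AllowTcpForwarding", "X11Forwarding" };
	size_t i, j;

	for (i = 0; i < 3; i++)
		for (j = 0; j < 2; j++) {
			const char *v = effective_value(sample_config,
			    users[i], keys[j]);
			printf("%-8s %-20s %s\n", users[i], keys[j],
			    v != NULL ? v : "(unset)");
		}
	return 0;
}
```

Running it shows anoncvs losing TCP forwarding while keeping the main-section X11Forwarding default, alice gaining X11Forwarding only, and bob receiving the main-section values throughout; a directive set twice in the main section keeps its first value, which is why the ordering of lines in sshd_config matters.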


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600: 600 seconds (10 minutes)
10m: 10 minutes
1h30m: 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.386 17-Sep-2022 djm

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@
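As an added illustration of how the PerSourceNetBlockSize grouping interacts with PerSourceMaxStartups (this is example code written for this page, not OpenSSH's own implementation): clients are bucketed by masking their address to the configured number of bits ("ipv4bits[:ipv6bits]"), and each bucket carries its own count of unauthenticated connections. The global MaxStartups random-early-drop behaviour is deliberately left out; the sample addresses are constructed.

```python
import ipaddress
from collections import Counter


def parse_netblock_size(value: str) -> tuple[int, int]:
    """Parse a PerSourceNetBlockSize argument, "ipv4bits[:ipv6bits]"."""
    parts = value.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid PerSourceNetBlockSize {value!r}")
    v4bits = int(parts[0])
    v6bits = int(parts[1]) if len(parts) == 2 else 128
    if v4bits > 32 or v6bits > 128:
        raise ValueError(f"invalid PerSourceNetBlockSize {value!r}")
    return v4bits, v6bits


def source_bucket(addr: str, v4bits: int, v6bits: int) -> str:
    """Map a client address to the netblock it is counted under."""
    ip = ipaddress.ip_address(addr)
    bits = v4bits if ip.version == 4 else v6bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class PerSourceLimiter:
    """Counts pre-auth connections per netblock and refuses new ones once a
    block has reached PerSourceMaxStartups. Simplified model for this
    example; the MaxStartups random early drop is not modelled."""

    def __init__(self, per_source_max: int, netblock_size: str = "32:128"):
        self.per_source_max = per_source_max
        self.v4bits, self.v6bits = parse_netblock_size(netblock_size)
        self.active = Counter()

    def bucket(self, addr: str) -> str:
        return source_bucket(addr, self.v4bits, self.v6bits)

    def connect(self, addr: str) -> bool:
        """Return True if the unauthenticated connection is admitted."""
        b = self.bucket(addr)
        if self.active[b] >= self.per_source_max:
            return False
        self.active[b] += 1
        return True

    def finish(self, addr: str) -> None:
        """Authentication finished or connection closed: release the slot."""
        b = self.bucket(addr)
        if self.active[b] > 0:
            self.active[b] -= 1


def demo() -> list[bool]:
    """Three constructed clients in one /24 against PerSourceMaxStartups 2,
    then one client from a different /24."""
    lim = PerSourceLimiter(2, "24:64")
    return [lim.connect(a) for a in
            ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.1")]
```

With the default "32:128" every address is its own bucket, which is the pre-1.372 MaxStartups behaviour per source; lowering the bit counts lets a whole NAT block share one limit, which is also why operators behind large NATs need to tune it.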


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
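The two load-time checks described in 1.369 (Match Address / Match LocalAddress) and 1.299 (user@CIDR entries in AllowUsers/DenyUsers) come down to the same validation: refuse a mask length that does not fit the address family and refuse an address whose host bits are set under that mask. The following is added example code for this page, not OpenSSH's addr.c; the "negated entry wins" evaluation in address_matches is a simplified model and the sample addresses are constructed.

```python
import ipaddress


def parse_cidr_entry(entry: str):
    """Validate one address or CIDR entry as used by Match Address and the
    user@host form of AllowUsers/DenyUsers. Rejects mask lengths that do not
    fit the address family and addresses with host bits set under the mask
    (the address/mask mismatch that previously matched everything)."""
    if "/" not in entry:
        return ipaddress.ip_network(str(ipaddress.ip_address(entry)))
    addr_s, _, mask_s = entry.partition("/")
    if not mask_s.isdigit():
        raise ValueError(f"invalid mask in {entry!r}")
    addr = ipaddress.ip_address(addr_s)
    masklen = int(mask_s)
    if masklen > addr.max_prefixlen:
        raise ValueError(f"mask length {masklen} too long for {entry!r}")
    net = ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
    if net.network_address != addr:
        raise ValueError(f"inconsistent mask length for network {entry!r}")
    return net


def is_valid_cidr_entry(entry: str) -> bool:
    """Config-test style check: True when the entry would be accepted."""
    try:
        parse_cidr_entry(entry)
        return True
    except ValueError:
        return False


def parse_match_address(arg: str) -> list:
    """Parse a Match Address argument: comma-separated entries, '!' negates."""
    rules = []
    for item in arg.split(","):
        negated = item.startswith("!")
        rules.append((negated, parse_cidr_entry(item[1:] if negated else item)))
    return rules


def address_matches(rules: list, client: str) -> bool:
    """Simplified evaluation (an assumption of this example): a matching
    negated entry means no match, otherwise any matching positive entry
    means match."""
    ip = ipaddress.ip_address(client)
    hit = False
    for negated, net in rules:
        if ip.version != net.version:   # address families never match
            continue
        if ip in net:
            if negated:
                return False
            hit = True
    return hit


def parse_allow_users_entry(entry: str):
    """AllowUsers entry 'user' or 'user@host'. A host in CIDR form is
    validated at load time instead of silently matching every client."""
    if "@" not in entry:
        return entry, None
    user, _, host = entry.rpartition("@")
    if "/" in host:
        return user, parse_cidr_entry(host)
    return user, host    # hostname or wildcard pattern, not validated here
```

The important property is that an entry like djm@127.1.2.3/55 now fails at configuration load (or under sshd -t) rather than at runtime, where the earlier behaviour turned a typo into an allow-all rule.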


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
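The '+' prefix introduced here, the '-' removal form from 1.304 (Ciphers=-*cbc) and the '^' prepend form from 1.352 all operate on the same default list, and 1.335 notes that the result is fully expanded against the supported set at config-finalise time so that unknown names fail early. The following is an added example written for this page rather than OpenSSH's own kex_assemble_names(); the cipher lists are constructed samples, not the real defaults, and the choice that a '-' pattern matching nothing is harmless is an assumption of the example.

```python
import fnmatch

# Constructed sample lists for this example; the real supported and default
# sets depend on the OpenSSH version and the libcrypto it is built against.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


def expand_patterns(patterns: str, supported: list) -> list:
    """Expand a comma-separated list of names (wildcards allowed, but no '!'
    negation, per 1.335) against the supported set, keeping first-seen
    order and failing early on anything that matches nothing."""
    out = []
    for pat in patterns.split(","):
        if not pat:
            raise ValueError("empty algorithm name in list")
        hits = [a for a in supported if fnmatch.fnmatchcase(a, pat)]
        if not hits:
            raise ValueError(f"unsupported algorithm {pat!r}")
        for a in hits:
            if a not in out:
                out.append(a)
    return out


def assemble_algorithm_list(spec: str, default: list, supported: list) -> list:
    """Apply the +, - and ^ modifiers to the default list; a bare list
    replaces the default outright."""
    if spec.startswith("+"):          # append to the default
        extra = expand_patterns(spec[1:], supported)
        return default + [a for a in extra if a not in default]
    if spec.startswith("-"):          # filter the default; no error if nothing matches
        pats = spec[1:].split(",")
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, p) for p in pats)]
    if spec.startswith("^"):          # move to the front of the default
        first = expand_patterns(spec[1:], supported)
        return first + [a for a in default if a not in first]
    return expand_patterns(spec, supported)


def is_valid_algorithm_spec(spec: str, default: list, supported: list) -> bool:
    """True when the spec expands cleanly, i.e. sshd -t would accept it."""
    try:
        assemble_algorithm_list(spec, default, supported)
        return True
    except ValueError:
        return False
```

Because the list is expanded when the configuration is finalised, a dump such as "sshd -T" shows the concrete algorithms rather than the modifier string, which is what an operator auditing a hardened host wants to see.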


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
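The AuthenticationMethods semantics described here (one or more space-separated lists, each a comma-separated ordered chain, with any fully completed list sufficing), together with the 1.291 rule that an empty value is rejected and "any" means no multi-method requirement, can be modelled as a small replay of successful methods. This is added example code for this page and not OpenSSH's auth2.c; method names are compared as plain strings, so device qualifiers are not interpreted, and the sequences used are constructed.

```python
def parse_authentication_methods(arg: str):
    """Parse an AuthenticationMethods argument. Returns None for "any"
    (no multi-method requirement), otherwise a list of method lists."""
    arg = arg.strip()
    if arg == "":
        raise ValueError('AuthenticationMethods="" is not permitted')
    if arg == "any":
        return None
    lists = []
    for item in arg.split():
        methods = item.split(",")
        if any(m == "" for m in methods):
            raise ValueError(f"invalid AuthenticationMethods list {item!r}")
        lists.append(methods)
    return lists


def is_valid_authentication_methods(arg: str) -> bool:
    try:
        parse_authentication_methods(arg)
        return True
    except ValueError:
        return False


def remaining_methods(lists, completed):
    """Replay the sequence of successful methods: each success advances only
    the lists whose next required method it is, so order matters."""
    if lists is None:
        return None
    remaining = [list(chain) for chain in lists]
    for done in completed:
        for chain in remaining:
            if chain and chain[0] == done:
                chain.pop(0)
    return remaining


def authentication_complete(lists, completed) -> bool:
    """True once every method of at least one list has succeeded; with no
    lists configured, a single successful method is enough."""
    rem = remaining_methods(lists, completed)
    if rem is None:
        return len(completed) > 0
    return any(len(chain) == 0 for chain in rem)


def methods_still_offered(lists, completed) -> set:
    """The next method of every unfinished list: what the server would
    still advertise after a partial success."""
    rem = remaining_methods(lists, completed)
    if rem is None:
        return set()
    return {chain[0] for chain in rem if chain}
```

Note that "publickey,password" and "password,publickey" are not interchangeable: the chain is walked in order, which is what lets an operator insist that the password is only ever tried after a valid key has been presented.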


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
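Three entries in this log shape how PermitOpen (and, later, PermitListen) targets are parsed: wildcard ports such as "localhost:*" from this commit, bare port numbers in PermitListen meaning "*:port" from 1.333, and the removal of the ambiguous host/port form in favour of host:port and [host]:port from 1.347. The following parser is an added example for this page, not OpenSSH's channels.c; treating an unbracketed IPv6 literal as an error and matching hosts by exact string or "*" only are assumptions of the example, and the inputs are constructed.

```python
def parse_forward_spec(spec: str, allow_bare_port: bool = False):
    """Parse one PermitOpen/PermitListen target. Accepts host:port and
    [host]:port (IPv6 literal); a bare port (PermitListen only) means
    "*:port". The port may be '*'. The removed host/port form is rejected."""
    if "/" in spec:
        raise ValueError(f"host/port syntax is no longer supported: {spec!r}")
    if spec.startswith("["):                     # bracketed IPv6 literal
        end = spec.find("]")
        if end < 0 or not spec[end + 1:].startswith(":"):
            raise ValueError(f"malformed address {spec!r}")
        host, port_s = spec[1:end], spec[end + 2:]
    elif ":" in spec:
        host, _, port_s = spec.rpartition(":")
        if ":" in host:                          # unbracketed IPv6: ambiguous
            raise ValueError(f"IPv6 address must use [addr]:port: {spec!r}")
    elif allow_bare_port:
        host, port_s = "*", spec
    else:
        raise ValueError(f"missing port in {spec!r}")
    if host == "":
        raise ValueError(f"missing host in {spec!r}")
    if port_s == "*":
        return host, "*"
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    return host, int(port_s)


def is_valid_forward_spec(spec: str, allow_bare_port: bool = False) -> bool:
    try:
        parse_forward_spec(spec, allow_bare_port)
        return True
    except ValueError:
        return False


def parse_permit_directive(arg: str, allow_bare_port: bool = False):
    """Parse a whole PermitOpen/PermitListen line: 'any' -> None
    (unrestricted), 'none' -> [] (nothing permitted), otherwise a list of
    (host, port) rules."""
    if arg == "any":
        return None
    if arg == "none":
        return []
    return [parse_forward_spec(s, allow_bare_port) for s in arg.split()]


def forward_permitted(rules, host: str, port: int) -> bool:
    """Check a requested forward against the parsed rules."""
    if rules is None:
        return True
    return any((h == "*" or h == host) and (p == "*" or p == port)
               for h, p in rules)
```

"PermitListen 2222 8080" therefore parses to the same rules as "PermitListen *:2222 *:8080", while "PermitOpen 2222" is still rejected because a bare port is only meaningful for listen addresses.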


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
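The negation, CIDR and wildcard-fallback rules described in this message, as an added C example that is not OpenSSH's addrmatch.c: match_address_list() evaluates a comma-separated Match address list where entries containing '/' are CIDR blocks and anything else is a wildcard pattern, and a matching negated ("!") entry overrides any positive match. The function names are mine, and the choice that an address of the other family never matches a CIDR entry is an assumption made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Classic wildcard match: '*' matches any run of characters, '?' exactly one. */
static int
wild_match(const char *pat, const char *s)
{
	for (; *pat != '\0'; pat++, s++) {
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			if (*pat == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wild_match(pat, s))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s))
			return 0;
	}
	return *s == '\0';
}

/* Is textual address `addr` inside `cidr` ("192.0.2.0/24", "3ffe:ffff::/32")?
 * Returns 1 or 0, or -1 when the CIDR entry itself is malformed. An address
 * of the other family never matches (assumption made for this example). */
static int
cidr_match(const char *addr, const char *cidr)
{
	char net[INET6_ADDRSTRLEN];
	unsigned char a[16], n[16], mask;
	const char *slash = strchr(cidr, '/');
	char *end;
	int af, len, bits, i;

	if (slash == NULL || slash[1] == '\0' ||
	    (size_t)(slash - cidr) >= sizeof(net))
		return -1;
	memcpy(net, cidr, slash - cidr);
	net[slash - cidr] = '\0';
	bits = (int)strtol(slash + 1, &end, 10);
	af = strchr(net, ':') != NULL ? AF_INET6 : AF_INET;
	len = af == AF_INET6 ? 16 : 4;
	if (*end != '\0' || bits < 0 || bits > len * 8 ||
	    inet_pton(af, net, n) != 1)
		return -1;		/* bad prefix length or network */
	if (inet_pton(af, addr, a) != 1)
		return 0;		/* other family (or unparseable): no match */
	/* compare only the first `bits` bits, byte by byte */
	for (i = 0; i < len && bits > 0; i++, bits -= 8) {
		mask = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));
		if ((a[i] & mask) != (n[i] & mask))
			return 0;
	}
	return 1;
}

/* Evaluate a Match address list against one client address.
 * Returns -1 if a negated entry matches (or an entry is malformed),
 * 1 if a positive entry matched and no later negated entry did, else 0. */
int
match_address_list(const char *addr, const char *list)
{
	char *copy, *ent, *next;
	int ret = 0, neg, r;

	if ((copy = malloc(strlen(list) + 1)) == NULL)
		return -1;
	strcpy(copy, list);
	for (ent = copy; ent != NULL; ent = next) {
		if ((next = strchr(ent, ',')) != NULL)
			*next++ = '\0';		/* split on commas in place */
		if (*ent == '\0')
			continue;
		neg = (*ent == '!');
		if (neg)
			ent++;
		r = strchr(ent, '/') != NULL ? cidr_match(addr, ent)
		    : wild_match(ent, addr);
		if (r < 0 || (r == 1 && neg)) {
			ret = -1;		/* negated match wins outright */
			break;
		}
		if (r == 1)
			ret = 1;		/* keep going: a later "!" may veto */
	}
	free(copy);
	return ret;
}
```

With the list from the message, "192.0.2.77" and "3ffe:ffff:1::1" yield 1, "10.1.2.3" yields -1 because the negated entry matches, and an unrelated address yields 0.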


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
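The time[qualifier] grammar above, as an added C example that is not OpenSSH's own parser: parse_time_spec() (a name chosen for this example) turns "600", "10m" or "1h30m" into a second count and returns -1 for an unknown qualifier, a leading sign or whitespace, an empty string, or a total that would overflow a long.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse time[qualifier][time[qualifier]...] into seconds. A component with
 * no qualifier counts as seconds; s, m, h, d and w are the other units.
 * Returns -1 on any syntax error or overflow. Added example, not OpenSSH
 * code. */
long
parse_time_spec(const char *spec)
{
	const char *p = spec;
	long total = 0;

	if (spec == NULL || *spec == '\0')
		return -1;
	while (*p != '\0') {
		char *end;
		long n, mult;

		/* each component starts with digits: no sign, no whitespace */
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		n = strtol(p, &end, 10);
		if (errno == ERANGE)
			return -1;
		switch (*end) {
		case '\0':		/* no qualifier: seconds */
		case 's': mult = 1; break;
		case 'm': mult = 60; break;
		case 'h': mult = 60 * 60; break;
		case 'd': mult = 24 * 60 * 60; break;
		case 'w': mult = 7 * 24 * 60 * 60; break;
		default:  return -1;	/* unknown qualifier */
		}
		/* refuse a total that would not fit in a long */
		if (n > (LONG_MAX - total) / mult)
			return -1;
		total += n * mult;
		p = (*end == '\0') ? end : end + 1;
	}
	return total;
}

/* Stand-alone demonstration using the examples from the message plus
 * two malformed inputs. */
int
main(void)
{
	const char *samples[] = { "600", "10m", "1h30m", "2d", "5x", "10 m" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-6s -> %ld\n", samples[i], parse_time_spec(samples[i]));
	return 0;
}
```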


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email fuer Dich. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in Sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.385 03-Jun-2022 djm

Make SetEnv directives first-match-wins in both ssh_config and
sshd_config; previously if the same name was reused then the last
would win (which is the opposite to how the config is supposed to
work).

While there, make the ssh_config parsing more like sshd_config.

bz3438, ok dtucker


Revision tags: OPENBSD_7_1_BASE
# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
    600     600 seconds (10 minutes)
    10m     10 minutes
    1h30m   1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.384 18-Mar-2022 djm

don't try to resolve ListenAddress directives in the sshd re-exec
path - we're never going to use the result and if the operation fails
then it can prevent connections from being accepted. Reported by
Aaron Poffenberger; with / ok dtucker@


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
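
As an added example of the load-time check this entry describes (written for this page, not OpenSSH's addr.c), the code below validates the address/len part of such a pattern: it parses the address with inet_pton(3) and rejects prefix lengths outside the family's range, such as /55 on IPv4. It goes slightly beyond the entry by also reporting whether host bits are set beyond the prefix (10.0.0.1/8), which is usually a sign of a mis-typed range:

```c
/*
 * Added example: validation of "addr" or "addr/len" as used in
 * AllowUsers/DenyUsers patterns.  Written for this page; not OpenSSH's addr.c.
 */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct cidr {
	int af;			/* AF_INET or AF_INET6 */
	int prefix;		/* prefix length in bits */
	unsigned char addr[16];	/* address bytes in network order */
};

/* Parse "addr" or "addr/len"; returns 0 on success, -1 if anything is off. */
int parse_cidr(const char *spec, struct cidr *out)
{
	char addr[INET6_ADDRSTRLEN];
	const char *slash = strchr(spec, '/');
	size_t alen = slash ? (size_t)(slash - spec) : strlen(spec);
	int maxlen;
	long v;
	char *end;

	if (alen == 0 || alen >= sizeof(addr)) return -1;
	memcpy(addr, spec, alen);
	addr[alen] = '\0';
	if (inet_pton(AF_INET, addr, out->addr) == 1) {
		out->af = AF_INET; maxlen = 32;
	} else if (inet_pton(AF_INET6, addr, out->addr) == 1) {
		out->af = AF_INET6; maxlen = 128;
	} else
		return -1;
	if (slash == NULL) {		/* bare address: a single host */
		out->prefix = maxlen;
		return 0;
	}
	/* Prefix length: plain decimal digits only, within the family's range. */
	if (!isdigit((unsigned char)slash[1])) return -1;
	v = strtol(slash + 1, &end, 10);
	if (*end != '\0' || v < 0 || v > maxlen) return -1;
	out->prefix = (int)v;
	return 0;
}

/* 1 if any address bit beyond the prefix is set (e.g. 10.0.0.1/8), else 0. */
int cidr_host_bits_set(const struct cidr *c)
{
	int bits = c->af == AF_INET ? 32 : 128, i;
	for (i = c->prefix; i < bits; i++)
		if (c->addr[i / 8] & (0x80 >> (i % 8))) return 1;
	return 0;
}

/* Prefix length of a valid spec, or -1 if it is invalid. */
int cidr_prefix_len(const char *spec)
{
	struct cidr c;
	return parse_cidr(spec, &c) == 0 ? c.prefix : -1;
}

/* 1 = valid network, 0 = valid but host bits set, -1 = invalid. */
int cidr_is_clean(const char *spec)
{
	struct cidr c;
	if (parse_cidr(spec, &c) == -1) return -1;
	return cidr_host_bits_set(&c) ? 0 : 1;
}
```

Refusing the whole configuration when such a check fails is the safer choice: a range that "always matches", as the entry notes for the old behaviour, turns a restriction into an allow-all.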


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@

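
The random early drop described in the 1.234 entry above, as an added example (not part of the OpenSSH sources or of this log): it parses the start:rate:full form and reproduces the linear ramp that sshd applies between the start and full thresholds. The integer arithmetic follows sshd's drop_connection() as the author of this example understands it; the function and parameter names are this example's own.

```python
"""MaxStartups start:rate:full random early drop, modelled on sshd(8)."""
import random


def parse_max_startups(value):
    """Parse 'MaxStartups 10:30:100' or 'MaxStartups 10' into (begin, rate, full).

    A bare number means every unauthenticated connection beyond it is
    refused (begin == full, rate 100). With three fields, dropping starts at
    'begin' with probability rate%, rising linearly to 100% at 'full'.
    """
    fields = value.split(":")
    if len(fields) == 1:
        begin = full = int(fields[0])
        rate = 100
    elif len(fields) == 3:
        begin, rate, full = (int(f) for f in fields)
    else:
        raise ValueError("MaxStartups expects start or start:rate:full")
    if begin < 1 or full < begin or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups %r" % value)
    return begin, rate, full


def drop_probability(startups, begin, rate, full):
    """Percent chance that the next unauthenticated connection is dropped
    when 'startups' such connections are already in progress."""
    if startups < begin:
        return 0
    if startups >= full:
        return 100
    # Linear ramp from rate% at 'begin' to 100% at 'full', in integer math
    # (assumption: this mirrors the C implementation's drop_connection()).
    return (100 - rate) * (startups - begin) // (full - begin) + rate


def should_drop(startups, begin, rate, full, roll=None):
    """Randomised decision. 'roll' (0..99) may be supplied to make the
    outcome deterministic, e.g. for tests; otherwise a random roll is used."""
    if roll is None:
        roll = random.randrange(100)
    return roll < drop_probability(startups, begin, rate, full)


if __name__ == "__main__":
    begin, rate, full = parse_max_startups("10:30:100")
    for n in (9, 10, 55, 99, 100):
        print(n, "in-progress ->", drop_probability(n, begin, rate, full), "% drop")
```

With the 10:30:100 default, the tenth concurrent unauthenticated connection already has a 30% chance of being dropped, the 55th a 65% chance, and from the 100th on every new one is refused; a bare "MaxStartups 10" refuses everything from the tenth.
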

# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

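
A small evaluator for the AuthenticationMethods semantics described in the 1.232 entry above and the "" / "any" handling from the 1.291 entry earlier in this log. This is an added example and not code from OpenSSH: it models the option as space-separated chains of comma-separated methods that must be completed in the listed order, as sshd_config(5) documents for "publickey,password publickey,keyboard-interactive"; the function names and the (authenticated, methods-that-can-continue) return shape are this example's own.

```python
"""AuthenticationMethods evaluation: ordered method chains, any one of which
must be completed in full (modelled on sshd_config(5); not OpenSSH code)."""


def parse_authentication_methods(value):
    """Parse the option into a list of method chains.

    Chains are space-separated; methods within a chain are comma-separated
    and must be completed in order. 'any' (or an unset option, None) means a
    single successful method suffices and returns None. An empty value, or
    an empty method name, is rejected like AuthenticationMethods="".
    """
    if value is None or value.strip() == "any":
        return None
    chains = [chain.split(",") for chain in value.split()]
    if not chains or any(m == "" for chain in chains for m in chain):
        raise ValueError("AuthenticationMethods must not be empty")
    return chains


def auth_state(chains, completed):
    """Given the methods a client has completed so far (in order), return
    (authenticated, methods_that_can_continue).

    Each chain advances independently: a completed method only counts
    toward a chain if it is that chain's next required step, so a password
    alone never satisfies 'publickey,password'.
    """
    if chains is None:  # "any": the first success finishes authentication
        return (len(completed) > 0, [])
    progress = [0] * len(chains)
    for method in completed:
        for i, chain in enumerate(chains):
            if progress[i] < len(chain) and chain[progress[i]] == method:
                progress[i] += 1
    if any(progress[i] == len(chain) for i, chain in enumerate(chains)):
        return (True, [])
    remaining = []
    for i, chain in enumerate(chains):
        nxt = chain[progress[i]]
        if nxt not in remaining:
            remaining.append(nxt)
    return (False, remaining)


if __name__ == "__main__":
    chains = parse_authentication_methods(
        "publickey,password publickey,keyboard-interactive")
    for done in ([], ["publickey"], ["publickey", "password"], ["password"]):
        print(done, "->", auth_state(chains, done))
```

The "methods that can continue" list is what a client would see offered after each partial success: before anything has been completed only publickey is useful, after publickey either second factor is, and a lone password gets the client nowhere.
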

# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@

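
The "Match address" evaluation described in the 1.181 entry above, as an added example that is not part of the OpenSSH sources: a Python model of addr_match_list() semantics, in which CIDR patterns are preferred, anything that does not parse as a CIDR falls back to wildcard string matching, a negated ("!") hit rejects immediately, and a positive hit does not stop the scan so that a later negation can still win. The return codes follow addrmatch.c (1 match, 0 no match, -1 negated, -2 invalid); the function names and the use of the ipaddress and fnmatch modules are this example's own choices.

```python
"""Match address evaluation, modelled on OpenSSH's addr_match_list()
(example code, not OpenSSH's own)."""
import fnmatch
import ipaddress

# Return codes as in addrmatch.c: match, no match, negated match, invalid list.
MATCH, NO_MATCH, NEGATED, INVALID = 1, 0, -1, -2


def _parse_cidr(pattern):
    """Return an ip_network for 'a.b.c.d', 'a.b.c.d/len' or an IPv6 form;
    None when the pattern is not a CIDR (e.g. the wildcard '10.*')."""
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None


def addr_match_list(addr, pattern_list):
    """Evaluate a comma-separated Match address list against a client address.

    A leading '!' negates a pattern. CIDR matching is tried first; patterns
    that are not valid CIDR fall back to '*' / '?' wildcard matching against
    the textual address. A negated hit returns NEGATED at once; a positive
    hit records MATCH but keeps scanning so later negations still apply.
    """
    try:
        client = ipaddress.ip_address(addr)
    except ValueError:
        return INVALID
    result = NO_MATCH
    for raw in pattern_list.split(","):
        neg = raw.startswith("!")
        pat = raw[1:] if neg else raw
        if not pat:  # empty element, e.g. a stray trailing comma
            return INVALID
        net = _parse_cidr(pat)
        if net is not None:
            hit = client.version == net.version and client in net
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit:
            if neg:
                return NEGATED
            result = MATCH
    return result


def match_address(addr, pattern_list):
    """Boolean form: does this client address select the Match block?"""
    return addr_match_list(addr, pattern_list) == MATCH


if __name__ == "__main__":
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for a in ("192.0.2.5", "3ffe:ffff:1::1", "10.7.7.7", "198.51.100.1"):
        print(a, "->", addr_match_list(a, rule))
```

Against the commit's own example list, 192.0.2.5 and a 3ffe:ffff::/32 address select the block, 10.7.7.7 is rejected by the wildcard negation, and an unrelated address simply does not match; "192.0.2.0/24,!192.0.2.5" shows a negation overriding an earlier positive hit.
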

# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.

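
A decision routine for PermitOpen as described in the 1.156 entry above, covering as well the multiple-value form from 1.159, the wildcard port from 1.223 ("PermitOpen localhost:*") and "PermitOpen none" from 1.224 earlier in this log. This is an added example and not OpenSSH code: it parses a PermitOpen value into host:port rules and intersects the sshd_config setting with a key's permitopen option, so a forward is only allowed when both permit it. Hosts are compared as exact strings and the key option is passed as one space-separated string; both are simplifying assumptions of this example, as are the function names.

```python
"""PermitOpen evaluation for sshd_config and the permitopen= key option
(example code modelling the documented behaviour, not OpenSSH's own)."""

ANY = "any"
NONE = "none"


def parse_permitopen(value):
    """Parse a PermitOpen value into the sentinel ANY or a list of (host, port).

    'any' allows every destination and 'none' allows nothing (an empty rule
    list). Otherwise each whitespace-separated entry is host:port, where
    port may be '*' to allow every port on that host; IPv6 hosts are written
    in brackets, e.g. [::1]:3306. Host names are kept as exact strings
    (assumption of this example).
    """
    value = value.strip()
    if value == ANY:
        return ANY
    if value == NONE:
        return []
    rules = []
    for entry in value.split():
        if entry.startswith("["):  # [ipv6]:port
            host, sep, port = entry[1:].partition("]:")
        else:
            host, sep, port = entry.rpartition(":")
        if not sep or not host or not port:
            raise ValueError("bad PermitOpen entry %r" % entry)
        if port != "*":
            port = int(port)
            if not 0 < port <= 65535:
                raise ValueError("bad port in %r" % entry)
        rules.append((host, port))
    return rules


def permitted_by(rules, host, port):
    """Does a parsed rule set allow a connection to host:port?"""
    if rules == ANY:
        return True
    return any(h == host and (p == "*" or p == port) for h, p in rules)


def forwarding_allowed(config_value, host, port, key_option=None):
    """Decide a direct-tcpip (ssh -L) request.

    The sshd_config PermitOpen always applies; if the authenticating key
    carried a permitopen option it is applied as well, and both must allow
    the destination before the channel is opened.
    """
    if not permitted_by(parse_permitopen(config_value), host, port):
        return False
    if key_option is not None and not permitted_by(
            parse_permitopen(key_option), host, port):
        return False
    return True


if __name__ == "__main__":
    cfg = "localhost:* 10.0.0.5:443"
    for dest in (("localhost", 8080), ("10.0.0.5", 443), ("10.0.0.5", 80)):
        print(dest, "->", forwarding_allowed(cfg, *dest))
    print("key narrows config:", forwarding_allowed(cfg, "localhost", 80,
                                                    key_option="localhost:443"))
```

The intersection is the point the commit makes: a permissive "PermitOpen any" in sshd_config does not widen a key restricted to permitopen="localhost:443", and a key without the option inherits exactly what the server-wide setting allows.
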

# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistent with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.383 08-Feb-2022 dtucker

Switch hpdelim interface to accept only ":" as delimiter.

Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@


Revision tags: OPENBSD_7_0_BASE
# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
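
As an added illustration of the '+' modifier from this entry and the '=-' removal form from 1.304, the following C program is example code written for this page, not OpenSSH's own servconf.c or match.c. It resolves an algorithm-list directive against a built-in default: '+' appends, '-' removes every default entry that matches any of the comma-separated patterns (so "-*cbc" strips all CBC modes), and anything else replaces the default outright. The function and helper names are this example's own and the default cipher list in main() is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *p, const char *s)
{
	for (;; p++, s++) {
		if (*p == '*') {
			while (*p == '*')
				p++;
			if (*p == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (glob_match(p, s))
					return 1;
			return 0;
		}
		if (*s == '\0')
			return *p == '\0';
		if (*p != '?' && *p != *s)
			return 0;
	}
}

/* Does name match any pattern in the comma-separated patlist? */
static int matches_any(const char *patlist, const char *name)
{
	char buf[256], *save = NULL, *pat;

	if (strlen(patlist) >= sizeof(buf))
		return 0;
	strcpy(buf, patlist);
	for (pat = strtok_r(buf, ",", &save); pat != NULL;
	    pat = strtok_r(NULL, ",", &save))
		if (glob_match(pat, name))
			return 1;
	return 0;
}

/* Append item to the comma-separated list in out; -1 if it does not fit. */
static int append_item(char *out, size_t outlen, const char *item)
{
	size_t used = strlen(out);

	if (used + (used ? 1 : 0) + strlen(item) + 1 > outlen)
		return -1;
	if (used)
		out[used++] = ',';
	strcpy(out + used, item);
	return 0;
}

/*
 * Resolve an algorithm-list directive against the built-in default:
 *   "+a,b"  append a and b to the default list
 *   "-pat"  drop every default entry matching a pattern (e.g. "-*cbc")
 *   "a,b"   replace the default list outright
 * Returns 0 on success, -1 on an empty spec, an empty result or overflow.
 */
int resolve_alg_list(const char *defaults, const char *spec,
    char *out, size_t outlen)
{
	char buf[256], *save = NULL, *item;

	if (outlen == 0 || spec[0] == '\0' || strlen(defaults) >= sizeof(buf))
		return -1;
	out[0] = '\0';
	switch (spec[0]) {
	case '+':
		if (spec[1] == '\0' || append_item(out, outlen, defaults) == -1)
			return -1;
		return append_item(out, outlen, spec + 1);
	case '-':
		if (spec[1] == '\0')
			return -1;
		strcpy(buf, defaults);
		for (item = strtok_r(buf, ",", &save); item != NULL;
		    item = strtok_r(NULL, ",", &save)) {
			if (matches_any(spec + 1, item))
				continue;
			if (append_item(out, outlen, item) == -1)
				return -1;
		}
		return out[0] == '\0' ? -1 : 0;	/* refuse an empty list */
	default:
		return append_item(out, outlen, spec);
	}
}

/* Convenience for checking: does spec resolve to exactly expect? */
int resolves_to(const char *defaults, const char *spec, const char *expect)
{
	char out[256];

	return resolve_alg_list(defaults, spec, out, sizeof(out)) == 0 &&
	    strcmp(out, expect) == 0;
}

int main(void)
{
	/* constructed sample default; not OpenSSH's real list */
	const char *def = "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc";
	const char *specs[] = { "-*cbc", "+aes256-gcm@openssh.com", "aes256-ctr", "-*" };
	char out[256];
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		if (resolve_alg_list(def, specs[i], out, sizeof(out)) == 0)
			printf("Ciphers %-26s -> %s\n", specs[i], out);
		else
			printf("Ciphers %-26s -> rejected\n", specs[i]);
	}
	return 0;
}
```

The last sample, "-*", removes everything and is refused: an empty algorithm list would otherwise leave sshd with nothing to negotiate, which is the same reason sshd rejects AuthenticationMethods="" (1.291).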


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
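
To show what 10:30:100 means in practice, here is a small C program added for this page rather than taken from sshd.c. It parses a MaxStartups value and returns the percentage chance that one more unauthenticated connection is refused, given how many are already pending. The linear ramp from rate to 100% between begin and full is my reading of sshd(8)'s random early drop, so check it against sshd.c before relying on the exact numbers; the assumption that rate must lie in 1..100, and all function and field names, are this example's own.

```c
#include <stdio.h>

struct max_startups {
	int begin;	/* start dropping at random once this many are pending */
	int rate;	/* drop chance in percent at exactly 'begin' pending */
	int full;	/* drop everything at or above this many pending */
};

/*
 * Parse "begin:rate:full"; a plain "N" means N:100:N (no early drop).
 * Returns -1 on bad syntax, begin > full, or rate outside 1..100
 * (the 1..100 bound is this example's assumption).
 */
int parse_max_startups(const char *s, struct max_startups *m)
{
	int n;

	if (sscanf(s, "%d:%d:%d", &m->begin, &m->rate, &m->full) != 3) {
		if (sscanf(s, "%d", &n) != 1)
			return -1;
		m->begin = m->full = n;
		m->rate = 100;
	}
	if (m->begin < 1 || m->begin > m->full || m->rate < 1 || m->rate > 100)
		return -1;
	return 0;
}

/*
 * Percentage chance that one more unauthenticated connection is refused
 * when 'pending' are already in progress: 0 below begin, 100 at or above
 * full, and a straight line from rate up to 100 in between.
 */
int drop_percent(const struct max_startups *m, int pending)
{
	int p;

	if (pending < m->begin)
		return 0;
	if (pending >= m->full)
		return 100;
	p = 100 - m->rate;
	p *= pending - m->begin;
	p /= m->full - m->begin;
	return p + m->rate;
}

/* One decision; roll is a uniform random number in 0..99. */
int should_drop(const struct max_startups *m, int pending, int roll)
{
	return roll < drop_percent(m, pending);
}

/* Parse and evaluate in one step; -1 if spec is invalid. */
int drop_percent_for(const char *spec, int pending)
{
	struct max_startups m;

	if (parse_max_startups(spec, &m) == -1)
		return -1;
	return drop_percent(&m, pending);
}

int main(void)
{
	/* "10" is the old hard cut-off, "10:30:100" the new default */
	const char *old = "10", *cur = "10:30:100";
	int n;

	printf("pending  MaxStartups %-4s  MaxStartups %s\n", old, cur);
	for (n = 0; n <= 100; n += 10)
		printf("%7d  %15d%%  %15d%%\n", n,
		    drop_percent_for(old, n), drop_percent_for(cur, n));
	return 0;
}
```

With the old value "10" the eleventh pending connection is always refused; with 10:30:100 the refusal chance rises from 30% at ten pending to 100% at a hundred, so a slow flood loses some connections but a burst of legitimate logins still mostly gets through.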


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
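
As an added example covering both this entry and 1.299 (invalid CIDR ranges such as 127.1.2.3/55 being accepted and then always matching), the C program below is written for this page and is not OpenSSH's addrmatch.c or match.c. It parses and validates an IPv4 CIDR entry, refusing out-of-range prefix lengths and (a stricter choice than the page requires) non-zero host bits, and matches an address against a comma-separated list in which entries with '/' are CIDR ranges, other entries are wildcard patterns, and a leading '!' negates. It is IPv4 only and supports only a trailing '*' in patterns, a simplification of OpenSSH's full pattern matching; function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse "a.b.c.d/len" (a bare "a.b.c.d" is treated as /32) into a network
 * address and prefix length in host byte order. Returns -1 when the address
 * is malformed, len is outside 0..32 (the 127.1.2.3/55 case) or host bits
 * below the mask are set (this example's own, stricter, choice).
 */
int parse_cidr4(const char *spec, uint32_t *net, int *bits)
{
	char buf[64], *slash, *end;
	struct in_addr a;
	long len = 32;
	uint32_t mask;

	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	if ((slash = strchr(buf, '/')) != NULL) {
		*slash++ = '\0';
		len = strtol(slash, &end, 10);
		if (*slash == '\0' || *end != '\0' || len < 0 || len > 32)
			return -1;
	}
	if (inet_pton(AF_INET, buf, &a) != 1)
		return -1;
	mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
	*net = ntohl(a.s_addr);
	if ((*net & ~mask) != 0)
		return -1;
	*bits = (int)len;
	return 0;
}

/* Trailing-'*' wildcard only ("10.*"); anything else must match exactly. */
static int wild_prefix_match(const char *pat, const char *s)
{
	size_t n = strlen(pat);

	if (n > 0 && pat[n - 1] == '*')
		return strncmp(pat, s, n - 1) == 0;
	return strcmp(pat, s) == 0;
}

/*
 * Match addr against a comma-separated list such as "192.0.2.0/24,!10.*".
 * Entries containing '/' are CIDR ranges and are validated; the rest are
 * wildcard patterns; a leading '!' negates. Returns 1 (match), 0 (no match)
 * or -1 (an entry is invalid, so the whole list is refused at load time).
 */
int match_address_list(const char *list, const char *addr)
{
	char buf[256], *save = NULL, *ent;
	struct in_addr a;
	uint32_t host, net;
	int bits, neg, hit, found = 0;

	if (strlen(list) >= sizeof(buf) || inet_pton(AF_INET, addr, &a) != 1)
		return -1;
	host = ntohl(a.s_addr);
	strcpy(buf, list);
	for (ent = strtok_r(buf, ",", &save); ent != NULL;
	    ent = strtok_r(NULL, ",", &save)) {
		if ((neg = (*ent == '!')))
			ent++;
		if (strchr(ent, '/') != NULL) {
			if (parse_cidr4(ent, &net, &bits) == -1)
				return -1;
			hit = bits == 0 ||
			    (host >> (32 - bits)) == (net >> (32 - bits));
		} else
			hit = wild_prefix_match(ent, addr);
		if (hit && neg)
			return 0;	/* a negated entry wins outright */
		if (hit)
			found = 1;	/* keep scanning: a later '!' may exclude */
	}
	return found;
}

int main(void)
{
	/* constructed sample list and addresses */
	const char *list = "192.0.2.0/24,!10.*";
	const char *addrs[] = { "192.0.2.7", "10.1.2.3", "198.51.100.1" };
	size_t i;

	for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
		printf("%-22s %-14s -> %d\n", list, addrs[i],
		    match_address_list(list, addrs[i]));
	printf("%-22s %-14s -> %d (refused)\n", "127.1.2.3/55", "127.1.2.3",
	    match_address_list("127.1.2.3/55", "127.1.2.3"));
	return 0;
}
```

The point of returning -1 rather than silently matching is the 1.299 fix: a bad entry in AllowUsers, DenyUsers or a Match address line should stop sshd from loading (or be reported by sshd -t) instead of quietly widening or narrowing who is allowed in.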


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@
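
The configuration this entry describes, written out as an added sshd_config fragment for this page (not taken from the commit or from OpenSSH's shipped sshd_config) and combined with the AuthenticationMethods (1.232), AllowTcpForwarding local/remote (1.233) and PermitOpen (1.156) directives from later entries. The network range, user name and forwarding target are placeholders:

```text
# Global defaults: keys only, no TCP forwarding
PasswordAuthentication no
AuthenticationMethods publickey
AllowTcpForwarding no

# From the local network (placeholder range) a password alone is enough
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    AuthenticationMethods publickey password

# Forward-only automation account (placeholder name and target):
# key-only access, client-originated forwards to one host:port, no shell
Match User deploy
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:5432
    ForceCommand /bin/true
```

Because Match blocks take effect for the first block that matches and set a given option, the global lines must come first. The effective settings for a given peer can be checked without connecting using the test mode from 1.182, e.g. sshd -T -C user=deploy,addr=192.0.2.10 (supplying the remaining -C attributes on versions before 1.319).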


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.382 06-Sep-2021 millert

revision 1.381 neglected to remove sChallengeResponseAuthentication
from the enum. Noticed by christos@zoulas.com. OK dtucker@


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criterion for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganaden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.381 02-Jul-2021 dtucker

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as a deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
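The validation described in 1.299 above, as an added Python model (not sshd's auth.c or addr.c code): "user@host" entries whose host part contains "/" must parse as a CIDR range at configuration load time, so an entry like djm@127.1.2.3/55 is rejected instead of silently matching every client. The helper names, the use of fnmatch for hostname patterns, and the decision to accept non-canonical network addresses (strict=False) are this model's assumptions.

```python
"""Model of sshd_config AllowUsers / DenyUsers "user@host" validation and matching.

Added model, not sshd's own code.  Assumed rules: the user part is a
wildcard pattern; a host part containing "/" must be a valid CIDR range;
any other host part is a pattern matched against the client's address
and resolved hostname.
"""
from fnmatch import fnmatchcase
import ipaddress


def parse_user_host_entry(entry):
    """Split "user@host" into (user_pattern, host_spec).

    host_spec is None (no host part), an ip_network (CIDR form) or a
    plain pattern string.  Malformed CIDR ranges raise ValueError so that
    the configuration loader can refuse them up front."""
    user, sep, host = entry.partition("@")
    if not user:
        raise ValueError(f"missing user in {entry!r}")
    if not sep:
        return user, None
    if "/" in host:
        try:
            # strict=False accepts e.g. 127.1.2.3/8 (model's choice).
            return user, ipaddress.ip_network(host, strict=False)
        except ValueError:
            raise ValueError(f"invalid address range in {entry!r}") from None
    return user, host


def validate_user_list(entries):
    """Config-time check: list of error messages, empty when every entry is valid."""
    errors = []
    for e in entries:
        try:
            parse_user_host_entry(e)
        except ValueError as err:
            errors.append(str(err))
    return errors


def entry_matches(entry, user, client_addr, client_host):
    """Does one AllowUsers/DenyUsers entry match this user and client?"""
    user_pat, host = parse_user_host_entry(entry)
    if not fnmatchcase(user, user_pat):
        return False
    if host is None:
        return True
    if isinstance(host, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(client_addr) in host
    return fnmatchcase(client_addr, host) or fnmatchcase(client_host, host)


if __name__ == "__main__":
    # Constructed sample configuration lines.
    print(validate_user_list(["djm@127.1.2.3/55", "ops@10.0.0.0/8", "*@*.example.org"]))
    print(entry_matches("ops@10.0.0.0/8", "ops", "10.1.2.3", "host.internal"))
```

Because the bad range is caught by validate_user_list() before any client connects, a typo in a netmask fails closed at startup rather than quietly widening the allow list.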


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
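The algorithm-list modifiers introduced across 1.277 ('+' append), 1.304 ('-' remove, with wildcards such as Ciphers=-*cbc), 1.352 ('^' prepend) and 1.335 (lists are fully expanded at config time; wildcards are accepted but not negation), as one added Python model. This is not OpenSSH's own kex_assemble_names() code; the cipher names in the lists are constructed stand-ins, and the rules that an unmatched pattern in a replace/append/prepend list is an error while an unmatched pattern in a removal list removes nothing are this model's assumptions.

```python
"""Model of sshd_config algorithm-list modifiers with wildcards.

Assumed semantics (an added model, not OpenSSH's kex_assemble_names()):
  "a,b"   replace the default list
  "+a,b"  append to the default list
  "-a,b"  remove from the default list
  "^a,b"  prepend to the default list
Items may use fnmatch-style wildcards (* and ?) but not "!" negation.
"""
from fnmatch import fnmatchcase

# Constructed stand-in lists for the demonstration; not OpenSSH's real defaults.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:-1]   # everything except 3des-cbc


def _split_spec(spec):
    """Separate the leading modifier (if any) from the comma-separated patterns."""
    op = spec[:1] if spec[:1] in ("+", "-", "^") else ""
    patterns = [p for p in spec[len(op):].split(",") if p]
    if not patterns:
        raise ValueError("empty algorithm list")
    for pat in patterns:
        if pat.startswith("!"):
            raise ValueError(f"negation is not supported in algorithm lists: {pat}")
    return op, patterns


def _expand_patterns(patterns, supported):
    """Expand each pattern against the supported set, keeping order and
    dropping duplicates.  A pattern that matches nothing is an error."""
    out = []
    for pat in patterns:
        hits = [a for a in supported if fnmatchcase(a, pat)]
        if not hits:
            raise ValueError(f"unsupported algorithm: {pat}")
        for a in hits:
            if a not in out:
                out.append(a)
    return out


def expand_algorithm_list(spec, defaults, supported):
    """Return the fully expanded list for one config value."""
    op, patterns = _split_spec(spec)
    if op == "-":
        # Removal filters the defaults; a pattern matching nothing removes nothing.
        return [a for a in defaults
                if not any(fnmatchcase(a, p) for p in patterns)]
    chosen = _expand_patterns(patterns, supported)
    if op == "+":
        return defaults + [a for a in chosen if a not in defaults]
    if op == "^":
        return chosen + [a for a in defaults if a not in chosen]
    return chosen


def check_algorithm_list(spec, defaults, supported):
    """Config-time check (what a config dump would surface): None when
    valid, otherwise the error text."""
    try:
        expand_algorithm_list(spec, defaults, supported)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for spec in ("^aes256-gcm@openssh.com", "-*cbc", "+3des-cbc", "!aes*"):
        print(spec, "->", check_algorithm_list(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
              or expand_algorithm_list(spec, DEFAULT_CIPHERS, SUPPORTED_CIPHERS))
```

Expanding at parse time is what lets a typo such as a misspelled algorithm name fail at startup instead of at the first key exchange, and it is why a dump of the effective configuration shows concrete names rather than the modifier string.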


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
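The "start:rate:full" random early drop that the 10:30:100 default above configures, as an added Python model (not sshd's own drop_connection() code). It assumes the documented semantics: refuse nothing below `start` unauthenticated connections, refuse a `rate` percent of new connections at `start`, ramp linearly to refusing everything at `full`, and treat a single bare number as start == full with the rate left at 30. The integer arithmetic and the injectable `roll` parameter are this model's choices.

```python
"""Model of the sshd MaxStartups "start:rate:full" random early drop.

Added model of the documented behaviour, not sshd's drop_connection().
"""
import random


def parse_max_startups(spec):
    """Parse "start:rate:full" or a single "full" value into (start, rate, full).

    A single value means start == full (no probabilistic zone) and the
    rate keeps the 30% default (model assumption)."""
    try:
        nums = [int(p) for p in spec.split(":")]
    except ValueError:
        raise ValueError(f"invalid MaxStartups spec: {spec!r}") from None
    if len(nums) == 1:
        start = full = nums[0]
        rate = 30
    elif len(nums) == 3:
        start, rate, full = nums
    else:
        raise ValueError(f"invalid MaxStartups spec: {spec!r}")
    if start < 1 or full < start or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups spec: {spec!r}")
    return start, rate, full


def check_max_startups(spec):
    """Config-time check: None when valid, otherwise the error text."""
    try:
        parse_max_startups(spec)
    except ValueError as e:
        return str(e)
    return None


def drop_probability(startups, cfg):
    """Percent chance (0..100) of refusing a new connection when `startups`
    unauthenticated connections are already in progress."""
    start, rate, full = cfg
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` connections to 100 at `full`,
    # kept in integer arithmetic so the result is a whole percentage.
    p = 100 - rate
    p *= startups - start
    p //= full - start
    return p + rate


def should_drop(startups, cfg, roll=None):
    """Decide for one new connection; `roll` is a uniform integer in [0, 100)."""
    if roll is None:
        roll = random.randrange(100)
    return roll < drop_probability(startups, cfg)


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:100")
    for n in (5, 10, 55, 99, 100):
        print(n, "in-flight ->", drop_probability(n, cfg), "% dropped")
```

The point of the ramp is that an unauthenticated flood is shed progressively instead of at a single hard cliff, so legitimate users still get through with decreasing odds while the pre-auth slots fill; the numbers chosen should reflect how many pre-auth children the host can actually fork and authenticate per second.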


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
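The AuthenticationMethods semantics described in 1.232 above, together with the later rule from 1.291 that an empty value is rejected and "any" restores the single-method default, as an added Python model (not sshd's auth2.c code). The model assumes that the methods within one list must succeed in the listed order and that a list drops out of contention as soon as the client's sequence of successful methods diverges from it; the helper names are this model's.

```python
"""Model of sshd_config AuthenticationMethods evaluation.

Added model, not sshd's auth2.c.  Assumed rules: the value is one or more
space-separated lists, each a comma-separated sequence of methods that
must succeed in order; completing any one list authenticates the user;
"" is rejected; "any" means a single successful method suffices.
"""


def parse_authentication_methods(spec):
    """Return None for "any" (no multi-step requirement), else a list of
    method tuples.  Empty or malformed values raise ValueError."""
    text = spec.strip()
    if text == "":
        raise ValueError('AuthenticationMethods "" is not allowed; use "any"')
    if text == "any":
        return None
    lists = []
    for word in text.split():
        methods = tuple(word.split(","))
        if any(m == "" for m in methods):
            raise ValueError(f"empty method name in {word!r}")
        lists.append(methods)
    return lists


def check_authentication_methods(spec):
    """Config-time check: None when valid, otherwise the error text."""
    try:
        parse_authentication_methods(spec)
    except ValueError as e:
        return str(e)
    return None


def remaining_lists(lists, completed):
    """Lists still satisfiable after the ordered successes in `completed`."""
    done = tuple(completed)
    return [l for l in lists if l[:len(done)] == done]


def next_methods(lists, completed):
    """Methods the server should offer next (the "can continue" set)."""
    n = len(completed)
    return sorted({l[n] for l in remaining_lists(lists, completed) if len(l) > n})


def authenticated(lists, completed):
    """Has the client completed an entire list (or any method, for "any")?"""
    if lists is None:
        return len(completed) >= 1
    return any(l == tuple(completed) for l in lists)


if __name__ == "__main__":
    # Constructed sample value: public key first, then one second factor.
    lists = parse_authentication_methods("publickey,password publickey,keyboard-interactive")
    print(next_methods(lists, []))
    print(next_methods(lists, ["publickey"]))
    print(authenticated(lists, ["publickey", "password"]))
```

Note what the ordering buys: with "publickey,password" a password prompt is never shown until a key has already been verified, so password guessing against such an account gets no oracle at all.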


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
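The PermitOpen matching rules from 1.223 above (wildcard port, as in "localhost:*"), the "none" value from 1.224, and the PermitListen bare-port shorthand from 1.333 (a bare "2222" meaning "*:2222"), as one added Python model. This is not sshd's channels.c code; the model assumes that "*" is the only wildcard form for either the host or the port, that "any"/"none" must appear alone, that bracketed IPv6 addresses use the [addr]:port form, and that only PermitListen accepts a bare port. The helper names are this model's.

```python
"""Model of the sshd_config PermitOpen / PermitListen syntax and matching.

Added model, not sshd's channels.c.  Assumed rules: "any" permits
everything, "none" permits nothing, each entry is host:port (or
[v6addr]:port), a host or port of "*" matches anything, and PermitListen
alone also accepts a bare port meaning "*:port".
"""

ANY = "*"


def _split_host_port(entry):
    """Split "host:port" or "[v6addr]:port" into (host, port-string)."""
    if entry.startswith("["):
        end = entry.find("]:")
        if end < 0:
            raise ValueError(f"bad bracketed address in {entry!r}")
        return entry[1:end], entry[end + 2:]
    host, sep, port = entry.rpartition(":")
    if not sep or not host:
        raise ValueError(f"missing host or port in {entry!r}")
    return host, port


def parse_permit(keyword, spec):
    """Return None for "any", [] for "none", else a list of (host, port)
    where port is an int or "*"."""
    words = spec.split()
    if not words:
        raise ValueError(f"missing {keyword} specification")
    if words == ["any"]:
        return None
    if words == ["none"]:
        return []
    rules = []
    for w in words:
        if keyword == "PermitListen" and w.isdigit():
            host, port = ANY, w            # bare port: any listen address
        else:
            host, port = _split_host_port(w)
        if port != ANY:
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"bad port in {keyword} entry {w!r}")
            port = int(port)
        rules.append((host, port))
    return rules


def check_permit(keyword, spec):
    """Config-time check: None when valid, otherwise the error text."""
    try:
        parse_permit(keyword, spec)
    except ValueError as e:
        return str(e)
    return None


def permitted(rules, host, port):
    """Would a forwarding request for host:port be allowed under `rules`?"""
    if rules is None:
        return True
    return any((rh == ANY or rh == host) and (rp == ANY or rp == port)
               for rh, rp in rules)


if __name__ == "__main__":
    # Constructed sample configuration values.
    opens = parse_permit("PermitOpen", "localhost:* [::1]:5432")
    print(permitted(opens, "localhost", 8080), permitted(opens, "example.org", 80))
    listens = parse_permit("PermitListen", "2222 8080")
    print(listens, permitted(listens, "0.0.0.0", 2222))
```

Keeping host matching exact (no pattern on the host side) is what makes "localhost:*" safe to grant: it lets a client reach any local service without turning the server into a general-purpose proxy.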


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
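The rule stated in this message (a forwarding target must pass both the sshd_config list and the key's permitopen option) and the first-match behaviour from revisions 1.159 and 1.167 above are easy to misjudge when hardening a host, so here is a small model of them. It is an added example written for this page, not code from servconf.c or channels.c; the function names, the sample specifications and the decision to accept only host:port, IPv4:port and [IPv6]:port entries (splitting at the first colon unless bracketed, so an unbracketed IPv6 literal with a port is refused rather than guessed at) are this example's assumptions:

```python
def parse_permitopen(spec):
    """Parse a PermitOpen argument list (whitespace-separated host:port,
    IPv4:port or [IPv6]:port entries) into a set of (host, port) tuples,
    or the string 'any' when the list is the single word 'any'.
    Splitting happens at the first ':' unless the entry is bracketed, so
    '2001:db8::1:443' is rejected instead of being silently mis-split."""
    entries = spec.split()
    if not entries:
        raise ValueError("PermitOpen needs at least one argument")
    if entries == ["any"]:
        return "any"
    allowed = set()
    for entry in entries:
        if entry.startswith("["):
            # brackets are stripped; they exist so IPv6 literals can carry a port
            host, sep, port = entry[1:].partition("]:")
            if not sep or not host:
                raise ValueError("bad bracketed PermitOpen entry %r" % entry)
        else:
            host, sep, port = entry.partition(":")
            if not sep or not host:
                raise ValueError("bad PermitOpen entry %r" % entry)
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("bad port in PermitOpen entry %r" % entry)
        allowed.add((host, int(port)))
    return allowed


def first_permitopen(config_lines):
    """Return the argument of the first PermitOpen keyword, or None if the
    configuration has none: as with other keywords, the first one is the
    effective setting and later ones are ignored."""
    for line in config_lines:
        parts = line.split(None, 1)
        if parts and parts[0].lower() == "permitopen":
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def permit_open_allowed(config_spec, key_option_spec, host, port):
    """Decide a direct-tcpip request to host:port. Every policy source that
    exists (sshd_config PermitOpen, the key's permitopen= option) must allow
    the target, so a key option can narrow the server-wide list but never
    widen it. Host comparison is literal: 'localhost' and '127.0.0.1' differ."""
    for spec in (config_spec, key_option_spec):
        if spec is None:
            continue                      # this source imposes no restriction
        allowed = parse_permitopen(spec)
        if allowed != "any" and (host, port) not in allowed:
            return False
    return True
```

Because the comparison is literal, a list naming 127.0.0.1:3306 does not admit a request for localhost:3306; that is usually the intended strictness, but it is worth remembering alongside the message's warning that users with shell access can run their own forwarders.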


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
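As an added illustration of the Match semantics described in this message and in revision 1.181 above (CIDR address lists with negation and a fall-back to wildcard matching), here is a small evaluator written for this page; it is not OpenSSH's servconf.c or addrmatch.c code. The SAMPLE_CONFIG fragment, the function names and the connection-context dict are constructed for the example. It applies the rules the messages describe: the main section's first value for a keyword wins, a matching Match block overrides it, the first matching block that sets a keyword wins, a negated entry that hits defeats its whole list, and entries that are not CIDR fall back to wildcard matching against the address text. Treating a CIDR with host bits set ('192.0.2.1/24') as a configuration error is this example's choice rather than something the messages state:

```python
import fnmatch
import ipaddress

# Constructed sshd_config fragment (not from the page), mixing the Match
# forms from revisions 1.153 (User), 1.165/1.186 (Group) and 1.181 (Address).
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match Group !wheel,admins
    PasswordAuthentication yes
"""


def _addr_matches(addr, entry):
    """One address entry: CIDR preferred, then exact address, else wildcard."""
    if "/" in entry:
        # strict=True rejects '192.0.2.1/24' (host bits set) as a config error
        return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=True)
    try:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(entry)
    except ValueError:
        return fnmatch.fnmatchcase(addr, entry)   # classic wildcard fallback


def match_list(candidates, patterns, matcher):
    """Evaluate a comma-separated pattern list the way Match does: a negated
    ('!') entry that hits makes the whole list fail, otherwise any positive
    hit on any candidate is a match."""
    positive = False
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in pattern list %r" % patterns)
        if any(matcher(c, entry) for c in candidates):
            if neg:
                return False
            positive = True
    return positive


def match_block_applies(criteria, ctx):
    """ctx carries the connection's 'user', 'groups' (list) and 'address'.
    Every attribute/value pair on the Match line must hold."""
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("Match needs attribute/value pairs: %r" % criteria)
    for attrib, arg in zip(tokens[::2], tokens[1::2]):
        attrib = attrib.lower()
        if attrib == "user":
            ok = match_list([ctx["user"]], arg, fnmatch.fnmatchcase)
        elif attrib == "group":
            ok = match_list(ctx["groups"], arg, fnmatch.fnmatchcase)
        elif attrib == "address":
            ok = match_list([ctx["address"]], arg, _addr_matches)
        else:
            raise ValueError("unsupported Match attribute %r" % attrib)
        if not ok:
            return False
    return True


def effective_config(text, ctx):
    """Return keyword -> value as applied to this connection: the main
    section's first value for each keyword, overridden by the first matching
    Match block that sets it. Keywords are returned lower-cased."""
    main, matched = {}, {}
    in_match, active = False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match, active = True, match_block_applies(arg, ctx)
        elif not in_match:
            main.setdefault(keyword, arg)      # first obtained value wins
        elif active:
            matched.setdefault(keyword, arg)   # first matching block wins
    result = dict(main)
    result.update(matched)
    return result
```

The test mode added in revision 1.182 (sshd -T together with -C) is the way to confirm what the real parser does with a fragment like this; a model such as the above only helps you decide what to expect before asking.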


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
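As an added example of the time format this message introduces, here is a parser for time[qualifier] sequences. It is written for this page and is not OpenSSH's convtime(); the function name and the choice to raise ValueError rather than return -1 are this example's. It rejects empty input, signs, unknown qualifiers, embedded whitespace and totals that would not fit in a C int, which is where a naive strtol() loop tends to go wrong:

```python
import re

INT_MAX = 2 ** 31 - 1
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def convtime(spec):
    """Convert a sequence of time[qualifier] groups ('600', '10m', '1h30m')
    into seconds. A missing qualifier means seconds. Each group is checked
    for overflow before it is added, so '35792w' fails instead of wrapping."""
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError("bad time specification %r" % spec)
        value = int(m.group(1))
        unit = _UNIT[m.group(2).lower()]
        if value > INT_MAX // unit or total > INT_MAX - value * unit:
            raise ValueError("time specification %r overflows" % spec)
        total += value * unit
        pos = m.end()
    return total
```

Qualifiers are case-insensitive and groups may be mixed in any order ('10m30' is 630 seconds); a leading '+', which strtol() would quietly accept, is refused here so that a mistyped option is reported rather than interpreted.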


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
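The three forms listed here, together with the bare-IPv6 fix in revision 1.144 above, leave a real ambiguity: without brackets a colon can be the port separator or part of an IPv6 literal. The parser below is an added example for this page, not OpenSSH's hpdelim()/cleanhostname() code; its function names and the rule it uses for bare IPv6 (no brackets and at least two colons means the whole argument is an address) are assumptions made here. It also expands an address given without a port over every Port keyword, which is how sshd binds a ListenAddress that names no port:

```python
import ipaddress


def _port(text, arg):
    """Validate a decimal port in 1..65535 taken from a config argument."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError("bad port in %r" % arg)
    return int(text)


def parse_listen_address(arg, default_port=None):
    """Split a ListenAddress argument into (host, port); port is
    default_port when the argument carries none. Accepted forms:
    host | v4 | v6, [host|v4|v6]:port, host:port, v4:port.
    A bare IPv6 literal (no brackets, two or more colons) is taken whole
    instead of being split at its first colon."""
    if not arg:
        raise ValueError("ListenAddress needs an argument")
    if "[" not in arg and arg.count(":") >= 2:
        ipaddress.IPv6Address(arg)        # must really be an IPv6 literal
        return arg, default_port
    if arg.startswith("["):
        host, sep, rest = arg[1:].partition("]")
        if not sep or not host:
            raise ValueError("bad ListenAddress %r" % arg)
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError("bad ListenAddress %r" % arg)
        return host, _port(rest[1:], arg)
    host, sep, port = arg.partition(":")
    if not host:
        raise ValueError("bad ListenAddress %r" % arg)
    return host, (_port(port, arg) if sep else default_port)


def listen_sockets(config_lines):
    """Expand ListenAddress and Port keywords into the (host, port) pairs to
    bind: an address without a port is bound on every Port value (22 if none
    is given), whatever order the keywords appear in. With no ListenAddress
    at all, the wildcard addresses of both families are used."""
    ports, addrs = [], []
    for line in config_lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, arg = parts[0].lower(), parts[1].strip()
        if keyword == "port":
            ports.append(_port(arg, line))
        elif keyword == "listenaddress":
            addrs.append(parse_listen_address(arg))
    ports = ports or [22]
    addrs = addrs or [("0.0.0.0", None), ("::", None)]
    out = []
    for host, port in addrs:
        if port is None:
            out.extend((host, p) for p in ports)
        else:
            out.append((host, port))
    return out
```

The case to keep in mind is '2001:db8::1:22': it is a valid IPv6 address, so the trailing 22 is part of the address and no port is taken from it. Write '[2001:db8::1]:22' when a port is meant; the bracket form exists precisely to remove that ambiguity.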


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.380 08-Jun-2021 djm

switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to
the newer tokeniser. Config parsing will be a little stricter wrt
quote correctness and directives appearing without arguments.

feedback and ok markus@

tested in snaps for the last five or so days - thanks Theo and those who
caught bugs


Revision tags: OPENBSD_6_9_BASE
# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
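
Added editor's example for this entry and for the Match Address/LocalAddress
validation in 1.369 above; it is not the commit's or OpenSSH's code. It
models validating the address part of AllowUsers/DenyUsers entries when the
configuration is loaded, so that a range such as djm@127.1.2.3/55 is refused
rather than matching everything, and then the Deny-then-Allow check done at
authentication time. Entries and addresses are constructed; rejecting CIDR
ranges with host bits set is an assumption of this model.

```python
"""Added editor's example (not OpenSSH's auth.c/addr.c): validating the
address part of AllowUsers/DenyUsers entries at configuration load, so
that a malformed CIDR range such as djm@127.1.2.3/55 is refused instead
of silently matching, followed by the matching done at authentication
time.  Entries and addresses below are constructed."""
import ipaddress
from fnmatch import fnmatchcase


def parse_user_entry(entry):
    """Parse 'user', 'user@hostpattern' or 'user@addr/len'.

    Returns (user_pattern, host_pattern_or_None, network_or_None).
    A host part containing '/' must be a valid CIDR block; this model
    also rejects set host bits (assumption: strict network parsing)."""
    user, sep, host = entry.partition("@")
    if not user or (sep and not host):
        raise ValueError("malformed entry %r" % entry)
    network = None
    if "/" in host:
        try:
            network = ipaddress.ip_network(host, strict=True)
        except ValueError as err:
            raise ValueError("invalid CIDR range in %r: %s" % (entry, err)) from None
    return user, (host if sep else None), network


def load_list(entries):
    """Validate every entry up front, as sshd does at config load."""
    return [parse_user_entry(e) for e in entries]


def entry_matches(parsed, user, addr, hostname=None):
    """Does one parsed entry match this user connecting from addr?"""
    user_pat, host_pat, network = parsed
    if not fnmatchcase(user, user_pat):
        return False
    if host_pat is None:          # bare user name: any source
        return True
    if network is not None:       # CIDR form: address containment
        return ipaddress.ip_address(addr) in network
    # plain pattern: matched against the address and, if known, the hostname
    return fnmatchcase(addr, host_pat) or (
        hostname is not None and fnmatchcase(hostname, host_pat))


def login_allowed(allow, deny, user, addr, hostname=None):
    """DenyUsers is consulted first; a non-empty AllowUsers must then match."""
    if any(entry_matches(d, user, addr, hostname) for d in deny):
        return False
    if allow and not any(entry_matches(a, user, addr, hostname) for a in allow):
        return False
    return True


if __name__ == "__main__":
    allow = load_list(["admin@10.0.0.0/8", "*@192.0.2.0/24", "backup"])
    deny = load_list(["backup@203.0.113.*"])
    for who, where in (("admin", "10.20.30.40"), ("admin", "172.16.0.1"),
                       ("backup", "203.0.113.5")):
        print(who, where, login_allowed(allow, deny, who, where))
    try:
        load_list(["djm@127.1.2.3/55"])
    except ValueError as err:
        print("rejected at load:", err)
```

Running load_list over the whole configured list before accepting connections
is the point of the commit: a bad range fails the config test (sshd -t) rather
than granting access at runtime.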


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
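
Added editor's example covering this entry together with the '-' removal
syntax (1.304), the wildcard expansion at config finalisation (1.335) and the
'^' prefix (1.352) above; it is not the commit's or OpenSSH's code. It models
how a Ciphers/KexAlgorithms/HostKeyAlgorithms value is assembled from the
default and then expanded against the supported set. The cipher lists are
constructed stand-ins, not the real defaults of any release, and treating '!'
negation as a hard error is an assumption (1.335 only says negation is not
supported).

```python
"""Added editor's example (not part of the commit message or of OpenSSH):
how a sshd_config algorithm list such as Ciphers, KexAlgorithms or
HostKeyAlgorithms is assembled from the default when the value starts
with '+', '-' or '^', and then expanded against the supported set.
SUPPORTED_CIPHERS and DEFAULT_CIPHERS are constructed stand-ins, not
the real OpenSSH lists of any release."""
from fnmatch import fnmatchcase

SUPPORTED_CIPHERS = [  # constructed stand-in for the compiled-in "all" list
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [  # constructed stand-in for the default list
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def _split(spec):
    """Split a comma-separated list, rejecting empty elements."""
    items = spec.split(",")
    if any(item == "" for item in items):
        raise ValueError("empty element in algorithm list %r" % spec)
    return items


def _cat(first, second):
    """Concatenate two lists, skipping elements of 'second' already present."""
    out = list(first)
    for name in second:
        if name not in out:
            out.append(name)
    return out


def _matches(name, pattern):
    """Wildcard match; '!' negation is not algorithm-list syntax
    (assumption: modelled as a hard error)."""
    if pattern.startswith("!"):
        raise ValueError("negation not supported in algorithm lists: %r" % pattern)
    return fnmatchcase(name, pattern)


def assemble(spec, default, supported):
    """Return the fully expanded list for a config value 'spec'.

    ''      -> the default unchanged
    '+a,b'  -> default followed by a,b (duplicates dropped)
    '-pat'  -> default with every element matching a pattern removed
    '^a,b'  -> a,b placed ahead of the default
    'a,b'   -> explicit list replacing the default
    Wildcards are expanded against 'supported' in its order; plain names
    must be supported; the final list may not be empty."""
    if not spec:
        return list(default)
    if spec[0] == "+":
        names = _cat(default, _split(spec[1:]))
    elif spec[0] == "-":
        patterns = _split(spec[1:])
        names = [n for n in default
                 if not any(_matches(n, p) for p in patterns)]
    elif spec[0] == "^":
        names = _cat(_split(spec[1:]), default)
    else:
        names = _split(spec)

    result = []
    for item in names:
        if "*" in item or "?" in item:
            matched = [n for n in supported if _matches(n, item)]
        elif item in supported:
            matched = [item]
        else:
            raise ValueError("unsupported algorithm %r" % item)
        for name in matched:
            if name not in result:
                result.append(name)
    if not result:
        raise ValueError("algorithm list %r selects nothing" % spec)
    return result


if __name__ == "__main__":
    for value in ("^aes256-gcm@openssh.com", "+aes128-cbc", "-aes*-ctr",
                  "aes*-gcm@openssh.com,chacha20-poly1305@openssh.com"):
        print("Ciphers %-48s -> %s" % (value, ",".join(
            assemble(value, DEFAULT_CIPHERS, SUPPORTED_CIPHERS))))
```

Because expansion happens when the configuration is finalised, a typo or an
algorithm the binary does not support is reported at config load (or by
sshd -T) instead of surfacing as a failed key exchange later.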


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
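
Added editor's example for this entry and for the PerSourceMaxStartups and
PerSourceNetBlockSize options in 1.372 above; it is not the commit's or sshd's
own code. It models the begin:rate:full random early drop of MaxStartups
(0% chance below begin, rate% at begin, rising linearly to 100% at full) and
the per-netblock cap on unauthenticated connections. The addresses and limits
used are constructed.

```python
"""Added editor's example (not sshd's own code): the MaxStartups
begin:rate:full random early drop and the PerSourceMaxStartups /
PerSourceNetBlockSize per-netblock limit applied to unauthenticated
connections.  Addresses and limits below are constructed."""
import ipaddress
import random


def parse_max_startups(value):
    """'10:30:100' -> (begin, rate, full); a bare 'N' means (N, 100, N)."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3 or not (0 < parts[0] <= parts[2] and 0 <= parts[1] <= 100):
        raise ValueError("bad MaxStartups value %r" % value)
    return tuple(parts)


def drop_probability(startups, begin, rate, full):
    """Percent chance that a new pre-auth connection is refused when
    'startups' such connections are already open: 0 below 'begin',
    'rate' at 'begin', rising linearly to 100 at 'full'."""
    if startups < begin:
        return 0
    if startups >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (startups - begin) // (full - begin)


def netblock_key(addr, v4_bits=32, v6_bits=128):
    """Map a client address to its PerSourceNetBlockSize netblock."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network((str(ip), bits), strict=False))


class StartupLimiter:
    """Tracks open pre-auth connections and decides whether to accept more."""

    def __init__(self, max_startups="10:30:100", per_source_max=None,
                 netblock="32:128", rng=random.random):
        self.begin, self.rate, self.full = parse_max_startups(max_startups)
        self.per_source_max = per_source_max   # None = no per-source limit
        self.v4_bits, self.v6_bits = (int(b) for b in netblock.split(":"))
        self.rng = rng                          # injectable for deterministic tests
        self.active = {}                        # connection id -> netblock key

    def accept(self, conn_id, addr):
        """Return (accepted, reason) for a new connection from addr."""
        key = netblock_key(addr, self.v4_bits, self.v6_bits)
        if self.per_source_max is not None:
            same = sum(1 for k in self.active.values() if k == key)
            if same >= self.per_source_max:
                return False, "PerSourceMaxStartups exceeded for %s" % key
        chance = drop_probability(len(self.active), self.begin, self.rate, self.full)
        if chance and self.rng() * 100 < chance:
            return False, "MaxStartups random early drop (%d%%)" % chance
        self.active[conn_id] = key
        return True, "accepted"

    def finished(self, conn_id):
        """Call when the pre-auth child authenticates or exits."""
        self.active.pop(conn_id, None)


if __name__ == "__main__":
    lim = StartupLimiter(per_source_max=2, netblock="24:64")
    for i, src in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12",
                             "198.51.100.1")):
        print(src, lim.accept(i, src))
```

A per-source cap keeps one /24 from consuming the whole MaxStartups budget,
which is why the two mechanisms are evaluated in that order: the netblock
check is deterministic and runs before the probabilistic global drop.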


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
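
Added editor's example for this entry and for 1.291 above (which bans an empty
AuthenticationMethods value and accepts "any"); it is not the commit's or
OpenSSH's auth2.c code. It models the evaluation: each space-separated list
names methods that must all succeed in order, completing every method of any
one list authenticates the user, and only methods at the head of some list
are offered at each stage. The set of recognised method names is an
assumption of the model.

```python
"""Added editor's example (not OpenSSH's auth2.c): evaluation of an
AuthenticationMethods value.  Each space-separated list names methods
that must all succeed, in order; completing every method of any one list
authenticates the user, and only methods at the head of some list are
offered at each stage.  An empty value is rejected and 'any' means a
single successful method suffices.  KNOWN_METHODS is an assumed set."""

KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}  # assumption


def parse_authentication_methods(value):
    """Return None for 'any' / unset, else a list of method lists."""
    if value is None or value == "any":
        return None
    if value.strip() == "":
        raise ValueError("AuthenticationMethods may not be empty")
    lists = []
    for item in value.split():
        methods = item.split(",")
        for m in methods:
            if m not in KNOWN_METHODS:
                raise ValueError("unknown authentication method %r" % m)
        lists.append(methods)
    return lists


class AuthState:
    """Per-connection progress through the required method lists."""

    def __init__(self, required):
        # copy so one connection's progress never mutates the parsed config
        self.lists = None if required is None else [list(l) for l in required]

    def offered(self):
        """Methods the server should advertise at this stage."""
        if self.lists is None:
            return sorted(KNOWN_METHODS)
        return sorted({l[0] for l in self.lists if l})

    def complete(self, method):
        """Record a successful method; True once any list is fully satisfied."""
        if self.lists is None:
            return True
        if method not in self.offered():
            raise ValueError("%r is not allowed at this stage" % method)
        for l in self.lists:
            if l and l[0] == method:
                l.pop(0)
        return any(not l for l in self.lists)


if __name__ == "__main__":
    required = parse_authentication_methods(
        "publickey,password publickey,keyboard-interactive")
    state = AuthState(required)
    print("offered:", state.offered())
    print("after publickey ->", state.complete("publickey"), state.offered())
    print("after password  ->", state.complete("password"))
```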


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
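
Added editor's example for this entry and for the related PermitOpen "none"
(1.224), PermitListen (1.329) and bare-port PermitListen (1.333) entries
above; it is not the commit's or OpenSSH's channels.c code. It parses a
PermitOpen/PermitListen value (host:port, [host]:port, a bare port for
PermitListen, '*' for host or port, and the "any"/"none" keywords) and
checks a forwarding request against it. The inputs are constructed, and
exact, case-sensitive host comparison is an assumption of the model.

```python
"""Added editor's example (not OpenSSH's channels.c): parsing and
matching of PermitOpen / PermitListen values, including the bare-port
form of PermitListen, the '*' wildcard for host or port, and the
'any' / 'none' keywords.  Inputs below are constructed."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard marker for host or port


@dataclass(frozen=True)
class Permission:
    host: Optional[str]   # None means '*'
    port: Optional[int]   # None means '*'


def parse_element(text, bare_port_ok=False):
    """Parse 'host:port', '[host]:port' or (PermitListen only) 'port'."""
    host, sep, port = text.rpartition(":")
    if not sep:
        if not bare_port_ok:
            raise ValueError("expected host:port, got %r" % text)
        host, port = "*", text          # bare port means '*:port'
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]               # [::1]:22 form
    if not host:
        raise ValueError("empty host in %r" % text)
    if port == "*":
        portval = ANY
    elif port.isdigit() and 0 < int(port) <= 65535:
        portval = int(port)
    else:
        raise ValueError("bad port in %r" % text)
    return Permission(ANY if host == "*" else host, portval)


def parse_directive(value, bare_port_ok=False):
    """Return None for 'any' (no restriction), [] for 'none', else a list."""
    if value == "any":
        return None
    if value == "none":
        return []
    return [parse_element(t, bare_port_ok) for t in value.split()]


def permitted(perms, host, port):
    """Is a forwarding request for host:port allowed by the parsed list?"""
    if perms is None:
        return True
    return any((p.host is ANY or p.host == host) and
               (p.port is ANY or p.port == port) for p in perms)


if __name__ == "__main__":
    listen = parse_directive("2222 8080", bare_port_ok=True)   # PermitListen
    opens = parse_directive("localhost:* [::1]:443")           # PermitOpen
    print("ssh -R 2222 ->", permitted(listen, "localhost", 2222))
    print("ssh -R 2223 ->", permitted(listen, "localhost", 2223))
    print("ssh -L ::1:443 ->", permitted(opens, "::1", 443))
    print("ssh -L ::1:80  ->", permitted(opens, "::1", 80))
```

Note that the removed host/port form (1.347 above) is not accepted: a '/'
in an element is simply part of a host name that will never match.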


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
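The matching semantics this commit describes, as an added C example that is not the addrmatch.c code it refers to: CIDR entries are compared by prefix, anything else falls back to '*'/'?' wildcard matching on the textual address, and the first entry that matches decides, so a negated entry rejects an address even if a later entry would accept it. The function name match_address_list and its 1/0/-1 return convention are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Compare the leading `bits` bits of two address buffers (bits already validated). */
static int
prefix_equal(const unsigned char *a, const unsigned char *b, int bits)
{
	int full = bits / 8, rem = bits % 8;
	unsigned char mask = (unsigned char)(0xffu << (8 - rem));

	if (full > 0 && memcmp(a, b, full) != 0)
		return 0;
	return rem == 0 || (a[full] & mask) == (b[full] & mask);
}

/* Parse a textual IPv4 or IPv6 address into out[16]; returns 4, 16, or 0 on failure. */
static int
parse_addr(const char *s, unsigned char *out)
{
	if (inet_pton(AF_INET, s, out) == 1)
		return 4;
	if (inet_pton(AF_INET6, s, out) == 1)
		return 16;
	return 0;
}

/* Classic wildcard match with '*' and '?', the fall-back for non-CIDR entries. */
static int
wildcard_match(const char *pat, const char *s)
{
	for (;;) {
		if (*pat == '\0')
			return *s == '\0';
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			if (*pat == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wildcard_match(pat, s))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s))
			return 0;
		pat++;
		s++;
	}
}

/*
 * Match addr against a comma-separated list of CIDR ranges and wildcard
 * patterns; an entry prefixed with '!' is negated. Entries are tried in
 * order and the first match decides (assumed convention of this example).
 * Returns 1 (positive match), 0 (negated match or no match), -1 (malformed
 * address or CIDR entry).
 */
int
match_address_list(const char *addr, const char *list)
{
	unsigned char a[16], net[16];
	int alen = parse_addr(addr, a);
	const char *p = list;

	if (alen == 0)
		return -1;
	while (*p != '\0') {
		const char *comma = strchr(p, ',');
		size_t n = comma != NULL ? (size_t)(comma - p) : strlen(p);
		char entry[128], *e = entry, *slash;
		int neg = 0, matched;

		if (n == 0 || n >= sizeof(entry))
			return -1;
		memcpy(entry, p, n);
		entry[n] = '\0';
		if (*e == '!') { neg = 1; e++; }
		if ((slash = strchr(e, '/')) != NULL) {
			char *end; long bits; int nlen;

			*slash = '\0';
			nlen = parse_addr(e, net);
			bits = strtol(slash + 1, &end, 10);
			if (nlen == 0 || end == slash + 1 || *end != '\0' ||
			    bits < 0 || bits > nlen * 8)
				return -1;
			/* A v4 address never falls inside a v6 range, or vice versa. */
			matched = nlen == alen && prefix_equal(a, net, (int)bits);
		} else {
			matched = wildcard_match(e, addr);
		}
		if (matched)
			return neg ? 0 : 1;
		p = comma != NULL ? comma + 1 : p + n;
	}
	return 0;
}
```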


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
    600      600 seconds (10 minutes)
    10m      10 minutes
    1h30m    1 hour 30 minutes (90 minutes)
ok markus@
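As an added example (not sshd's own parser), a C function that converts the time[qualifier] sequences described above to seconds, summing components as in "1h30m" and rejecting unknown qualifiers, malformed components and totals that would overflow; parse_time is an assumed name, and accepting a bare "0" is this example's choice.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Convert a time specification such as "600", "10m" or "1h30m" to seconds.
 * Each component is a run of digits followed by an optional qualifier:
 *   (none) or s: seconds   m: minutes   h: hours   d: days   w: weeks
 * Components are summed. Returns -1 for an empty string, a component that
 * does not start with a digit, an unknown qualifier, or a total that does
 * not fit in a long (so an oversized value cannot silently wrap around).
 */
long
parse_time(const char *s)
{
	long total = 0;
	const char *p = s;

	if (s == NULL || *s == '\0')
		return -1;
	while (*p != '\0') {
		char *end;
		long n, mult;

		/* strtol would accept leading spaces and a sign; this format does not. */
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		n = strtol(p, &end, 10);
		if (errno == ERANGE)
			return -1;
		switch (*end) {
		case '\0': case 's': case 'S': mult = 1; break;
		case 'm': case 'M': mult = 60; break;
		case 'h': case 'H': mult = 60 * 60; break;
		case 'd': case 'D': mult = 24 * 60 * 60; break;
		case 'w': case 'W': mult = 7 * 24 * 60 * 60; break;
		default: return -1;
		}
		if (n > (LONG_MAX - total) / mult)
			return -1;	/* the sum would overflow */
		total += n * mult;
		p = *end == '\0' ? end : end + 1;
	}
	return total;
}

int
main(void)
{
	const char *samples[] = { "600", "10m", "1h30m", "2w", "5x", "-5" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %ld\n", samples[i], parse_time(samples[i]));
	return 0;
}
```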


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.379 03-Apr-2021 djm

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
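The load-time check this change describes, as an added Python illustration that is not sshd's code: any host part containing '/' is treated as a CIDR range and must parse, so an entry such as djm@127.1.2.3/55 is refused at configuration time rather than silently matching every address. The function names are my own, and the parsing of USER@HOST is simplified (no negation or other pattern-list features).

```python
import ipaddress


def validate_user_pattern(pattern):
    """Check one AllowUsers/DenyUsers entry at config-load time.

    An entry is USER or USER@HOST.  HOST may be a hostname/address wildcard
    pattern (left alone here) or a CIDR range.  Anything containing '/' is
    taken as CIDR and must parse: a bad prefix length such as 127.1.2.3/55
    raises instead of becoming a range that matches everything.
    Returns (user, host) with host None when no '@' part was given.
    """
    if not pattern:
        raise ValueError("empty AllowUsers/DenyUsers pattern")
    user, sep, host = pattern.partition("@")
    if sep and not host:
        raise ValueError(f"missing host part in {pattern!r}")
    if "/" in host:
        try:
            # strict=False: host bits set in the address (10.1.2.3/8) are
            # tolerated; only the prefix length and address syntax are checked.
            ipaddress.ip_network(host, strict=False)
        except ValueError as e:
            raise ValueError(f"invalid CIDR range in {pattern!r}: {e}") from None
    return user, (host or None)


def validate_user_list(line):
    """Validate a whole AllowUsers/DenyUsers argument list; returns parsed entries."""
    return [validate_user_pattern(entry) for entry in line.split()]


if __name__ == "__main__":
    # Constructed sample line; the last entry is the kind that used to slip through.
    for entry in "alice bob@192.0.2.0/24 carol@2001:db8::/32 djm@127.1.2.3/55".split():
        try:
            print("ok      ", validate_user_pattern(entry))
        except ValueError as err:
            print("rejected", err)
```

Running this as a config test is cheap, and rejecting the line outright (rather than warning) keeps an operator from deploying an access list that is silently wider than intended.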


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
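The algorithm-list editing syntax introduced across 1.352 ('^' prepend), 1.335 (wildcard expansion at config finalisation), 1.304 ('-' removal, e.g. Ciphers=-*cbc) and 1.277 ('+' append), worked as one added Python example. This is not OpenSSH's code: DEFAULT_CIPHERS is a constructed stand-in for a built-in list, apply_algorithm_spec is my own name, and the exact duplicate handling is an assumption. It follows the documented semantics: wildcards are expanded to concrete names when the list is assembled, so a bad name fails early and a dump shows the real selection, and wildcards are plain patterns with no negation.

```python
import fnmatch

# Constructed stand-in for a server's built-in cipher list (illustration only;
# not OpenSSH's actual default).
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
]


def _matches_any(name, patterns):
    """True if name matches at least one fnmatch-style wildcard pattern."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def apply_algorithm_spec(spec, default, supported=None):
    """Compute the effective algorithm list for one configuration value.

    spec is the text after the keyword, e.g. "-*cbc" or "^aes128-gcm@openssh.com":
      "+a,b"  append a,b (expanded against `supported`) to the default
      "-a,b"  remove everything in the default matching a or b
      "^a,b"  prepend a,b (expanded) to the default
      "a,b"   replace the default entirely
    Wildcards are plain fnmatch patterns: no '!' negation, no pattern-lists.
    `supported` is what a pattern may expand to; it defaults to `default`.
    """
    if supported is None:
        supported = list(default)
    spec = spec.strip()
    if not spec:
        raise ValueError("empty algorithm list")
    op, body = (spec[0], spec[1:]) if spec[0] in "+-^" else ("", spec)
    patterns = [p for p in body.split(",") if p]
    if not patterns:
        raise ValueError(f"no algorithm names after {op!r}")

    if op == "-":
        # Removal never fails on a pattern that matches nothing.
        return [a for a in default if not _matches_any(a, patterns)]

    # Expand every pattern against the supported set, keeping first-seen order
    # and dropping duplicates, so the result names concrete algorithms.
    expanded = []
    for p in patterns:
        hits = [a for a in supported if fnmatch.fnmatchcase(a, p)]
        if not hits:
            raise ValueError(f"unknown or unsupported algorithm: {p}")
        for a in hits:
            if a not in expanded:
                expanded.append(a)

    if op == "+":
        return list(default) + [a for a in expanded if a not in default]
    if op == "^":
        return expanded + [a for a in default if a not in expanded]
    return expanded


if __name__ == "__main__":
    for value in ("-*cbc", "^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                  "+aes128-cbc", "aes*ctr"):
        print(f"Ciphers {value:45} -> {apply_algorithm_spec(value, DEFAULT_CIPHERS)}")
```

The useful check for an operator is the "-" form: removing a family by wildcard (here every CBC mode) cannot fail, whereas "+" or "^" with a name the build does not support is an error at load time rather than a silent no-op.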


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
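
The address-list semantics this entry describes (CIDR ranges for both address families, "!" negation, fall-back to classic wildcard matching), as an added C example. It is not OpenSSH's addrmatch.c: the function names, the return codes and the use of fnmatch(3) in place of OpenSSH's own pattern matcher are this example's choices. It evaluates a list such as the one in the commit message against a client address and reports a positive match, a negated match, no match, or a malformed entry.

```c
/* Address-list matching in the style of sshd_config "Match address".
 * Added example, not OpenSSH's addrmatch.c; all names are hypothetical.
 * Semantics implemented here: entries are comma-separated, a leading "!"
 * negates an entry, entries containing "/" are IPv4 or IPv6 CIDR ranges,
 * and anything else falls back to a wildcard pattern matched against the
 * textual address. A matching negated entry refuses the address outright;
 * otherwise any matching positive entry accepts it. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MATCH_ERROR   -2   /* malformed entry or unparseable address */
#define ADDR_MATCH_NEGATED -1   /* a "!" entry matched: refuse */
#define ADDR_MATCH_NONE     0
#define ADDR_MATCH_YES      1

/* Parse a textual address into a 16-byte buffer (IPv4 uses the first 4
 * bytes). Returns the address length in bits (32 or 128), or -1. */
static int parse_addr(const char *text, unsigned char out[16])
{
    memset(out, 0, 16);
    if (inet_pton(AF_INET, text, out) == 1)
        return 32;
    if (inet_pton(AF_INET6, text, out) == 1)
        return 128;
    return -1;
}

/* Is addr inside net/prefix? Returns 1 or 0, or -1 for a bad prefix.
 * Addresses of different families never match. */
static int cidr_contains(const unsigned char *net, int net_bits, int prefix,
    const unsigned char *addr, int addr_bits)
{
    int i, full = prefix / 8, rem = prefix % 8;

    if (prefix < 0 || prefix > net_bits)
        return -1;
    if (net_bits != addr_bits)
        return 0;
    for (i = 0; i < full; i++)
        if (net[i] != addr[i])
            return 0;
    if (rem != 0) {
        unsigned char mask = (unsigned char)(0xffu << (8 - rem));
        if ((net[full] & mask) != (addr[full] & mask))
            return 0;
    }
    return 1;
}

/* Match one entry (negation already stripped); entry is modified in place. */
static int match_entry(char *entry, const char *addr_text)
{
    unsigned char net[16], addr[16];
    char *slash = strchr(entry, '/'), *end;
    long prefix;
    int net_bits, addr_bits;

    if (slash == NULL)  /* wildcard fallback; fnmatch(3) stands in for OpenSSH's matcher */
        return fnmatch(entry, addr_text, 0) == 0 ? ADDR_MATCH_YES : ADDR_MATCH_NONE;
    *slash = '\0';
    prefix = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0')
        return ADDR_MATCH_ERROR;
    net_bits = parse_addr(entry, net);
    addr_bits = parse_addr(addr_text, addr);
    if (net_bits < 0 || addr_bits < 0)
        return ADDR_MATCH_ERROR;
    switch (cidr_contains(net, net_bits, (int)prefix, addr, addr_bits)) {
    case 1:  return ADDR_MATCH_YES;
    case 0:  return ADDR_MATCH_NONE;
    default: return ADDR_MATCH_ERROR;
    }
}

/* Evaluate a whole list such as "192.0.2.0/24,3ffe:ffff::/32,!10.*"
 * against one client address. */
int addr_list_match(const char *list, const char *addr_text)
{
    const char *p = list;
    int result = ADDR_MATCH_NONE;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char entry[64];
        int negate, r;

        if (len == 0 || len >= sizeof(entry))
            return ADDR_MATCH_ERROR;
        memcpy(entry, p, len);
        entry[len] = '\0';
        negate = (entry[0] == '!');
        r = match_entry(negate ? entry + 1 : entry, addr_text);
        if (r == ADDR_MATCH_ERROR)
            return ADDR_MATCH_ERROR;
        if (r == ADDR_MATCH_YES) {
            if (negate)
                return ADDR_MATCH_NEGATED;  /* an explicit refusal wins */
            result = ADDR_MATCH_YES;        /* keep scanning for a "!" entry */
        }
        p = comma ? comma + 1 : p + len;
    }
    return result;
}
```

A negated entry that matches refuses the address even when an earlier positive entry matched, so the order of entries does not weaken a "!" exclusion. The distinct error code matters for a configuration checker: a typo such as a /33 prefix on an IPv4 network should fail parsing rather than quietly count as "no match".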


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@
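
The time[qualifier] syntax described above, as a worked parser. This is an added example, not OpenSSH's own convtime() routine; parse_time_spec and qualifier_seconds are hypothetical names. It accepts the forms listed (bare seconds, the s/m/h/d/w qualifiers, and concatenated components such as 1h30m) and returns -1 for anything else, including a total that would overflow, so a malformed value is rejected rather than silently truncated.

```c
/* Parser for sshd-style time specifications such as "600", "10m" and "1h30m".
 * Added example: not OpenSSH's own convtime(); all names are hypothetical. */
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>

/* Seconds per qualifier character; 0 means "not a qualifier". */
static long qualifier_seconds(int c)
{
    switch (c) {
    case 's': case 'S': return 1;
    case 'm': case 'M': return 60;
    case 'h': case 'H': return 60 * 60;
    case 'd': case 'D': return 24 * 60 * 60;
    case 'w': case 'W': return 7 * 24 * 60 * 60;
    default:            return 0;
    }
}

/* Convert a time specification to seconds. Each component is a positive
 * integer followed by an optional qualifier; components are added, so
 * "1h30m" is 5400. Returns -1 for an empty string, a component that does
 * not start with a digit (so no sign and no leading space), an unknown
 * qualifier, or a total that would overflow a long. */
long parse_time_spec(const char *s)
{
    long total = 0;

    if (s == NULL || *s == '\0')
        return -1;
    while (*s != '\0') {
        char *end;
        long n, mult;

        if (!isdigit((unsigned char)*s))
            return -1;
        n = strtol(s, &end, 10);
        if (n == LONG_MAX)                  /* strtol signalled overflow */
            return -1;
        if (*end == '\0') {                 /* bare number: plain seconds */
            mult = 1;
        } else {
            mult = qualifier_seconds((unsigned char)*end);
            if (mult == 0)                  /* unknown qualifier letter */
                return -1;
            end++;
        }
        if (n > (LONG_MAX - total) / mult)  /* n * mult would overflow */
            return -1;
        total += n * mult;
        s = end;
    }
    return total;
}
```

Invalid input is reported through the return value rather than by clamping, which is what a limit such as LoginGraceTime needs: a typo must fail configuration parsing rather than silently become 0 (no limit) or an unintended large value.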


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.378 12-Mar-2021 dtucker

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX. This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-sensitivity.
bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
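
The random early drop this commit tunes is easy to get wrong when reimplementing it elsewhere (a rate limiter in front of sshd, a test harness). The following is an added Python reference model of the "start:rate:full" semantics, written for this page and not OpenSSH's own code; it assumes, as sshd does, a linear ramp from rate% at start up to 100% at full, and takes an injectable random source so the decision can be checked deterministically.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    """Parsed sshd_config MaxStartups value "start:rate:full" (default 10:30:100)."""
    start: int  # begin random early drop at this many unauthenticated connections
    rate: int   # drop probability in percent at exactly `start` connections
    full: int   # refuse every new connection at or above this many

    @classmethod
    def parse(cls, spec: str) -> "MaxStartups":
        parts = spec.split(":")
        if len(parts) == 1 and parts[0].isdigit():
            n = int(parts[0])  # plain "MaxStartups 10": hard cap, no early drop
            return cls(n, 100, n)
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad MaxStartups value {spec!r}")
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full) or not (0 <= rate <= 100):
            raise ValueError(f"bad MaxStartups value {spec!r}")
        return cls(start, rate, full)

    def drop_probability(self, startups: int) -> int:
        """Percent chance that a new unauthenticated connection is dropped when
        `startups` connections are already waiting to authenticate."""
        if self.rate == 100:
            return 100 if startups >= self.start else 0
        if startups < self.start:
            return 0
        if startups >= self.full:
            return 100
        # Linear ramp from rate% at `start` up to 100% at `full` (integer arithmetic).
        span = self.full - self.start
        return self.rate + (100 - self.rate) * (startups - self.start) // span

    def drop_connection(self, startups: int, rng=random) -> bool:
        """Decide for one new connection; `rng` is injectable for deterministic tests."""
        return rng.randrange(100) < self.drop_probability(startups)
```

With the 10:30:100 default, the 55th unauthenticated connection has a 65% chance of being dropped; the 100th is always dropped.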


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
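
An added Python model of the AuthenticationMethods semantics described above, written for this page rather than taken from OpenSSH: each space-separated list is an ordered sequence of method names, a method may only be attempted if it is the next unfinished step of some list that is still consistent with what has already succeeded, and authentication completes when any one list has been finished. It is deliberately simplified (no "keyboard-interactive:pam"-style submethods, no special handling of the "none" method); the helper names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthMethodsPolicy:
    """Parsed sshd_config AuthenticationMethods: each inner tuple is one
    comma-separated list; completing every method of any one list authenticates."""
    lists: tuple

    @classmethod
    def parse(cls, spec: str) -> "AuthMethodsPolicy":
        lists = []
        for item in spec.split():
            methods = tuple(item.split(","))
            if any(not m for m in methods):
                raise ValueError(f"empty method name in {item!r}")
            lists.append(methods)
        if not lists:
            raise ValueError("AuthenticationMethods needs at least one list")
        return cls(tuple(lists))

    def viable_lists(self, completed):
        """Lists whose leading methods are exactly what has succeeded so far."""
        n = len(completed)
        return [m for m in self.lists if m[:n] == tuple(completed)]

    def allowed_next(self, completed) -> frozenset:
        """Methods the client may attempt now, given the ordered methods that
        have already succeeded in this session."""
        n = len(completed)
        return frozenset(m[n] for m in self.viable_lists(completed) if n < len(m))

    def satisfied(self, completed) -> bool:
        return any(m == tuple(completed) for m in self.lists)

    def locked_out(self, completed) -> bool:
        """No list can still be completed from this state."""
        return not self.satisfied(completed) and not self.allowed_next(completed)


def simulate(policy: AuthMethodsPolicy, attempts):
    """Feed (method, succeeded) pairs in order; return (authenticated, completed).
    Attempts of methods that are not currently offered are ignored, as sshd
    would not advertise them to the client."""
    completed = ()
    for method, ok in attempts:
        if method not in policy.allowed_next(completed):
            continue
        if ok:
            completed += (method,)
            if policy.satisfied(completed):
                return True, completed
    return False, completed
```

For "publickey,password publickey,keyboard-interactive" the client must present a key first; only then may it choose between a password and a keyboard-interactive exchange.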


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
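
An added Python model of the address-list matching this commit describes, written for this page and not lifted from addrmatch.c: entries are comma-separated, a leading "!" negates, entries containing "/" are CIDR blocks, and anything else falls back to classic wildcard matching on the address text. As in sshd, a negated entry that matches wins outright, so a "Match address" block only applies on a positive result. The function names and the handling of host bits in a CIDR entry (ignored here) are this example's assumptions.

```python
import fnmatch
import ipaddress


def addr_match_list(addr: str, patterns: str) -> int:
    """Match a client address against a comma-separated sshd-style list.

    Returns 1 on a positive match, -1 as soon as a negated ('!') entry matches,
    and 0 when nothing matched. Entries containing '/' are CIDR blocks; any
    other entry is a wildcard pattern (* and ?) applied to the address text.
    Host bits in a CIDR entry are ignored (strict=False, an assumption of this
    example); a malformed CIDR raises ValueError, mirroring sshd treating it as
    a configuration error.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 0  # not an IP literal at all: cannot match any entry
    matched = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if not entry:
            raise ValueError(f"empty entry in address list {patterns!r}")
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError as e:
                raise ValueError(f"invalid CIDR {entry!r} in address list") from e
            hit = ip in net  # False when the address families differ
        else:
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit:
            if negated:
                return -1
            matched = 1
    return matched


def match_address(addr: str, patterns: str) -> bool:
    """'Match address <patterns>' applies only on a positive (1) result."""
    return addr_match_list(addr, patterns) == 1
```

Note that order does not rescue a negated entry: "10.1.1.1,!10.0.0.0/8" still rejects 10.1.1.1, because the negation is checked against every entry, not only those before the first positive hit.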


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
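
An added Python model of the PermitOpen behaviour described in this entry and refined in 1.159, 1.167, 1.223 and 1.224: a space-separated list of host:port targets (IPv6 in brackets), a "*" port wildcard, the "any" and "none" keywords, first-occurrence-wins within a configuration scope, and the rule that a forwarding request must pass both sshd_config and any permitopen= key option. It is written for this page and is not OpenSSH's code; the helper names are the example's own, and host names are compared case-insensitively as an assumption.

```python
from typing import Optional


def split_hostport(spec: str):
    """Split host:port, IPv4:port or [IPv6]:port; the port may be '*'."""
    if spec.startswith("["):
        end = spec.find("]:")
        if end < 0:
            raise ValueError(f"bad PermitOpen target {spec!r}")
        host, port = spec[1:end], spec[end + 2:]
    else:
        host, sep, port = spec.rpartition(":")
        if not sep:
            raise ValueError(f"PermitOpen target {spec!r} lacks a port")
    if not host:
        raise ValueError(f"empty host in PermitOpen target {spec!r}")
    if port != "*" and not (port.isdigit() and 0 < int(port) <= 65535):
        raise ValueError(f"bad port in PermitOpen target {spec!r}")
    return host.lower(), port


class PermitOpen:
    """Effective PermitOpen policy: rules is None for 'any', an empty set for 'none'."""

    def __init__(self, rules):
        self.rules = rules

    @classmethod
    def parse(cls, args: str) -> "PermitOpen":
        words = args.split()
        if not words:
            raise ValueError("PermitOpen requires an argument")
        if words == ["any"]:
            return cls(None)
        if words == ["none"]:
            return cls(frozenset())
        return cls(frozenset(split_hostport(w) for w in words))

    def allows(self, host: str, port: int) -> bool:
        if self.rules is None:
            return True
        host = host.lower()
        return any(h == host and (p == "*" or int(p) == port) for h, p in self.rules)


def effective_permitopen(config_lines) -> PermitOpen:
    """Only the first PermitOpen keyword in scope takes effect; absent means 'any'."""
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitopen":
            return PermitOpen.parse(parts[1])
    return PermitOpen(None)


def forwarding_allowed(server: PermitOpen, key_option: Optional[PermitOpen],
                       host: str, port: int) -> bool:
    """A direct-tcpip request must pass sshd_config and, when present, the
    authorized_keys permitopen= option; either side can veto it."""
    if not server.allows(host, port):
        return False
    return key_option is None or key_option.allows(host, port)
```

The second PermitOpen line in the constructed configuration below is ignored, which is the first-match behaviour 1.159 introduced and the reason a later "PermitOpen any" cannot silently widen an earlier restriction.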


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
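
An added Python model of the Match semantics this commit introduces and later entries extend (group criteria in 1.165, group negation in 1.186, the empty-Match rejection and "Match all" in 1.243): global keywords are defaults, a Match block's keywords apply only when its criteria hold, the first value seen for a keyword wins in each scope, and a negated pattern that matches any of the user's groups defeats the whole Group criterion. This is written for this page and is not sshd's parser; the sample configuration is constructed, and only User, Group and "all" criteria are modelled.

```python
import fnmatch

# Constructed sample sshd_config fragment (not from the page) exercising the semantics.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
PasswordAuthentication no
MaxAuthTries 6
Match User anoncvs
    AllowTcpForwarding no
Match Group *,!wheel          # everyone who is not in wheel
    PasswordAuthentication yes
    MaxAuthTries 3
Match all
    MaxAuthTries 4
"""


def match_pattern_list(value: str, patterns: str) -> int:
    """1 = positive match, -1 = a negated ('!') pattern matched, 0 = no match."""
    matched = 0
    for pat in patterns.split(","):
        neg = pat.startswith("!")
        if neg:
            pat = pat[1:]
        if pat and fnmatch.fnmatchcase(value, pat):
            if neg:
                return -1
            matched = 1
    return matched


def match_criteria(criteria, ctx: dict) -> bool:
    """Evaluate the words after 'Match': 'all', or User/Group keyword-pattern pairs."""
    if not criteria:
        raise ValueError("Match requires at least one criterion")
    if len(criteria) == 1 and criteria[0].lower() == "all":
        return True
    if len(criteria) % 2:
        raise ValueError(f"Match criterion without a pattern: {criteria!r}")
    for kw, pats in zip(criteria[::2], criteria[1::2]):
        kw = kw.lower()
        if kw == "user":
            if match_pattern_list(ctx["user"], pats) != 1:
                return False
        elif kw == "group":
            results = {match_pattern_list(g, pats) for g in ctx["groups"]}
            if -1 in results or 1 not in results:  # a negated hit on any group wins
                return False
        else:
            raise ValueError(f"unsupported Match criterion {kw!r}")
    return True


def effective_config(text: str, ctx: dict) -> dict:
    """Global keywords give defaults; the first applicable Match block that
    sets a keyword overrides them, and later blocks cannot re-set it."""
    global_opts, match_opts = {}, {}
    in_match, active = False, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        kw, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if kw == "match":
            in_match = True
            active = match_criteria(rest.split(), ctx)
            continue
        if in_match and not active:
            continue
        target = match_opts if in_match else global_opts
        target.setdefault(kw, rest)  # first value wins, as sshd's parser does
    return {**global_opts, **match_opts}
```

A member of wheel therefore never gets the relaxed PasswordAuthentication from the second block, and the trailing "Match all" only supplies MaxAuthTries to users no earlier block already covered.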


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.377 24-Feb-2021 dtucker

Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
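As an added illustration (not sshd's own code) of what the new 10:30:100 default means: a MaxStartups value of the form "start:rate:full" yields a drop probability of 0 below "start", rising linearly from "rate" percent at "start" to 100 percent at "full". The struct and function names are hypothetical.

```c
/*
 * Added illustration, not sshd's own code: how a MaxStartups value in
 * "start:rate:full" form (the new default 10:30:100) drives random early
 * drop of unauthenticated connections.  Names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>

struct max_startups {
	int begin;	/* start randomly dropping at this many pending connections */
	int rate;	/* drop probability in percent at "begin" */
	int full;	/* refuse all new connections at this many pending */
};

/* Parse "10:30:100"; a bare "10" means begin == full with a 100% rate. */
static int
parse_max_startups(const char *s, struct max_startups *m)
{
	int n = sscanf(s, "%d:%d:%d", &m->begin, &m->rate, &m->full);

	if (n == 1) {
		m->rate = 100;
		m->full = m->begin;
	} else if (n != 3)
		return -1;
	if (m->begin <= 0 || m->rate < 0 || m->rate > 100 ||
	    m->full < m->begin)
		return -1;
	return 0;
}

/*
 * Drop probability (percent) for a given number of connections still in
 * the pre-auth phase: 0 below begin, then linear from rate at begin to
 * 100 at full.  This is the "random early drop" the default enables.
 */
static int
drop_probability(const struct max_startups *m, int startups)
{
	long p;

	if (startups < m->begin)
		return 0;
	if (startups >= m->full || m->rate == 100)
		return 100;
	p = 100 - m->rate;
	p *= startups - m->begin;
	p /= m->full - m->begin;
	p += m->rate;
	return (int)p;
}

/* Probability for a spec string, or -1 if the spec is invalid. */
static int
drop_probability_for(const char *spec, int startups)
{
	struct max_startups m;

	if (parse_max_startups(spec, &m) != 0)
		return -1;
	return drop_probability(&m, startups);
}

/* Per-connection decision; r is a uniform random number in [0, 100). */
static int
should_drop(const char *spec, int startups, int r)
{
	int p = drop_probability_for(spec, startups);

	return p < 0 ? -1 : (r < p);
}

int
main(void)
{
	int n;

	/* Show the curve for the new default. */
	for (n = 0; n <= 100; n += 10)
		printf("%3d pending: drop %3d%%\n", n,
		    drop_probability_for("10:30:100", n));
	return 0;
}
```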


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
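An added illustration (not sshd's own code) of the rule "all methods in any one list": it checks a value such as "publickey,password publickey,keyboard-interactive" against the methods a client has completed. Lists are treated as sets here; the order in which methods complete is not modelled, and the function names are hypothetical.

```c
/*
 * Added illustration (not sshd's own code): evaluate an
 * AuthenticationMethods value, e.g. "publickey,password
 * publickey,keyboard-interactive", against the methods a client has
 * completed.  Lists are treated as sets; completion order is not modelled.
 */
#include <string.h>

/*
 * Copy the next token (delimited by any char in delims) into buf and
 * return a pointer past it; NULL when the input is exhausted or a token
 * would not fit in buf.
 */
static const char *
next_token(const char *s, const char *delims, char *buf, size_t bufsz)
{
	size_t n;

	s += strspn(s, delims);		/* skip leading delimiters */
	if (*s == '\0')
		return NULL;
	n = strcspn(s, delims);
	if (n >= bufsz)
		return NULL;
	memcpy(buf, s, n);
	buf[n] = '\0';
	return s + n;
}

/* 1 if method is in the space-separated list of completed methods. */
static int
method_done(const char *completed, const char *method)
{
	char tok[64];
	const char *p = completed;

	while ((p = next_token(p, " ", tok, sizeof(tok))) != NULL)
		if (strcmp(tok, method) == 0)
			return 1;
	return 0;
}

/*
 * 1 when every method of at least one comma-separated list in config
 * has been completed; 0 when no list is complete yet.
 */
static int
authmethods_satisfied(const char *config, const char *completed)
{
	char list[256], method[64];
	const char *lp = config, *mp;
	int all_done;

	while ((lp = next_token(lp, " \t", list, sizeof(list))) != NULL) {
		all_done = 1;
		mp = list;
		while ((mp = next_token(mp, ",", method, sizeof(method))) != NULL)
			if (!method_done(completed, method))
				all_done = 0;
		if (all_done)
			return 1;
	}
	return 0;
}
```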


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
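An added illustration (not OpenSSH's addrmatch.c) of how a list like the one above is evaluated: each entry is tried as IPv4 or IPv6 CIDR and otherwise as a wildcard pattern on the address text. It assumes, as this example's own rule, that a matching negated entry rejects no matter where it sits in the list; function names are hypothetical.

```c
/*
 * Added illustration (not OpenSSH's addrmatch.c): evaluate a "Match
 * address" list such as "192.0.2.0/24,3ffe:ffff::/32,!10.*".  Each entry
 * is tried as IPv4/IPv6 CIDR, else as a wildcard on the address text.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static int
wildcard_match(const char *pat, const char *s)
{
	if (*pat == '\0')
		return *s == '\0';
	if (*pat == '*') {
		for (;; s++) {
			if (wildcard_match(pat + 1, s))
				return 1;
			if (*s == '\0')
				return 0;
		}
	}
	return *s != '\0' && (*pat == '?' || *pat == *s) &&
	    wildcard_match(pat + 1, s + 1);
}

/* Parse "addr" or "addr/len" into raw bytes; returns AF_* or -1. */
static int
parse_cidr(const char *spec, unsigned char *buf, int *plen)
{
	char addr[INET6_ADDRSTRLEN], *end;
	const char *slash = strchr(spec, '/');
	size_t alen = slash ? (size_t)(slash - spec) : strlen(spec);
	int af = AF_INET, maxlen = 32;

	if (alen == 0 || alen >= sizeof(addr))
		return -1;
	memcpy(addr, spec, alen);
	addr[alen] = '\0';
	if (inet_pton(af, addr, buf) != 1) {
		af = AF_INET6;
		maxlen = 128;
		if (inet_pton(af, addr, buf) != 1)
			return -1;
	}
	*plen = maxlen;
	if (slash != NULL) {
		*plen = (int)strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0' || *plen < 0 ||
		    *plen > maxlen)
			return -1;
	}
	return af;
}

/* 1 if the first plen bits of a and b agree. */
static int
prefix_equal(const unsigned char *a, const unsigned char *b, int plen)
{
	int full = plen / 8, rem = plen % 8;

	if (memcmp(a, b, full) != 0)
		return 0;
	return rem == 0 || ((a[full] ^ b[full]) & (0xffu << (8 - rem))) == 0;
}

/* 1 if addr matches list, 0 if not, -1 if addr or an entry is malformed. */
static int
addr_list_match(const char *list, const char *addr)
{
	unsigned char abuf[16], nbuf[16];
	char tok[INET6_ADDRSTRLEN + 8];
	const char *p = list, *comma, *t;
	size_t n;
	int aaf, aplen, naf, nplen, hit, ret = 0;

	if ((aaf = parse_cidr(addr, abuf, &aplen)) < 0)
		return -1;
	while (*p != '\0') {
		comma = strchr(p, ',');
		n = comma ? (size_t)(comma - p) : strlen(p);
		if (n >= sizeof(tok))
			return -1;
		memcpy(tok, p, n);
		tok[n] = '\0';
		p = comma ? comma + 1 : p + n;
		t = (tok[0] == '!') ? tok + 1 : tok;	/* strip negation */
		if ((naf = parse_cidr(t, nbuf, &nplen)) >= 0)
			hit = (naf == aaf && prefix_equal(abuf, nbuf, nplen));
		else
			hit = wildcard_match(t, addr);
		if (hit && t != tok)
			return 0;	/* negated entry matched: reject */
		ret |= hit;		/* keep scanning for a later "!" entry */
	}
	return ret;
}
```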


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>, s, m, h, d, w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.376 15-Feb-2021 markus

factor out opt_array_append; ok djm@


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
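Added example, not OpenSSH's addrmatch.c: a Python model of the "Match address" list semantics described above (CIDR entries, "!" negation, fall-back to wildcard matching) together with the load-time mask check from the 1.299 entry, which rejects ranges such as 127.1.2.3/55 instead of letting them match everything. Function names, the MATCH/NO_MATCH/NEGATED return convention and the "first hit wins, negated hit rejects" rule are assumptions of this example.

```python
"""Added example: sshd-style "Match address" evaluation and load-time CIDR
validation.  Not OpenSSH code; the semantics below are assumed from the
log entries: entries are comma separated, a leading "!" negates, each entry
is tried as an address/CIDR range first and falls back to ssh-style
wildcard matching ("*" and "?") when it does not parse as one, and the first
entry that hits decides (a negated hit rejects)."""
import fnmatch
import ipaddress

MATCH, NO_MATCH, NEGATED = 1, 0, -1


def parse_cidr(entry):
    """Return an ip_network for an address or CIDR entry, or None when the
    entry is not an address at all (caller then uses wildcard matching).
    Raises ValueError for an address with an impossible mask length such as
    127.1.2.3/55, which is the case rejected at configuration load time."""
    if "/" in entry:
        host, _, bits = entry.partition("/")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None  # e.g. "example.*/x": not an address, wildcard path
        if not bits.isdigit():
            raise ValueError(f"bad CIDR mask length in {entry!r}")
        if int(bits) > addr.max_prefixlen:
            raise ValueError(
                f"mask /{bits} exceeds /{addr.max_prefixlen} for {host}")
        return ipaddress.ip_network(f"{host}/{bits}", strict=False)
    try:
        return ipaddress.ip_network(entry)  # bare address: /32 or /128
    except ValueError:
        return None


def address_list_is_valid(listspec):
    """Load-time check: False if any entry looks like a CIDR range but
    carries an invalid mask (the 1.299 bug was that such entries were
    accepted and then always matched)."""
    try:
        for entry in listspec.split(","):
            parse_cidr(entry.lstrip("!"))
    except ValueError:
        return False
    return True


def match_address_list(addr, listspec):
    """Evaluate a client address against a Match address list.  Returns
    MATCH, NO_MATCH, or NEGATED when a "!" entry matched first."""
    ip = ipaddress.ip_address(addr)
    for entry in listspec.split(","):
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        net = parse_cidr(pattern)
        if net is not None:
            hit = ip.version == net.version and ip in net
        else:
            hit = fnmatch.fnmatchcase(str(ip), pattern)  # wildcard fall-back
        if hit:
            return NEGATED if negate else MATCH
    return NO_MATCH


if __name__ == "__main__":
    # Constructed sample: the list from the log entry above.
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for client in ("192.0.2.7", "3ffe:ffff::1", "10.5.6.7", "172.16.0.1"):
        print(client, match_address_list(client, rule))
    print("127.1.2.3/55 valid:", address_list_is_valid("127.1.2.3/55"))
```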


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.375 26-Jan-2021 dtucker

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
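
An added illustration of the start:rate:full semantics described above, written for this page and not the drop_connection() code in OpenSSH's sshd.c. It models the documented behaviour with integer arithmetic: no drops below the start count, certain drops at the full count, and a linear ramp from the rate percentage in between. Function names are this example's own.

```python
import random

# Added model of MaxStartups random early drop (an illustration, not the
# drop_connection() in OpenSSH's sshd.c): "start:rate:full" means that once
# `start` unauthenticated connections are in progress, new ones are refused
# with probability `rate` percent, rising linearly to 100 percent at
# `full`, where everything is refused. A bare number sets start = full,
# i.e. a hard limit with no probabilistic drop.


def parse_max_startups(value):
    """Parse a MaxStartups value into (start, rate, full)."""
    parts = value.split(":")
    if len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full and 0 <= rate <= 100):
            raise ValueError("bad MaxStartups %r" % value)
        return start, rate, full
    if len(parts) == 1:
        full = int(parts[0])
        if full <= 0:
            raise ValueError("bad MaxStartups %r" % value)
        return full, 100, full
    raise ValueError("bad MaxStartups %r" % value)


def drop_probability(startups, start, rate, full):
    """Percentage chance of dropping a new connection when `startups`
    unauthenticated connections already exist (integer arithmetic)."""
    if startups < start:
        return 0
    if startups >= full:
        return 100
    return (100 - rate) * (startups - start) // (full - start) + rate


def should_drop(startups, cfg, rng=random):
    """Per-connection decision, as taken by the listening daemon."""
    return rng.randrange(100) < drop_probability(startups, *cfg)
```

With the 10:30:100 default, a 55th concurrent unauthenticated connection is dropped 65% of the time; the ramp is what keeps a slow trickle of legitimate logins alive while a flood is being shed.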


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
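
An added model of the AuthenticationMethods policy described above, covering also revision 1.291's rule that an empty value is rejected and "any" means no multi-method requirement. This is illustration code written for this page, not OpenSSH's auth2.c; it assumes, as sshd_config(5) documents, that the methods of a list must be completed in the order given, and the method-name set and function names are this example's own.

```python
# Added model of the AuthenticationMethods policy (an illustration, not
# OpenSSH's auth2.c): the value is one or more space-separated lists, each
# a comma-separated sequence of method names. Authentication is complete
# once every method of at least one list has succeeded, in the order given.
# The single value "any" means the usual one-method behaviour and an empty
# value is rejected at load time.

KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_authentication_methods(value):
    """Return None for "any", else a list of method lists."""
    value = value.strip()
    if value == "":
        raise ValueError("AuthenticationMethods: empty value is not allowed")
    if value == "any":
        return None
    policy = []
    for spec in value.split():
        methods = spec.split(",")
        for m in methods:
            if m not in KNOWN_METHODS:
                raise ValueError("unknown authentication method %r" % m)
        policy.append(methods)
    return policy


def methods_value_valid(value):
    """Load-time check: would this value be accepted?"""
    try:
        parse_authentication_methods(value)
    except ValueError:
        return False
    return True


def auth_complete(policy, completed):
    """completed: methods the client has passed so far, in order."""
    if policy is None:
        return len(completed) >= 1
    completed = list(completed)
    return any(methods == completed[:len(methods)] for methods in policy)


def remaining_methods(policy, completed):
    """What the server would advertise after a partial success: the next
    method of every list still consistent with what has been completed."""
    if policy is None:
        return set()
    completed = list(completed)
    n = len(completed)
    return {methods[n] for methods in policy
            if methods[:n] == completed and len(methods) > n}
```

For "publickey,password publickey,keyboard-interactive", a successful public key leaves password and keyboard-interactive as the advertised next steps; a password presented first satisfies no list, because neither list starts with it.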


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
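
An added model of the address-list matching described above, also covering revision 1.299's point that a malformed CIDR range such as 127.1.2.3/55 must be refused at load time rather than silently matching everything. It is illustration code written for this page, not OpenSSH's addrmatch.c; it assumes the rule that a matching negated entry rejects the address regardless of position while any positive match accepts it, and uses Python's ipaddress and fnmatch modules for the CIDR and wildcard halves. Function names are this example's own.

```python
import fnmatch
import ipaddress

# Added model of sshd's "Match address" list handling (an illustration,
# not OpenSSH's addrmatch.c): entries are comma-separated, a leading "!"
# negates, an entry that parses as an address or CIDR range matches by
# network membership, and anything else falls back to classic wildcard
# matching on the address text. A negated entry that matches rejects the
# address outright; otherwise any positive match accepts it.


def parse_address_list(spec):
    """Parse at configuration-load time, refusing malformed CIDR ranges
    instead of letting them through as always-true entries.
    Returns [(negated, ip_network-or-wildcard-pattern), ...]."""
    entries = []
    for raw in spec.split(","):
        negated = raw.startswith("!")
        item = raw[1:] if negated else raw
        if not item:
            raise ValueError("empty entry in address list %r" % spec)
        try:
            # strict=False tolerates host bits set (192.0.2.7/24); an
            # impossible prefix length such as /55 still raises ValueError.
            target = ipaddress.ip_network(item, strict=False)
        except ValueError:
            if "/" in item:
                raise ValueError("invalid CIDR range %r" % item)
            target = item  # plain wildcard pattern, e.g. "10.*"
        entries.append((negated, target))
    return entries


def address_list_valid(spec):
    """Load-time check: refuse to start on a bad range."""
    try:
        parse_address_list(spec)
    except ValueError:
        return False
    return True


def match_address(entries, addr):
    """True if addr is accepted by the parsed list. Negated entries take
    precedence over positive ones regardless of their position."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for negated, target in entries:
        if isinstance(target, str):
            hit = fnmatch.fnmatchcase(addr, target)
        else:
            hit = ip.version == target.version and ip in target
        if hit and negated:
            return False
        matched = matched or hit
    return matched
```

The wildcard fall-back is textual, so "10.*" matches the dotted-quad form only; the CIDR form is the one to prefer for anything that must hold for IPv6 as well.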


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
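As an added illustration (not OpenSSH code), a parser for the time[qualifier] format described above, chaining parts such as "1h30m"; the function name parse_time, the acceptance of upper-case qualifiers and the -1 error return are assumptions of this example.

```c
/*
 * Added example, not OpenSSH code: parse sshd-style time values of the
 * form time[qualifier], where qualifier is <none> or s (seconds),
 * m (minutes), h (hours), d (days) or w (weeks). Several parts may be
 * chained, e.g. "1h30m". Returns the total in seconds, or -1 on
 * malformed input or overflow. Upper-case qualifiers are accepted
 * here as an assumption of this example.
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

long
parse_time(const char *s)
{
	long total = 0;
	const char *p = s;

	if (s == NULL || *s == '\0')
		return -1;

	while (*p != '\0') {
		long n = 0, mult;

		/* each part must start with at least one digit */
		if (!isdigit((unsigned char)*p))
			return -1;
		while (isdigit((unsigned char)*p)) {
			if (n > (LONG_MAX - (*p - '0')) / 10)
				return -1;	/* digit string overflows long */
			n = n * 10 + (*p - '0');
			p++;
		}
		switch (*p) {
		case '\0':			/* bare number: seconds */
		case 's': case 'S': mult = 1; break;
		case 'm': case 'M': mult = 60; break;
		case 'h': case 'H': mult = 60 * 60; break;
		case 'd': case 'D': mult = 24 * 60 * 60; break;
		case 'w': case 'W': mult = 7 * 24 * 60 * 60; break;
		default:
			return -1;		/* unknown qualifier */
		}
		if (*p != '\0')
			p++;			/* consume the qualifier */
		/* reject totals that would wrap around */
		if (n != 0 && mult > LONG_MAX / n)
			return -1;
		if (total > LONG_MAX - n * mult)
			return -1;
		total += n * mult;
	}
	return total;
}

int
main(void)
{
	/* constructed sample inputs mirroring the examples in the log entry */
	const char *samples[] = { "600", "10m", "1h30m", "2w", "10x", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %ld\n", samples[i], parse_time(samples[i]));
	return 0;
}
```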


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.374 22-Jan-2021 dtucker

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.373 11-Jan-2021 dtucker

Correct spelling of persourcenetblocksize in config-dump mode.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@

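The address-list matching from the "Match address" entry (1.181, above) and the Match-block override rule described in this entry, modelled as an added Python example written for this page; it is not OpenSSH's servconf.c or addrmatch.c. Assumptions not stated in the log: only the User and Address criteria are modelled, all criteria on one Match line must hold, keywords are compared case-insensitively and returned lower-cased, and a CIDR entry whose host bits are set is rejected as an address/mask mismatch. The sample configuration is constructed for the example.

```python
# Added example for this page, not OpenSSH code: a small model of the
# sshd_config "Match" semantics described in the log entries above.
# Assumptions: only the User and Address criteria are modelled; keyword
# names are compared case-insensitively and returned lower-cased.
import fnmatch
import ipaddress


def match_pattern_list(value, patterns):
    """Comma-separated wildcard list; an entry may be negated with '!'.
    A negated entry that matches wins immediately (no match); otherwise
    the result is whether any positive entry matched."""
    matched = False
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        pat = entry[1:] if neg else entry
        if fnmatch.fnmatchcase(value, pat):
            if neg:
                return False
            matched = True
    return matched


def match_address_list(addr, patterns):
    """Prefer CIDR matching (IPv4 and IPv6); fall back to classic wildcard
    matching when an entry is not a valid network. Negation works as in
    match_pattern_list. A CIDR entry with host bits set (e.g. 192.0.2.1/24)
    is treated as an address/mask mismatch and rejected (assumption)."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in patterns.split(","):
        neg = entry.startswith("!")
        pat = entry[1:] if neg else entry
        try:
            hit = ip in ipaddress.ip_network(pat, strict=True)
        except ValueError:
            if "/" in pat:
                raise ValueError(f"invalid address/mask {pat!r}") from None
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit:
            if neg:
                return False
            matched = True
    return matched


def match_condition(criteria, user, addr):
    """All criterion/pattern pairs on a Match line must hold."""
    tokens = criteria.split()
    if not tokens or len(tokens) % 2:
        raise ValueError(f"Match: malformed criteria {criteria!r}")
    for crit, pattern in zip(tokens[::2], tokens[1::2]):
        crit = crit.lower()
        if crit == "user":
            ok = match_pattern_list(user, pattern)
        elif crit == "address":
            ok = match_address_list(addr, pattern)
        else:
            raise ValueError(f"Match: unsupported criterion {crit!r}")
        if not ok:
            return False
    return True


def effective_config(config_text, user, addr):
    """Keyword -> value for one connection. In the main section the first
    value for a keyword wins. A Match block whose condition holds overrides
    the main section; among several applicable blocks the first one that
    sets a keyword wins."""
    main, overrides = {}, {}
    in_match, active = False, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match, active = True, match_condition(arg, user, addr)
            continue
        target = overrides if in_match else main
        if active and keyword not in target:
            target[keyword] = arg
    return {**main, **overrides}


# Constructed sample configuration (not from a real host).
SAMPLE_CONFIG = """
PasswordAuthentication no
AllowTcpForwarding yes
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match User anoncvs
    AllowTcpForwarding no
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for user, addr in (("alice", "192.0.2.10"), ("alice", "10.1.2.3"),
                       ("anoncvs", "198.51.100.7")):
        print(user, addr, effective_config(SAMPLE_CONFIG, user, addr))
```

On a real server the equivalent check is `sshd -T -C user=anoncvs,addr=198.51.100.7` (see the 1.182 and 1.351 entries above), which prints the effective configuration after the Match blocks have been applied; the point to verify is that a negated address entry such as `!10.*` defeats the whole list, regardless of where it appears.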

# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
  600     600 seconds (10 minutes)
  10m     10 minutes
  1h30m   1 hour 30 minutes (90 minutes)
ok markus@

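The time[qualifier] syntax from this entry, as an added Python example written for this page; it is illustrative code, not OpenSSH's convtime() in misc.c. Assumptions the entry does not state: qualifiers are accepted in either case, 0 is a valid value, and a qualifier applies only to the integer immediately before it.

```python
# Added example for this page, not OpenSSH code: parse the time[qualifier]
# syntax described in the log entry above into a number of seconds.
# Assumptions: qualifiers are accepted in either case; 0 is a valid value.
import re

QUALIFIER_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def convtime(spec):
    """Return the number of seconds for "600", "10m", "1h30m", ...
    Raises ValueError for anything that is not a sequence of
    integer/qualifier pairs (negative values, spaces, unknown letters)."""
    if not spec or not spec[0].isdigit():
        raise ValueError(f"invalid time spec {spec!r}")
    total, pos = 0, 0
    while pos < len(spec):
        tok = _TOKEN.match(spec, pos)
        if tok is None:
            raise ValueError(f"invalid time spec {spec!r} at offset {pos}")
        value, qual = int(tok.group(1)), tok.group(2).lower()
        total += value * QUALIFIER_SECONDS[qual]
        pos = tok.end()
    return total


def parse_time_option(line):
    """Split a 'Keyword value' config line and convert the value, e.g.
    'LoginGraceTime 2m' -> ('logingracetime', 120)."""
    keyword, _, value = line.strip().partition(" ")
    return keyword.lower(), convtime(value.strip())


if __name__ == "__main__":
    for spec in ("600", "10m", "1h30m", "1h30"):
        print(spec, convtime(spec))
```

The caveat worth remembering when writing LoginGraceTime or ClientAliveInterval values: a qualifier binds only to the number before it, so "1h30" is 3630 seconds, not 90 minutes, while "1h30m" is.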

# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.372 09-Jan-2021 dtucker

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits. Man page help jmc@, feedback &
ok djm@


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
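An added illustration of the matching semantics described above (not code from the OpenSSH tree): each list entry is a CIDR block or a wildcard pattern, a leading '!' negates it, and a negated hit overrides any positive one. fnmatch(3) stands in for OpenSSH's own wildcard matcher, and the return convention (1 match, 0 no match, -1 negated match, -2 malformed entry) is this example's assumption.

```c
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct parsed_addr {
    int af;                 /* AF_INET or AF_INET6 */
    unsigned char b[16];    /* network-order address bytes, zero padded */
};

/* Parse a literal IPv4 or IPv6 address. Returns 0 on success, -1 otherwise. */
static int
parse_addr(const char *s, struct parsed_addr *out)
{
    memset(out->b, 0, sizeof(out->b));
    if (inet_pton(AF_INET, s, out->b) == 1) { out->af = AF_INET; return 0; }
    if (inet_pton(AF_INET6, s, out->b) == 1) { out->af = AF_INET6; return 0; }
    return -1;
}

/* Compare the first `prefix` bits of two same-family addresses. */
static int
prefix_equal(const struct parsed_addr *a, const struct parsed_addr *n, int prefix)
{
    int full = prefix / 8, rem = prefix % 8;
    unsigned char mask;

    if (memcmp(a->b, n->b, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (unsigned char)(0xffu << (8 - rem));    /* leftover high bits */
    return (a->b[full] & mask) == (n->b[full] & mask);
}

/* Is `addr_s` inside "net_s/len_s"? 1 yes, 0 no, -1 on malformed input. */
static int
cidr_match(const char *addr_s, const char *net_s, const char *len_s)
{
    struct parsed_addr a, n;
    char *endp;
    long len;

    if (parse_addr(addr_s, &a) == -1 || parse_addr(net_s, &n) == -1)
        return -1;
    len = strtol(len_s, &endp, 10);
    if (*len_s == '\0' || *endp != '\0' || len < 0)
        return -1;
    if (len > (n.af == AF_INET ? 32 : 128))
        return -1;                      /* mask longer than the address */
    if (a.af != n.af)
        return 0;                       /* v4 address vs v6 block: no match */
    return prefix_equal(&a, &n, (int)len);
}

/*
 * Match `addr` against a comma-separated list such as the one in the
 * commit message: "192.0.2.0/24,3ffe:ffff::/32,!10.*".
 * Entries containing '/' are CIDR blocks; all others are wildcard patterns.
 * A negated entry that matches wins immediately (-1); otherwise the result
 * is 1 if any positive entry matched, 0 if none did, -2 on a malformed entry.
 */
int
addr_match_list(const char *addr, const char *list)
{
    char buf[512];
    char *entry, *next;
    int ret = 0;

    if (strlen(list) >= sizeof(buf))
        return -2;                      /* fixed buffer for the example */
    strcpy(buf, list);
    for (entry = buf; entry != NULL; entry = next) {
        int neg = 0, r;
        char *slash;

        next = strchr(entry, ',');
        if (next != NULL)
            *next++ = '\0';
        if (*entry == '!') { neg = 1; entry++; }
        slash = strchr(entry, '/');
        if (slash != NULL) {
            *slash = '\0';
            r = cidr_match(addr, entry, slash + 1);
            if (r == -1)
                return -2;
        } else {
            r = (fnmatch(entry, addr, 0) == 0);   /* classic wildcard fallback */
        }
        if (r) {
            if (neg)
                return -1;
            ret = 1;
        }
    }
    return ret;
}

int
main(void)
{
    const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
    const char *addrs[] = { "192.0.2.77", "3ffe:ffff:1::1", "10.1.2.3", "198.51.100.9" };
    size_t i;

    for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
        printf("%-16s -> %d\n", addrs[i], addr_match_list(addrs[i], list));
    return 0;
}
```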


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
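An added example of a parser for the time[qualifier] syntax described in this entry (illustration only, not OpenSSH's own parser): chained components such as "1h30m" are summed, any unknown qualifier, sign, whitespace or overflow is rejected with -1.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Convert a time specification of the form time[qualifier]... to seconds.
 * Each component is a non-negative integer followed by an optional qualifier:
 *   (none) or s = seconds, m = minutes, h = hours, d = days, w = weeks.
 * Components may be chained ("1h30m" = 5400). Returns the total in seconds,
 * or -1 on empty input, a syntax error or arithmetic overflow.
 */
long
parse_time_spec(const char *s)
{
    long total = 0;
    const char *p = s;

    if (s == NULL || *s == '\0')
        return -1;
    while (*p != '\0') {
        char *endp;
        long val, mult;

        /* every component must begin with a digit; rejects "-5", "+5", " 5" */
        if (!isdigit((unsigned char)*p))
            return -1;
        errno = 0;
        val = strtol(p, &endp, 10);
        if (errno != 0)
            return -1;                  /* integer too large for long */
        switch (*endp) {
        case '\0': case 's': mult = 1; break;
        case 'm': mult = 60; break;
        case 'h': mult = 60 * 60; break;
        case 'd': mult = 24 * 60 * 60; break;
        case 'w': mult = 7 * 24 * 60 * 60; break;
        default: return -1;             /* unknown qualifier or stray character */
        }
        if (val > LONG_MAX / mult || val * mult > LONG_MAX - total)
            return -1;                  /* would overflow the running total */
        total += val * mult;
        p = (*endp == '\0') ? endp : endp + 1;   /* step past the qualifier */
    }
    return total;
}

int
main(void)
{
    /* constructed sample inputs, including the three from the commit message */
    const char *examples[] = { "600", "10m", "1h30m", "2w", "10x" };
    size_t i;

    for (i = 0; i < sizeof(examples) / sizeof(examples[0]); i++)
        printf("%-6s -> %ld\n", examples[i], parse_time_spec(examples[i]));
    return 0;
}
```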


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistent with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.371 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 1.370 16-Oct-2020 djm

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


Revision tags: OPENBSD_6_8_BASE
# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
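The '+' (append), '-' (remove, with wildcards but no negation) and '^' (prepend) operators described in this entry and in the 1.304, 1.335 and 1.352 entries above, as an added illustration of how such a list is expanded. This is not OpenSSH's own code: the default and supported lists below are constructed stand-ins, and failing closed on an unknown algorithm name is a hypothetical policy chosen for the example.

```python
import fnmatch

# Constructed stand-in for a built-in default list; the real defaults
# live in myproposal.h and change between releases.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
]

# Constructed stand-in for "every algorithm this build supports"; only
# names from this list can be introduced by '+' or '^'.
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ["3des-cbc"]


def _expand(patterns, universe):
    """Expand comma-separated glob patterns against the supported names.

    Patterns are processed in the order written, so an explicit list keeps
    the operator's preference order; within one pattern, matches come out
    in universe order and duplicates are dropped.
    """
    out = []
    for pat in patterns.split(","):
        if pat == "":
            raise ValueError("empty algorithm name in list")
        hits = [n for n in universe if fnmatch.fnmatchcase(n, pat)]
        if not hits:
            # Hypothetical policy for this example: reject unknown names at
            # config time rather than silently producing an empty list.
            raise ValueError(f"unknown algorithm pattern: {pat!r}")
        out.extend(n for n in hits if n not in out)
    return out


def assemble_algorithms(spec, default=DEFAULT_CIPHERS,
                        supported=SUPPORTED_CIPHERS):
    """Apply a +/-/^ prefixed (or bare) list to the default and return the
    fully expanded result, i.e. what a config dump would print."""
    if spec.startswith("+"):
        # Append to the default; names already present are not repeated.
        extra = _expand(spec[1:], supported)
        return list(default) + [n for n in extra if n not in default]
    if spec.startswith("-"):
        # Remove every default entry matching any pattern. Wildcards work
        # here, but '!' has no special meaning (no pattern-list negation).
        patterns = spec[1:].split(",")
        return [n for n in default
                if not any(fnmatch.fnmatchcase(n, p) for p in patterns)]
    if spec.startswith("^"):
        # Prepend: listed names first, then the remaining defaults in order.
        head = _expand(spec[1:], supported)
        return head + [n for n in default if n not in head]
    # No operator: the list replaces the default entirely.
    return _expand(spec, supported)
```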


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
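The AuthenticationMethods semantics described in this entry and in the 1.291 entry above ("" banned, "any" meaning no multi-method requirement), as an added illustration that is not OpenSSH's auth2.c. It assumes, as sshd_config(5) documents, that the methods within one list must be completed in the order listed, and that the server only offers a method that is next in at least one list.

```python
def parse_authentication_methods(spec):
    """Parse an AuthenticationMethods value into a list of method lists.

    Returns None for "any" (no multi-method requirement) and rejects an
    empty value, which would otherwise make authentication impossible.
    """
    spec = spec.strip()
    if spec == "":
        raise ValueError('AuthenticationMethods "" is not allowed')
    if spec == "any":
        return None
    lists = []
    for item in spec.split():
        methods = item.split(",")
        if any(m == "" for m in methods):
            raise ValueError(f"empty method name in {item!r}")
        lists.append(methods)
    return lists


def replay(lists, completed):
    """Replay the methods that succeeded so far against every list.

    Returns (satisfied, can_continue): satisfied is True once all methods
    of at least one list are done; can_continue is the ordered set of
    methods the server would still offer (the partial-success answer).
    A completed method that is not next in any list is a protocol error.
    """
    if lists is None:
        return (len(completed) >= 1, [])
    progress = [0] * len(lists)
    for method in completed:
        advanced = False
        for i, methods in enumerate(lists):
            if progress[i] < len(methods) and methods[progress[i]] == method:
                progress[i] += 1
                advanced = True
        if not advanced:
            raise ValueError(f"method {method!r} is not next in any list")
        if any(progress[i] == len(lists[i]) for i in range(len(lists))):
            return (True, [])
    offered = []
    for i, methods in enumerate(lists):
        nxt = methods[progress[i]]
        if nxt not in offered:
            offered.append(nxt)
    return (False, offered)
```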


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
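As an added illustration of the Match semantics described in 1.181 (CIDR address matching with negation and wildcard fall-back) and 1.153 (directives after a Match line overriding the main section), the following is example code written for this page, not OpenSSH's servconf.c, in Python rather than C; the sample config is constructed from the snippets in those two messages, and only the User and address criteria are modelled.

```python
import fnmatch
import ipaddress
import re
from typing import Dict


def match_list(patterns: str, value: str, try_cidr: bool = False) -> int:
    """Match value against a comma-separated pattern list.

    Returns 1 on a positive match, -1 when a negated entry (e.g. "!10.*")
    matched, and 0 when nothing matched. With try_cidr, an entry that
    contains "/" is treated as a CIDR block (IPv4 or IPv6); every other
    entry falls back to classic wildcard matching.
    """
    result = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if try_cidr and "/" in entry:
            # ip_network() is strict: a mask that does not cover the host
            # bits (e.g. 192.0.2.1/24) raises ValueError rather than
            # silently matching something the administrator did not mean.
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(entry)
        else:
            hit = fnmatch.fnmatchcase(value, entry)
        if hit:
            if neg:
                return -1      # a negated hit rejects the whole list
            result = 1
    return result


def match_holds(criteria: str, user: str, addr: str) -> bool:
    """Evaluate one Match line; every criterion/pattern pair must hold."""
    tokens = criteria.split()
    if len(tokens) % 2:
        raise ValueError(f"Match criterion without a pattern: {criteria!r}")
    for crit, pats in zip(tokens[0::2], tokens[1::2]):
        crit = crit.lower()
        if crit == "user":
            if match_list(pats, user) != 1:
                return False
        elif crit == "address":
            if match_list(pats, addr, try_cidr=True) != 1:
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {crit}")
    return True


# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")


def effective_config(text: str, user: str, addr: str) -> Dict[str, str]:
    """Compute the effective keyword values (lower-cased) for one connection.

    Keywords before the first Match line are the defaults. Each Match line
    opens a block that applies only while its criteria hold; a value set in
    a satisfied block overrides the default. Throughout, the first value
    obtained for a keyword wins, so a later block cannot undo an earlier one.
    """
    defaults: Dict[str, str] = {}
    overrides: Dict[str, str] = {}
    in_match = False
    active = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True
            active = match_holds(arg, user, addr)
        elif not in_match:
            defaults.setdefault(keyword, arg)
        elif active:
            overrides.setdefault(keyword, arg)
    return {**defaults, **overrides}


# Constructed fragment built from the examples in the commit messages above.
SAMPLE_CONFIG = """
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
"""
```

With SAMPLE_CONFIG, user anoncvs from 203.0.113.7 gets AllowTcpForwarding no, a client in 192.0.2.0/24 or 3ffe:ffff::/32 gets PasswordAuthentication yes, and a client in 10.* keeps the default no because the negated entry rejects the whole address list.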


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600     600 seconds (10 minutes)
10m     10 minutes
1h30m   1 hour 30 minutes (90 minutes)
ok markus@
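An added example, not OpenSSH's own convert_to_seconds(), that parses the time[qualifier] sequence described above into seconds; it is written in Python rather than C, and the -1 error return is this example's convention.

```python
import re

# Seconds per qualifier; no qualifier means seconds. Matching is
# case-insensitive, so "2M" and "2m" are both two minutes.
_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_time(spec: str) -> int:
    """Return the number of seconds a time specification denotes.

    "600" is 600 seconds, "10m" is 600 seconds and "1h30m" is 5400
    seconds. Returns -1 for an empty or malformed specification (stray
    characters, or a qualifier without a number) so that a caller can
    reject the value instead of silently using a wrong timeout.
    """
    spec = spec.strip()
    if not spec:
        return -1
    total = 0
    pos = 0
    while pos < len(spec):
        # Every token must start with digits; "10x" or "m5" fail here.
        m = _TOKEN.match(spec, pos)
        if m is None:
            return -1
        total += int(m.group(1)) * _SECONDS[m.group(2).lower()]
        pos = m.end()
    return total
```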


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
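An added example, not OpenSSH's own code, of parsing the ListenAddress forms listed above; it also covers the bare IPv6 case that revision 1.144 unbreaks. The 1-65535 port range, accepting "[addr]" without a port, and rejecting an unbracketed IPv6 address followed by ":port" are this example's assumptions.

```python
import ipaddress
from typing import Optional, Tuple


def parse_port(text: str) -> int:
    """Validate a port string; anything outside 1-65535 is rejected here."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_listen_address(spec: str) -> Tuple[str, Optional[int]]:
    """Return (host_or_address, port); port is None when not given.

    Accepted: "host", "ipv4_addr", "ipv6_addr", "[host|addr]:port" and
    "host|ipv4_addr:port". A bare IPv6 address contains colons but no
    port, so it is recognised before any ":port" split is attempted.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty ListenAddress")
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated '[' in {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        if not host:
            raise ValueError(f"empty address in {spec!r}")
        if rest == "":
            return host, None        # "[addr]" with no port (assumption)
        if not rest.startswith(":"):
            raise ValueError(f"junk after ']' in {spec!r}")
        return host, parse_port(rest[1:])
    try:
        ipaddress.IPv6Address(spec)
        return spec, None            # bare IPv6 address: colons are not a port
    except ValueError:
        pass
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, None            # hostname or IPv4 address, no port
    if ":" in host:
        raise ValueError(f"IPv6 address with port must be bracketed: {spec!r}")
    return host, parse_port(port)


def listen_address_ok(spec: str) -> bool:
    """True when spec parses; usable as a config lint check."""
    try:
        parse_listen_address(spec)
        return True
    except ValueError:
        return False
```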


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.369 28-Aug-2020 dtucker

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode. This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
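
The '+', '-' and '^' list prefixes described in the 1.277, 1.304 and 1.352 entries, together with the early wildcard expansion from 1.335, as an added example that is not OpenSSH's own code: a small model of how one Ciphers (or MACs/KexAlgorithms/HostKeyAlgorithms) value is assembled from the default set. The cipher names are a constructed, shortened stand-in for the real default and supported lists.

```python
# Added example, not OpenSSH's own code: a model of how a sshd_config
# algorithm list is assembled from the default set under the '+', '-' and
# '^' prefixes and wildcard expansion.  Cipher names below are constructed.
import re
from typing import List

# Constructed default and supported sets; 3des-cbc is kept in the default
# only so that "-*cbc" has something to remove.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
    "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "3des-cbc",
]
ALL_CIPHERS = DEFAULT_CIPHERS + ["aes128-cbc", "aes256-cbc"]


def match_wildcard(pattern: str, name: str) -> bool:
    """Match a single '*' / '?' wildcard pattern.  Algorithm lists accept
    wildcards but are not full pattern-lists, so there is no '!' negation."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name) is not None


def expand(patterns: List[str], available: List[str]) -> List[str]:
    """Expand patterns, in pattern order, against the supported set.

    Expansion happens when the config is finalised, so a pattern that
    matches nothing (a typo, or an algorithm this build lacks) is an error
    before any connection is accepted, and a config dump shows real names.
    """
    out: List[str] = []
    for pat in patterns:
        hits = [a for a in available if match_wildcard(pat, a)]
        if not hits:
            raise ValueError(f"unsupported algorithm {pat!r}")
        for h in hits:
            if h not in out:          # first occurrence wins; no duplicates
                out.append(h)
    return out


def assemble(spec: str, default: List[str], available: List[str]) -> List[str]:
    """Apply one algorithm-list value to the default list."""
    if spec.startswith("-"):
        # "-*cbc": drop every default entry that matches any pattern.
        pats = spec[1:].split(",")
        return [d for d in default
                if not any(match_wildcard(p, d) for p in pats)]
    if spec.startswith("+"):
        # "+aes*-cbc": append matches that are not already present.
        return expand(default + spec[1:].split(","), available)
    if spec.startswith("^"):
        # "^aes256-gcm@openssh.com": move matches to the head of the list.
        return expand(spec[1:].split(",") + default, available)
    # No prefix: the list replaces the default entirely.
    return expand(spec.split(","), available)


if __name__ == "__main__":
    for value in ("^aes256-gcm@openssh.com", "-*cbc", "+aes*-cbc",
                  "aes256-ctr,aes128-ctr"):
        print(f"Ciphers {value:<24} -> "
              f"{assemble(value, DEFAULT_CIPHERS, ALL_CIPHERS)}")
```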


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
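
The "start:rate:full" random early drop behind the 10:30:100 default above, as an added example that is not sshd's own code: a model of the refusal probability as sshd_config(5) documents it (no drops below "start" pending unauthenticated connections, rate% at "start", rising linearly to 100% at "full"), which goes a little beyond the entry by also modelling the bare-number form as a hard limit.

```python
# Added example, not sshd's own code: a model of the MaxStartups
# "start:rate:full" random early drop as sshd_config(5) documents it.
import random
from typing import Optional, Tuple


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """Parse "10:30:100"; a bare "10" is a hard limit at that count."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n          # rate 100 at start: refuse everything past n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 0 < rate <= 100):
        raise ValueError(f"bad MaxStartups {value!r}")
    return start, rate, full


def drop_probability(pending: int, start: int, rate: int, full: int) -> int:
    """Percent chance of refusing a new connection when `pending`
    unauthenticated connections are already open (integer arithmetic)."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Linear ramp from rate% at `start` to 100% at `full`.
    p = 100 - rate
    p = p * (pending - start) // (full - start)
    return p + rate


def should_drop(pending: int, start: int, rate: int, full: int,
                rng: Optional[random.Random] = None) -> bool:
    """One accept-time decision: refuse when a uniform draw in [0, 100)
    falls below the drop percentage.  `rng` lets a test pin the draw."""
    p = drop_probability(pending, start, rate, full)
    if p == 0:
        return False
    if p == 100:
        return True
    return (rng or random).randrange(100) < p


if __name__ == "__main__":
    start, rate, full = parse_max_startups("10:30:100")
    for pending in (0, 9, 10, 55, 99, 100):
        print(f"{pending:3d} pending -> "
              f"{drop_probability(pending, start, rate, full):3d}% refused")
```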


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
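The matching described above, as an added example that is not OpenSSH's addrmatch.c: a first-match matcher for a comma-separated list of IPv4/IPv6 CIDR entries with `!` negation, using fnmatch(3) as a stand-in for the classic wildcard fallback. The address list and candidate addresses are constructed for illustration.

```c
/* Added example, not OpenSSH's addrmatch.c: a simplified "Match address"
 * list matcher. Entries are IPv4/IPv6 literals or CIDR ranges, '!' negates,
 * and non-address entries fall back to fnmatch(3) wildcard matching. */
#include <arpa/inet.h>
#include <fnmatch.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "addr" or "addr/len" into raw bytes and a prefix length; returns
 * AF_INET/AF_INET6, or 0 for a non-address entry or a bad prefix length. */
static int
parse_cidr(const char *entry, unsigned char *bytes, int *prefix)
{
	char buf[INET6_ADDRSTRLEN + 4], *slash, *end;
	int af, maxlen;
	long l;

	if (strlen(entry) >= sizeof(buf))
		return 0;
	strcpy(buf, entry);
	if ((slash = strchr(buf, '/')) != NULL)
		*slash++ = '\0';
	if (inet_pton(AF_INET, buf, bytes) == 1)
		af = AF_INET;
	else if (inet_pton(AF_INET6, buf, bytes) == 1)
		af = AF_INET6;
	else
		return 0;
	maxlen = af == AF_INET ? 32 : 128;
	if (slash == NULL) {
		*prefix = maxlen;	/* bare address: exact match */
		return af;
	}
	l = strtol(slash, &end, 10);
	if (*slash == '\0' || *end != '\0' || l < 0 || l > maxlen)
		return 0;		/* e.g. "/33" on an IPv4 entry */
	*prefix = (int)l;
	return af;
}

/* 1 if the first 'prefix' bits of a and b are identical. */
static int
prefix_equal(const unsigned char *a, const unsigned char *b, int prefix)
{
	int full = prefix / 8, rem = prefix % 8;
	unsigned char mask = (unsigned char)(0xff << (8 - rem));

	if (memcmp(a, b, full) != 0)
		return 0;
	return rem == 0 || (a[full] & mask) == (b[full] & mask);
}

/* First match wins: 1 for a positive entry, -1 for a negated entry, 0 if
 * nothing matched or addr itself is not a literal address. */
int
addr_match_list(const char *addr, const char *list)
{
	unsigned char want[16], have[16];
	int want_af, want_len, have_af, have_len, neg, hit;
	const char *p = list, *comma, *pat;
	char entry[INET6_ADDRSTRLEN + 8];
	size_t len;

	if ((want_af = parse_cidr(addr, want, &want_len)) == 0)
		return 0;
	while (*p != '\0') {
		comma = strchr(p, ',');
		len = comma != NULL ? (size_t)(comma - p) : strlen(p);
		if (len > 0 && len < sizeof(entry)) {
			memcpy(entry, p, len);
			entry[len] = '\0';
			pat = entry;
			if ((neg = (*pat == '!')))
				pat++;
			if ((have_af = parse_cidr(pat, have, &have_len)) != 0)
				hit = have_af == want_af &&
				    prefix_equal(want, have, have_len);
			else
				hit = fnmatch(pat, addr, 0) == 0;
			if (hit)
				return neg ? -1 : 1;
		}
		p = comma != NULL ? comma + 1 : p + len;
	}
	return 0;
}

int
main(void)
{
	/* constructed list and candidates, mirroring the commit's example */
	const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
	const char *addrs[] = { "192.0.2.42", "10.1.2.3", "3ffe:ffff:1::1" };
	size_t i;
	for (i = 0; i < 3; i++)
		printf("%s -> %d\n", addrs[i], addr_match_list(addrs[i], list));
	return 0;
}
```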


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
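The time[qualifier] syntax above, as an added example that is not sshd's own convtime(): a parser that walks the components, rejects malformed input and guards against overflow. The sample strings are constructed.

```c
/* Added example, not sshd's own convtime(): parse the time[qualifier]
 * syntax described above, e.g. "600", "10m" or "1h30m". */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns the total in seconds, or -1 if the string is empty, a component
 * does not start with a digit, a qualifier is unknown, or the sum overflows. */
long
parse_time_spec(const char *s)
{
	const char *p = s;
	long total = 0, n, mult;
	char *end;

	if (*p == '\0')
		return -1;
	while (*p != '\0') {
		if (!isdigit((unsigned char)*p))
			return -1;	/* rejects "m", " 10", "+5" */
		errno = 0;
		n = strtol(p, &end, 10);
		if (errno != 0)
			return -1;	/* the number itself overflows */
		switch (*end) {
		case '\0': mult = 1; break;		/* no qualifier: seconds */
		case 's': mult = 1; end++; break;
		case 'm': mult = 60; end++; break;
		case 'h': mult = 60 * 60; end++; break;
		case 'd': mult = 24 * 60 * 60; end++; break;
		case 'w': mult = 7 * 24 * 60 * 60; end++; break;
		default: return -1;			/* unknown qualifier */
		}
		if (n > (LONG_MAX - total) / mult)
			return -1;	/* running total would overflow */
		total += n * mult;
		p = end;
	}
	return total;
}

int
main(void)
{
	/* constructed inputs: the commit's examples plus two malformed ones */
	const char *examples[] = { "600", "10m", "1h30m", "2d", "10x", "" };
	size_t i;

	for (i = 0; i < sizeof(examples) / sizeof(examples[0]); i++)
		printf("%-6s -> %ld\n", examples[i], parse_time_spec(examples[i]));
	return 0;
}
```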


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.368 27-Aug-2020 djm

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
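The check described in the commit above, as an added example that is not sshd's own code: user@address-range entries are parsed and validated when the list is loaded, so a bad mask such as 127.1.2.3/55 is rejected as a configuration error instead of becoming a rule that always matches. Python's fnmatch is used as a stand-in for OpenSSH's match_pattern() wildcard matching, and the entry names and connection details below are constructed for the example.

```python
# Added example (not sshd's code): load-time validation of AllowUsers/DenyUsers
# entries of the form user@host or user@cidr, plus the matching logic that
# consumes them.  fnmatch approximates OpenSSH's match_pattern() wildcards.
import ipaddress
from fnmatch import fnmatchcase


def parse_user_entry(entry):
    """Split 'user' or 'user@host' into (user_pattern, host_pattern).
    A host part containing '/' is treated as CIDR and validated right now."""
    if "@" not in entry:
        return entry, None
    user, host = entry.split("@", 1)
    if user == "" or host == "":
        raise ValueError("bad AllowUsers/DenyUsers entry: %r" % entry)
    if "/" in host:
        try:
            ipaddress.ip_network(host, strict=False)  # raises on /55 etc.
        except ValueError:
            raise ValueError("invalid address range in %r" % entry) from None
    return user, host


def load_user_list(entries):
    """Parse every entry up front; one bad range rejects the whole list."""
    return [parse_user_entry(e) for e in entries]


def config_is_valid(entries):
    """Convenience wrapper: True if every entry parses and validates."""
    try:
        load_user_list(entries)
        return True
    except ValueError:
        return False


def user_list_matches(parsed, user, hostname, addr):
    """True if (user, hostname/addr) matches any parsed entry.  CIDR host
    parts are tested against the client IP only; other host parts are
    wildcard-matched against the hostname or the IP as text."""
    ip = ipaddress.ip_address(addr)
    for upat, hpat in parsed:
        if not fnmatchcase(user, upat):
            continue
        if hpat is None:
            return True
        if "/" in hpat:
            if ip in ipaddress.ip_network(hpat, strict=False):
                return True
        elif fnmatchcase(hostname, hpat) or fnmatchcase(addr, hpat):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample configuration and connection attempts.
    print(config_is_valid(["djm@127.1.2.3/55"]))          # False: bad mask
    rules = load_user_list(["djm@10.0.0.0/8", "ops*", "bob@*.example.org"])
    print(user_list_matches(rules, "djm", "h.example.com", "10.1.2.3"))   # True
    print(user_list_matches(rules, "djm", "h.example.com", "192.0.2.1"))  # False
```

The point of validating at load time is that a rule with an impossible mask must fail loudly; a matcher that silently accepts it is an allow-list hole that looks like a deny rule in the config.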


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
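The algorithm-list syntax introduced across revisions 1.277 ('+' append), 1.304 ('-' remove), 1.335 (wildcards accepted, negation not) and 1.352 ('^' prepend), as one added example that is not sshd's own code. It resolves a Ciphers-style value against a default list and a supported list, both constructed here; the real lists are compiled into sshd. Python's fnmatch stands in for OpenSSH's match_pattern(), and the order in which a wildcard's matches are emitted (supported-list order) is this example's choice.

```python
# Added example (not sshd's code): resolve an OpenSSH-style algorithm list.
#   "+a,b"  append to the default      "-pat"  remove matches from the default
#   "^a,b"  place at head of default   "a,b"   explicit list replaces default
# Wildcards (* and ?) are accepted; '!' negation is rejected.
from fnmatch import fnmatchcase

# Constructed stand-ins for sshd's compiled-in cipher lists.
SUPPORTED = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
]
DEFAULT = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"]


def _patterns(text):
    """Split a comma list; reject empty items and '!' negation up front."""
    pats = text.split(",")
    for p in pats:
        if p == "":
            raise ValueError("empty algorithm name in %r" % text)
        if p.startswith("!"):
            raise ValueError("negation not supported in algorithm lists: %r" % p)
    return pats


def _expand(pats, supported):
    """Expand patterns against the supported set, keeping the order written
    for explicit names and supported order within a wildcard.  A pattern that
    matches nothing is an error, so typos surface at config load."""
    out = []
    for p in pats:
        hits = [a for a in supported if fnmatchcase(a, p)]
        if not hits:
            raise ValueError("unknown algorithm or pattern: %r" % p)
        for a in hits:
            if a not in out:
                out.append(a)
    return out


def _cat(first, second):
    """Concatenate, dropping entries of `second` already in `first`."""
    return list(first) + [a for a in second if a not in first]


def assemble(value, default=DEFAULT, supported=SUPPORTED):
    """Return the effective, fully expanded algorithm list for `value`."""
    if value == "":
        return list(default)
    if value[0] == "+":
        return _cat(default, _expand(_patterns(value[1:]), supported))
    if value[0] == "-":
        pats = _patterns(value[1:])
        return [a for a in default if not any(fnmatchcase(a, p) for p in pats)]
    if value[0] == "^":
        return _cat(_expand(_patterns(value[1:]), supported), default)
    return _expand(_patterns(value), supported)


def is_valid(value, default=DEFAULT, supported=SUPPORTED):
    """True if `value` assembles without error (what a config dump would show)."""
    try:
        assemble(value, default, supported)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(assemble("^chacha20-poly1305@openssh.com"))
    print(assemble("-*cbc"))
    print(assemble("+aes*gcm@openssh.com"))
```

Expanding the list fully at assembly time, rather than at connection time, is what lets a config dump show the algorithms that will actually be offered and turns a misspelt name into a startup error.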


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
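The begin:rate:full semantics behind that default, as an added example that is not sshd's own code: below `begin` open unauthenticated connections nothing is dropped, from `begin` the drop chance ramps linearly from `rate` percent to 100 percent at `full`, and at `full` every new connection is refused. sshd draws its roll with arc4random_uniform(100); here the roll is a parameter so the decision can be checked deterministically, and a small simulation function is included to eyeball the ramp.

```python
# Added example (not sshd's code): MaxStartups parsing and the random early
# drop decision, modelled on the "begin:rate:full" semantics.
import random


def parse_max_startups(value):
    """'begin:rate:full' -> (begin, rate, full).  A bare 'n' means
    begin = full = n with rate 100, i.e. a hard cap with no random drop."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("bad MaxStartups spec: %r" % value)
    begin, rate, full = (int(p) for p in parts)
    if begin < 0 or begin > full or not 1 <= rate <= 100:
        raise ValueError("bad MaxStartups spec: %r" % value)
    return begin, rate, full


def drop_probability(startups, spec):
    """Percent chance a new pre-auth connection is dropped when `startups`
    unauthenticated connections are already open (integer arithmetic)."""
    begin, rate, full = spec
    if startups < begin:
        return 0
    if startups >= full:
        return 100
    # Linear ramp from `rate` at `begin` towards 100 at `full`.
    return rate + (100 - rate) * (startups - begin) // (full - begin)


def should_drop(startups, spec, roll):
    """`roll` is a uniform integer in [0, 100), as arc4random_uniform(100)."""
    return roll < drop_probability(startups, spec)


def simulate_drop_rate(spec, startups, trials=10000, seed=1):
    """Fraction of `trials` new connections dropped at a given load."""
    rng = random.Random(seed)
    dropped = sum(should_drop(startups, spec, rng.randrange(100))
                  for _ in range(trials))
    return dropped / trials


if __name__ == "__main__":
    spec = parse_max_startups("10:30:100")
    for n in (5, 10, 55, 99, 100):
        print(n, drop_probability(n, spec), round(simulate_drop_rate(spec, n), 2))
```

The old default of a plain count behaved like the bare-number form above: no random drop at all, so an attacker holding connections open in the pre-auth state could block every new client until one timed out. The ramp makes that hold-open attack probabilistic rather than a guaranteed denial.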


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
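The evaluation rule stated above (every method in at least one list, in the listed order), together with the later 1.291 rule that an empty value is rejected and "any" restores single-method behaviour, as one added example that is not sshd's own code. The set of recognised method names is constructed for the example, and the helper that reports which methods may continue is this example's reading of how the server narrows the candidate lists after each success.

```python
# Added example (not sshd's code): parse AuthenticationMethods and decide,
# after each successful method, whether login is complete and which methods
# a client may still attempt.  Method names here are constructed.
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_auth_methods(value):
    """Return None for 'any' (default: one successful method suffices),
    otherwise a list of ordered method lists.  Empty is a config error."""
    value = value.strip()
    if value == "":
        raise ValueError("AuthenticationMethods must not be empty; use 'any'")
    if value == "any":
        return None
    lists = []
    for spec in value.split():
        methods = spec.split(",")
        for m in methods:
            if m not in KNOWN_METHODS:
                raise ValueError("unknown authentication method %r" % m)
        lists.append(methods)
    return lists


def auth_methods_valid(value):
    """True if `value` parses (wrapper so callers need not catch ValueError)."""
    try:
        parse_auth_methods(value)
        return True
    except ValueError:
        return False


def methods_that_can_continue(lists, completed):
    """Methods the client may try next given the ordered methods completed so
    far.  Only lists whose prefix equals `completed` remain live, so a
    success out of the listed order does not count towards any list."""
    completed = list(completed)
    if lists is None:
        return sorted(KNOWN_METHODS) if not completed else []
    n = len(completed)
    out = []
    for lst in lists:
        if lst[:n] == completed and len(lst) > n and lst[n] not in out:
            out.append(lst[n])
    return out


def is_authenticated(lists, completed):
    """True once the completed sequence equals one of the required lists."""
    completed = list(completed)
    if lists is None:
        return len(completed) >= 1
    return any(completed == lst for lst in lists)


if __name__ == "__main__":
    req = parse_auth_methods("publickey,password publickey,keyboard-interactive")
    print(methods_that_can_continue(req, []))              # ['publickey']
    print(methods_that_can_continue(req, ["publickey"]))   # ['password', 'keyboard-interactive']
    print(is_authenticated(req, ["publickey", "password"]))  # True
```

Note what the ordered-prefix rule buys: with the constructed config above a client cannot pass a password first and then present a key, so a password-guessing attacker never gets a prompt until a valid key has already been proven.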


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.367 05-Jul-2020 djm

some language improvements; ok markus


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
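
The class of misconfiguration this commit closes is worth seeing concretely: a pattern such as "djm@127.1.2.3/55" looks like a restriction but, if the prefix length is never checked, it matches every source address. The following check is an added example written for this log page, not code from servconf.c: it accepts a "user" or "user@host" pattern, requires any host part containing a '/' to be a well-formed IPv4 or IPv6 CIDR block with an in-range prefix length, and leaves other host parts alone as wildcard patterns (that last rule is an assumption made here, not sshd's complete matching rules). The sample patterns in main() are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Check that `s` is a literal IPv4/IPv6 address with an optional "/len"
 * suffix whose prefix length fits the address family.
 * Returns 0 when valid, -1 otherwise.
 */
int
validate_cidr(const char *s)
{
	char addr[64];
	const char *slash;
	size_t alen;
	int maxlen;
	unsigned char buf[16];	/* large enough for an IPv6 address */

	slash = strchr(s, '/');
	alen = (slash != NULL) ? (size_t)(slash - s) : strlen(s);
	if (alen == 0 || alen >= sizeof(addr))
		return -1;
	memcpy(addr, s, alen);
	addr[alen] = '\0';

	/* inet_pton() is strict: "10.0.0" or "::g" are rejected here. */
	if (inet_pton(AF_INET, addr, buf) == 1)
		maxlen = 32;
	else if (inet_pton(AF_INET6, addr, buf) == 1)
		maxlen = 128;
	else
		return -1;

	if (slash != NULL) {
		char *end;
		long len;

		if (slash[1] == '\0')		/* "addr/" with no length */
			return -1;
		len = strtol(slash + 1, &end, 10);
		/* Reject trailing junk ("/2a") and out-of-range lengths ("/55"). */
		if (*end != '\0' || len < 0 || len > maxlen)
			return -1;
	}
	return 0;
}

/*
 * Validate one AllowUsers/DenyUsers pattern: "user" or "user@host".
 * A host part containing '/' must be a valid CIDR block; any other host
 * part is treated as a hostname/address wildcard and accepted as-is
 * (hypothetical rule for this example).
 */
int
validate_user_pattern(const char *pattern)
{
	const char *at = strchr(pattern, '@');

	if (*pattern == '\0' || at == pattern)
		return -1;		/* empty user name */
	if (at == NULL)
		return 0;		/* bare user pattern, nothing to check */
	if (at[1] == '\0')
		return -1;		/* "user@" with no host */
	if (strchr(at + 1, '/') != NULL)
		return validate_cidr(at + 1);
	return 0;
}

int
main(void)
{
	/* Constructed sample patterns, including the bad one from the log. */
	const char *samples[] = {
		"djm@127.1.2.3/55", "djm@192.0.2.0/24", "djm@2001:db8::/33",
		"djm@*.example.org", "djm@10.0.0.1/2a", "djm",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-24s %s\n", samples[i],
		    validate_user_pattern(samples[i]) == 0 ? "ok" : "REJECTED");
	return 0;
}
```

The check runs at configuration load, which is the point of the commit: a rejected pattern stops sshd from starting with a rule that would silently match everything, instead of failing open at authentication time.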


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
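
The three list-prefix forms introduced across this log, '+' (append, this commit), '-' (remove by wildcard, rev 1.304) and '^' (prepend, rev 1.352), are easiest to understand side by side. The block below is an added example written for this page, not OpenSSH's own list assembly code: it builds the effective algorithm list from a default and a directive value, de-duplicates names, uses fnmatch(3) for the '-' wildcard patterns (OpenSSH has its own matcher; this is a substitution), and refuses a result that would leave nothing to negotiate. SAMPLE_DEFAULT_CIPHERS is a constructed default, not the real one from myproposal.h, and no validation against a list of supported algorithms is done here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_ALGS 32
#define NAME_LEN 64

/* Constructed sample default; sshd's real defaults are in myproposal.h. */
#define SAMPLE_DEFAULT_CIPHERS "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc"

/* Split a comma-separated list; empty lists and empty names are errors. */
static int
split_list(const char *list, char names[][NAME_LEN], int max)
{
	int n = 0;
	const char *p = list;

	if (*p == '\0')
		return -1;
	for (;;) {
		const char *q = strchr(p, ',');
		size_t len = (q != NULL) ? (size_t)(q - p) : strlen(p);

		if (len == 0 || len >= NAME_LEN || n >= max)
			return -1;
		memcpy(names[n], p, len);
		names[n][len] = '\0';
		n++;
		if (q == NULL)
			return n;
		p = q + 1;
	}
}

static int
has_name(char names[][NAME_LEN], int n, const char *name)
{
	int i;

	for (i = 0; i < n; i++)
		if (strcmp(names[i], name) == 0)
			return 1;
	return 0;
}

/* Append `name` unless already present (first occurrence keeps its slot). */
static int
push_name(char names[][NAME_LEN], int *n, const char *name)
{
	if (has_name(names, *n, name))
		return 0;
	if (*n >= MAX_ALGS)
		return -1;
	strcpy(names[(*n)++], name);
	return 0;
}

/*
 * Build the effective list from `def` and a directive value:
 *   "x,y"   replaces the default
 *   "+x,y"  appends x,y to the default
 *   "^x,y"  moves x,y to the front, default follows
 *   "-pat"  removes default entries matching wildcard patterns
 * Returns 0 and writes the joined list to `out`, or -1 on error.
 */
int
assemble_alg_list(const char *def, const char *directive, char *out, size_t outlen)
{
	char base[MAX_ALGS][NAME_LEN], spec[MAX_ALGS][NAME_LEN];
	char result[MAX_ALGS][NAME_LEN];
	int nb, ns, nr = 0, i, j, drop;
	char op = '\0';
	size_t used = 0, len;

	if (directive[0] == '+' || directive[0] == '-' || directive[0] == '^')
		op = *directive++;
	if ((nb = split_list(def, base, MAX_ALGS)) < 0 ||
	    (ns = split_list(directive, spec, MAX_ALGS)) < 0)
		return -1;

	if (op == '^' || op == '\0')		/* specified names go first */
		for (i = 0; i < ns; i++)
			if (push_name(result, &nr, spec[i]) < 0)
				return -1;
	if (op == '^' || op == '+')		/* then (or first, for '+') the default */
		for (i = 0; i < nb; i++)
			if (push_name(result, &nr, base[i]) < 0)
				return -1;
	if (op == '+')
		for (i = 0; i < ns; i++)
			if (push_name(result, &nr, spec[i]) < 0)
				return -1;
	if (op == '-')				/* keep defaults no pattern matches */
		for (i = 0; i < nb; i++) {
			drop = 0;
			for (j = 0; j < ns && !drop; j++)
				drop = (fnmatch(spec[j], base[i], 0) == 0);
			if (!drop && push_name(result, &nr, base[i]) < 0)
				return -1;
		}
	if (nr == 0)
		return -1;			/* e.g. "-*": nothing left to offer */

	out[0] = '\0';
	for (i = 0; i < nr; i++) {
		len = strlen(result[i]);
		if (used + len + (i > 0) >= outlen)
			return -1;
		if (i > 0)
			out[used++] = ',';
		memcpy(out + used, result[i], len + 1);
		used += len;
	}
	return 0;
}

/* Convenience wrapper: static buffer with the result, or NULL if rejected. */
const char *
assembled(const char *def, const char *directive)
{
	static char buf[512];

	return assemble_alg_list(def, directive, buf, sizeof(buf)) == 0 ? buf : NULL;
}

int
main(void)
{
	const char *dirs[] = { "-*cbc", "+chacha20-poly1305@openssh.com", "^aes256-ctr", "-*" };
	size_t i;

	for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
		const char *r = assembled(SAMPLE_DEFAULT_CIPHERS, dirs[i]);
		printf("Ciphers %-32s -> %s\n", dirs[i], r != NULL ? r : "REJECTED");
	}
	return 0;
}
```

Expanding the list once, when the configuration is finalised, is what lets "sshd -T" print the algorithms actually offered and lets an empty result ("-*") fail at startup rather than at the first key exchange.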


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
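
The "10:30:100" value has a precise meaning in sshd_config(5): with 10 unauthenticated connections pending, a new attempt is refused with probability 30%, the probability grows linearly, and at 100 pending connections every attempt is refused. The block below is an added example for this page, not sshd's own drop logic: it parses the directive (a bare "N" is taken to mean begin == full with no random early drop, an assumption of this example) and computes the refusal percentage for a given number of pending connections so the ramp can be inspected without a live server.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of a MaxStartups "start:rate:full" directive. */
struct max_startups {
	int begin;	/* start: pending connections at which dropping begins */
	int rate;	/* rate: drop probability in percent at exactly `begin` */
	int full;	/* full: pending connections at which all attempts are refused */
};

/*
 * Parse "10:30:100" or a bare "10". Returns 0 on success, -1 on a
 * malformed or inconsistent value. Hypothetical helper, not sshd's parser.
 */
int
parse_max_startups(const char *arg, struct max_startups *ms)
{
	char buf[64], *p, *end;
	long v[3];
	int n = 0;

	if (arg == NULL || strlen(arg) >= sizeof(buf))
		return -1;
	strcpy(buf, arg);
	for (p = strtok(buf, ":"); p != NULL && n < 3; p = strtok(NULL, ":"), n++) {
		v[n] = strtol(p, &end, 10);
		if (*end != '\0' || v[n] < 0 || v[n] > 100000)
			return -1;
	}
	if (p != NULL)			/* more than three fields */
		return -1;
	if (n == 1) {
		ms->begin = ms->full = (int)v[0];
		ms->rate = 100;
	} else if (n == 3) {
		ms->begin = (int)v[0];
		ms->rate = (int)v[1];
		ms->full = (int)v[2];
	} else
		return -1;
	/* rate is a percentage and full must not be below start. */
	if (ms->begin < 1 || ms->rate < 1 || ms->rate > 100 || ms->full < ms->begin)
		return -1;
	return 0;
}

/*
 * Percentage chance that a new connection is refused when `startups`
 * unauthenticated connections are pending: 0 below `begin`, a linear
 * ramp from `rate` at `begin` to 100 at `full`.
 */
int
drop_probability(const struct max_startups *ms, int startups)
{
	if (startups < ms->begin)
		return 0;
	if (startups >= ms->full)	/* also covers begin == full, no division by zero */
		return 100;
	return ms->rate + (100 - ms->rate) * (startups - ms->begin) /
	    (ms->full - ms->begin);
}

/* Decision for one connection, given a random number in [0, 100). */
int
should_drop(const struct max_startups *ms, int startups, int rnd)
{
	return rnd < drop_probability(ms, startups);
}

/* Parse a spec and return the drop percentage, or -1 if the spec is invalid. */
int
probability_for(const char *spec, int startups)
{
	struct max_startups ms;

	if (parse_max_startups(spec, &ms) != 0)
		return -1;
	return drop_probability(&ms, startups);
}

int
main(void)
{
	int s;

	/* Print the ramp for the new default so the curve is visible. */
	for (s = 0; s <= 100; s += 10)
		printf("pending=%3d  drop=%3d%%\n", s, probability_for("10:30:100", s));
	return 0;
}
```

A practitioner tuning this value can plug in the expected number of pending pre-auth sessions from a legitimate burst (a fleet-wide config push, for instance) and see how much of that burst the server would refuse at the default.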


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
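
The two behaviours described in this entry and in rev 1.181 above (Match
blocks overriding the main section, and "Match address" lists with CIDR
entries, "!" negation and fall-back to wildcard matching) as one added
example. This is not servconf.c or any other OpenSSH code; it is a small
evaluator written for this page. Beyond what the two messages state it
assumes: only the User and Address criteria exist; in the main section the
first value seen for a keyword wins; among satisfied Match blocks the first
one that sets a keyword wins; host bits in a CIDR entry are ignored rather
than rejected. The function names (effective_options, match_address_list
and so on) and the sample configs are inventions for the example.

```python
"""Evaluator for a slice of sshd_config Match semantics.

Added example; it is not servconf.c.  It models "Match address" lists
with CIDR entries, "!" negation and fall-back to wildcard matching
(rev 1.181), and Match blocks whose keywords override the main section
when the criteria hold (rev 1.153).  Assumptions beyond those messages:
only the User and Address criteria are implemented; in the main section
the first value seen for a keyword wins; among satisfied Match blocks
the first one that sets a keyword wins; host bits in a CIDR entry are
ignored rather than rejected.
"""
import fnmatch
import ipaddress


def _match_list(pattern_list, subject, entry_matches):
    """Comma-separated pattern list: a matching "!" entry fails the whole
    list at once, otherwise the list matches if any positive entry did."""
    got_positive = False
    for raw in pattern_list.split(","):
        negated = raw.startswith("!")
        entry = raw[1:] if negated else raw
        if not entry:
            raise ValueError(f"empty entry in pattern list {pattern_list!r}")
        if entry_matches(entry, subject):
            if negated:
                return False
            got_positive = True
    return got_positive


def _address_entry(entry, addr):
    """CIDR (or bare address) match first; if ENTRY is not CIDR syntax,
    fall back to classic wildcard matching on the textual address."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:                                  # e.g. "10.*"
        return fnmatch.fnmatchcase(str(addr), entry)
    return addr.version == net.version and addr in net


def match_address_list(pattern_list, address):
    return _match_list(pattern_list, ipaddress.ip_address(address),
                       _address_entry)


def match_user_list(pattern_list, user):
    return _match_list(pattern_list, user,
                       lambda entry, name: fnmatch.fnmatchcase(name, entry))


def parse_config(text):
    """(main_options, match_blocks) with lower-cased keywords; match_blocks
    is a list of (criteria, options) in file order."""
    main, blocks, current = {}, [], None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            if not tokens or len(tokens) % 2:
                raise ValueError(f"Match needs criterion/value pairs: {line!r}")
            criteria = dict(zip([t.lower() for t in tokens[::2]], tokens[1::2]))
            current = {}
            blocks.append((criteria, current))
        elif current is not None:
            current.setdefault(keyword, value)
        else:
            main.setdefault(keyword, value)      # first obtained value wins
    return main, blocks


def _criterion_holds(attrib, pattern, user, address):
    if attrib == "user":
        return match_user_list(pattern, user)
    if attrib == "address":
        return match_address_list(pattern, address)
    raise ValueError(f"unsupported Match criterion {attrib!r}")


def effective_options(text, user, address):
    """Options in force for a session by USER connecting from ADDRESS."""
    main, blocks = parse_config(text)
    overrides = {}
    for criteria, options in blocks:
        if all(_criterion_holds(a, p, user, address)
               for a, p in criteria.items()):
            for keyword, value in options.items():
                overrides.setdefault(keyword, value)   # first Match block wins
    return {**main, **overrides}


# Constructed sample configs, copied from the two commit messages above.
CONFIG_ANONCVS = ("AllowTcpForwarding yes\n"
                  "Match User anoncvs\n"
                  "\tAllowTcpForwarding no\n")
CONFIG_ADDRESS = ("PasswordAuthentication no\n"
                  "Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*\n"
                  "\tPasswordAuthentication yes\n")

if __name__ == "__main__":
    print(effective_options(CONFIG_ANONCVS, "anoncvs", "203.0.113.7"))
    print(effective_options(CONFIG_ADDRESS, "alice", "10.4.5.6"))
```

The point worth checking against a real sshd is the negation rule: a
negated entry that matches rejects the whole list even when an earlier
positive entry matched, so "192.0.2.0/24,!192.0.2.5" denies 192.0.2.5.
`sshd -T -C user=...,addr=...` (the test mode from rev 1.182) shows what
the real parser decides for a given connection.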


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
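
The time[qualifier] grammar described in this entry, as an added example.
This is not OpenSSH's convtime() or any other code from the project; it is
a parser written for this page that follows the message above: a positive
integer with an optional qualifier from s, m, h, d, w, with terms
concatenated as in "1h30m". The upper bound on the total, the rejection of
uppercase qualifiers and the function names parse_time and time_option are
assumptions of the example, not documented sshd behaviour.

```python
"""Parser for the time[qualifier] syntax described above ("600", "10m",
"1h30m").  Added example; it is not OpenSSH's own convtime() code."""
import re

# Seconds per qualifier; "" is a bare number, which counts as seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One term: a run of digits plus an optional qualifier letter.
_TERM = re.compile(r"([0-9]+)([smhdw]?)")

# Cap so a huge value cannot overflow a C int in a consumer such as
# LoginGraceTime (assumption for this example, not a documented limit).
_MAX_SECONDS = 2**31 - 1


def parse_time(spec):
    """Return SPEC as a number of seconds, or None if it is malformed.

    Terms may be concatenated ("1h30m" == 5400).  A term without a
    qualifier is seconds, so "1h30" == 3630.  Anything that is not
    digits followed by one of s, m, h, d, w is rejected; callers must
    test for None rather than for 0, because "0" is a valid value.
    """
    if not spec:
        return None
    total, pos = 0, 0
    while pos < len(spec):
        m = _TERM.match(spec, pos)
        if m is None:              # e.g. "1x", "m10", "10 m", "-5"
            return None
        total += int(m.group(1)) * _UNITS[m.group(2)]
        if total > _MAX_SECONDS:
            return None
        pos = m.end()
    return total


def time_option(keyword, value):
    """Apply parse_time() the way a config parser would: reject bad values
    with the keyword named, so the operator sees which line is wrong."""
    seconds = parse_time(value)
    if seconds is None:
        raise ValueError(f"{keyword}: bad time value {value!r}")
    return seconds


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m"):
        print(f"{example:>8} -> {parse_time(example)} seconds")
```

Returning None rather than 0 for a bad value matters for the same reason
rev 1.194 changed a2port() to return -1: a silently accepted "0" for
LoginGraceTime or ClientAliveInterval disables a limit instead of
reporting a typo.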


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
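
The ListenAddress forms listed here, together with the bare-IPv6 case of
rev 1.144, the a2port() error convention of rev 1.194 and the PermitOpen
semantics of revs 1.156, 1.159, 1.167, 1.223 and 1.224 (host:port entries,
"localhost:*" wildcards, "all", "none", and the rule that sshd_config and
the key option must both allow a forward), as one added example. This is
not OpenSSH's hpdelim(), a2port() or channel code; it is written for this
page and shares a single host:port splitter between the two option types.
Assumptions beyond the messages: an unbracketed value with more than one
colon is a bare IPv6 address; the only wildcard is a whole-field "*"; a
key with no permitopen option imposes no restriction; a ListenAddress
without a port uses 22; and all function names are inventions.

```python
"""Host:port parsing and PermitOpen checks for sshd-style option values.

Added example; not OpenSSH's hpdelim(), a2port() or channel code.  It
covers the ListenAddress forms of rev 1.74 plus bare IPv6 addresses
(rev 1.144), port validation that reports errors as -1 instead of 0
(rev 1.194), and PermitOpen values from revs 1.156, 1.159, 1.167, 1.223
and 1.224.  Assumptions beyond those messages: an unbracketed value with
more than one colon is a bare IPv6 address; the only wildcard is a
whole-field "*"; a missing key option imposes no restriction; a
ListenAddress with no port uses 22.
"""
import re

_DIGITS = re.compile(r"[0-9]+")


def a2port(text):
    """Port number for TEXT, or -1 if invalid.  0 is valid, so callers
    must check for "<= 0" when they need a real port."""
    if not _DIGITS.fullmatch(text):      # rejects "", "-1", "+22", "22a"
        return -1
    port = int(text)
    return port if port <= 65535 else -1


def split_host_port(spec):
    """(host, port_text or None) for "host", "host:port", "[host]:port",
    "[host]" or a bare IPv6 address, which is returned whole."""
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unbalanced '[' in {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError(f"junk after ']' in {spec!r}")
        return host, rest[1:]
    if spec.count(":") > 1:              # "::1", "2001:db8::1" (rev 1.144)
        return spec, None
    host, sep, port = spec.partition(":")
    return host, (port if sep else None)


def parse_listen_address(spec, default_port=22):
    """(host, port) for a ListenAddress value; raises on a bad port."""
    host, port_text = split_host_port(spec)
    if port_text is None:
        return host, default_port
    port = a2port(port_text)
    if port <= 0:
        raise ValueError(f"bad port in ListenAddress {spec!r}")
    return host, port


def parse_permitopen(value):
    """Policy for one PermitOpen value: "none", "all", or a list of
    (host, port) where host may be "*" and port is an int or "*".
    With several PermitOpen lines in a section the first one is the
    effective setting (rev 1.159), so only one value is parsed here."""
    if value in ("none", "all"):
        return value
    policy = []
    for item in value.split():
        host, port_text = split_host_port(item)
        if port_text is None:
            raise ValueError(f"PermitOpen entry needs host:port: {item!r}")
        if port_text == "*":
            port = "*"
        else:
            port = a2port(port_text)
            if port <= 0:
                raise ValueError(f"bad port in PermitOpen entry {item!r}")
        policy.append((host.lower(), port))
    return policy


def policy_allows(policy, host, port):
    """Does POLICY permit a forward to HOST:PORT?"""
    if policy == "none":
        return False
    if policy == "all":
        return True
    host = host.lower()
    return any(h in ("*", host) and p in ("*", port) for h, p in policy)


def forward_allowed(config_value, key_option_value, host, port):
    """Apply sshd_config's PermitOpen and then the key's permitopen option;
    both must allow the connection (rev 1.156)."""
    if not policy_allows(parse_permitopen(config_value), host, port):
        return False
    if key_option_value is None:
        return True
    return policy_allows(parse_permitopen(key_option_value), host, port)
```

The bracket handling is the part that goes wrong in practice: splitting
"2001:db8::1:2222" at the last colon yields a valid-looking port, and
splitting at the first colon yields an empty host, so an explicit
"[host]:port" form is the only unambiguous way to give a port with an
IPv6 address.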


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in Sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.366 24-Jun-2020 markus

support loading big sshd_config files w/o realloc; ok djm


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add an "rdomain" criterion for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306, spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me that UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.365 27-May-2020 djm

fix Include before Match in sshd_config; bz#3122 patch from Jakub Jelen


# 1.364 27-May-2020 djm

Do not call process_queued_listen_addrs() for every included file
from sshd_config; patch from Jakub Jelen


Revision tags: OPENBSD_6_7_BASE
# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
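An added C illustration (not OpenSSH's own addrmatch code) of the fail-closed behaviour this entry describes: an AllowUsers/DenyUsers address range that does not parse, such as 127.1.2.3/55, is rejected when the entry is loaded instead of being accepted and then matching every client. The function names parse_cidr, cidr_contains, validate_user_entry and cidr_match are chosen here; the sample addresses are constructed.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cidr {
    int af;                  /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* network-order address bytes */
    int bits;                /* prefix length */
};

/* Parse "addr" or "addr/bits" into a validated CIDR.  Returns 0 for
 * anything that must be refused at config load: an unparsable address,
 * a prefix length wider than the family (127.1.2.3/55), or junk after
 * the digits. */
int parse_cidr(const char *spec, struct cidr *out)
{
    char buf[64], *slash, *end;
    long bits;
    int width;

    if (strlen(spec) >= sizeof(buf))
        return 0;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->af = AF_INET;
        width = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->af = AF_INET6;
        width = 128;
    } else {
        return 0;
    }
    if (slash == NULL) {
        out->bits = width;              /* bare address: exact match */
        return 1;
    }
    bits = strtol(slash, &end, 10);
    if (end == slash || *end != '\0' || bits < 0 || bits > width)
        return 0;
    out->bits = (int)bits;
    return 1;
}

/* Does the literal client address `ip` lie inside `net`? */
int cidr_contains(const struct cidr *net, const char *ip)
{
    struct cidr c;
    int whole = net->bits / 8, rem = net->bits % 8;

    if (!parse_cidr(ip, &c) || c.af != net->af)
        return 0;
    if (memcmp(net->addr, c.addr, whole) != 0)
        return 0;
    /* Compare only the leading `rem` bits of the partial byte. */
    return rem == 0 ||
        (((net->addr[whole] ^ c.addr[whole]) & (0xff << (8 - rem)) & 0xff) == 0);
}

/* Validate one AllowUsers/DenyUsers entry of the form user[@host].
 * A host part containing '/' is a CIDR range and must parse; otherwise
 * a bad range would be accepted and then match every client. */
int validate_user_entry(const char *entry)
{
    const char *at = strchr(entry, '@');
    struct cidr c;

    if (at == NULL || strchr(at + 1, '/') == NULL)
        return 1;               /* no host part, or a hostname pattern */
    return parse_cidr(at + 1, &c);
}

/* Convenience wrapper: 1 if `ip` is in `net`, 0 if not, -1 if `net` is bad. */
int cidr_match(const char *net, const char *ip)
{
    struct cidr c;

    if (!parse_cidr(net, &c))
        return -1;
    return cidr_contains(&c, ip);
}
```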


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
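The three list modifiers this log describes, '+' to append (1.277), '-' to remove (1.304) and '^' to prepend (1.352), together with the wildcard expansion and early error reporting of 1.335, as one self-contained C function. This is an added illustration, not code from servconf.c or OpenSSH: the SUPPORTED_CIPHERS and DEFAULT_CIPHERS tables are constructed for the demonstration and assemble_alglist is a name chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tables for the demonstration (not OpenSSH's real ones):
 * SUPPORTED is everything compiled in, DEFAULT the subset enabled
 * when sshd_config says nothing. */
#define SUPPORTED_CIPHERS "chacha20-poly1305@openssh.com,aes128-ctr," \
    "aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
    "aes128-cbc,aes256-cbc,3des-cbc"
#define DEFAULT_CIPHERS "chacha20-poly1305@openssh.com,aes128-ctr," \
    "aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
#define MAX_ALGS 64

struct alglist { char buf[512]; const char *algs[MAX_ALGS]; int n; };

/* Wildcard match ('*' any run, '?' one char); no '!' negation, since
 * algorithm lists take wildcards, not full pattern-lists. */
static int wild_match(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (; *s != '\0'; s++)
            if (wild_match(pat + 1, s)) return 1;
        return wild_match(pat + 1, s);
    }
    return *s != '\0' && (*pat == '?' || *pat == *s) &&
        wild_match(pat + 1, s + 1);
}

static void split(const char *list, struct alglist *out)
{
    char *tok;
    out->n = 0;
    snprintf(out->buf, sizeof(out->buf), "%s", list);
    for (tok = strtok(out->buf, ","); tok != NULL && out->n < MAX_ALGS;
        tok = strtok(NULL, ","))
        out->algs[out->n++] = tok;
}

static void add_unique(struct alglist *l, const char *name)
{
    int i;
    for (i = 0; i < l->n; i++)
        if (strcmp(l->algs[i], name) == 0) return;
    if (l->n < MAX_ALGS) l->algs[l->n++] = name;
}

/* Apply a Ciphers-style value to the defaults: a leading '+' appends,
 * '-' removes, '^' prepends, and no prefix replaces the list.  Names
 * and wildcards expand against the supported set, and a pattern that
 * matches nothing (the typo "aes128-crt", say) rejects the whole
 * directive at load time.  Returns a malloc'd comma-separated list,
 * or NULL on rejection or when nothing would be left enabled. */
char *assemble_alglist(const char *supported, const char *defaults,
    const char *spec)
{
    struct alglist supp, def, pats, exp, res;
    char op = '\0', *out;
    size_t len = 1;
    int i, j, hit;

    if (*spec == '+' || *spec == '-' || *spec == '^') op = *spec++;
    split(supported, &supp); split(defaults, &def); split(spec, &pats);
    if (pats.n == 0) return NULL;
    res.n = exp.n = 0;
    if (op == '-') {                 /* keep defaults no pattern hits */
        for (i = 0; i < def.n; i++) {
            for (j = 0; j < pats.n; j++)
                if (wild_match(pats.algs[j], def.algs[i])) break;
            if (j == pats.n) add_unique(&res, def.algs[i]);
        }
    } else {
        for (i = 0; i < pats.n; i++) {   /* expand in pattern order */
            for (hit = 0, j = 0; j < supp.n; j++)
                if (wild_match(pats.algs[i], supp.algs[j]))
                    hit = 1, add_unique(&exp, supp.algs[j]);
            if (!hit) return NULL;
        }
        if (op == '^')  for (i = 0; i < exp.n; i++) add_unique(&res, exp.algs[i]);
        if (op != '\0') for (i = 0; i < def.n; i++) add_unique(&res, def.algs[i]);
        if (op != '^')  for (i = 0; i < exp.n; i++) add_unique(&res, exp.algs[i]);
    }
    if (res.n == 0) return NULL;
    for (i = 0; i < res.n; i++) len += strlen(res.algs[i]) + 1;
    if ((out = malloc(len)) == NULL) return NULL;
    for (out[0] = '\0', i = 0; i < res.n; i++) {
        if (i > 0) strcat(out, ",");
        strcat(out, res.algs[i]);
    }
    return out;
}
```

Calling assemble_alglist(SUPPORTED_CIPHERS, DEFAULT_CIPHERS, "-*") or with "+aes128-crt" returns NULL, which is the point: a config that would disable everything or names a misspelled algorithm fails when loaded rather than at the first connection.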


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
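An added C illustration (not sshd's own code) of the begin:rate:full value this entry introduces: parse it the way the 10:30:100 default is written and compute the per-connection drop probability, which sshd_config(5) describes as rate percent at begin, rising linearly to 100 percent at full. The names parse_maxstartups, drop_percent, should_drop and drop_percent_for are chosen here.

```c
#include <stdio.h>
#include <stdlib.h>

struct maxstartups {
    int begin;   /* unauthenticated connections at which drops begin */
    int rate;    /* drop probability, in percent, at `begin` */
    int full;    /* unauthenticated connections at which all are dropped */
};

/* Parse a MaxStartups value: either "full" on its own (refuse everything
 * once that many connections are pending) or "begin:rate:full".  Returns
 * 1 on success, 0 for a value that should be refused at config load. */
int parse_maxstartups(const char *arg, struct maxstartups *ms)
{
    char extra;
    int n = sscanf(arg, "%d:%d:%d%c", &ms->begin, &ms->rate, &ms->full, &extra);

    if (n == 1) {
        ms->full = ms->begin;
        ms->rate = 100;
    } else if (n != 3) {
        return 0;                       /* malformed or trailing junk */
    }
    if (ms->begin < 1 || ms->full < ms->begin)
        return 0;
    if (ms->rate < 1 || ms->rate > 100)
        return 0;
    return 1;
}

/* Percentage chance that a new connection is dropped when `active`
 * unauthenticated connections already exist: 0 below `begin`, `rate`
 * at `begin`, rising linearly to 100 at `full`.  Integer arithmetic
 * throughout, as a daemon would do it. */
int drop_percent(const struct maxstartups *ms, int active)
{
    int p;

    if (active < ms->begin)
        return 0;
    if (active >= ms->full)
        return 100;
    p = 100 - ms->rate;
    p *= active - ms->begin;
    p /= ms->full - ms->begin;
    return p + ms->rate;
}

/* Decision for one incoming connection; `rnd` is a uniform draw from
 * [0, 100), which a real daemon would take from arc4random(3). */
int should_drop(const struct maxstartups *ms, int active, int rnd)
{
    return rnd < drop_percent(ms, active);
}

/* Parse `spec` and evaluate one point on its ramp; -1 if `spec` is bad. */
int drop_percent_for(const char *spec, int active)
{
    struct maxstartups ms;

    if (!parse_maxstartups(spec, &ms))
        return -1;
    return drop_percent(&ms, active);
}

int main(void)
{
    /* A bare limit next to the 10:30:100 random early drop default. */
    const char *specs[] = { "10", "10:30:100" };
    int active, s;

    for (s = 0; s < 2; s++) {
        printf("MaxStartups %s:", specs[s]);
        for (active = 0; active <= 100; active += 10)
            printf(" %d->%d%%", active, drop_percent_for(specs[s], active));
        printf("\n");
    }
    return 0;
}
```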


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
    600     600 seconds (10 minutes)
    10m     10 minutes
    1h30m   1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
    ListenAddress host|ipv4_addr|ipv6_addr
permit:
    ListenAddress [host|ipv4_addr|ipv6_addr]:port
    ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.363 17-Apr-2020 djm

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@


# 1.362 17-Apr-2020 djm

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt
case-sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
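The '+' (append, rev 1.277), '-' (remove by wildcard, rev 1.304) and '^' (prepend, rev 1.352) prefixes, together with the early expansion of wildcards that rev 1.335 describes, are modelled below as an added example. This is not OpenSSH's own code: it uses Python's `fnmatchcase` as a stand-in for OpenSSH's pattern matcher, and the cipher names in `SUPPORTED_CIPHERS` and `DEFAULT_CIPHERS` are a constructed sample, not the real default of any release. Negation ('!') is deliberately not supported, matching the caveat in the 1.335 entry.

```python
"""Model of how sshd/ssh assemble an effective algorithm list.

Added illustration, not OpenSSH's own code.  Config values take one of:

  "+a,b"  append a,b to the default list         (rev 1.277)
  "-pat"  remove default entries matching pat    (rev 1.304)
  "^a,b"  prepend a,b to the default list        (rev 1.352)
  "a,b"   replace the default list outright

Wildcards '*' and '?' are fnmatch-style (assumption standing in for
OpenSSH's own matcher); '!' negation is not a list feature.
"""
from fnmatch import fnmatchcase

# Constructed sample of "what the build supports", in preference order.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
    "3des-cbc",
]
# Constructed sample default: everything supported except 3des-cbc.
DEFAULT_CIPHERS = [c for c in SUPPORTED_CIPHERS if c != "3des-cbc"]


def _split(names: str) -> list[str]:
    """Split a comma list, rejecting empty elements such as 'a,,b'."""
    items = [n.strip() for n in names.split(",")]
    if any(not n for n in items):
        raise ValueError("empty element in algorithm list: %r" % names)
    return items


def _dedupe(names: list[str]) -> list[str]:
    """Keep first occurrence of each name, preserving order."""
    seen: set[str] = set()
    out = []
    for n in names:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def _expand(items: list[str], supported: list[str]) -> list[str]:
    """Expand wildcards against the supported set; unknown names are
    errors so that a typo is reported at config load, not at runtime."""
    out = []
    for item in items:
        if "*" in item or "?" in item:
            matches = [s for s in supported if fnmatchcase(s, item)]
            if not matches:
                raise ValueError("pattern %r matches no algorithm" % item)
            out.extend(matches)
        elif item in supported:
            out.append(item)
        else:
            raise ValueError("unsupported algorithm %r" % item)
    return out


def assemble_algorithms(value: str, defaults: list[str],
                        supported: list[str] = SUPPORTED_CIPHERS) -> list[str]:
    """Return the effective list for a value like the one after 'Ciphers'."""
    if not value:
        raise ValueError("algorithm list must not be empty")
    if value[0] == "+":
        result = _dedupe(defaults + _expand(_split(value[1:]), supported))
    elif value[0] == "-":
        patterns = _split(value[1:])
        result = [d for d in defaults
                  if not any(fnmatchcase(d, p) for p in patterns)]
    elif value[0] == "^":
        result = _dedupe(_expand(_split(value[1:]), supported) + defaults)
    else:
        result = _dedupe(_expand(_split(value), supported))
    if not result:
        raise ValueError("algorithm list %r leaves nothing enabled" % value)
    return result


if __name__ == "__main__":
    for v in ("-*cbc", "^aes256-gcm@openssh.com", "+3des-cbc", "aes*-gcm@openssh.com"):
        print("%-28s -> %s" % (v, ",".join(assemble_algorithms(v, DEFAULT_CIPHERS))))
```

The useful property for an operator is that `-*cbc` strips the CBC modes without having to restate the whole default list, so the default can improve with upgrades while the local policy still applies; `assemble_algorithms("-*", ...)` raising rather than returning an empty list mirrors the "report errors early" goal of rev 1.335.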


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
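The entry above describes the start:rate:full form of MaxStartups without spelling out how the drop probability is derived. The following is an added example, written for this page rather than taken from OpenSSH, that models the random early drop as sshd applies it: nothing is dropped below the start count, the chance is rate percent at the start count and climbs linearly to 100 percent at the full count. The single-number form is handled as "refuse everything beyond N", which is an assumption taken from sshd_config(5); the function names are this example's own.

```python
"""Random early drop of unauthenticated connections, as configured by
MaxStartups start:rate:full (added example modelling sshd's behaviour; not
OpenSSH's code)."""
import random
from typing import Optional, Tuple


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """Parse "start:rate:full" into (begin, rate, full).

    A single number N is the older form and means begin = full = N with a
    100% rate, i.e. refuse everything once N connections are pending
    (assumption based on sshd_config(5)).
    """
    parts = value.split(":")
    if len(parts) == 1:
        full = int(parts[0])
        if full < 1:
            raise ValueError("MaxStartups must be positive")
        return full, 100, full
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    begin, rate, full = (int(p) for p in parts)
    if begin < 0 or begin > full or not 0 < rate <= 100:
        raise ValueError("MaxStartups: need 0 <= start <= full and 1 <= rate <= 100")
    return begin, rate, full


def drop_probability(pending: int, begin: int, rate: int, full: int) -> int:
    """Percent chance that a new unauthenticated connection is refused.

    Nothing is dropped below `begin`; at `begin` the chance is `rate`% and
    it rises linearly to 100% at `full`, where every new connection is refused.
    """
    if pending < begin:
        return 0
    if pending >= full:
        return 100
    # Only reached when begin < pending < full, so the divisor is positive.
    return rate + (100 - rate) * (pending - begin) // (full - begin)


def should_drop(pending: int, begin: int, rate: int, full: int,
                rng: Optional[random.Random] = None) -> bool:
    """Per-connection decision; pass a seeded Random for reproducible runs."""
    rng = rng or random.Random()
    return rng.randrange(100) < drop_probability(pending, begin, rate, full)


if __name__ == "__main__":
    begin, rate, full = parse_max_startups("10:30:100")
    for pending in (5, 10, 40, 70, 99, 100):
        print(pending, "pending ->", drop_probability(pending, begin, rate, full), "% dropped")
```

With the 10:30:100 default, 55 pending unauthenticated connections give a 65 percent drop chance; an attacker has to hold the pending count near 100 to lock out everyone, and legitimate users behind the same NAT see probabilistic, not total, refusal in between.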


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
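To make the "all methods in any list" rule concrete, here is an added example (not OpenSSH's auth2.c, and not part of this log) that models how a connection progresses through the configured lists. Each list is consumed from its head as methods succeed, so the methods of a list must be completed in the order written; that ordering is an assumption taken from sshd_config(5), and the class and function names are this example's own.

```python
"""Evaluation of the AuthenticationMethods option (added example modelling
the rules described here and in sshd_config(5); not OpenSSH's auth2.c)."""
from typing import List, Sequence


def parse_authentication_methods(value: str) -> List[List[str]]:
    """Split "publickey,password publickey,keyboard-interactive" into lists of methods."""
    lists = []
    for item in value.split():
        methods = [m for m in item.split(",") if m]
        if not methods:
            raise ValueError("empty authentication method list")
        lists.append(methods)
    if not lists:
        raise ValueError("AuthenticationMethods needs at least one list")
    return lists


class AuthMethodsState:
    """Per-connection progress through the configured lists.

    Each list is consumed from its head as methods succeed, so methods
    inside a list must be completed in the order written (an assumption
    taken from sshd_config(5), which documents that ordering).
    """

    def __init__(self, value: str):
        self.remaining = parse_authentication_methods(value)

    def allowed(self) -> List[str]:
        """Methods the client may try now: the head of every list still pending."""
        heads: List[str] = []
        for methods in self.remaining:
            if methods and methods[0] not in heads:
                heads.append(methods[0])
        return heads

    def complete(self, method: str) -> bool:
        """Record one successful method; True once some list is fully satisfied."""
        if method not in self.allowed():
            raise ValueError(f"{method!r} is not acceptable at this point")
        finished = False
        for methods in self.remaining:
            if methods and methods[0] == method:
                methods.pop(0)
                if not methods:
                    finished = True
        return finished


def authenticates(value: str, successes: Sequence[str]) -> bool:
    """Replay successful methods in order; False if one is out of order or no list completes."""
    state = AuthMethodsState(value)
    for method in successes:
        if method not in state.allowed():
            return False
        if state.complete(method):
            return True
    return False
```

Note what the model makes visible: with "publickey,password publickey,keyboard-interactive" a password success before any public key is not merely insufficient, it is not offered at all, so password guessing cannot even start until a key has been presented.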


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
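The list semantics described above (CIDR preferred, wildcard fallback, negation) are easy to get wrong when writing rules, so here is an added example that models them; it is written for this page using Python's ipaddress and fnmatch modules and is not OpenSSH's addrmatch.c. The ordering rule it implements is that a matching negated entry rejects at once while a positive match is remembered and can still be overridden by a later negated entry. The client addresses in the tests are constructed.

```python
"""Address-list matching as used by sshd's "Match address" (added example
modelling addrmatch.c's rules; this is not OpenSSH's code)."""
import fnmatch
import ipaddress


def _cidr_entry_matches(addr, entry: str) -> bool:
    """CIDR comparison; a different address family never matches.

    strict=False ignores host bits in the entry, so 192.0.2.1/24 means
    192.0.2.0/24, which is how a masked comparison behaves.
    """
    net = ipaddress.ip_network(entry, strict=False)
    return addr.version == net.version and addr in net


def match_address(client: str, pattern_list: str) -> bool:
    """Evaluate a comma-separated list of CIDR ranges or wildcard patterns.

    Entries are tried left to right.  A negated ("!") entry that matches
    rejects immediately, a positive match is remembered but later negated
    entries can still override it, and no match at all rejects.
    """
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # an unparsable client address never matches
    matched = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in address list")
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if "/" in entry:
            hit = _cidr_entry_matches(addr, entry)      # CIDR when a prefix length is given
        else:
            hit = fnmatch.fnmatchcase(client, entry)    # otherwise classic wildcard match on the text
        if hit:
            if negated:
                return False
            matched = True
    return matched


if __name__ == "__main__":
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for client in ("192.0.2.7", "10.1.2.3", "3ffe:ffff::1", "198.51.100.9"):
        print(client, "->", match_address(client, rule))
```

The practical consequence of the override rule: "192.0.2.0/24,!192.0.2.1" excludes the single host even though the range before it matched, so exclusions can be appended to a block without reordering it.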


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
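The two rules in the entry above (PermitOpen restricts forwarding to listed host/port pairs, and when a key carries a permitopen option both must allow the connection) are combined in the following added example. It is written for this page and is not OpenSSH's channels.c; it also handles the "none" value and the host:* port wildcard that later entries on this page introduce. Accepting "any" as the unrestricted value and "*" as a host wildcard follows current sshd_config(5) rather than anything in these entries, so treat that as an assumption; the comparison of hosts is textual, so "localhost" and "127.0.0.1" are different entries.

```python
"""Checking a requested TCP forward against PermitOpen lists (added example
modelling the rules described on this page; not OpenSSH's channels.c)."""
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[int]]   # (host, port); port None means "*"


def parse_permit_open(value: str) -> Optional[List[Entry]]:
    """Return the permitted (host, port) entries.

    None means "any" (no restriction) and an empty list means "none".
    Hosts may be names, IPv4 addresses or bracketed IPv6 addresses; the
    port is a number or "*".  A "*" host is allowed as in current
    sshd_config(5), an assumption beyond the entries on this page.
    """
    tokens = value.split()
    if tokens == ["any"]:
        return None
    if tokens == ["none"]:
        return []
    entries: List[Entry] = []
    for tok in tokens:
        if tok.startswith("["):
            host, sep, port = tok[1:].partition("]:")
        else:
            host, sep, port = tok.rpartition(":")
        if not sep or not host or not port:
            raise ValueError(f"bad PermitOpen entry {tok!r}")
        if port == "*":
            entries.append((host, None))
        else:
            number = int(port)
            if not 0 < number <= 65535:
                raise ValueError(f"bad port in PermitOpen entry {tok!r}")
            entries.append((host, number))
    return entries


def _allowed_by(entries: Optional[List[Entry]], host: str, port: int) -> bool:
    """Textual host comparison plus exact or wildcard port, like sshd's open_match."""
    if entries is None:
        return True
    return any((h == "*" or h == host) and (p is None or p == port) for h, p in entries)


def forward_permitted(config_value: str, key_option: Optional[str],
                      host: str, port: int) -> bool:
    """True only if sshd_config PermitOpen and, when present, the key's permitopen both allow it."""
    if not _allowed_by(parse_permit_open(config_value), host, port):
        return False
    if key_option is not None and not _allowed_by(parse_permit_open(key_option), host, port):
        return False
    return True
```

The key option is the tighter of the two in the usual deployment: sshd_config grants a broad "localhost:*" and the individual key narrows it to one port, which is why a forward allowed by the configuration can still be refused.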


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
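The override rule stated above (a Match block's lines replace the main section's value when the condition holds) is the core of how sshd resolves an option for a connection. The following added example, written for this page and not taken from OpenSSH's servconf.c, models it for the User and Group criteria plus the "Match all" form and the rejection of empty Match statements that later entries on this page describe. Group negation follows the rule that a negated match on any of the user's groups vetoes the block. The sample configuration is constructed, and the function names are this example's own.

```python
"""Resolving sshd_config options through Match blocks (added example that
models the first-match semantics described on this page; it is not
OpenSSH's servconf.c and understands only the User, Group and all criteria)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

Criteria = List[Tuple[str, str]]
Section = Dict[str, str]


def _match_pattern_list(value: str, patterns: str) -> int:
    """Three-way result: 1 matched, -1 matched a negated entry, 0 no match."""
    found = 0
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return -1
            found = 1
    return found


def parse_sshd_config(text: str) -> Tuple[Section, List[Tuple[Criteria, Section]]]:
    """Return (global section, [(criteria, section), ...]) in file order.

    Keywords are case-insensitive and, within one section, the first value
    given for a keyword wins.  An empty "Match" line is an error and
    "Match all" matches every connection.
    """
    global_opts: Section = {}
    blocks: List[Tuple[Criteria, Section]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = rest.split()
            if not tokens:
                raise ValueError("empty Match statement")
            if [t.lower() for t in tokens] == ["all"]:
                criteria: Criteria = []
            elif len(tokens) % 2:
                raise ValueError(f"Match criterion without a value: {rest!r}")
            else:
                criteria = [(tokens[i].lower(), tokens[i + 1]) for i in range(0, len(tokens), 2)]
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, rest)
    return global_opts, blocks


def _block_applies(criteria: Criteria, user: str, groups: List[str]) -> bool:
    """Every criterion on the Match line must hold; a negated group match vetoes the block."""
    for crit, patterns in criteria:
        if crit == "user":
            if _match_pattern_list(user, patterns) != 1:
                return False
        elif crit == "group":
            results = [_match_pattern_list(g, patterns) for g in groups]
            if -1 in results or 1 not in results:
                return False
        else:
            raise ValueError(f"unsupported Match criterion {crit!r}")
    return True


def effective_option(config: str, keyword: str, user: str, groups: List[str]) -> Optional[str]:
    """Value of `keyword` for this connection: first applicable Match block that sets it, else global."""
    global_opts, blocks = parse_sshd_config(config)
    keyword = keyword.lower()
    for criteria, section in blocks:
        if keyword in section and _block_applies(criteria, user, groups):
            return section[keyword]
    return global_opts.get(keyword)


# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Group wheel,!guests
    PasswordAuthentication yes
Match all
    X11Forwarding no
"""
```

Running effective_option over SAMPLE_CONFIG shows the two things operators most often get wrong: a user in both wheel and guests does not get the wheel block because the negated group entry vetoes it, and an option that no matching block sets silently falls back to the global value.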


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
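The time[qualifier] grammar above is small but has edge cases (a bare trailing number means seconds, several pieces may be chained, and an unknown qualifier or an overflowing value must be rejected rather than silently truncated, since a LoginGraceTime that parses as 0 is a very different setting). The following parser is an added example written for this page; it is not OpenSSH's convtime() in misc.c. Capping the result at a signed 32-bit value mirrors the C code's int range and is an assumption.

```python
"""Parser for sshd time values such as "600", "10m" or "1h30m"
(added example; OpenSSH's own parser is convtime() in misc.c, not copied here)."""

_MULTIPLIERS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MAX_SECONDS = 2**31 - 1   # assumption: cap at a signed 32-bit int like the C code


def parse_time(text: str) -> int:
    """Return the number of seconds, or raise ValueError for malformed input.

    A value is one or more "number[qualifier]" pieces.  Only a piece that
    ends the string may omit its qualifier, in which case it means seconds.
    """
    if not text:
        raise ValueError("empty time value")
    total = 0
    i = 0
    n = len(text)
    while i < n:
        start = i
        while i < n and "0" <= text[i] <= "9":
            i += 1
        if start == i:
            raise ValueError(f"expected a number at offset {start} in {text!r}")
        number = int(text[start:i])
        if i < n:
            qualifier = text[i].lower()      # qualifiers are accepted in either case
            if qualifier not in _MULTIPLIERS:
                raise ValueError(f"unknown qualifier {text[i]!r} in {text!r}")
            i += 1
            total += number * _MULTIPLIERS[qualifier]
        else:
            total += number                   # trailing bare number counts as seconds
        if total > _MAX_SECONDS:
            raise ValueError(f"time value {text!r} is too large")
    return total


def is_valid_time(text: str) -> bool:
    """Convenience wrapper for configuration checks."""
    try:
        parse_time(text)
        return True
    except ValueError:
        return False
```

A configuration linter can call is_valid_time() on every LoginGraceTime, ClientAliveInterval or RekeyLimit time field before the file is deployed, which catches a typo like "10x" that a server would reject at startup.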


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.361 06-Mar-2020 markus

fix relative includes in sshd_config; ok djm


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
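
As an added example (not OpenSSH's own parser), a C function that accepts the time[qualifier] sequences described above and returns total seconds, rejecting unknown qualifiers, signs and overflow. Function names are assumptions for illustration.

```c
/*
 * Parse sshd-style time specifications such as "600", "10m" or "1h30m"
 * (added example, not OpenSSH code). Returns total seconds, or -1 if the
 * input is empty, carries an unknown qualifier, a sign, or would overflow.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Seconds per qualifier: <none>,s,m,h,d,w (case-insensitive). */
static long
qualifier_seconds(char c)
{
	switch (c) {
	case 's': case 'S': return 1;
	case 'm': case 'M': return 60;
	case 'h': case 'H': return 3600;
	case 'd': case 'D': return 86400;
	case 'w': case 'W': return 604800;
	default: return -1;
	}
}

long
parse_time_spec(const char *s)
{
	const char *p = s;
	long total = 0;

	if (s == NULL || *s == '\0')
		return -1;
	while (*p != '\0') {
		char *end;
		long n, mult;

		/* Each component must start with an unsigned integer. */
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		n = strtol(p, &end, 10);
		if (errno != 0 || n < 0)
			return -1;
		if (*end == '\0') {
			mult = 1;	/* trailing bare number means seconds */
		} else {
			mult = qualifier_seconds(*end);
			if (mult < 0)
				return -1;	/* unknown qualifier */
			end++;
		}
		/* Reject overflow before multiplying/adding. */
		if (n > (LONG_MAX - total) / mult)
			return -1;
		total += n * mult;
		p = end;
	}
	return total;
}

int
main(void)
{
	const char *samples[] = { "600", "10m", "1h30m", "5x", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-6s -> %ld\n", samples[i], parse_time_spec(samples[i]));
	return 0;
}
```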


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.360 31-Jan-2020 djm

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
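
A model of the random early drop that MaxStartups start:rate:full configures, as an added illustration rather than sshd's own code: the linear ramp from `rate` percent at `start` pending connections to 100 percent at `full` is an assumption about the schedule, and the validation checks are the example's own.

```python
import random


def parse_max_startups(value: str) -> tuple:
    """Parse "start:rate:full"; a bare number is a hard cap with no early drop."""
    parts = value.split(":")
    if len(parts) == 1:
        full = int(parts[0])
        return full, 100, full
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    # Sanity checks chosen for this illustration (assumption, not sshd's exact rules).
    if start <= 0 or start > full or not 1 <= rate <= 100:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(startups: int, start: int, rate: int, full: int) -> int:
    """Percent chance that a new connection is refused while `startups`
    connections are still unauthenticated (assumed linear ramp)."""
    if startups < start:
        return 0            # below the threshold: never drop
    if startups >= full or rate == 100:
        return 100          # at the hard limit: always drop
    return rate + (100 - rate) * (startups - start) // (full - start)


def should_drop(startups: int, spec: str, rng=random) -> bool:
    """Apply the schedule with one random draw per arriving connection."""
    start, rate, full = parse_max_startups(spec)
    return rng.randrange(100) < drop_probability(startups, start, rate, full)


def expected_refusals(spec: str, pending: int, trials: int = 10000, seed: int = 1) -> float:
    """Fraction of `trials` arrivals refused at a fixed pending load, for tuning."""
    rng = random.Random(seed)
    return sum(should_drop(pending, spec, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for pending in (5, 10, 55, 99, 100):
        print(pending, "pending ->", drop_probability(pending, 10, 30, 100), "% drop")
```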


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
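
A small evaluator for the Match semantics described in this entry and in 1.181 above (global section as defaults, a matching block overriding them, and "Match address" with CIDR ranges, "!" negation and a wildcard fallback), as an added illustration that is not sshd's parser. The sample config is constructed, only the User and address criteria are handled, and treating each entry without a "/" as a wildcard is a simplification of sshd's list-level fallback.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config fragment (not taken from the repository).
SAMPLE_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding yes

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

Match User anoncvs
    AllowTcpForwarding no
"""


def address_matches(addr: str, pattern_list: str) -> bool:
    """Match addr against a comma-separated list of CIDR ranges or wildcards.

    A negated ("!") entry that matches rejects the address outright; otherwise
    any positive entry that matches accepts it.  Entries without "/" fall back
    to classic wildcard matching (per-entry fallback assumed for illustration).
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if "/" in pat:
            # An IPv4 address tested against an IPv6 network is simply False.
            hit = ip in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def parse_config(text: str):
    """Split a config into (global_options, [(match_condition, options), ...]).

    Within one section the first value given for a keyword wins.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        if keyword.lower() == "match":
            current = {}
            blocks.append((arg.strip(), current))
        else:
            current.setdefault(keyword, arg.strip())
    return global_opts, blocks


def condition_holds(cond: str, user: str, addr: str) -> bool:
    """Evaluate a Match line's criterion/argument pairs (all must hold)."""
    toks = cond.split()
    if not toks or len(toks) % 2:
        raise ValueError(f"malformed Match condition: {cond!r}")
    for crit, arg in zip(toks[0::2], toks[1::2]):
        crit = crit.lower()
        if crit == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in arg.split(",")):
                return False
        elif crit == "address":
            if not address_matches(addr, arg):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {crit!r}")
    return True


def effective_options(text: str, user: str, addr: str) -> dict:
    """Global section as defaults, overridden by the first matching block
    that sets each keyword."""
    global_opts, blocks = parse_config(text)
    overrides = {}
    for cond, block_opts in blocks:
        if condition_holds(cond, user, addr):
            for key, value in block_opts.items():
                overrides.setdefault(key, value)
    return {**global_opts, **overrides}


if __name__ == "__main__":
    for user, addr in (("alice", "192.0.2.7"), ("anoncvs", "203.0.113.9")):
        print(user, addr, effective_options(SAMPLE_CONFIG, user, addr))
```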


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
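
A parser for the time[qualifier] syntax this entry introduces (e.g. "600", "10m", "1h30m"), as an added illustration rather than sshd's own conversion routine; how sshd reports malformed input may differ.

```python
# Qualifier letters and their value in seconds; "" stands for a bare number.
MULTIPLIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(spec: str) -> int:
    """Convert a time[qualifier] sequence to seconds; raise ValueError otherwise."""
    if not spec:
        raise ValueError("empty time specification")
    total, i, n = 0, 0, len(spec)
    while i < n:
        # Read one run of ASCII digits.
        j = i
        while j < n and "0" <= spec[j] <= "9":
            j += 1
        if j == i:
            raise ValueError(f"expected digits at offset {i} in {spec!r}")
        value = int(spec[i:j])
        # The qualifier is optional and accepted in either case.
        qual = spec[j].lower() if j < n else ""
        if qual not in MULTIPLIERS:
            raise ValueError(f"unknown qualifier {spec[j]!r} in {spec!r}")
        total += value * MULTIPLIERS[qual]
        i = j + 1 if qual else j    # step past the qualifier letter, if any
    return total


def is_valid_time(spec: str) -> bool:
    """True when parse_time() accepts spec."""
    try:
        parse_time(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m"):
        print(example, "->", parse_time(example), "seconds")
```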


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.359 23-Jan-2020 dtucker

Make zlib optional. This adds a "ZLIB" build time option that allows
building without zlib compression and associated options. With feedback
from markus@, ok djm@


# 1.358 23-Jan-2020 dtucker

Remove unsupported algorithms from list of defaults at run time and
remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
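The load-time validation described in 1.299 above, as an added example in Python (not OpenSSH code): AllowUsers/DenyUsers entries of the form user@host are split, a host part containing "/" is parsed as a CIDR range with the standard ipaddress module and rejected immediately if the prefix length is invalid, and the remaining entries are matched against a (user, address[, hostname]) triple with sshd-style "*" and "?" wildcards. The sample entries and the check_allow_users() helper are constructed for this example; the real sshd does its own pattern matching and its exact tolerance of host bits in a CIDR address is not something this example tries to reproduce.

```python
import fnmatch
import ipaddress


def parse_allow_users(value):
    """Parse the argument of an AllowUsers/DenyUsers line into
    (user_pattern, host_spec) pairs. host_spec is None (any source),
    an ip_network for CIDR entries, or a hostname/address wildcard pattern.
    Invalid CIDR ranges are rejected here, at configuration load time,
    instead of silently matching every connection."""
    entries = []
    for token in value.split():
        user_pat, sep, host = token.partition("@")
        if not sep:
            entries.append((user_pat, None))
        elif "/" in host:
            try:
                # strict=False tolerates host bits set in the address part
                # (an assumption of this example, not a statement about sshd).
                entries.append((user_pat, ipaddress.ip_network(host, strict=False)))
            except ValueError as e:
                raise ValueError(f"invalid CIDR range in {token!r}: {e}") from None
        else:
            entries.append((user_pat, host))
    return entries


def check_allow_users(value):
    """sshd -t style check: return an error message, or None if the value parses."""
    try:
        parse_allow_users(value)
    except ValueError as e:
        return str(e)
    return None


def allow_users_match(entries, user, addr, hostname=None):
    """True if (user, addr[, hostname]) matches any entry. '*' and '?' are
    wildcards as in sshd; CIDR entries are matched on the address only."""
    ip = ipaddress.ip_address(addr)
    for user_pat, host_spec in entries:
        if not fnmatch.fnmatchcase(user, user_pat):
            continue
        if host_spec is None:
            return True
        if isinstance(host_spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ip.version == host_spec.version and ip in host_spec:
                return True
        elif fnmatch.fnmatchcase(addr, host_spec) or (
                hostname is not None and fnmatch.fnmatchcase(hostname, host_spec)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample configuration lines.
    print(check_allow_users("djm@127.1.2.3/55"))   # error: prefix length 55 is invalid
    rules = parse_allow_users("djm@10.0.0.0/8 admin* deploy@bastion.example")
    print(allow_users_match(rules, "djm", "10.20.30.40"))  # True
    print(allow_users_match(rules, "djm", "192.0.2.1"))    # False
```

The example only adds the bracket-style character classes that fnmatch understands on top of sshd's "*" and "?"; a stricter matcher would translate only those two metacharacters.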


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
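The algorithm-list prefix handling that this log introduces piecewise, "+" to append (1.277 above), "-" to remove with wildcard support (1.304), full expansion of wildcards at config finalisation (1.335) and "^" to prepend (1.352), as an added example in Python; this is not OpenSSH's kex.c code. The cipher names are a constructed sample, not the real defaults, and the rule that every term of a "+", "^" or bare list must match at least one supported algorithm (while "-" terms may match nothing) is this example's reading of the behaviour described in the log.

```python
import fnmatch

# Constructed sample lists: the algorithms this build is assumed to support
# and the subset used as the default. Not OpenSSH's real defaults.
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = SUPPORTED_CIPHERS[:6]


def _match_terms(terms, candidates, require_match=True):
    """Expand a comma-separated list of names/wildcards against 'candidates',
    keeping candidate order and dropping duplicates. '!' is rejected because
    algorithm lists accept wildcards but are not full pattern-lists."""
    matched = []
    for term in terms.split(","):
        if not term:
            raise ValueError("empty algorithm name in list")
        if term.startswith("!"):
            raise ValueError(f"negation is not supported in algorithm lists: {term!r}")
        hits = [c for c in candidates if fnmatch.fnmatchcase(c, term)]
        if not hits and require_match:
            raise ValueError(f"{term!r} matches no supported algorithm")
        matched.extend(h for h in hits if h not in matched)
    return matched


def assemble_algorithm_list(spec, defaults=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the fully expanded list for a value such as '+aes256-cbc',
    '-*cbc', '^aes256-gcm@openssh.com' or a bare list, so that errors are
    reported at load time and a config dump shows the actual selection."""
    if spec.startswith("+"):          # append matches to the defaults
        extra = _match_terms(spec[1:], supported)
        result = list(defaults) + [a for a in extra if a not in defaults]
    elif spec.startswith("-"):        # remove matches from the defaults
        drop = set(_match_terms(spec[1:], defaults, require_match=False))
        result = [a for a in defaults if a not in drop]
    elif spec.startswith("^"):        # put matches in front of the defaults
        head = _match_terms(spec[1:], supported)
        result = head + [a for a in defaults if a not in head]
    else:                             # replace the defaults entirely
        result = _match_terms(spec, supported)
    if not result:
        raise ValueError(f"{spec!r} leaves no algorithms enabled")
    return result


def check_algorithm_list(spec):
    """sshd -t style check: return an error message, or None if spec is valid."""
    try:
        assemble_algorithm_list(spec)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for spec in ("+aes256-cbc", "-*gcm*", "^aes256-gcm@openssh.com", "aes*-ctr"):
        print(f"Ciphers {spec:28} -> {','.join(assemble_algorithm_list(spec))}")
    print(check_algorithm_list("-*"))      # every algorithm removed: error
    print(check_algorithm_list("!aes*"))   # negation: error
```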


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
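A model of the random early drop that the MaxStartups "start:rate:full" spec describes, added here as an example; it is not OpenSSH code. It assumes the documented behaviour: below start unauthenticated connections nothing is refused, at start a new connection is refused with probability rate/100, the probability rises linearly, and at full every new connection is refused. A bare number N is treated as N:100:N. The random source is injectable so the decision can be checked deterministically.

```python
"""Model of sshd's MaxStartups random early drop (added example, not OpenSSH code)."""
import random
from typing import Callable, Tuple


def parse_max_startups(spec: str) -> Tuple[int, int, int]:
    """Parse a MaxStartups value into (start, rate, full).

    A bare number N is treated as N:100:N, i.e. hard refusal once N
    unauthenticated connections exist (assumed from the documented form).
    """
    parts = spec.split(":")
    if len(parts) == 1:
        full = int(parts[0])
        if full < 1:
            raise ValueError("MaxStartups must be positive")
        return full, 100, full
    if len(parts) != 3:
        raise ValueError("MaxStartups must be 'full' or 'start:rate:full'")
    start, rate, full = (int(p) for p in parts)
    if start < 0 or start > full or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups spec %r" % spec)
    return start, rate, full


def drop_probability(startups: int, start: int, rate: int, full: int) -> int:
    """Percentage chance that a new connection is refused when `startups`
    connections are currently unauthenticated (integer arithmetic)."""
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` towards 100 at `full`.
    p = (100 - rate) * (startups - start) // (full - start)
    return p + rate


def should_drop(startups: int, spec: str,
                rng: Callable[[int], int] = random.randrange) -> bool:
    """Decide whether to refuse a new connection under MaxStartups `spec`.

    `rng(100)` must return an integer in [0, 100); it is a parameter so the
    decision can be tested without randomness.
    """
    start, rate, full = parse_max_startups(spec)
    p = drop_probability(startups, start, rate, full)
    if p == 0:
        return False
    if p == 100:
        return True
    return rng(100) < p


if __name__ == "__main__":
    # Constructed load levels against the 10:30:100 default from the log.
    for n in (5, 10, 55, 99, 100):
        print(n, "unauthenticated ->", drop_probability(n, 10, 30, 100), "% refused")
```

With the 10:30:100 default, 55 unauthenticated connections give a 65% refusal chance; the old single-value form "MaxStartups 10" refused everything once 10 were pending, which is why a brute-force client could trivially lock out legitimate users.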


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
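The address matching described above, worked through as an added example (not OpenSSH's addrmatch.c): a comma-separated "Match address" list is evaluated against a client address with CIDR entries, "!" negation and fall-back to classic wildcard matching, and the result is used to pick the effective value of a keyword such as PasswordAuthentication. It assumes the semantics the log states, namely that a matching negated entry refuses the match outright, that a non-CIDR entry is a wildcard pattern over the textual address, and that the first Match block setting a keyword wins; helper names are the example's own.

```python
"""Evaluate sshd_config "Match address" lists (added example, not OpenSSH code)."""
import fnmatch
import ipaddress
from typing import List, Tuple


def _entry_matches(entry: str, client) -> bool:
    """True if one non-negated entry matches the client address.

    Entries containing "/" are CIDR networks; anything else falls back to a
    classic wildcard pattern applied to the address text.
    """
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # a malformed CIDR never matches
        return client.version == net.version and client in net
    return fnmatch.fnmatchcase(str(client), entry)


def match_address(spec: str, client_addr: str) -> bool:
    """Apply a comma-separated "Match address" list to client_addr.

    A negated entry ("!...") that matches refuses the whole match immediately,
    regardless of where it sits in the list; a positive match sets the result
    True; no match at all gives False.
    """
    client = ipaddress.ip_address(client_addr)
    result = False
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if _entry_matches(entry, client):
            if negated:
                return False
            result = True
    return result


def effective_value(default: str, rules: List[Tuple[str, str]],
                    client_addr: str) -> str:
    """Effective value of one keyword for a client: the first Match block
    whose address criterion matches wins, otherwise the global default."""
    for spec, value in rules:
        if match_address(spec, client_addr):
            return value
    return default


if __name__ == "__main__":
    # Constructed config: PasswordAuthentication no globally, yes for the
    # networks in the commit message's example, never for 10.*.
    rules = [("192.0.2.0/24,3ffe:ffff::/32,!10.*", "yes")]
    for addr in ("192.0.2.10", "10.1.2.3", "3ffe:ffff::1", "198.51.100.7"):
        print(addr, "PasswordAuthentication",
              effective_value("no", rules, addr))
```

Because a negated entry wins wherever it appears, an operator can safely append "!10.*"-style exclusions to an existing allow list without worrying about ordering; the same is not true of a plain allow list, where a later broad CIDR silently widens earlier narrow ones.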


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
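A parser for the time[qualifier] syntax described above, added as an example; it is not OpenSSH's own convtime() routine. It assumes only what the commit message states: a sequence of positive integers each optionally followed by s, m, h, d or w, with an unqualified number meaning seconds, and it rejects anything else (empty strings, negative values, unknown qualifiers). The INT_MAX cap is the example's own guard against an overflowing value.

```python
"""Parse sshd-style time specs such as "600", "10m", "1h30m" (added example)."""
import re

# Seconds per qualifier; "" covers a bare number, which counts as seconds.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)")
_INT_MAX = 2 ** 31 - 1  # example's own bound; sshd stores times in an int


def parse_time_spec(text: str) -> int:
    """Return the number of seconds denoted by `text`.

    Raises ValueError for an empty string, a sign, whitespace, an unknown
    qualifier, a qualifier with no number, or a total above _INT_MAX.
    """
    if not text:
        raise ValueError("empty time value")
    pos = 0
    total = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("invalid time value %r at offset %d" % (text, pos))
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        if total > _INT_MAX:
            raise ValueError("time value %r is too large" % text)
        pos = m.end()
    return total


if __name__ == "__main__":
    # The three examples from the commit message, plus a week.
    for spec in ("600", "10m", "1h30m", "1w"):
        print("%-6s -> %d seconds" % (spec, parse_time_spec(spec)))
```

Rejecting rather than silently truncating malformed values matters for options like LoginGraceTime: a typo that parsed as 0 would disable the grace timeout instead of shortening it.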


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.357 15-Dec-2019 djm

don't treat HostKeyAgent=none as a path either; avoids spurious
warnings from the cfgparse regress test


# 1.356 15-Dec-2019 djm

do not attempt to find an absolute path for sshd_config
SecurityKeyProvider=internal - unbreaks cfgparse regress test


# 1.355 15-Dec-2019 djm

allow security keys to act as host keys as well as user keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@
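
The '^', '+' and '-' prefixes described in this entry and in 1.335, 1.304 and 1.277 further down this log are easy to misjudge when working out what a server will actually negotiate. The following is an added Python model of the assembly rules, written for this page and not taken from OpenSSH's servconf.c or kex.c. The default list and the supported set are short constructed sample data, and the wildcard behaviour (plain glob matching, no '!' negation, unknown names rejected when the list is assembled rather than at connection time) follows the commit messages rather than the C code.

```python
from fnmatch import fnmatchcase

# Constructed sample data for this example: a short default list and the
# set of algorithms the (hypothetical) build supports. Real sshd lists are
# longer, but the assembly rules are the same.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ["aes128-cbc", "aes256-cbc", "3des-cbc"]


def _dedupe(names):
    """Keep the first occurrence of each name, preserving order."""
    seen, out = set(), []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def _expand(patterns, supported):
    """Expand a comma-separated list of names or wildcard patterns against
    the supported set. A pattern that matches nothing is a configuration
    error and is reported here, when the config is finalised, rather than
    when a client connects. Plain wildcards only: no '!' negation."""
    out = []
    for pat in patterns.split(","):
        if not pat:
            raise ValueError("empty algorithm name in list")
        matched = [name for name in supported if fnmatchcase(name, pat)]
        if not matched:
            raise ValueError(f"unsupported algorithm or pattern: {pat!r}")
        out.extend(matched)
    return _dedupe(out)


def assemble_algorithm_list(spec, default, supported):
    """Return the effective algorithm list for a config value `spec`:
      "" or None   -> the default list
      "+a,b"       -> default, then a and b appended (duplicates dropped)
      "-pat,..."   -> default minus every name matching a pattern
      "^a,b"       -> a and b first, then the default
      "a,b"        -> exactly a and b, replacing the default
    Every entry in the result is a name the build supports."""
    if not spec:
        return list(default)
    if spec[0] == "+":
        return _dedupe(list(default) + _expand(spec[1:], supported))
    if spec[0] == "-":
        # Removal only filters the default, so a pattern matching nothing
        # is harmless here (the list simply stays as it was).
        pats = [p for p in spec[1:].split(",") if p]
        return [n for n in default
                if not any(fnmatchcase(n, p) for p in pats)]
    if spec[0] == "^":
        return _dedupe(_expand(spec[1:], supported) + list(default))
    return _expand(spec, supported)


if __name__ == "__main__":
    for value in ("", "^aes128-gcm@openssh.com,aes256-gcm@openssh.com",
                  "+aes256-cbc", "-*-ctr",
                  "aes256-ctr,chacha20-poly1305@openssh.com"):
        result = assemble_algorithm_list(value, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
        print(f"Ciphers {value!r:48} -> {result}")
```

Running it shows `Ciphers ^...` placing the two GCM ciphers ahead of the untouched default, `-*-ctr` succeeding because it only filters, and `+nosuchcipher` failing at assembly time: that is the early error the 1.335 entry describes, and the reason a config dump lists concrete names rather than patterns.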


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@
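
The address forms this entry expands (a bare port meaning `*:port`), together with the `[::1]:22` form and the rejected `host/port` form in 1.347 above and the `[host]:port` / `host:port` ListenAddress forms in 1.74 at the top of this log, are small enough to parse in a few lines, and doing so makes the ambiguity that motivated removing the slash syntax explicit. The following Python is an added example written for this page, not sshd's own hpdelim() parsing; the accepted grammar, the `*` host substituted for a bare port, the port range 1-65535 and the `*` port wildcard are assumptions stated in the comments.

```python
def _parse_port(text, allow_wildcard):
    """Port number 1-65535, or "*" where the directive permits it.
    The range and the wildcard are assumptions of this example."""
    if allow_wildcard and text == "*":
        return "*"
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_host_port(spec, bare_port_ok=False):
    """Return (host, port) for a ListenAddress or PermitListen argument.
    Accepted forms (constructed for this example, not an exhaustive grammar):
      host              -> (host, None)
      host:port         -> IPv4 literal or hostname with a port
      [host]:port       -> bracketed form, required for IPv6 literals
      [host]            -> bracketed host without a port
      ipv6-literal      -> bare IPv6 literal without a port
      port              -> ("*", port) only when bare_port_ok (PermitListen)
    The old host/port form is rejected with a message pointing at the
    replacement, since it is easily confused with CIDR notation."""
    if not spec:
        raise ValueError("empty address specification")
    if "/" in spec:
        raise ValueError(
            f"{spec!r}: host/port syntax is no longer supported, use [host]:port")
    if spec[0] == "[":
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"{spec!r}: unterminated '['")
        host, rest = spec[1:end], spec[end + 1:]
        if not host:
            raise ValueError(f"{spec!r}: empty host in brackets")
        if rest == "":
            return host, None
        if rest[0] != ":" or len(rest) == 1:
            raise ValueError(f"{spec!r}: expected [host]:port")
        return host, _parse_port(rest[1:], bare_port_ok)
    if spec.count(":") >= 2:
        # Two or more colons can only be an IPv6 literal; attaching a
        # port to one requires the bracketed form above.
        return spec, None
    if ":" in spec:
        host, _, port = spec.partition(":")
        if not host:
            raise ValueError(f"{spec!r}: missing host before ':'")
        return host, _parse_port(port, bare_port_ok)
    if bare_port_ok and spec.isdigit():
        return "*", _parse_port(spec, True)
    return spec, None


def parse_permitlisten(value):
    """Parse a PermitListen directive: whitespace-separated specs, where a
    bare port is shorthand for *:port."""
    return [parse_host_port(tok, bare_port_ok=True) for tok in value.split()]


def listen_spec_is_valid(spec, bare_port_ok=False):
    """True if `spec` parses under the rules above."""
    try:
        parse_host_port(spec, bare_port_ok)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for spec in ("[::1]:22", "192.0.2.1:2222", "2001:db8::1", "example.org"):
        print(f"ListenAddress {spec:18} -> {parse_host_port(spec)}")
    print("PermitListen 2222 8080   ->", parse_permitlisten("2222 8080"))
    print("PermitListen *:2222 *:8080 ->", parse_permitlisten("*:2222 *:8080"))
    for bad in ("::1/22", "[::1]:99999", "[::1"):
        try:
            parse_host_port(bad)
        except ValueError as err:
            print("rejected:", err)
```

The two PermitListen spellings from the commit message parse to the same list, and `::1/22` is refused with a hint rather than being read as "the ::1/22 network", which is exactly the misreading the 1.347 entry warns about.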


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
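
Validating the address part of an AllowUsers/DenyUsers entry at load time, as this commit does, is what turns a typo into a refused configuration instead of a rule that always matches. The following is an added Python example written for this page; it is not OpenSSH's addrmatch.c and it relies on the standard ipaddress module. The sample entries are constructed (the invalid `djm@127.1.2.3/55` is the one from the commit message), and treating any `/` in the host part as CIDR, tolerating host bits set under the mask, and globbing the user part are assumptions of the example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample AllowUsers list. The third entry is the bad one from the
# commit message: /55 is not a valid prefix length for an IPv4 address.
SAMPLE_ALLOWUSERS = [
    "alice",
    "bob@192.0.2.0/24",
    "djm@127.1.2.3/55",
    "carol@2001:db8::/32",
    "dave@*.example.org",
]


def classify_host(host):
    """Return ("cidr", network), ("addr", address) or ("pattern", host).
    A host part containing "/" must parse as a CIDR range; anything else
    that is not a literal address is treated as a hostname pattern."""
    if "/" in host:
        try:
            # strict=False: host bits under the mask are tolerated (an
            # assumption of this example); the prefix length itself must
            # still be valid for the address family.
            return "cidr", ipaddress.ip_network(host, strict=False)
        except ValueError as err:
            raise ValueError(f"invalid CIDR range {host!r}: {err}") from None
    try:
        return "addr", ipaddress.ip_address(host)
    except ValueError:
        return "pattern", host


def validate_entries(entries):
    """Parse a whole AllowUsers/DenyUsers list at configuration load time.
    Returns a list of (user_pattern, kind, value) tuples and raises on the
    first malformed entry, so a bad range is refused instead of being kept
    and silently matching every address."""
    parsed = []
    for entry in entries:
        user, at, host = entry.partition("@")
        if not user or (at and not host):
            raise ValueError(f"malformed entry {entry!r}")
        if not at:
            parsed.append((user, None, None))
            continue
        kind, value = classify_host(host)
        parsed.append((user, kind, value))
    return parsed


def config_is_valid(entries):
    """True if every entry in the list parses."""
    try:
        validate_entries(entries)
    except ValueError:
        return False
    return True


def entry_matches(parsed_entry, user, client_ip, client_hostname=None):
    """Decide whether one parsed entry matches a connecting user. The user
    part is a glob; the host part is matched against the client address
    (CIDR or literal) or, for patterns, against its resolved hostname."""
    user_pat, kind, value = parsed_entry
    if not fnmatchcase(user, user_pat):
        return False
    if kind is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    if kind == "cidr":
        return ip.version == value.version and ip in value
    if kind == "addr":
        return ip == value
    return client_hostname is not None and fnmatchcase(client_hostname, value)


if __name__ == "__main__":
    print("sample list valid:", config_is_valid(SAMPLE_ALLOWUSERS))
    for entry in SAMPLE_ALLOWUSERS:
        try:
            validate_entries([entry])
            print(f"  ok   {entry}")
        except ValueError as err:
            print(f"  BAD  {entry}: {err}")
```

The check belongs where the configuration is loaded, not in the match path: a daemon that refuses to start on `127.1.2.3/55` is noticed immediately, whereas one that accepts it and matches everything is only noticed after the wrong user gets in.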


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
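As an added illustration (not OpenSSH's code), the following Python model shows how a MaxStartups spec of the form begin:rate:full is parsed and how the drop probability for a new unauthenticated connection rises from rate percent at `begin` to 100 percent at `full`. The linear interpolation between those two points is an assumption about how the three numbers combine, and the bare single-number form is modelled as "drop everything at n".

```python
"""Added example, not sshd's own code: a model of MaxStartups
"begin:rate:full" random early drop as described in the commit above.
The linear interpolation between rate% at `begin` and 100% at `full` is
an assumption about how the three numbers are combined."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MaxStartups:
    begin: int  # unauthenticated connections at which dropping starts
    rate: int   # percentage dropped once `begin` is reached
    full: int   # unauthenticated connections at which everything is dropped


def parse_max_startups(spec: str) -> MaxStartups:
    """Parse "10:30:100" (or a bare "10", modelled as: drop everything at 10)."""
    parts = spec.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return MaxStartups(begin=n, rate=100, full=n)
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    begin, rate, full = (int(p) for p in parts)
    if not (0 < begin <= full) or not (0 <= rate <= 100):
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    return MaxStartups(begin, rate, full)


def drop_probability(startups: int, policy: MaxStartups) -> int:
    """Percentage chance that a new unauthenticated connection is refused.

    Below `begin` nothing is dropped; at or above `full` everything is.
    In between, the percentage rises linearly from `rate` to 100
    (integer arithmetic, as a C implementation would do it).
    """
    if startups < policy.begin:
        return 0
    if startups >= policy.full or policy.rate == 100:
        return 100
    span = policy.full - policy.begin
    p = (100 - policy.rate) * (startups - policy.begin) // span
    return p + policy.rate


def should_drop(startups: int, policy: MaxStartups,
                roll: Optional[int] = None) -> bool:
    """Decide for one incoming connection.

    `roll` is a uniform value in [0, 100); it is a parameter so the decision
    can be tested deterministically, and defaults to a fresh random draw.
    """
    if roll is None:
        roll = secrets.randbelow(100)
    return roll < drop_probability(startups, policy)


if __name__ == "__main__":
    policy = parse_max_startups("10:30:100")
    for n in (5, 10, 55, 100):
        print(n, "unauthenticated connections ->",
              drop_probability(n, policy), "% drop")
```

With the 10:30:100 default, the 10th concurrent unauthenticated connection is refused 30% of the time, the 55th about 65% of the time, and the 100th always; an attacker opening many half-finished connections therefore loses most of them while a few legitimate logins still get through.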


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
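As an added example (Python, not OpenSSH's addrmatch.c), the following models the list semantics described above: each comma-separated entry is tried as a CIDR network first, an entry that does not parse as CIDR falls back to classic wildcard matching against the textual address, and a matching negated entry rejects the address outright while a positive match still has to survive the remaining negated entries. The IPv4/IPv6 version check and the tolerance of host bits in a CIDR entry are this model's own assumptions.

```python
"""Added example, not OpenSSH code: a Python model of the sshd_config
"Match address" list semantics (CIDR first, wildcard fallback, negation
is definitive) exercised on constructed addresses."""
import ipaddress
import re


def wildcard_match(text: str, pattern: str) -> bool:
    """Classic ssh-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, text) is not None


def addr_match_list(addr: str, pattern_list: str) -> bool:
    """Return True if `addr` is accepted by the comma-separated `pattern_list`.

    Semantics modelled here:
      * an entry is tried as a CIDR network (a bare address is a /32 or /128);
      * if it is not valid CIDR, it is tried as a wildcard string against
        the address text (e.g. "10.*");
      * a matching entry prefixed with "!" rejects immediately;
      * a matching positive entry records acceptance, but later negated
        entries can still veto it.
    Assumption: host bits set in a CIDR entry are tolerated (strict=False).
    """
    try_addr = ipaddress.ip_address(addr)
    matched = False
    for raw in pattern_list.split(","):
        entry = raw.strip()
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in address list")
        try:
            net = ipaddress.ip_network(entry, strict=False)
            hit = try_addr.version == net.version and try_addr in net
        except ValueError:
            # Not a CIDR spec: fall back to classic wildcard matching.
            hit = wildcard_match(addr, entry)
        if hit:
            if neg:
                return False    # a negated match is definitive
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed sample: the pattern list from the commit message above.
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for client in ("192.0.2.5", "10.1.1.1", "3ffe:ffff::1", "198.51.100.1"):
        print(f"{client:>14} -> {addr_match_list(client, rule)}")
```

Running the sample shows 192.0.2.5 and 3ffe:ffff::1 accepted, 10.1.1.1 refused by the negated wildcard, and 198.51.100.1 refused because nothing matched; this is why, in the commit's example, PasswordAuthentication ends up enabled only for those two ranges.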


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
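As an added example (Python, not sshd's own convtime code), this parser accepts the time[qualifier] sequences described above, such as "600", "10m" and "1h30m", summing each qualified component into seconds. Rejecting anything that is not a non-negative integer followed by one of the listed qualifiers, accepting upper-case qualifiers, and capping the total at the C int range are this example's own choices.

```python
"""Added example, not OpenSSH code: parse sshd time specifications of the
form time[qualifier]..., where qualifier is one of <none>, s, m, h, d, w,
and components may be chained ("1h30m")."""
import re

INT_MAX = 2 ** 31 - 1  # assumption: mirror a C int bound on the result

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# One component: digits followed by an optional qualifier (case-insensitive).
_TOKEN = re.compile(r"(\d+)([smhdwSMHDW]?)")


def convtime(spec: str) -> int:
    """Return the number of seconds denoted by `spec`.

    "600" -> 600, "10m" -> 600, "1h30m" -> 5400, "2w" -> 1209600.
    Raises ValueError for an empty string, a negative sign, an unknown
    qualifier, stray characters, or a total above INT_MAX.
    """
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"bad time specification: {spec!r}")
        value, unit = int(m.group(1)), m.group(2).lower()
        total += value * _UNIT_SECONDS[unit]
        if total > INT_MAX:
            raise ValueError(f"time specification too large: {spec!r}")
        pos = m.end()
    return total


def is_valid_time(spec: str) -> bool:
    """True if `spec` parses, False otherwise (convenience for config checks)."""
    try:
        convtime(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples, including the ones from the commit message.
    for sample in ("600", "10m", "1h30m", "2w", "10x", "-5", ""):
        print(f"{sample!r:>8} -> "
              f"{convtime(sample) if is_valid_time(sample) else 'invalid'}")
```

A trailing bare number is treated as seconds, so "1h30" is 3630 seconds rather than an error; the same convention makes "600" and "600s" equivalent.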


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.354 25-Nov-2019 djm

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
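The '+' (append, this commit), '=-' (remove, 1.304) and '^' (prepend, 1.352) prefixes on algorithm-list options share one resolution scheme. The following is an added example, not OpenSSH code, that models that scheme in Python against a constructed cipher list; the default and known lists, the duplicate-dropping and the exact expansion order are assumptions for illustration and do not reproduce OpenSSH's real defaults or its internal kex_assemble_names() behaviour.

```python
"""Model of sshd_config algorithm-list prefixes: '+', '-', '^' and plain.

Added example, not OpenSSH code. The lists below are constructed for
illustration and are NOT OpenSSH's actual defaults.
"""
from fnmatch import fnmatchcase

# Constructed default list (the value an unset option would take).
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
]

# Constructed list of everything the build "supports" (superset of default).
KNOWN_CIPHERS = DEFAULT_CIPHERS + ["3des-cbc"]


def _expand_patterns(patterns, known):
    """Expand each wildcard pattern, in order, against the supported list.

    Wildcards ('*', '?') are accepted, but this is not a full pattern-list:
    negation with '!' is rejected, and a pattern matching nothing is an error
    (an unknown algorithm name would otherwise be silently dropped).
    """
    result = []
    for pat in patterns:
        if pat.startswith("!"):
            raise ValueError(f"negation not supported in algorithm lists: {pat}")
        hits = [name for name in known if fnmatchcase(name, pat)]
        if not hits:
            raise ValueError(f"unknown algorithm or pattern: {pat}")
        result.extend(hits)
    return result


def _dedupe(names):
    """Keep first occurrence of each name (assumption: duplicates dropped)."""
    seen, out = set(), []
    for name in names:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def expand_algorithm_list(spec, default=DEFAULT_CIPHERS, known=KNOWN_CIPHERS):
    """Resolve an option value like '+3des-cbc', '-*cbc', '^aes256-ctr' or
    a plain replacement list to the fully expanded list of algorithms.

    Returns the final list; raises ValueError on empty or invalid input so
    that a bad config is reported at load time rather than at connection time.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty algorithm list")
    prefix = spec[0] if spec[0] in "+-^" else ""
    body = spec[1:] if prefix else spec
    patterns = [p.strip() for p in body.split(",") if p.strip()]
    if not patterns:
        raise ValueError("no algorithms given after prefix")

    if prefix == "-":
        # Remove every default entry matching any pattern (wildcards allowed).
        return [a for a in default
                if not any(fnmatchcase(a, p) for p in patterns)]

    expanded = _expand_patterns(patterns, known)
    if prefix == "+":
        return _dedupe(list(default) + expanded)
    if prefix == "^":
        return _dedupe(expanded + list(default))
    return _dedupe(expanded)  # plain list: replace the default entirely


if __name__ == "__main__":
    for spec in ("+3des-cbc", "-*cbc", "^aes256-gcm@openssh.com", "aes256-ctr"):
        print(f"{spec:28} -> {expand_algorithm_list(spec)}")
```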


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
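
The "Match address" list semantics described in this message, as an added example in C (not OpenSSH's addrmatch.c): comma-separated entries, each a CIDR block (IPv4 or IPv6) or else a classic wildcard pattern, with "!" negating an entry. The 1/0/-1 return convention and the "*"/"?" wildcard syntax are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L          /* strdup, strtok_r */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH's addrmatch.c: evaluate a "Match address"
 * list against a client address. Entries are comma-separated; each is a
 * CIDR block (IPv4 or IPv6) or else a classic wildcard pattern matched
 * against the address text; a leading '!' negates the entry. Assumed
 * convention: 1 = matched, 0 = not matched, -1 = a negated entry matched
 * (which vetoes the whole list) or the list/address is malformed. */

struct ipaddr { int af, len; unsigned char b[16]; };

static int parse_ip(const char *s, struct ipaddr *ip)
{
    ip->af = inet_pton(AF_INET, s, ip->b) == 1 ? AF_INET :
        inet_pton(AF_INET6, s, ip->b) == 1 ? AF_INET6 : AF_UNSPEC;
    ip->len = ip->af == AF_INET ? 4 : 16;
    return ip->af != AF_UNSPEC;
}

/* Do the leading 'bits' bits of a and b agree (same family required)? */
static int prefix_match(const struct ipaddr *a, const struct ipaddr *b, int bits)
{
    int full = bits / 8, rem = bits % 8;
    unsigned char m = (unsigned char)(0xff << (8 - rem));

    if (a->af != b->af || memcmp(a->b, b->b, full) != 0)
        return 0;
    return rem == 0 || (a->b[full] & m) == (b->b[full] & m);
}

/* Classic wildcard match: '*' is any run of characters, '?' any one. */
static int wildcard_match(const char *pat, const char *s)
{
    for (;; pat++, s++) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            for (; *s != '\0'; s++)
                if (wildcard_match(pat + 1, s))
                    return 1;
            return wildcard_match(pat + 1, s);
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return 0;
    }
}

/* 1 if entry is "addr/len" (net and bits filled), 0 if not CIDR form,
 * -1 if it has a '/' but the address or prefix length is invalid. */
static int parse_cidr(const char *entry, struct ipaddr *net, int *bits)
{
    char buf[INET6_ADDRSTRLEN], *end;
    const char *slash = strchr(entry, '/');
    long n;
    if (slash == NULL)
        return 0;
    if ((size_t)(slash - entry) >= sizeof(buf))
        return -1;
    memcpy(buf, entry, slash - entry);
    buf[slash - entry] = '\0';
    n = strtol(slash + 1, &end, 10);
    if (!parse_ip(buf, net) || end == slash + 1 || *end != '\0' ||
        n < 0 || n > net->len * 8)
        return -1;
    *bits = (int)n;
    return 1;
}

int addr_match_list(const char *addr, const char *list)
{
    struct ipaddr client, net;
    char *copy, *save, *entry;
    int ret = 0, bits, neg, hit;
    if (!parse_ip(addr, &client) || (copy = strdup(list)) == NULL)
        return -1;
    for (entry = strtok_r(copy, ",", &save); entry != NULL;
         entry = strtok_r(NULL, ",", &save)) {
        if ((neg = (*entry == '!')))
            entry++;
        hit = parse_cidr(entry, &net, &bits);
        if (hit < 0) {
            ret = -1;               /* malformed CIDR: reject the whole list */
            break;
        }
        hit = hit ? prefix_match(&client, &net, bits)
                  : wildcard_match(entry, addr);
        if (hit && neg) {
            ret = -1;               /* a negated match vetoes, whatever came before */
            break;
        }
        if (hit)
            ret = 1;                /* remember, but keep scanning for a negation */
    }
    free(copy);
    return ret;
}
```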


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>, s, m, h, d, w
Examples:
  600    600 seconds (10 minutes)
  10m    10 minutes
  1h30m  1 hour 30 minutes (90 minutes)
ok markus@
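
The time[qualifier] syntax described in this message, as an added example in C (not OpenSSH's own parser): each component is a decimal integer followed by an optional qualifier, and the components are summed into seconds. The function name and the -1 error return are assumptions for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Added example, not OpenSSH code: parse a sequence of time[qualifier]
 * components, where time is a decimal integer and qualifier is one of
 * (none), s, m, h, d, w. Returns the total in seconds, or -1 on empty
 * input, an unknown qualifier, a component without digits, or overflow.
 * A component with no qualifier counts as seconds, so "1h30" is 3630
 * while "1h30m" is 5400. */
long parse_time_spec(const char *spec)
{
    const char *p = spec;
    long total = 0;

    if (p == NULL || *p == '\0')
        return -1;
    while (*p != '\0') {
        char *end;
        long n, mult;

        if (!isdigit((unsigned char)*p))
            return -1;              /* every component starts with digits */
        errno = 0;
        n = strtol(p, &end, 10);
        if (errno == ERANGE)
            return -1;              /* integer itself overflowed */
        switch (*end) {
        case '\0': case 's': case 'S': mult = 1; break;
        case 'm': case 'M': mult = 60; break;
        case 'h': case 'H': mult = 60 * 60; break;
        case 'd': case 'D': mult = 24 * 60 * 60; break;
        case 'w': case 'W': mult = 7 * 24 * 60 * 60; break;
        default: return -1;         /* unknown qualifier */
        }
        if (n > (LONG_MAX - total) / mult)
            return -1;              /* sum would overflow */
        total += n * mult;
        p = (*end == '\0') ? end : end + 1;   /* skip the qualifier */
    }
    return total;
}
```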


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.353 31-Oct-2019 djm

Separate myproposal.h userauth pubkey types

U2F/FIDO keys are not supported for host authentication, so we need
a separate list for user keys.

feedback & ok markus@


Revision tags: OPENBSD_6_6_BASE
# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
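
An added example, not sshd's addrmatch.c, that evaluates an address against the list syntax from the entry above and from the from="..." change in 1.183. Assumptions: entries containing '/' are CIDR blocks and all others are wildcard patterns over the address text (Python's fnmatch, which also accepts [..] classes that sshd's match_pattern() does not); a leading '!' negates; a negated match overrides any positive one, the rule sshd's wildcard lists already used; a CIDR entry with host bits set (192.0.2.1/24) is treated as a configuration error. The effective_option() helper applies the first-obtained-value rule across several Match blocks, which is taken from sshd_config(5) rather than from the entry.

```python
import fnmatch
import ipaddress

# Added example (not sshd's addrmatch.c): evaluates an address against the
# "Match address" / authorized_keys from="..." list syntax of the 1.181 and
# 1.183 log entries.  Assumptions: an entry containing '/' is a CIDR block;
# any other entry is a wildcard pattern over the address text (fnmatch,
# which also understands [..] classes that sshd's match_pattern() does
# not); a leading '!' negates; a negated match overrides any positive one;
# a CIDR entry with host bits set is a configuration error.


def addr_match_list(addr, pattern_list):
    """True if `addr` matches `pattern_list`, e.g.
    "192.0.2.0/24,3ffe:ffff::/32,!10.*"."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if "/" in entry:
            # strict=True raises ValueError for e.g. 192.0.2.1/24.
            net = ipaddress.ip_network(entry, strict=True)
            hit = ip.version == net.version and ip in net
        else:
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit and negate:
            return False
        if hit:
            matched = True
    return matched


def effective_option(addr, blocks, default):
    """Resolve one option across a list of (match_address_list, value)
    Match blocks.  The first matching block supplies the value (first
    obtained value wins); if none matches, the global default applies."""
    for pattern_list, value in blocks:
        if addr_match_list(addr, pattern_list):
            return value
    return default


if __name__ == "__main__":
    # The entry's own example: password auth only from these networks.
    blocks = [("192.0.2.0/24,3ffe:ffff::/32,!10.*", "yes")]
    for client in ("192.0.2.77", "10.1.2.3", "198.51.100.1"):
        print(client, "PasswordAuthentication",
              effective_option(client, blocks, "no"))
```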


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
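
An added evaluator, not sshd's channels.c, for PermitOpen as it reads across the entries for 1.156 (both the sshd_config option and the key option must allow a destination), 1.159 (a list of host:port specs), 1.167 ("all"; current sshd_config(5) spells it "any", and both are accepted here), 1.223 ("*" as a wildcard host or port) and 1.224 ("none"). Assumptions: IPv6 hosts are written in brackets, ports are 1..65535, hosts compare as exact strings with no name resolution (so "localhost:*" does not cover 127.0.0.1), and a key's permitopen= options are passed as a list of specs.

```python
# Added example (not sshd's channels.c): an evaluator for PermitOpen as
# described in the 1.156, 1.159, 1.167, 1.223 and 1.224 log entries.
# Assumptions: specs are whitespace-separated host:port pairs, IPv6 hosts
# are bracketed ("[2001:db8::1]:443"), "*" may stand for the host or the
# port, "none" denies everything and "all"/"any" permits everything, and
# hosts are compared as exact strings (no name resolution).  A key's
# permitopen= options are given as a list of such specs.


def parse_permitopen(value):
    """Return "any", "none", or a list of (host, port) rules; port is an
    int or "*".  Raises ValueError on malformed input."""
    value = value.strip()
    if value in ("any", "all"):
        return "any"
    if value == "none":
        return "none"
    rules = []
    for spec in value.split():
        if spec.startswith("["):
            end = spec.find("]:")
            if end < 0:
                raise ValueError("bad bracketed spec %r" % spec)
            host, port = spec[1:end], spec[end + 2:]
        else:
            host, sep, port = spec.rpartition(":")
            if not sep or not host or ":" in host:
                raise ValueError("expected host:port (bracket IPv6): %r" % spec)
        if port != "*":
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError("bad port in %r" % spec)
            port = int(port)
        rules.append((host, port))
    if not rules:
        raise ValueError("PermitOpen needs at least one host:port")
    return rules


def permitopen_allows(rules, host, port):
    """True if a direct-tcpip request to host:port passes one rule set."""
    if rules == "any":
        return True
    if rules == "none":
        return False
    return any((rh == "*" or rh == host) and (rp == "*" or rp == port)
               for rh, rp in rules)


def forwarding_permitted(config_value, key_specs, host, port):
    """Combine sshd_config PermitOpen with the key's permitopen= options:
    both layers must allow the destination.  `key_specs` is None when the
    key carried no permitopen option."""
    if not permitopen_allows(parse_permitopen(config_value), host, port):
        return False
    if key_specs is None:
        return True
    return permitopen_allows(parse_permitopen(" ".join(key_specs)), host, port)


if __name__ == "__main__":
    # sshd_config allows any port on localhost; the key narrows it to 5900.
    for port in (5900, 22):
        print(port, forwarding_permitted("localhost:*", ["localhost:5900"],
                                         "localhost", port))
```

Because the comparison is on the literal host string, a rule for "localhost" says nothing about "127.0.0.1" or "::1"; list each form you intend to allow.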


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.352 06-Sep-2019 naddy

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@
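
The '^' prefix introduced here joins the '+' (1.277) and '-' (1.304) prefixes, with wildcards allowed but no negation (1.335). The following is an added example, not OpenSSH code: it models those list-assembly rules in Python against constructed cipher lists (the real defaults and the set of supported algorithms live in sshd(8) itself), so an administrator can see what a given Ciphers or HostKeyAlgorithms value expands to and which values are rejected at load time.

```python
import fnmatch

# Constructed sample lists for this example; the real defaults and the set of
# supported ciphers are compiled into sshd(8).
AVAILABLE_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = AVAILABLE_CIPHERS[:6]


def expand_names(names, available):
    """Expand a comma-separated list of names against the available set.

    Shell-style wildcards ('*', '?') are accepted, but this is not a full
    pattern-list: there is no '!' negation, and a name or pattern that
    matches nothing is an error, reported when the config is loaded.
    """
    out = []
    for pat in names.split(","):
        if pat == "":
            raise ValueError("empty algorithm name in list")
        matched = [a for a in available if fnmatch.fnmatchcase(a, pat)]
        if not matched:
            raise ValueError(f"unsupported algorithm or pattern: {pat!r}")
        for name in matched:
            if name not in out:
                out.append(name)
    return out


def assemble_names(spec, default=DEFAULT_CIPHERS, available=AVAILABLE_CIPHERS):
    """Resolve a Ciphers/MACs/KexAlgorithms/HostKeyAlgorithms-style value.

    '+list'  appends the listed names to the default set,
    '-list'  removes names matching the listed patterns from the default,
    '^list'  puts the listed names first, ahead of the remaining defaults,
    'list'   replaces the default entirely.
    """
    if spec.startswith("+"):
        extra = expand_names(spec[1:], available)
        return default + [a for a in extra if a not in default]
    if spec.startswith("-"):
        drop = [p for p in spec[1:].split(",") if p != ""]
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, p) for p in drop)]
    if spec.startswith("^"):
        first = expand_names(spec[1:], available)
        return first + [a for a in default if a not in first]
    return expand_names(spec, available)


def is_rejected(spec, **kw):
    """True when the value would be refused (helper for the checks below)."""
    try:
        assemble_names(spec, **kw)
    except ValueError:
        return True
    return False
```

Because the lists are fully expanded at load time, a misspelled or unsupported name fails immediately instead of silently shrinking the set of algorithms the server offers; "sshd -T" shows the expanded result on a real system.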


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
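
The bug fixed above is a classic fail-open: an unparseable CIDR range matched every source address. As an added example, not OpenSSH code, the following Python models the load-time validation and the matching of user@address entries using the standard ipaddress module; the entry syntax is taken from sshd_config(5), and the sample addresses are constructed.

```python
import fnmatch
import ipaddress


def parse_allow_users(value):
    """Split an AllowUsers value into (user_pattern, host_spec) pairs.

    host_spec is None (any source), an ip_network for user@CIDR entries, or
    a wildcard host/address pattern. A malformed CIDR range such as
    127.1.2.3/55 is an error at load time rather than a silently
    always-matching entry.
    """
    entries = []
    for item in value.split():
        user, sep, host = item.partition("@")
        if user == "" or (sep and host == ""):
            raise ValueError(f"malformed AllowUsers entry {item!r}")
        if sep and "/" in host:
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError as e:
                raise ValueError(f"bad address range in {item!r}: {e}") from None
            entries.append((user, net))
        else:
            entries.append((user, host if sep else None))
    return entries


def user_allowed(entries, user, addr):
    """True when some entry matches both the user name and source address."""
    ip = ipaddress.ip_address(addr)
    for pat, host in entries:
        if not fnmatch.fnmatchcase(user, pat):
            continue
        if host is None:
            return True
        if isinstance(host, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ip in host:          # version mismatch simply does not match
                return True
        elif fnmatch.fnmatchcase(addr, host):
            return True
    return False


def is_rejected_allow_users(value):
    """True when the value would be refused at configuration load time."""
    try:
        parse_allow_users(value)
    except ValueError:
        return True
    return False
```

Rejecting the entry at load time (and refusing to start) is the safe direction: a typo in an access-control line should be loud, never a wildcard.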


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
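
The "start:rate:full" form of MaxStartups (random early drop, 1.46 and 1.50 above) is easiest to reason about with numbers in hand. Below is an added example, not sshd's own code: it models how the three fields are parsed and how the drop chance grows between the start and full thresholds (the linear interpolation is an assumption of this model, stated as a percentage so the values can be checked by hand).

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value "start:rate:full" or a plain number.

    Returns (begin, rate, full). A bare number N means begin == full == N
    with rate 100, i.e. a hard limit with no random early drop.
    """
    parts = value.split(":")
    if len(parts) == 1:
        begin = full = int(parts[0])
        rate = 100
    elif len(parts) == 3:
        begin, rate, full = (int(p) for p in parts)
    else:
        raise ValueError(f"invalid MaxStartups spec {value!r}")
    if begin < 1 or full < begin or not 1 <= rate <= 100:
        raise ValueError(f"invalid MaxStartups spec {value!r}")
    return begin, rate, full


def drop_probability(startups, spec="10:30:100"):
    """Percentage chance that a new unauthenticated connection is dropped
    when `startups` connections are already in the pre-auth phase.

    Below `begin` nothing is dropped; at or above `full` everything is;
    in between the chance rises linearly from `rate` towards 100.
    """
    begin, rate, full = parse_max_startups(spec)
    if startups < begin:
        return 0
    if startups >= full:
        return 100
    p = 100 - rate
    p = p * (startups - begin) // (full - begin)
    return p + rate


def should_drop(startups, spec="10:30:100", rng=random):
    """Randomized per-connection decision using the probability above."""
    return rng.randrange(100) < drop_probability(startups, spec)
```

With the 10:30:100 default, the 11th concurrent unauthenticated connection already has a 30% chance of being dropped, the 55th a 65% chance, and the 100th is always refused; the early drop keeps a flood from holding all slots while still letting most legitimate connections through.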


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
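
The "list of comma-separated lists" semantics above, together with the later rule that AuthenticationMethods="" is banned and "any" means no multi-step requirement (1.291), can be captured in a few lines. This is an added example, not OpenSSH code: the method names are the standard SSH userauth method names (an assumption of this model, not a table copied from servconf.c), and the evaluation shows which combinations of successful methods satisfy a given policy.

```python
# Method names accepted here (assumption: the SSH userauth method names,
# modelled for this example rather than taken from sshd's method table).
KNOWN_METHODS = {"none", "publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_authentication_methods(spec):
    """Parse an AuthenticationMethods value into a list of method lists.

    Each space-separated item is a comma-separated list; all methods in any
    one list must succeed. "any" means no multi-step requirement and is
    returned as an empty list; "" is rejected outright.
    """
    if spec.strip() == "":
        raise ValueError('AuthenticationMethods="" is not allowed')
    if spec.strip() == "any":
        return []
    lists = []
    for item in spec.split():
        methods = item.split(",")
        for m in methods:
            if m == "":
                raise ValueError(f"empty method name in {item!r}")
            if m not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {m!r}")
        lists.append(methods)
    return lists


def is_valid_authentication_methods(spec):
    """True when the value would be accepted at configuration load time."""
    try:
        parse_authentication_methods(spec)
    except ValueError:
        return False
    return True


def authentication_complete(lists, succeeded):
    """True once the methods that have succeeded satisfy the policy.

    With no lists (the "any" case) a single successful method is enough;
    otherwise every method of at least one list must be in `succeeded`.
    """
    if not lists:
        return len(succeeded) > 0
    return any(all(m in succeeded for m in methods) for methods in lists)
```

Note that the lists are alternatives: "publickey,password publickey,keyboard-interactive" requires a public key plus either a password or a keyboard-interactive exchange, and neither second factor alone is enough.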


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
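Added example, not sshd's own addrmatch.c: a stand-alone evaluator for a "Match address" list with the CIDR, negation and wildcard fall-back behaviour described above. fnmatch(3) stands in for sshd's pattern matcher, and the negation semantics (a matching negated entry rejects; a later negated entry can still override an earlier positive match) are an assumption of this example.

```c
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a literal IPv4/IPv6 address: returns the byte length (4 or 16)
 * and sets *af, or returns -1 if s is not an address literal. */
static int
addr_pton(const char *s, int *af, unsigned char out[16])
{
	if (inet_pton(AF_INET, s, out) == 1)
		return *af = AF_INET, 4;
	if (inet_pton(AF_INET6, s, out) == 1)
		return *af = AF_INET6, 16;
	return -1;
}

/* Return 1 if the raw address a (len bytes) lies within net/masklen. */
static int
prefix_match(const unsigned char *a, const unsigned char *net, int len,
    int masklen)
{
	int bytes = masklen / 8, bits = masklen % 8;
	unsigned char mask = (unsigned char)(0xffU << (8 - bits));

	if (masklen < 0 || masklen > len * 8 || memcmp(a, net, bytes) != 0)
		return 0;
	return bits == 0 || (a[bytes] & mask) == (net[bytes] & mask);
}

/* Evaluate a comma-separated "Match address" list against a client
 * address. Returns 1 on match, 0 on no match, -1 if the list (or the
 * client address) is malformed. Entries are CIDR blocks or wildcard
 * patterns, optionally negated with a leading '!' (assumed semantics:
 * a matching negated entry rejects at once, a positive match is kept
 * unless a later negated entry also matches). */
int
match_address_list(const char *addr, const char *list)
{
	unsigned char abuf[16], nbuf[16];
	int af, alen, ret = 0;
	size_t len = strlen(list) + 1;
	char *copy, *cp, *next;

	if ((alen = addr_pton(addr, &af, abuf)) == -1)
		return -1;
	if ((copy = malloc(len)) == NULL)
		return -1;
	memcpy(copy, list, len);	/* strsep-style tokenising on a copy */
	for (cp = copy; cp != NULL; cp = next) {
		int neg = 0, matched = 0;
		char *comma, *slash;

		next = NULL;
		if ((comma = strchr(cp, ',')) != NULL) {
			*comma = '\0';
			next = comma + 1;
		}
		if (*cp == '!') {
			neg = 1;
			cp++;
		}
		if (*cp == '\0') {
			ret = -1;	/* empty entry */
			break;
		}
		if ((slash = strchr(cp, '/')) != NULL) {
			/* CIDR entry: compare the masked prefix. */
			int naf, nlen, masklen;
			char *end;

			*slash = '\0';
			masklen = (int)strtol(slash + 1, &end, 10);
			if (slash[1] == '\0' || *end != '\0' ||
			    (nlen = addr_pton(cp, &naf, nbuf)) == -1 ||
			    masklen < 0 || masklen > nlen * 8) {
				ret = -1;	/* malformed CIDR block */
				break;
			}
			matched = naf == af &&
			    prefix_match(abuf, nbuf, alen, masklen);
		} else {
			/* Not CIDR: classic wildcard match on the textual
			 * address; fnmatch(3) stands in for sshd's matcher. */
			matched = fnmatch(cp, addr, 0) == 0;
		}
		if (matched) {
			if (neg) {
				ret = 0;
				break;
			}
			ret = 1;
		}
	}
	free(copy);
	return ret;
}
```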


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600       600 seconds (10 minutes)
10m       10 minutes
1h30m     1 hour 30 minutes (90 minutes)
ok markus@
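Added example (not the servconf.c implementation): a parser for the time[qualifier] syntax described above, accepting the listed qualifiers, rejecting anything else and refusing totals that would overflow.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a time specification made of one or more time[qualifier] pieces,
 * e.g. "600", "10m" or "1h30m", where the qualifier is s, m, h, d, w or
 * absent (plain seconds). Returns the total in seconds, or -1 if the
 * string is malformed or the total would overflow. */
long
parse_time_spec(const char *s)
{
	long total = 0;

	if (s == NULL || *s == '\0')
		return -1;
	while (*s != '\0') {
		char *end;
		long n, mult;

		if (!isdigit((unsigned char)*s))
			return -1;	/* every piece starts with digits */
		errno = 0;
		n = strtol(s, &end, 10);
		if (errno != 0)
			return -1;	/* number itself overflows */
		switch (*end) {
		case '\0':	/* no qualifier: seconds */
		case 's': mult = 1; break;
		case 'm': mult = 60; break;
		case 'h': mult = 3600; break;
		case 'd': mult = 86400; break;
		case 'w': mult = 604800; break;
		default: return -1;	/* unknown qualifier */
		}
		if (*end != '\0')
			end++;		/* consume the qualifier letter */
		if (n > (LONG_MAX - total) / mult)
			return -1;	/* running total would overflow */
		total += n * mult;
		s = end;
	}
	return total;
}

int
main(void)
{
	/* Constructed samples: the three from the log entry plus a bad one. */
	const char *samples[] = { "600", "10m", "1h30m", "10x" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %ld\n", samples[i], parse_time_spec(samples[i]));
	return 0;
}
```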


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. E-mail for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.351 18-Apr-2019 dtucker

When running sshd -T, assume any attribute not provided by -C does not match,
which allows it to work when sshd_config contains a Match directive with or
without -C. bz#2858, ok djm@


Revision tags: OPENBSD_6_5_BASE
# 1.350 25-Mar-2019 djm

whitespace


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
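
The "+" prefix from this entry, the "-" removal added in 1.304 and the wildcard expansion described in 1.335 fit together as follows. This is an added example, not OpenSSH's kex_assemble_names(): SUPPORTED_CIPHERS and DEFAULT_CIPHERS are made-up lists for the demo, and the rule that every pattern must select at least one supported name is this example's way of reporting errors at config-finalisation time rather than a claim about the exact messages sshd prints.

```c
/*
 * Added example, not OpenSSH's own kex_assemble_names(): expand an
 * algorithm-list option such as Ciphers against its default list, honouring
 * the "+list" (append) and "-list" (remove) prefixes and the '*' / '?'
 * wildcards sshd_config accepts. "!" negation is rejected: these are not
 * full pattern-lists. SUPPORTED_CIPHERS and DEFAULT_CIPHERS are constructed.
 */
#include <stdio.h>
#include <string.h>

#define MAXALGS 32
#define NAMELEN 64
#define SUPPORTED_CIPHERS "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc"
#define DEFAULT_CIPHERS "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc"

/* Glob match: '*' any run, '?' one character; no negation. */
static int wild_match(const char *pat, const char *s)
{
    for (;; pat++, s++) {
        if (*pat == '\0') return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (*pat == '\0') return 1;
            for (; *s != '\0'; s++)
                if (wild_match(pat, s)) return 1;
            return 0;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s)) return 0;
    }
}

/* Split "a,b,c" into fixed-size names; -1 on an empty name, overflow or "!". */
static int tokenize(const char *p, char toks[][NAMELEN], int max)
{
    int n = 0;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= NAMELEN || n >= max || *p == '!') return -1;
        memcpy(toks[n], p, len);
        toks[n++][len] = '\0';
        if (comma == NULL) break;
        p = comma + 1;
    }
    return n;
}

/* Expand each pattern against the supported names, in supported order and
 * without duplicates; a pattern matching nothing is a configuration error. */
static int add_matches(char pats[][NAMELEN], int np, char sup[][NAMELEN], int ns, char out[][NAMELEN])
{
    int nout = 0, k;
    for (int i = 0; i < np; i++) {
        int hit = 0;
        for (int j = 0; j < ns; j++) {
            if (!wild_match(pats[i], sup[j])) continue;
            hit = 1;
            for (k = 0; k < nout && strcmp(out[k], sup[j]) != 0; k++) ;
            if (k < nout) continue;                 /* already selected */
            if (nout >= MAXALGS) return -1;
            strcpy(out[nout++], sup[j]);
        }
        if (!hit) return -1;                        /* typo, or a name this build lacks */
    }
    return nout;
}

/* Expand 'spec' into 'out' as a comma list. Returns 0, or -1 on any error. */
int expand_algs(const char *supported, const char *defaults, const char *spec, char *out, size_t outlen)
{
    char sup[MAXALGS][NAMELEN], def[MAXALGS][NAMELEN], pats[MAXALGS][NAMELEN];
    char sel[2 * MAXALGS][NAMELEN], res[MAXALGS][NAMELEN];
    int op = (spec[0] == '+' || spec[0] == '-') ? spec[0] : 0, ns, nd, np, nsel = 0, nr;
    size_t used = 0;

    if ((ns = tokenize(supported, sup, MAXALGS)) < 0 ||
        (nd = tokenize(defaults, def, MAXALGS)) < 0 ||
        (np = tokenize(op ? spec + 1 : spec, pats, MAXALGS)) < 0)
        return -1;
    if (op == '-') {                                /* defaults minus whatever a pattern matches */
        for (int i = 0; i < nd; i++) {
            int j;
            for (j = 0; j < np && !wild_match(pats[j], def[i]); j++) ;
            if (j == np) strcpy(sel[nsel++], def[i]);
        }
    } else {                                        /* '+' keeps the defaults in front; plain replaces */
        for (int i = 0; op == '+' && i < nd; i++) strcpy(sel[nsel++], def[i]);
        for (int i = 0; i < np; i++) strcpy(sel[nsel++], pats[i]);
    }
    if ((nr = add_matches(sel, nsel, sup, ns, res)) <= 0)
        return -1;                                  /* bad pattern, overflow, or nothing left */
    for (int i = 0; i < nr; i++) {
        int w = snprintf(out + used, outlen - used, "%s%s", i ? "," : "", res[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

/* Demo/test helper over the constructed cipher lists: 1 if 'spec' expands to
 * 'expected', 0 if it expands to something else, -1 if it is rejected. */
int expand_demo(const char *spec, const char *expected)
{
    char buf[1024];
    if (expand_algs(SUPPORTED_CIPHERS, DEFAULT_CIPHERS, spec, buf, sizeof buf) != 0) return -1;
    return strcmp(buf, expected) == 0;
}
```

Because the list is fully expanded once, the result is what a config dump (sshd -T, ssh -G) can print, and a "-*" that leaves nothing, a negated pattern or a misspelt name is refused before any client connects.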


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
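
An added example that combines the checked integer conversion of 1.322 with the MaxStartups semantics of this entry. It is not sshd's code: parse_int_arg() stands in for the strtonum wrapper, parse_max_startups() reads the start:rate:full form, and drop_probability() reproduces the documented random-early-drop ramp so the effect of 10:30:100 can be read off directly.

```c
/*
 * Added example, not sshd's own code. parse_int_arg() plays the part of the
 * checking strtonum wrapper from rev 1.322: an empty, negative, out-of-range
 * or partly numeric argument is refused with a reason instead of being
 * silently truncated or accepted as atoi() would. parse_max_startups() reads
 * the MaxStartups "start:rate:full" form from rev 1.234 and drop_probability()
 * reproduces the random-early-drop ramp applied to unauthenticated connections.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a complete decimal number within [lo, hi]; 0 ok, -1 with *errstr set. */
int parse_int_arg(const char *s, long long lo, long long hi, long long *out, const char **errstr)
{
    char *end;
    long long v;

    *errstr = "invalid";
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s) || *s == '+')
        return -1;                              /* strtoll would quietly accept these */
    errno = 0;
    v = strtoll(s, &end, 10);
    if (*end != '\0') return -1;                /* trailing junk, e.g. "10x" */
    if (errno == ERANGE) { *errstr = v < 0 ? "too small" : "too large"; return -1; }
    if (v < lo) { *errstr = "too small"; return -1; }   /* catches "-5" for a count */
    if (v > hi) { *errstr = "too large"; return -1; }
    *errstr = NULL;
    *out = v;
    return 0;
}

struct max_startups { int begin, rate, full; };

/* Parse "N" or "start:rate:full"; rate is a percentage 1..100 and start <= full. */
int parse_max_startups(const char *arg, struct max_startups *ms, const char **errstr)
{
    char buf[64], *p1, *p2;
    long long begin, rate = 100, full;

    if (strlen(arg) >= sizeof buf) { *errstr = "too long"; return -1; }
    strcpy(buf, arg);
    if ((p1 = strchr(buf, ':')) == NULL) {      /* plain limit: refuse everything past N */
        if (parse_int_arg(buf, 1, INT_MAX, &begin, errstr) < 0) return -1;
        full = begin;
    } else {
        *p1++ = '\0';
        if ((p2 = strchr(p1, ':')) == NULL) { *errstr = "expected start:rate:full"; return -1; }
        *p2++ = '\0';
        if (parse_int_arg(buf, 1, INT_MAX, &begin, errstr) < 0 ||
            parse_int_arg(p1, 1, 100, &rate, errstr) < 0 ||
            parse_int_arg(p2, 1, INT_MAX, &full, errstr) < 0)
            return -1;
        if (begin > full) { *errstr = "start exceeds full"; return -1; }
    }
    ms->begin = (int)begin; ms->rate = (int)rate; ms->full = (int)full;
    return 0;
}

/* Percent chance that a new unauthenticated connection is dropped while
 * 'pending' are in progress: 0 below start, 100 at or above full, and a
 * linear ramp starting at rate% in between (integer arithmetic). */
int drop_probability(const struct max_startups *ms, int pending)
{
    long long p;

    if (pending < ms->begin) return 0;
    if (pending >= ms->full) return 100;
    p = (100LL - ms->rate) * (pending - ms->begin) / (ms->full - ms->begin);
    return (int)(p + ms->rate);
}

/* The accept-loop decision; 'r' is uniform in [0,100), arc4random_uniform(100) in sshd. */
int drop_connection(const struct max_startups *ms, int pending, unsigned r)
{
    return (int)(r % 100u) < drop_probability(ms, pending);
}

/* Demo/test helpers: is 'spec' an acceptable MaxStartups argument, and what is
 * the drop chance for 'spec' with 'pending' connections (-1 if 'spec' is bad). */
int max_startups_valid(const char *spec)
{
    struct max_startups ms;
    const char *err;
    return parse_max_startups(spec, &ms, &err) == 0;
}

int demo_drop_probability(const char *spec, int pending)
{
    struct max_startups ms;
    const char *err;
    if (parse_max_startups(spec, &ms, &err) < 0) return -1;
    return drop_probability(&ms, pending);
}
```

With the 10:30:100 default the eleventh unauthenticated connection is refused 30% of the time, the ramp reaches roughly 65% at 55 pending connections, and at 100 every new one is refused until some complete or time out. A plain "MaxStartups 10" has no ramp at all: everything past ten is refused outright.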


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@

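
The Match semantics described in the 1.153, 1.168 and 1.181 entries above (a Match block overrides the global section only when its condition holds, the first setting of a keyword wins, and "Match address" takes a comma-separated list of CIDR blocks or wildcards with "!" negation) can be exercised with a small evaluator. This is an added illustration, not code from servconf.c or addrmatch.c: it models only the User and Address criteria, treats the wildcard fallback as fnmatch-style matching against the textual address, and uses a constructed sample configuration.

```python
import fnmatch
import ipaddress

# Constructed sample configuration for this example (not taken from the page).
SAMPLE_CONFIG = """
# global section
PasswordAuthentication no
AllowTcpForwarding yes
AllowTcpForwarding no          # ignored: the first setting of a keyword wins

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

Match User anoncvs
    AllowTcpForwarding no
"""


def pattern_list_match(value, patterns, matcher):
    """Evaluate a comma-separated pattern list with '!' negation.  A negated
    pattern that matches rejects the whole list immediately; a positive match
    accepts unless a later negated pattern also matches."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if matcher(value, pat[1:] if negate else pat):
            if negate:
                return False
            matched = True
    return matched


def addr_pattern(addr, pat):
    """CIDR first; classic wildcard matching on the address text as fallback."""
    ip = ipaddress.ip_address(addr)
    try:
        return ip in ipaddress.ip_network(pat, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(str(ip), pat)


def addr_match(addr, patterns):
    return pattern_list_match(addr, patterns, addr_pattern)


def match_condition(spec, user, addr):
    """All criteria on one Match line must hold.  Only User and Address are
    modelled here (assumption); anything else is rejected, not ignored."""
    words = spec.split()
    if not words or len(words) % 2:
        raise ValueError("Match criterion without argument: %r" % spec)
    for crit, arg in zip(words[::2], words[1::2]):
        crit = crit.lower()
        if crit == "user":
            ok = pattern_list_match(user, arg, fnmatch.fnmatchcase)
        elif crit == "address":
            ok = addr_match(addr, arg)
        else:
            raise ValueError("unsupported Match criterion: %r" % crit)
        if not ok:
            return False
    return True


def effective_config(text, user, addr):
    """Effective options for a connection from user@addr.  Global keywords are
    first-setting-wins; among Match blocks whose condition holds, the first
    block that sets a keyword wins, and that value overrides the global one.
    Comments are stripped at the first '#' (simplification)."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            target = match_opts if match_condition(arg, user, addr) else None
            continue
        if target is not None and keyword not in target:
            target[keyword] = arg
    return {**global_opts, **match_opts}
```

Evaluating effective_config(SAMPLE_CONFIG, "bob", "10.1.2.3") shows the "!10.*" negation defeating the 192.0.2.0/24 block, while "anoncvs" from any address loses TCP forwarding; the duplicated global AllowTcpForwarding line never takes effect, which is the first-match behaviour the other keywords share.
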

# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

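
The hazard behind the 1.122 entry above is that a PTR record is controlled by whoever owns the reverse zone for the client's address, so a hostname taken from the reverse lookup alone can be chosen by the attacker; it is only trustworthy once a forward lookup of that name maps back to the connecting address. The following added example (not sshd's own canonical-hostname code) contrasts the two checks against a constructed, in-memory DNS table; the record data and hostnames are invented for the demonstration.

```python
# Constructed DNS data for the example (not real records).
PTR = {
    "192.0.2.10": "trusted.example.org",    # legitimate host
    "198.51.100.7": "trusted.example.org",  # attacker-controlled PTR that lies
}
A = {
    "trusted.example.org": ["192.0.2.10"],
}


def canonical_hostname(addr, ptr=PTR, a=A):
    """Forward-confirmed reverse lookup: return the PTR name only if an
    A/AAAA lookup of that name contains `addr`; otherwise fall back to the
    bare address so access control never sees an unverified name."""
    name = ptr.get(addr)
    if name is None:
        return addr
    if addr not in a.get(name, []):
        return addr
    return name


def allowed_by_hostname_acl(addr, allowed_names):
    """Hardened variant: the ACL is compared against the verified name."""
    return canonical_hostname(addr) in allowed_names


def allowed_by_unverified_ptr(addr, allowed_names, ptr=PTR):
    """Vulnerable variant: trusts whatever the reverse zone says."""
    return ptr.get(addr, addr) in allowed_names
```

With the sample table, 198.51.100.7 passes the unverified check because its PTR claims to be trusted.example.org, but fails the forward-confirmed one because that name resolves only to 192.0.2.10.
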

# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@

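
A parser for the time[qualifier] syntax described in the 1.81 entry above, written as an added example rather than copied from OpenSSH's convtime(): it accepts concatenated pieces such as "1h30m", treats a bare number as seconds, accepts the qualifiers in either case (an assumption about the intended grammar), and returns -1 instead of a silently truncated value for an empty string, an unknown qualifier, trailing garbage or a total that would overflow a 32-bit signed integer.

```python
import re

# Seconds per qualifier; a bare number is seconds.
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"([0-9]+)([smhdwSMHDW]?)")


def convtime(text):
    """Parse '600', '10m', '1h30m', ... into seconds; return -1 on any error so
    the caller can reject a bad configuration value rather than accept 0."""
    if not text:
        return -1
    total, pos = 0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            return -1                      # non-digit, unknown qualifier, '-'
        value, qual = int(m.group(1)), m.group(2).lower()
        total += value * _UNIT[qual]
        if total > 0x7fffffff:
            return -1                      # would not fit an int on the server
        pos = m.end()
    return total
```

Returning a sentinel rather than raising mirrors the C convention the log entries use (compare the a2port change in 1.194); the caller must test for a negative result before using the value as a LoginGraceTime or ClientAliveInterval.
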

# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels

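
The MaxStartups limit introduced in 1.46 and the random early drop added in 1.50 above bound the number of unauthenticated connections a sshd will hold open at once. The added example below (not sshd's own code) models the start:rate:full form documented in sshd_config(5): below "start" pending connections nothing is dropped, at "start" a new connection is refused with probability rate%, the probability rises linearly to 100% at "full", and a bare number means start equals full. The parsing and error handling are this example's assumptions.

```python
import random


def parse_max_startups(spec):
    """Parse 'start[:rate:full]' into (start, rate, full) or return None for
    malformed input (non-numeric pieces, full < start, rate outside 0..100)."""
    parts = spec.split(":")
    if not all(p.isdigit() for p in parts):
        return None
    if len(parts) == 1:
        n = int(parts[0])
        return (n, 100, n) if n > 0 else None   # hard limit, no random drop
    if len(parts) != 3:
        return None
    start, rate, full = map(int, parts)
    if start <= 0 or full < start or not 0 <= rate <= 100:
        return None
    return start, rate, full


def drop_probability(unauth, start, rate, full):
    """Probability (0..1) that a new connection is refused while `unauth`
    pre-auth connections are already open."""
    if unauth < start:
        return 0.0
    if unauth >= full:
        return 1.0
    return (rate + (100 - rate) * (unauth - start) / (full - start)) / 100.0


def should_drop(unauth, start, rate, full, rng=random.random):
    """Decide for one incoming connection; `rng` is injectable for testing."""
    return rng() < drop_probability(unauth, start, rate, full)
```

With "10:30:100", the 55th pending connection is refused 65% of the time; the linear ramp is what lets legitimate clients retry through a flood rather than being shut out the moment the hard limit is hit.
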

# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27

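
Points 2) and 4) of the 1.10 entry above are two halves of one defence: the attempt limit must apply identically to nonexistent accounts, and a nonexistent account must still be issued a challenge that looks real and stays stable across connections, otherwise the server leaks which usernames exist. The added example below (not OpenSSH's auth code) shows the shape of that: a constructed account table, a fake challenge derived deterministically from the username with a per-process secret, a password check that does the same hashing work for unknown users, and a five-attempt cap applied before the account is consulted. Account data, salt and challenge format are invented for the demonstration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5   # the limit the 1.10 entry introduced

_SALT = b"example-salt"           # constructed; a real table salts per user
_ITER = 10_000                    # kept low so the example runs quickly


def _pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


# Constructed account table: username -> (salt, password hash).  Not real data.
ACCOUNTS = {
    "alice": (_SALT, _pw("correct horse", _SALT)),
}

# Per-process secret: fake challenges are stable for a given username but
# cannot be predicted or distinguished from real ones by the client.
_FAKE_SECRET = secrets.token_bytes(32)


def challenge_for(user):
    """Return an s/key-like challenge.  Unknown users get a fake one derived
    from the username so that neither the presence of a challenge nor its
    stability between connections reveals whether the account exists."""
    if user in ACCOUNTS:
        seq, seed = 95, "ex12345"      # constructed values for the demo
    else:
        digest = hmac.new(_FAKE_SECRET, user.encode(), "sha256").digest()
        seq = 90 + digest[0] % 10
        seed = "ex" + digest[1:5].hex()[:5]
    return "otp-md5 %d %s" % (seq, seed)


def check_password(user, password):
    """Same hashing work whether or not the user exists, so the response time
    does not leak account existence."""
    salt, stored = ACCOUNTS.get(user, (_SALT, b"\x00" * 32))
    return hmac.compare_digest(_pw(password, salt), stored)


def authenticate(user, password_attempts):
    """Server-side loop over a client's guesses.  Returns (success, attempts
    consumed); the cap is enforced identically for unknown users."""
    attempts = 0
    for pw in password_attempts:
        if attempts >= MAX_ATTEMPTS:
            break
        attempts += 1
        if check_password(user, pw):
            return True, attempts
    return False, attempts
```

A client sending 100000 guesses for "nonexisting-user" gets exactly the same five attempts, and the same kind of challenge, as one guessing against "alice".
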

# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.349 06-Mar-2019 dtucker

Move checks for lists of users or groups into their own function.
This is a no-op on OpenBSD but will make things easier in -portable,
eg on systems where these checks should be case-insensitive. ok djm@


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
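
The load-time check this commit describes, as an added illustration that is not OpenSSH's own code: cidr_family() and user_entry_ok() are hypothetical names, and the entries fed to them (including the "djm@127.1.2.3/55" case from the commit text) are constructed inputs. An AllowUsers/DenyUsers entry whose host part contains "/" is treated as a CIDR range and is refused unless the address parses and the prefix length is within 0..32 (IPv4) or 0..128 (IPv6); host parts without "/" are pattern strings and pass through.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return the address family of an "addr/bits" CIDR string whose prefix
 * length is in range, or -1 if the string is not a valid CIDR range.
 * (Hypothetical helper written for this illustration.)
 */
int
cidr_family(const char *cidr)
{
	char addr[INET6_ADDRSTRLEN];
	unsigned char buf[16];
	const char *slash;
	char *end;
	size_t alen;
	long bits;
	int maxbits;

	slash = strchr(cidr, '/');
	if (slash == NULL)
		return -1;
	alen = (size_t)(slash - cidr);
	if (alen == 0 || alen >= sizeof(addr))
		return -1;
	memcpy(addr, cidr, alen);
	addr[alen] = '\0';
	if (inet_pton(AF_INET, addr, buf) == 1)
		maxbits = 32;
	else if (inet_pton(AF_INET6, addr, buf) == 1)
		maxbits = 128;
	else
		return -1;
	/* prefix length: decimal digits only, no sign, no trailing junk */
	if (!isdigit((unsigned char)slash[1]))
		return -1;
	bits = strtol(slash + 1, &end, 10);
	if (*end != '\0' || bits < 0 || bits > maxbits)
		return -1;
	return maxbits == 32 ? AF_INET : AF_INET6;
}

/*
 * Validate one AllowUsers/DenyUsers entry at configuration load time.
 * Entries are "user" or "user@host". A host part containing '/' is a
 * CIDR range and must be well-formed; otherwise it is a hostname or
 * address pattern and is accepted as-is. Returns 1 if acceptable,
 * 0 if the entry must be refused.
 */
int
user_entry_ok(const char *entry)
{
	const char *at = strchr(entry, '@');

	if (*entry == '\0' || at == entry)
		return 0;		/* empty entry or empty user part */
	if (at == NULL)
		return 1;		/* plain user pattern */
	if (at[1] == '\0')
		return 0;		/* "user@" with nothing after it */
	if (strchr(at + 1, '/') == NULL)
		return 1;		/* host pattern, not a CIDR range */
	return cidr_family(at + 1) != -1;
}

int
main(void)
{
	/* constructed sample entries */
	const char *entries[] = {
		"djm@127.1.2.3/55", "djm@127.1.2.0/24", "alice",
		"bob@*.example.org", "carol@2001:db8::/129", "@host"
	};
	size_t i;

	for (i = 0; i < sizeof(entries) / sizeof(entries[0]); i++)
		printf("%-24s %s\n", entries[i],
		    user_entry_ok(entries[i]) ? "accepted" : "refused");
	return 0;
}
```

Because the validation runs when the configuration is parsed, a typo such as /55 becomes a startup error instead of an entry that silently matches every address.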


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
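
The random early drop that this default configures, as an added illustration (not OpenSSH's code): parse_max_startups(), drop_chance() and should_drop() are hypothetical names, and the "start:rate:full" strings are constructed inputs. Below "start" unauthenticated connections nothing is dropped; from "start" onwards a new connection is refused with a probability that ramps linearly from "rate" percent up to 100 percent at "full". A bare number is treated as a hard limit (start = full, rate = 100).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct max_startups {
	int begin;	/* connections before random early drop starts */
	int rate;	/* drop percentage at "begin" connections */
	int full;	/* connections at which every new one is dropped */
};

/*
 * Parse "10:30:100" or a bare "10". Returns 0 on success, -1 on a
 * malformed or out-of-range value. (Hypothetical parser for this
 * illustration.)
 */
int
parse_max_startups(const char *s, struct max_startups *ms)
{
	char tail;
	int n;

	n = sscanf(s, "%d:%d:%d%c", &ms->begin, &ms->rate, &ms->full, &tail);
	if (n == 3) {
		if (ms->begin <= 0 || ms->rate < 1 || ms->rate > 100 ||
		    ms->full < ms->begin)
			return -1;
		return 0;
	}
	/* single value: refuse everything once that many are in progress */
	n = sscanf(s, "%d%c", &ms->begin, &tail);
	if (n != 1 || ms->begin <= 0)
		return -1;
	ms->rate = 100;
	ms->full = ms->begin;
	return 0;
}

/*
 * Percentage chance (0..100) that a new connection is refused while
 * "startups" unauthenticated connections are already in progress.
 */
int
drop_chance(const struct max_startups *ms, int startups)
{
	int p;

	if (startups < ms->begin)
		return 0;
	if (startups >= ms->full)
		return 100;
	/* linear ramp from rate% at begin to 100% at full; full > begin here */
	p = 100 - ms->rate;
	p *= startups - ms->begin;
	p /= ms->full - ms->begin;
	return p + ms->rate;
}

/*
 * Decide for one arriving connection. "r" is a uniformly random value in
 * [0,100) supplied by the caller so that the decision is testable.
 */
int
should_drop(const struct max_startups *ms, int startups, unsigned int r)
{
	return (int)r < drop_chance(ms, startups);
}

int
main(void)
{
	struct max_startups ms;
	int n;

	if (parse_max_startups("10:30:100", &ms) != 0)
		return 1;
	for (n = 0; n <= 100; n += 10)
		printf("%3d in progress: %3d%% drop\n", n, drop_chance(&ms, n));
	return 0;
}
```

The two early returns in drop_chance() also keep the division safe when "start" equals "full", which is exactly the shape a bare number produces.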


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
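
The evaluation rule stated above, together with the later refinement in revision 1.291 (an empty AuthenticationMethods is rejected and "any" restores the single-method default), as an added illustration that is not OpenSSH's code. auth_methods_ok() and its helpers are hypothetical names; the configuration strings and the lists of completed methods are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if "name" is among the "ndone" completed method names. */
static int
method_done(const char *name, const char *const *done, size_t ndone)
{
	size_t i;

	for (i = 0; i < ndone; i++)
		if (strcmp(name, done[i]) == 0)
			return 1;
	return 0;
}

/* Return 1 if every comma-separated method in "list" has completed. */
static int
list_satisfied(const char *list, const char *const *done, size_t ndone)
{
	char name[64];
	size_t n;

	while (*list != '\0') {
		n = strcspn(list, ",");
		if (n == 0 || n >= sizeof(name))
			return 0;	/* empty or oversized method name */
		memcpy(name, list, n);
		name[n] = '\0';
		if (!method_done(name, done, ndone))
			return 0;
		list += n;
		if (*list == ',')
			list++;
	}
	return 1;
}

/*
 * Evaluate an AuthenticationMethods value against the methods that have
 * completed so far. Returns 1 if authentication is complete, 0 if more
 * methods are still required, and -1 if the configuration is invalid.
 */
int
auth_methods_ok(const char *config, const char *const *done, size_t ndone)
{
	char list[128];
	size_t n;

	if (config == NULL || *config == '\0')
		return -1;		/* AuthenticationMethods="" is banned */
	if (strcmp(config, "any") == 0)
		return ndone > 0;	/* any single method suffices */
	/* each space-separated word is one comma-separated list */
	while (*config != '\0') {
		n = strcspn(config, " ");
		if (n >= sizeof(list))
			return -1;
		if (n > 0) {
			memcpy(list, config, n);
			list[n] = '\0';
			if (list_satisfied(list, done, ndone))
				return 1;
		}
		config += n;
		while (*config == ' ')
			config++;
	}
	return 0;
}

int
main(void)
{
	/* constructed configuration and constructed partial progress */
	const char *cfg = "publickey,password publickey,keyboard-interactive";
	const char *done[] = { "publickey", "password" };

	printf("after publickey only: %d\n", auth_methods_ok(cfg, done, 1));
	printf("after publickey+password: %d\n", auth_methods_ok(cfg, done, 2));
	return 0;
}
```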


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
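
Added example, not code from this commit or from the OpenSSH sources: a
Python model of the rule stated above, that a forwarding request must be
allowed by both the server-wide PermitOpen list and the key's permitopen=
option before it is permitted. The "any" and "none" keywords are those of
the current sshd_config(5) manual and are an assumption of this example
(the commit itself only introduces host:port lists); hosts compare
exactly or against "*", the way sshd's permitopen check does, with no
wildcard matching on host names.

```python
"""Decide whether a port-forward is permitted by PermitOpen and permitopen=.

Added example, not sshd's code. Both the server's PermitOpen value and the
key's permitopen= options must allow a destination (assumption: "any" and
"none" keywords as in current sshd_config(5)).
"""


def parse_hostport(entry):
    """Split "host:port" (or "[v6addr]:port"); port may be "*" for any port."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port:
        raise ValueError("expected host:port, got %r" % entry)
    if host[0] == "[" and host[-1] == "]":
        host = host[1:-1]            # bracketed IPv6 literal
    if port != "*" and not (port.isdigit() and 0 < int(port) <= 65535):
        raise ValueError("bad port in %r" % entry)
    return host, port


def parse_permitopen(spec):
    """Parse a PermitOpen value: "any" (no restriction, returned as None),
    "none" (nothing permitted, empty list) or whitespace-separated host:port
    entries."""
    spec = spec.strip()
    if spec == "any":
        return None
    if spec == "none":
        return []
    return [parse_hostport(e) for e in spec.split()]


def open_permitted(rules, host, port):
    """True if rules (None = unrestricted) allow host:port. Hosts compare
    exactly except for "*"; ports compare exactly except for "*"."""
    if rules is None:
        return True
    return any((h == "*" or h == host) and (p == "*" or p == str(port))
               for h, p in rules)


def forward_allowed(config_spec, key_permitopens, host, port):
    """Server-wide PermitOpen AND the key's permitopen= options must agree.

    config_spec: the PermitOpen value from sshd_config ("any" if unset).
    key_permitopens: list of permitopen="host:port" values on the key, or
    None when the key carries no permitopen option (no restriction).
    """
    server_rules = parse_permitopen(config_spec)
    key_rules = (None if key_permitopens is None
                 else [parse_hostport(e) for e in key_permitopens])
    return (open_permitted(server_rules, host, port)
            and open_permitted(key_rules, host, port))


if __name__ == "__main__":
    # Constructed sample: server allows two destinations, key narrows to one.
    print(forward_allowed("10.0.0.5:80 10.0.0.5:443", ["10.0.0.5:443"],
                          "10.0.0.5", 80))   # False: key does not allow :80
```

The AND in forward_allowed() is the point of the commit: a key option can only
narrow what sshd_config already permits, never widen it.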


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
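
Added example, not code from this commit or from the OpenSSH sources: a
Python model of how sshd resolves Match blocks, serving both this commit
and the CIDR "Match address" commit (1.181) further up the log. Global
options are parsed first, then each matching block overrides them; when
several matching blocks set the same keyword the first one wins. Address
criteria are matched as CIDR networks where the entry parses as one and
fall back to shell-style wildcard matching otherwise, and a negated ("!")
entry that matches rejects immediately. The config text and the
connection context (user, groups, source address) are constructed for
the example.

```python
"""Evaluate sshd_config Match blocks (User/Group/Address) for one connection.

Added example, not sshd's code. SAMPLE_CONFIG and the ctx dicts are
constructed inputs; ctx stands in for what sshd learns about a connection.
"""
import fnmatch
import ipaddress


def match_pattern_list(value, patterns):
    """Comma-separated wildcard list with "!" negation: 1 = positive match,
    -1 = a negated entry matched (explicit reject, wins immediately),
    0 = no entry matched."""
    result = 0
    for entry in patterns.split(","):
        negated = entry.startswith("!")
        if fnmatch.fnmatchcase(value, entry.lstrip("!")):
            if negated:
                return -1
            result = 1
    return result


def addr_match_list(addr, patterns):
    """Same contract as match_pattern_list() for addresses: entries that parse
    as CIDR networks are matched numerically, anything else (e.g. "!10.*")
    falls back to wildcard matching on the textual address."""
    ip = ipaddress.ip_address(addr)
    result = 0
    for entry in patterns.split(","):
        negated = entry.startswith("!")
        pattern = entry.lstrip("!")
        try:
            # ip_network() rejects wildcards; a bare address becomes /32 or /128.
            matched = ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            matched = fnmatch.fnmatchcase(addr, pattern)
        if matched:
            if negated:
                return -1
            result = 1
    return result


def parse_config(text):
    """Return (global_options, [(criteria, options), ...]). Keywords are
    case-insensitive; within a section the first occurrence of a keyword wins."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((rest.split(), current))
        else:
            current.setdefault(keyword, rest)
    return global_opts, blocks


def block_matches(criteria, ctx):
    """Every criterion/value pair on the Match line must hold."""
    if len(criteria) % 2:
        raise ValueError("Match criteria must come in keyword/value pairs")
    for name, pattern in zip(criteria[::2], criteria[1::2]):
        name = name.lower()
        if name == "user":
            ok = match_pattern_list(ctx["user"], pattern) == 1
        elif name == "group":
            hits = [match_pattern_list(g, pattern) for g in ctx["groups"]]
            ok = -1 not in hits and 1 in hits    # negated hit on any group rejects
        elif name == "address":
            ok = addr_match_list(ctx["address"], pattern) == 1
        else:
            raise ValueError("unsupported Match criterion: " + name)
        if not ok:
            return False
    return True


def effective_options(text, ctx):
    """Global options overridden by matching blocks; the first matching block
    that sets a keyword wins over later matching blocks."""
    effective, blocks = parse_config(text)
    set_by_match = set()
    for criteria, opts in blocks:
        if block_matches(criteria, ctx):
            for key, value in opts.items():
                if key not in set_by_match:
                    effective[key] = value
                    set_by_match.add(key)
    return effective


SAMPLE_CONFIG = """
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match Group sftponly,!wheel
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    ctx = {"user": "anoncvs", "groups": ["anoncvs"], "address": "198.51.100.7"}
    print(effective_options(SAMPLE_CONFIG, ctx))
```

With the sample config, anoncvs loses TCP forwarding from anywhere, only
sources in the listed networks get password authentication, and a user in
both sftponly and wheel gets no ForceCommand because the negated group entry
rejects the block.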


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
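
Added example, not code from this commit or from the OpenSSH sources: a
Python parser for the time[qualifier] sequences described above, which
returns the total number of seconds or -1 for malformed input (the
convention sshd's own convtime() uses so that a bad LoginGraceTime or
ClientAliveInterval can be rejected at config-parse time). Qualifiers are
accepted in either case; that case-insensitivity is an assumption of this
example, not something the commit message states.

```python
"""Parse sshd's time[qualifier] syntax ("600", "10m", "1h30m") into seconds.

Added example, not sshd's code. Returns -1 on malformed input so callers
can reject the option, mirroring sshd's convtime() convention.
"""
import re

# One unit: a positive integer followed by an optional qualifier.
_UNIT_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)
_MULTIPLIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def convtime(text):
    """Return the number of seconds described by text, or -1 if malformed.

    A sequence such as "1h30m" is summed unit by unit; anything that is not
    digits-plus-qualifier where a unit is expected (a sign, a stray letter,
    an empty string) makes the whole value invalid.
    """
    if not text:
        return -1
    total, pos = 0, 0
    while pos < len(text):
        m = _UNIT_RE.match(text, pos)
        if m is None:
            return -1                       # junk where a number was expected
        total += int(m.group(1)) * _MULTIPLIERS[m.group(2).lower()]
        pos = m.end()
    return total


def parse_time_option(line):
    """Parse one "Keyword value" config line whose value is a time, returning
    (keyword, seconds); raises ValueError when the value is malformed, which
    is where sshd would refuse to start."""
    keyword, _, value = line.strip().partition(" ")
    seconds = convtime(value.strip())
    if seconds < 0:
        raise ValueError("%s: invalid time value %r" % (keyword, value))
    return keyword, seconds


if __name__ == "__main__":
    for sample in ("600", "10m", "1h30m", "2w", "10x"):
        print(sample, convtime(sample))
```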


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.348 24-Jan-2019 dtucker

Always initialize 2nd arg to hpdelim2. It populates that *ONLY IF*
there's a delimiter. If there's not (the common case) it checked
uninitialized memory, which usually passed, but if not would cause
spurious failures when the uninitialized memory happens to contain
"/". ok deraadt.


# 1.347 23-Jan-2019 dtucker

Remove support for obsolete host/port syntax.

host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
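
An added example of the check revision 1.299 describes, written for this page and not taken from sshd: validate a USER@ADDR/BITS entry before it is ever used for matching, so that an impossible prefix length such as 127.1.2.3/55 is refused at load time instead of quietly matching every client. The function name allowusers_entry_valid and the sample entries are this example's own; entries without a CIDR suffix are accepted unchanged because they are name or hostname patterns, not address ranges.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/*
 * Validate one AllowUsers/DenyUsers entry of the form USER@ADDR/BITS.
 * Entries with no '@', or no '/' after it, are user/host patterns and
 * are accepted as-is. A CIDR range must parse as IPv4 or IPv6 and its
 * prefix length must fit the family (0..32 or 0..128).
 * Returns 1 if the entry is acceptable, 0 if sshd should refuse it.
 */
int allowusers_entry_valid(const char *entry)
{
	const char *at, *slash;
	char addr[INET6_ADDRSTRLEN];
	unsigned char buf[16];
	size_t alen;
	long bits;
	char *end;

	if ((at = strchr(entry, '@')) == NULL)
		return 1;			/* plain user pattern */
	if ((slash = strchr(at + 1, '/')) == NULL)
		return 1;			/* user@hostpattern, not CIDR */
	alen = (size_t)(slash - (at + 1));
	if (alen == 0 || alen >= sizeof(addr))
		return 0;
	memcpy(addr, at + 1, alen);
	addr[alen] = '\0';
	if (slash[1] < '0' || slash[1] > '9')
		return 0;			/* "/", "/-1", "/abc" */
	bits = strtol(slash + 1, &end, 10);
	if (*end != '\0')
		return 0;
	if (inet_pton(AF_INET, addr, buf) == 1)
		return bits <= 32;
	if (inet_pton(AF_INET6, addr, buf) == 1)
		return bits <= 128;
	return 0;				/* not an address at all */
}

int main(void)
{
	/* constructed sample entries, including the one from the bug report */
	const char *samples[] = { "djm@127.1.2.3/55", "djm@10.0.0.0/8",
	    "djm@2001:db8::/64", "djm@*.example.com", "djm" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-22s %s\n", samples[i],
		    allowusers_entry_valid(samples[i]) ? "ok" : "REJECT");
	return 0;
}
```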


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
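
An added example covering the algorithm-list syntax introduced across revisions 1.277 ('+' appends to the default), 1.304 ('-' removes by wildcard) and 1.335 (wildcards are accepted but are not full pattern-lists with negation), and, since it needs the same glob matcher, the pattern-list form that PermitUserEnvironment accepts in revision 1.334. This is illustrative code written for this page, not OpenSSH's match.c or servconf.c; the names glob_match, pattern_list_match and alg_list_apply and the sample default cipher list are this example's own. The '!'-negated-match-wins rule follows how ssh pattern-lists are documented to behave; it is shown here so the contrast with algorithm lists, which reject '!' outright, is visible.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *pat, const char *s)
{
	for (;; pat++, s++) {
		if (*pat == '\0')
			return *s == '\0';
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			for (;; s++) {		/* try every tail of s */
				if (glob_match(pat, s))
					return 1;
				if (*s == '\0')
					return 0;
			}
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s))
			return 0;
	}
}

/*
 * Pattern-list match (the PermitUserEnvironment form): comma-separated
 * globs, a leading '!' negates, and a negated match wins wherever it
 * appears. Returns 1 matched, -1 negated match, 0 no match.
 */
int pattern_list_match(const char *list, const char *s)
{
	char *copy = strdup(list), *save = NULL, *tok;
	int result = 0;

	for (tok = strtok_r(copy, ",", &save); tok != NULL;
	    tok = strtok_r(NULL, ",", &save)) {
		int neg = (*tok == '!');
		if (!glob_match(tok + neg, s))
			continue;
		result = neg ? -1 : 1;
		if (neg)
			break;
	}
	free(copy);
	return result;
}

/* Append one name to a comma-separated buffer; 0 if it does not fit. */
static int append_alg(char *out, size_t outlen, const char *alg)
{
	size_t len = strlen(out);
	int n = snprintf(out + len, outlen - len, "%s%s", len ? "," : "", alg);
	return n >= 0 && (size_t)n < outlen - len;
}

/*
 * Apply an algorithm-list option to the built-in default:
 *   "+a,b"  keep the default, append a and b (names already present skipped)
 *   "-pat"  drop every default entry matching one of the wildcards
 *   "a,b"   replace the default outright
 * '!' is not part of this syntax and is rejected. Returns 1 and fills
 * out on success; 0 on a bad spec or when the result would be empty.
 */
int alg_list_apply(const char *def, const char *spec, char *out, size_t outlen)
{
	char *copy, *save = NULL, *tok;
	int ok = 1;

	out[0] = '\0';
	if (strchr(spec, '!') != NULL)
		return 0;
	if (spec[0] == '+') {
		ok = snprintf(out, outlen, "%s", def) < (int)outlen;
		copy = strdup(spec + 1);
		for (tok = strtok_r(copy, ",", &save); tok != NULL && ok;
		    tok = strtok_r(NULL, ",", &save))
			if (pattern_list_match(out, tok) != 1)	/* not yet listed */
				ok = append_alg(out, outlen, tok);
		free(copy);
	} else if (spec[0] == '-') {
		copy = strdup(def);
		for (tok = strtok_r(copy, ",", &save); tok != NULL && ok;
		    tok = strtok_r(NULL, ",", &save))
			if (pattern_list_match(spec + 1, tok) != 1)	/* survivor */
				ok = append_alg(out, outlen, tok);
		free(copy);
	} else {
		ok = snprintf(out, outlen, "%s", spec) < (int)outlen;
	}
	return ok && out[0] != '\0';
}

/* Runs the cases from the log against a constructed default; 1 if all pass. */
int alg_selftest(void)
{
	const char *def = "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc";
	char out[256];

	if (!alg_list_apply(def, "-*cbc", out, sizeof(out)) ||
	    strcmp(out, "aes128-ctr,aes256-ctr") != 0)
		return 0;
	if (!alg_list_apply(def, "+chacha20-poly1305@openssh.com,aes128-ctr", out, sizeof(out)) ||
	    strcmp(out, "aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com") != 0)
		return 0;
	if (alg_list_apply(def, "-*", out, sizeof(out)) != 0)		/* empty result */
		return 0;
	if (alg_list_apply(def, "-!*cbc", out, sizeof(out)) != 0)	/* no negation */
		return 0;
	return 1;
}

int main(void)
{
	printf("alg list selftest: %s\n", alg_selftest() ? "ok" : "FAIL");
	return 0;
}
```

Expanding the list fully at configuration time, as 1.335 does, is what makes the empty-result and bad-wildcard cases reportable before any connection arrives rather than at first key exchange.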


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
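
An added illustration of the begin:rate:full semantics behind the new 10:30:100 default, written for this page rather than copied from sshd.c: below begin nothing is dropped, at full everything is, and in between the drop probability rises linearly from rate% to 100%. The random draw is passed in as a parameter so the decision can be checked deterministically; sshd itself draws it internally. The names max_startups_parse, should_drop and drop_decision are this example's own, and the single-number form is taken to mean "refuse once that many unauthenticated connections are pending".

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>

struct max_startups {
	int begin;	/* start random early drop at this many pending connections */
	int rate;	/* drop probability (percent) at begin */
	int full;	/* refuse everything at this many */
};

/*
 * Parse "begin:rate:full" or a single number. A single number means
 * begin == full with rate 100. Returns 0 on success, -1 on a spec the
 * server should reject: begin > full, rate outside 1..100, or junk.
 */
int max_startups_parse(const char *arg, struct max_startups *m)
{
	int n = sscanf(arg, "%d:%d:%d", &m->begin, &m->rate, &m->full);

	if (n == 1) {
		m->full = m->begin;
		m->rate = 100;
		return m->begin > 0 ? 0 : -1;
	}
	if (n != 3 || m->begin < 0 || m->begin > m->full ||
	    m->rate < 1 || m->rate > 100)
		return -1;
	return 0;
}

/*
 * Random early drop decision for a new connection when 'startups'
 * unauthenticated connections are already pending. 'r' is the random
 * draw in 0..99. Returns 1 to drop, 0 to accept.
 */
int should_drop(const struct max_startups *m, int startups, int r)
{
	int p;

	if (startups < m->begin)
		return 0;
	if (startups >= m->full || m->rate == 100)
		return 1;
	p = 100 - m->rate;			/* headroom above the base rate */
	p *= startups - m->begin;		/* scaled by how far into the window */
	p /= m->full - m->begin;
	p += m->rate;				/* rate% at begin, 100% just under full */
	return r < p;
}

/* Parse and decide in one call; -1 on a bad spec. */
int drop_decision(const char *spec, int startups, int r)
{
	struct max_startups m;

	if (max_startups_parse(spec, &m) != 0)
		return -1;
	return should_drop(&m, startups, r);
}

int main(void)
{
	int s;

	/* print the drop threshold (percent) across the 10:30:100 window */
	for (s = 10; s <= 100; s += 15)
		printf("%3d pending: drop if draw < %d\n", s,
		    s >= 100 ? 100 : 30 + 70 * (s - 10) / 90);
	printf("bad spec 10:30:5 -> %d\n", drop_decision("10:30:5", 0, 0));
	return 0;
}
```

With 10:30:100 a pre-auth flood of 55 connections pushes the drop chance to 65%, which is what keeps the accept path responsive for legitimate clients while the attacker's connections are mostly shed; the old single-value default simply blocked everyone once the limit was hit.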


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
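
An added example of how an AuthenticationMethods value is evaluated, covering this revision (1.232: space-separated alternatives, each a comma-separated list that must be completed in full) and revision 1.291 above (an empty value is refused, "any" means a single successful method suffices). This is illustrative code for this page, not sshd's auth2.c; the names auth_methods_satisfied and in_set are this example's own, and it does not check that each named method is actually enabled in the configuration, which sshd does additionally.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Is item one of the comma-separated names in set? */
static int in_set(const char *set, const char *item)
{
	char *copy = strdup(set), *save = NULL, *tok;
	int found = 0;

	for (tok = strtok_r(copy, ",", &save); tok != NULL && !found;
	    tok = strtok_r(NULL, ",", &save))
		found = strcmp(tok, item) == 0;
	free(copy);
	return found;
}

/*
 * Evaluate an AuthenticationMethods value against the methods a client
 * has completed so far (comma-separated, e.g. "publickey,password").
 * config is one or more space-separated lists; authentication succeeds
 * when every method in any one list has completed. "" is invalid and
 * "any" is satisfied by one successful method of any kind.
 * Returns 1 satisfied, 0 not yet, -1 invalid configuration.
 */
int auth_methods_satisfied(const char *config, const char *completed)
{
	char *copy, *lsave = NULL, *list;
	int satisfied = 0;

	if (config == NULL || config[0] == '\0')
		return -1;
	if (strcmp(config, "any") == 0)
		return completed != NULL && completed[0] != '\0';
	copy = strdup(config);
	for (list = strtok_r(copy, " ", &lsave); list != NULL && !satisfied;
	    list = strtok_r(NULL, " ", &lsave)) {
		char *lcopy = strdup(list), *msave = NULL, *m;
		int all = 1;

		for (m = strtok_r(lcopy, ",", &msave); m != NULL && all;
		    m = strtok_r(NULL, ",", &msave))
			all = in_set(completed, m);	/* every method in this list */
		free(lcopy);
		satisfied = all;
	}
	free(copy);
	return satisfied;
}

int main(void)
{
	/* constructed configuration: pubkey plus either a password or KBI */
	const char *cfg = "publickey,password publickey,keyboard-interactive";

	printf("publickey only      -> %d\n", auth_methods_satisfied(cfg, "publickey"));
	printf("publickey+password  -> %d\n", auth_methods_satisfied(cfg, "publickey,password"));
	printf("empty config        -> %d\n", auth_methods_satisfied("", "publickey"));
	return 0;
}
```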


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
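
An added example, written for this page and not taken from sshd's channels.c, of matching a forwarding request against a PermitOpen/PermitListen-style list with the syntax the log accumulates: host:port entries, the host:* and *:port wildcards from this revision (1.223), the "none" keyword from 1.224, and the bare-port shorthand that PermitListen accepts from 1.333 above, where "2222 8080" means "*:2222 *:8080". The name permit_match is this example's own; it compares the host textually, as a plain string, and simply fails to match a malformed entry, whereas sshd rejects malformed entries when the configuration is parsed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decide whether a forwarding request for (host, port) is allowed by a
 * space-separated PermitOpen/PermitListen-style list. Entry forms:
 *   host:port   exact host and port
 *   host:*      any port on that host
 *   *:port      that port on any host
 *   port        shorthand for *:port
 *   [v6]:port   bracketed IPv6 address
 * "any" permits everything and "none" permits nothing.
 * Returns 1 if permitted, 0 otherwise.
 */
int permit_match(const char *specs, const char *host, int port)
{
	char *copy, *save = NULL, *tok;
	int allowed = 0;

	if (strcmp(specs, "any") == 0)
		return 1;
	if (strcmp(specs, "none") == 0)
		return 0;
	copy = strdup(specs);
	for (tok = strtok_r(copy, " \t", &save); tok != NULL && !allowed;
	    tok = strtok_r(NULL, " \t", &save)) {
		const char *h = tok;
		char *p, *end;
		int host_ok, port_ok;

		if (*tok == '[') {			/* [v6addr]:port */
			h = tok + 1;
			if ((p = strchr(tok, ']')) == NULL || p[1] != ':')
				continue;		/* malformed entry */
			*p = '\0';
			p += 2;
		} else if ((p = strchr(tok, ':')) != NULL) {	/* host:port */
			*p++ = '\0';
		} else {				/* bare port == *:port */
			h = "*";
			p = tok;
		}
		host_ok = strcmp(h, "*") == 0 || strcmp(h, host) == 0;
		if (strcmp(p, "*") == 0)
			port_ok = 1;
		else
			port_ok = *p != '\0' && strtol(p, &end, 10) == port &&
			    *end == '\0';
		allowed = host_ok && port_ok;
	}
	free(copy);
	return allowed;
}

int main(void)
{
	/* constructed requests against a constructed PermitListen line */
	const char *listen = "2222 8080";

	printf("%s, request *:8080 -> %d\n", listen, permit_match(listen, "0.0.0.0", 8080));
	printf("%s, request *:443  -> %d\n", listen, permit_match(listen, "0.0.0.0", 443));
	printf("localhost:*, request localhost:5432 -> %d\n",
	    permit_match("localhost:*", "localhost", 5432));
	printf("none, request localhost:22 -> %d\n", permit_match("none", "localhost", 22));
	return 0;
}
```

The textual compare is deliberate in the sense that it mirrors the security model: these directives restrict what the client may ask for, not what the name resolves to, so "localhost:*" does not cover a request for 127.0.0.1.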


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
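To make the Match semantics described here and the CIDR/negation/wildcard "Match address" matching of revision 1.181 above concrete, the following is an added Python model (not code from OpenSSH, which implements this in C in servconf.c and addrmatch.c). The sample config, the function names and the resolution rule (a negated entry that matches rejects outright, otherwise any positive match wins; the first matching Match block that sets a keyword overrides the global section) are this example's assumptions about the behaviour the commit messages describe.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config fragment combining the examples from the
# 1.153 and 1.181 commit messages (not a config file from the project).
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
"""


def _match_list(subject, pattern_list, entry_matches):
    """Shared list semantics: entries are comma-separated and "!" negates one.
    A negated entry that matches rejects immediately; otherwise the result is
    whether any positive entry matched."""
    matched = False
    for raw in pattern_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if entry_matches(subject, entry):
            if negated:
                return False
            matched = True
    return matched


def _addr_entry_matches(addr, entry):
    """CIDR test when the entry contains a "/", otherwise fall back to classic
    wildcard matching against the textual form of the address."""
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
        return addr.version == net.version and addr in net
    return fnmatch.fnmatchcase(str(addr), entry)


def address_matches(address, pattern_list):
    """Evaluate a "Match address" list such as 192.0.2.0/24,3ffe:ffff::/32,!10.*"""
    return _match_list(ipaddress.ip_address(address), pattern_list, _addr_entry_matches)


def user_matches(user, pattern_list):
    """Evaluate a "Match user" list of wildcard patterns with optional negation."""
    return _match_list(user, pattern_list, fnmatch.fnmatchcase)


def parse_config(text):
    """Split a config into global options and a list of (criteria, settings)
    Match blocks. Keywords are case-insensitive and the first occurrence of a
    keyword within a section is the one that counts (assumed first-match rule)."""
    global_opts, blocks, current = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((value.split(), current))
        elif current is None:
            global_opts.setdefault(keyword, value)
        else:
            current.setdefault(keyword, value)
    return global_opts, blocks


def _criteria_hold(criteria, user, address):
    """Every criterion/pattern pair on a Match line must hold for the block to apply."""
    if len(criteria) % 2:
        raise ValueError("Match criteria must come in keyword/value pairs")
    for name, value in zip(criteria[::2], criteria[1::2]):
        name = name.lower()
        if name == "user":
            ok = user_matches(user, value)
        elif name == "address":
            ok = address_matches(address, value)
        else:
            raise ValueError(f"unsupported Match criterion {name!r}")
        if not ok:
            return False
    return True


def effective_option(config_text, keyword, user, address):
    """Resolve one option for a connection: the first matching Match block
    that sets the keyword overrides the global section, else the global value."""
    global_opts, blocks = parse_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in blocks:
        if keyword in settings and _criteria_hold(criteria, user, address):
            return settings[keyword]
    return global_opts.get(keyword)


if __name__ == "__main__":
    print(effective_option(SAMPLE_CONFIG, "AllowTcpForwarding", "anoncvs", "203.0.113.5"))
    print(effective_option(SAMPLE_CONFIG, "PasswordAuthentication", "alice", "192.0.2.7"))
```

The model only knows the User and Address criteria; running it with `python3 -m` on the sample prints `no` for anoncvs (the Match block overrides the global `yes`) and `yes` for password authentication from 192.0.2.7, while a 10.x address is rejected by the negated wildcard entry and keeps the global `no`.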


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
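An added Python parser for the time[qualifier] syntax described in this commit message (this is illustrative code, not the convtime() routine OpenSSH uses; the function names, the `login_grace_time` helper and the overflow bound are assumptions made for the example):

```python
import re

# Multipliers for the qualifiers listed in the commit message: no qualifier
# or "s" means seconds, then minutes, hours, days and weeks.
_MULTIPLIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# One <positive integer><optional qualifier> token; a specification is a
# sequence of these with nothing in between, e.g. "1h30m".
_TOKEN = re.compile(r"([0-9]+)([smhdwSMHDW]?)")

# sshd keeps these values in an int; reject anything larger rather than
# wrapping silently (assumed bound, chosen for this example).
_MAX_SECONDS = 2**31 - 1


def parse_time(spec: str) -> int:
    """Convert a sshd-style time specification to a number of seconds.

    Accepts "600", "10m", "1h30m", "2w" and so on. Raises ValueError for an
    empty string, a sign, an unknown qualifier, whitespace or trailing junk,
    so a typo in sshd_config fails loudly instead of becoming 0 seconds.
    """
    if not spec:
        raise ValueError("empty time specification")
    total = 0
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"invalid time specification {spec!r} at offset {pos}")
        value, qualifier = int(m.group(1)), m.group(2).lower()
        total += value * _MULTIPLIERS[qualifier]
        if total > _MAX_SECONDS:
            raise ValueError(f"time specification {spec!r} is too large")
        pos = m.end()
    return total


def login_grace_time(config_value: str, default: str = "2m") -> int:
    """Resolve a LoginGraceTime value to seconds, using the 2m default that
    revision 1.115 in this log chose when the directive is absent."""
    return parse_time(config_value if config_value else default)


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m"):
        print(f"{example:>6} -> {parse_time(example)} seconds")
```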


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.346 19-Jan-2019 djm

convert servconf.c to new packet API

with & ok markus@


# 1.345 19-Jan-2019 djm

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
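
The '+' (append) handling above, the "=-" removal from 1.304 and the wildcard expansion from 1.335 describe one small algorithm: apply a specification to a default list, expanding wildcards against the set of supported algorithms so the final list is concrete. The following Python model is an added example, not OpenSSH's own code; the cipher names and the "default" list are constructed for illustration and are not the real sshd defaults, and it follows the 1.335 caveat that wildcards are accepted but '!' negation is not.

```python
from fnmatch import fnmatchcase

# Constructed sample lists (assumptions for illustration, not OpenSSH's real defaults).
SUPPORTED_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes256-ctr",
    "aes128-cbc", "3des-cbc",
]


def expand_algorithms(spec, supported):
    """Expand a comma-separated list of names and wildcards into concrete names.

    A wildcard ('*' or '?') is matched against the supported set, in that
    set's order; a plain name must be supported.  A leading '!' is not a
    negation here: wildcards are accepted, but these are not pattern-lists.
    """
    result = []
    for item in spec.split(","):
        if item == "":
            raise ValueError("empty algorithm name in list")
        if "*" in item or "?" in item:
            hits = [a for a in supported if fnmatchcase(a, item)]
        elif item in supported:
            hits = [item]
        else:
            raise ValueError(f"unsupported algorithm: {item}")
        for a in hits:
            if a not in result:
                result.append(a)
    return result


def apply_algorithm_spec(spec, default, supported):
    """Apply a config value to the default list.

    '+list' appends entries not already present, '-list' removes every
    entry matched by the list, anything else replaces the default.  The
    result is always fully expanded, so a config dump shows the real
    algorithms selected and errors surface when the config is finalised.
    """
    if spec.startswith("+"):
        extra = expand_algorithms(spec[1:], supported)
        return list(default) + [a for a in extra if a not in default]
    if spec.startswith("-"):
        removed = set(expand_algorithms(spec[1:], supported))
        kept = [a for a in default if a not in removed]
        if not kept:
            raise ValueError("specification leaves no algorithms enabled")
        return kept
    return expand_algorithms(spec, supported)
```

With these lists, `apply_algorithm_spec("-*cbc", DEFAULT_CIPHERS, SUPPORTED_CIPHERS)` strips every CBC mode from the default, and a specification that removes everything is rejected rather than producing an empty list.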


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
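
The AuthenticationMethods semantics above (one or more space-separated lists of comma-separated method names; every method in any one list must succeed) together with the 1.291 rule that an empty value is rejected and "any" means no multi-auth requirement, modelled in Python as an added example. This is not OpenSSH's parser; the set of known method names is an assumption made for the model, and the state function takes the simplifying view that each list is satisfied in its written order.

```python
# Assumed set of method names for this model (not OpenSSH's own table).
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_authentication_methods(value):
    """Parse an AuthenticationMethods value into a list of method lists.

    Returns [] for "any" (the default behaviour of not requiring multiple
    authentication); rejects an empty value and unknown method names.
    """
    value = value.strip()
    if value == "":
        raise ValueError("AuthenticationMethods may not be empty")
    if value == "any":
        return []
    lists = []
    for chain in value.split():
        methods = chain.split(",")
        for m in methods:
            if m not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method: {m}")
        lists.append(methods)
    return lists


def authentication_state(lists, completed):
    """Return (authenticated, next_methods) for the methods completed so far.

    With no lists configured ("any"), one successful method is enough.
    Otherwise a list is satisfied once all of its methods have succeeded;
    next_methods is the sorted set of methods that would advance at least
    one list (the first outstanding method of each list).
    """
    done = set(completed)
    if not lists:
        return (len(done) > 0, [])
    next_methods = set()
    for chain in lists:
        remaining = [m for m in chain if m not in done]
        if not remaining:
            return (True, [])
        next_methods.add(remaining[0])
    return (False, sorted(next_methods))
```

For "publickey,password publickey,keyboard-interactive", nothing is accepted until publickey succeeds, after which either password or keyboard-interactive completes the authentication.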


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
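
As an added illustration of the address-matching semantics this entry describes (CIDR entries, "!" negation and fall-back to classic wildcard matching), here is a small Python emulation; it is not OpenSSH's addrmatch.c, and the function names and the 1 / -1 / 0 return convention are assumptions of this example.

```python
import fnmatch
import ipaddress


def _parse_entry(entry):
    """Return an ip_network for a CIDR or bare-address entry, or None when the
    entry is not an address at all and should fall back to wildcard matching."""
    if "/" in entry:
        # A CIDR entry must be well-formed: host bits set beyond the prefix
        # length ("192.0.2.1/24") are a configuration error, not a wildcard.
        return ipaddress.ip_network(entry, strict=True)
    try:
        return ipaddress.ip_network(entry)  # bare host address -> /32 or /128
    except ValueError:
        return None  # e.g. "10.*": classic wildcard pattern


def addr_match_list(addr, pattern_list):
    """Match a client address against a comma-separated list such as
    "192.0.2.0/24,3ffe:ffff::/32,!10.*" (the list from this entry).

    Returns 1 for a positive match, -1 when a negated ("!") entry matched,
    and 0 when nothing matched. A negated match wins immediately, so an
    exclusion cannot be overridden by a later positive entry.
    """
    ip = ipaddress.ip_address(addr)
    result = 0
    for raw in pattern_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        net = _parse_entry(entry)
        if net is not None:
            matched = ip.version == net.version and ip in net
        else:
            matched = fnmatch.fnmatchcase(addr, entry)  # wildcard fall-back
        if matched:
            if negate:
                return -1
            result = 1
    return result


def match_address_block(addr, pattern_list):
    """A "Match address <list>" block applies only on a positive (1) result;
    both "no match" and "excluded" leave the block inactive."""
    return addr_match_list(addr, pattern_list) == 1
```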


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
  600    600 seconds (10 minutes)
  10m    10 minutes
  1h30m  1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.344 19-Nov-2018 djm

silence (to log level debug2) failure messages when loading the default
hostkeys. Hostkeys explicitly specified in the configuration or on
the command-line are still reported as errors, and failure to load at
least one host key remains a fatal error.

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostKeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
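A worked model of the '+' (this revision) and '=-' (rev 1.304 above) prefixes for algorithm-list options, as an added example in Python that is not code from OpenSSH. The default list is a constructed sample, not sshd's real compiled-in Ciphers default, and the "skip names already present" behaviour for '+' is my own simplification; sshd's real code also validates every name against the algorithms it was built with, which this example does not.

```python
from fnmatch import fnmatchcase

# Constructed sample default list for the demonstration (not sshd's real
# compiled-in Ciphers default).
SAMPLE_DEFAULT_CIPHERS = ("chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,"
                          "aes128-cbc,aes256-cbc")


def apply_algorithm_spec(default: str, spec: str) -> str:
    """Apply an algorithm-list argument to the compiled-in default.

      "+a,b"   appends a and b to the default (names already present are not duplicated)
      "-*cbc"  removes every default entry matching one of the wildcard patterns
      "a,b"    replaces the default outright
    Refuses a result that would leave no algorithm at all, since an empty
    list would make every connection fail at key exchange.
    """
    defaults = [a for a in default.split(",") if a]
    if spec.startswith("+"):
        extra = [a for a in spec[1:].split(",") if a]
        result = defaults + [a for a in extra if a not in defaults]
    elif spec.startswith("-"):
        patterns = [p for p in spec[1:].split(",") if p]
        result = [a for a in defaults
                  if not any(fnmatchcase(a, p) for p in patterns)]
    else:
        result = [a for a in spec.split(",") if a]
    if not result:
        raise ValueError(f"algorithm list is empty after applying {spec!r}")
    return ",".join(result)


if __name__ == "__main__":
    # Hardening idiom from the 1.304 message: drop every CBC cipher while
    # keeping whatever the build's default list otherwise contains.
    print(apply_algorithm_spec(SAMPLE_DEFAULT_CIPHERS, "-*cbc"))
    print(apply_algorithm_spec(SAMPLE_DEFAULT_CIPHERS, "+3des-cbc"))
```

The '-' form is the one worth using for hardening: it removes weak entries without pinning the whole list, so a later upgrade that adds new defaults is still picked up.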


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
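The random early drop that this default enables, as an added example in Python that is not code from OpenSSH. The linear ramp (rate% at the "begin" count rising to 100% at the "full" count) is modelled on how I understand sshd's drop decision, so treat the exact formula as an assumption; the single-number form is treated as begin == full, which drops nothing below the limit and everything at it.

```python
import random
from typing import Callable, Tuple


def parse_max_startups(arg: str) -> Tuple[int, int, int]:
    """Parse a MaxStartups argument: "begin:rate:full" or a single number."""
    parts = arg.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError("MaxStartups must be positive")
        return n, 100, n  # single number: hard limit, no random drop region
    if len(parts) != 3:
        raise ValueError(f"illegal MaxStartups spec {arg!r}")
    begin, rate, full = (int(p) for p in parts)
    if not (0 < begin <= full) or not (1 <= rate <= 100):
        raise ValueError(f"invalid MaxStartups spec {arg!r}")
    return begin, rate, full


def drop_probability(startups: int, begin: int, rate: int, full: int) -> int:
    """Percent chance of refusing a new unauthenticated connection when
    `startups` such connections are already in progress."""
    if startups < begin:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from rate% at `begin` up to 100% at `full` (assumed model).
    return rate + (100 - rate) * (startups - begin) // (full - begin)


def drop_connection(startups: int, spec: str = "10:30:100",
                    rng: Callable[[int], int] = random.randrange) -> bool:
    """Decide whether to drop the next connection; `rng` is injectable so
    the decision can be tested deterministically."""
    begin, rate, full = parse_max_startups(spec)
    return rng(100) < drop_probability(startups, begin, rate, full)


if __name__ == "__main__":
    # Constructed walk through the 10:30:100 default.
    for n in (5, 10, 30, 55, 80, 100):
        print(f"{n:3d} unauthenticated connections -> "
              f"{drop_probability(n, 10, 30, 100):3d}% drop chance")
```

Operationally, the value to watch is the "begin" threshold: legitimate bursts (monitoring, config-management fan-out) that exceed it will start seeing random refusals, which is the intended trade-off against connection-flood DoS.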


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
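A worked model of the AuthenticationMethods semantics described here, together with the rule from rev 1.291 (above) that an empty argument is refused and "any" names the default behaviour. This is an added example in Python, not OpenSSH code; the method names are the ones sshd_config(5) lists, and the "methods must succeed in the listed order" rule is my reading of the documented behaviour, kept deliberately simple.

```python
from typing import List, Optional

# Method names sshd_config(5) accepts in AuthenticationMethods. Unknown names
# are rejected at load time so a typo cannot silently weaken the policy.
KNOWN_METHODS = {"password", "publickey", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def parse_authentication_methods(arg: str) -> Optional[List[List[str]]]:
    """Parse the AuthenticationMethods argument.

    "any" means the default single-method behaviour and is returned as
    None. An empty argument is refused. Otherwise the result is a list of
    alternatives, each a list of method names that must all succeed.
    """
    arg = arg.strip()
    if arg == "":
        raise ValueError("AuthenticationMethods: empty argument is not allowed")
    if arg == "any":
        return None
    alternatives = []
    for alt in arg.split():
        names = alt.split(",")
        for name in names:
            if name not in KNOWN_METHODS:
                raise ValueError(f"AuthenticationMethods: unknown method {name!r}")
        alternatives.append(names)
    return alternatives


def _completed_in_order(alt: List[str], succeeded: List[str]) -> bool:
    """True once every method in `alt` has succeeded, in the listed order
    (assumed simplification of sshd's per-list progress tracking)."""
    i = 0
    for method in succeeded:
        if i < len(alt) and method == alt[i]:
            i += 1
    return i == len(alt)


def authentication_complete(alternatives: Optional[List[List[str]]],
                            succeeded: List[str]) -> bool:
    """Decide whether the successes so far satisfy the configured policy."""
    if alternatives is None:
        return bool(succeeded)  # default: any one successful method is enough
    return any(_completed_in_order(alt, succeeded) for alt in alternatives)


if __name__ == "__main__":
    # Constructed policy: public key first, then either a password or a
    # keyboard-interactive (e.g. OTP) step.
    policy = parse_authentication_methods(
        "publickey,password publickey,keyboard-interactive")
    for trace in (["publickey"], ["publickey", "password"],
                  ["password", "publickey"], ["publickey", "keyboard-interactive"]):
        print(trace, "->", authentication_complete(policy, trace))
```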


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
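The matching rules described in this message, together with the load-time CIDR validation from rev 1.299 (above, which refuses ranges like "127.1.2.3/55" instead of letting them match everything), as an added example in Python that is not code from OpenSSH. The negation and fall-back semantics follow the description here (a matching negated entry fails the whole list, a positive match can still be overridden by a later negation); the helper names and the client addresses are my own.

```python
import ipaddress
from fnmatch import fnmatchcase
from typing import List


def validate_address_list(spec: str) -> List[str]:
    """Split and validate a comma-separated address list at config-load time.

    Entries containing '/' must parse as a valid CIDR range; anything else
    is treated as a classic wildcard pattern. A bad range such as
    "127.1.2.3/55" is refused here rather than silently matching later.
    """
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty address list")
    for entry in entries:
        pattern = entry[1:] if entry.startswith("!") else entry
        if "/" in pattern:
            try:
                ipaddress.ip_network(pattern, strict=False)
            except ValueError as exc:
                raise ValueError(f"invalid CIDR address range {pattern!r}: {exc}") from None
    return entries


def match_address(spec: str, client: str) -> bool:
    """Evaluate a "Match address" list against one client address.

    Entries are tried left to right. A negated entry ("!10.*") that matches
    fails the whole list immediately; a positive match records success but
    a later negation can still override it. CIDR entries are compared as
    networks, other entries fall back to wildcard matching on the text.
    """
    addr = ipaddress.ip_address(client)
    matched = False
    for entry in validate_address_list(spec):
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        if "/" in pattern:
            net = ipaddress.ip_network(pattern, strict=False)
            hit = addr.version == net.version and addr in net
        else:
            hit = fnmatchcase(client, pattern)
        if hit:
            if negated:
                return False
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed sample: the list from the commit message plus a few clients.
    spec = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for client in ("192.0.2.7", "10.0.0.1", "3ffe:ffff::1", "198.51.100.1"):
        print(f"{client:>14} -> {match_address(spec, client)}")
```

The load-time check is the security-relevant half: a typo in a range that is silently accepted as "match everything" turns a block meant to relax authentication for one network into a global relaxation.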


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
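
The override semantics described in this entry, as an added example (not code from servconf.c or any other part of OpenSSH): a small Python model that parses a constructed sshd_config containing Match blocks and computes the effective options for one connection. It assumes the criteria User, Group, Host and Address, the first-match rule noted in the 1.159 and 1.167 entries above (the first value given for a keyword in a section is kept, and the first matching Match block that sets a keyword wins), and it rejects an invalid CIDR in Match Address when the file is loaded rather than letting it match everything. The sample config, user names and addresses are constructed for the example.

```python
"""sshd_config Match evaluation, modelled for illustration: global defaults,
then the first matching Match block that sets a keyword wins. Not OpenSSH code."""
import fnmatch
import ipaddress
import re

# Constructed sample configuration, not a real sshd_config.
SAMPLE_CONFIG = """\
# global section: defaults for everyone
AllowTcpForwarding yes
PasswordAuthentication no

Match User anoncvs
    AllowTcpForwarding no

Match Address 10.0.0.0/8,192.168.1.0/24
    PasswordAuthentication yes

Match Group wheel Address 10.0.0.0/8
    PermitRootLogin yes
"""

# keyword, then whitespace or a single '=' (optionally padded), then the argument
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")
_CRITERIA = ("user", "group", "host", "address")


def parse_match_criteria(arg, lineno):
    """'User anoncvs Address 10.0.0.0/8' -> {'user': [...], 'address': [...]}.

    Address patterns containing '/' must be valid CIDR: a bad one is a
    configuration error, not a pattern that silently matches everything.
    """
    tokens = arg.split()
    if not tokens or len(tokens) % 2:
        raise ValueError(f"line {lineno}: Match criteria must be name/value pairs")
    crit = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        name = name.lower()
        if name not in _CRITERIA:
            raise ValueError(f"line {lineno}: unsupported Match criterion {name!r}")
        patterns = value.split(",")
        if name == "address":
            for p in patterns:
                if "/" in p:
                    try:
                        ipaddress.ip_network(p, strict=False)
                    except ValueError:
                        raise ValueError(f"line {lineno}: invalid CIDR {p!r}") from None
        crit[name] = patterns
    return crit


def parse_config(text):
    """Return (global_options, match_blocks). Keywords are case-insensitive,
    and within a section the first value given for a keyword is kept."""
    global_opts, blocks = {}, []
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None or m.group(2).startswith("="):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == "match":
            current = {}                       # start a new block
            blocks.append((parse_match_criteria(arg, lineno), current))
        elif keyword not in current:
            current[keyword] = arg
    return global_opts, blocks


def _address_matches(patterns, address):
    addr = ipaddress.ip_address(address)
    for p in patterns:
        if "/" in p:
            if addr in ipaddress.ip_network(p, strict=False):
                return True
        elif fnmatch.fnmatchcase(address, p):  # wildcard form such as 192.168.*
            return True
    return False


def block_matches(crit, ctx):
    """Every criterion must hold; within one criterion any pattern may match."""
    for name, patterns in crit.items():
        if name == "address":
            ok = _address_matches(patterns, ctx["address"])
        elif name == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in ctx["groups"] for p in patterns)
        else:
            ok = any(fnmatch.fnmatchcase(ctx[name], p) for p in patterns)
        if not ok:
            return False
    return True


def effective_options(global_opts, blocks, ctx):
    """Global defaults, overridden per keyword by the first matching block."""
    result, decided = dict(global_opts), set()
    for crit, opts in blocks:
        if not block_matches(crit, ctx):
            continue
        for keyword, value in opts.items():
            if keyword not in decided:
                result[keyword] = value
                decided.add(keyword)
    return result


if __name__ == "__main__":
    g, b = parse_config(SAMPLE_CONFIG)
    ctx = {"user": "anoncvs", "groups": ["anoncvs"],
           "host": "cvs.example.org", "address": "10.1.2.3"}
    print(effective_options(g, b, ctx))
```

Keyword names are lowercased because sshd_config keywords are case-insensitive; the ctx dictionary stands in for the facts sshd knows about a connection (user, groups, client host name and address).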


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>, s, m, h, d, w
Examples:
600     600 seconds (10 minutes)
10m     10 minutes
1h30m   1 hour 30 minutes (90 minutes)
ok markus@
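
The time[qualifier] syntax described in this entry, as an added example that is not OpenSSH's own convtime implementation: a Python parser that sums the elements of a value such as 1h30m and rejects anything the grammar above does not allow (a sign, whitespace, an unknown qualifier, an empty string). It assumes qualifiers are case-insensitive, that a bare number means seconds, and it caps the total at 2**31-1 on the assumption that sshd keeps these values in a C int; parse_time_keyword and the line numbers it reports are illustrative wrappers.

```python
"""Parser for sshd time arguments of the form time[qualifier]..., e.g. 600,
10m, 1h30m. Added illustration, not OpenSSH code."""
import re

# qualifier -> seconds; "" is a bare number, taken as seconds
_MULTIPLIER = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# one element: ASCII digits followed by an optional qualifier letter
_ELEMENT = re.compile(r"([0-9]+)([smhdwSMHDW]?)")
# assumption: sshd stores these values in a C int, so cap the total at INT_MAX
MAX_SECONDS = 2 ** 31 - 1


def convtime(spec):
    """Return the number of seconds denoted by spec, or -1 if it is invalid.

    Elements are consumed left to right and summed, so "1h30m" is 5400 and
    "1h30" is 3630. Anything that is not digits[qualifier] makes the whole
    value invalid, as does a total beyond MAX_SECONDS.
    """
    if not spec:
        return -1
    total, pos = 0, 0
    while pos < len(spec):
        m = _ELEMENT.match(spec, pos)
        if m is None:                      # sign, space, or unknown qualifier
            return -1
        total += int(m.group(1)) * _MULTIPLIER[m.group(2).lower()]
        if total > MAX_SECONDS:
            return -1
        pos = m.end()
    return total


def parse_time_keyword(keyword, arg, lineno):
    """Config-loader style wrapper: refuse a bad value instead of storing it."""
    seconds = convtime(arg)
    if seconds < 0:
        raise ValueError(f"line {lineno}: {keyword}: invalid time value {arg!r}")
    return seconds


if __name__ == "__main__":
    for value in ("600", "10m", "1h30m", "2w", "-5", "5x"):
        print(value, convtime(value))
```

Returning -1 for bad input and letting the keyword handler turn that into a hard configuration error keeps a typo such as LoginGraceTime 2x from silently becoming zero or some other surprising value.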


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
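
The ListenAddress forms listed in this entry, together with the bare-IPv6 case from the 1.144 entry and the port validation from the 1.76 entry above, as an added example that is not taken from sshd's source: a Python parser that tells host:port apart from a bare IPv6 address by counting colons, requires brackets when an IPv6 address carries a port, and accepts only ports 1 to 65535. DEFAULT_PORT 22 stands in for the server's Port setting; accepting [addr] with no port is this example's choice, not a form this entry lists.

```python
"""Parse sshd ListenAddress arguments: host, host:port, [addr]:port and
bare IPv6. Added illustration, not OpenSSH's code."""
import ipaddress

DEFAULT_PORT = 22   # assumption for the demo; sshd uses its Port option


def parse_port(text):
    """Return the port as an int, or None unless it is a decimal in 1..65535."""
    if not text.isdigit():            # rejects '', signs, spaces, hex
        return None
    port = int(text)
    return port if 1 <= port <= 65535 else None


def parse_listen_address(spec, default_port=DEFAULT_PORT):
    """Return (host, port), or None when spec is malformed.

    host | ipv4 | ipv6          -> default port
    host:port | ipv4:port       -> explicit port (exactly one ':')
    [host|ipv4|ipv6]:port       -> explicit port; brackets needed for IPv6
    A bare IPv6 address has several ':' and is never split on ':'.
    """
    if not spec:
        return None
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            return None                   # unterminated bracket
        host, rest = spec[1:end], spec[end + 1:]
        if rest == "":
            port = default_port
        elif rest.startswith(":"):
            port = parse_port(rest[1:])
        else:
            return None                   # junk after the closing bracket
    elif spec.count(":") == 1:
        host, _, port_text = spec.partition(":")
        port = parse_port(port_text)
    else:
        host, port = spec, default_port   # hostname, IPv4 or bare IPv6
    if port is None or not host:
        return None
    if ":" in host:                       # anything with colons must be real IPv6
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    return host, port


if __name__ == "__main__":
    for spec in ("0.0.0.0", "10.0.0.1:2200", "2001:db8::1",
                 "[2001:db8::1]:2222", "2001:db8::1:2222", "10.0.0.1:70000"):
        print(spec, "->", parse_listen_address(spec))
```

The interesting case is "2001:db8::1:2222": it has several colons, so it is treated as a bare IPv6 address (which it is, with the default port), which is exactly why a port on an IPv6 listener needs the bracketed form.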


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.343 16-Nov-2018 djm

use path_absolute() for pathname checks; from Manoj Ampalam


Revision tags: OPENBSD_6_4_BASE
# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
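
As an added illustration of the '+' (rev 1.277) and '=-' (rev 1.304) list prefixes, not OpenSSH's own kex_assemble_names() code: the sample default and available cipher lists below are constructed for the example and are not sshd's real defaults.

```python
"""Resolve sshd_config/ssh_config algorithm list specs that use the '+'
(append to default) and '-' (remove from default) prefixes.
Added illustration of the described semantics; not OpenSSH's own code."""
import fnmatch

# Constructed sample lists for this example; NOT OpenSSH's real defaults.
AVAILABLE_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes128-cbc", "3des-cbc",
]


def _split_names(text):
    """Split a comma-separated list, rejecting empty entries such as 'a,,b'."""
    names = [n.strip() for n in text.split(",")]
    if any(n == "" for n in names):
        raise ValueError("empty entry in algorithm list %r" % text)
    return names


def resolve_algorithm_list(spec, default, available):
    """Return the effective algorithm list for `spec`.

    "+a,b"   appends a and b to the default (names already present are skipped)
    "-pat"   removes every default entry matching the wildcard pattern(s),
             e.g. "-*cbc" drops all CBC ciphers
    "a,b"    replaces the default outright
    """
    spec = spec.strip()
    if spec.startswith("+"):
        result = list(default)
        for name in _split_names(spec[1:]):
            if name not in result:
                result.append(name)
    elif spec.startswith("-"):
        patterns = _split_names(spec[1:])
        result = [a for a in default
                  if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    else:
        result = _split_names(spec)

    # Anything the build does not support is a configuration error, as is
    # a list that ends up empty (it would leave no cipher to negotiate).
    unknown = [a for a in result if a not in available]
    if unknown:
        raise ValueError("unsupported algorithm(s): %s" % ", ".join(unknown))
    if not result:
        raise ValueError("algorithm list is empty after applying %r" % spec)
    return result


if __name__ == "__main__":
    for spec in ("-*cbc", "+aes192-ctr", "aes256-ctr,aes256-gcm@openssh.com"):
        print("%-35s -> %s" % (spec, ",".join(
            resolve_algorithm_list(spec, DEFAULT_CIPHERS, AVAILABLE_CIPHERS))))
```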


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
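
An added example (not sshd's own code) of the decision a start:rate:full MaxStartups value produces, using the same integer arithmetic as sshd's drop_connection(): below `start` nothing is dropped, at `full` everything is, and in between the drop chance rises linearly from `rate` percent.

```python
"""MaxStartups random early drop, modelled on sshd's drop_connection().
Added example; not sshd's own code."""
import random


def parse_max_startups(spec):
    """Parse a MaxStartups value into (start, rate, full).

    A bare number N is the old-style hard limit: drop everything once N
    unauthenticated connections exist (equivalent to N:100:N).
    """
    parts = spec.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n <= 0:
            raise ValueError("MaxStartups must be positive")
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start <= 0 or full < start or not 1 <= rate <= 100:
        raise ValueError("invalid MaxStartups %r" % spec)
    return (start, rate, full)


def drop_probability(unauthenticated, start, rate, full):
    """Percent chance of refusing a new connection while `unauthenticated`
    connections are still in the pre-auth state."""
    if unauthenticated < start:
        return 0
    if unauthenticated >= full:
        return 100
    # Linear ramp from `rate`% at `start` to 100% at `full`, computed with
    # integer arithmetic exactly as sshd does.
    p = 100 - rate
    p = p * (unauthenticated - start) // (full - start)
    return p + rate


def should_drop(unauthenticated, cfg, rng=random):
    """Randomised decision for one incoming connection."""
    start, rate, full = cfg
    return rng.randrange(100) < drop_probability(unauthenticated, start, rate, full)


if __name__ == "__main__":
    new_default = parse_max_startups("10:30:100")
    old_default = parse_max_startups("10")
    for active in (5, 10, 55, 99, 100):
        print("%3d unauthenticated: new %3d%%  old %3d%%" % (
            active, drop_probability(active, *new_default),
            drop_probability(active, *old_default)))
```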


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
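
As an added example, not sshd's auth2.c code, the evaluation of an AuthenticationMethods value against the methods a client has completed so far, covering both this option and the rev 1.291 rules (an empty value is rejected, "any" means no multiple-authentication requirement). Methods in a list are required in the order given, as sshd_config(5) documents.

```python
"""Evaluate sshd_config AuthenticationMethods. Added example modelling the
documented semantics; not sshd's own implementation."""


def parse_authentication_methods(value):
    """Return a list of required-method lists, or [] for the 'any' default."""
    value = value.strip()
    if value == "":
        # rev 1.291: "" is banned; "any" is the way to request the default
        raise ValueError('AuthenticationMethods="" is not allowed; use "any"')
    if value == "any":
        return []
    lists = []
    for item in value.split():
        methods = [m for m in item.split(",") if m]
        if not methods:
            raise ValueError("empty method list in %r" % value)
        lists.append(methods)
    return lists


def auth_state(required, completed):
    """Return (authenticated, next_methods).

    `required` is the parsed option, `completed` the methods the client has
    passed so far, in order. Each list advances only when its next method is
    the one completed; authentication succeeds when any list is exhausted.
    `next_methods` is what the server would offer at this stage.
    """
    if not required:
        # No multiple-authentication requirement: a single success is enough.
        return (len(completed) > 0, set())
    next_methods = set()
    for methods in required:
        pos = 0
        for m in completed:
            if pos < len(methods) and m == methods[pos]:
                pos += 1
        if pos == len(methods):
            return (True, set())
        next_methods.add(methods[pos])
    return (False, next_methods)


if __name__ == "__main__":
    req = parse_authentication_methods(
        "publickey,password publickey,keyboard-interactive")
    for done in ([], ["publickey"], ["publickey", "password"], ["password"]):
        print(done, "->", auth_state(req, done))
```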


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
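
An added example of the matching the commit describes, written in Python rather than taken from addrmatch.c: each comma-separated entry is tried as a CIDR range first and as a classic wildcard pattern otherwise, a leading '!' negates it, and a negated match vetoes the whole list.

```python
"""sshd "Match address"-style list matching: CIDR ranges or wildcard
patterns, each optionally negated with '!'. Added example modelling the
described semantics; not OpenSSH's addrmatch.c."""
import fnmatch
import ipaddress


def addr_match_list(addr, patterns):
    """Return 1 on a positive match, -1 if a negated entry matched, 0 if none.

    As in sshd, a negated match stops evaluation immediately, so
    "192.0.2.0/24,!192.0.2.7" still rejects 192.0.2.7 even though the
    first entry matched it.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an address at all (e.g. a hostname): nothing to match against.
        return 0
    ret = 0
    for entry in patterns.split(","):
        entry = entry.strip()
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            raise ValueError("empty entry in address list %r" % patterns)
        try:
            # Prefer CIDR matching; a bare address is a /32 or /128 network.
            # strict=True rejects host bits set under the mask.
            net = ipaddress.ip_network(entry, strict=True)
            matched = ip.version == net.version and ip in net
        except ValueError:
            # Not a valid CIDR range: fall back to wildcard matching on the
            # textual address ("10.*", "192.0.2.?").
            matched = fnmatch.fnmatchcase(addr, entry)
        if matched:
            if neg:
                return -1
            ret = 1
    return ret


if __name__ == "__main__":
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for a in ("192.0.2.7", "3ffe:ffff::1", "10.1.2.3", "203.0.113.5"):
        print("%-16s %2d" % (a, addr_match_list(a, rule)))
```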


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, e.g., permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.342 20-Sep-2018 djm

actually make CASignatureAlgorithms available as a config option


# 1.341 20-Sep-2018 djm

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
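
The list semantics of the AuthenticationMethods entry above (1.232), plus the later rule from 1.291 that an empty value is rejected and "any" means no multi-method requirement, as an added Python example; this is not OpenSSH code and the class name AuthMethods is this example's own. It assumes that the methods within one list must succeed in the order written (as sshd_config(5) documents) and does not model submethod suffixes such as keyboard-interactive:pam.

```python
"""AuthenticationMethods progress tracking (added example, not OpenSSH code).

spec holds one or more space-separated lists; within a list the comma-separated
methods must all succeed, in the order written, and completing any one list
authenticates the user. 'any' means no multi-method requirement; an empty
value is rejected (servconf.c 1.291). Submethods (method:sub) are not modelled.
"""


class AuthMethods:
    def __init__(self, spec):
        spec = spec.strip()
        if not spec:
            raise ValueError('AuthenticationMethods="" is not permitted')
        self.required = spec.lower() != "any"
        # remaining methods per list; a list shrinks as its methods succeed
        self.lists = [l.split(",") for l in spec.split()] if self.required else []
        if any(m == "" for l in self.lists for m in l):
            raise ValueError("empty method name in AuthenticationMethods")

    def allowed(self, method):
        """A method may be attempted only if it is the next step of some list."""
        return not self.required or any(l and l[0] == method for l in self.lists)

    def complete(self, method):
        """Record a successful method; True once any list is exhausted."""
        if not self.required:
            return True                     # any single successful method suffices
        if not self.allowed(method):
            raise ValueError(f"{method} is not a permitted next method")
        for l in self.lists:
            if l and l[0] == method:
                del l[0]                    # advance every list this method heads
        return any(not l for l in self.lists)

    def remaining(self):
        """Per-list methods still outstanding, for logging."""
        return [",".join(l) for l in self.lists]
```

With "publickey,password publickey,keyboard-interactive", password is refused until publickey has succeeded, and either second factor then finishes authentication.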


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
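
The PermitOpen rules spread over several entries on this page (1.156: the sshd_config directive and the authorized_keys permitopen option must both allow a target; 1.159 and 1.167: the first PermitOpen in a section is the effective setting; 1.166: several host:port values on one line; 1.223: a "*" port wildcard; 1.224: "none"), pulled together in an added Python model. This is not OpenSSH code: hosts are compared as exact strings, which is an assumption of this example, and the wildcard value that 1.167's message calls "all" is spelled "any" here as sshd_config(5) does.

```python
"""Toy model of PermitOpen evaluation (added example, not OpenSSH code).

A PermitOpen value is 'any', 'none' or space-separated host:port entries;
port may be '*' and an IPv6 host is written as [addr]:port. Hosts are
matched as exact strings, an assumption of this example.
"""


def parse_permitopen(value):
    value = value.strip()
    if value.lower() == "any":
        return "any"                   # unrestricted
    if value.lower() == "none":
        return []                      # forbid every forward
    entries = []
    for spec in value.split():
        host, sep, port = spec.rpartition(":")
        if not sep or not host or not port:
            raise ValueError(f"bad PermitOpen entry {spec!r}")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]          # bracketed IPv6 literal
        if port == "*":
            entries.append((host, None))
        elif port.isdigit() and 1 <= int(port) <= 65535:
            entries.append((host, int(port)))
        else:
            raise ValueError(f"bad port in PermitOpen entry {spec!r}")
    return entries


def allowed_by(rules, host, port):
    """True if the rule set permits a forward to host:port."""
    if rules == "any":
        return True
    return any(h == host and p in (None, port) for h, p in rules)


def effective_permitopen(values):
    """Among repeated PermitOpen lines in one section, the first is effective."""
    return parse_permitopen(values[0]) if values else "any"


def open_permitted(config_rules, key_rules, host, port):
    """Both the sshd_config rules and the key's permitopen rules must allow it.
    Pass 'any' as key_rules for a key that carries no permitopen option."""
    return allowed_by(config_rules, host, port) and allowed_by(key_rules, host, port)
```

A key restricted to 192.0.2.10:443 cannot reach localhost:8080 even though the server-wide PermitOpen would allow it; the intersection is what counts.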


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
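
How the Match machinery introduced above (1.153) resolves an effective configuration, with the first-match rule from 1.159 and 1.167, the CIDR/negation/wildcard address matching from 1.181 and "Match all" from 1.243, as an added Python model; this is not OpenSSH code. The connection is described by a dict with user, addr, laddr and lport keys, a shape assumed for this example, and the sample configuration and connections are constructed, not taken from any real host. Only User, Address, LocalAddress and LocalPort criteria are modelled and keywords are not validated.

```python
"""Toy evaluator for sshd_config Match blocks (added example, not OpenSSH code).
Global section: first obtained value wins. Every Match block whose criteria hold
contributes its keywords (first value wins across those blocks) and the collected
values override the global ones. Keywords themselves are not validated here."""
import ipaddress
import re

def _wildcard_match(s, pattern):
    """OpenSSH-style glob: '*' any run, '?' one character, anchored to the whole string."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, s) is not None

def _list_match(value, lst, hit):
    """Comma-separated list with '!' negation: 1 positive match, 0 none, -1 negated hit."""
    ret = 0
    for entry in lst.split(","):
        neg = entry.startswith("!")
        entry = entry[1:] if neg else entry
        if not entry:
            raise ValueError("empty entry in match list")
        if hit(value, entry):
            if neg:
                return -1            # a negated hit wins immediately
            ret = 1
    return ret

def pattern_list_match(s, patterns):
    return _list_match(s, patterns, _wildcard_match)

def _addr_hit(addr, entry):
    """Prefer CIDR/address parsing; fall back to wildcard text matching, e.g. "10.*"."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return _wildcard_match(addr, entry)

def addr_match_list(addr, addr_list):
    ipaddress.ip_address(addr)           # a malformed connection address is an error, not a miss
    return _list_match(addr, addr_list, _addr_hit)

# conn is a dict with user, addr, laddr and lport (a shape assumed for this example).
_CRITERIA = {
    "user": lambda c, v: pattern_list_match(c["user"], v) == 1,
    "address": lambda c, v: addr_match_list(c["addr"], v) == 1,
    "localaddress": lambda c, v: addr_match_list(c["laddr"], v) == 1,
    "localport": lambda c, v: str(c["lport"]) == v,
}

def match_block_applies(args, conn):
    """'Match all' matches everything; otherwise every criterion/value pair must hold."""
    if len(args) == 1 and args[0].lower() == "all":
        return True
    if not args or len(args) % 2:
        raise ValueError("Match needs 'all' or criterion/value pairs")
    for crit, val in zip(args[::2], args[1::2]):
        if crit.lower() not in _CRITERIA:
            raise ValueError(f"unsupported Match criterion {crit!r}")
        if not _CRITERIA[crit.lower()](conn, val):
            return False
    return True

def effective_config(text, conn):
    """Effective {keyword: value} map for one connection."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key.lower() == "match":
            active = match_block_applies(args, conn)
            target = match_opts
            continue
        if active:
            target.setdefault(key.lower(), " ".join(args))   # first value wins
    return {**global_opts, **match_opts}

# Constructed sample configuration and connections (not from any real host).
SAMPLE_CONFIG = """
PasswordAuthentication no
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
Match Address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
Match all
    PasswordAuthentication no   # ignored when an earlier matching block set it
"""
LAN_ALICE = {"user": "alice", "addr": "192.0.2.5", "laddr": "192.0.2.1", "lport": 22}
REMOTE_ANONCVS = {"user": "anoncvs", "addr": "198.51.100.9", "laddr": "192.0.2.1", "lport": 22}
```

alice from 192.0.2.5 gets PasswordAuthentication yes from the Address block and keeps the global AllowTcpForwarding yes; anoncvs from 198.51.100.9 matches neither the Address list nor any negated entry, so only the User block and "Match all" apply. A client from 10.1.2.3 hits the negated "10.*" entry, which makes the Address block not match regardless of the earlier positive entries.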


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
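
The time[qualifier] format described above, as an added example that is not OpenSSH's own convtime() code: a C parser that accepts the forms the commit lists (600, 10m, 1h30m), rejects signs, leading whitespace, unknown qualifiers and values that would overflow, and returns -1 for anything malformed so that a config loader can refuse the line instead of silently accepting a bad value.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Parse a sshd-style time specification: one or more "number[qualifier]"
 * groups, where qualifier is s, m, h, d or w (none means seconds).
 * Returns the total number of seconds, or -1 if the input is empty,
 * starts with a sign or whitespace, uses an unknown qualifier, or would
 * overflow a long. Example code, not OpenSSH's own parser.
 */
long
parse_time_spec(const char *s)
{
	long total = 0;
	const char *p = s;

	if (s == NULL || *s == '\0')
		return -1;

	while (*p != '\0') {
		char *end;
		long long n;
		long mult;

		/* Each group must start with a digit: rejects "-5", "+5", " 5". */
		if (!isdigit((unsigned char)*p))
			return -1;
		errno = 0;
		n = strtoll(p, &end, 10);
		if (errno == ERANGE)
			return -1;

		switch (*end) {
		case '\0':
		case 's': mult = 1; break;
		case 'm': mult = 60; break;
		case 'h': mult = 60 * 60; break;
		case 'd': mult = 24 * 60 * 60; break;
		case 'w': mult = 7 * 24 * 60 * 60; break;
		default:  return -1;	/* unknown qualifier or junk */
		}
		if (*end != '\0')
			end++;

		/* Check for overflow before scaling and before accumulating. */
		if (n > LONG_MAX / mult)
			return -1;
		if (total > LONG_MAX - (long)(n * mult))
			return -1;
		total += (long)(n * mult);
		p = end;
	}
	return total;
}

int
main(int argc, char **argv)
{
	int i;

	for (i = 1; i < argc; i++)
		printf("%s -> %ld\n", argv[i], parse_time_spec(argv[i]));
	return 0;
}
```

Run it as `./a.out 600 10m 1h30m -5` to see the accepted forms and the rejection; the overflow check matters because a value like LoginGraceTime is later multiplied or compared as a signed integer, and a wrapped negative would read as "no limit".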


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok
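
An added example, not servconf.c's own parser, of the tokenizing rules in 1.44, 1.48 and 1.49 (leading whitespace allowed; '=' treated like whitespace between keyword and argument, but at most one of them) together with the case-insensitive keyword lookup of 1.28. The three-entry keyword table is a constructed stand-in for the real one, and unknown keywords come back as oBadOption so the caller can report every bad option rather than stop at the first (1.22).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed keyword table; the opcode names are assumed, not servconf.c's. */
enum opcode { oBadOption = -1, oPort, oListenAddress, oPermitRootLogin };
static const struct { const char *name; enum opcode op; } keywords[] = {
	{ "Port",            oPort },
	{ "ListenAddress",   oListenAddress },
	{ "PermitRootLogin", oPermitRootLogin },
	{ NULL,              oBadOption }
};
#define BLANK(c) ((c) == ' ' || (c) == '\t')

/*
 * Split one config line into keyword and argument. Leading whitespace is
 * allowed; keyword and argument may be separated by any amount of
 * whitespace and at most one '='. Returns 0 on success, 1 for a blank or
 * comment line (nothing to parse), -1 for a malformed line.
 */
int
split_keyword(const char *line, char *kw, size_t kwlen, char *arg, size_t arglen)
{
	const char *p = line;
	size_t n;
	int seen_eq = 0;

	while (BLANK(*p))
		p++;
	if (*p == '\0' || *p == '\n' || *p == '#')
		return 1;
	n = strcspn(p, " \t=\r\n");
	if (n == 0 || n >= kwlen)
		return -1;
	memcpy(kw, p, n);
	kw[n] = '\0';
	p += n;
	for (;;) {
		if (BLANK(*p)) {
			p++;
		} else if (*p == '=') {
			if (seen_eq)
				return -1;	/* "Port==22" or "Port = = 22" */
			seen_eq = 1;
			p++;
		} else
			break;
	}
	/* Remainder of the line, minus trailing whitespace, is the argument. */
	n = strlen(p);
	while (n > 0 && (BLANK(p[n - 1]) || p[n - 1] == '\n' || p[n - 1] == '\r'))
		n--;
	if (n >= arglen)
		return -1;
	memcpy(arg, p, n);
	arg[n] = '\0';
	return 0;
}

/* Case-insensitive keyword lookup; unknown keywords yield oBadOption. */
enum opcode
lookup_keyword(const char *kw)
{
	int i;

	for (i = 0; keywords[i].name != NULL; i++)
		if (strcasecmp(kw, keywords[i].name) == 0)
			return keywords[i].op;
	return oBadOption;
}

/* 1 if line splits into exactly (kw_exp, arg_exp), else 0. */
int
splits_to(const char *line, const char *kw_exp, const char *arg_exp)
{
	char kw[64], arg[256];

	if (split_keyword(line, kw, sizeof(kw), arg, sizeof(arg)) != 0)
		return 0;
	return strcmp(kw, kw_exp) == 0 && strcmp(arg, arg_exp) == 0;
}

/* Return code of split_keyword() for a line, ignoring the tokens. */
int
split_status(const char *line)
{
	char kw[64], arg[256];

	return split_keyword(line, kw, sizeof(kw), arg, sizeof(arg));
}
```

An empty argument is returned as success with arg set to ""; whether that is an error is a per-keyword decision for the caller, which is what the later "reject missing arguments" fixes in this log are about.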


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.340 12-Aug-2018 djm

better diagnostics on alg list assembly errors; ok deraadt@ markus@


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
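
An added example, not the OpenSSH implementation, of the check this commit describes: parse the address part of a user@addr/bits entry with inet_pton(3), bound the prefix length by the address family, refuse the entry at load time otherwise, and match a client address against a valid entry by masking. Function names and the 1/0/-1 conventions are invented for the example; the point is that an entry such as djm@127.1.2.3/55 is rejected before it can ever be consulted.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Parse "addr/bits": 1 on success, 0 if addr is bad or bits exceeds the
 * family's maximum (32 for IPv4, 128 for IPv6). Constructed helper. */
static int
parse_cidr(const char *addr, size_t alen, const char *bits_s,
    unsigned char net[16], int *af, int *bits)
{
	char buf[INET6_ADDRSTRLEN], *end;
	long b, maxbits;
	if (alen == 0 || alen >= sizeof(buf))
		return 0;
	memcpy(buf, addr, alen);
	buf[alen] = '\0';
	if (inet_pton(AF_INET, buf, net) == 1) {
		*af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, net) == 1) {
		*af = AF_INET6;
		maxbits = 128;
	} else
		return 0;
	/* Prefix length: unsigned decimal only, nothing trailing. */
	if (!isdigit((unsigned char)*bits_s))
		return 0;
	errno = 0;
	b = strtol(bits_s, &end, 10);
	if (errno != 0 || *end != '\0' || b > maxbits)
		return 0;
	*bits = (int)b;
	return 1;
}

/* True if ip lies within net/bits; both in network byte order. */
static int
addr_in_net(const unsigned char *net, const unsigned char *ip, int bits)
{
	int full = bits / 8, rem = bits % 8;
	unsigned char mask;
	if (memcmp(net, ip, (size_t)full) != 0)
		return 0;
	if (rem == 0)
		return 1;
	mask = (unsigned char)(0xff << (8 - rem));
	return (net[full] & mask) == (ip[full] & mask);
}

/* Load-time check for an AllowUsers/DenyUsers entry: plain user or
 * user@hostpattern entries are accepted (matched textually later);
 * user@addr/bits must carry a valid CIDR range. 1 = accept, 0 = refuse. */
int
valid_user_addr_spec(const char *spec)
{
	const char *at, *slash;
	unsigned char net[16];
	int af, bits;
	if (spec == NULL || *spec == '\0')
		return 0;
	if ((at = strchr(spec, '@')) == NULL)
		return 1;
	if (at == spec)
		return 0;
	if ((slash = strchr(at + 1, '/')) == NULL)
		return 1;
	return parse_cidr(at + 1, (size_t)(slash - at - 1), slash + 1,
	    net, &af, &bits);
}

/* Match user and client address against a "user@addr/bits" entry:
 * 1 = match, 0 = no match, -1 = entry not of that form or malformed.
 * A malformed entry must never count as a match. */
int
user_addr_match(const char *spec, const char *user, const char *ipstr)
{
	const char *at, *slash;
	unsigned char net[16], ip[16];
	size_t ulen;
	int af, bits;
	if ((at = strchr(spec, '@')) == NULL || at == spec ||
	    (slash = strchr(at + 1, '/')) == NULL)
		return -1;
	if (!parse_cidr(at + 1, (size_t)(slash - at - 1), slash + 1,
	    net, &af, &bits))
		return -1;
	ulen = (size_t)(at - spec);
	if (strlen(user) != ulen || strncmp(spec, user, ulen) != 0)
		return 0;
	if (inet_pton(af, ipstr, ip) != 1)
		return 0;	/* other address family or unparsable */
	return addr_in_net(net, ip, bits);
}
```

Calling valid_user_addr_spec() on every entry while the config is loaded, and treating any 0 as a fatal config error, is what turns a silently always-matching entry into a refusal to start.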


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
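How a "start:rate:full" MaxStartups value such as the new 10:30:100 default turns into a drop decision, as an added Python example that is not OpenSSH's own code. The linear ramp from `rate` percent at `start` connections to 100 percent at `full` follows the sshd_config(5) description of the option; the integer arithmetic and the function names are this example's own choices.

```python
"""Added example (not OpenSSH's own code): how a "start:rate:full"
MaxStartups value, such as the new 10:30:100 default, turns into a drop
decision for a new unauthenticated connection. The linear ramp follows the
sshd_config(5) description of the option; the integer arithmetic and the
function names are this example's own choices."""
import random


def parse_max_startups(spec):
    """Return (start, rate, full) from "start:rate:full" or a bare "start".

    A bare number means no random early drop: refuse at 'start' itself.
    """
    parts = spec.split(":")
    try:
        values = [int(p) for p in parts]
    except ValueError:
        raise ValueError(f"MaxStartups: bad value {spec!r}") from None
    if len(values) == 1:
        start = full = values[0]
        rate = 100
    elif len(values) == 3:
        start, rate, full = values
    else:
        raise ValueError(f"MaxStartups: expected start:rate:full, got {spec!r}")
    if start <= 0 or full < start or not 0 <= rate <= 100:
        raise ValueError(f"MaxStartups: out-of-range values in {spec!r}")
    return start, rate, full


def drop_probability(current, start, rate, full):
    """Percent chance of dropping when 'current' unauthenticated connections
    already exist: 0 below 'start', 'rate' at 'start', rising linearly to
    100 at 'full' (and always 100 at or above 'full')."""
    if current < start:
        return 0
    if current >= full:
        return 100
    return rate + (100 - rate) * (current - start) // (full - start)


def should_drop(current, limits, rng=random):
    """Make the randomized decision; 'rng' is injectable for testing."""
    start, rate, full = limits
    p = drop_probability(current, start, rate, full)
    if p == 0:
        return False
    if p == 100:
        return True
    return rng.randrange(100) < p


if __name__ == "__main__":
    limits = parse_max_startups("10:30:100")
    for n in (5, 10, 55, 99, 100):
        print(n, "unauthenticated connections ->", drop_probability(n, *limits), "% drop")
```

With the 10:30:100 default, the tenth unauthenticated connection is already refused with 30 percent probability and the hundredth is always refused, which is what bounds the work an unauthenticated flood can impose on the listener.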


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
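The list semantics described in this entry (CIDR ranges, negation with a leading "!", and fall-back to classic wildcard matching for entries that are not addresses), as an added Python example that is not OpenSSH's addrmatch.c. The result codes and function names are this example's own; the rule that a matching negated entry wins over any positive entry is reconstructed from the description above.

```python
"""Added example (not OpenSSH's own code): the "Match address" list
semantics described in the commit above, reconstructed in Python. A list is
comma-separated; each entry is a CIDR range, a plain address, or a classic
wildcard pattern; a leading "!" negates the entry."""
import fnmatch
import ipaddress

# Result codes (this example's own naming).
MATCH, NO_MATCH, NEGATED = 1, 0, -1


def _entry_matches(addr, entry):
    """True when 'addr' (an ip_address object) is covered by 'entry'."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address or CIDR range: fall back to wildcard matching on
        # the textual form of the address, e.g. "10.*" or "192.0.2.?".
        return fnmatch.fnmatchcase(str(addr), entry)
    # An IPv4 address never falls inside an IPv6 range and vice versa.
    return addr.version == net.version and addr in net


def match_address_list(addr_str, pattern_list):
    """Evaluate a Match-address style list against one client address.

    Returns MATCH if a positive entry matches, NEGATED as soon as a "!"
    entry matches (a negated match overrides any positive match), and
    NO_MATCH otherwise. Raises ValueError for an unparseable address.
    """
    addr = ipaddress.ip_address(addr_str)
    result = NO_MATCH
    for raw in pattern_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if _entry_matches(addr, entry):
            if negate:
                return NEGATED
            result = MATCH
    return result


if __name__ == "__main__":
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for client in ("192.0.2.7", "10.1.2.3", "3ffe:ffff:1::1", "198.51.100.1"):
        print(client, "->", match_address_list(client, rule))
```

Because a negated entry returns immediately while a positive one only records a provisional match, "192.0.2.0/24,!192.0.2.7" excludes the single host from an otherwise permitted range regardless of the order the entries are written in.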


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
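A minimal model of the Match semantics introduced here, as an added Python example that is not OpenSSH's servconf.c. It also models the later refinements visible on this page: "Match all" (1.243), the first-match rule for a keyword within a section (1.159, 1.167), and the way a matching block overrides the global value. Only "Match User" with comma-separated wildcard patterns and "Match all" are supported; the sample configuration is constructed for the demonstration.

```python
"""Added example (not OpenSSH's own code): a minimal Python model of the
Match semantics described above. Only "Match User ..." (comma-separated
wildcard patterns) and "Match all" are modelled; other criteria raise."""
import fnmatch

# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = """\
AllowTcpForwarding yes
PasswordAuthentication no
Match User anoncvs
    AllowTcpForwarding no
Match User anon*
    AllowTcpForwarding yes    # never wins for anoncvs: an earlier Match set it
    PasswordAuthentication yes
"""


def parse_config(text):
    """Split a config into global directives plus an ordered list of
    (criteria, directives) Match blocks. Keywords are case-insensitive, and
    within one section the first occurrence of a keyword wins."""
    global_opts = {}
    blocks = []
    section = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = rest.split()
            if not words:
                raise ValueError("Match requires criteria or 'all'")
            if [w.lower() for w in words] == ["all"]:
                criteria = {}
            elif len(words) % 2:
                raise ValueError(f"Match: unbalanced criteria {rest!r}")
            else:
                criteria = {words[i].lower(): words[i + 1]
                            for i in range(0, len(words), 2)}
            section = {}
            blocks.append((criteria, section))
        else:
            section.setdefault(keyword, rest)
    return global_opts, blocks


def criteria_match(criteria, user):
    """True when every criterion of a Match line holds for 'user'."""
    for name, patterns in criteria.items():
        if name != "user":
            raise ValueError(f"unsupported Match criterion {name!r}")
        if not any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
            return False
    return True


def effective_options(text, user):
    """Global values, overridden by the first matching Match block that
    sets each keyword; later matching blocks cannot change it again."""
    global_opts, blocks = parse_config(text)
    result = dict(global_opts)
    set_by_match = set()
    for criteria, directives in blocks:
        if not criteria_match(criteria, user):
            continue
        for keyword, value in directives.items():
            if keyword not in set_by_match:
                result[keyword] = value
                set_by_match.add(keyword)
    return result


if __name__ == "__main__":
    for name in ("anoncvs", "anonftp", "alice"):
        print(name, effective_options(SAMPLE_CONFIG, name))
```

For "anoncvs" both blocks match, so AllowTcpForwarding keeps the value from the first block while PasswordAuthentication is taken from the second; for "alice" neither block matches and the global values stand. Reviewing a configuration therefore means reading the Match blocks in order, not just finding the last one that mentions a keyword.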


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@
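A parser for the time[qualifier] sequences described in this entry, as an added Python example that is not OpenSSH's own convtime() code. The overflow ceiling is this example's own choice, chosen to keep the result within a C int; the accepted qualifiers are exactly the ones listed above.

```python
"""Added example (not OpenSSH's own code): a Python parser for the
time[qualifier] sequences described above ("600", "10m", "1h30m"). The
overflow ceiling is this example's own choice, mirroring a C int."""

INT_MAX = 2 ** 31 - 1  # assumed ceiling: keep the result within a C int

# Seconds per qualifier; no qualifier means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(spec):
    """Return the total number of seconds, or raise ValueError.

    A sequence of number[qualifier] groups is accepted, so "1h30m" is
    3600 + 1800. Any character that is neither an ASCII digit nor one of
    the qualifiers is an error, as is a group without a number.
    """
    if not spec:
        raise ValueError("empty time value")
    total = 0
    i, n = 0, len(spec)
    while i < n:
        start = i
        while i < n and "0" <= spec[i] <= "9":
            i += 1
        if start == i:
            raise ValueError(f"expected a number at offset {i} in {spec!r}")
        value = int(spec[start:i])
        qualifier = ""
        if i < n:
            qualifier = spec[i].lower()
            if qualifier not in _UNITS:
                raise ValueError(f"unknown qualifier {spec[i]!r} in {spec!r}")
            i += 1
        total += value * _UNITS[qualifier]
        if total > INT_MAX:
            raise ValueError(f"time value {spec!r} is too large")
    return total


if __name__ == "__main__":
    for spec in ("600", "10m", "1h30m", "2w"):
        print(spec, "->", parse_time(spec), "seconds")
```

Rejecting malformed values outright, rather than silently treating "10x" as 10 seconds, matters for options like LoginGraceTime where a misread value quietly weakens the limit the operator intended.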


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile; we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.339 11-Jul-2018 markus

remove legacy key emulation layer; ok djm@


# 1.338 09-Jul-2018 markus

sshd: switch config to sshbuf API; ok djm@


# 1.337 09-Jul-2018 sf

Revert previous two commits

It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:

date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@

date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression

Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.

ok markus@


# 1.336 06-Jul-2018 sf

Rename COMP_DELAYED to COMP_ZLIB

Only delayed compression is supported nowadays.

ok markus@


# 1.335 04-Jul-2018 djm

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@


# 1.334 03-Jul-2018 djm

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criterion for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
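Added example, not OpenSSH's addrmatch.c: a small C evaluator for the "Match address" semantics this entry describes (CIDR comparison, '!' negation, fall-back to classic wildcard matching), exercised with the entry's own sample list. The struct and function names are this example's own.

```c
/*
 * Added example, not OpenSSH's own addrmatch.c: evaluate a "Match address"
 * list such as "192.0.2.0/24,3ffe:ffff::/32,!10.*" against a client address.
 * CIDR entries are compared as networks, anything else falls back to classic
 * wildcard matching ('*', '?'), and a leading '!' negates an entry.
 */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

struct addr { int af; int len; unsigned char b[16]; };

/* Parse an IPv4 or IPv6 literal; 0 on success, -1 otherwise. */
static int
parse_addr(const char *s, struct addr *a)
{
	if (inet_pton(AF_INET, s, a->b) == 1) { a->af = AF_INET; a->len = 4; return 0; }
	if (inet_pton(AF_INET6, s, a->b) == 1) { a->af = AF_INET6; a->len = 16; return 0; }
	return -1;
}

/* Parse "addr[/prefix]": 0 on success, -1 if not an address, -2 if bad prefix. */
static int
parse_cidr(const char *s, struct addr *net, int *masklen)
{
	char buf[64], *slash, *end;
	long n;

	if (strlen(s) >= sizeof(buf)) return -1;
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) != NULL)
		*slash++ = '\0';
	if (parse_addr(buf, net) != 0)
		return -1;
	if (slash == NULL) { *masklen = net->len * 8; return 0; }	/* bare address: exact host */
	n = strtol(slash, &end, 10);
	if (*slash == '\0' || *end != '\0' || n < 0 || n > net->len * 8)
		return -2;
	*masklen = (int)n;
	return 0;
}

/* Is address a inside net/masklen? Address families must agree. */
static int
net_match(const struct addr *a, const struct addr *net, int masklen)
{
	int i, full = masklen / 8, rem = masklen % 8;
	unsigned char m = (unsigned char)(0xff << (8 - rem));

	if (a->af != net->af)
		return 0;
	for (i = 0; i < full; i++)
		if (a->b[i] != net->b[i])
			return 0;
	return rem == 0 || (a->b[full] & m) == (net->b[full] & m);
}

/* Wildcard match: '*' matches any run of characters, '?' exactly one. */
static int
wild_match(const char *s, const char *p)
{
	for (; *p != '\0'; p++, s++) {
		if (*p == '*') {
			while (*p == '*')
				p++;
			if (*p == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wild_match(s, p))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*p != '?' && *p != *s))
			return 0;
	}
	return *s == '\0';
}

/* 1 if addr matches list, 0 if not (or a negated entry matched), -1 if addr
 * is not an address, -2 if the list is over-long or has a bad CIDR entry. */
int
addr_match_list(const char *addr, const char *list)
{
	struct addr a, net;
	char copy[256], *tok;
	int ret = 0, masklen, neg, r;

	if (parse_addr(addr, &a) != 0) return -1;
	if (strlen(list) >= sizeof(copy)) return -2;
	strcpy(copy, list);
	for (tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
		if ((neg = (*tok == '!')) != 0)
			tok++;
		if ((r = parse_cidr(tok, &net, &masklen)) == -2)
			return -2;
		r = (r == -1) ? wild_match(addr, tok) : net_match(&a, &net, masklen);
		if (r && neg)
			return 0;		/* negated match: definite no */
		ret |= r;			/* matched; a later '!' entry can still veto */
	}
	return ret;
}
```

Entry order matters: a negated entry only vetoes a match if it is reached, so "!10.0.0.0/8" listed before "10.*" rejects 10.5.5.5, and listed after it does too, but only because the scan continues past a positive match.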


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@
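Added example, not OpenSSH's own code: a C parser for the time[qualifier] format this entry describes, summing concatenated parts such as 1h30m and rejecting malformed input. parse_time_spec and qualifier_seconds are names chosen for this example.

```c
/*
 * Added example, not OpenSSH's own code: parse the time format described
 * above, "time[qualifier]" with qualifier <none>, s, m, h, d or w, where
 * several parts may be concatenated ("1h30m"). Returns the total number
 * of seconds, or -1 for anything malformed.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Seconds denoted by one qualifier character; 0 means "not a qualifier". */
static long
qualifier_seconds(char c)
{
	switch (c) {
	case 's': return 1;
	case 'm': return 60;
	case 'h': return 60 * 60;
	case 'd': return 24 * 60 * 60;
	case 'w': return 7 * 24 * 60 * 60;
	default:  return 0;
	}
}

/*
 * A bare number is seconds. Each number may carry one qualifier and
 * number[qualifier] parts may follow each other. Rejects empty input,
 * leading whitespace or sign, a qualifier with no number, unknown
 * qualifiers and values that would overflow a long.
 */
long
parse_time_spec(const char *s)
{
	long total = 0, n, mult;
	const char *p = s;
	char *end;

	if (s == NULL || *s == '\0')
		return -1;
	while (*p != '\0') {
		if (!isdigit((unsigned char)*p))
			return -1;		/* strtol would accept " 5" or "-5"; we do not */
		errno = 0;
		n = strtol(p, &end, 10);
		if (errno == ERANGE || n < 0)
			return -1;
		if ((mult = qualifier_seconds(*end)) != 0)
			end++;			/* consume the qualifier */
		else if (*end == '\0')
			mult = 1;		/* trailing bare number: seconds */
		else
			return -1;		/* unknown qualifier or junk */
		if (n > (LONG_MAX - total) / mult)
			return -1;		/* total would overflow */
		total += n * mult;
		p = end;
	}
	return total;
}

int
main(void)
{
	/* constructed sample inputs, including malformed ones */
	const char *samples[] = { "600", "10m", "1h30m", "2w", "1h30", "1h-5", "m", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %ld\n", samples[i], parse_time_spec(samples[i]));
	return 0;
}
```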


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.333 19-Jun-2018 djm

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@


# 1.332 09-Jun-2018 djm

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@


# 1.331 06-Jun-2018 markus

switch config file parsing to getline(3) as this avoids static limits
noted by gerhard@; ok dtucker@, djm@


# 1.330 06-Jun-2018 djm

permitlisten option for authorized_keys; ok markus@


# 1.329 06-Jun-2018 djm

Add a PermitListen directive to control which server-side addresses
may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@

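The commit above replaces atoi()/strtol() with a checking wrapper around strtonum(3). The following is an added example, not OpenSSH's own code: it shows the same class of check built on the portable strtoll(3)+errno idiom (strtonum(3) itself is BSD-only), rejecting the partial parses, wraparound and negative values that atoi() silently accepts. The function name `config_int` and the error strings are this example's own.

```c
/* Added example, not OpenSSH code: a checking integer-argument parser in
 * the spirit of servconf.c rev 1.322. strtonum(3) is BSD-only, so this
 * uses strtoll(3)+errno to get the same guarantees: no partial parses
 * ("6x"), no silent wraparound, and an explicit [lo, hi] range check. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Parse a config keyword's integer argument. On success returns 0 and
 * stores the value in *out; on failure returns -1 and points *errstr at a
 * short reason ("missing", "invalid", "too small", "too large"), mirroring
 * the strtonum(3) contract so a caller can log "keyword: value: reason".
 */
int
config_int(const char *arg, long long lo, long long hi, long long *out,
    const char **errstr)
{
	char *ep;
	long long v;

	*errstr = NULL;
	if (arg == NULL || *arg == '\0') {
		*errstr = "missing";
		return -1;
	}
	errno = 0;
	v = strtoll(arg, &ep, 10);
	if (ep == arg || *ep != '\0') {
		/* nothing parsed, or trailing garbage such as "6x" or "6 7" */
		*errstr = "invalid";
		return -1;
	}
	if ((errno == ERANGE && v == LLONG_MIN) || v < lo) {
		*errstr = "too small";	/* includes negative counts */
		return -1;
	}
	if ((errno == ERANGE && v == LLONG_MAX) || v > hi) {
		*errstr = "too large";	/* includes overflowed digits */
		return -1;
	}
	*out = v;
	return 0;
}

int
main(void)
{
	/* constructed sample arguments, as an administrator might mistype them */
	const char *samples[] = { "6", "6x", "-1", "", "99999999999999999999" };
	long long v;
	const char *err;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (config_int(samples[i], 0, INT_MAX, &v, &err) == 0)
			printf("MaxAuthTries \"%s\": ok (%lld)\n", samples[i], v);
		else
			printf("MaxAuthTries \"%s\": rejected (%s); atoi() would "
			    "have given %d\n", samples[i], err, atoi(samples[i]));
	}
	return 0;
}
```

The range is passed by the caller so that each keyword can declare its own bounds (a count may start at 0, a port at 1), which is what lets the parser flag rather than clamp bad values.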

# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

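The commit above describes refusing malformed CIDR ranges such as djm@127.1.2.3/55 at configuration load time instead of letting them match every address. The following is an added example, not OpenSSH's own validation code: it splits a "user@host" pattern, and when the host part is written as address/bits it checks the address with inet_pton(3) and bounds the prefix length by address family. The function names and the sample patterns are this example's own.

```c
/* Added example, not OpenSSH code: load-time validation of the address
 * part of AllowUsers/DenyUsers "user@host" patterns, the class of check
 * servconf.c rev 1.299 added. A pattern like djm@127.1.2.3/55 must be
 * refused rather than silently matching everything. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return 0 if spec is a well-formed IPv4/IPv6 address with an optional
 * "/bits" prefix length within the family's limit, -1 otherwise.
 */
int
valid_cidr(const char *spec)
{
	char buf[INET6_ADDRSTRLEN + 4];	/* longest address plus "/128" */
	unsigned char addr[16];
	char *slash, *ep;
	long bits;
	int maxbits;

	if (spec == NULL || strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash != NULL)
		*slash++ = '\0';	/* split "addr/bits" in place */

	if (inet_pton(AF_INET, buf, addr) == 1)
		maxbits = 32;
	else if (inet_pton(AF_INET6, buf, addr) == 1)
		maxbits = 128;
	else
		return -1;	/* not an address at all */

	if (slash == NULL)
		return 0;	/* bare host address, no mask */
	if (!isdigit((unsigned char)*slash))
		return -1;	/* rejects "/", "/-1", "/ 8" */
	bits = strtol(slash, &ep, 10);
	if (*ep != '\0' || bits < 0 || bits > maxbits)
		return -1;	/* e.g. /55 on IPv4, /129 on IPv6 */
	return 0;
}

/*
 * Check one AllowUsers/DenyUsers pattern. Hostname patterns (which may
 * carry wildcards) are left to the runtime matcher; only entries written
 * as address/bits go through the CIDR check, because those are the ones
 * that used to match everything when malformed.
 */
int
valid_user_host_pattern(const char *pat)
{
	const char *at, *host;

	if (pat == NULL || *pat == '\0')
		return -1;
	at = strrchr(pat, '@');
	if (at == NULL)
		return 0;	/* user-only pattern */
	if (at == pat || at[1] == '\0')
		return -1;	/* empty user or empty host */
	host = at + 1;
	if (strchr(host, '/') == NULL)
		return 0;	/* plain host or wildcard pattern */
	return valid_cidr(host);
}

int
main(void)
{
	/* constructed patterns, including the malformed one from the log */
	const char *pats[] = { "djm@127.1.2.3/55", "djm@10.0.0.0/8",
	    "djm@2001:db8::/64", "djm@*.example.com", "djm" };
	size_t i;

	for (i = 0; i < sizeof(pats) / sizeof(pats[0]); i++)
		printf("%-22s %s\n", pats[i],
		    valid_user_host_pattern(pats[i]) == 0 ? "accepted" : "refused");
	return 0;
}
```

Rejecting at load time matters more than it looks: a DenyUsers entry that always matches locks everyone out, while an AllowUsers entry that always matches silently widens access, and neither shows up until someone tries the wrong account.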

# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@

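The default above, 10:30:100, is the "start:rate:full" form of MaxStartups: random early drop begins at 10 pending unauthenticated connections and everything is refused at 100. The following is an added example, not OpenSSH's own code: it parses both forms of the value and computes the drop probability for a given number of pending connections, rising linearly from rate at start to 100% at full. The bounds it enforces (start at least 1, start not above full, rate in 1..100) and the function names are this example's assumptions.

```c
/* Added example, not OpenSSH code: parsing MaxStartups "start:rate:full"
 * (or a single number) and computing the random early drop probability
 * that the rev 1.234 default 10:30:100 describes. The limits enforced
 * here (start >= 1, start <= full, rate in 1..100) are assumptions. */
#include <stdio.h>

/* Returns 0 on success, -1 if the value is malformed or inconsistent. */
int
parse_max_startups(const char *s, int *begin, int *rate, int *full)
{
	int b, r, f, n = 0;

	if (sscanf(s, "%d:%d:%d%n", &b, &r, &f, &n) != 3 || s[n] != '\0') {
		/* not the full form; try a single number meaning "refuse at b" */
		n = 0;
		if (sscanf(s, "%d%n", &b, &n) != 1 || s[n] != '\0')
			return -1;
		r = 100;
		f = b;
	}
	if (b < 1 || b > f || r < 1 || r > 100)
		return -1;
	*begin = b;
	*rate = r;
	*full = f;
	return 0;
}

/*
 * Percentage chance that a new unauthenticated connection is dropped when
 * n are already pending: 0 below begin, rate at begin, rising linearly to
 * 100 at full. The caller decides by comparing a uniform random number in
 * [0,100) against this value, which is what makes the drop "random".
 */
int
drop_probability(int n, int begin, int rate, int full)
{
	if (n < begin)
		return 0;
	if (n >= full)
		return 100;
	return rate + (100 - rate) * (n - begin) / (full - begin);
}

int
main(void)
{
	int b, r, f, n;
	const char *cfg = "10:30:100";	/* the rev 1.234 default */

	if (parse_max_startups(cfg, &b, &r, &f) == -1) {
		printf("bad MaxStartups %s\n", cfg);
		return 1;
	}
	for (n = 0; n <= 100; n += 10)
		printf("%3d pending: %3d%% drop chance\n", n,
		    drop_probability(n, b, r, f));
	return 0;
}
```

The single-number form is the degenerate case where start equals full, so the curve collapses to a hard cut-off; the three-number form is what lets a server under a connection flood keep admitting some legitimate sessions instead of refusing everything at once.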

# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

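The AuthenticationMethods commit above describes the option's structure (space-separated lists of comma-separated method names, any one list completed in full), and rev 1.291 further up the log adds that an empty value is rejected and "any" restores the default single-method behaviour. The following is an added example covering both, not OpenSSH's own parser: it parses a value into its lists, rejects empty entries and unknown method names, and evaluates whether a set of completed methods satisfies the policy. The struct layout, the fixed list sizes and the set of known method names are this example's assumptions.

```c
/* Added example, not OpenSSH code: parse and evaluate an
 * AuthenticationMethods value (servconf.c rev 1.232) with the rev 1.291
 * rules that "" is an error and "any" means one method suffices. */
#include <stdio.h>
#include <string.h>

#define MAX_LISTS	8
#define MAX_METHODS	8
#define METHOD_LEN	32

struct auth_methods {
	int any;			/* "any": one successful method suffices */
	int nlists;
	int nmethods[MAX_LISTS];
	char methods[MAX_LISTS][MAX_METHODS][METHOD_LEN];
};

/* assumed set of server-side method names; unknown names are a config error */
static const char *known_methods[] = { "publickey", "password",
    "keyboard-interactive", "hostbased", "gssapi-with-mic", NULL };

static int
method_known(const char *name)
{
	int i;

	for (i = 0; known_methods[i] != NULL; i++)
		if (strcmp(known_methods[i], name) == 0)
			return 1;
	return 0;
}

/* Parse one comma-separated list occupying s[0..len) into the next slot. */
static int
parse_list(const char *s, size_t len, struct auth_methods *am)
{
	const char *end = s + len;
	char name[METHOD_LEN];
	size_t ml;
	int li = am->nlists;

	if (li >= MAX_LISTS)
		return -1;
	while (s < end) {
		ml = strcspn(s, ",");
		if (s + ml > end)
			ml = end - s;	/* that comma belongs to a later list */
		if (ml == 0 || ml >= sizeof(name))
			return -1;	/* empty entry such as ",publickey" */
		memcpy(name, s, ml);
		name[ml] = '\0';
		if (!method_known(name) || am->nmethods[li] >= MAX_METHODS)
			return -1;
		strcpy(am->methods[li][am->nmethods[li]++], name);
		s += ml;
		if (s < end && *s++ == ',' && s == end)
			return -1;	/* trailing comma: "publickey," */
	}
	am->nlists++;
	return 0;
}

/* Returns 0 and fills *am, or -1 on a configuration error. */
int
parse_auth_methods(const char *value, struct auth_methods *am)
{
	const char *p = value;
	size_t ln;

	memset(am, 0, sizeof(*am));
	if (value == NULL || *value == '\0')
		return -1;	/* AuthenticationMethods="" is banned */
	if (strcmp(value, "any") == 0) {
		am->any = 1;
		return 0;
	}
	while (*p != '\0') {
		ln = strcspn(p, " \t");
		if (ln > 0 && parse_list(p, ln, am) == -1)
			return -1;
		for (p += ln; *p == ' ' || *p == '\t'; p++)
			;
	}
	return am->nlists > 0 ? 0 : -1;	/* whitespace-only value */
}

/* 1 if every method of some list is in done[] (or, for "any", one is). */
int
auth_methods_satisfied(const struct auth_methods *am, const char **done, int ndone)
{
	int i, j, k, found;

	if (am->any)
		return ndone > 0;
	for (i = 0; i < am->nlists; i++) {
		for (j = 0; j < am->nmethods[i]; j++) {
			for (found = k = 0; k < ndone && !found; k++)
				found = strcmp(done[k], am->methods[i][j]) == 0;
			if (!found)
				break;
		}
		if (j == am->nmethods[i])
			return 1;	/* whole list completed */
	}
	return 0;
}

int
main(void)
{
	struct auth_methods am;
	/* constructed policy: a key plus either a password or a second factor */
	const char *cfg = "publickey,password publickey,keyboard-interactive";
	const char *done[] = { "publickey", "keyboard-interactive" };

	if (parse_auth_methods(cfg, &am) == -1)
		return 1;
	printf("%d lists; client with key+kbd-int is %s\n", am.nlists,
	    auth_methods_satisfied(&am, done, 2) ? "authenticated" : "incomplete");
	return 0;
}
```

Rejecting unknown names at parse time is the important defensive property: a misspelled method would otherwise be unsatisfiable in one list but might leave a weaker list as the only usable path.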

# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
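
As an added example (not code from OpenSSH's addrmatch.c or from flowd's addr.c), the following C program implements the matching semantics this message describes for IPv4: CIDR entries, a leading "!" for negation, and fall-back to classic wildcard matching for any entry that does not parse as an address or CIDR block. The return convention (1 positive match, 0 no match, -1 negated entry hit, -2 malformed list), the immediate return on a negated hit, and the handling of IPv6 entries (which here simply fail to parse and fall to wildcard matching) are assumptions of this example, as are the addresses used, which are from the documentation ranges.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classic wildcard match: '*' matches any run (including empty),
 * '?' matches exactly one character. Case-sensitive. */
static int
wild_match(const char *pat, const char *s)
{
	for (; *pat != '\0'; pat++, s++) {
		if (*pat == '*') {
			while (*pat == '*')
				pat++;
			if (*pat == '\0')
				return 1;
			for (; *s != '\0'; s++)
				if (wild_match(pat, s))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s))
			return 0;
	}
	return *s == '\0';
}

/* Parse "a.b.c.d" or "a.b.c.d/len" into a host-order address and mask
 * length (32 if no "/len"). Returns 0 on success, -1 if not IPv4/CIDR. */
static int
parse_cidr4(const char *spec, uint32_t *addr, int *masklen)
{
	char buf[INET_ADDRSTRLEN];
	const char *slash = strchr(spec, '/');
	size_t len = slash ? (size_t)(slash - spec) : strlen(spec);
	struct in_addr in;

	if (len >= sizeof(buf))
		return -1;
	memcpy(buf, spec, len);
	buf[len] = '\0';
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -1;
	if (slash != NULL) {
		char *end;
		long n = strtol(slash + 1, &end, 10);

		if (end == slash + 1 || *end != '\0' || n < 0 || n > 32)
			return -1;
		*masklen = (int)n;
	} else
		*masklen = 32;
	*addr = ntohl(in.s_addr);
	return 0;
}

static int
net_match4(uint32_t a, uint32_t b, int masklen)
{
	uint32_t mask = masklen == 0 ? 0 : 0xffffffffu << (32 - masklen);

	return (a & mask) == (b & mask);
}

/* Evaluate a comma-separated "Match address" list against a client IPv4
 * address. Returns 1 if a positive entry matched (and no later negated
 * entry did), -1 as soon as a negated entry matches, 0 if nothing
 * matched, -2 if the client address or the list is malformed. */
int
addr_match_list4(const char *client, const char *list)
{
	uint32_t caddr, naddr;
	int mlen, ret = 0;
	const char *p = list;

	if (parse_cidr4(client, &caddr, &mlen) != 0 || mlen != 32)
		return -2;
	for (;;) {
		const char *comma = strchr(p, ',');
		size_t n = comma ? (size_t)(comma - p) : strlen(p);
		char tok[64];
		const char *t = tok;
		int neg, hit;

		if (n >= sizeof(tok))
			return -2;
		memcpy(tok, p, n);
		tok[n] = '\0';
		neg = (*t == '!');
		if (neg)
			t++;
		if (*t == '\0')
			return -2;	/* empty entry, e.g. a trailing comma */
		if (parse_cidr4(t, &naddr, &mlen) == 0)
			hit = net_match4(caddr, naddr, mlen);
		else
			hit = wild_match(t, client);	/* wildcard fall-back */
		if (hit && neg)
			return -1;
		if (hit)
			ret = 1;
		if (comma == NULL)
			break;
		p = comma + 1;
	}
	return ret;
}

int
main(void)
{
	const char *list = "192.0.2.0/24,!10.*";	/* constructed sample list */

	printf("%d %d %d\n", addr_match_list4("192.0.2.10", list),
	    addr_match_list4("10.1.2.3", list),
	    addr_match_list4("198.51.100.7", list));
	return 0;
}
```

Note the ordering rule this encodes: a positive hit earlier in the list does not protect against a negated entry later in the same list, so "192.0.2.0/24,!192.0.2.10" still refuses 192.0.2.10.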


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@
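
An added sshd_config fragment (not from the OpenSSH tree) illustrating the configuration this message describes, and how to confirm it with the -T/-C test mode described in 1.182. The global defaults come first and the Match block relaxes them for the local network only; 192.0.2.0/24 is an assumed LAN range from the documentation address space, and alice is an assumed user name.

```sshd_config
# Defaults for everyone: keys only.
PasswordAuthentication no
PubkeyAuthentication yes

# Relax for the local network only. Match lines are evaluated in order
# and a later Match block does not re-enable a directive a user is
# already denied by an earlier matching block.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
```

To check the effective result without opening a listening socket, run `sshd -T -C user=alice,host=client.example,addr=192.0.2.10 | grep -i passwordauthentication` and expect `passwordauthentication yes`; repeat with `addr=198.51.100.7` and expect `no`. Doing this for an address outside the trusted range is the check that matters, because a typo in the CIDR (such as /2 instead of /24) silently widens the exception.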


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.328 10-Apr-2018 djm

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
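As an added illustration of the '+' append form above and the '-' removal form introduced in revision 1.304 (Ciphers=-*cbc), the following Python is example code written for this page, not OpenSSH's own list-assembly logic. The default list is a constructed sample, '-' entries are treated as shell-style wildcard patterns as the commit message shows, and '+' entries are taken as literal names (an assumption of the example; real sshd also checks them against its supported set).

```python
# Added example (not OpenSSH code): resolve a Ciphers/MACs/KexAlgorithms
# value that may carry the '+' (append) or '-' (remove) prefix.
from fnmatch import fnmatchcase

# Constructed sample default list; the real sshd defaults differ by release.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc",
]


def resolve_algorithm_list(spec, default):
    """Return the effective algorithm list for a config value.

    'a,b'    replaces the default outright
    '+a,b'   appends to the default, skipping names already present
    '-p,q'   removes every default entry matching a wildcard pattern
    """
    if not spec:
        raise ValueError("empty algorithm list")
    if spec[0] == "+":
        out = list(default)
        for name in filter(None, spec[1:].split(",")):
            if name not in out:
                out.append(name)
    elif spec[0] == "-":
        patterns = list(filter(None, spec[1:].split(",")))
        out = [a for a in default
               if not any(fnmatchcase(a, p) for p in patterns)]
    else:
        out = list(filter(None, spec.split(",")))
    if not out:
        # e.g. '-*' would disable every algorithm; refuse rather than
        # configure a server that can negotiate nothing
        raise ValueError(f"{spec!r} leaves no algorithms enabled")
    return out


if __name__ == "__main__":
    for value in ("-*cbc", "+3des-cbc", "aes256-gcm@openssh.com"):
        print(value, "->", resolve_algorithm_list(value, DEFAULT_CIPHERS))
```

The removal form is the one to reach for when hardening: it strips a weak family from whatever the release default is without having to restate (and then maintain) the full preferred list.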


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@
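To make the format change concrete, here is an added Python example (not OpenSSH's fingerprint code) that computes both the old MD5 hex fingerprint and the new SHA256 base64 one over the wire-format public key blob that authorized_keys and known_hosts carry in base64. The ed25519 key bytes are constructed filler, not a real key, and the "MD5:" / "SHA256:" prefixes follow the form ssh-keygen prints.

```python
# Added example (not OpenSSH code): fingerprint a public key the way
# FingerprintHash md5 (old default) and sha256 (new default) present it.
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def public_key_blob(key_type, *fields):
    """Build the wire-format public key blob that fingerprints are taken over."""
    return ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)


def fingerprint(blob, alg="sha256"):
    """Fingerprint a key blob in the named hash, formatted like ssh-keygen -l."""
    if alg == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    if alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        # base64 without the trailing '=' padding, as OpenSSH prints it
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"unsupported FingerprintHash {alg!r}")


def fingerprint_key_line(line, alg="sha256"):
    """Fingerprint an authorized_keys-style line: 'type base64-blob [comment]'.

    The blob is decoded and checked to self-identify with the same key type
    as the text column before hashing, so a mangled line is rejected rather
    than silently fingerprinted.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match key line")
    return fingerprint(blob, alg)


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are filler.
SAMPLE_BLOB = public_key_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " test@example"

if __name__ == "__main__":
    for alg in ("md5", "sha256"):
        print(alg, fingerprint_key_line(SAMPLE_LINE, alg))
```

When comparing a fingerprint a user reads out to you against ssh-keygen output, make sure both sides use the same hash: an MD5 colon-hex string and a SHA256 base64 string for the same key look nothing alike, and older documentation or tooling may still emit the former.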


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
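As an added example (not sshd's own sshd.c), the following Python parses a MaxStartups value in both of its forms and reproduces the random early drop decision it drives. The probability ramp (from the rate percentage at start towards 100 at full, in integer arithmetic) follows this editor's reading of sshd's drop_connection(); treat the exact percentages as an assumption to verify against the sshd version you run. The example additionally rejects a start value below 1, which is its own sanity check.

```python
# Added example (not sshd code): MaxStartups parsing and random early drop.
import random


def parse_max_startups(value):
    """Parse 'start:rate:full' or a bare 'start'; returns (start, rate, full).

    'start'  unauthenticated connections before early drop begins
    'rate'   percent of new connections dropped once 'start' is reached
    'full'   connections at which every new one is refused
    A bare number means start == full with rate 100 (no ramp).
    """
    parts = value.strip().split(":")
    try:
        if len(parts) == 3:
            start, rate, full = (int(p) for p in parts)
        elif len(parts) == 1:
            start = full = int(parts[0])
            rate = 100
        else:
            raise ValueError
    except ValueError:
        raise ValueError(f"Invalid MaxStartups spec: {value!r}") from None
    # sshd refuses start > full and a rate outside 1..100; start < 1 is an
    # extra sanity check added in this example
    if start < 1 or start > full or not 1 <= rate <= 100:
        raise ValueError(f"Invalid MaxStartups spec: {value!r}")
    return start, rate, full


def drop_probability(start, rate, full, active):
    """Percent chance a new unauthenticated connection is refused when
    'active' connections are already waiting to authenticate."""
    if active < start:
        return 0
    if active >= full or rate == 100:
        return 100
    # integer ramp from 'rate' at 'start' towards 100 at 'full'
    p = 100 - rate
    p = p * (active - start) // (full - start)
    return p + rate


def should_drop(start, rate, full, active, rng=random):
    """One connection decision; rng is injectable so runs are repeatable."""
    return rng.randrange(100) < drop_probability(start, rate, full, active)


def simulate_drop_rate(value, active, trials=10000, seed=7):
    """Fraction of 'trials' new connections refused at a given load."""
    start, rate, full = parse_max_startups(value)
    rng = random.Random(seed)
    dropped = sum(should_drop(start, rate, full, active, rng) for _ in range(trials))
    return dropped / trials


if __name__ == "__main__":
    for load in (5, 10, 30, 55, 90, 100):
        print(load, drop_probability(10, 30, 100, load),
              simulate_drop_rate("10:30:100", load))
```

Run against the 10:30:100 default this shows the practical effect: below ten pending pre-auth connections nothing is dropped, at ten about a third of new attempts are, and the odds climb linearly until the hundredth connection is refused outright. A single-number value such as "10" has no ramp at all, which is why the three-field form resists a flood better.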


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
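The list-of-lists rule above, together with the later rule from revision 1.291 that an empty value is rejected and "any" restores single-method behaviour, as an added Python example (not sshd's own auth2.c): it parses the option, tracks which lists a client has advanced through, and reports which methods may be attempted next. Method names are compared on the part before any ':' qualifier, the methods within one list are assumed to be required in the listed order, and the set of known method names is a constructed one for the example.

```python
# Added example (not sshd code): AuthenticationMethods parsing and tracking.

# Constructed set of method names for the example; sshd knows its own.
KNOWN_METHODS = {"publickey", "password", "keyboard-interactive",
                 "hostbased", "gssapi-with-mic"}


def _base(method):
    """'keyboard-interactive:bsdauth' -> 'keyboard-interactive'."""
    return method.split(":", 1)[0]


def parse_authentication_methods(value):
    """Return a list of method lists.  [] means 'any': one method suffices.

    Raises ValueError for an empty value or an unknown method name.
    """
    value = value.strip()
    if value == "":
        raise ValueError("AuthenticationMethods must not be empty")
    if value == "any":
        return []
    lists = []
    for group in value.split():
        methods = group.split(",")
        for m in methods:
            if _base(m) not in KNOWN_METHODS:
                raise ValueError(f"unknown authentication method {m!r}")
        lists.append(methods)
    return lists


class MethodTracker:
    """Tracks a client's progress through every method list in parallel."""

    def __init__(self, lists):
        self.lists = lists
        self.progress = [0] * len(lists)

    def allowed(self):
        """Methods the client may attempt now: the next unfinished method of
        each list (what a partial-success reply would advertise)."""
        if not self.lists:
            return set(KNOWN_METHODS)
        return {_base(g[p]) for g, p in zip(self.lists, self.progress)
                if p < len(g)}

    def complete(self, method):
        """Record a successful method.  Returns True once any list is fully
        satisfied.  Raises PermissionError if the method was not allowed."""
        if method not in self.allowed():
            raise PermissionError(f"{method} not permitted at this point")
        if not self.lists:
            return True
        for i, (g, p) in enumerate(zip(self.lists, self.progress)):
            if p < len(g) and _base(g[p]) == method:
                self.progress[i] = p + 1
        return any(p == len(g) for g, p in zip(self.lists, self.progress))


if __name__ == "__main__":
    tracker = MethodTracker(parse_authentication_methods(
        "publickey,password publickey,keyboard-interactive"))
    print(tracker.allowed())
    print(tracker.complete("publickey"), tracker.allowed())
    print(tracker.complete("password"))
```

The practical check this gives you: with "publickey,password publickey,keyboard-interactive" a client that has not yet presented a key is not even offered password, so a password-guessing attacker never reaches that method, while a user with either a password or a keyboard-interactive factor after the key still gets in.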


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
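The matching described above (CIDR entries, '!' negation, fall-back to wildcard matching) and the load-time validation of AllowUsers/DenyUsers address ranges from revision 1.299 (so that a bad mask like 127.1.2.3/55 is refused instead of silently matching everything) share the same CIDR parsing, so here is one added Python example covering both. It is example code for this page, not OpenSSH's addrmatch.c. Two behaviours are this example's assumptions: a negated entry wins as soon as it matches even if an earlier positive entry matched, and a CIDR entry with host bits set is rejected as malformed (a conservative choice; hostnames in AllowUsers patterns are passed through untouched).

```python
# Added example (not OpenSSH's addrmatch.c): Match-address style matching
# and load-time validation of AllowUsers/DenyUsers address ranges.
import ipaddress
from fnmatch import fnmatchcase


def parse_cidr(entry):
    """Return an ip_network for a CIDR range or bare address, None for a
    non-address pattern (wildcards or a hostname), and raise ValueError for
    a malformed CIDR such as 127.1.2.3/55 or one with host bits set."""
    if any(c in entry for c in "*?"):
        return None
    try:
        return ipaddress.ip_network(entry, strict=True)
    except ValueError:
        if "/" in entry:
            raise ValueError(f"invalid CIDR address {entry!r}") from None
        return None


def match_address_list(addr, spec):
    """Match a connection address against 'entry,entry,...'.

    Returns 1 on a positive match, -1 when a '!' entry matches, 0 otherwise.
    A negated entry wins as soon as it matches, even if an earlier positive
    entry already matched; CIDR entries are checked numerically and anything
    else falls back to shell-style wildcard matching on the address text.
    """
    ip = ipaddress.ip_address(addr)
    result = 0
    for entry in spec.split(","):
        negated = entry.startswith("!")
        pattern = entry[1:] if negated else entry
        net = parse_cidr(pattern)
        if net is not None:
            hit = ip.version == net.version and ip in net
        else:
            hit = fnmatchcase(addr, pattern)
        if hit:
            if negated:
                return -1
            result = 1
    return result


def validate_allow_users_entry(entry):
    """Validate one AllowUsers/DenyUsers token, 'user' or 'user@host'.

    Rejects a malformed CIDR in the host part at config-load time instead of
    letting it silently match every address later.  Returns (user, host).
    """
    user, _, host = entry.partition("@")
    if not user:
        raise ValueError(f"missing user in {entry!r}")
    if host:
        parse_cidr(host)  # raises for 127.1.2.3/55 and the like
    return user, host or None


def load_time_check(tokens):
    """Validate a whole AllowUsers line, collecting every bad token."""
    bad = []
    for tok in tokens.split():
        try:
            validate_allow_users_entry(tok)
        except ValueError as e:
            bad.append(str(e))
    return bad


if __name__ == "__main__":
    spec = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for a in ("192.0.2.77", "10.9.8.7", "198.51.100.1"):
        print(a, match_address_list(a, spec))
    print(load_time_check("djm@192.0.2.0/24 djm@127.1.2.3/55"))
```

The load-time check is the part worth copying into any config linter: an address-qualified allow rule that fails to parse should stop the daemon from starting, because the failure mode the 1.299 message describes (an invalid range that always matches) widens access rather than narrowing it.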


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so those
must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
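
The Match semantics described in this entry, together with the CIDR address
matching with negation and wildcard fallback from the 1.181 entry above, as an
added example. This is my own illustration, not code from servconf.c or
addrmatch.c, and it rests on assumptions the log does not spell out: only the
User, Group and Address criteria exist; all criteria on one Match line must
hold; a matching negated ("!") entry in a pattern list rejects outright; the
first value seen in the main section wins, and the first matching Match block
that sets a keyword overrides it. The sample configuration is constructed from
the two entries' examples, and a malformed CIDR entry such as a /55 prefix
raises ValueError instead of silently matching everything.

```python
# Added example, not OpenSSH code: a toy evaluator for the sshd_config "Match"
# semantics of the 1.153 entry plus the CIDR/negation/wildcard address matching
# of the 1.181 entry.  My assumptions: criteria User, Group and Address (all on
# a Match line must hold; each is a comma-separated list); an entry containing
# "/" is CIDR (a bad prefix such as /55 is rejected at load time), anything else
# is a wildcard; "!" negates an entry and a matching negated entry rejects
# outright; first value in the main section wins, first matching block overrides.
import fnmatch
import ipaddress


def _match_list(pattern_list, hit):
    """Shared negation logic: a matching "!" entry rejects, else any hit wins."""
    matched = False
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if hit(entry[1:] if negated else entry):
            if negated:
                return False
            matched = True
    return matched


def match_pattern_list(value, pattern_list):
    """Case-sensitive wildcard list match (Match User / Match Group)."""
    return _match_list(pattern_list, lambda p: fnmatch.fnmatchcase(value, p))


def match_address(addr, pattern_list):
    """CIDR where the entry contains "/", classic wildcard match otherwise."""
    ip = ipaddress.ip_address(addr)
    def hit(pattern):
        if "/" in pattern:
            # a bad prefix length raises ValueError here, at load time, rather
            # than leaving an entry that silently matches everything
            return ip in ipaddress.ip_network(pattern, strict=False)
        return fnmatch.fnmatchcase(addr, pattern)
    return _match_list(pattern_list, hit)


def parse_config(text):
    """Split config text into the main section and a list of Match blocks."""
    main, blocks = [], []
    current = main
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        keyword, args = (line.split(None, 1) + [""])[:2]
        keyword, args = keyword.lower(), args.strip()
        if keyword == "match":
            tokens = args.split()
            if not tokens or len(tokens) % 2:
                raise ValueError("Match needs criterion/pattern pairs: %r" % raw)
            criteria = list(zip((t.lower() for t in tokens[0::2]), tokens[1::2]))
            current = []                              # directives now go here
            blocks.append((criteria, current))
        else:
            current.append((keyword, args))
    return main, blocks


def block_matches(criteria, conn):
    """True when every criterion on the Match line holds for this connection."""
    checks = {
        "user": lambda p: match_pattern_list(conn["user"], p),
        "group": lambda p: any(match_pattern_list(g, p) for g in conn["groups"]),
        "address": lambda p: match_address(conn["address"], p),
    }
    for criterion, patterns in criteria:
        if criterion not in checks:
            raise ValueError("unsupported Match criterion %r" % criterion)
        if not checks[criterion](patterns):
            return False
    return True


def effective_config(text, conn):
    """Effective keyword -> value map for one connection (what -T -C prints)."""
    main, blocks = parse_config(text)
    effective, overrides = {}, {}
    for keyword, args in main:
        effective.setdefault(keyword, args)           # first value wins
    for criteria, directives in blocks:
        if block_matches(criteria, conn):
            for keyword, args in directives:
                overrides.setdefault(keyword, args)   # first matching block wins
    effective.update(overrides)
    return effective

# Constructed sample combining the examples from the 1.153 and 1.181 entries.
SAMPLE_CONFIG = """
PasswordAuthentication no
AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes
"""
```

Evaluating SAMPLE_CONFIG for user "anoncvs" connecting from 10.1.2.3 yields
AllowTcpForwarding no and PasswordAuthentication no: the User block matched,
and the negated 10.* entry kept the address block from applying. For "alice"
from 192.0.2.7 the address block applies and PasswordAuthentication becomes
yes while forwarding stays enabled. This is the kind of per-connection
effective configuration the -T/-C test mode from the 1.182 entry reports.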


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
  600     600 seconds (10 minutes)
  10m     10 minutes
  1h30m   1 hour 30 minutes (90 minutes)
ok markus@
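
The time[qualifier] syntax described in this entry, implemented as an added
example. This is my code, not OpenSSH's own implementation, and it assumes a
few things the entry does not state: qualifiers are accepted in either case, a
bare trailing number means seconds (so "1h30" is 3630 seconds), leading signs
are rejected, and the total is capped at a signed 32-bit value so that an
absurd LoginGraceTime or ClientAliveInterval cannot wrap around to a small
number.

```python
# Added example, not OpenSSH code: a parser for the "time[qualifier]" format of
# the 1.81 entry, e.g. "600", "10m", "1h30m".  My assumptions: qualifiers are
# case-insensitive, a bare trailing number is seconds, "+"/"-" are rejected,
# and the total is capped at a signed 32-bit value so it cannot wrap.
MULTIPLIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_SECONDS = 2**31 - 1


def parse_time(spec):
    """Return the number of seconds spec denotes; raise ValueError if invalid."""
    if not spec:
        raise ValueError("empty time specification")
    total, i = 0, 0
    while i < len(spec):
        j = i
        while j < len(spec) and spec[j] in "0123456789":
            j += 1
        if j == i:                        # qualifier without a number, or a sign
            raise ValueError("expected a number at %r in %r" % (spec[i:], spec))
        value = int(spec[i:j])
        qualifier = spec[j:j + 1].lower()
        if qualifier not in MULTIPLIERS:
            raise ValueError("unknown time qualifier %r in %r" % (qualifier, spec))
        total += value * MULTIPLIERS[qualifier]
        if total > MAX_SECONDS:
            raise ValueError("time value %r too large" % spec)
        i = j + len(qualifier)            # qualifier is empty only at the end
    return total


def is_valid_time(spec):
    """True when spec parses; handy for validating config arguments up front."""
    try:
        parse_time(spec)
        return True
    except ValueError:
        return False
```

parse_time("1h30m") returns 5400 and parse_time("600") returns 600, matching
the entry's examples; "10 m", "m5" and "-5" are refused rather than being
silently truncated the way a plain atoi() would handle them.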


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.327 04-Apr-2018 job

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@


Revision tags: OPENBSD_6_3_BASE
# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was recevied on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306, spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way by Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets have
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fall back to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.326 01-Mar-2018 markus

missing #ifdef for _PATH_HOST_XMSS_KEY_FILE; report by jmc@


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
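
The address-list semantics described in this entry, as an added example (not the addrmatch.c code the commit refers to): comma-separated CIDR entries for IPv4 and IPv6, "!" negation that vetoes the whole list wherever it appears, and fall-back to "*"/"?" wildcard matching for entries that are not valid CIDR, such as the "10.*" above. The return codes (1, 0, -1, -2) and the fail-closed handling of malformed CIDR entries are this example's own choices.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct cidr {
    int family;               /* AF_INET or AF_INET6 */
    unsigned char addr[16];   /* network-order bytes; 4 or 16 used */
    int prefix;               /* mask length in bits */
};

/* Parse "a.b.c.d/len" or "x::y/len"; a bare address gets a full-length mask.
 * Returns 0 on success, -1 if the address or the mask length is malformed. */
static int parse_cidr(const char *spec, struct cidr *out)
{
    char buf[64], *slash, *end;
    long len, maxlen;
    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';
    out->family = AF_INET;
    if (inet_pton(AF_INET, buf, out->addr) != 1) {
        out->family = AF_INET6;
        if (inet_pton(AF_INET6, buf, out->addr) != 1)
            return -1;
    }
    maxlen = out->family == AF_INET ? 32 : 128;
    if (slash == NULL) {               /* bare address: host mask */
        out->prefix = (int)maxlen;
        return 0;
    }
    len = strtol(slash, &end, 10);
    if (*slash == '\0' || *end != '\0' || len < 0 || len > maxlen)
        return -1;
    out->prefix = (int)len;
    return 0;
}

/* True if addr lies inside net: same family and the first prefix bits equal. */
static int cidr_contains(const struct cidr *net, const struct cidr *addr)
{
    int full = net->prefix / 8, rem = net->prefix % 8;
    unsigned char mask;
    if (net->family != addr->family || memcmp(net->addr, addr->addr, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (unsigned char)(0xff << (8 - rem));
    return (net->addr[full] & mask) == (addr->addr[full] & mask);
}

/* Classic wildcard fallback: '*' matches any run, '?' any single character. */
static int wild_match(const char *pat, const char *s)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*')
        return wild_match(pat + 1, s) || (*s != '\0' && wild_match(pat, s + 1));
    if (*s != '\0' && (*pat == '?' || *pat == *s))
        return wild_match(pat + 1, s + 1);
    return 0;
}

/* Evaluate a "Match address" list against one client address.  Returns 1 if
 * an entry matches, 0 if none does, -1 if a negated ("!") entry matches
 * (a veto, wherever it appears in the list), and -2 if the client address
 * or an explicit CIDR entry is malformed: a typo fails closed, never open. */
int match_address_list(const char *list, const char *client)
{
    struct cidr c, net;
    char buf[256], *tok, *next;
    int ret = 0, hit, negate;
    if (parse_cidr(client, &c) != 0 || strlen(list) >= sizeof(buf))
        return -2;
    strcpy(buf, list);
    for (tok = buf; tok != NULL; tok = next) {
        if ((next = strchr(tok, ',')) != NULL)
            *next++ = '\0';
        if ((negate = (*tok == '!')) != 0)
            tok++;
        if (parse_cidr(tok, &net) == 0)             /* CIDR or bare address */
            hit = cidr_contains(&net, &c);
        else if (strchr(tok, '/') != NULL)          /* malformed explicit CIDR */
            return -2;
        else                                        /* e.g. "10.*" */
            hit = wild_match(tok, client);
        if (hit && negate)
            return -1;
        if (hit)
            ret = 1;
    }
    return ret;
}
```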


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
    AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
    <none>, s, m, h, d, w
Examples:
    600      600 seconds (10 minutes)
    10m      10 minutes
    1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
    ListenAddress host|ipv4_addr|ipv6_addr
permit:
    ListenAddress [host|ipv4_addr|ipv6_addr]:port
    ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.325 23-Feb-2018 markus

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)

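The failure mode described in this entry is fail-open: a malformed range such as 127.1.2.3/55 was treated as matching every client. The code below is an added example written for this page, not sshd's own match/addrmatch code; it shows the load-time validation a server should perform on the address part of a "user@addr[/len]" pattern and the matching that follows. Assumptions: IPv4 only, and only CIDR ranges in the address part (sshd also accepts hostname and wildcard patterns there, which this example does not cover). Every malformed input returns -1 so the caller can refuse the configuration instead of silently accepting it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of validating and matching IPv4 CIDR ranges of the
 * kind used in AllowUsers/DenyUsers "user@addr/len" patterns. Not
 * sshd's own code; IPv4 and CIDR only.
 */

/* Parse dotted-quad text (len bytes) into a host-order 32-bit value. */
static int
parse_ipv4(const char *s, size_t len, unsigned long *out)
{
	unsigned long v = 0, octet;
	int noctets = 0;
	size_t i = 0;

	while (i < len) {
		size_t start = i;

		octet = 0;
		while (i < len && s[i] >= '0' && s[i] <= '9') {
			octet = octet * 10 + (unsigned long)(s[i] - '0');
			if (octet > 255)
				return -1;
			i++;
		}
		if (i == start)
			return -1;	/* expected digits, found none */
		v = (v << 8) | octet;
		noctets++;
		if (i < len) {
			if (s[i] != '.' || noctets == 4)
				return -1;
			i++;
			if (i == len)
				return -1;	/* trailing dot */
		}
	}
	if (noctets != 4)
		return -1;
	*out = v;
	return 0;
}

/* Parse "a.b.c.d" or "a.b.c.d/len"; a prefix length outside 0..32 is rejected. */
static int
parse_cidr(const char *spec, unsigned long *net, unsigned long *mask)
{
	const char *slash = strchr(spec, '/');
	size_t netlen = slash ? (size_t)(slash - spec) : strlen(spec);
	long bits = 32;

	if (parse_ipv4(spec, netlen, net) != 0)
		return -1;
	if (slash != NULL) {
		char *end;

		if (slash[1] < '0' || slash[1] > '9')
			return -1;	/* "/", "/-1", "/ 8" */
		bits = strtol(slash + 1, &end, 10);
		if (*end != '\0' || bits > 32)
			return -1;	/* this is where 127.1.2.3/55 is refused */
	}
	/* shifting a 32-bit value by 32 is undefined, so special-case /0 */
	*mask = bits == 0 ? 0 : (0xffffffffUL << (32 - bits)) & 0xffffffffUL;
	return 0;
}

/* 1 if addr is inside spec, 0 if not, -1 if either is malformed. */
int
cidr_match(const char *spec, const char *addr)
{
	unsigned long net, mask, host;

	if (parse_cidr(spec, &net, &mask) != 0 ||
	    parse_ipv4(addr, strlen(addr), &host) != 0)
		return -1;
	return (net & mask) == (host & mask);
}

/* Load-time check for a "user@addr[/len]" pattern: 0 accept, -1 reject. */
int
validate_user_cidr_pattern(const char *pat)
{
	const char *at = strchr(pat, '@');
	unsigned long net, mask;

	if (at == NULL)
		return 0;	/* user-only pattern, nothing to validate here */
	if (at == pat || at[1] == '\0')
		return -1;	/* empty user or empty address part */
	return parse_cidr(at + 1, &net, &mask);
}

int
main(void)
{
	printf("djm@127.1.2.3/55 valid: %d\n",
	    validate_user_cidr_pattern("djm@127.1.2.3/55"));
	printf("192.0.2.77 in 192.0.2.0/24: %d\n",
	    cidr_match("192.0.2.0/24", "192.0.2.77"));
	return 0;
}
```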

# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@

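The begin:rate:full form of MaxStartups is documented in sshd_config(5) as: refuse new unauthenticated connections with probability rate/100 once begin of them exist, with the probability rising linearly until everything is refused at full. The code below is an added example written for this page, not sshd's own drop_connection() implementation; it parses the value (treating a plain "N" as N:100:N, i.e. refuse everything at N), applies the same sanity limits a server should enforce before trusting the numbers, and exposes the decision with the random draw passed in so it can be tested deterministically.

```c
#include <stdio.h>

/*
 * Added illustration of the MaxStartups begin:rate:full semantics
 * (e.g. the 10:30:100 default set in this commit). Not sshd's own code.
 */
struct max_startups {
	int begin;	/* start dropping at this many pre-auth connections */
	int rate;	/* refusal probability (percent) at `begin` */
	int full;	/* refuse every connection at this many */
};

/* Parse a MaxStartups value: 0 on success, -1 if malformed or out of range. */
int
parse_max_startups(const char *spec, struct max_startups *ms)
{
	int n;

	n = sscanf(spec, "%d:%d:%d", &ms->begin, &ms->rate, &ms->full);
	if (n == 1) {
		/* plain "N": hard limit, no random early drop */
		ms->rate = 100;
		ms->full = ms->begin;
	} else if (n != 3)
		return -1;
	if (ms->begin < 1 || ms->rate < 1 || ms->rate > 100 ||
	    ms->full < ms->begin)
		return -1;
	return 0;
}

/*
 * Percentage of new connections to refuse when `startups`
 * unauthenticated connections already exist: 0 below begin, rate at
 * begin, rising linearly to 100 at full and beyond.
 */
int
refuse_percent(const struct max_startups *ms, int startups)
{
	if (startups < ms->begin)
		return 0;
	if (startups >= ms->full)
		return 100;
	return ms->rate + (100 - ms->rate) * (startups - ms->begin) /
	    (ms->full - ms->begin);
}

/* Per-connection decision, given a uniformly random r in 0..99. */
int
should_drop(const struct max_startups *ms, int startups, int r)
{
	return r < refuse_percent(ms, startups);
}

/* Parse and evaluate in one step; -1 if the spec is invalid. */
int
refuse_percent_for(const char *spec, int startups)
{
	struct max_startups ms;

	if (parse_max_startups(spec, &ms) != 0)
		return -1;
	return refuse_percent(&ms, startups);
}

int
main(void)
{
	int s;

	for (s = 0; s <= 100; s += 10)
		printf("%3d unauthenticated connections: refuse %3d%%\n",
		    s, refuse_percent_for("10:30:100", s));
	return 0;
}
```

Note the validation order: full must not be below begin, otherwise the interpolation divides by zero or goes negative, and rate must be 1..100 or the probability is meaningless. Rejecting the value at parse time is what keeps a typo in sshd_config from silently disabling the protection.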

# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

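The AuthenticationMethods rule above (one or more space-separated lists, each a comma-separated sequence, all methods of at least one list required) and the later 1.291 rule (an empty value is banned, "any" means no multi-method requirement) are both easy to mis-implement in a fail-open way, for example by treating an empty list as trivially satisfied. The function below is an added example written for this page, not sshd's auth2.c logic. Assumptions: method names are compared verbatim, so device qualifiers such as "keyboard-interactive:pam" are not interpreted, and the completed-methods list is supplied by the caller.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of AuthenticationMethods evaluation. Not sshd's own
 * code. A spec is a space-separated set of alternatives; each
 * alternative is a comma-separated list of methods that must all have
 * succeeded. "any" is satisfied by any single completed method; "" is
 * invalid (revision 1.291).
 */

/* Has the method `name` (len bytes, not NUL-terminated) already succeeded? */
static int
method_done(const char *name, size_t len, const char **done, size_t ndone)
{
	size_t i;

	for (i = 0; i < ndone; i++)
		if (strlen(done[i]) == len && strncmp(done[i], name, len) == 0)
			return 1;
	return 0;
}

/*
 * Returns 1 if the methods in done[] satisfy spec, 0 if more
 * authentication is still required, -1 if spec is malformed.
 */
int
auth_methods_satisfied(const char *spec, const char **done, size_t ndone)
{
	const char *p = spec;
	size_t len;
	int nlists = 0;

	if (spec == NULL || *spec == '\0')
		return -1;		/* AuthenticationMethods="" is banned */
	if (strcmp(spec, "any") == 0)
		return ndone > 0 ? 1 : 0;

	while (*p != '\0') {
		int all_done = 1;

		p += strspn(p, " \t");	/* skip blanks between alternatives */
		if (*p == '\0')
			break;
		nlists++;
		/* walk one comma-separated list of required methods */
		for (;;) {
			len = strcspn(p, ", \t");
			if (len == 0)
				return -1;	/* empty name, e.g. ",password" or "a,," */
			if (!method_done(p, len, done, ndone))
				all_done = 0;	/* keep scanning to validate the rest */
			p += len;
			if (*p != ',')
				break;
			p++;
		}
		if (all_done)
			return 1;	/* every method of this alternative succeeded */
	}
	return nlists > 0 ? 0 : -1;	/* blanks only: invalid */
}

int
main(void)
{
	const char *spec = "publickey,password publickey,keyboard-interactive";

	printf("publickey only: %d\n", auth_methods_satisfied(spec,
	    (const char *[]){ "publickey" }, 1));
	printf("publickey+password: %d\n", auth_methods_satisfied(spec,
	    (const char *[]){ "publickey", "password" }, 2));
	return 0;
}
```

The inner loop deliberately keeps scanning after the first missing method rather than breaking early, so that a malformed tail such as "publickey,,password" is still reported as -1 instead of being accepted once the policy happens to be unsatisfied.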

# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600 600 seconds (10 minutes)
10m 10 minutes
1h30m 1 hour 30 minutes (90 minutes)
ok markus@
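The time[qualifier] syntax described in this commit, as an added example parser that is not OpenSSH's own code: it accepts chained components such as "1h30m", treats a missing qualifier as seconds, and returns -1 for an empty string, an unknown qualifier, a qualifier with no number, or a total that would overflow a long (the function name parse_time_spec is this example's own).

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/*
 * Added example, not OpenSSH code: parse a time specification of the
 * form time[qualifier][time[qualifier]...], where each time is a run of
 * decimal digits and qualifier is one of s, m, h, d, w (a missing
 * qualifier means seconds). Returns the total in seconds, or -1 if the
 * string is empty, a component lacks digits, a qualifier is unknown, or
 * the value would overflow a long.
 */
long
parse_time_spec(const char *s)
{
	long total = 0;

	if (s == NULL || *s == '\0')
		return -1;
	while (*s != '\0') {
		long value = 0, mult;

		/* Every component must begin with at least one digit. */
		if (!isdigit((unsigned char)*s))
			return -1;
		while (isdigit((unsigned char)*s)) {
			int d = *s - '0';

			/* Refuse digit runs that would overflow a long. */
			if (value > (LONG_MAX - d) / 10)
				return -1;
			value = value * 10 + d;
			s++;
		}
		switch (*s) {
		case '\0':
		case 's':
			mult = 1;
			break;
		case 'm':
			mult = 60;
			break;
		case 'h':
			mult = 60 * 60;
			break;
		case 'd':
			mult = 24 * 60 * 60;
			break;
		case 'w':
			mult = 7 * 24 * 60 * 60;
			break;
		default:
			return -1;	/* unknown qualifier */
		}
		if (*s != '\0')
			s++;
		/* Check the multiplication and the running sum for overflow. */
		if (value > LONG_MAX / mult)
			return -1;
		value *= mult;
		if (total > LONG_MAX - value)
			return -1;
		total += value;
	}
	return total;
}

int
main(void)
{
	/* Constructed sample inputs: the three from the commit plus bad ones. */
	const char *samples[] = { "600", "10m", "1h30m", "2w", "10x", "m", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %ld\n", samples[i], parse_time_spec(samples[i]));
	return 0;
}
```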


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we dont need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.324 16-Feb-2018 djm

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth compression has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@
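The "+" (rev 1.277) and "=-" (rev 1.304) list-editing semantics, as an added example written for this page; it is not OpenSSH's own kex_assemble_names() code. The default and supported cipher lists are constructed for the example, not copied from any OpenSSH release, and the rules that unknown names are rejected and that an empty result is an error are assumptions stated in the code.

```python
# Added example, not OpenSSH's own kex_assemble_names(): the list-editing
# semantics from revs 1.277 ("+" appends to the default) and 1.304 ("-"
# removes matching entries); a plain list replaces the default outright.
# SUPPORTED and DEFAULT_CIPHERS are constructed sample data for this example.
import fnmatch

SUPPORTED = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes256-cbc", "3des-cbc",
]
DEFAULT_CIPHERS = SUPPORTED[:6]   # the *-cbc entries are supported but off


def _names(s):
    out = [n for n in s.split(",") if n]
    if not out:
        raise ValueError("empty algorithm list")
    return out


def assemble_algorithms(default, spec, supported=SUPPORTED):
    """Apply a Ciphers/MACs/KexAlgorithms-style spec to `default`.
    '+a,b'  -> default followed by a and b (names already present are skipped)
    '-pat'  -> default minus every entry matching one of the wildcard patterns
    'a,b'   -> exactly a and b
    Assumptions: unknown names are rejected, and ending up with an empty list
    is a configuration error."""
    if spec.startswith("+"):
        result = list(default)
        for name in _names(spec[1:]):
            if name not in result:
                result.append(name)
    elif spec.startswith("-"):
        patterns = _names(spec[1:])
        result = [n for n in default
                  if not any(fnmatch.fnmatchcase(n, p) for p in patterns)]
    else:
        result = _names(spec)
    unknown = [n for n in result if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ",".join(unknown))
    if not result:
        raise ValueError("no algorithms left after applying %r" % spec)
    return result


def algorithm_spec_is_valid(default, spec):
    """Config-load style check: True if the spec applies cleanly."""
    try:
        assemble_algorithms(default, spec)
        return True
    except ValueError:
        return False
```

Applying "+aes256-cbc" and then "-*cbc" to the default round-trips back to the default, which is the point of rev 1.304: operators can strip whole families (here every CBC mode) without having to restate the full list.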


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
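The AuthenticationMethods state machine described above (rev 1.232) together with the rev 1.291 rules that "" is rejected and "any" means no multi-method requirement, as an added example written for this page; it is not OpenSSH's auth2.c. The assumption that a method completed out of order invalidates the list it does not fit is a simplification of sshd's per-list tracking and is labelled in the code.

```python
# Added example (not OpenSSH's auth2.c): AuthenticationMethods tracking as
# revs 1.232 and 1.291 describe it.  The spec is a space-separated set of
# comma-separated lists; the client must complete every method of at least
# one list, in the order given.  "" is rejected, "any" imposes no requirement.
# Assumption: a success that does not match a list's next method drops that
# list, a simplification of sshd's per-list bookkeeping.


class AuthMethods:
    def __init__(self, spec):
        spec = spec.strip()
        if spec == "":
            raise ValueError('AuthenticationMethods="" is not allowed')
        self.any = spec == "any"
        self.lists = [] if self.any else [item.split(",") for item in spec.split()]
        for lst in self.lists:
            if "" in lst:
                raise ValueError("empty method name in %r" % spec)
        self.progress = [0] * len(self.lists)
        self.done = False

    def offered(self):
        """Methods sshd would advertise next; None means 'every enabled method'."""
        if self.any:
            return None
        return {lst[pos] for lst, pos in zip(self.lists, self.progress)
                if pos < len(lst)}

    @property
    def failed(self):
        """True once no list can still be satisfied."""
        return not self.any and not self.lists

    def record_success(self, method):
        """Account for one successfully completed method; return True when
        authentication as a whole is complete."""
        if self.done:
            return True
        if self.any:
            self.done = True
            return True
        survivors = [(lst, pos + 1)
                     for lst, pos in zip(self.lists, self.progress)
                     if pos < len(lst) and lst[pos] == method]
        self.lists = [lst for lst, _ in survivors]
        self.progress = [pos for _, pos in survivors]
        self.done = any(pos == len(lst) for lst, pos in survivors)
        return self.done


def methods_spec_is_valid(spec):
    """Config-load style check for the AuthenticationMethods value."""
    try:
        AuthMethods(spec)
        return True
    except ValueError:
        return False
```

With "publickey,password publickey,keyboard-interactive" the server first offers only publickey; after that succeeds it offers password or keyboard-interactive, and either completes authentication. A password success before any public key drops both lists, which is the behaviour an operator relying on "pubkey first" should confirm when testing a Match block.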


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
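The "Match address" evaluation described above (rev 1.181: CIDR ranges, "!" negation and wildcard fall-back) together with the configuration-load validation of rev 1.299 (rejecting ranges such as 127.1.2.3/55 instead of letting them match everything), as an added example written for this page; it is not OpenSSH's addrmatch.c. EXAMPLE_SPEC is the list from the commit text. Two assumptions are labelled in the code: host bits set below the mask are tolerated, and the wildcard fall-back uses Python's fnmatch, which also honours [] classes that OpenSSH's matcher does not.

```python
# Added example, not OpenSSH's addrmatch.c: "Match address" style matching
# (rev 1.181) plus the load-time range validation of rev 1.299.
import fnmatch
import ipaddress

EXAMPLE_SPEC = "192.0.2.0/24,3ffe:ffff::/32,!10.*"   # taken from the commit text


def _as_network(pattern):
    """Return an ip_network for CIDR-shaped entries, None for other entries.
    Raises ValueError for malformed ranges such as 127.1.2.3/55.
    Assumption: host bits set below the mask are tolerated (strict=False)."""
    if "/" not in pattern:
        return None
    return ipaddress.ip_network(pattern, strict=False)


def validate_address_list(spec):
    """Configuration-load check in the spirit of rev 1.299: False if any
    CIDR-shaped entry is invalid or any entry is empty."""
    try:
        for entry in spec.split(","):
            pattern = entry[1:] if entry.startswith("!") else entry
            if pattern == "":
                return False
            _as_network(pattern)
    except ValueError:
        return False
    return True


def match_address_list(addr, spec):
    """True if addr matches spec.  A negated entry that matches vetoes the
    whole list immediately; a positive match is remembered but later
    negated entries can still veto it.  spec is assumed validated."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in spec.split(","):
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        net = _as_network(pattern)
        if net is not None:
            hit = ip.version == net.version and ip in net
        else:
            # wildcard fall-back on the address text; assumption: fnmatch's
            # extra [] syntax is acceptable for this example
            hit = fnmatch.fnmatchcase(addr, pattern)
        if hit:
            if negate:
                return False
            matched = True
    return matched
```

The rev 1.299 point is visible in validate_address_list: a list containing 127.1.2.3/55 is refused at load time rather than silently matching every client. For AllowUsers/DenyUsers the address part follows "user@"; split that off before calling the validator.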


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
600      600 seconds (10 minutes)
10m      10 minutes
1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistence with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.323 09-Feb-2018 dtucker

Remove unused sKerberosTgtPassing from enum. From calestyo via github
pull req #11, ok djm@


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt case-
sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
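The drop curve that a start:rate:full setting produces, as an added example that is not sshd's own code: the ramp shape (rate% at "start", rising linearly to 100% at "full", and a bare number acting as a hard limit) is the behaviour sshd_config(5) documents; the function and struct names are this example's own.

```c
/*
 * Added example, not sshd's own code: the random early drop policy that
 * MaxStartups start:rate:full describes, written as pure functions so the
 * effect of a setting can be examined before it is deployed.
 */
#include <stdio.h>
#include <stdlib.h>

struct max_startups {
	int begin;	/* "start": unauthenticated connections before dropping begins */
	int rate;	/* "rate": drop probability (percent) once "start" is reached */
	int full;	/* "full": every new connection is refused at this count */
};

/*
 * Parse "start:rate:full" or a bare "max". A bare number behaves as a hard
 * limit (begin == full). Returns 0 on success, -1 on a malformed or
 * inconsistent value.
 */
int parse_max_startups(const char *spec, struct max_startups *m)
{
	int n = sscanf(spec, "%d:%d:%d", &m->begin, &m->rate, &m->full);
	if (n == 1) {
		m->rate = 100;
		m->full = m->begin;
	} else if (n != 3)
		return -1;
	if (m->begin < 1 || m->rate < 1 || m->rate > 100 || m->full < m->begin)
		return -1;
	return 0;
}

/* Percentage chance that a new connection is dropped at this load. */
int drop_probability(const struct max_startups *m, int startups)
{
	if (startups < m->begin)
		return 0;
	if (startups >= m->full)
		return 100;
	/* Linear ramp from rate% at begin to 100% at full. */
	return m->rate + (100 - m->rate) * (startups - m->begin) / (m->full - m->begin);
}

/* Parse and evaluate in one call; -1 if the spec is invalid. */
int drop_probability_for(const char *spec, int startups)
{
	struct max_startups m;
	if (parse_max_startups(spec, &m) != 0)
		return -1;
	return drop_probability(&m, startups);
}

/* Decide one connection given a uniform random value r in [0, 100). */
int should_drop(const struct max_startups *m, int startups, int r)
{
	return r < drop_probability(m, startups);
}

int main(void)
{
	/* Old hard limit beside the new default from this commit. */
	const char *specs[] = { "10", "10:30:100" };
	struct max_startups m;
	srand(1);
	for (int s = 0; s < 2; s++) {
		if (parse_max_startups(specs[s], &m) != 0)
			continue;
		printf("MaxStartups %s\n", specs[s]);
		for (int load = 0; load <= 100; load += 10)
			printf("  %3d pending: drop %3d%%, this one %s\n", load,
			    drop_probability(&m, load),
			    should_drop(&m, load, rand() % 100) ? "dropped" : "accepted");
	}
	return 0;
}
```

Reading the table for 10:30:100 shows why the new default is gentler than the old hard limit of 10: a burst of unauthenticated connections is shed gradually instead of refusing everyone once ten are pending.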


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@
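A model of the "all methods in any one list" rule, as an added example that is not sshd's auth2.c: it assumes methods within a list must succeed in the order written (which is how sshd offers them, since only the head of each list is acceptable next) and uses its own function names and fixed-size buffers.

```c
/*
 * Added example, not sshd's auth2.c: a model of how an AuthenticationMethods
 * specification is evaluated. The spec holds one or more lists separated by
 * spaces; within a list the comma-separated methods must all succeed, in
 * order, and completing any one list completes authentication. "completed"
 * is the comma-separated sequence of methods the client has succeeded with.
 */
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 8
#define METHOD_LEN 32

/* Split a comma-separated run of slen bytes into tokens; count, or -1 on an empty or oversize token. */
static int split_commas(const char *s, size_t slen, char out[][METHOD_LEN])
{
	int n = 0;
	size_t i = 0;
	while (i <= slen) {
		size_t start = i;
		while (i < slen && s[i] != ',') i++;
		size_t len = i - start;
		if (len == 0 || len >= METHOD_LEN || n == MAX_METHODS) return -1;
		memcpy(out[n], s + start, len);
		out[n++][len] = '\0';
		i++;	/* step over the comma, or past the end */
	}
	return n;
}

/* Append a method to the "still on offer" string, once. */
static void offer(char *next, size_t nextlen, const char *m)
{
	const char *q;
	if (next == NULL || nextlen == 0) return;
	for (q = next; *q != '\0';) {
		const char *c = strchr(q, ',');
		size_t l = c ? (size_t)(c - q) : strlen(q);
		if (l == strlen(m) && memcmp(q, m, l) == 0) return;	/* already listed */
		if (c == NULL) break;
		q = c + 1;
	}
	if (strlen(next) + strlen(m) + 2 > nextlen) return;
	if (*next != '\0') strcat(next, ",");
	strcat(next, m);
}

/*
 * Returns 1 when some list is fully satisfied, 0 when more methods are
 * needed (next receives the comma-separated methods still on offer), and
 * -1 when the spec is malformed or the completed sequence fits no list.
 */
int auth_methods_check(const char *spec, const char *completed, char *next, size_t nextlen)
{
	char comp[MAX_METHODS][METHOD_LEN], lst[MAX_METHODS][METHOD_LEN];
	int ncomp = 0, pending = 0, k;
	const char *p = spec;
	if (next != NULL && nextlen > 0) next[0] = '\0';
	if (*completed != '\0' && (ncomp = split_commas(completed, strlen(completed), comp)) < 0)
		return -1;
	while (*p != '\0') {
		while (*p == ' ') p++;
		if (*p == '\0') break;
		const char *end = strchr(p, ' ');
		size_t len = end ? (size_t)(end - p) : strlen(p);
		int nl = split_commas(p, len, lst);
		if (nl < 0) return -1;
		p += len;
		if (ncomp > nl) continue;	/* list is shorter than what already succeeded */
		for (k = 0; k < ncomp && strcmp(comp[k], lst[k]) == 0; k++)
			;
		if (k < ncomp) continue;	/* the completed sequence diverged from this list */
		if (ncomp == nl) return 1;	/* every method in this list succeeded */
		offer(next, nextlen, lst[ncomp]);	/* this list's next method is still acceptable */
		pending = 1;
	}
	return pending ? 0 : -1;
}

/* Does the set of methods still on offer equal expected? */
int auth_next_is(const char *spec, const char *completed, const char *expected)
{
	char next[128];
	if (auth_methods_check(spec, completed, next, sizeof(next)) != 0) return 0;
	return strcmp(next, expected) == 0;
}

int main(void)
{
	/* Constructed sample: a public key, then either a password or keyboard-interactive. */
	const char *spec = "publickey,password publickey,keyboard-interactive";
	const char *steps[] = { "", "publickey", "publickey,password", "password" };
	char next[128];
	for (size_t i = 0; i < 4; i++) {
		int r = auth_methods_check(spec, steps[i], next, sizeof(next));
		printf("completed [%s]: result %d, next on offer: %s\n", steps[i], r, r == 0 ? next : "-");
	}
	return 0;
}
```

The last step in the sample, a client that presents only a password, fits no list and is rejected; that is the property the option buys: a guessed password alone is never enough when every list starts with publickey.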


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
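The list evaluation described above, as an added example that is not sshd's addrmatch.c: comma-separated entries, '!' negation, CIDR for entries with a '/', and fallback to wildcard matching otherwise, with a negated match taking precedence over a positive one (the return-value convention of 1 / -1 / 0 and the -2 for a malformed list are this example's own).

```c
/*
 * Added example, not sshd's addrmatch.c: the evaluation rule for a
 * "Match address" list. Entries are comma-separated, a leading '!' negates
 * an entry, an entry containing '/' is an IPv4 or IPv6 CIDR network, and any
 * other entry falls back to '*' / '?' wildcard matching on the address text.
 * A negated match wins over any positive match in the same list.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classic wildcard match: '*' matches any run, '?' any single character. */
static int wildcard_match(const char *s, const char *pat)
{
	for (;;) {
		if (*pat == '\0') return *s == '\0';
		if (*pat == '*') {
			while (*pat == '*') pat++;
			if (*pat == '\0') return 1;
			for (; *s != '\0'; s++)
				if (wildcard_match(s, pat)) return 1;
			return 0;
		}
		if (*s == '\0' || (*pat != '?' && *pat != *s)) return 0;
		s++, pat++;
	}
}

/* Textual address to raw bytes: 4 for IPv4, 16 for IPv6, 0 if invalid. */
static int addr_bytes(const char *text, unsigned char out[16])
{
	if (inet_pton(AF_INET, text, out) == 1) return 4;
	return inet_pton(AF_INET6, text, out) == 1 ? 16 : 0;
}

/*
 * 1 if addr is inside net/prefix, 0 if not (a different address family
 * never matches), -2 if the network or prefix length is invalid.
 */
static int cidr_contains(const char *addr, const char *net, long prefix)
{
	unsigned char a[16], n[16], mask;
	int alen = addr_bytes(addr, a), nlen = addr_bytes(net, n);
	if (nlen == 0 || prefix < 0 || prefix > nlen * 8) return -2;
	if (alen != nlen) return 0;
	int full = (int)(prefix / 8), rem = (int)(prefix % 8);
	if (memcmp(a, n, (size_t)full) != 0) return 0;
	if (rem == 0) return 1;
	mask = (unsigned char)(0xff << (8 - rem));	/* partial last byte */
	return (a[full] & mask) == (n[full] & mask);
}

/* One entry: 1 match, -1 negated match, 0 no match, -2 malformed. */
static int match_entry(const char *addr, char *entry)
{
	int neg = (*entry == '!'), hit;
	char *slash, *end;
	if (neg) entry++;
	if (*entry == '\0') return -2;
	if ((slash = strchr(entry, '/')) != NULL) {
		*slash = '\0';
		long prefix = strtol(slash + 1, &end, 10);
		if (end == slash + 1 || *end != '\0') return -2;
		hit = cidr_contains(addr, entry, prefix);
	} else
		hit = wildcard_match(addr, entry);
	return hit == 1 ? (neg ? -1 : 1) : hit;
}

/* Whole list: 1 match, -1 negated match (takes precedence), 0 no match, -2 malformed. */
int addr_match_list(const char *addr, const char *list)
{
	const char *p = list;
	int ret = 0;
	for (;;) {
		const char *comma = strchr(p, ',');
		size_t len = comma ? (size_t)(comma - p) : strlen(p);
		char entry[128];
		if (len >= sizeof(entry)) return -2;
		memcpy(entry, p, len);
		entry[len] = '\0';
		int r = match_entry(addr, entry);
		if (r < 0) return r;	/* a negated hit or a parse error ends the scan */
		if (r == 1) ret = 1;
		if (comma == NULL) break;
		p = comma + 1;
	}
	return ret;
}

int main(void)
{
	/* Constructed sample: the list from the commit message against a few client addresses. */
	const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
	const char *clients[] = { "192.0.2.77", "3ffe:ffff:1::1", "10.1.2.3", "198.51.100.9" };
	for (size_t i = 0; i < sizeof(clients) / sizeof(clients[0]); i++)
		printf("%-16s -> %d\n", clients[i], addr_match_list(clients[i], list));
	return 0;
}
```

Because a negated entry overrides positive ones anywhere in the list, "10.0.0.0/8,!10.1.*" excludes 10.1.0.0/16 regardless of entry order, which is the property an operator relies on when carving exceptions out of a broad allow.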


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man pages says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while I was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combinations of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>, s, m, h, d, w
Examples:
600     600 seconds (10 minutes)
10m     10 minutes
1h30m   1 hour 30 minutes (90 minutes)
ok markus@
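The time[qualifier] syntax above, as an added example (not OpenSSH's own convert_to_seconds(), which lives in misc.c): parse_time_spec() sums each component, rejects unknown qualifiers, and refuses values that would overflow a long, which matters because these values size timeouts such as LoginGraceTime.

```c
/*
 * Added example, not OpenSSH's own code: parse the time[qualifier]
 * syntax from the 1.81 log entry.  Input is a sequence of non-negative
 * integers, each optionally followed by s, m, h, d or w, e.g. "600",
 * "10m", "1h30m".  A component with no qualifier means seconds.
 * Returns total seconds, or -1 for empty input, an unknown qualifier,
 * a component without digits, or arithmetic overflow.
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

long
parse_time_spec(const char *s)
{
	long total = 0, n, mult;
	int d;

	if (s == NULL || *s == '\0')
		return -1;
	while (*s != '\0') {
		/* every component must start with at least one digit */
		if (!isdigit((unsigned char)*s))
			return -1;
		n = 0;
		while (isdigit((unsigned char)*s)) {
			d = *s - '0';
			if (n > (LONG_MAX - d) / 10)
				return -1;	/* number itself overflows */
			n = n * 10 + d;
			s++;
		}
		switch (*s) {
		case '\0':
		case 's':
			mult = 1;
			break;
		case 'm':
			mult = 60;
			break;
		case 'h':
			mult = 3600;
			break;
		case 'd':
			mult = 86400;
			break;
		case 'w':
			mult = 604800;
			break;
		default:
			return -1;	/* unknown qualifier */
		}
		if (*s != '\0')
			s++;	/* consume the qualifier */
		if (n > LONG_MAX / mult)
			return -1;	/* scaled component overflows */
		n *= mult;
		if (total > LONG_MAX - n)
			return -1;	/* running total overflows */
		total += n;
	}
	return total;
}

int
main(void)
{
	/* constructed inputs: the three examples from the log entry */
	const char *specs[] = { "600", "10m", "1h30m", "10x" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-8s -> %ld\n", specs[i], parse_time_spec(specs[i]));
	return 0;
}
```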


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@
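The three ListenAddress forms above, as an added example (not OpenSSH's own parser): parse_listen_address() splits host and port, treats an unbracketed address with several colons as a bare IPv6 address rather than guessing where a port begins, and range-checks the port in the spirit of the "robust port validation" change (1.76). The default-port sentinel 0 and the buffer-based interface are assumptions of this example.

```c
/*
 * Added example, not OpenSSH's own code: split a ListenAddress argument
 * into host and port according to the forms in the 1.74 log entry:
 *   host|ipv4_addr|ipv6_addr
 *   [host|ipv4_addr|ipv6_addr]:port
 *   host|ipv4_addr:port
 * An unbracketed argument with more than one ':' is a bare IPv6 address
 * with no port, because "addr:port" is ambiguous there; IPv6 with a port
 * must use brackets.  *port is 0 when no port was given (caller falls
 * back to the Port option).  Returns 0 on success, -1 on a malformed
 * argument, empty host, oversized host, or port outside 1..65535.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int
parse_port(const char *s, int *port)
{
	char *end;
	long v;

	if (*s == '\0')
		return -1;		/* "host:" with nothing after the colon */
	errno = 0;
	v = strtol(s, &end, 10);
	if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
		return -1;		/* junk, trailing garbage or out of range */
	*port = (int)v;
	return 0;
}

int
parse_listen_address(const char *arg, char *host, size_t hostlen, int *port)
{
	const char *p, *sep;
	size_t n;

	*port = 0;
	if (arg == NULL || *arg == '\0' || hostlen == 0)
		return -1;
	if (*arg == '[') {
		/* bracketed form: [addr] or [addr]:port */
		sep = strchr(arg, ']');
		if (sep == NULL)
			return -1;	/* unterminated bracket */
		p = arg + 1;
		n = (size_t)(sep - p);
		if (n == 0 || n >= hostlen)
			return -1;
		memcpy(host, p, n);
		host[n] = '\0';
		if (sep[1] == '\0')
			return 0;	/* [addr] with no port */
		if (sep[1] != ':')
			return -1;	/* something other than ":port" after ] */
		return parse_port(sep + 2, port);
	}
	sep = strchr(arg, ':');
	if (sep == NULL || strchr(sep + 1, ':') != NULL) {
		/* no colon (hostname/IPv4) or several (bare IPv6): no port */
		n = strlen(arg);
		if (n >= hostlen)
			return -1;
		memcpy(host, arg, n + 1);
		return 0;
	}
	/* exactly one colon: host:port or ipv4_addr:port */
	n = (size_t)(sep - arg);
	if (n == 0 || n >= hostlen)
		return -1;
	memcpy(host, arg, n);
	host[n] = '\0';
	return parse_port(sep + 1, port);
}

int
main(void)
{
	/* constructed sample arguments covering each documented form */
	const char *args[] = { "192.0.2.1:2222", "[2001:db8::1]:22",
	    "2001:db8::1", "example.net", "[2001:db8::1]:70000" };
	char host[64];
	int port, r;
	size_t i;

	for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
		r = parse_listen_address(args[i], host, sizeof(host), &port);
		if (r == 0)
			printf("%-22s host=%s port=%d\n", args[i], host, port);
		else
			printf("%-22s rejected\n", args[i]);
	}
	return 0;
}
```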


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

I bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.


# 1.322 05-Dec-2017 dtucker

Replace atoi and strtol conversions for integer arguments to config
keywords with a checking wrapper around strtonum. This will prevent
and flag invalid and negative arguments to these keywords. ok djm@


# 1.321 05-Dec-2017 dtucker

Add missing break for rdomain. Prevents spurious "Deprecated option"
warnings. ok djm@


# 1.320 03-Nov-2017 djm

reuse parse_multistate for parse_flag (yes/no arguments). Saves
a few lines of code and makes the parser more consistent wrt
case-sensitivity. bz#2664 ok dtucker@


# 1.319 03-Nov-2017 dtucker

When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete
list of) all criteria. ok djm@, man page help jmc@


# 1.318 25-Oct-2017 djm

uninitialised variable in PermitTunnel printing code


# 1.317 25-Oct-2017 djm

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@


# 1.316 25-Oct-2017 djm

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@


# 1.315 25-Oct-2017 djm

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4


# 1.314 05-Oct-2017 djm

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@


# 1.313 04-Oct-2017 djm

fix (another) problem in PermitOpen introduced during the channels.c
refactor: the third and subsequent arguments to PermitOpen were being
silently ignored; ok markus@


Revision tags: OPENBSD_6_2_BASE
# 1.312 02-Oct-2017 djm

branches: 1.312.2;
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@


# 1.311 18-Sep-2017 dtucker

Add braces missing after channels refactor. ok markus@


# 1.310 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.309 24-Jun-2017 djm

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 1.308 17-May-2017 djm

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1.307 27-Apr-2017 jsg

remove a static array unused since rev 1.306 spotted by clang
ok djm@


Revision tags: OPENBSD_6_1_BASE
# 1.306 14-Mar-2017 djm

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).


# 1.305 10-Mar-2017 dtucker

Remove old null check from config dumper. Patch from jjelen at redhat.com
via bz#2687, ok djm@


# 1.304 03-Feb-2017 djm

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@


# 1.303 03-Feb-2017 djm

allow form-feed characters at EOL; bz#2431 ok dtucker@


# 1.302 06-Jan-2017 djm

sshd_config is documented to set GSSAPIStrictAcceptorCheck=yes by
default, so actually make it do this. bz#2637 ok dtucker


# 1.301 30-Nov-2016 djm

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@


# 1.300 23-Nov-2016 markus

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm


# 1.299 06-Nov-2016 djm

Validate address ranges for AllowUsers/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 1.298 24-Oct-2016 dtucker

Remove dead breaks, found via opencoverage.net. ok deraadt@


# 1.297 28-Sep-2016 djm

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@


# 1.296 28-Sep-2016 djm

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.


# 1.295 25-Aug-2016 djm

add a sIgnore opcode that silently ignores options and use it to
suppress noisy deprecation warnings for the Protocol directive.

req henning, ok markus


# 1.294 19-Aug-2016 djm

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker


# 1.293 15-Aug-2016 naddy

Remove more SSH1 server code:
* Drop sshd's -k option.
* Retire configuration keywords that only apply to protocol 1, as well as
the "protocol" keyword.
* Remove some related vestiges of protocol 1 support.

ok markus@


Revision tags: OPENBSD_6_0_BASE
# 1.292 23-Jun-2016 djm

fix AuthenticationMethods during configuration re-parse;
reported by Juan Francisco Cantero Hurtado


# 1.291 17-Jun-2016 djm

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@


# 1.290 04-May-2016 dtucker

Fix inverted logic for updating StreamLocalBindMask which would cause the
server to set an invalid mask. ok djm@


# 1.289 03-May-2016 djm

fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in
Match blocks; found the hard way Rogan Dawes


# 1.288 03-May-2016 djm

don't forget to include StreamLocalBindUnlink in the config
dump output


# 1.287 02-May-2016 djm

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@


# 1.286 07-Mar-2016 djm

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


Revision tags: OPENBSD_5_9_BASE
# 1.285 17-Feb-2016 djm

make sandboxed privilege separation the default, not just for new
installs; "absolutely" deraadt@


# 1.284 29-Jan-2016 dtucker

Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return
type of scan_scaled). Part of bz#2521, ok djm.


# 1.283 13-Nov-2015 djm

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@


# 1.282 29-Oct-2015 djm

Fix "PubkeyAcceptedKeyTypes +..." inside a Match block; ok dtucker@


# 1.281 21-Aug-2015 djm

Fix expansion of HostkeyAlgorithms=+...

Reported by Bryan Drewery


Revision tags: OPENBSD_5_8_BASE
# 1.280 06-Aug-2015 deraadt

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus


# 1.279 31-Jul-2015 chris

Allow PermitRootLogin to be overridden by config

ok markus@ deraadt@


# 1.278 30-Jul-2015 deraadt

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus


# 1.277 30-Jul-2015 djm

Allow ssh_config and sshd_config kex parameter options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@


# 1.276 10-Jul-2015 markus

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@


# 1.275 01-Jul-2015 djm

twiddle PermitRootLogin back


# 1.274 01-Jul-2015 djm

twiddle; (this commit marks the openssh-6.9 release)


# 1.273 01-Jul-2015 djm

put back default PermitRootLogin=no


# 1.272 01-Jul-2015 djm

reset default PermitRootLogin to 'yes' (momentarily, for release)


# 1.271 22-May-2015 djm

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)


# 1.270 21-May-2015 djm

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@


# 1.269 04-May-2015 djm

Remove pattern length argument from match_pattern_list(),
we only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing out an out-of-bounds read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@


# 1.268 01-May-2015 djm

a couple of parse targets were missing activep checks, causing them
to be misapplied in match context;
bz#2272 diagnosis and original patch from Sami Hartikainen
ok dtucker@


# 1.267 01-May-2015 djm

make handling of AuthorizedPrincipalsFile=none more consistent
with other =none options; bz#2288 from Jakub Jelen; ok dtucker@


# 1.266 29-Apr-2015 dtucker

Allow ListenAddress, Port and AddressFamily in any order. bz#68,
ok djm@, jmc@ (for the man page bit).


# 1.265 27-Apr-2015 djm

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@


# 1.264 24-Apr-2015 deraadt

rename xrealloc() to xreallocarray() since it follows that form.
ok djm


# 1.263 23-Apr-2015 dtucker

Two small fixes for sshd -T: ListenAddress'es are added to a list head so
reverse the order when printing them to ensure the behaviour remains the same,
and print StreamLocalBindMask as octal with leading zero. ok deraadt@


# 1.262 23-Apr-2015 dtucker

Check for and reject missing arguments for VersionAddendum and ForceCommand.
bz#2281, patch from plautrba at redhat com, ok djm@


# 1.261 17-Apr-2015 dtucker

Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.


Revision tags: OPENBSD_5_7_BASE
# 1.260 02-Feb-2015 deraadt

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm


# 1.259 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.258 13-Jan-2015 djm

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@


# 1.257 22-Dec-2014 djm

make internal handling of filename arguments of "none" more consistent
with ssh. "none" arguments are now replaced with NULL when the
configuration is finalised.

Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@


# 1.256 21-Dec-2014 djm

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@


# 1.255 24-Nov-2014 jsg

Fix crashes in the handling of the sshd config file found with the afl
fuzzer.

ok deraadt@ djm@


# 1.254 24-Oct-2014 lteo

Remove unnecessary include: netinet/in_systm.h is not needed by these
programs.

ok deraadt@ millert@


# 1.253 13-Oct-2014 djm

whitespace


# 1.252 19-Aug-2014 djm

When dumping the server configuration (sshd -T), print correct KEX,
MAC and cipher defaults. Spotted by Iain Morgan


Revision tags: OPENBSD_5_6_BASE
# 1.251 15-Jul-2014 millert

Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@


# 1.250 03-Jul-2014 djm

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@


Revision tags: OPENBSD_5_5_BASE
# 1.249 29-Jan-2014 djm

remove experimental, never-enabled JPAKE code; ok markus@


# 1.248 06-Dec-2013 markus

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@


# 1.247 05-Dec-2013 djm

bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@


# 1.246 21-Nov-2013 djm

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@


# 1.245 07-Nov-2013 dtucker

Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@


# 1.244 29-Oct-2013 djm

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@


# 1.243 24-Oct-2013 dtucker

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@


# 1.242 23-Oct-2013 dtucker

fix comment


# 1.241 06-Aug-2013 djm

add cast to avoid format warning; from portable


Revision tags: OPENBSD_5_4_BASE
# 1.240 19-Jul-2013 markus

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@


# 1.239 17-May-2013 djm

bye, bye xfree(); ok markus@


# 1.238 16-May-2013 dtucker

remove another now-unused variable


# 1.237 16-May-2013 dtucker

remove now-unused variables


# 1.236 16-May-2013 dtucker

switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@


# 1.235 16-May-2013 dtucker

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.


Revision tags: OPENBSD_5_3_BASE
# 1.234 06-Feb-2013 dtucker

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@


# 1.233 02-Dec-2012 djm

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@


# 1.232 04-Nov-2012 djm

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@


# 1.231 30-Oct-2012 djm

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another is specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@


# 1.230 13-Sep-2012 dtucker

Fix comment line length


Revision tags: OPENBSD_5_2_BASE
# 1.229 13-Jul-2012 dtucker

handle long comments in config files better. bz#2025, ok markus


# 1.228 10-Jul-2012 djm

Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
prodded markus@ feedback dtucker@ "get it in" deraadt@


# 1.227 19-Jun-2012 markus

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUsers bauer'
ok djm@ (back in March)


# 1.226 13-May-2012 dtucker

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.


# 1.225 12-Apr-2012 djm

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@


# 1.224 29-Mar-2012 dtucker

Add PermitOpen none option based on patch from Loganaden Velvindron
(bz #1949). ok djm@


Revision tags: OPENBSD_5_1_BASE
# 1.223 23-Sep-2011 dtucker

Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.


Revision tags: OPENBSD_5_0_BASE
# 1.222 22-Jun-2011 djm

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@


# 1.221 22-Jun-2011 djm

reuse the multistate option arrays to pretty-print options for "sshd -T"


# 1.220 17-Jun-2011 djm

factor out multi-choice option parsing into a parse_multistate label
and some support structures; ok dtucker@


# 1.219 23-May-2011 djm

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@


# 1.218 20-May-2011 djm

use a macro to define which string options to copy between configs
for Match. This avoids problems caused by forgetting to keep three
code locations in perfect sync and ordering

"this is at once beautiful and horrible" + ok dtucker@


# 1.217 20-May-2011 dtucker

Add comment documenting what should be after the preauth check. ok djm


# 1.216 20-May-2011 djm

the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile
and AuthorizedPrincipalsFile were not being correctly applied in
Match blocks, despite being overridable there; ok dtucker@


# 1.215 11-May-2011 djm

remove support for authorized_keys2; it is a relic from the early days
of protocol v.2 support and has been undocumented for many years;
ok markus@


# 1.214 29-Mar-2011 stevesk

print ipqos friendly string for sshd -T; ok markus

# sshd -Tf sshd_config|grep ipqos
ipqos lowdelay throughput


Revision tags: OPENBSD_4_9_BASE
# 1.213 13-Nov-2010 djm

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@


# 1.212 30-Sep-2010 djm

prevent free() of string in .rodata when overriding AuthorizedKeys in
a Match block; patch from rein AT basefarm.no


# 1.211 22-Sep-2010 djm

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@


# 1.210 01-Sep-2010 naddy

pick up ECDSA host key by default; ok djm@


Revision tags: OPENBSD_4_8_BASE
# 1.209 22-Jun-2010 djm

expose some more sshd_config options inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@


# 1.208 07-May-2010 djm

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@


# 1.207 25-Mar-2010 djm

from portable: getcwd(NULL, 0) doesn't work on all platforms, so
use a stack buffer; ok dtucker@


Revision tags: OPENBSD_4_7_BASE
# 1.206 12-Mar-2010 markus

do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
free() (not xfree()) the buffer returned by getcwd()


# 1.205 12-Mar-2010 djm

unbreak AuthorizedKeys option with a $HOME-relative path; reported by
vinschen AT redhat.com, ok dtucker@


# 1.204 04-Mar-2010 djm

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@


# 1.203 26-Feb-2010 djm

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@


# 1.202 13-Jan-2010 djm

avoid run-time failures when specifying hostkeys via a relative
path by prepending the cwd in these cases; bz#1290; ok dtucker@


# 1.201 10-Jan-2010 dtucker

Add ChrootDirectory to sshd.c test-mode output


# 1.200 09-Jan-2010 dtucker

Remove RoutingDomain from ssh since it's now not needed. It can be replaced
with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures
that traffic such as DNS lookups stays within the specified routing domain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@


# 1.199 29-Dec-2009 stevesk

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@


# 1.198 25-Dec-2009 stevesk

validate routing domain is in range 0-RT_TABLEID_MAX.
'Looks right' deraadt@


# 1.197 28-Oct-2009 reyk

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@


# 1.196 08-Oct-2009 markus

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt


Revision tags: OPENBSD_4_6_BASE
# 1.195 14-Apr-2009 jj

Fixed a few the-the misspellings in comments. Skipped a bunch in binutils, gcc and so on. ok jmc@


Revision tags: OPENBSD_4_5_BASE
# 1.194 22-Jan-2009 djm

make a2port() return -1 when it encounters an invalid port number
rather than 0, which it will now treat as valid (needed for future work)

adjust current consumers of a2port() to check its return value is <= 0,
which in turn required some things to be converted from u_short => int

make use of int vs. u_short consistent in some other places too

feedback & ok markus@


# 1.193 09-Dec-2008 stevesk

channel_print_adm_permitted_opens() should deal with all the printing
for that config option. suggested by markus@; ok markus@ djm@
dtucker@


# 1.192 11-Nov-2008 stevesk

USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
kerberosgetafstoken. ok dtucker@


# 1.191 05-Nov-2008 jmc

passord -> password;
fixes user/5975 from Rene Maroufi


# 1.190 04-Nov-2008 djm

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@


# 1.189 03-Nov-2008 djm

include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov


# 1.188 09-Oct-2008 djm

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@


Revision tags: OPENBSD_4_4_BASE
# 1.187 23-Jul-2008 djm

do not try to print options that have been compile-time disabled
in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
ok dtucker@


# 1.186 04-Jul-2008 djm

support negation of groups in "Match group" block (bz#1315); ok dtucker@


# 1.185 02-Jul-2008 djm

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@


# 1.184 15-Jun-2008 dtucker

Allow MaxAuthTries within a Match block. ok djm@


# 1.183 10-Jun-2008 djm

support CIDR address matching in .ssh/authorized_keys from="..." stanzas

ok and extensive testing dtucker@


# 1.182 10-Jun-2008 dtucker

Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows testing of the parser and config files. ok deraadt djm


# 1.181 10-Jun-2008 djm

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@
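The semantics this entry describes (CIDR entries, "!" negation and fall-back to classic wildcard matching), as an added C example that is not OpenSSH's addrmatch.c: addr_match_list(), cidr_contains() and parse_addr() are hypothetical names, fnmatch(3) stands in for sshd's own pattern matcher, and the sample addresses are constructed. A negated entry that matches rejects the address and stops the scan; otherwise the first matching positive entry accepts it.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>

/* Parse an IPv4 or IPv6 address into raw bytes; returns 4, 16, or 0 if invalid. */
static int
parse_addr(const char *s, unsigned char out[16])
{
	if (inet_pton(AF_INET, s, out) == 1)
		return 4;
	if (inet_pton(AF_INET6, s, out) == 1)
		return 16;
	return 0;
}

/* 1 if addr lies within "net/bits", 0 if not, -1 if the CIDR text is invalid. */
static int
cidr_contains(const char *cidr, const unsigned char *addr, int addrlen)
{
	char buf[64];
	unsigned char net[16];
	const char *slash;
	char *end;
	long bits;
	int netlen, i;

	if (strlen(cidr) >= sizeof(buf) || (slash = strchr(cidr, '/')) == NULL)
		return -1;
	memcpy(buf, cidr, slash - cidr);
	buf[slash - cidr] = '\0';
	if ((netlen = parse_addr(buf, net)) == 0)
		return -1;
	bits = strtol(slash + 1, &end, 10);
	if (slash[1] == '\0' || *end != '\0' || bits < 0 || bits > netlen * 8)
		return -1;                           /* e.g. /33 on an IPv4 network */
	if (netlen != addrlen)
		return 0;                            /* different address family */
	for (i = 0; i < netlen && bits > 0; i++, bits -= 8) {
		unsigned char mask = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));

		if ((net[i] & mask) != (addr[i] & mask))
			return 0;
	}
	return 1;
}

/*
 * Match an address against a comma-separated list such as
 * "192.0.2.0/24,3ffe:ffff::/32,!10.*". Entries containing '/' are CIDR
 * ranges; any other entry is a wildcard pattern applied to the address text.
 * A matching negated ("!") entry rejects the address outright; otherwise the
 * first matching positive entry accepts it.
 * Returns 1 (match), 0 (no match) or -1 (bad address or malformed list).
 * Hypothetical example function; not OpenSSH's addrmatch.c.
 */
int
addr_match_list(const char *addr, const char *list)
{
	unsigned char raw[16];
	int addrlen = parse_addr(addr, raw);
	char *copy, *cursor, *entry;
	int result = 0;

	if (addrlen == 0 || (copy = strdup(list)) == NULL)
		return -1;
	cursor = copy;
	while ((entry = strsep(&cursor, ",")) != NULL) {
		int neg = 0, r;

		if (*entry == '!') {
			neg = 1;
			entry++;
		}
		if (*entry == '\0') {
			result = -1;                 /* empty entry: reject the list */
			break;
		}
		if (strchr(entry, '/') != NULL)
			r = cidr_contains(entry, raw, addrlen);
		else
			r = fnmatch(entry, addr, 0) == 0;    /* wildcard fall-back */
		if (r < 0) {
			result = -1;
			break;
		}
		if (r == 1) {
			result = neg ? 0 : 1;
			break;
		}
	}
	free(copy);
	return result;
}
```

With the list from the commit message, 192.0.2.7 and 3ffe:ffff::1 match, 10.1.2.3 is rejected by the negated entry, and 198.51.100.1 matches nothing. A malformed prefix such as /33 on an IPv4 network is reported as an error rather than treated as "no match", so a typo in an access-control list is noticed when the configuration is checked instead of silently changing who is admitted.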


# 1.180 08-May-2008 djm

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@


# 1.179 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


# 1.178 07-May-2008 pyr

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@


Revision tags: OPENBSD_4_3_BASE
# 1.177 10-Feb-2008 djm

delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)


# 1.176 08-Feb-2008 djm

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@


# 1.175 01-Jan-2008 dtucker

Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@


# 1.174 31-Dec-2007 dtucker

Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@


# 1.173 27-Dec-2007 dtucker

Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
ok markus@ stevesk@


Revision tags: OPENBSD_4_2_BASE
# 1.172 23-Apr-2007 dtucker

Remove debug() left over from development. ok deraadt@


Revision tags: OPENBSD_4_1_BASE
# 1.171 09-Mar-2007 dtucker

Move C/R -> kbdint special case to after the defaults have been
loaded, which makes ChallengeResponse default to yes again. This
was broken by the Match changes and not fixed properly subsequently.
Found by okan at demirmen.com, ok djm@ "please do it" deraadt@


# 1.170 01-Mar-2007 dtucker

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.


# 1.169 22-Feb-2007 dtucker

Check activep so Match and GatewayPorts work together; ok markus@


# 1.168 19-Feb-2007 dtucker

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite. ok djm@, man page
bits ok jmc@


# 1.167 14-Dec-2006 dtucker

Make "PermitOpen all" first-match within a block to match the way other
options work. ok markus@ djm@


# 1.166 13-Dec-2006 dtucker

Make PermitOpen work with multiple values like the man page says. bz #1267
with details from peter at dmtz.com, with & ok djm@


Revision tags: OPENBSD_4_0_BASE
# 1.165 14-Aug-2006 dtucker

Add ability to match groups to Match keyword in sshd_config. Feedback djm@,
stevesk@, ok stevesk@.


# 1.164 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.163 01-Aug-2006 stevesk

clean extra spaces


# 1.162 01-Aug-2006 stevesk

move #include <stdio.h> out of includes.h


# 1.161 26-Jul-2006 stevesk

move #include <stdlib.h> out of includes.h


# 1.160 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.159 21-Jul-2006 dtucker

Make PermitOpen take a list of permitted ports and act more like most other
keywords (i.e. the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@


# 1.158 19-Jul-2006 dtucker

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@


# 1.157 19-Jul-2006 dtucker

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@


# 1.156 17-Jul-2006 dtucker

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port forwarding
only to specific host/port pairs. Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.
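The PermitOpen decision with the semantics given here and in the PermitOpen entries above (whitespace-separated host:port entries, "none", wildcard support, first match wins), as an added C example rather than sshd's own code: permitopen_allows() is a hypothetical name, fnmatch(3) stands in for sshd's pattern matcher, the "[addr]:port" form for IPv6 literals and the "any" keyword follow sshd_config(5), and the list in main() is constructed. As the entry notes, a forward must be permitted by both sshd_config and any key option, so a caller would run this check once against each list.

```c
#define _GNU_SOURCE
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decide whether forwarding to host:port is allowed by a PermitOpen list
 * such as "localhost:* 192.0.2.1:22", "any" or "none". Entries are
 * whitespace-separated; host may be a wildcard pattern and port may be "*";
 * IPv6 literals use the "[addr]:port" form. The first matching entry wins.
 * Returns 1 if permitted, 0 if refused, -1 if the list is malformed.
 * Hypothetical example function, not sshd's own PermitOpen code.
 */
int
permitopen_allows(const char *list, const char *host, int port)
{
	char *copy, *cur, *entry;
	int result = 0;

	if (strcmp(list, "none") == 0)
		return 0;
	if (strcmp(list, "any") == 0)
		return 1;
	if ((copy = strdup(list)) == NULL)
		return -1;
	cur = copy;
	while ((entry = strsep(&cur, " \t")) != NULL) {
		char *h = entry, *p, *end;
		long want;

		if (*entry == '\0')
			continue;                          /* repeated whitespace */
		if (*h == '[') {                       /* [ipv6]:port */
			h++;
			if ((p = strchr(h, ']')) == NULL || p[1] != ':') {
				result = -1;
				break;
			}
			*p = '\0';
			p += 2;
		} else if ((p = strrchr(h, ':')) != NULL) {
			*p++ = '\0';
		} else {
			result = -1;                       /* no port given */
			break;
		}
		if (strcmp(p, "*") != 0) {             /* explicit port must match */
			want = strtol(p, &end, 10);
			if (*p == '\0' || *end != '\0' || want < 1 || want > 65535) {
				result = -1;
				break;
			}
			if (want != port)
				continue;
		}
		if (fnmatch(h, host, FNM_CASEFOLD) == 0) {
			result = 1;
			break;
		}
	}
	free(copy);
	return result;
}

int
main(void)
{
	const char *list = "localhost:* 192.0.2.1:22";   /* constructed sample list */

	printf("localhost:8080 -> %d\n", permitopen_allows(list, "localhost", 8080));
	printf("192.0.2.1:23   -> %d\n", permitopen_allows(list, "192.0.2.1", 23));
	return 0;
}
```

An entry without a port, or with a port outside 1-65535, makes the whole list fail as malformed rather than being skipped, so a mistyped entry cannot quietly widen what is permitted.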


# 1.155 17-Jul-2006 stevesk

move #include <unistd.h> out of includes.h


# 1.154 12-Jul-2006 stevesk

move #include <netdb.h> out of includes.h; ok djm@


# 1.153 12-Jul-2006 dtucker

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@
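A small evaluator for the Match semantics this entry introduces, as an added C example and not sshd's servconf.c: eval_config(), effective_option() and the helper names are hypothetical, only "Match User" and two yes/no keywords are modelled, and the configuration text used in the test is constructed. Values set in the main section are kept in one structure and values from matching Match blocks in another; a Match value overrides the main value, and within each the first setting of a keyword wins.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Effective values of two yes/no options; -1 means "not set". */
struct sshd_opts { int allow_tcp_forwarding; int password_authentication; };

/* Match-block value if set, else main-section value if set, else the default. */
#define PICK(m, d, dflt) ((m) != -1 ? (m) : (d) != -1 ? (d) : (dflt))

static int *
opt_slot(struct sshd_opts *o, const char *kw)
{
	if (strcasecmp(kw, "AllowTcpForwarding") == 0)
		return &o->allow_tcp_forwarding;
	if (strcasecmp(kw, "PasswordAuthentication") == 0)
		return &o->password_authentication;
	return NULL;                           /* keyword not modelled here */
}

/* Skip blanks and return the next whitespace-delimited token, or NULL. */
static char *
next_token(char **s)
{
	if (*s != NULL)
		*s += strspn(*s, " \t");
	return (*s == NULL || **s == '\0') ? NULL : strsep(s, " \t");
}

/* Does a "Match User a,b,c" list name this user? */
static int
match_user(const char *list, const char *user)
{
	char *copy = strdup(list), *cur = copy, *name;
	int hit = 0;
	while (!hit && (name = strsep(&cur, ",")) != NULL)
		hit = strcmp(name, user) == 0;
	free(copy);
	return hit;
}

/*
 * Evaluate config text for one user: lines after a Match line apply only while
 * its condition holds, the first setting of a keyword in each section wins, and
 * a matching Match block overrides the main section. 0 on success, -1 on error.
 */
int
eval_config(const char *text, const char *user, struct sshd_opts *out)
{
	struct sshd_opts main_o = { -1, -1 }, match_o = { -1, -1 };
	char *copy, *cur, *line;
	int in_match = 0, active = 1, rc = 0;

	if ((copy = strdup(text)) == NULL)
		return -1;
	cur = copy;
	while ((line = strsep(&cur, "\n")) != NULL) {
		char *rest = line, *kw = next_token(&rest), *arg;
		int v, *slot;

		if (kw == NULL || *kw == '#')
			continue;                      /* blank line or comment */
		if (strcasecmp(kw, "Match") == 0) {
			char *crit = next_token(&rest), *val = next_token(&rest);
			/* only "Match User" is modelled in this example */
			if (crit == NULL || val == NULL || strcasecmp(crit, "User") != 0) { rc = -1; break; }
			in_match = 1;
			active = match_user(val, user);
			continue;
		}
		if ((arg = next_token(&rest)) == NULL ||
		    (slot = opt_slot(in_match ? &match_o : &main_o, kw)) == NULL) { rc = -1; break; }
		v = strcmp(arg, "yes") == 0 ? 1 : strcmp(arg, "no") == 0 ? 0 : -1;
		if (v < 0) { rc = -1; break; }     /* not a yes/no value */
		if (active && *slot == -1)
			*slot = v;                     /* first effective setting wins */
	}
	free(copy);
	if (rc == 0) {                         /* compiled-in default for both is yes */
		out->allow_tcp_forwarding = PICK(match_o.allow_tcp_forwarding, main_o.allow_tcp_forwarding, 1);
		out->password_authentication = PICK(match_o.password_authentication, main_o.password_authentication, 1);
	}
	return rc;
}

/* Effective value of one keyword for user, or -1 on error or unknown keyword. */
int
effective_option(const char *text, const char *user, const char *kw)
{
	struct sshd_opts o;
	int *slot;
	if (eval_config(text, user, &o) != 0 || (slot = opt_slot(&o, kw)) == NULL)
		return -1;
	return *slot;
}
```

For the anoncvs example above, effective_option(cfg, "anoncvs", "AllowTcpForwarding") yields 0 while any other user gets 1. A Match criterion other than User, or a keyword the example does not model, makes it return -1 rather than silently ignoring the line.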


# 1.152 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.151 06-Jul-2006 djm

support arguments to Subsystem commands; ok markus@


# 1.150 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.149 19-Mar-2006 deraadt

RCSID() can die


# 1.148 19-Mar-2006 dtucker

Correct strdelim null test; ok djm@


# 1.147 19-Mar-2006 djm

potential NULL pointer dereferences detected by Coverity
via elad AT netbsd.org; ok deraadt@


Revision tags: OPENBSD_3_9_BASE
# 1.146 08-Dec-2005 reyk

branches: 1.146.2;
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@


# 1.145 06-Dec-2005 reyk

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similarly to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others


Revision tags: OPENBSD_3_8_BASE
# 1.144 06-Aug-2005 dtucker

branches: 1.144.2;
Unbreak sshd ListenAddress for bare IPv6 addresses.
Report from Janusz Mucka; ok djm@


# 1.143 25-Jul-2005 markus

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@


# 1.142 17-Jun-2005 djm

make this -Wsign-compare clean; ok avsm@ markus@


# 1.141 16-May-2005 markus

check return value from strdelim() for NULL (AddressFamily); mpech


Revision tags: OPENBSD_3_7_BASE
# 1.140 10-Mar-2005 deraadt

branches: 1.140.2;
spacing


# 1.139 01-Mar-2005 djm

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@


# 1.138 23-Dec-2004 djm

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@


Revision tags: OPENBSD_3_6_BASE
# 1.137 13-Aug-2004 dtucker

branches: 1.137.2;
Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
ok markus@, djm@


# 1.136 11-Aug-2004 dtucker

Fix minor leak; "looks right" deraadt@


# 1.135 11-Jul-2004 deraadt

spaces


# 1.134 24-Jun-2004 djm

re-exec sshd on accept(); initial work, final debugging and ok markus@


# 1.133 23-May-2004 dtucker

Add MaxAuthTries sshd config option; ok markus@


# 1.132 08-May-2004 deraadt

make two tiny header files go away; djm ok


# 1.131 27-Apr-2004 djm

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@


Revision tags: OPENBSD_3_5_BASE
# 1.130 23-Dec-2003 jakob

branches: 1.130.2;
implement KerberosGetAFSToken server option. ok markus@, beck@


# 1.129 09-Dec-2003 markus

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@


# 1.128 29-Sep-2003 markus

GSSAPICleanupCreds -> GSSAPICleanupCredentials


Revision tags: OPENBSD_3_4_BASE
# 1.127 01-Sep-2003 markus

branches: 1.127.2;
remove unused kerberos code; ok henning@


# 1.126 28-Aug-2003 markus

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...


# 1.125 22-Aug-2003 markus

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.


# 1.124 13-Aug-2003 markus

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others


# 1.123 22-Jul-2003 markus

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@


# 1.122 02-Jun-2003 markus

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@


# 1.121 15-May-2003 jakob

warn for unsupported config option. ok markus@


# 1.120 15-May-2003 jakob

disable kerberos when not supported. ok markus@


# 1.119 15-May-2003 jakob

always parse kerberos options. ok djm@ markus@


# 1.118 09-Apr-2003 hin

Don't include <krb.h> when compiling with Kerberos 5 support


# 1.117 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_3_BASE
# 1.116 21-Feb-2003 markus

branches: 1.116.2;
print sshd_config filename in debug2 mode.


Revision tags: OPENBSD_3_2_BASE
# 1.115 04-Sep-2002 stevesk

branches: 1.115.2;
default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@


# 1.114 21-Aug-2002 stevesk

change LoginGraceTime default to 1 minute; ok mouring@ markus@


# 1.113 30-Jul-2002 markus

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt


# 1.112 23-Jun-2002 deraadt

minor KNF. things the fingers do while you read


# 1.111 20-Jun-2002 markus

allow Compression=yes/no in sshd_config


# 1.110 15-May-2002 markus

re-enable privsep and disable setuid for post-3.2.2


# 1.109 15-May-2002 markus

disable privsep and enable setuid for the 3.2.2 release


# 1.108 04-May-2002 deraadt

enable privsep by default; provos ok


# 1.107 22-Apr-2002 markus

do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@


# 1.106 20-Apr-2002 deraadt

No, afs requires explicit enabling


Revision tags: OPENBSD_3_1_BASE
# 1.105 20-Mar-2002 stevesk

branches: 1.105.2;
for unprivileged user, group do:
pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@


# 1.104 19-Mar-2002 stevesk

_PATH_PRIVSEP_CHROOT_DIR; ok provos@


# 1.103 18-Mar-2002 stevesk

UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
provos@


# 1.102 18-Mar-2002 provos

integrate privilege separated openssh; it's turned off by default for now.
work done by me and markus@


# 1.101 04-Feb-2002 markus

add SYSLOG_FACILITY_NOT_SET = -1, SYSLOG_LEVEL_NOT_SET = -1,
fixes arm/netbsd; based on patch from bjh21@netbsd.org; ok djm@


# 1.100 29-Jan-2002 markus

s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@


# 1.99 27-Jan-2002 stevesk

add X11UseLocalhost; ok markus@


# 1.98 22-Jan-2002 stevesk

typo in error message; from djast@cs.toronto.edu


# 1.97 04-Jan-2002 stevesk

protocol 2 HostKey code default is now /etc/ssh_host_rsa_key and
/etc/ssh_host_dsa_key like we have in sshd_config. ok markus@


# 1.96 04-Jan-2002 stevesk

remove #ifdef _PATH_XAUTH/#endif; ok markus@


# 1.95 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


# 1.94 06-Dec-2001 markus

add -o to sshd, too. ok deraadt@


# 1.93 05-Dec-2001 deraadt

minor KNF


# 1.92 17-Nov-2001 stevesk

enum/int type cleanup where it made sense to do so; ok markus@


# 1.91 12-Nov-2001 markus

enable authorized_keys2 again. tested by fries@


# 1.90 11-Nov-2001 markus

make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if AuthorizedKeysFile is specified.


Revision tags: OPENBSD_3_0_BASE
# 1.89 16-Aug-2001 jakob

branches: 1.89.2;
deprecate CheckMail. ok markus@


# 1.88 11-Jul-2001 itojun

make it compilable in all 4 combination of KRB4/KRB5 settings. dugsong ok

XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and
-I/usr/include/kerberosV?


# 1.87 08-Jul-2001 stevesk

fix ``MaxStartups max''; ok markus@


# 1.86 26-Jun-2001 dugsong

#include <kafs.h>


# 1.85 26-Jun-2001 dugsong

Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok


# 1.84 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.83 08-Jun-2001 markus

move the path for xauth to pathnames.h


# 1.82 20-May-2001 markus

configurable authorized_keys{,2} location; originally from peter@; ok djm@


# 1.81 19-May-2001 stevesk

sshd command-line arguments and configuration file options that
specify time may be expressed using a sequence of the form:
time[qualifier], where time is a positive integer value and qualifier
is one of the following:
<none>,s,m,h,d,w
Examples:
    600      600 seconds (10 minutes)
    10m      10 minutes
    1h30m    1 hour 30 minutes (90 minutes)
ok markus@


# 1.80 18-May-2001 markus

improved kbd-interactive support. work by per@appgate.com and me


# 1.79 03-May-2001 stevesk

remove "\n" from fatal()


Revision tags: OPENBSD_2_9_BASE
# 1.78 15-Apr-2001 stevesk

branches: 1.78.2;
use fatal() or error() vs. fprintf(); ok markus@


# 1.77 13-Apr-2001 beck

Add options ClientAliveInterval and ClientAliveCountMax to sshd.
This gives the ability to do a "keepalive" via the encrypted channel
which can't be spoofed (unlike TCP keepalives). Useful for when you want
to use ssh connections to authenticate people for something, and know
relatively quickly when they are no longer authenticated. Disabled
by default (of course). ok markus@


# 1.76 12-Apr-2001 stevesk

robust port validation; ok markus@ jakob@


# 1.75 12-Apr-2001 markus

implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2)
similar to RhostRSAAuthentication unless you enable (the experimental)
HostbasedUsesNameFromPacketOnly option. please test. :)


# 1.74 06-Apr-2001 stevesk

in addition to:
ListenAddress host|ipv4_addr|ipv6_addr
permit:
ListenAddress [host|ipv4_addr|ipv6_addr]:port
ListenAddress host|ipv4_addr:port
sshd.8 updates coming. ok markus@


# 1.73 02-Apr-2001 stevesk

correct comment; ok markus@


# 1.72 25-Mar-2001 stevesk

PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@


# 1.71 05-Mar-2001 stevesk

sync error message; ok markus@


# 1.70 04-Mar-2001 millert

log functions should not be passed strings that end in newline as they
get passed on to syslog() and when logging to stderr, do_log() appends
its own newline.


# 1.69 04-Mar-2001 stevesk

kill obsolete RandomSeed; ok markus@ deraadt@


# 1.68 22-Feb-2001 deraadt

grammar; slade@shore.net


# 1.67 12-Feb-2001 markus

PermitRootLogin={yes,without-password,forced-commands-only,no}
(before this change, root could login even if PermitRootLogin==no)


# 1.66 11-Feb-2001 markus

1) clean up the MAC support for SSH-2
2) allow you to specify the MAC with 'ssh -m'
3) or the 'MACs' keyword in ssh(d)_config
4) add hmac-{md5,sha1}-96
ok stevesk@, provos@


# 1.65 04-Feb-2001 stevesk

unexpand and remove end-of-line whitespace; ok markus@


# 1.64 03-Feb-2001 markus

make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@


# 1.63 22-Jan-2001 markus

rename skey -> challenge response.
auto-enable kbd-interactive for ssh2 if challenge-response is enabled.


# 1.62 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.61 20-Jan-2001 djm

Check for NULL return from strdelim; ok markus


# 1.60 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.59 19-Jan-2001 markus

only auth-chall.c needs #ifdef SKEY


# 1.58 18-Jan-2001 markus

log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems


# 1.57 08-Jan-2001 markus

implement option 'Banner /etc/issue.net' for ssh2, move version to
2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner
is enabled).


# 1.56 07-Jan-2001 markus

rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE
syslog priority changes:
fatal() LOG_ERR -> LOG_CRIT
log() LOG_INFO -> LOG_NOTICE


# 1.55 19-Dec-2000 markus

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.


# 1.54 12-Nov-2000 markus

add support for RSA to SSH2. please test.

there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.

you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.

SSH2 RSA or DSA keys are added to .ssh/authorized_keys2 as before.

IdentityFile2, HostDsaKey and DSAAuthentication are obsolete.
you can use multiple IdentityFile and HostKey for all types of keys.

the option DSAAuthentication is replaced by PubkeyAuthentication.


Revision tags: OPENBSD_2_8_BASE
# 1.53 14-Oct-2000 markus

branches: 1.53.2;
AllowTcpForwarding; from naddy@


# 1.52 11-Oct-2000 markus

add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me


# 1.51 07-Sep-2000 deraadt

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.50 22-Jul-2000 markus

random early drop; ok theo, niels


# 1.49 14-Jul-2000 markus

allow leading whitespace. ok niels


# 1.48 13-Jul-2000 provos

allow multiple whitespace but only one '=' between tokens, bug report from
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@


# 1.47 10-Jul-2000 ho

strtok() --> strsep(). (niels@ ok)


# 1.46 26-Jun-2000 markus

MaxStartups: limit number of unauthenticated connections, work by theo and me


# 1.45 20-Jun-2000 markus

OpenBSD tag


# 1.44 18-Jun-2000 deraadt

include = in WHITESPACE; markus ok


# 1.43 17-Jun-2000 jakob

add support for ssh v2 subsystems. ok markus@.


# 1.42 31-May-2000 markus

xauth_location support; pr 1234


# 1.41 22-May-2000 markus

check strtok() != NULL; ok niels@


Revision tags: OPENBSD_2_7_BASE
# 1.40 08-May-2000 markus

branches: 1.40.2;
complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only)


# 1.39 06-May-2000 markus

add DSAAuthentication option to ssh/sshd, document SSH2 in sshd.8


# 1.38 03-May-2000 markus

GatewayPorts for sshd, ok deraadt@


# 1.37 03-May-2000 markus

s/DsaKey/HostDSAKey/, document option


# 1.36 01-May-2000 markus

PidFile, pr 1210


# 1.35 26-Apr-2000 markus

ssh/sshd default to proto 1 and 2


# 1.34 14-Apr-2000 markus

whitespace cleanup


# 1.33 12-Apr-2000 markus

add Cipher and Protocol options to ssh/sshd, e.g.:
ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers arcfour,3des-cbc'


# 1.32 06-Apr-2000 markus

ssh2 server side, see README.openssh2; enable with 'sshd -2'


# 1.31 07-Mar-2000 markus

typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de


# 1.30 24-Feb-2000 markus

sync with sshd_config


# 1.29 04-Jan-2000 markus

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)


# 1.28 24-Nov-1999 markus

strcasecmp instead of tolower


# 1.27 24-Nov-1999 markus

KNF, final part 3


# 1.26 24-Nov-1999 deraadt

much more KNF


# 1.25 23-Nov-1999 markus

KNF part 1


# 1.24 19-Nov-1999 markus

remove unused index (-Wall)


# 1.23 19-Nov-1999 markus

bugfix: loglevels are per host in clientconfig,
factor out common log-level parsing code.


# 1.22 11-Nov-1999 markus

print _all_ bad options found in configfile


# 1.21 11-Nov-1999 markus

IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert


# 1.20 10-Nov-1999 markus

add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd,
obsoletes QuietMode and FascistLogging in sshd.


# 1.19 25-Oct-1999 markus

server-logs default to AUTH (consistency with sample sshd_config)


Revision tags: OPENBSD_2_6_BASE
# 1.18 17-Oct-1999 dugsong

default KerberosOrLocalPassword to 'yes'


# 1.17 17-Oct-1999 dugsong

remove AllowHosts, DenyHosts, SilentDeny server access control cruft - replace with LIBWRAP moved to child. ok markus@ deraadt@


# 1.16 14-Oct-1999 markus

refuse to start if there is no configuration file for sshd. ok: deraadt


# 1.15 14-Oct-1999 markus

PermitRootLogin={yes,no,without-password}, default=yes, ok deraadt,niels


# 1.14 12-Oct-1999 markus

SilentDeny, don't log/answer refused connections, deraadt@


# 1.13 11-Oct-1999 markus

Allow/Deny Users/Groups, from zzlevo@dd.chalmers.se, ok deraadt@


# 1.12 11-Oct-1999 markus

UseLogin, default=no, from kpa@gmx.net, ok deraadt@


# 1.11 07-Oct-1999 markus

You have Mail. Email for you. Karsten Patzwaldt <kpa@gmx.net> default=no


# 1.10 07-Oct-1999 markus

add skey to sshd:

1) pass *pw to auth_password() not user_name, do_authentication already
keeps private copy of struct passwd for current user.
2) limit authentication attempts to 5, otherwise
ssh -o 'NumberOfPasswordPrompts 100000' host
lets you enter 100000 passwds
3) make s/key a run-time option in /etc/sshd_config
4) generate fake skeys,
for s/key for nonexisting users, too
limit auth-tries for nonexisting users, too.
Note that
% ssh -l nonexisting-user -o 'NumberOfPasswordPrompts 100000' host
has NO limits in ssh-1.2.27


# 1.9 02-Oct-1999 deraadt

Wall


# 1.8 01-Oct-1999 deraadt

randomseed is really gone now


# 1.7 01-Oct-1999 provos

get rid of references to randomseedfile, we don't need it. for sshd
just spit out a warning that the configuration option is obsolete.


# 1.6 30-Sep-1999 deraadt

do not bother with dinosaur pacification


# 1.5 29-Sep-1999 dugsong

fix server krb4 option initialization


# 1.4 29-Sep-1999 dugsong

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages


# 1.3 29-Sep-1999 deraadt

GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de


# 1.2 28-Sep-1999 deraadt

X11DisplayOffset; aaron


# 1.1 26-Sep-1999 deraadt

i bet a lot of people didn't know that ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.