instead of manual pointer fiddling. Should make the code safer and easier to
read. feedback/ok markus@
OpenBSD-Commit-ID: 5ebd841fbd78d8395774f002a19c1ddcf91ad047
support rekeying. AFAIK this is only an ancient Sun SSH version.
If such an implementation tries to interoperate with OpenSSH, it
will eventually fail when the transport needs rekeying.
This is probably long enough to use it to download a modern SSH
implementation that lacks this problem :)
ok markus@ deraadt@
OpenBSD-Commit-ID: 228a502fee808cf8b7caee23169eb6a1ab1c331a
pre-authentication phase
OpenSSH doesn't support rekeying before authentication completes to
minimise pre-auth attack surface.
Given LoginGraceTime, MaxAuthTries and strict KEX, it would be
difficult to send enough data or packets before authentication
completes to reach a point where rekeying is required, but we'd
prefer it to be completely impossible.
So this applies the default volume/packet rekeying limits to the
pre-auth phase. If these limits are exceeded the connection will
simply be closed.
ok dtucker markus
OpenBSD-Commit-ID: 70415098db739058006e4ebd1630b6bae8cc8bf6
sections (which are now unconditionally refused) and for certificates with
wildcard principals (which should only be accepted in host certs)
OpenBSD-Regress-ID: fdca88845a68424060547b4f9f32f90a7cf82e73
certificates were originally specified to represent any principal if the
principals list was empty.
This was, in retrospect, a mistake as it created a fail-open
situation if a CA could be convinced to accidentally sign a
certificate with no principals. This actually happened in a
3rd-party CA product (CVE-2024-7594).
Somewhat fortunately, the main pathway for using certificates in
sshd (TrustedUserCAKeys) never supported empty-principals
certificates, so the blast radius of such mistakes was
substantially reduced.
This change removes this footcannon and requires all certificates
include principals sections. It also fixes interpretation of
wildcard principals, and properly enables them for host
certificates only.
This is a behaviour change that will permanently break uses of
certificates with empty principals sections.
ok markus@
OpenBSD-Commit-ID: 0a901f03c567c100724a492cf91e02939904712e
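An added example, not OpenSSH code or part of the commit above: an audit helper that reads the principals section of an ed25519 certificate and flags the two cases the commit message describes. The field order follows OpenSSH's PROTOCOL.certkeys; the function names, the findings strings and the treatment of `*` and `?` as the wildcard characters are assumptions, and the sample certificates are constructed and unsigned.

```python
import base64
import struct

USER, HOST = 1, 2  # certificate types from PROTOCOL.certkeys
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def audit_cert(line):
    """Return (cert_type, principals, findings) for one certificate line."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = read_string(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("this example only handles ed25519 certificates")
    _, off = read_string(blob, off)          # nonce
    _, off = read_string(blob, off)          # public key
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    _, off = read_string(blob, off)          # key id
    packed, off = read_string(blob, off)     # valid principals: packed strings
    principals, p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p)
        principals.append(name.decode())
    findings = []
    if not principals:
        findings.append("empty principals section")
    if ctype == USER and any(c in n for n in principals for c in "*?"):
        findings.append("wildcard principal in user certificate")
    return ctype, principals, findings

def sample_cert(ctype, principals):
    """Constructed certificate line; fields after the principals are omitted."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = (s(CERT_TYPE) + s(b"\0" * 32) + s(b"\1" * 32)
            + struct.pack(">QI", 1, ctype) + s(b"constructed-key-id")
            + s(b"".join(s(p.encode()) for p in principals)))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()

if __name__ == "__main__":
    for args in [(USER, []), (USER, ["*"]), (HOST, ["*.example.org"]), (USER, ["alice"])]:
        print(args, audit_cert(sample_cert(*args))[2])
```

Run against the certificates a CA has issued, this finds the ones that stop working after the behaviour change.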
field. This value is supposed to be the number of handles a server will allow
to be opened and not a number of outstanding read/write requests that can be
sent during an upload/download.
ok markus@
OpenBSD-Commit-ID: 14ebb6690acbd488e748ce8ce3302bd7e1e8a5b0
get a running mux process to show information about what channels are
currently open; ok dtucker@ markus@
OpenBSD-Commit-ID: 80bb3953b306a50839f9a4bc5679faebc32e5bb8
Match blocks at startup rather than failing later at runtime;
noticed via bz#3906; ok dtucker
OpenBSD-Commit-ID: e6035ff0baa375de6c9f22c883ed530a8649dfed
applied to login attempts for usernames that do not match real accounts.
Defaults to 5s to match 'authfail' but allows administrators to block such
sources for longer if desired. with & ok djm@
OpenBSD-Commit-ID: bb62797bcf2adceb96f608ce86d0bb042aff5834
whether it accepts delegated credentials offered by the client. This option
mirrors GssDelegateCreds in ssh_config.
From Dmitry Belyavskiy via GHPR614; ok dtucker@
OpenBSD-Commit-ID: ac419354edb26cef9ad15692e0bed17a03997786
flag that forcing a command doesn't automatically disable forwarding. Add one
next to the sshd_config(5) ForceCommand directive too.
feedback deraadt@
OpenBSD-Commit-ID: bfe38b4d3cfbadbb8bafe38bc256f5a17a0ee75c
allowing penalties to be less than a second. This is useful if you need to
penalise things you expect to occur at >=1 QPS.
feedback dtucker / deraadt; ok deraadt@
OpenBSD-Commit-ID: 89198be755722131b45a52d22d548e4c602201f0
such as "3w2d4h5m10.5s", into a floating point number of seconds.
Reimplement the existing convtime() function using convtime_double()
(it just drops the fractional seconds)
lots of feedback deraadt@ / dtucker@; ok deraadt@
OpenBSD-Commit-ID: 053cdd0c72325a20efc6613caa847473fb89e36f
that shows connection information, similar to the ~I escapechar.
This is the first use of the mux extension mechanism, so it should be
both forward and backward compatible: a new client talking to an old
server will not allow the "conninfo" request to be sent, but everything
else should work seamlessly. feedback and ok djm@
OpenBSD-Commit-ID: 50f047a85da277360558cabdfed59cb66f754341
only display peer information for TCP connections including source address
and port. This provides enough information to uniquely identify a connection
on the host or network.
OpenBSD-Commit-ID: aa18a4af2de41c298d1195d2566808585f8ce964