Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/OPENSSH]: src/crypto/external/bsd/openssh/dist Import OpenSSH-8.8:
details: https://anonhg.NetBSD.org/src/rev/3bd05cff7def
branches: OPENSSH
changeset: 987481:3bd05cff7def
user: christos <christos%NetBSD.org@localhost>
date: Mon Sep 27 17:00:57 2021 +0000
description:
Import OpenSSH-8.8:
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug- compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path%openssh.com@localhost" to support
this.
Security
========
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Changes since OpenSSH 8.7
=========================
This release is motivated primarily by the above deprecation and
security fix.
New features
------------
* ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
directive to accept a "none" argument to specify the default
behaviour.
Bugfixes
--------
* scp(1): when using the SFTP protocol, continue transferring files
after a transfer error occurs, better matching original scp/rcp
behaviour.
* ssh(1): fixed a number of memory leaks in multiplexing,
* ssh-keygen(1): avoid crash when using the -Y find-principals
command.
* A number of documentation and manual improvements, including
bz#3340, PR#139, PR#215, PR#241, PR#257
Portability
-----------
* ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)
* ssh(1)/sshd(8): some fixes to the pselect(2) replacement
compatibility code. bz#3345
diffstat:
crypto/external/bsd/openssh/dist/channels.c | 8 ++-
crypto/external/bsd/openssh/dist/clientloop.c | 5 +-
crypto/external/bsd/openssh/dist/compat.c | 3 +-
crypto/external/bsd/openssh/dist/log.c | 9 ++-
crypto/external/bsd/openssh/dist/misc.c | 8 ++-
crypto/external/bsd/openssh/dist/myproposal.h | 6 +-
crypto/external/bsd/openssh/dist/readconf.c | 58 +++++++++++++++++++----
crypto/external/bsd/openssh/dist/readconf.h | 3 +-
crypto/external/bsd/openssh/dist/scp.1 | 42 ++++++++---------
crypto/external/bsd/openssh/dist/scp.c | 40 ++++++++-------
crypto/external/bsd/openssh/dist/servconf.c | 7 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 3 +-
crypto/external/bsd/openssh/dist/sftp-realpath.c | 3 +-
crypto/external/bsd/openssh/dist/sftp.c | 24 ++++----
crypto/external/bsd/openssh/dist/ssh-keygen.c | 5 +-
crypto/external/bsd/openssh/dist/ssh.1 | 17 +++++-
crypto/external/bsd/openssh/dist/ssh.c | 12 ++--
crypto/external/bsd/openssh/dist/ssh_config.5 | 30 ++++++-----
crypto/external/bsd/openssh/dist/sshd.8 | 11 +++-
crypto/external/bsd/openssh/dist/sshd_config.5 | 10 ++--
crypto/external/bsd/openssh/dist/version.h | 4 +-
21 files changed, 185 insertions(+), 123 deletions(-)
diffs (truncated from 893 to 300 lines):
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/channels.c
--- a/crypto/external/bsd/openssh/dist/channels.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/channels.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.407 2021/05/19 01:24:05 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -619,9 +619,11 @@
debug("channel %d: free: %s, nchannels %u", c->self,
c->remote_name ? c->remote_name : "???", n);
- if (c->type == SSH_CHANNEL_MUX_CLIENT)
+ if (c->type == SSH_CHANNEL_MUX_CLIENT) {
mux_remove_remote_forwardings(ssh, c);
- else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
+ free(c->mux_ctx);
+ c->mux_ctx = NULL;
+ } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
free(c->mux_ctx);
c->mux_ctx = NULL;
}
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/clientloop.c
--- a/crypto/external/bsd/openssh/dist/clientloop.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/clientloop.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.369 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -1397,7 +1397,8 @@
* exit status to be returned. In that case, clear error code if the
* connection was deliberately terminated at this end.
*/
- if (options.session_type == SESSION_TYPE_NONE && received_signal == SIGTERM) {
+ if (options.session_type == SESSION_TYPE_NONE &&
+ received_signal == SIGTERM) {
received_signal = 0;
exit_status = 0;
}
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/compat.c
--- a/crypto/external/bsd/openssh/dist/compat.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/compat.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -67,7 +67,6 @@
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/log.c
--- a/crypto/external/bsd/openssh/dist/log.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/log.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.59 2021/05/07 04:11:51 djm Exp $ */
+/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -311,6 +311,7 @@
int pri = LOG_INFO;
int saved_errno = errno;
log_handler_fn *tmp_handler;
+ const char *progname = argv0 != NULL ? argv0 : __progname;
if (!force && level > log_level)
return;
@@ -367,11 +368,13 @@
tmp_handler(level, force, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
- snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
+ snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
+ (log_on_stderr > 1) ? progname : "",
+ (log_on_stderr > 1) ? ": " : "",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
- openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
+ openlog_r(progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
}
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/misc.c
--- a/crypto/external/bsd/openssh/dist/misc.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/misc.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -2594,6 +2594,12 @@
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/myproposal.h
--- a/crypto/external/bsd/openssh/dist/myproposal.h Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/myproposal.h Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -46,7 +46,6 @@
"sk-ecdsa-sha2-nistp256-cert-v01%openssh.com@localhost," \
"rsa-sha2-512-cert-v01%openssh.com@localhost," \
"rsa-sha2-256-cert-v01%openssh.com@localhost," \
- "ssh-rsa-cert-v01%openssh.com@localhost," \
"ssh-ed25519," \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
@@ -54,8 +53,7 @@
"sk-ssh-ed25519%openssh.com@localhost," \
"sk-ecdsa-sha2-nistp256%openssh.com@localhost," \
"rsa-sha2-512," \
- "rsa-sha2-256," \
- "ssh-rsa"
+ "rsa-sha2-256"
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305%openssh.com@localhost," \
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/readconf.c
--- a/crypto/external/bsd/openssh/dist/readconf.c Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/readconf.c Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -1997,11 +1997,23 @@
case oCanonicalizePermittedCNAMEs:
value = options->num_permitted_cnames != 0;
+ i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
- /* Either '*' for everything or 'list:list' */
- if (strcmp(arg, "*") == 0)
+ /*
+ * Either 'none' (only in first position), '*' for
+ * everything or 'list:list'
+ */
+ if (strcasecmp(arg, "none") == 0) {
+ if (i > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"none\" "
+ "argument must appear alone.",
+ filename, linenum, keyword);
+ goto out;
+ }
+ arg2 = "";
+ } else if (strcmp(arg, "*") == 0) {
arg2 = arg;
- else {
+ } else {
lowercase(arg);
if ((arg2 = strchr(arg, ':')) == NULL ||
arg2[1] == '\0') {
@@ -2013,6 +2025,7 @@
*arg2 = '\0';
arg2++;
}
+ i++;
if (!*activep || value)
continue;
if (options->num_permitted_cnames >=
@@ -2267,6 +2280,20 @@
}
/*
+ * Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
+ * Allowed to be called on non-final configuration.
+ */
+int
+config_has_permitted_cnames(Options *options)
+{
+ if (options->num_permitted_cnames == 1 &&
+ strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
+ strcmp(options->permitted_cnames[0].target_list, "") == 0)
+ return 0;
+ return options->num_permitted_cnames > 0;
+}
+
+/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
* are processed in the following order: command line, user config file,
@@ -2627,6 +2654,15 @@
free(options->jump_host);
options->jump_host = NULL;
}
+ if (options->num_permitted_cnames == 1 &&
+ !config_has_permitted_cnames(options)) {
+ /* clean up CanonicalizePermittedCNAMEs=none */
+ free(options->permitted_cnames[0].source_list);
+ free(options->permitted_cnames[0].target_list);
+ memset(options->permitted_cnames, '\0',
+ sizeof(*options->permitted_cnames));
+ options->num_permitted_cnames = 0;
+ }
/* options->identity_agent distinguishes NULL from 'none' */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
@@ -3342,14 +3378,14 @@
printf("\n");
/* oCanonicalizePermittedCNAMEs */
- if ( o->num_permitted_cnames > 0) {
- printf("canonicalizePermittedcnames");
- for (i = 0; i < o->num_permitted_cnames; i++) {
- printf(" %s:%s", o->permitted_cnames[i].source_list,
- o->permitted_cnames[i].target_list);
- }
- printf("\n");
+ printf("canonicalizePermittedcnames");
+ if (o->num_permitted_cnames == 0)
+ printf(" none");
+ for (i = 0; i < o->num_permitted_cnames; i++) {
+ printf(" %s:%s", o->permitted_cnames[i].source_list,
+ o->permitted_cnames[i].target_list);
}
+ printf("\n");
/* oControlPersist */
if (o->control_persist == 0 || o->control_persist_timeout == 0)
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/readconf.h
--- a/crypto/external/bsd/openssh/dist/readconf.h Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/readconf.h Mon Sep 27 17:00:57 2021 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
@@ -228,6 +228,7 @@
int parse_ssh_uri(const char *, char **, char **, int *);
int default_ssh_port(void);
int option_clear_or_none(const char *);
+int config_has_permitted_cnames(Options *);
void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *);
diff -r cd71300a7a7c -r 3bd05cff7def crypto/external/bsd/openssh/dist/scp.1
--- a/crypto/external/bsd/openssh/dist/scp.1 Thu Sep 02 11:22:28 2021 +0000
+++ b/crypto/external/bsd/openssh/dist/scp.1 Mon Sep 27 17:00:57 2021 +0000
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.105 2021/09/20 06:53:56 djm Exp $
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 20 2021 $
.Dt SCP 1
.Os
.Sh NAME
@@ -37,9 +37,6 @@
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,7 @@
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the original SCP protocol (the default), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -112,7 +109,7 @@
.Xr ssh 1 .
.It Fl D Ar sftp_server_path
When using the SFTP protocol support via
-.Fl M ,
Home |
Main Index |
Thread Index |
Old Index