| Age | Commit message (Collapse) | Author |
|---|
|
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
ok markus@ deraadt@
OpenBSD-Commit-ID: 02a8730a570b63fa8acd9913ec66353735dea42c
|
|
compression support (which is requested as the name "zlib"). Compression
starts very early in the session. Relative early in OpenSSH lifetime, privsep
was added to sshd, and this required a shared-memory hack so the two
processes could see what was going on in the dataflow. This shared-memory
hack was soon recognized as a tremendous complexity risk, because it put libz
(which very much trusts it's memory) in a dangerous place, and a new option
("zlib@openssh.com") was added begins compression after authentication (aka
delayed-compression). That change also permitted removal of the
shared-memory hack. Despite removal from the server, the old "zlib" support
remained in the client, to allow negotiation with non-OpenSSH daemons which
lack the delayed-compression option. This commit deletes support for the
older "zlib" option in the client. It reduces our featureset in a small way,
and encourages other servers to move to a better design. The SSH protocol is
different enough that compressed-key-material attacks like BEAST are
unlikely, but who wants to take the chance? We encourage other ssh servers
who care about optional compression support to add delayed-zlib support.
(Some already do "zlib@openssh.com") ok djm markus
OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72
|
|
we can make the algorithm available without the @openssh.com suffix too. ok
markus@ deraadt@
OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
|
|
binaries. This step splits sshd into a listener and a session binary. More
splits are planned.
After this changes, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.
This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.
OpenBSD-Commit-ID: 43c04a1ab96cdbdeb53d2df0125a6d42c5f19934
|
|
OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
|
|
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
|
|
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
|
|
This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG
to implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
ok markus@
OpenBSD-Commit-ID: b6b3c4cb2084c62f85a8dc67cf74954015eb547f
|
|
This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.
OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b
|
|
UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2
for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2
signatures for RSA keys if the client proposed these algorithms in initial
KEX. bz3375
Mostly by Dmitry Belyavskiy with some tweaks by me.
ok markus@
OpenBSD-Commit-ID: c17ba0c3236340d2c6a248158ebed042ac6a8029
|
|
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.
Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.
Note: nothing in kex.c actually sets the new flag yet
ok markus@
OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
|
|
These will be used later for agent session ID / hostkey binding
ok markus@
OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
|
|
types once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via
oss-fuzz #30078).
ok markus@
OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
|
|
and use that instead of global variables containing copies of it. feedback/ok
markus@
OpenBSD-Commit-ID: a4b1b1ca4afd2e37cb9f64f737b30a6a7f96af68
|
|
exchange method based on Streamlined NTRU Prime (coupled with X25519).
The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.
The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).
Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself
(note this both the updated method and the one that it replaced are
disabled by default)
OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
|
|
key (commitid VtF8vozGOF8DMKVg). We now do this a simpler way that needs less
plumbing.
ok markus@
OpenBSD-Commit-ID: fb92d25b216bff8c136da818ac2221efaadf18ed
|
|
certificate host key to a plain key. This occurs when the user connects to a
host with a certificate host key but no corresponding CA key configured in
known_hosts; feedback and ok markus@
OpenBSD-Commit-ID: 2ada81853ff9ee7824c62f440bcf4ad62030c901
|
|
Prompted by Jakub Jelen
|
|
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
|
|
refactoring but not since
OpenBSD-Commit-ID: bb28ebda8f7c490b87b37954044a6cdd43a7eb2c
|
|
rather than pointer+length; ok markus@
OpenBSD-Commit-ID: ef0c89c52ccc89817a13a5205725148a28492bf7
|
|
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
|
|
rather than pointer+len
suggested by me; implemented by markus@ ok me
OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
|
|
DH-like KEX methods have moved to KEM
from markus@ ok djm@
OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
|
|
from markus@ ok djm@
OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
|
|
from markus@ ok djm@
OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
|
|
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
|
|
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
|
|
almost exactly across client and server for several KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
|
|
both the client and server implementations for most KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
|
|
plain DH KEX and DH GEX in both the client and server implementations
from markus@ ok djm@
OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
|
|
and the server
from markus@ ok djm@
OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
|
|
with & ok markus@
OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
|
|
ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.
Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).
Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@
OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
|
|
KEX. It shouldn't be sent in subsequent ones, but if it is present we should
ignore it.
This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy
these clients. Reported by Jakub Jelen via bz2929; ok dtucker@
OpenBSD-Commit-ID: 91564118547f7807030ec537480303e2371902f9
|
|
|
|
OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
|
|
This time, make sure to not remove things that are necessary for
pre-auth compression on the client. Add a comment that pre-auth
compression is still supported in the client.
ok markus@
OpenBSD-Commit-ID: 282c6fec7201f18a5c333bbb68d9339734d2f784
|
|
OpenBSD-Commit-ID: 2dd5dc17cbc23195be4299fa93be2707a0e08ad9
|
|
It turns out we still support pre-auth compression on the client.
Therefore revert the previous two commits:
date: 2018/07/06 09:06:14; author: sf; commitid: yZVYKIRtUZWD9CmE;
Rename COMP_DELAYED to COMP_ZLIB
Only delayed compression is supported nowadays.
ok markus@
date: 2018/07/06 09:05:01; author: sf; commitid: rEGuT5UgI9f6kddP;
Remove leftovers from pre-authentication compression
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.
ok markus@
OpenBSD-Commit-ID: cdfef526357e4e1483c86cf599491b2dafb77772
|
|
Only delayed compression is supported nowadays.
ok markus@
OpenBSD-Commit-ID: 5b1dbaf3d9a4085aaa10fec0b7a4364396561821
|
|
Support for this has been removed in 2016.
COMP_DELAYED will be renamed in a later commit.
ok markus@
OpenBSD-Commit-ID: 6a99616c832627157113fcb0cf5a752daf2e6b58
|
|
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
|
|
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
|
|
protocol handlers all get struct ssh passed; ok djm@
Upstream-ID: 0ca9ea2a5d01a6d2ded94c5024456a930c5bfb5d
|
|
remove miscellaneous SSH1 leftovers; ok markus@
Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
|
|
put back some pre-auth zlib bits that I shouldn't have
removed - they are still used by the client. Spotted by naddy@
Upstream-ID: 80919468056031037d56a1f5b261c164a6f90dc2
|
|
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
|
|
missing bit from previous commit
Upstream-ID: 438d5ed6338b28b46e822eb13eee448aca31df37
|
|
add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03
diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)
based on patch from Mark D. Baushke and Darren Tucker
ok markus@
Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
|
