Page MenuHomeFreeBSD
Files F148354156

D28624.id83838.diff
No OneTemporary
Actions

D28624.id83838.diff
View Options

Index: INSTALL
===================================================================
--- INSTALL
+++ INSTALL
@@ -78,6 +78,15 @@
http://www.jmknoble.net/software/x11-ssh-askpass/
+TCP Wrappers:
+
+If you wish to use the TCP wrappers functionality you will need at least
+tcpd.h and libwrap.a, either in the standard include and library paths,
+or in the directory specified by --with-tcp-wrappers. Version 7.6 is
+known to work.
+
+http://ftp.porcupine.org/pub/security/index.html
+
LibEdit:
sftp supports command-line editing via NetBSD's libedit. If your platform
@@ -196,6 +205,9 @@
--with-osfsia, --without-osfsia will enable or disable OSF1's Security
Integration Architecture. The default for OSF1 machines is enable.
+--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
+support.
+
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords and the system crypt() does
not support them directly (see the crypt(3/3c) man page). If enabled, the
Index: auth-pam.c
===================================================================
--- auth-pam.c
+++ auth-pam.c
@@ -105,6 +105,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "blacklist_client.h"
extern ServerOptions options;
extern struct sshbuf *loginmsg;
@@ -916,6 +917,8 @@
sshbuf_free(buffer);
return (0);
}
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
+ sshpam_authctxt->user);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user, sshpam_rhost);
Index: auth.c
===================================================================
--- auth.c
+++ auth.c
@@ -76,6 +76,7 @@
#include "ssherr.h"
#include "compat.h"
#include "channels.h"
+#include "blacklist_client.h"
/* import */
extern ServerOptions options;
@@ -331,8 +332,11 @@
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ if (authenticated)
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
+ }
if ((extra = format_method_key(authctxt)) == NULL) {
if (authctxt->auth_method_info != NULL)
@@ -586,6 +590,7 @@
aix_restoreauthdb();
#endif
if (pw == NULL) {
+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
@@ -600,7 +605,7 @@
if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
Index: auth2.c
===================================================================
--- auth2.c
+++ auth2.c
@@ -53,6 +53,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "ssherr.h"
+#include "blacklist_client.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -266,6 +267,10 @@
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
+ const char *from_host, *from_ip;
+#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -317,6 +322,28 @@
"not allowed: (%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
+ if (authctxt->pw != NULL &&
+ (lc = PRIVSEP(login_getpwclass(authctxt->pw))) != NULL) {
+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
+ from_ip = ssh_remote_ipaddr(ssh);
+ if (!auth_hostok(lc, from_host, from_ip)) {
+ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ ssh_packet_disconnect(ssh,
+ "Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ ssh_packet_disconnect(ssh,
+ "Logins not available right now.");
+ }
+ PRIVSEP(login_close(lc));
+ }
+#endif /* HAVE_LOGIN_CAP */
+
/* reset state */
auth2_challenge_stop(ssh);
@@ -424,8 +451,10 @@
} else {
/* Allow initial try of "none" auth without failure penalty */
if (!partial && !authctxt->server_caused_failure &&
- (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
authctxt->failures++;
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
+ }
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
Index: blacklist.c
===================================================================
--- /dev/null
+++ blacklist.c
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
+
+#include "ssh.h"
+#include "packet.h"
+#include "log.h"
+#include "misc.h"
+#include "servconf.h"
+#include <blacklist.h>
+#include "blacklist_client.h"
+
+static struct blacklist *blstate = NULL;
+
+/* import */
+extern ServerOptions options;
+
+/* internal definition from bl.h */
+struct blacklist *bl_create(bool, char *, void (*)(int, const char *, va_list));
+
+/* impedence match vsyslog() to sshd's internal logging levels */
+void
+im_log(int priority, const char *message, va_list args)
+{
+ LogLevel imlevel;
+
+ switch (priority) {
+ case LOG_ERR:
+ imlevel = SYSLOG_LEVEL_ERROR;
+ break;
+ case LOG_DEBUG:
+ imlevel = SYSLOG_LEVEL_DEBUG1;
+ break;
+ case LOG_INFO:
+ imlevel = SYSLOG_LEVEL_INFO;
+ break;
+ default:
+ imlevel = SYSLOG_LEVEL_DEBUG2;
+ }
+ do_log(imlevel, message, args);
+}
+
+void
+blacklist_init(void)
+{
+
+ if (options.use_blacklist)
+ blstate = bl_create(false, NULL, im_log);
+}
+
+void
+blacklist_notify(int action, const char *msg)
+{
+
+ if (blstate != NULL && packet_connection_is_on_socket())
+ (void)blacklist_r(blstate, action,
+ packet_get_connection_in(), msg);
+}
Index: blacklist_client.h
===================================================================
--- /dev/null
+++ blacklist_client.h
@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 2016 The FreeBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed by Kurt Lidl
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef BLACKLIST_CLIENT_H
+#define BLACKLIST_CLIENT_H
+
+#ifndef BLACKLIST_API_ENUM
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+#endif
+
+#ifdef USE_BLACKLIST
+void blacklist_init(void);
+void blacklist_notify(int, const char *);
+
+#define BLACKLIST_INIT() blacklist_init()
+#define BLACKLIST_NOTIFY(x,msg) blacklist_notify(x,msg)
+
+#else
+
+#define BLACKLIST_INIT()
+#define BLACKLIST_NOTIFY(x,msg)
+
+#endif
+
+
+#endif /* BLACKLIST_CLIENT_H */
Index: configure.ac
===================================================================
--- configure.ac
+++ configure.ac
@@ -1547,6 +1547,61 @@
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5512,6 +5567,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
Index: freebsd-configure.sh
===================================================================
--- /dev/null
+++ freebsd-configure.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+configure_args="
+ --prefix=/usr
+ --sysconfdir=/etc/ssh
+ --with-pam
+ --with-tcp-wrappers
+ --with-libedit
+ --with-ssl-engine
+ --without-xauth
+"
+
+set -e
+
+# generate config.h with krb5 and stash it
+sh configure $configure_args --with-kerberos5
+mv config.log config.log.orig
+mv config.h config.h.orig
+
+# generate config.h without krb5
+sh configure $configure_args --without-kerberos5
+
+# extract the difference
+echo '/* $Free''BSD$ */' > krb5_config.h
+diff -u config.h.orig config.h |
+ sed -n '/^-#define/s/^-//p' |
+ grep -Ff /dev/stdin config.h.orig >> krb5_config.h
Index: kex.c
===================================================================
--- kex.c
+++ kex.c
@@ -1184,7 +1184,7 @@
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
- version_addendum == NULL ? "" : " ",
+ (version_addendum == NULL || *version_addendum == '\0') ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
Index: krb5_config.h
===================================================================
--- /dev/null
+++ krb5_config.h
@@ -0,0 +1,11 @@
+/* $FreeBSD$ */
+#define GSSAPI 1
+#define HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE 1
+#define HAVE_GSSAPI_GSSAPI_H 1
+#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
+#define HAVE_GSSAPI_H 1
+#define HAVE_KRB5_CC_NEW_UNIQUE 1
+#define HAVE_KRB5_FREE_ERROR_MESSAGE 1
+#define HAVE_KRB5_GET_ERROR_MESSAGE 1
+#define HEIMDAL 1
+#define KRB5 1
Index: monitor.h
===================================================================
--- monitor.h
+++ monitor.h
@@ -53,7 +53,8 @@
MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
- MONITOR_REQ_TERM = 50,
+ MONITOR_REQ_GETPWCLASS = 50, MONITOR_ANS_GETPWCLASS = 51,
+ MONITOR_REQ_TERM = 52,
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
Index: monitor.c
===================================================================
--- monitor.c
+++ monitor.c
@@ -115,6 +115,9 @@
int mm_answer_moduli(struct ssh *, int, struct sshbuf *);
int mm_answer_sign(struct ssh *, int, struct sshbuf *);
+#ifdef HAVE_LOGIN_CAP
+int mm_answer_login_getpwclass(int, struct sshbuf *);
+#endif
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -194,6 +197,9 @@
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
#endif
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+#ifdef HAVE_LOGIN_CAP
+ {MONITOR_REQ_GETPWCLASS, MON_ISAUTH, mm_answer_login_getpwclass},
+#endif
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
@@ -711,6 +717,48 @@
return (0);
}
+#ifdef HAVE_LOGIN_CAP
+int
+mm_answer_login_getpwclass(int sock, struct sshbuf *m)
+{
+ login_cap_t *lc;
+ struct passwd *pw;
+ int r;
+ u_int len;
+
+ debug3("%s", __func__);
+
+ pw = sshbuf_get_passwd(m);
+ if (pw == NULL)
+ fatal("%s: receive get struct passwd failed", __func__);
+
+ lc = login_getpwclass(pw);
+
+ sshbuf_reset(m);
+
+ if (lc == NULL) {
+ if (r = sshbuf_put_u8(m, 0) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ goto out;
+ }
+
+ if ((r = sshbuf_put_u8(m, 1)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_class)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_cap)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_style)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ login_close(lc);
+ out:
+ debug3("%s: sending MONITOR_ANS_GETPWCLASS", __func__);
+ mm_request_send(sock, MONITOR_ANS_GETPWCLASS, m);
+
+ sshbuf_free_passwd(pw);
+
+ return (0);
+}
+#endif
+
/* Retrieves the password entry and also checks if the user is permitted */
int
@@ -748,19 +796,8 @@
authctxt->pw = pwent;
authctxt->valid = 1;
- /* XXX don't sent pwent to unpriv; send fake class/dir/shell too */
if ((r = sshbuf_put_u8(m, 1)) != 0 ||
- (r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 ||
- (r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 ||
- (r = sshbuf_put_cstring(m, "*")) != 0 ||
-#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
- (r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 ||
-#endif
-#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
- (r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 ||
-#endif
- (r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 ||
- (r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0)
+ (r = sshbuf_put_passwd(m, pwent)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
out:
Index: monitor_wrap.h
===================================================================
--- monitor_wrap.h
+++ monitor_wrap.h
@@ -50,6 +50,10 @@
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
+#ifdef HAVE_LOGIN_CAP
+struct login_cap *mm_login_getpwclass(const struct passwd *pwd);
+void mm_login_close(struct login_cap *lc);
+#endif
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *,
Index: monitor_wrap.c
===================================================================
--- monitor_wrap.c
+++ monitor_wrap.c
@@ -243,6 +243,61 @@
return (0);
}
+#ifdef HAVE_LOGIN_CAP
+login_cap_t *
+mm_login_getpwclass(const struct passwd *pwent)
+{
+ int r;
+ struct sshbuf *m;
+ char rc;
+ login_cap_t *lc;
+
+ debug3("%s entering", __func__);
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_passwd(m, pwent)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GETPWCLASS, m);
+
+ debug3("%s: waiting for MONITOR_ANS_GETPWCLASS", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GETPWCLASS, m);
+
+ if ((r = sshbuf_get_u8(m, &rc)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ if (rc == 0) {
+ lc = NULL;
+ goto out;
+ }
+
+ lc = xmalloc(sizeof(*lc));
+ if ((r = sshbuf_get_cstring(m, &lc->lc_class, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &lc->lc_cap, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &lc->lc_style, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ out:
+ sshbuf_free(m);
+
+ return (lc);
+}
+#endif
+
+#ifdef HAVE_LOGIN_CAP
+void
+mm_login_close(login_cap_t *lc)
+{
+ if (lc == NULL)
+ return;
+ free(lc->lc_style);
+ free(lc->lc_class);
+ free(lc->lc_cap);
+ free(lc);
+}
+#endif
+
struct passwd *
mm_getpwnamallow(struct ssh *ssh, const char *username)
{
@@ -274,25 +329,9 @@
goto out;
}
- /* XXX don't like passing struct passwd like this */
- pw = xcalloc(sizeof(*pw), 1);
- if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (len != sizeof(*pw))
- fatal("%s: struct passwd size mismatch", __func__);
- memcpy(pw, p, sizeof(*pw));
-
- if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 ||
-#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
- (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 ||
-#endif
-#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
- (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 ||
-#endif
- (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ pw = sshbuf_get_passwd(m);
+ if (pw == NULL)
+ fatal("%s: receive get struct passwd failed", __func__);
out:
/* copy options block as a Match directive may have changed some */
Index: packet.c
===================================================================
--- packet.c
+++ packet.c
@@ -96,6 +96,7 @@
#include "packet.h"
#include "ssherr.h"
#include "sshbuf.h"
+#include "blacklist_client.h"
#ifdef PACKET_DEBUG
#define DBG(x) x
@@ -1882,6 +1883,7 @@
case SSH_ERR_NO_KEX_ALG_MATCH:
case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
if (ssh && ssh->kex && ssh->kex->failed_choice) {
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
ssh_packet_clear_keys(ssh);
errno = oerrno;
logdie("Unable to negotiate with %s: %s. "
Index: pathnames.h
===================================================================
--- pathnames.h
+++ pathnames.h
@@ -121,7 +121,7 @@
* Default location of askpass
*/
#ifndef _PATH_SSH_ASKPASS_DEFAULT
-#define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass"
+#define _PATH_SSH_ASKPASS_DEFAULT "/usr/local/bin/ssh-askpass"
#endif
/* Location of ssh-keysign for hostbased authentication */
@@ -141,7 +141,7 @@
/* xauth for X11 forwarding */
#ifndef _PATH_XAUTH
-#define _PATH_XAUTH "/usr/X11R6/bin/xauth"
+#define _PATH_XAUTH "/usr/local/bin/xauth"
#endif
/* UNIX domain socket for X11 server; displaynum will replace %u */
Index: readconf.h
===================================================================
--- readconf.h
+++ readconf.h
@@ -163,6 +163,8 @@
char *hostbased_key_types;
char *pubkey_key_types;
+ char *version_addendum; /* Appended to SSH banner */
+
char *jump_user;
char *jump_host;
int jump_port;
Index: readconf.c
===================================================================
--- readconf.c
+++ readconf.c
@@ -15,6 +15,9 @@
#include "includes.h"
#include <sys/types.h>
+#ifdef VMWARE_GUEST_WORKAROUND
+#include <sys/sysctl.h>
+#endif
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
@@ -67,6 +70,7 @@
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
+#include "version.h"
/* Format of the configuration file:
@@ -141,6 +145,7 @@
typedef enum {
oBadOption,
+ oVersionAddendum,
oHost, oMatch, oInclude,
oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
oGatewayPorts, oExitOnForwardFailure,
@@ -310,6 +315,14 @@
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
+ { "versionaddendum", oVersionAddendum },
+
+ { "hpndisabled", oDeprecated },
+ { "hpnbuffersize", oDeprecated },
+ { "tcprcvbufpoll", oDeprecated },
+ { "tcprcvbuf", oDeprecated },
+ { "noneenabled", oUnsupported },
+ { "noneswitch", oUnsupported },
{ NULL, oBadOption }
};
@@ -1694,6 +1707,22 @@
multistate_ptr = multistate_requesttty;
goto parse_multistate;
+ case oVersionAddendum:
+ if (s == NULL)
+ fatal("%.200s line %d: Missing argument.", filename,
+ linenum);
+ len = strspn(s, WHITESPACE);
+ if (*activep && options->version_addendum == NULL) {
+ if (strcasecmp(s + len, "none") == 0)
+ options->version_addendum = xstrdup("");
+ else if (strchr(s + len, '\r') != NULL)
+ fatal("%.200s line %d: Invalid argument",
+ filename, linenum);
+ else
+ options->version_addendum = xstrdup(s + len);
+ }
+ return 0;
+
case oIgnoreUnknown:
charptr = &options->ignored_unknown;
goto parse_string;
@@ -1960,6 +1989,7 @@
initialize_options(Options * options)
{
memset(options, 'X', sizeof(*options));
+ options->version_addendum = NULL;
options->forward_agent = -1;
options->forward_agent_sock_path = NULL;
options->forward_x11 = -1;
@@ -2089,6 +2119,15 @@
char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
int r;
+#ifdef VMWARE_GUEST_WORKAROUND
+ char scval[7]; /* "vmware\0" */
+ size_t scsiz = sizeof(scval);
+ int vmwguest = 0;
+
+ if (sysctlbyname("kern.vm_guest", scval, &scsiz, NULL, 0) == 0 &&
+ strcmp(scval, "vmware") == 0)
+ vmwguest = 1;
+#endif
if (options->forward_agent == -1)
options->forward_agent = 0;
@@ -2136,7 +2175,7 @@
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
- options->check_host_ip = 1;
+ options->check_host_ip = 0;
if (options->strict_host_key_checking == -1)
options->strict_host_key_checking = SSH_STRICT_HOSTKEY_ASK;
if (options->compression == -1)
@@ -2200,8 +2239,14 @@
options->rekey_limit = 0;
if (options->rekey_interval == -1)
options->rekey_interval = 0;
+#if HAVE_LDNS
+ if (options->verify_host_key_dns == -1)
+ /* automatically trust a verified SSHFP record */
+ options->verify_host_key_dns = 1;
+#else
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
+#endif
if (options->server_alive_interval == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
@@ -2225,8 +2270,18 @@
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+ if (vmwguest)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ else
+#endif
options->ip_qos_interactive = IPTOS_DSCP_AF21;
if (options->ip_qos_bulk == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+ if (vmwguest)
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ else
+#endif
options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
@@ -2309,6 +2364,8 @@
/* options->hostname will be set in the main program if appropriate */
/* options->host_key_alias should not be set by default */
/* options->preferred_authentications will be set in ssh */
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
}
struct fwdarg {
Index: regress/unittests/sshkey/test_sshkey.c
===================================================================
--- regress/unittests/sshkey/test_sshkey.c
+++ regress/unittests/sshkey/test_sshkey.c
@@ -9,6 +9,7 @@
#include <sys/types.h>
#include <sys/param.h>
+#include <paths.h>
#include <stdio.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
@@ -80,7 +81,7 @@
critopts = sshbuf_new();
ASSERT_PTR_NE(critopts, NULL);
- put_opt(critopts, "force-command", "/usr/local/bin/nethack");
+ put_opt(critopts, "force-command", _PATH_LOCALBASE "/bin/nethack");
put_opt(critopts, "source-address", "192.168.0.0/24,127.0.0.1,::1");
exts = sshbuf_new();
Index: sandbox-capsicum.c
===================================================================
--- sandbox-capsicum.c
+++ sandbox-capsicum.c
@@ -30,6 +30,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <capsicum_helpers.h>
#include "log.h"
#include "monitor.h"
@@ -70,6 +71,8 @@
struct rlimit rl_zero;
cap_rights_t rights;
+ caph_cache_tzdata();
+
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
Index: servconf.h
===================================================================
--- servconf.h
+++ servconf.h
@@ -224,6 +224,7 @@
int expose_userauth_info;
u_int64_t timing_secret;
char *sk_provider;
+ int use_blacklist;
} ServerOptions;
/* Information about the incoming connection as used by Match */
Index: servconf.c
===================================================================
--- servconf.c
+++ servconf.c
@@ -70,6 +70,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "version.h"
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -191,6 +192,7 @@
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
+ options->use_blacklist = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -262,6 +264,8 @@
(*lp)++;
}
+static const char *defaultkey = "[default]";
+
static void
array_append(const char *file, const int line, const char *directive,
char ***array, u_int *lp, const char *s)
@@ -275,6 +279,8 @@
{
char *apath = derelativise_path(path);
+ if (file == defaultkey && access(path, R_OK) != 0)
+ return;
array_append2(file, line, "HostKey",
&options->host_key_files, &options->host_key_file_userprovided,
&options->num_host_key_files, apath, userprovided);
@@ -299,24 +305,28 @@
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
+ options->use_pam = 1;
/* Standard Options */
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
- servconf_add_hostkey("[default]", 0, options,
+ servconf_add_hostkey(defaultkey, 0, options,
_PATH_HOST_RSA_KEY_FILE, 0);
+ servconf_add_hostkey(defaultkey, 0, options,
+ _PATH_HOST_DSA_KEY_FILE, 0);
#ifdef OPENSSL_HAS_ECC
- servconf_add_hostkey("[default]", 0, options,
+ servconf_add_hostkey(defaultkey, 0, options,
_PATH_HOST_ECDSA_KEY_FILE, 0);
#endif
- servconf_add_hostkey("[default]", 0, options,
+ servconf_add_hostkey(defaultkey, 0, options,
_PATH_HOST_ED25519_KEY_FILE, 0);
#ifdef WITH_XMSS
- servconf_add_hostkey("[default]", 0, options,
+ servconf_add_hostkey(defaultkey, 0, options,
_PATH_HOST_XMSS_KEY_FILE, 0);
#endif /* WITH_XMSS */
}
+ if (options->num_host_key_files == 0)
+ fatal("No host key files found");
/* No certificates by default */
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@@ -329,7 +339,7 @@
if (options->login_grace_time == -1)
options->login_grace_time = 120;
if (options->permit_root_login == PERMIT_NOT_SET)
- options->permit_root_login = PERMIT_NO_PASSWD;
+ options->permit_root_login = PERMIT_NO;
if (options->ignore_rhosts == -1)
options->ignore_rhosts = 1;
if (options->ignore_user_known_hosts == -1)
@@ -339,7 +349,7 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 0;
+ options->x11_forwarding = 1;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -366,8 +376,8 @@
options->pubkey_authentication = 1;
if (options->pubkey_auth_options == -1)
options->pubkey_auth_options = 0;
- if (options->kerberos_authentication == -1)
- options->kerberos_authentication = 0;
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication = 0;
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
@@ -381,7 +391,7 @@
if (options->gss_strict_acceptor == -1)
options->gss_strict_acceptor = 1;
if (options->password_authentication == -1)
- options->password_authentication = 1;
+ options->password_authentication = 0;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
@@ -422,17 +432,17 @@
if (options->max_sessions == -1)
options->max_sessions = DEFAULT_SESSIONS_MAX;
if (options->use_dns == -1)
- options->use_dns = 0;
+ options->use_dns = 1;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
options->client_alive_count_max = 3;
if (options->num_authkeys_files == 0) {
- array_append("[default]", 0, "AuthorizedKeysFiles",
+ array_append(defaultkey, 0, "AuthorizedKeysFiles",
&options->authorized_keys_files,
&options->num_authkeys_files,
_PATH_SSH_USER_PERMITTED_KEYS);
- array_append("[default]", 0, "AuthorizedKeysFiles",
+ array_append(defaultkey, 0, "AuthorizedKeysFiles",
&options->authorized_keys_files,
&options->num_authkeys_files,
_PATH_SSH_USER_PERMITTED_KEYS2);
@@ -444,7 +454,7 @@
if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->version_addendum == NULL)
- options->version_addendum = xstrdup("");
+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -457,6 +467,8 @@
options->expose_userauth_info = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
+ if (options->use_blacklist == -1)
+ options->use_blacklist = 0;
assemble_algorithms(options);
@@ -535,6 +547,7 @@
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sUseBlacklist,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -688,6 +701,13 @@
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
+
+ { "noneenabled", sUnsupported, SSHCFG_ALL },
+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
+ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -2358,6 +2378,10 @@
*charptr = xstrdup(arg);
break;
+ case sUseBlacklist:
+ intptr = &options->use_blacklist;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2835,6 +2859,7 @@
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
Index: session.c
===================================================================
--- session.c
+++ session.c
@@ -994,6 +994,9 @@
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
+#else
+ extern char **environ;
+ char **senv, **var, *val;
#endif
/* Initialize the environment. */
@@ -1015,6 +1018,9 @@
}
#endif
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
#ifdef GSSAPI
/* Allow any GSSAPI methods that we've used to alter
* the child's environment as they see fit
@@ -1032,11 +1038,33 @@
child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
#endif
child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+ if (!options.use_pam) {
+ snprintf(buf, sizeof buf, "%.200s/%.50s",
+ _PATH_MAILDIR, pw->pw_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
+ }
#ifdef HAVE_LOGIN_CAP
- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
- else
- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+ child_set_env(&env, &envsize, "TERM", "su");
+ /*
+ * Temporarily swap out our real environment with an empty one,
+ * let setusercontext() apply any environment variables defined
+ * for the user's login class, copy those variables to the child,
+ * free the temporary environment, and restore the original.
+ */
+ senv = environ;
+ environ = xmalloc(sizeof(*environ));
+ *environ = NULL;
+ (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH);
+ for (var = environ; *var != NULL; ++var) {
+ if ((val = strchr(*var, '=')) != NULL) {
+ *val++ = '\0';
+ child_set_env(&env, &envsize, *var, val);
+ }
+ free(*var);
+ }
+ free(environ);
+ environ = senv;
#else /* HAVE_LOGIN_CAP */
# ifndef HAVE_CYGWIN
/*
@@ -1056,17 +1084,9 @@
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
- if (!options.use_pam) {
- snprintf(buf, sizeof buf, "%.200s/%.50s",
- _PATH_MAILDIR, pw->pw_name);
- child_set_env(&env, &envsize, "MAIL", buf);
- }
-
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
if (s->term)
child_set_env(&env, &envsize, "TERM", s->term);
if (s->display)
@@ -1279,7 +1299,8 @@
do_nologin(struct passwd *pw)
{
FILE *f = NULL;
- char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
+ const char *nl;
+ char buf[1024], *def_nl = _PATH_NOLOGIN;
struct stat sb;
#ifdef HAVE_LOGIN_CAP
@@ -1291,11 +1312,8 @@
return;
nl = def_nl;
#endif
- if (stat(nl, &sb) == -1) {
- if (nl != def_nl)
- free(nl);
+ if (stat(nl, &sb) == -1)
return;
- }
/* /etc/nologin exists. Print its contents if we can and exit. */
logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
@@ -1373,7 +1391,7 @@
if (platform_privileged_uidswap()) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
perror("unable to set user context");
exit(1);
}
Index: ssh-agent.1
===================================================================
--- ssh-agent.1
+++ ssh-agent.1
@@ -43,7 +43,7 @@
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
-.Op Fl \&Dd
+.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl P Ar allowed_providers
@@ -130,6 +130,8 @@
.Xr ssh-add 1
overrides this value.
Without this option the default maximum lifetime is forever.
+.It Fl x
+Exit after the last client has disconnected.
.It Ar command Op Ar arg ...
If a command (and optional arguments) is given,
this is executed as a subprocess of the agent.
Index: ssh-agent.c
===================================================================
--- ssh-agent.c
+++ ssh-agent.c
@@ -171,15 +171,34 @@
/* Refuse signing of non-SSH messages for web-origin FIDO keys */
static int restrict_websafe = 1;
+/*
+ * Client connection count; incremented in new_socket() and decremented in
+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
+ * normally initialized to 1, it will never reach 0. However, if the -x
+ * option is specified, it is initialized to 0 in main(); in that case,
+ * ssh-agent will exit as soon as it has had at least one client but no
+ * longer has any.
+ */
+static int xcount = 1;
+
static void
close_socket(SocketEntry *e)
{
+ int last = 0;
+
+ if (e->type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount - 1);
+ if (--xcount == 0)
+ last = 1;
+ }
close(e->fd);
e->fd = -1;
e->type = AUTH_UNUSED;
sshbuf_free(e->input);
sshbuf_free(e->output);
sshbuf_free(e->request);
+ if (last)
+ cleanup_exit(0);
}
static void
@@ -961,6 +980,10 @@
{
u_int i, old_alloc, new_alloc;
+ if (type == AUTH_CONNECTION) {
+ debug("xcount %d -> %d", xcount, xcount + 1);
+ ++xcount;
+ }
set_nonblock(fd);
if (fd > max_fd)
@@ -1261,7 +1284,7 @@
usage(void)
{
fprintf(stderr,
- "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+ "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
" [-P allowed_providers] [-t life]\n"
" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
" [-t life] command [arg ...]\n"
@@ -1295,6 +1318,7 @@
/* drop */
setegid(getgid());
setgid(getgid());
+ setuid(geteuid());
platform_disable_tracing(0); /* strict=no */
@@ -1306,7 +1330,7 @@
__progname = ssh_get_progname(av[0]);
seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1356,6 +1380,9 @@
usage();
}
break;
+ case 'x':
+ xcount = 0;
+ break;
default:
usage();
}
Index: ssh-gss.h
===================================================================
--- ssh-gss.h
+++ ssh-gss.h
@@ -28,10 +28,10 @@
#ifdef GSSAPI
-#ifdef HAVE_GSSAPI_H
-#include <gssapi.h>
-#elif defined(HAVE_GSSAPI_GSSAPI_H)
+#if defined(HAVE_GSSAPI_GSSAPI_H)
#include <gssapi/gssapi.h>
+#elif defined(HAVE_GSSAPI_H)
+#include <gssapi.h>
#endif
#ifdef KRB5
Index: ssh.1
===================================================================
--- ssh.1
+++ ssh.1
@@ -556,6 +556,7 @@
.It User
.It UserKnownHostsFile
.It VerifyHostKeyDNS
+.It VersionAddendum
.It VisualHostKey
.It XAuthLocation
.El
Index: ssh.c
===================================================================
--- ssh.c
+++ ssh.c
@@ -896,14 +896,14 @@
}
break;
case 'V':
- fprintf(stderr, "%s, %s\n",
- SSH_RELEASE,
-#ifdef WITH_OPENSSL
- OpenSSL_version(OPENSSL_VERSION)
-#else
- "without OpenSSL"
-#endif
- );
+ if (options.version_addendum &&
+ *options.version_addendum != '\0')
+ fprintf(stderr, "%s %s, %s\n", SSH_RELEASE,
+ options.version_addendum,
+ OPENSSL_VERSION_STRING);
+ else
+ fprintf(stderr, "%s, %s\n", SSH_RELEASE,
+ OPENSSL_VERSION_STRING);
if (opt == 'V')
exit(0);
break;
@@ -1165,13 +1165,8 @@
!use_syslog);
if (debug_flag)
- logit("%s, %s", SSH_RELEASE,
-#ifdef WITH_OPENSSL
- OpenSSL_version(OPENSSL_VERSION)
-#else
- "without OpenSSL"
-#endif
- );
+ /* version_addendum is always NULL at this point */
+ logit("%s, %s", SSH_RELEASE, OPENSSL_VERSION_STRING);
/* Parse the configuration files */
process_config_files(host_arg, pw, 0, &want_final_pass);
@@ -1387,6 +1382,23 @@
(unsigned long long)pw->pw_uid);
keyalias = options.host_key_alias ? options.host_key_alias : host_arg;
+ /* Find canonic host name. */
+ if (strchr(host, '.') == 0) {
+ struct addrinfo hints;
+ struct addrinfo *ai = NULL;
+ int errgai;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = options.address_family;
+ hints.ai_flags = AI_CANONNAME;
+ hints.ai_socktype = SOCK_STREAM;
+ errgai = getaddrinfo(host, NULL, &hints, &ai);
+ if (errgai == 0) {
+ if (ai->ai_canonname != NULL)
+ host = xstrdup(ai->ai_canonname);
+ freeaddrinfo(ai);
+ }
+ }
+
conn_hash_hex = ssh_connection_hash(thishost, host, portstr,
options.user);
Index: ssh_config
===================================================================
--- ssh_config
+++ ssh_config
@@ -25,7 +25,7 @@
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
-# CheckHostIP yes
+# CheckHostIP no
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
@@ -44,3 +44,5 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+# VerifyHostKeyDNS yes
+# VersionAddendum FreeBSD-20200214
Index: ssh_config.5
===================================================================
--- ssh_config.5
+++ ssh_config.5
@@ -420,8 +420,7 @@
.Cm no .
.It Cm CheckHostIP
If set to
-.Cm yes
-(the default),
+.Cm yes ,
.Xr ssh 1
will additionally check the host IP address in the
.Pa known_hosts
@@ -434,6 +433,8 @@
If the option is set to
.Cm no ,
the check will not be executed.
+The default is
+.Cm no .
.It Cm Ciphers
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
@@ -1772,12 +1773,23 @@
.Cm StrictHostKeyChecking
option.
The default is
-.Cm no .
+.Cm yes
+if compiled with LDNS and
+.Cm no
+otherwise.
.Pp
See also
.Sx VERIFYING HOST KEYS
in
.Xr ssh 1 .
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-20180909 .
+The value
+.Cm none
+may be used to disable this.
.It Cm VisualHostKey
If this flag is set to
.Cm yes ,
@@ -1794,7 +1806,7 @@
.Xr xauth 1
program.
The default is
-.Pa /usr/X11R6/bin/xauth .
+.Pa /usr/local/bin/xauth .
.El
.Sh PATTERNS
A
Index: sshbuf-getput-basic.c
===================================================================
--- sshbuf-getput-basic.c
+++ sshbuf-getput-basic.c
@@ -28,6 +28,7 @@
# include <stdint.h>
#endif
+#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
@@ -631,3 +632,103 @@
}
return 0;
}
+
+/*
+ * store struct pwd
+ */
+int
+sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent)
+{
+ int r;
+
+ /*
+ * We never send pointer values of struct passwd.
+ * It is safe from wild pointer even if a new pointer member is added.
+ */
+
+ if ((r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0) ||
+ (r = sshbuf_put_cstring(buf, pwent->pw_name)) != 0 ||
+ (r = sshbuf_put_cstring(buf, "*")) != 0 ||
+ (r = sshbuf_put_u32(buf, pwent->pw_uid)) != 0 ||
+ (r = sshbuf_put_u32(buf, pwent->pw_gid)) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
+ (r = sshbuf_put_time(buf, pwent->pw_change)) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ (r = sshbuf_put_cstring(buf, pwent->pw_gecos)) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ (r = sshbuf_put_cstring(buf, pwent->pw_class)) != 0 ||
+#endif
+ (r = sshbuf_put_cstring(buf, pwent->pw_dir)) != 0 ||
+ (r = sshbuf_put_cstring(buf, pwent->pw_shell)) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
+ (r = sshbuf_put_time(buf, pwent->pw_expire)) != 0 ||
+#endif
+ (r = sshbuf_put_u32(buf, pwent->pw_fields)) != 0) {
+ return r;
+ }
+ return 0;
+}
+
+/*
+ * extract struct pwd
+ */
+struct passwd *
+sshbuf_get_passwd(struct sshbuf *buf)
+{
+ struct passwd *pw;
+ u_int64_t len;
+ int r;
+
+ /* check if size of struct passwd is as same as sender's size */
+ r = sshbuf_get_u64(buf, &len);
+ if (r != 0 || len != sizeof(*pw))
+ return NULL;
+
+ pw = xcalloc(1, sizeof(*pw));
+ if (sshbuf_get_cstring(buf, &pw->pw_name, NULL) != 0 ||
+ sshbuf_get_cstring(buf, &pw->pw_passwd, NULL) != 0 ||
+ sshbuf_get_u32(buf, &pw->pw_uid) != 0 ||
+ sshbuf_get_u32(buf, &pw->pw_gid) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_CHANGE
+ sshbuf_get_time(buf, &pw->pw_change) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ sshbuf_get_cstring(buf, &pw->pw_gecos, NULL) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ sshbuf_get_cstring(buf, &pw->pw_class, NULL) != 0 ||
+#endif
+ sshbuf_get_cstring(buf, &pw->pw_dir, NULL) != 0 ||
+ sshbuf_get_cstring(buf, &pw->pw_shell, NULL) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_EXPIRE
+ sshbuf_get_time(buf, &pw->pw_expire) != 0 ||
+#endif
+ sshbuf_get_u32(buf, &pw->pw_fields) != 0) {
+ sshbuf_free_passwd(pw);
+ return NULL;
+ }
+ return pw;
+}
+
+/*
+ * free struct passwd obtained from sshbuf_get_passwd.
+ */
+void
+sshbuf_free_passwd(struct passwd *pwent)
+{
+ if (pwent == NULL)
+ return;
+ free(pwent->pw_shell);
+ free(pwent->pw_dir);
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ free(pwent->pw_class);
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ free(pwent->pw_gecos);
+#endif
+ free(pwent->pw_passwd);
+ free(pwent->pw_name);
+ free(pwent);
+}
Index: sshbuf.h
===================================================================
--- sshbuf.h
+++ sshbuf.h
@@ -176,6 +176,14 @@
int sshbuf_put_u16(struct sshbuf *buf, u_int16_t val);
int sshbuf_put_u8(struct sshbuf *buf, u_char val);
+#if defined(__FreeBSD__) && defined(__i386__)
+#define sshbuf_get_time(b, vp) sshbuf_get_u32((b), (u_int32_t *)(vp))
+#define sshbuf_put_time(b, v) sshbuf_put_u32((b), (u_int32_t)(v))
+#else
+#define sshbuf_get_time(b, vp) sshbuf_get_u64((b), (u_int64_t *)(vp))
+#define sshbuf_put_time(b, v) sshbuf_put_u64((b), (u_int64_t)(v))
+#endif
+
/* Functions to peek at the contents of a buffer without modifying it. */
int sshbuf_peek_u64(const struct sshbuf *buf, size_t offset,
u_int64_t *valp);
@@ -293,6 +301,21 @@
*/
char *sshbuf_dup_string(struct sshbuf *buf);
+/*
+ * store struct pwd
+ */
+int sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent);
+
+/*
+ * extract struct pwd
+ */
+struct passwd *sshbuf_get_passwd(struct sshbuf *buf);
+
+/*
+ * free struct passwd obtained from sshbuf_get_passwd.
+ */
+void sshbuf_free_passwd(struct passwd *pwent);
+
/*
* Fill a buffer from a file descriptor or filename. Both allocate the
* buffer for the caller.
Index: sshconnect.c
===================================================================
--- sshconnect.c
+++ sshconnect.c
@@ -1289,7 +1289,8 @@
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
+ if ((r = kex_exchange_identification(ssh, timeout_ms,
+ options.version_addendum)) != 0)
sshpkt_fatal(ssh, r, "banner exchange");
/* Put the connection into non-blocking mode. */
Index: sshd.8
===================================================================
--- sshd.8
+++ sshd.8
@@ -65,7 +65,7 @@
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/rc.d/sshd .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -329,8 +329,9 @@
If the login is on a tty, records login time.
.It
Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
(unless root).
.It
Changes to run with normal user privileges.
@@ -355,7 +356,8 @@
option is set, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
-it; otherwise runs xauth.
+it; otherwise runs
+.Xr xauth 1 .
The
.Dq rc
files are given the X11
@@ -900,6 +902,12 @@
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -1002,6 +1010,7 @@
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
Index: sshd.c
===================================================================
--- sshd.c
+++ sshd.c
@@ -46,6 +46,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/mman.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
@@ -85,6 +86,14 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
+#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H)
+#include <gssapi/gssapi.h>
+#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H)
+#include <gssapi.h>
+#endif
+#endif
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -123,6 +132,14 @@
#include "version.h"
#include "ssherr.h"
#include "sk-api.h"
+#include "blacklist_client.h"
+
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -373,7 +390,9 @@
kill(0, SIGTERM);
}
+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
/* XXX pre-format ipaddr/port so we don't need to access active_state */
+
/* Log error and exit. */
sigdie("Timeout before authentication for %s port %d",
ssh_remote_ipaddr(the_active_state),
@@ -911,14 +930,13 @@
static void
usage(void)
{
- fprintf(stderr, "%s, %s\n",
- SSH_RELEASE,
-#ifdef WITH_OPENSSL
- OpenSSL_version(OPENSSL_VERSION)
-#else
- "without OpenSSL"
-#endif
- );
+ if (options.version_addendum && *options.version_addendum != '\0')
+ fprintf(stderr, "%s %s, %s\n",
+ SSH_RELEASE,
+ options.version_addendum, OPENSSL_VERSION_STRING);
+ else
+ fprintf(stderr, "%s, %s\n",
+ SSH_RELEASE, OPENSSL_VERSION_STRING);
fprintf(stderr,
"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
" [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -2032,6 +2050,10 @@
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ /* Avoid killing the process in high-pressure swapping environments. */
+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
+ debug("madvise(): %.200s", strerror(errno));
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2142,6 +2164,29 @@
ssh_signal(SIGQUIT, SIG_DFL);
ssh_signal(SIGCHLD, SIG_DFL);
ssh_signal(SIGINT, SIG_DFL);
+#ifdef GSSAPI
+ /*
+ * Force GSS-API to parse its configuration and load any
+ * mechanism plugins.
+ */
+ {
+ gss_OID_set mechs;
+ OM_uint32 minor_status;
+ gss_indicate_mechs(&minor_status, &mechs);
+ gss_release_oid_set(&minor_status, &mechs);
+ }
+#endif
+
+#ifdef __FreeBSD__
+ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
+#endif
/*
* Register our connection. This turns encryption off because we do
@@ -2179,9 +2224,32 @@
*/
remote_ip = ssh_remote_ipaddr(ssh);
+#ifdef HAVE_LOGIN_CAP
+ /* Also caches remote hostname for sandboxed child. */
+ auth_get_canonical_hostname(ssh, options.use_dns);
+#endif
+
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
rdomain = ssh_packet_rdomain_in(ssh);
@@ -2230,6 +2298,8 @@
fatal("%s: sshbuf_new failed", __func__);
auth_debug_reset();
+ BLACKLIST_INIT();
+
if (use_privsep) {
if (privsep_preauth(ssh) == 1)
goto authenticated;
Index: sshd_config
===================================================================
--- sshd_config
+++ sshd_config
@@ -10,6 +10,9 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -29,7 +32,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
@@ -53,11 +56,11 @@
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
+# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
# Kerberos options
@@ -70,7 +73,7 @@
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
+# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
@@ -79,12 +82,12 @@
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+#UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
@@ -95,12 +98,13 @@
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
-#UseDNS no
+#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
-#VersionAddendum none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20200214
# no default banner path
#Banner none
Index: sshd_config.5
===================================================================
--- sshd_config.5
+++ sshd_config.5
@@ -785,7 +785,7 @@
The system-wide
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
are still used regardless of this setting.
.Pp
Accepted values are
@@ -1237,8 +1237,10 @@
are refused if the number of unauthenticated connections reaches full (60).
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
+See also
+.Cm UsePAM .
The default is
-.Cm yes .
+.Cm no .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1331,7 +1333,14 @@
or
.Cm no .
The default is
-.Cm prohibit-password .
+.Cm no .
+Note that if
+.Cm ChallengeResponseAuthentication
+and
+.Cm UsePAM
+are both
+.Cm yes ,
+this setting may be overridden by the PAM policy.
.Pp
If this option is set to
.Cm prohibit-password
@@ -1677,6 +1686,20 @@
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
+.It Cm UseBlacklist
+Specifies whether
+.Xr sshd 8
+attempts to send authentication success and failure messages
+to the
+.Xr blacklistd 8
+daemon.
+The default is
+.Cm no .
+For forward compatibility with an upcoming
+.Xr blacklistd
+rename, the
+.Cm UseBlocklist
+alias can be used instead.
.It Cm UseDNS
Specifies whether
.Xr sshd 8
@@ -1685,8 +1708,8 @@
very same IP address.
.Pp
If this option is set to
-.Cm no
-(the default) then only addresses and not host names may be used in
+.Cm no ,
+then only addresses and not host names may be used in
.Pa ~/.ssh/authorized_keys
.Cm from
and
@@ -1694,6 +1717,8 @@
.Cm Match
.Cm Host
directives.
+The default is
+.Dq yes .
.It Cm UsePAM
Enables the Pluggable Authentication Module interface.
If set to
@@ -1717,12 +1742,15 @@
.Xr sshd 8
as a non-root user.
The default is
-.Cm no .
+.Cm yes .
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Cm none .
+.Qq FreeBSD-20180909 .
+The value
+.Cm none
+may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
@@ -1736,7 +1764,7 @@
or
.Cm no .
The default is
-.Cm no .
+.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
@@ -1792,7 +1820,7 @@
.Cm none
to not use one.
The default is
-.Pa /usr/X11R6/bin/xauth .
+.Pa /usr/local/bin/xauth .
.El
.Sh TIME FORMATS
.Xr sshd 8
Index: umac128.c
===================================================================
--- umac128.c
+++ umac128.c
@@ -1,5 +1,12 @@
/* $OpenBSD: umac128.c,v 1.2 2018/02/08 04:12:32 dtucker Exp $ */
+/* undo ssh_namespace.h munging */
+#undef umac_new
+#undef umac_update
+#undef umac_final
+#undef umac_delete
+#undef umac_ctx
+
#define UMAC_OUTPUT_LEN 16
#define umac_new umac128_new
#define umac_update umac128_update
Index: version.h
===================================================================
--- version.h
+++ version.h
@@ -4,3 +4,11 @@
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+
+#define SSH_VERSION_FREEBSD "FreeBSD-20200214"
+
+#ifdef WITH_OPENSSL
+#define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION)
+#else
+#define OPENSSL_VERSION_STRING "without OpenSSL"
+#endif

File Metadata

Mime Type
text/plain
Expires
Wed, Mar 18, 8:03 AM (7 h, 15 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
29892592
Default Alt Text
D28624.id83838.diff (58 KB)

Event Timeline