ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
This commit is contained in:
commit
87c1498d1a
@ -121,7 +121,7 @@ sftp-common.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c
|
||||
sftp-glob.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sftp.h sftp-common.h sftp-client.h openbsd-compat/glob.h
|
||||
sftp-realpath.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sftp.h misc.h xmalloc.h
|
||||
sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
|
||||
sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshbuf.h ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h
|
||||
sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h
|
||||
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
|
||||
crypto/openssh/.github/configs
@ -38,13 +38,13 @@ case "$config" in
|
||||
CC="clang-12"
|
||||
# clang's implicit-fallthrough requires that the code be annotated with
|
||||
# __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
|
||||
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough"
|
||||
CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough -Wno-error=unused-parameter"
|
||||
CONFIGFLAGS="--with-pam --with-Werror"
|
||||
;;
|
||||
gcc-11-Werror)
|
||||
CC="gcc"
|
||||
# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
|
||||
CFLAGS="-Wall -Wextra -Wno-format-truncation -O2 -Wimplicit-fallthrough=4"
|
||||
CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
|
||||
CONFIGFLAGS="--with-pam --with-Werror"
|
||||
;;
|
||||
clang*|gcc*)
|
||||
@ -145,10 +145,23 @@ case "$config" in
|
||||
esac
|
||||
|
||||
case "${TARGET_HOST}" in
|
||||
aix*)
|
||||
# These are slow real or virtual machines so skip the slowest tests
|
||||
# (which tend to be thw ones that transfer lots of data) so that the
|
||||
# test run does not time out.
|
||||
# The agent-restrict test fails due to some quoting issue when run
|
||||
# with sh or ksh so specify bash for now.
|
||||
TEST_TARGET="t-exec TEST_SHELL=bash"
|
||||
SKIP_LTESTS="rekey sftp"
|
||||
;;
|
||||
dfly58*|dfly60*)
|
||||
# scp 3-way connection hangs on these so skip until sorted.
|
||||
SKIP_LTESTS=scp3
|
||||
;;
|
||||
fbsd6)
|
||||
# Native linker is not great with PIC so OpenSSL is built w/out.
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
|
||||
;;
|
||||
hurd)
|
||||
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
|
||||
;;
|
||||
@ -173,6 +186,10 @@ case "${TARGET_HOST}" in
|
||||
# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
|
||||
;;
|
||||
openwrt-*)
|
||||
CONFIGFLAGS="${CONFIGFLAGS} --without-openssl --without-zlib"
|
||||
TEST_TARGET="t-exec"
|
||||
;;
|
||||
sol10|sol11)
|
||||
# sol10 VM is 32bit and the unit tests are slow.
|
||||
# sol11 has 4 test configs so skip unit tests to speed up.
|
||||
crypto/openssh/.github/setup_ci.sh
@ -80,7 +80,7 @@ for TARGET in $TARGETS; do
|
||||
INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
|
||||
case ${INSTALL_LIBRESSL} in
|
||||
master) ;;
|
||||
*) INSTALL_LIBRESSL="v$(echo ${TARGET} | cut -f2 -d-)" ;;
|
||||
*) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
|
||||
esac
|
||||
PACKAGES="${PACKAGES} putty-tools"
|
||||
;;
|
||||
@ -122,11 +122,20 @@ if [ ! -z "${INSTALL_OPENSSL}" ]; then
|
||||
fi
|
||||
|
||||
if [ ! -z "${INSTALL_LIBRESSL}" ]; then
|
||||
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
|
||||
git clone https://github.com/libressl-portable/portable.git &&
|
||||
cd ${HOME}/libressl/portable &&
|
||||
git checkout ${INSTALL_LIBRESSL} &&
|
||||
sh update.sh && sh autogen.sh &&
|
||||
./configure --prefix=/opt/libressl &&
|
||||
make -j2 && sudo make install)
|
||||
if [ "${INSTALL_LIBRESSL}" = "master" ]; then
|
||||
(mkdir -p ${HOME}/libressl && cd ${HOME}/libressl &&
|
||||
git clone https://github.com/libressl-portable/portable.git &&
|
||||
cd ${HOME}/libressl/portable &&
|
||||
git checkout ${INSTALL_LIBRESSL} &&
|
||||
sh update.sh && sh autogen.sh &&
|
||||
./configure --prefix=/opt/libressl &&
|
||||
make -j2 && sudo make install)
|
||||
else
|
||||
LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
|
||||
(cd ${HOME} &&
|
||||
wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
|
||||
tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
|
||||
cd libressl-${INSTALL_LIBRESSL} &&
|
||||
./configure --prefix=/opt/libressl && make -j2 && sudo make install)
|
||||
fi
|
||||
fi
|
||||
crypto/openssh/.github/workflows/c-cpp.yml
@ -46,6 +46,7 @@ jobs:
|
||||
- { os: ubuntu-latest, configs: libressl-3.2.6 }
|
||||
- { os: ubuntu-latest, configs: libressl-3.3.4 }
|
||||
- { os: ubuntu-latest, configs: libressl-3.4.1 }
|
||||
- { os: ubuntu-latest, configs: libressl-3.5.0 }
|
||||
- { os: ubuntu-latest, configs: openssl-master }
|
||||
- { os: ubuntu-latest, configs: openssl-noec }
|
||||
- { os: ubuntu-latest, configs: openssl-1.0.1 }
|
||||
@ -54,7 +55,9 @@ jobs:
|
||||
- { os: ubuntu-latest, configs: openssl-1.1.0h }
|
||||
- { os: ubuntu-latest, configs: openssl-1.1.1 }
|
||||
- { os: ubuntu-latest, configs: openssl-1.1.1k }
|
||||
- { os: ubuntu-latest, configs: openssl-1.1.1m }
|
||||
- { os: ubuntu-latest, configs: openssl-3.0.0 }
|
||||
- { os: ubuntu-latest, configs: openssl-3.0.1 }
|
||||
- { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
|
||||
- { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
|
||||
- { os: ubuntu-18.04, configs: pam }
|
||||
|
@ -16,9 +16,11 @@ jobs:
|
||||
# default config. "os" corresponds to a label associated with the worker.
|
||||
matrix:
|
||||
os:
|
||||
- aix51
|
||||
- ARM64
|
||||
- alpine
|
||||
- bbone
|
||||
- debian-i386
|
||||
- dfly30
|
||||
- dfly48
|
||||
- dfly58
|
||||
@ -40,6 +42,8 @@ jobs:
|
||||
- obsd70
|
||||
- obsdsnap
|
||||
- openindiana
|
||||
- openwrt-mips
|
||||
- openwrt-mipsel
|
||||
# - rocky84
|
||||
- sol10
|
||||
- sol11
|
||||
@ -49,6 +53,7 @@ jobs:
|
||||
# Then we include any extra configs we want to test for specific VMs.
|
||||
include:
|
||||
- { os: ARM64, configs: pam }
|
||||
- { os: debian-i386, configs: pam }
|
||||
- { os: dfly30, configs: without-openssl}
|
||||
- { os: dfly48, configs: pam }
|
||||
- { os: dfly58, configs: pam }
|
||||
@ -87,7 +92,7 @@ jobs:
|
||||
run: vmrun make
|
||||
- name: make tests
|
||||
run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
|
||||
timeout-minutes: 300
|
||||
timeout-minutes: 600
|
||||
- name: save logs
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v2
|
||||
@ -1,5 +1,4 @@
|
||||
# uncomment if you run a non bourne compatible shell. Ie. csh
|
||||
#SHELL = @SH@
|
||||
SHELL=@SH@
|
||||
|
||||
AUTORECONF=autoreconf
|
||||
|
||||
@ -688,7 +687,7 @@ SK_DUMMY_LIBRARY=@SK_DUMMY_LIBRARY@
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -o $@
|
||||
|
||||
regress/misc/sk-dummy/sk-dummy.so: $(SK_DUMMY_OBJS)
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -fPIC -shared -o $@ $(SK_DUMMY_OBJS) \
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) $(PICFLAG) -shared -o $@ $(SK_DUMMY_OBJS) \
|
||||
-L. -Lopenbsd-compat -lopenbsd-compat $(LDFLAGS_NOPIE) $(LIBS)
|
||||
|
||||
regress-binaries: regress-prep $(LIBCOMPAT) \
|
||||
|
@ -492,7 +492,7 @@ This request asks the server to call fsync(2) on an open file handle.
|
||||
string "fsync@openssh.com"
|
||||
string handle
|
||||
|
||||
One receiving this request, a server will call fsync(handle_fd) and will
|
||||
On receiving this request, a server will call fsync(handle_fd) and will
|
||||
respond with a SSH_FXP_STATUS message.
|
||||
|
||||
This extension is advertised in the SSH_FXP_VERSION hello with version
|
||||
@ -576,6 +576,43 @@ Its reply is the same format as that of SSH2_FXP_REALPATH.
|
||||
This extension is advertised in the SSH_FXP_VERSION hello with version
|
||||
"1".
|
||||
|
||||
4.10. sftp: Extension request "copy-data"
|
||||
|
||||
This request asks the server to copy data from one open file handle and
|
||||
write it to a different open file handle. This avoids needing to transfer
|
||||
the data across the network twice (a download followed by an upload).
|
||||
|
||||
byte SSH_FXP_EXTENDED
|
||||
uint32 id
|
||||
string "copy-data"
|
||||
string read-from-handle
|
||||
uint64 read-from-offset
|
||||
uint64 read-data-length
|
||||
string write-to-handle
|
||||
uint64 write-to-offset
|
||||
|
||||
The server will copy read-data-length bytes starting from
|
||||
read-from-offset from the read-from-handle and write them to
|
||||
write-to-handle starting from write-to-offset, and then respond with a
|
||||
SSH_FXP_STATUS message.
|
||||
|
||||
It's equivalent to issuing a series of SSH_FXP_READ requests on
|
||||
read-from-handle and a series of requests of SSH_FXP_WRITE on
|
||||
write-to-handle.
|
||||
|
||||
If read-from-handle and write-to-handle are the same, the server will
|
||||
fail the request and respond with a SSH_FX_INVALID_PARAMETER message.
|
||||
|
||||
If read-data-length is 0, then the server will read data from the
|
||||
read-from-handle until EOF is reached.
|
||||
|
||||
This extension is advertised in the SSH_FXP_VERSION hello with version
|
||||
"1".
|
||||
|
||||
This request is identical to the "copy-data" request documented in:
|
||||
|
||||
https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
|
||||
|
||||
5. Miscellaneous changes
|
||||
|
||||
5.1 Public key format
|
||||
@ -612,4 +649,4 @@ master instance and later clients.
|
||||
OpenSSH extends the usual agent protocol. These changes are documented
|
||||
in the PROTOCOL.agent file.
|
||||
|
||||
$OpenBSD: PROTOCOL,v 1.43 2021/12/19 22:15:42 djm Exp $
|
||||
$OpenBSD: PROTOCOL,v 1.44 2022/03/31 03:05:49 djm Exp $
|
||||
|
@ -1,4 +1,4 @@
|
||||
See https://www.openssh.com/releasenotes.html#8.9p1 for the release notes.
|
||||
See https://www.openssh.com/releasenotes.html#9.0p1 for the release notes.
|
||||
|
||||
Please read https://www.openssh.com/report.html for bug reporting
|
||||
instructions and note that we do not use Github for bug reporting or
|
||||
|
@ -103,62 +103,18 @@ int
|
||||
allowed_user(struct ssh *ssh, struct passwd * pw)
|
||||
{
|
||||
struct stat st;
|
||||
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
||||
const char *hostname = NULL, *ipaddr = NULL;
|
||||
u_int i;
|
||||
int r;
|
||||
#ifdef USE_SHADOW
|
||||
struct spwd *spw = NULL;
|
||||
#endif
|
||||
|
||||
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
|
||||
if (!pw || !pw->pw_name)
|
||||
return 0;
|
||||
|
||||
#ifdef USE_SHADOW
|
||||
if (!options.use_pam)
|
||||
spw = getspnam(pw->pw_name);
|
||||
#ifdef HAS_SHADOW_EXPIRE
|
||||
if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
|
||||
if (!options.use_pam && platform_locked_account(pw)) {
|
||||
logit("User %.100s not allowed because account is locked",
|
||||
pw->pw_name);
|
||||
return 0;
|
||||
#endif /* HAS_SHADOW_EXPIRE */
|
||||
#endif /* USE_SHADOW */
|
||||
|
||||
/* grab passwd field for locked account check */
|
||||
passwd = pw->pw_passwd;
|
||||
#ifdef USE_SHADOW
|
||||
if (spw != NULL)
|
||||
#ifdef USE_LIBIAF
|
||||
passwd = get_iaf_password(pw);
|
||||
#else
|
||||
passwd = spw->sp_pwdp;
|
||||
#endif /* USE_LIBIAF */
|
||||
#endif
|
||||
|
||||
/* check for locked account */
|
||||
if (!options.use_pam && passwd && *passwd) {
|
||||
int locked = 0;
|
||||
|
||||
#ifdef LOCKED_PASSWD_STRING
|
||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_PREFIX
|
||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||
strlen(LOCKED_PASSWD_PREFIX)) == 0)
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_SUBSTR
|
||||
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef USE_LIBIAF
|
||||
free((void *) passwd);
|
||||
#endif /* USE_LIBIAF */
|
||||
if (locked) {
|
||||
logit("User %.100s not allowed because account is locked",
|
||||
pw->pw_name);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
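Review bot: The new `if (!options.use_pam && platform_locked_account(pw))` check in allowed_user keeps the `!options.use_pam` gate of the removed shadow/LOCKED_PASSWD_* code, so when UsePAM is enabled this function performs no locked-account test at all and rejection of locked or expired accounts presumably rests on the PAM account stage; nothing in the function says so. A one-line comment above the check would spare the next reader the archaeology, e.g. `/* With UsePAM, locked/expired accounts are rejected by PAM account management, not here */`. The per-platform lock semantics now live behind platform_locked_account(), whose implementation is not part of this diff, so the exact conditions under which an account is treated as locked can only be confirmed in the platform layer. allowed_user continues past the end of this hunk.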
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.112 2021/12/19 22:12:30 djm Exp $ */
|
||||
/* $OpenBSD: auth2-pubkey.c,v 1.113 2022/02/27 01:33:59 naddy Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -166,8 +166,8 @@ userauth_pubkey(struct ssh *ssh, const char *method)
|
||||
goto done;
|
||||
}
|
||||
if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
|
||||
logit_f("key type %s not in PubkeyAcceptedAlgorithms",
|
||||
sshkey_ssh_name(key));
|
||||
logit_f("signature algorithm %s not in "
|
||||
"PubkeyAcceptedAlgorithms", pkalg);
|
||||
goto done;
|
||||
}
|
||||
if ((r = sshkey_check_cert_sigtype(key,
|
||||
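Review bot: The rejection message changes from `key type %s not in PubkeyAcceptedAlgorithms` to `signature algorithm %s not in PubkeyAcceptedAlgorithms`, so any log parser or auth-failure alert keyed on the old wording stops matching after this update; that deserves a line in the MFC or release notes. The new wording is the accurate one, since `pkalg` is the value match_pattern_list() actually tested against options.pubkey_accepted_algos, whereas sshkey_ssh_name(key) presumably names the key type, which for RSA keys can differ from the requested signature algorithm. userauth_pubkey continues outside this hunk.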
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.c,v 1.413 2022/02/17 10:58:27 djm Exp $ */
|
||||
/* $OpenBSD: channels.c,v 1.415 2022/03/30 21:10:25 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -432,21 +432,25 @@ channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
|
||||
c->io_want &= ~SSH_CHAN_IO_RFD;
|
||||
c->io_ready &= ~SSH_CHAN_IO_RFD;
|
||||
c->rfd = -1;
|
||||
c->pfds[0] = -1;
|
||||
}
|
||||
if (*fdp == c->wfd) {
|
||||
c->io_want &= ~SSH_CHAN_IO_WFD;
|
||||
c->io_ready &= ~SSH_CHAN_IO_WFD;
|
||||
c->wfd = -1;
|
||||
c->pfds[1] = -1;
|
||||
}
|
||||
if (*fdp == c->efd) {
|
||||
c->io_want &= ~SSH_CHAN_IO_EFD;
|
||||
c->io_ready &= ~SSH_CHAN_IO_EFD;
|
||||
c->efd = -1;
|
||||
c->pfds[2] = -1;
|
||||
}
|
||||
if (*fdp == c->sock) {
|
||||
c->io_want &= ~SSH_CHAN_IO_SOCK;
|
||||
c->io_ready &= ~SSH_CHAN_IO_SOCK;
|
||||
c->sock = -1;
|
||||
c->pfds[3] = -1;
|
||||
}
|
||||
|
||||
ret = close(fd);
|
||||
@ -2475,10 +2479,13 @@ dump_channel_poll(const char *func, const char *what, Channel *c,
|
||||
u_int pollfd_offset, struct pollfd *pfd)
|
||||
{
|
||||
#ifdef DEBUG_CHANNEL_POLL
|
||||
debug3_f("channel %d: rfd r%d w%d e%d s%d "
|
||||
"pfd[%u].fd=%d want 0x%02x ev 0x%02x ready 0x%02x rev 0x%02x",
|
||||
c->self, c->rfd, c->wfd, c->efd, c->sock, pollfd_offset, pfd->fd,
|
||||
c->io_want, pfd->events, c->io_ready, pfd->revents);
|
||||
debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "
|
||||
"io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "
|
||||
"pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,
|
||||
c->rfd, c->wfd, c->efd, c->sock,
|
||||
c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],
|
||||
c->io_want, c->io_ready,
|
||||
pollfd_offset, pfd->fd, pfd->events, pfd->revents);
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -2487,7 +2494,7 @@ static void
|
||||
channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
|
||||
struct pollfd *pfd, u_int npfd)
|
||||
{
|
||||
u_int p = *next_pollfd;
|
||||
u_int ev, p = *next_pollfd;
|
||||
|
||||
if (c == NULL)
|
||||
return;
|
||||
@ -2496,7 +2503,7 @@ channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
|
||||
fatal_f("channel %d: bad pfd offset %u (max %u)",
|
||||
c->self, p, npfd);
|
||||
}
|
||||
c->pollfd_offset = -1;
|
||||
c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1;
|
||||
/*
|
||||
* prepare c->rfd
|
||||
*
|
||||
@ -2505,69 +2512,82 @@ channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
|
||||
* IO too.
|
||||
*/
|
||||
if (c->rfd != -1) {
|
||||
if (c->pollfd_offset == -1)
|
||||
c->pollfd_offset = p;
|
||||
pfd[p].fd = c->rfd;
|
||||
pfd[p].events = 0;
|
||||
ev = 0;
|
||||
if ((c->io_want & SSH_CHAN_IO_RFD) != 0)
|
||||
pfd[p].events |= POLLIN;
|
||||
ev |= POLLIN;
|
||||
/* rfd == wfd */
|
||||
if (c->wfd == c->rfd &&
|
||||
(c->io_want & SSH_CHAN_IO_WFD) != 0)
|
||||
pfd[p].events |= POLLOUT;
|
||||
if (c->wfd == c->rfd) {
|
||||
if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
|
||||
ev |= POLLOUT;
|
||||
}
|
||||
/* rfd == efd */
|
||||
if (c->efd == c->rfd &&
|
||||
(c->io_want & SSH_CHAN_IO_EFD_R) != 0)
|
||||
pfd[p].events |= POLLIN;
|
||||
if (c->efd == c->rfd &&
|
||||
(c->io_want & SSH_CHAN_IO_EFD_W) != 0)
|
||||
pfd[p].events |= POLLOUT;
|
||||
if (c->efd == c->rfd) {
|
||||
if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
|
||||
ev |= POLLIN;
|
||||
if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
|
||||
ev |= POLLOUT;
|
||||
}
|
||||
/* rfd == sock */
|
||||
if (c->sock == c->rfd &&
|
||||
(c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
|
||||
pfd[p].events |= POLLIN;
|
||||
if (c->sock == c->rfd &&
|
||||
(c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
|
||||
pfd[p].events |= POLLOUT;
|
||||
dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
|
||||
p++;
|
||||
if (c->sock == c->rfd) {
|
||||
if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
|
||||
ev |= POLLIN;
|
||||
if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
|
||||
ev |= POLLOUT;
|
||||
}
|
||||
/* Pack a pfd entry if any event armed for this fd */
|
||||
if (ev != 0) {
|
||||
c->pfds[0] = p;
|
||||
pfd[p].fd = c->rfd;
|
||||
pfd[p].events = ev;
|
||||
dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
|
||||
p++;
|
||||
}
|
||||
}
|
||||
/* prepare c->wfd (if not already handled above) */
|
||||
/* prepare c->wfd if wanting IO and not already handled above */
|
||||
if (c->wfd != -1 && c->rfd != c->wfd) {
|
||||
if (c->pollfd_offset == -1)
|
||||
c->pollfd_offset = p;
|
||||
pfd[p].fd = c->wfd;
|
||||
pfd[p].events = 0;
|
||||
if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
|
||||
pfd[p].events = POLLOUT;
|
||||
dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
|
||||
p++;
|
||||
ev = 0;
|
||||
if ((c->io_want & SSH_CHAN_IO_WFD))
|
||||
ev |= POLLOUT;
|
||||
/* Pack a pfd entry if any event armed for this fd */
|
||||
if (ev != 0) {
|
||||
c->pfds[1] = p;
|
||||
pfd[p].fd = c->wfd;
|
||||
pfd[p].events = ev;
|
||||
dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
|
||||
p++;
|
||||
}
|
||||
}
|
||||
/* prepare c->efd (if not already handled above) */
|
||||
/* prepare c->efd if wanting IO and not already handled above */
|
||||
if (c->efd != -1 && c->rfd != c->efd) {
|
||||
if (c->pollfd_offset == -1)
|
||||
c->pollfd_offset = p;
|
||||
pfd[p].fd = c->efd;
|
||||
pfd[p].events = 0;
|
||||
ev = 0;
|
||||
if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
|
||||
pfd[p].events |= POLLIN;
|
||||
ev |= POLLIN;
|
||||
if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
|
||||
pfd[p].events |= POLLOUT;
|
||||
dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
|
||||
p++;
|
||||
ev |= POLLOUT;
|
||||
/* Pack a pfd entry if any event armed for this fd */
|
||||
if (ev != 0) {
|
||||
c->pfds[2] = p;
|
||||
pfd[p].fd = c->efd;
|
||||
pfd[p].events = ev;
|
||||
dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
|
||||
p++;
|
||||
}
|
||||
}
|
||||
/* prepare c->sock (if not already handled above) */
|
||||
/* prepare c->sock if wanting IO and not already handled above */
|
||||
if (c->sock != -1 && c->rfd != c->sock) {
|
||||
if (c->pollfd_offset == -1)
|
||||
c->pollfd_offset = p;
|
||||
pfd[p].fd = c->sock;
|
||||
pfd[p].events = 0;
|
||||
ev = 0;
|
||||
if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
|
||||
pfd[p].events |= POLLIN;
|
||||
ev |= POLLIN;
|
||||
if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
|
||||
pfd[p].events |= POLLOUT;
|
||||
dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
|
||||
p++;
|
||||
ev |= POLLOUT;
|
||||
/* Pack a pfd entry if any event armed for this fd */
|
||||
if (ev != 0) {
|
||||
c->pfds[3] = p;
|
||||
pfd[p].fd = c->sock;
|
||||
pfd[p].events = 0;
|
||||
dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
|
||||
p++;
|
||||
}
|
||||
}
|
||||
*next_pollfd = p;
|
||||
}
|
||||
@ -2614,13 +2634,15 @@ channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp,
|
||||
}
|
||||
|
||||
static void
|
||||
fd_ready(Channel *c, u_int p, struct pollfd *pfds, int fd,
|
||||
fd_ready(Channel *c, int p, struct pollfd *pfds, u_int npfd, int fd,
|
||||
const char *what, u_int revents_mask, u_int ready)
|
||||
{
|
||||
struct pollfd *pfd = &pfds[p];
|
||||
|
||||
if (fd == -1)
|
||||
return;
|
||||
if (p == -1 || (u_int)p >= npfd)
|
||||
fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd);
|
||||
dump_channel_poll(__func__, what, c, p, pfd);
|
||||
if (pfd->fd != fd) {
|
||||
fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "
|
||||
@ -2643,11 +2665,12 @@ void
|
||||
channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
|
||||
{
|
||||
struct ssh_channels *sc = ssh->chanctxt;
|
||||
u_int i, p;
|
||||
u_int i;
|
||||
int p;
|
||||
Channel *c;
|
||||
|
||||
#ifdef DEBUG_CHANNEL_POLL
|
||||
for (p = 0; p < npfd; p++) {
|
||||
for (p = 0; p < (int)npfd; p++) {
|
||||
if (pfd[p].revents == 0)
|
||||
continue;
|
||||
debug_f("pfd[%u].fd %d rev 0x%04x",
|
||||
@ -2658,13 +2681,8 @@ channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
|
||||
/* Convert pollfd into c->io_ready */
|
||||
for (i = 0; i < sc->channels_alloc; i++) {
|
||||
c = sc->channels[i];
|
||||
if (c == NULL || c->pollfd_offset < 0)
|
||||
if (c == NULL)
|
||||
continue;
|
||||
if ((u_int)c->pollfd_offset >= npfd) {
|
||||
/* shouldn't happen */
|
||||
fatal_f("channel %d: (before) bad pfd %u (max %u)",
|
||||
c->self, c->pollfd_offset, npfd);
|
||||
}
|
||||
/* if rfd is shared with efd/sock then wfd should be too */
|
||||
if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd &&
|
||||
(c->rfd == c->efd || c->rfd == c->sock)) {
|
||||
@ -2673,56 +2691,52 @@ channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
|
||||
c->self, c->rfd, c->wfd, c->efd, c->sock);
|
||||
}
|
||||
c->io_ready = 0;
|
||||
p = c->pollfd_offset;
|
||||
/* rfd, potentially shared with wfd, efd and sock */
|
||||
if (c->rfd != -1) {
|
||||
fd_ready(c, p, pfd, c->rfd, "rfd", POLLIN,
|
||||
SSH_CHAN_IO_RFD);
|
||||
if (c->rfd != -1 && (p = c->pfds[0]) != -1) {
|
||||
fd_ready(c, p, pfd, npfd, c->rfd,
|
||||
"rfd", POLLIN, SSH_CHAN_IO_RFD);
|
||||
if (c->rfd == c->wfd) {
|
||||
fd_ready(c, p, pfd, c->wfd, "wfd/r", POLLOUT,
|
||||
SSH_CHAN_IO_WFD);
|
||||
fd_ready(c, p, pfd, npfd, c->wfd,
|
||||
"wfd/r", POLLOUT, SSH_CHAN_IO_WFD);
|
||||
}
|
||||
if (c->rfd == c->efd) {
|
||||
fd_ready(c, p, pfd, c->efd, "efdr/r", POLLIN,
|
||||
SSH_CHAN_IO_EFD_R);
|
||||
fd_ready(c, p, pfd, c->efd, "efdw/r", POLLOUT,
|
||||
SSH_CHAN_IO_EFD_W);
|
||||
fd_ready(c, p, pfd, npfd, c->efd,
|
||||
"efdr/r", POLLIN, SSH_CHAN_IO_EFD_R);
|
||||
fd_ready(c, p, pfd, npfd, c->efd,
|
||||
"efdw/r", POLLOUT, SSH_CHAN_IO_EFD_W);
|
||||
}
|
||||
if (c->rfd == c->sock) {
|
||||
fd_ready(c, p, pfd, c->sock, "sockr/r", POLLIN,
|
||||
SSH_CHAN_IO_SOCK_R);
|
||||
fd_ready(c, p, pfd, c->sock, "sockw/r", POLLOUT,
|
||||
SSH_CHAN_IO_SOCK_W);
|
||||
fd_ready(c, p, pfd, npfd, c->sock,
|
||||
"sockr/r", POLLIN, SSH_CHAN_IO_SOCK_R);
|
||||
fd_ready(c, p, pfd, npfd, c->sock,
|
||||
"sockw/r", POLLOUT, SSH_CHAN_IO_SOCK_W);
|
||||
}
|
||||
p++;
|
||||
dump_channel_poll(__func__, "rfd", c, p, pfd);
|
||||
}
|
||||
/* wfd */
|
||||
if (c->wfd != -1 && c->wfd != c->rfd) {
|
||||
fd_ready(c, p, pfd, c->wfd, "wfd", POLLOUT,
|
||||
SSH_CHAN_IO_WFD);
|
||||
p++;
|
||||
if (c->wfd != -1 && c->wfd != c->rfd &&
|
||||
(p = c->pfds[1]) != -1) {
|
||||
fd_ready(c, p, pfd, npfd, c->wfd,
|
||||
"wfd", POLLOUT, SSH_CHAN_IO_WFD);
|
||||
dump_channel_poll(__func__, "wfd", c, p, pfd);
|
||||
}
|
||||
/* efd */
|
||||
if (c->efd != -1 && c->efd != c->rfd) {
|
||||
fd_ready(c, p, pfd, c->efd, "efdr", POLLIN,
|
||||
SSH_CHAN_IO_EFD_R);
|
||||
fd_ready(c, p, pfd, c->efd, "efdw", POLLOUT,
|
||||
SSH_CHAN_IO_EFD_W);
|
||||
p++;
|
||||
if (c->efd != -1 && c->efd != c->rfd &&
|
||||
(p = c->pfds[2]) != -1) {
|
||||
fd_ready(c, p, pfd, npfd, c->efd,
|
||||
"efdr", POLLIN, SSH_CHAN_IO_EFD_R);
|
||||
fd_ready(c, p, pfd, npfd, c->efd,
|
||||
"efdw", POLLOUT, SSH_CHAN_IO_EFD_W);
|
||||
dump_channel_poll(__func__, "efd", c, p, pfd);
|
||||
}
|
||||
/* sock */
|
||||
if (c->sock != -1 && c->sock != c->rfd) {
|
||||
fd_ready(c, p, pfd, c->sock, "sockr", POLLIN,
|
||||
SSH_CHAN_IO_SOCK_R);
|
||||
fd_ready(c, p, pfd, c->sock, "sockw", POLLOUT,
|
||||
SSH_CHAN_IO_SOCK_W);
|
||||
p++;
|
||||
}
|
||||
|
||||
if (p > npfd) {
|
||||
/* shouldn't happen */
|
||||
fatal_f("channel %d: (after) bad pfd %u (max %u)",
|
||||
c->self, c->pollfd_offset, npfd);
|
||||
if (c->sock != -1 && c->sock != c->rfd &&
|
||||
(p = c->pfds[3]) != -1) {
|
||||
fd_ready(c, p, pfd, npfd, c->sock,
|
||||
"sockr", POLLIN, SSH_CHAN_IO_SOCK_R);
|
||||
fd_ready(c, p, pfd, npfd, c->sock,
|
||||
"sockw", POLLOUT, SSH_CHAN_IO_SOCK_W);
|
||||
dump_channel_poll(__func__, "sock", c, p, pfd);
|
||||
}
|
||||
}
|
||||
channel_handler(ssh, CHAN_POST, NULL);
|
||||
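Review bot: In channel_prepare_pollfd's sock branch the packed entry is written with `pfd[p].events = 0;` even though `ev` was just computed and is non-zero inside the enclosing `if (ev != 0)`; the rfd, wfd and efd branches all store `pfd[p].events = ev;`, so this line should read `pfd[p].events = ev;` too, otherwise poll() is never asked for POLLIN/POLLOUT on a socket that is not shared with rfd and channel_after_poll should see no readiness for it. In fd_ready, `struct pollfd *pfd = &pfds[p];` is evaluated before the new `if (p == -1 || (u_int)p >= npfd)` check; the pointer is not dereferenced until after the check fatals, but forming `&pfds[-1]` is already out-of-bounds pointer arithmetic, so the initialisation belongs below the check. Minor style: the wfd branch tests `if ((c->io_want & SSH_CHAN_IO_WFD))` while every sibling test spells out `!= 0`.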
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: channels.h,v 1.141 2022/01/22 00:49:34 djm Exp $ */
|
||||
/* $OpenBSD: channels.h,v 1.142 2022/03/30 21:10:25 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -138,7 +138,7 @@ struct Channel {
|
||||
int sock; /* sock fd */
|
||||
u_int io_want; /* bitmask of SSH_CHAN_IO_* */
|
||||
u_int io_ready; /* bitmask of SSH_CHAN_IO_* */
|
||||
int pollfd_offset; /* base offset into pollfd array (or -1) */
|
||||
int pfds[4]; /* pollfd entries for rfd/wfd/efd/sock */
|
||||
int ctl_chan; /* control channel (multiplexed connections) */
|
||||
int isatty; /* rfd is a tty */
|
||||
#ifdef _AIX
|
||||
|
@ -334,6 +334,10 @@
|
||||
*/
|
||||
#define HAVE_DECL_BZERO 1
|
||||
|
||||
/* Define to 1 if you have the declaration of `ftruncate', and to 0 if you
|
||||
don't. */
|
||||
#define HAVE_DECL_FTRUNCATE 1
|
||||
|
||||
/* Define to 1 if you have the declaration of `getpeereid', and to 0 if you
|
||||
don't. */
|
||||
#define HAVE_DECL_GETPEEREID 1
|
||||
@ -847,6 +851,9 @@
|
||||
/* Define if you have isblank(3C). */
|
||||
#define HAVE_ISBLANK 1
|
||||
|
||||
/* Define to 1 if you have the `killpg' function. */
|
||||
#define HAVE_KILLPG 1
|
||||
|
||||
/* Define to 1 if you have the `krb5_cc_new_unique' function. */
|
||||
/* #undef HAVE_KRB5_CC_NEW_UNIQUE */
|
||||
|
||||
|
@ -48,6 +48,8 @@ AC_PATH_PROG([SED], [sed])
|
||||
AC_PATH_PROG([TEST_MINUS_S_SH], [bash])
|
||||
AC_PATH_PROG([TEST_MINUS_S_SH], [ksh])
|
||||
AC_PATH_PROG([TEST_MINUS_S_SH], [sh])
|
||||
AC_PATH_PROG([SH], [bash])
|
||||
AC_PATH_PROG([SH], [ksh])
|
||||
AC_PATH_PROG([SH], [sh])
|
||||
AC_PATH_PROG([GROFF], [groff])
|
||||
AC_PATH_PROG([NROFF], [nroff awf])
|
||||
@ -1933,6 +1935,7 @@ AC_CHECK_FUNCS([ \
|
||||
inet_ntoa \
|
||||
inet_ntop \
|
||||
innetgr \
|
||||
killpg \
|
||||
llabs \
|
||||
localtime_r \
|
||||
login_getcapbool \
|
||||
@ -2149,6 +2152,12 @@ AC_CHECK_DECLS([O_NONBLOCK], , ,
|
||||
#endif
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS([ftruncate], , ,
|
||||
[
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
])
|
||||
|
||||
AC_CHECK_DECLS([readv, writev], , , [
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
@ -3631,8 +3640,8 @@ AC_RUN_IFELSE(
|
||||
select_works_with_rlimit=yes],
|
||||
[AC_MSG_RESULT([no])
|
||||
select_works_with_rlimit=no],
|
||||
[AC_MSG_WARN([cross compiling: assuming yes])
|
||||
select_works_with_rlimit=yes]
|
||||
[AC_MSG_WARN([cross compiling: assuming no])
|
||||
select_works_with_rlimit=no]
|
||||
)
|
||||
|
||||
AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[
|
||||
|
@ -1,4 +1,4 @@
|
||||
%global ver 8.9p1
|
||||
%global ver 9.0p1
|
||||
%global rel 1%{?dist}
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
|
@ -13,7 +13,7 @@
|
||||
|
||||
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
|
||||
Name: openssh
|
||||
Version: 8.9p1
|
||||
Version: 9.0p1
|
||||
URL: https://www.openssh.com/
|
||||
Release: 1
|
||||
Source0: openssh-%{version}.tar.gz
|
||||
|
@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
|
||||
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
/* Trivial function to help test for -fzero-call-used-regs */
|
||||
void f(int n) {}
|
||||
int main(int argc, char **argv) {
|
||||
(void)argv;
|
||||
/* Some math to catch -ftrapv problems in the toolchain */
|
||||
@ -21,6 +23,7 @@ int main(int argc, char **argv) {
|
||||
float l = i * 2.1;
|
||||
double m = l / 0.5;
|
||||
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
|
||||
f(0);
|
||||
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
|
||||
/*
|
||||
* Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: misc.c,v 1.174 2022/02/11 00:43:56 dtucker Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.175 2022/03/20 08:51:21 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
|
||||
@ -1069,16 +1069,21 @@ addargs(arglist *args, char *fmt, ...)
|
||||
r = vasprintf(&cp, fmt, ap);
|
||||
va_end(ap);
|
||||
if (r == -1)
|
||||
fatal("addargs: argument too long");
|
||||
fatal_f("argument too long");
|
||||
|
||||
nalloc = args->nalloc;
|
||||
if (args->list == NULL) {
|
||||
nalloc = 32;
|
||||
args->num = 0;
|
||||
} else if (args->num+2 >= nalloc)
|
||||
} else if (args->num > (256 * 1024))
|
||||
fatal_f("too many arguments");
|
||||
else if (args->num >= args->nalloc)
|
||||
fatal_f("arglist corrupt");
|
||||
else if (args->num+2 >= nalloc)
|
||||
nalloc *= 2;
|
||||
|
||||
args->list = xrecallocarray(args->list, args->nalloc, nalloc, sizeof(char *));
|
||||
args->list = xrecallocarray(args->list, args->nalloc,
|
||||
nalloc, sizeof(char *));
|
||||
args->nalloc = nalloc;
|
||||
args->list[args->num++] = cp;
|
||||
args->list[args->num] = NULL;
|
||||
@ -1095,10 +1100,12 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
|
||||
r = vasprintf(&cp, fmt, ap);
|
||||
va_end(ap);
|
||||
if (r == -1)
|
||||
fatal("replacearg: argument too long");
|
||||
fatal_f("argument too long");
|
||||
if (args->list == NULL || args->num >= args->nalloc)
|
||||
fatal_f("arglist corrupt");
|
||||
|
||||
if (which >= args->num)
|
||||
fatal("replacearg: tried to replace invalid arg %d >= %d",
|
||||
fatal_f("tried to replace invalid arg %d >= %d",
|
||||
which, args->num);
|
||||
free(args->list[which]);
|
||||
args->list[which] = cp;
|
||||
@ -1109,13 +1116,15 @@ freeargs(arglist *args)
|
||||
{
|
||||
u_int i;
|
||||
|
||||
if (args->list != NULL) {
|
||||
if (args == NULL)
|
||||
return;
|
||||
if (args->list != NULL && args->num < args->nalloc) {
|
||||
for (i = 0; i < args->num; i++)
|
||||
free(args->list[i]);
|
||||
free(args->list);
|
||||
args->nalloc = args->num = 0;
|
||||
args->list = NULL;
|
||||
}
|
||||
args->nalloc = args->num = 0;
|
||||
args->list = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
|
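Review bot: freeargs() now silently abandons a list whose `num < nalloc` sanity check fails, while addargs() and replacearg() treat the same condition as `fatal_f("arglist corrupt")`; the pointer is then nulled on the lines that follow, so the allocation is dropped without any diagnostic. If aborting during cleanup is too harsh, at least log it, e.g. `else if (args->list != NULL) debug_f("arglist corrupt, not freeing");` before the reset. The `256 * 1024` cap in addargs() would also read better as a named constant with a comment on why that bound was chosen.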
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: monitor.c,v 1.231 2022/01/28 06:18:42 guenther Exp $ */
|
||||
/* $OpenBSD: monitor.c,v 1.232 2022/02/25 02:09:27 djm Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||
@ -709,7 +709,6 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
int
|
||||
mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
{
|
||||
char *username;
|
||||
struct passwd *pwent;
|
||||
int r, allowed = 0;
|
||||
u_int i;
|
||||
@ -719,14 +718,12 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
if (authctxt->attempt++ != 0)
|
||||
fatal_f("multiple attempts for getpwnam");
|
||||
|
||||
if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0)
|
||||
if ((r = sshbuf_get_cstring(m, &authctxt->user, NULL)) != 0)
|
||||
fatal_fr(r, "parse");
|
||||
|
||||
pwent = getpwnamallow(ssh, username);
|
||||
pwent = getpwnamallow(ssh, authctxt->user);
|
||||
|
||||
authctxt->user = xstrdup(username);
|
||||
setproctitle("%s [priv]", pwent ? username : "unknown");
|
||||
free(username);
|
||||
setproctitle("%s [priv]", pwent ? authctxt->user : "unknown");
|
||||
|
||||
sshbuf_reset(m);
|
||||
|
||||
|
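Review bot: The direct parse into `authctxt->user` replaces the local copy, so the field is now written before getpwnamallow() has validated the name and is never freed here; that is only safe because the `attempt++ != 0` fatal above guarantees this handler runs once. A one-line comment at the parse would save the next reader from chasing that, e.g. `/* authctxt->user is assigned exactly once here; a repeat request is fatal above */`. The rest of mm_answer_pwnamallow() continues outside the hunk.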
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: myproposal.h,v 1.70 2021/11/10 06:29:25 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.71 2022/03/30 21:13:23 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
@ -25,12 +25,12 @@
|
||||
*/
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
"sntrup761x25519-sha512@openssh.com," \
|
||||
"curve25519-sha256," \
|
||||
"curve25519-sha256@libssh.org," \
|
||||
"ecdh-sha2-nistp256," \
|
||||
"ecdh-sha2-nistp384," \
|
||||
"ecdh-sha2-nistp521," \
|
||||
"sntrup761x25519-sha512@openssh.com," \
|
||||
"diffie-hellman-group-exchange-sha256," \
|
||||
"diffie-hellman-group16-sha512," \
|
||||
"diffie-hellman-group18-sha512," \
|
||||
|
@ -79,7 +79,7 @@ _rs_init(u_char *buf, size_t n)
|
||||
{
|
||||
if (n < KEYSZ + IVSZ)
|
||||
return;
|
||||
chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
|
||||
chacha_keysetup(&rs, buf, KEYSZ * 8);
|
||||
chacha_ivsetup(&rs, buf + KEYSZ);
|
||||
}
|
||||
|
||||
|
@ -107,7 +107,7 @@ const char *strerror(int e)
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_UTIMES
|
||||
int utimes(char *filename, struct timeval *tvp)
|
||||
int utimes(const char *filename, struct timeval *tvp)
|
||||
{
|
||||
struct utimbuf ub;
|
||||
|
||||
@ -412,6 +412,14 @@ getsid(pid_t pid)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_KILLPG
|
||||
int
|
||||
killpg(pid_t pgrp, int sig)
|
||||
{
|
||||
return kill(pgrp, sig);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef FFLUSH_NULL_BUG
|
||||
#undef fflush
|
||||
int _ssh_compat_fflush(FILE *f)
|
||||
|
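Review bot: The `killpg` fallback sends the signal with `kill(pgrp, sig)`, which targets only the single process whose pid equals `pgrp`, not the process group; POSIX defines killpg(pgrp, sig) as kill(-pgrp, sig). The shim also has no guard for `pgrp <= 1`, where the negated pid would mean the caller's own group or every process, so the replacement should be `if (pgrp <= 1) { errno = EINVAL; return -1; }` followed by `return kill(-pgrp, sig);` (with <errno.h> included). If a caller really intends a single pid, a comment saying so belongs here, since the name promises group semantics.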
@ -62,7 +62,7 @@ struct timeval {
|
||||
}
|
||||
#endif /* HAVE_STRUCT_TIMEVAL */
|
||||
|
||||
int utimes(char *, struct timeval *);
|
||||
int utimes(const char *, struct timeval *);
|
||||
#endif /* HAVE_UTIMES */
|
||||
|
||||
#ifndef AT_FDCWD
|
||||
|
@ -91,11 +91,11 @@ ppoll(struct pollfd *fds, nfds_t nfds, const struct timespec *tmoutp,
|
||||
fds[i].revents = 0;
|
||||
if (fd == -1)
|
||||
continue;
|
||||
if (FD_ISSET(fd, readfds))
|
||||
if ((fds[i].events & POLLIN) && FD_ISSET(fd, readfds))
|
||||
fds[i].revents |= POLLIN;
|
||||
if (FD_ISSET(fd, writefds))
|
||||
if ((fds[i].events & POLLOUT) && FD_ISSET(fd, writefds))
|
||||
fds[i].revents |= POLLOUT;
|
||||
if (FD_ISSET(fd, exceptfds))
|
||||
if ((fds[i].events & POLLPRI) && FD_ISSET(fd, exceptfds))
|
||||
fds[i].revents |= POLLPRI;
|
||||
}
|
||||
|
||||
|
@ -1,10 +1,12 @@
|
||||
/* OPENBSD ORIGINAL: lib/libc/crypt/chacha_private.h */
|
||||
|
||||
/*
|
||||
chacha-merged.c version 20080118
|
||||
D. J. Bernstein
|
||||
Public domain.
|
||||
*/
|
||||
|
||||
/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
|
||||
/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
|
||||
|
||||
typedef unsigned char u8;
|
||||
typedef unsigned int u32;
|
||||
@ -52,7 +54,7 @@ static const char sigma[16] = "expand 32-byte k";
|
||||
static const char tau[16] = "expand 16-byte k";
|
||||
|
||||
static void
|
||||
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
|
||||
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
|
||||
{
|
||||
const char *constants;
|
||||
|
||||
|
@ -89,7 +89,7 @@ struct __res_state _res;
|
||||
|
||||
#ifndef GETSHORT
|
||||
#define GETSHORT(s, cp) { \
|
||||
register u_char *t_cp = (u_char *)(cp); \
|
||||
u_char *t_cp = (u_char *)(cp); \
|
||||
(s) = ((u_int16_t)t_cp[0] << 8) \
|
||||
| ((u_int16_t)t_cp[1]) \
|
||||
; \
|
||||
@ -99,7 +99,7 @@ struct __res_state _res;
|
||||
|
||||
#ifndef GETLONG
|
||||
#define GETLONG(l, cp) { \
|
||||
register u_char *t_cp = (u_char *)(cp); \
|
||||
u_char *t_cp = (u_char *)(cp); \
|
||||
(l) = ((u_int32_t)t_cp[0] << 24) \
|
||||
| ((u_int32_t)t_cp[1] << 16) \
|
||||
| ((u_int32_t)t_cp[2] << 8) \
|
||||
@ -109,36 +109,35 @@ struct __res_state _res;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* If the system doesn't have _getshort/_getlong or that are not exactly what
|
||||
* we need then use local replacements, avoiding name collisions.
|
||||
*/
|
||||
#if !defined(HAVE__GETSHORT) || !defined(HAVE__GETLONG) || \
|
||||
!defined(HAVE_DECL__GETSHORT) || HAVE_DECL__GETSHORT == 0 || \
|
||||
!defined(HAVE_DECL__GETLONG) || HAVE_DECL__GETLONG == 0
|
||||
#define _getshort(x) (_ssh_compat_getshort(x))
|
||||
#define _getlong(x) (_ssh_compat_getlong(x))
|
||||
/*
|
||||
* Routines to insert/extract short/long's.
|
||||
*/
|
||||
|
||||
#ifndef HAVE__GETSHORT
|
||||
static u_int16_t
|
||||
_getshort(msgp)
|
||||
register const u_char *msgp;
|
||||
_getshort(const u_char *msgp)
|
||||
{
|
||||
register u_int16_t u;
|
||||
u_int16_t u;
|
||||
|
||||
GETSHORT(u, msgp);
|
||||
return (u);
|
||||
}
|
||||
#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
|
||||
u_int16_t _getshort(register const u_char *);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE__GETLONG
|
||||
static u_int32_t
|
||||
_getlong(msgp)
|
||||
register const u_char *msgp;
|
||||
_getlong(const u_char *msgp)
|
||||
{
|
||||
register u_int32_t u;
|
||||
u_int32_t u;
|
||||
|
||||
GETLONG(u, msgp);
|
||||
return (u);
|
||||
}
|
||||
#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
|
||||
u_int32_t _getlong(register const u_char *);
|
||||
#endif
|
||||
|
||||
/* ************** */
|
||||
|
@ -65,6 +65,10 @@ int bindresvport_sa(int sd, struct sockaddr *sa);
|
||||
void closefrom(int);
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_DECL_FTRUNCATE) && HAVE_DECL_FTRUNCATE == 0
|
||||
int ftruncate(int filedes, off_t length);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_GETLINE
|
||||
#include <stdio.h>
|
||||
ssize_t getline(char **, size_t *, FILE *);
|
||||
@ -78,6 +82,10 @@ int getpagesize(void);
|
||||
char *getcwd(char *pt, size_t size);
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_KILLPG
|
||||
int killpg(pid_t, int);
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_DECL_MEMMEM) && HAVE_DECL_MEMMEM == 0
|
||||
void *memmem(const void *, size_t, const void *, size_t);
|
||||
#endif
|
||||
|
@ -18,6 +18,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "log.h"
|
||||
@ -197,3 +198,53 @@ platform_krb5_get_principal_name(const char *pw_name)
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* returns 1 if account is locked */
|
||||
int
|
||||
platform_locked_account(struct passwd *pw)
|
||||
{
|
||||
int locked = 0;
|
||||
char *passwd = pw->pw_passwd;
|
||||
#ifdef USE_SHADOW
|
||||
struct spwd *spw = NULL;
|
||||
#ifdef USE_LIBIAF
|
||||
char *iaf_passwd = NULL;
|
||||
#endif
|
||||
|
||||
spw = getspnam(pw->pw_name);
|
||||
#ifdef HAS_SHADOW_EXPIRE
|
||||
if (spw != NULL && auth_shadow_acctexpired(spw))
|
||||
return 1;
|
||||
#endif /* HAS_SHADOW_EXPIRE */
|
||||
|
||||
if (spw != NULL)
|
||||
#ifdef USE_LIBIAF
|
||||
iaf_passwd = passwd = get_iaf_password(pw);
|
||||
#else
|
||||
passwd = spw->sp_pwdp;
|
||||
#endif /* USE_LIBIAF */
|
||||
#endif
|
||||
|
||||
/* check for locked account */
|
||||
if (passwd && *passwd) {
|
||||
#ifdef LOCKED_PASSWD_STRING
|
||||
if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_PREFIX
|
||||
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
|
||||
strlen(LOCKED_PASSWD_PREFIX)) == 0)
|
||||
locked = 1;
|
||||
#endif
|
||||
#ifdef LOCKED_PASSWD_SUBSTR
|
||||
if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
|
||||
locked = 1;
|
||||
#endif
|
||||
}
|
||||
#ifdef USE_LIBIAF
|
||||
if (iaf_passwd != NULL)
|
||||
freezero(iaf_passwd, strlen(iaf_passwd));
|
||||
#endif /* USE_LIBIAF */
|
||||
|
||||
return locked;
|
||||
}
|
||||
|
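Review bot: In platform_locked_account() the body of `if (spw != NULL)` is a single statement selected by `#ifdef USE_LIBIAF`/`#else` with no braces; if either branch ever grows a second statement it silently falls outside the conditional, so brace it as `if (spw != NULL) {` … `}` around the whole preprocessor block. The header comment `/* returns 1 if account is locked */` should also say what "locked" means here: an expired shadow entry, or a password field matching the platform's LOCKED_PASSWD_STRING/PREFIX/SUBSTR, with only pw_passwd consulted when no shadow entry is available. The early `return 1` under HAS_SHADOW_EXPIRE is safe with respect to iaf_passwd only because it precedes get_iaf_password(); a short comment there would keep that ordering from being broken later.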
@ -28,6 +28,7 @@ void platform_setusercontext(struct passwd *);
|
||||
void platform_setusercontext_post_groups(struct passwd *);
|
||||
char *platform_get_krb5_client(const char *);
|
||||
char *platform_krb5_get_principal_name(const char *);
|
||||
int platform_locked_account(struct passwd *);
|
||||
int platform_sys_dir_uid(uid_t);
|
||||
void platform_disable_tracing(int);
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: scp.c,v 1.245 2022/02/10 04:12:38 djm Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.247 2022/03/20 08:52:17 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@ -968,7 +968,7 @@ do_sftp_connect(char *host, char *user, int port, char *sftp_direct,
|
||||
return NULL;
|
||||
|
||||
} else {
|
||||
args.list = NULL;
|
||||
freeargs(&args);
|
||||
addargs(&args, "sftp-server");
|
||||
if (do_cmd(sftp_direct, host, NULL, -1, 0, "sftp",
|
||||
reminp, remoutp, pidp) < 0)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
/* $OpenBSD: servconf.c,v 1.383 2022/02/08 08:59:12 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.c,v 1.384 2022/03/18 04:04:11 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@ -2542,7 +2542,7 @@ parse_server_match_config(ServerOptions *options,
|
||||
|
||||
initialize_server_options(&mo);
|
||||
parse_server_config(&mo, "reprocess config", cfg, includes,
|
||||
connectinfo);
|
||||
connectinfo, 0);
|
||||
copy_set_server_options(options, &mo, 0);
|
||||
}
|
||||
|
||||
@ -2720,12 +2720,13 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
void
|
||||
parse_server_config(ServerOptions *options, const char *filename,
|
||||
struct sshbuf *conf, struct include_list *includes,
|
||||
struct connection_info *connectinfo)
|
||||
struct connection_info *connectinfo, int reexec)
|
||||
{
|
||||
int active = connectinfo ? 0 : 1;
|
||||
parse_server_config_depth(options, filename, conf, includes,
|
||||
connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
|
||||
process_queued_listen_addrs(options);
|
||||
if (!reexec)
|
||||
process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
static const char *
|
||||
|
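Review bot: The new `reexec` parameter of parse_server_config() is undocumented, and its only visible effect is that process_queued_listen_addrs() is skipped when it is non-zero; presumably the listen addresses were already handled by the parent before re-exec, but that has to be confirmed from the sshd.c caller, which is not in this diff. A comment at the new branch, e.g. `/* reexec: listen addrs already resolved by the parent; don't re-queue (confirm) */`, plus a word on the prototype in servconf.h, would make the contract explicit. The parse_server_match_config() call site passes 0, which also deserves a note on why a Match re-parse never counts as re-exec.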
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: servconf.h,v 1.155 2021/07/02 05:11:21 dtucker Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.156 2022/03/18 04:04:11 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -298,7 +298,7 @@ int process_server_config_line(ServerOptions *, char *, const char *, int,
|
||||
void process_permitopen(struct ssh *ssh, ServerOptions *options);
|
||||
void load_server_config(const char *, struct sshbuf *);
|
||||
void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
|
||||
struct include_list *includes, struct connection_info *);
|
||||
struct include_list *includes, struct connection_info *, int);
|
||||
void parse_server_match_config(ServerOptions *,
|
||||
struct include_list *includes, struct connection_info *);
|
||||
int parse_server_match_testspec(struct connection_info *, char *);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-client.c,v 1.161 2022/01/17 21:41:04 djm Exp $ */
|
||||
/* $OpenBSD: sftp-client.c,v 1.162 2022/03/31 03:07:03 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -103,6 +103,7 @@ struct sftp_conn {
|
||||
#define SFTP_EXT_LSETSTAT 0x00000020
|
||||
#define SFTP_EXT_LIMITS 0x00000040
|
||||
#define SFTP_EXT_PATH_EXPAND 0x00000080
|
||||
#define SFTP_EXT_COPY_DATA 0x00000100
|
||||
u_int exts;
|
||||
u_int64_t limit_kbps;
|
||||
struct bwlimit bwlimit_in, bwlimit_out;
|
||||
@ -534,6 +535,10 @@ do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests,
|
||||
strcmp((char *)value, "1") == 0) {
|
||||
ret->exts |= SFTP_EXT_PATH_EXPAND;
|
||||
known = 1;
|
||||
} else if (strcmp(name, "copy-data") == 0 &&
|
||||
strcmp((char *)value, "1") == 0) {
|
||||
ret->exts |= SFTP_EXT_COPY_DATA;
|
||||
known = 1;
|
||||
}
|
||||
if (known) {
|
||||
debug2("Server supports extension \"%s\" revision %s",
|
||||
@ -1078,6 +1083,121 @@ do_expand_path(struct sftp_conn *conn, const char *path)
|
||||
return do_realpath_expand(conn, path, 1);
|
||||
}
|
||||
|
||||
int
|
||||
do_copy(struct sftp_conn *conn, const char *oldpath, const char *newpath)
|
||||
{
|
||||
Attrib junk, *a;
|
||||
struct sshbuf *msg;
|
||||
u_char *old_handle, *new_handle;
|
||||
u_int mode, status, id;
|
||||
size_t old_handle_len, new_handle_len;
|
||||
int r;
|
||||
|
||||
/* Return if the extension is not supported */
|
||||
if ((conn->exts & SFTP_EXT_COPY_DATA) == 0) {
|
||||
error("Server does not support copy-data extension");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Make sure the file exists, and we can copy its perms */
|
||||
if ((a = do_stat(conn, oldpath, 0)) == NULL)
|
||||
return -1;
|
||||
|
||||
/* Do not preserve set[ug]id here, as we do not preserve ownership */
|
||||
if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
|
||||
mode = a->perm & 0777;
|
||||
|
||||
if (!S_ISREG(a->perm)) {
|
||||
error("Cannot copy non-regular file: %s", oldpath);
|
||||
return -1;
|
||||
}
|
||||
} else {
|
||||
/* NB: The user's umask will apply to this */
|
||||
mode = 0666;
|
||||
}
|
||||
|
||||
/* Set up the new perms for the new file */
|
||||
attrib_clear(a);
|
||||
a->perm = mode;
|
||||
a->flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
|
||||
|
||||
if ((msg = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
attrib_clear(&junk); /* Send empty attributes */
|
||||
|
||||
/* Open the old file for reading */
|
||||
id = conn->msg_id++;
|
||||
if ((r = sshbuf_put_u8(msg, SSH2_FXP_OPEN)) != 0 ||
|
||||
(r = sshbuf_put_u32(msg, id)) != 0 ||
|
||||
(r = sshbuf_put_cstring(msg, oldpath)) != 0 ||
|
||||
(r = sshbuf_put_u32(msg, SSH2_FXF_READ)) != 0 ||
|
||||
(r = encode_attrib(msg, &junk)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
send_msg(conn, msg);
|
||||
debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, oldpath);
|
||||
|
||||
sshbuf_reset(msg);
|
||||
|
||||
old_handle = get_handle(conn, id, &old_handle_len,
|
||||
"remote open(\"%s\")", oldpath);
|
||||
if (old_handle == NULL) {
|
||||
sshbuf_free(msg);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Open the new file for writing */
|
||||
id = conn->msg_id++;
|
||||
if ((r = sshbuf_put_u8(msg, SSH2_FXP_OPEN)) != 0 ||
|
||||
(r = sshbuf_put_u32(msg, id)) != 0 ||
|
||||
(r = sshbuf_put_cstring(msg, newpath)) != 0 ||
|
||||
(r = sshbuf_put_u32(msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|
|
||||
SSH2_FXF_TRUNC)) != 0 ||
|
||||
(r = encode_attrib(msg, a)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
send_msg(conn, msg);
|
||||
debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, newpath);
|
||||
|
||||
sshbuf_reset(msg);
|
||||
|
||||
new_handle = get_handle(conn, id, &new_handle_len,
|
||||
"remote open(\"%s\")", newpath);
|
||||
if (new_handle == NULL) {
|
||||
sshbuf_free(msg);
|
||||
free(old_handle);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Copy the file data */
|
||||
id = conn->msg_id++;
|
||||
if ((r = sshbuf_put_u8(msg, SSH2_FXP_EXTENDED)) != 0 ||
|
||||
(r = sshbuf_put_u32(msg, id)) != 0 ||
|
||||
(r = sshbuf_put_cstring(msg, "copy-data")) != 0 ||
|
||||
(r = sshbuf_put_string(msg, old_handle, old_handle_len)) != 0 ||
|
||||
(r = sshbuf_put_u64(msg, 0)) != 0 ||
|
||||
(r = sshbuf_put_u64(msg, 0)) != 0 ||
|
||||
(r = sshbuf_put_string(msg, new_handle, new_handle_len)) != 0 ||
|
||||
(r = sshbuf_put_u64(msg, 0)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
send_msg(conn, msg);
|
||||
debug3("Sent message copy-data \"%s\" 0 0 -> \"%s\" 0",
|
||||
oldpath, newpath);
|
||||
|
||||
status = get_status(conn, id);
|
||||
if (status != SSH2_FX_OK)
|
||||
error("Couldn't copy file \"%s\" to \"%s\": %s", oldpath,
|
||||
newpath, fx2txt(status));
|
||||
|
||||
/* Clean up everything */
|
||||
sshbuf_free(msg);
|
||||
do_close(conn, old_handle, old_handle_len);
|
||||
do_close(conn, new_handle, new_handle_len);
|
||||
free(old_handle);
|
||||
free(new_handle);
|
||||
|
||||
return status == SSH2_FX_OK ? 0 : -1;
|
||||
}
|
||||
|
||||
int
|
||||
do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
|
||||
int force_legacy)
|
||||
|
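Review bot: When the copy-data request fails (`status != SSH2_FX_OK` after get_status()), do_copy() returns -1 but leaves `newpath` behind, already created and truncated by the SSH2_FXF_CREAT|SSH2_FXF_TRUNC open, so a pre-existing file at that path is emptied even when the server then reports it cannot copy. Either remove the destination on failure with do_rm(), or state in the sftp-client.h comment for do_copy() that a failed copy may leave a truncated newpath. Note too that the `!S_ISREG(a->perm)` guard sits inside the `SSH2_FILEXFER_ATTR_PERMISSIONS` branch, so a server that omits permissions gets no non-regular-file check at all; a comment that the server is then relied on to reject such opens would make that explicit.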
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-client.h,v 1.35 2022/01/01 01:55:30 jsg Exp $ */
|
||||
/* $OpenBSD: sftp-client.h,v 1.36 2022/03/31 03:07:03 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
@ -125,6 +125,9 @@ int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
|
||||
/* Rename 'oldpath' to 'newpath' */
|
||||
int do_rename(struct sftp_conn *, const char *, const char *, int);
|
||||
|
||||
/* Copy 'oldpath' to 'newpath' */
|
||||
int do_copy(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
/* Link 'oldpath' to 'newpath' */
|
||||
int do_hardlink(struct sftp_conn *, const char *, const char *);
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-glob.c,v 1.29 2019/11/13 04:47:52 deraadt Exp $ */
|
||||
/* $OpenBSD: sftp-glob.c,v 1.30 2022/02/25 09:46:24 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -51,7 +51,7 @@ fudge_opendir(const char *path)
|
||||
|
||||
r = xcalloc(1, sizeof(*r));
|
||||
|
||||
if (do_readdir(cur.conn, (char *)path, &r->dir)) {
|
||||
if (do_readdir(cur.conn, path, &r->dir)) {
|
||||
free(r);
|
||||
return(NULL);
|
||||
}
|
||||
@ -112,7 +112,7 @@ fudge_lstat(const char *path, struct stat *st)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
if (!(a = do_lstat(cur.conn, (char *)path, 1)))
|
||||
if (!(a = do_lstat(cur.conn, path, 1)))
|
||||
return(-1);
|
||||
|
||||
attrib_to_stat(a, st);
|
||||
@ -125,7 +125,7 @@ fudge_stat(const char *path, struct stat *st)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
if (!(a = do_stat(cur.conn, (char *)path, 1)))
|
||||
if (!(a = do_stat(cur.conn, path, 1)))
|
||||
return(-1);
|
||||
|
||||
attrib_to_stat(a, st);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp-server.c,v 1.139 2022/02/01 23:32:51 djm Exp $ */
|
||||
/* $OpenBSD: sftp-server.c,v 1.140 2022/03/31 03:05:49 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
|
||||
*
|
||||
@ -44,6 +44,7 @@
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
#include "atomicio.h"
|
||||
#include "xmalloc.h"
|
||||
#include "sshbuf.h"
|
||||
#include "ssherr.h"
|
||||
@ -119,6 +120,7 @@ static void process_extended_fsync(u_int32_t id);
|
||||
static void process_extended_lsetstat(u_int32_t id);
|
||||
static void process_extended_limits(u_int32_t id);
|
||||
static void process_extended_expand(u_int32_t id);
|
||||
static void process_extended_copy_data(u_int32_t id);
|
||||
static void process_extended(u_int32_t id);
|
||||
|
||||
struct sftp_handler {
|
||||
@ -164,6 +166,7 @@ static const struct sftp_handler extended_handlers[] = {
|
||||
{ "limits", "limits@openssh.com", 0, process_extended_limits, 0 },
|
||||
{ "expand-path", "expand-path@openssh.com", 0,
|
||||
process_extended_expand, 0 },
|
||||
{ "copy-data", "copy-data", 0, process_extended_copy_data, 1 },
|
||||
{ NULL, NULL, 0, NULL, 0 }
|
||||
};
|
||||
|
||||
@ -720,6 +723,7 @@ process_init(void)
|
||||
compose_extension(msg, "lsetstat@openssh.com", "1");
|
||||
compose_extension(msg, "limits@openssh.com", "1");
|
||||
compose_extension(msg, "expand-path@openssh.com", "1");
|
||||
compose_extension(msg, "copy-data", "1");
|
||||
|
||||
send_msg(msg);
|
||||
sshbuf_free(msg);
|
||||
@ -1592,6 +1596,94 @@ process_extended_expand(u_int32_t id)
|
||||
free(path);
|
||||
}
|
||||
|
||||
static void
|
||||
process_extended_copy_data(u_int32_t id)
|
||||
{
|
||||
u_char buf[64*1024];
|
||||
int read_handle, read_fd, write_handle, write_fd;
|
||||
u_int64_t len, read_off, read_len, write_off;
|
||||
int r, copy_until_eof, status = SSH2_FX_OP_UNSUPPORTED;
|
||||
size_t ret;
|
||||
|
||||
if ((r = get_handle(iqueue, &read_handle)) != 0 ||
|
||||
(r = sshbuf_get_u64(iqueue, &read_off)) != 0 ||
|
||||
(r = sshbuf_get_u64(iqueue, &read_len)) != 0 ||
|
||||
(r = get_handle(iqueue, &write_handle)) != 0 ||
|
||||
(r = sshbuf_get_u64(iqueue, &write_off)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
debug("request %u: copy-data from \"%s\" (handle %d) off %llu len %llu "
|
||||
"to \"%s\" (handle %d) off %llu",
|
||||
id, handle_to_name(read_handle), read_handle,
|
||||
(unsigned long long)read_off, (unsigned long long)read_len,
|
||||
handle_to_name(write_handle), write_handle,
|
||||
(unsigned long long)write_off);
|
||||
|
||||
/* For read length of 0, we read until EOF. */
|
||||
if (read_len == 0) {
|
||||
read_len = (u_int64_t)-1 - read_off;
|
||||
copy_until_eof = 1;
|
||||
} else
|
||||
copy_until_eof = 0;
|
||||
|
||||
read_fd = handle_to_fd(read_handle);
|
||||
write_fd = handle_to_fd(write_handle);
|
||||
|
||||
/* Disallow reading & writing to the same handle or same path or dirs */
|
||||
if (read_handle == write_handle || read_fd < 0 || write_fd < 0 ||
|
||||
!strcmp(handle_to_name(read_handle), handle_to_name(write_handle))) {
|
||||
status = SSH2_FX_FAILURE;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (lseek(read_fd, read_off, SEEK_SET) < 0) {
|
||||
status = errno_to_portable(errno);
|
||||
error("%s: read_seek failed", __func__);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if ((handle_to_flags(write_handle) & O_APPEND) == 0 &&
|
||||
lseek(write_fd, write_off, SEEK_SET) < 0) {
|
||||
status = errno_to_portable(errno);
|
||||
error("%s: write_seek failed", __func__);
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Process the request in chunks. */
|
||||
while (read_len > 0 || copy_until_eof) {
|
||||
len = MINIMUM(sizeof(buf), read_len);
|
||||
read_len -= len;
|
||||
|
||||
ret = atomicio(read, read_fd, buf, len);
|
||||
if (ret == 0 && errno == EPIPE) {
|
||||
status = copy_until_eof ? SSH2_FX_OK : SSH2_FX_EOF;
|
||||
break;
|
||||
} else if (ret == 0) {
|
||||
status = errno_to_portable(errno);
|
||||
error("%s: read failed: %s", __func__, strerror(errno));
|
||||
break;
|
||||
}
|
||||
len = ret;
|
||||
handle_update_read(read_handle, len);
|
||||
|
||||
ret = atomicio(vwrite, write_fd, buf, len);
|
||||
if (ret != len) {
|
||||
status = errno_to_portable(errno);
|
||||
error("%s: write failed: %llu != %llu: %s", __func__,
|
||||
(unsigned long long)ret, (unsigned long long)len,
|
||||
strerror(errno));
|
||||
break;
|
||||
}
|
||||
handle_update_write(write_handle, len);
|
||||
}
|
||||
|
||||
if (read_len == 0)
|
||||
status = SSH2_FX_OK;
|
||||
|
||||
out:
|
||||
send_status(id, status);
|
||||
}
|
||||
|
||||
static void
|
||||
process_extended(u_int32_t id)
|
||||
{
|
||||
|
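Review bot: In process_extended_copy_data() any failure on the final chunk (read error, premature EOF or write error) is reported as success: `read_len -= len` has already reached 0 before the read and write run, so after the `break` the trailing `if (read_len == 0) status = SSH2_FX_OK;` overwrites the error status. Every `break` inside the loop already sets status, so the fix is to drop those two trailing lines and put `status = SSH2_FX_OK;` immediately before the `while`, letting only a clean loop exit keep it. Separately, the same-file guard compares handle names with strcmp(), so a hard link, a symlink or a differently spelled path to the same file passes it, and in copy-until-EOF mode a copy into its own source may never reach EOF; comparing `st_dev`/`st_ino` from fstat() on the two descriptors closes that. The debug() call also formats handle_to_name() for both handles before the `read_fd < 0 || write_fd < 0` validation, so if that helper returns NULL for a bad handle the `%s` is undefined.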
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: sftp.1,v 1.138 2021/07/02 05:11:21 dtucker Exp $
|
||||
.\" $OpenBSD: sftp.1,v 1.140 2022/03/31 17:27:27 naddy Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: July 2 2021 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SFTP 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -126,7 +126,7 @@ Batch mode reads a series of commands from an input
|
||||
.Ar batchfile
|
||||
instead of
|
||||
.Em stdin .
|
||||
Since it lacks user interaction it should be used in conjunction with
|
||||
Since it lacks user interaction, it should be used in conjunction with
|
||||
non-interactive authentication to obviate the need to enter a password
|
||||
at connection time (see
|
||||
.Xr sshd 8
|
||||
@ -144,7 +144,7 @@ will abort if any of the following
|
||||
commands fail:
|
||||
.Ic get , put , reget , reput , rename , ln ,
|
||||
.Ic rm , mkdir , chdir , ls ,
|
||||
.Ic lchdir , chmod , chown ,
|
||||
.Ic lchdir , copy , cp , chmod , chown ,
|
||||
.Ic chgrp , lpwd , df , symlink ,
|
||||
and
|
||||
.Ic lmkdir .
|
||||
@ -400,6 +400,18 @@ If the
|
||||
flag is specified, then symlinks will not be followed.
|
||||
Note that this is only supported by servers that implement
|
||||
the "lsetstat@openssh.com" extension.
|
||||
.It Ic copy Ar oldpath Ar newpath
|
||||
Copy remote file from
|
||||
.Ar oldpath
|
||||
to
|
||||
.Ar newpath .
|
||||
.Pp
|
||||
Note that this is only supported by servers that implement the "copy-data"
|
||||
extension.
|
||||
.It Ic cp Ar oldpath Ar newpath
|
||||
Alias to
|
||||
.Ic copy
|
||||
command.
|
||||
.It Xo Ic df
|
||||
.Op Fl hi
|
||||
.Op Ar path
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
|
||||
/* $OpenBSD: sftp.c,v 1.214 2022/03/31 03:07:03 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
|
||||
*
|
||||
@ -137,6 +137,7 @@ enum sftp_command {
|
||||
I_CHGRP,
|
||||
I_CHMOD,
|
||||
I_CHOWN,
|
||||
I_COPY,
|
||||
I_DF,
|
||||
I_GET,
|
||||
I_HELP,
|
||||
@ -180,6 +181,8 @@ static const struct CMD cmds[] = {
|
||||
{ "chgrp", I_CHGRP, REMOTE },
|
||||
{ "chmod", I_CHMOD, REMOTE },
|
||||
{ "chown", I_CHOWN, REMOTE },
|
||||
{ "copy", I_COPY, REMOTE },
|
||||
{ "cp", I_COPY, REMOTE },
|
||||
{ "df", I_DF, REMOTE },
|
||||
{ "dir", I_LS, REMOTE },
|
||||
{ "exit", I_QUIT, NOARGS },
|
||||
@ -286,6 +289,8 @@ help(void)
|
||||
"chgrp [-h] grp path Change group of file 'path' to 'grp'\n"
|
||||
"chmod [-h] mode path Change permissions of file 'path' to 'mode'\n"
|
||||
"chown [-h] own path Change owner of file 'path' to 'own'\n"
|
||||
"copy oldpath newpath Copy remote file\n"
|
||||
"cp oldpath newpath Copy remote file\n"
|
||||
"df [-hi] [path] Display statistics for current directory or\n"
|
||||
" filesystem containing 'path'\n"
|
||||
"exit Quit sftp\n"
|
||||
@ -1369,6 +1374,10 @@ parse_args(const char **cpp, int *ignore_errors, int *disable_echo, int *aflag,
|
||||
if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1)
|
||||
return -1;
|
||||
goto parse_two_paths;
|
||||
case I_COPY:
|
||||
if ((optidx = parse_no_flags(cmd, argv, argc)) == -1)
|
||||
return -1;
|
||||
goto parse_two_paths;
|
||||
case I_RENAME:
|
||||
if ((optidx = parse_rename_flags(cmd, argv, argc, lflag)) == -1)
|
||||
return -1;
|
||||
@ -1536,6 +1545,11 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
|
||||
err = process_put(conn, path1, path2, *pwd, pflag,
|
||||
rflag, aflag, fflag);
|
||||
break;
|
||||
case I_COPY:
|
||||
path1 = make_absolute(path1, *pwd);
|
||||
path2 = make_absolute(path2, *pwd);
|
||||
err = do_copy(conn, path1, path2);
|
||||
break;
|
||||
case I_RENAME:
|
||||
path1 = make_absolute(path1, *pwd);
|
||||
path2 = make_absolute(path2, *pwd);
|
||||
@ -2272,7 +2286,6 @@ static void
|
||||
connect_to_server(char *path, char **args, int *in, int *out)
|
||||
{
|
||||
int c_in, c_out;
|
||||
|
||||
#ifdef USE_PIPES
|
||||
int pin[2], pout[2];
|
||||
|
||||
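Review bot: The new I_COPY case in parse_dispatch_command resolves both paths and calls do_copy() with nothing at this call site indicating that the operation depends on the server's "copy-data" extension, so a reader of sftp.c alone cannot tell whether an unsupported server is rejected before or after the paths are made absolute. Presumably do_copy() in sftp-client.c checks the negotiated extension and returns an error, but that dependency should be stated here: `/* do_copy() requires the server's "copy-data" extension; expected to fail cleanly otherwise */`. The same applies to the command-table and help entries in the earlier hunks, which advertise both `copy` and `cp` unconditionally. parse_args and parse_dispatch_command both start and end outside their hunks.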
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.73 2022/03/31 17:27:27 naddy Exp $
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: June 22 2020 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSH-AGENT 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -83,12 +83,12 @@ This is the default if
|
||||
looks like it's a csh style of shell.
|
||||
.It Fl D
|
||||
Foreground mode.
|
||||
When this option is specified
|
||||
When this option is specified,
|
||||
.Nm
|
||||
will not fork.
|
||||
.It Fl d
|
||||
Debug mode.
|
||||
When this option is specified
|
||||
When this option is specified,
|
||||
.Nm
|
||||
will not fork and will write debug information to standard error.
|
||||
.It Fl E Ar fingerprint_hash
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.448 2022/02/01 23:32:51 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.450 2022/03/18 02:32:22 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -3538,6 +3538,13 @@ main(int argc, char **argv)
|
||||
return sig_sign(identity_file, cert_principals,
|
||||
argc, argv, opts, nopts);
|
||||
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
|
||||
/* NB. cert_principals is actually namespace, via -n */
|
||||
if (cert_principals == NULL ||
|
||||
*cert_principals == '\0') {
|
||||
error("Too few arguments for check-novalidate: "
|
||||
"missing namespace");
|
||||
exit(1);
|
||||
}
|
||||
if (ca_key_path == NULL) {
|
||||
error("Too few arguments for check-novalidate: "
|
||||
"missing signature file");
|
||||
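Review bot: The dispatch line directly above the new namespace check, `strncmp(sign_op, "check-novalidate", 16) == 0`, is a prefix match: 16 is the full length of the literal, so any sign_op beginning with "check-novalidate" (for example "check-novalidate-x") is accepted and the trailing text is silently ignored. This is pre-existing context rather than part of the change, but since the branch now gains argument validation it would be consistent to make the operation name exact as well: `} else if (strcmp(sign_op, "check-novalidate") == 0) {`. main() starts and ends outside the hunk.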
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: November 30 2019 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSH-KEYSIGN 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -77,7 +77,7 @@ must be set-uid root if host-based authentication is used.
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
If these files exist they are assumed to contain public certificate
|
||||
If these files exist, they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
|
@ -33,9 +33,9 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.429 2022/02/06 00:29:03 jsg Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.430 2022/03/31 17:27:27 naddy Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd $Mdocdate: February 6 2022 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -707,7 +707,7 @@ argument is
|
||||
the listen port will be dynamically allocated on the server and reported
|
||||
to the client at run time.
|
||||
When used together with
|
||||
.Ic -O forward
|
||||
.Ic -O forward ,
|
||||
the allocated port will be printed to the standard output.
|
||||
.Pp
|
||||
.It Fl S Ar ctl_path
|
||||
@ -1047,7 +1047,7 @@ the user a normal shell as an interactive session.
|
||||
All communication with
|
||||
the remote command or shell will be automatically encrypted.
|
||||
.Pp
|
||||
If an interactive session is requested
|
||||
If an interactive session is requested,
|
||||
.Nm
|
||||
by default will only request a pseudo-terminal (pty) for interactive
|
||||
sessions when the client has one.
|
||||
@ -1057,7 +1057,7 @@ and
|
||||
.Fl t
|
||||
can be used to override this behaviour.
|
||||
.Pp
|
||||
If a pseudo-terminal has been allocated the
|
||||
If a pseudo-terminal has been allocated, the
|
||||
user may use the escape characters noted below.
|
||||
.Pp
|
||||
If no pseudo-terminal has been allocated,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh.c,v 1.573 2022/02/08 08:59:12 dtucker Exp $ */
|
||||
/* $OpenBSD: ssh.c,v 1.574 2022/03/30 04:33:09 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -697,7 +697,7 @@ main(int ac, char **av)
|
||||
|
||||
again:
|
||||
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
|
||||
"AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
"AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
|
||||
switch (opt) {
|
||||
case '1':
|
||||
fatal("SSH protocol v.1 is no longer supported");
|
||||
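Review bot: The comment `/* HUZdhjruz */` added after the getopt() string gives no hint what the letters mean; a reader has to work out that they are the option characters not yet taken. Spelling it out keeps the list maintainable: `/* unused option letters: HUZdhjruz */`. Since the comment sits on the continuation line of the option string, it needs updating whenever a letter is added to the string above. main() starts and ends outside the hunk.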
|
@ -46,4 +46,4 @@
|
||||
# RekeyLimit 1G 1h
|
||||
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
||||
# VerifyHostKeyDNS yes
|
||||
# VersionAddendum FreeBSD-20220413
|
||||
# VersionAddendum FreeBSD-20220415
|
||||
|
@ -33,9 +33,9 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.369 2022/02/15 05:13:36 djm Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.371 2022/03/31 17:58:44 naddy Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd $Mdocdate: February 15 2022 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -1168,9 +1168,9 @@ character, then the specified algorithms will be placed at the head of the
|
||||
default set.
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,
|
||||
diffie-hellman-group18-sha512,
|
||||
@ -1584,7 +1584,7 @@ If forwarding to a specific destination then the second argument must be
|
||||
or a Unix domain socket path,
|
||||
otherwise if no destination argument is specified then the remote forwarding
|
||||
will be established as a SOCKS proxy.
|
||||
When acting as a SOCKS proxy the destination of the connection can be
|
||||
When acting as a SOCKS proxy, the destination of the connection can be
|
||||
restricted by
|
||||
.Cm PermitRemoteOpen .
|
||||
.Pp
|
||||
@ -1979,7 +1979,7 @@ in
|
||||
Specifies a string to append to the regular version string to identify
|
||||
OS- or site-specific modifications.
|
||||
The default is
|
||||
.Dq FreeBSD-20220413 .
|
||||
.Dq FreeBSD-20220415 .
|
||||
The value
|
||||
.Cm none
|
||||
may be used to disable this.
|
||||
|
@ -33,9 +33,9 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
|
||||
.\" $OpenBSD: sshd.8,v 1.318 2022/03/31 17:27:27 naddy Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd $Mdocdate: September 10 2021 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -652,7 +652,7 @@ Enable all restrictions, i.e. disable port, agent and X11 forwarding,
|
||||
as well as disabling PTY allocation
|
||||
and execution of
|
||||
.Pa ~/.ssh/rc .
|
||||
If any future restriction capabilities are added to authorized_keys files
|
||||
If any future restriction capabilities are added to authorized_keys files,
|
||||
they will be included in this set.
|
||||
.It Cm tunnel="n"
|
||||
Force a
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshd.c,v 1.584 2022/03/01 01:59:19 djm Exp $ */
|
||||
/* $OpenBSD: sshd.c,v 1.585 2022/03/18 04:04:11 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -1806,7 +1806,7 @@ main(int ac, char **av)
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
cfg, &includes, NULL);
|
||||
cfg, &includes, NULL, rexeced_flag);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
if (options.moduli_file != NULL)
|
||||
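Review bot: The call now passes rexeced_flag to parse_server_config() while the second argument still derives the pseudo-filename "rexec" from the same flag, so one condition is encoded twice and, without the servconf changes in view, it is unclear what the explicit flag controls that the filename did not. A short comment at the call site would help, with wording to be confirmed against parse_server_config() in servconf.c: `/* rexeced_flag: config was received over the rexec pipe rather than read from a file */`. main() starts and ends outside the hunk.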
|
@ -105,7 +105,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#UseBlacklist no
|
||||
#VersionAddendum FreeBSD-20220413
|
||||
#VersionAddendum FreeBSD-20220415
|
||||
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
@ -33,9 +33,9 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.339 2021/12/04 00:05:39 naddy Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.340 2022/03/31 17:58:44 naddy Exp $
|
||||
.\" $FreeBSD$
|
||||
.Dd $Mdocdate: December 4 2021 $
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -962,9 +962,9 @@ sntrup761x25519-sha512@openssh.com
|
||||
.Pp
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
sntrup761x25519-sha512@openssh.com,
|
||||
diffie-hellman-group-exchange-sha256,
|
||||
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
diffie-hellman-group14-sha256
|
||||
@ -1806,7 +1806,7 @@ The default is
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
sent by the server upon connection.
|
||||
The default is
|
||||
.Qq FreeBSD-20220413 .
|
||||
.Qq FreeBSD-20220415 .
|
||||
The value
|
||||
.Cm none
|
||||
may be used to disable this.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshsig.c,v 1.28 2022/02/01 23:34:47 djm Exp $ */
|
||||
/* $OpenBSD: sshsig.c,v 1.29 2022/03/30 04:27:51 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Google LLC
|
||||
*
|
||||
@ -739,7 +739,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
|
||||
return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */
|
||||
|
||||
/* format: identity[,identity...] [option[,option...]] key */
|
||||
if ((tmp = strdelimw(&cp)) == NULL) {
|
||||
if ((tmp = strdelimw(&cp)) == NULL || cp == NULL) {
|
||||
error("%s:%lu: invalid line", path, linenum);
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
@ -777,6 +777,11 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
}
|
||||
if (cp == NULL || *cp == '\0') {
|
||||
error("%s:%lu: missing key", path, linenum);
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
}
|
||||
*cp++ = '\0';
|
||||
skip_space(&cp);
|
||||
if (sshkey_read(key, &cp) != 0) {
|
||||
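Review bot: The two new checks report the same user error with different messages: a line holding only an identity list fails at the first hunk (the added `|| cp == NULL`) with "invalid line", while a line with identities and options but no key fails at the second hunk with "missing key". Splitting the first condition so that a NULL cp after a successful strdelimw() reports `error("%s:%lu: missing key", path, linenum);` would make the diagnostic consistent and easier to act on. parse_principals_key_and_options starts and ends outside both hunks.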
|
@ -6,7 +6,7 @@
|
||||
#define SSH_PORTABLE "p1"
|
||||
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
|
||||
#define SSH_VERSION_FREEBSD "FreeBSD-20220413"
|
||||
#define SSH_VERSION_FREEBSD "FreeBSD-20220415"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: xmalloc.c,v 1.36 2019/11/12 22:32:48 djm Exp $ */
|
||||
/* $OpenBSD: xmalloc.c,v 1.37 2022/03/13 23:27:54 cheloha Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -91,8 +91,7 @@ xstrdup(const char *str)
|
||||
|
||||
len = strlen(str) + 1;
|
||||
cp = xmalloc(len);
|
||||
strlcpy(cp, str, len);
|
||||
return cp;
|
||||
return memcpy(cp, str, len);
|
||||
}
|
||||
|
||||
int
|
||||
|