path: root/usr.bin/ssh/serverloop.c
Commit log for this file. Each entry gives the commit message, followed by [author, date, files changed, lines removed/added]:
* highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
  [djm, 2021-04-03, 1 file, -2/+2]
* make ssh->kex->session_id a sshbuf instead of u_char*/size_t and use that instead of global variables containing copies of it. feedback/ok markus@
  [djm, 2021-01-27, 1 file, -3/+3]
* use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@
  [djm, 2020-10-18, 1 file, -45/+37]
* start ClientAliveInterval bookkeeping before first pass through select() loop; fixed theoretical case where busy sshd may ignore timeouts from client; inspired by and ok dtucker
  [djm, 2020-07-03, 1 file, -1/+3]
* use sshpkt_fatal() instead of plain fatal() for ssh_packet_write_poll() failures here too as the former yields better error messages; ok dtucker@
  [djm, 2020-01-30, 1 file, -4/+5]
* make sshd_config:ClientAliveCountMax=0 disable the connection killing behaviour, rather than killing the connection after sending the first liveness test probe (regardless of whether the client was responsive) bz2627; ok markus
  [djm, 2020-01-25, 1 file, -2/+3]
* unrevert this:
  > revision 1.217
  > date: 2019/11/27 03:34:04; author: dtucker; state: Exp; lines: +5 -7; commitid: wkiMn49XJyjzoJIs;
  > Make channel_id u_int32_t and remove unnecessary check and cast that were
  > left over from the type conversion. Noted by t-hashida@amiya.co.jp in
  > bz#3098, ok markus@ djm@
  Darren was right the first time; ok dtucker@ "agreed" markus@
  [djm, 2020-01-25, 1 file, -5/+3]
* Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
  [dtucker, 2020-01-23, 1 file, -5/+5]
* Revert previous commit. The channels code still uses int in many places for channel ids so the INT_MAX check still makes sense.
  [dtucker, 2019-11-27, 1 file, -5/+7]
* Make channel_id u_int32_t and remove unnecessary check and cast that were left over from the type conversion. Noted by t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@
  [dtucker, 2019-11-27, 1 file, -7/+5]
* When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
  [deraadt, 2019-06-28, 1 file, -4/+4]
* fix interaction between ClientAliveInterval and RekeyLimit that could cause connection to close incorrectly; Report and patch from Jakub Jelen in bz#2757; ok dtucker@ markus@
  [djm, 2019-03-27, 1 file, -3/+4]
* Reset last-seen time when sending a keepalive. Prevents sending two keepalives successively and prematurely terminating connection when ClientAliveCount=1. While there, collapse two similar tests into one. ok markus@
  [dtucker, 2019-03-06, 1 file, -6/+9]
* fix error in refactor: use ssh_packet_disconnect() instead of sshpkt_error(). The first one logs the error and exits (what we want) instead of just logging and blundering on.
  [djm, 2019-01-19, 1 file, -4/+6]
* remove last references to active_state with & ok markus@
  [djm, 2019-01-19, 1 file, -3/+3]
* convert serverloop.c to new packet API with & ok markus@
  [djm, 2019-01-19, 1 file, -152/+204]
* begin landing remaining refactoring of packet parsing API, started almost exactly six years ago. This change stops including the old packet_* API by default and makes each file that requires the old API include it explicitly. We will commit file-by-file refactoring to remove the old API in consistent steps. with & ok markus@
  [djm, 2019-01-19, 1 file, -1/+4]
* Remove uid checks from low port binds. Now that ssh cannot be setuid and sshd always has privsep on, we can remove the uid checks for low port binds and just let the system do the check. We leave a sanity check for the !privsep case so long as the code is still there. with & ok djm@
  [dtucker, 2018-07-27, 1 file, -1/+12]
* remove legacy key emulation layer; ok djm@
  [markus, 2018-07-11, 1 file, -2/+2]
* sshd: switch config to sshbuf API; ok djm@
  [markus, 2018-07-09, 1 file, -2/+2]
* fix some over-long lines and __func__ up some debug messages
  [djm, 2018-06-08, 1 file, -9/+9]
* switch over to the new authorized_keys options API and remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@
  [djm, 2018-03-03, 1 file, -15/+18]
* Don't reset signal handlers inside handlers. The signal handlers from the original ssh1 code on which OpenSSH is based assume unreliable signals and reinstall their handlers. Since OpenBSD (and pretty much every current system) has reliable signals this is not needed. In the unlikely event that -portable is still being used on such systems we will deal with it in the compat layer. ok deraadt@
  [dtucker, 2018-02-11, 1 file, -2/+1]
* Drop compatibility hacks for some ancient SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations. ok markus@
  [djm, 2018-01-23, 1 file, -5/+3]
* unbreak hostkey rotation; attempting to sign with a desired signature algorithm of kex->hostkey_alg is incorrect when the key type isn't capable of making those signatures. ok markus@
  [djm, 2017-12-18, 1 file, -3/+11]
* pass negotiated signing algorithm through to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
  [djm, 2017-12-18, 1 file, -2/+3]
* Put remote client info back into the ClientAlive connection termination message. Based in part on diff from lars.nooden at gmail, ok djm
  [dtucker, 2017-12-10, 1 file, -2/+4]
* Expose devices allocated for tun/tap forwarding. At the client, the device may be obtained from a new %T expansion for LocalCommand. At the server, the allocated devices will be listed in a SSH_TUNNEL variable exposed to the environment of any user sessions started after the tunnel forwarding was established. ok markus
  [djm, 2017-10-23, 1 file, -2/+21]
* Make remote channel ID a u_int. Previously we tracked the remote channel IDs in an int, but this is strictly incorrect: the wire protocol uses uint32 and there is nothing in-principle stopping a SSH implementation from sending, say, 0xffff0000. In practice everyone numbers their channels sequentially, so this has never been a problem. ok markus@
  [djm, 2017-09-12, 1 file, -1/+5]
* refactor channels.c
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh.
  Explicitly pass "struct ssh" to all channels functions.
  Replace use of the legacy packet APIs in channels.c.
  Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later.
  ok markus@
  [djm, 2017-09-12, 1 file, -53/+52]
* pass packet state down to some of the channels function (more to come...); ok markus@
  [djm, 2017-08-30, 1 file, -4/+4]
* Tweak previous keepalive commit: if last_time + keepalive <= now instead of just "<" so client_alive_check will fire if the select happens to return on exact second of the timeout. ok djm@
  [dtucker, 2017-08-11, 1 file, -2/+2]
* Keep track of the last time we actually heard from the client and use this to also schedule a client_alive_check(). Prevents activity on a forwarded port from indefinitely preventing the select timeout so that client_alive_check() will eventually (although not optimally) be called. Analysis by willchan at google com via bz#2756, feedback & ok djm@
  [dtucker, 2017-08-11, 1 file, -3/+15]
* remove now obsolete ctx from ssh_dispatch_run; ok djm@
  [markus, 2017-05-31, 1 file, -2/+2]
* protocol handlers all get struct ssh passed; ok djm@
  [markus, 2017-05-30, 1 file, -5/+5]
* Return true reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674, ok djm@
  [dtucker, 2017-02-01, 1 file, -7/+10]
* unbreak Unix domain socket forwarding for root; ok markus@
  [djm, 2017-01-04, 1 file, -8/+13]
* disable Unix-domain socket forwarding when privsep is disabled
  [djm, 2016-12-14, 1 file, -3/+5]
* Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@
  [djm, 2016-11-30, 1 file, -5/+5]
* Factor out "can bind to low ports" check into its own function. This will make it easier for Portable to support platforms with permissions models other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@.
  [dtucker, 2016-10-23, 1 file, -3/+3]
* Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
  [deraadt, 2016-09-12, 1 file, -5/+4]
* remove ssh1 server code; ok djm@
  [markus, 2016-08-13, 1 file, -547/+20]
* refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@
  [djm, 2016-03-07, 1 file, -5/+7]
* fix ClientAliveInterval when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252 report and analysis by Christian Wittenhorst and Garrett Lee feedback and ok dtucker@
  [djm, 2016-03-04, 1 file, -13/+15]
* refactor activation of rekeying. This makes automatic rekeying internal to the packet code (previously the server and client loops needed to assist). In doing so it makes application of rekey limits more accurate by accounting for packets about to be sent as well as packets queued during rekeying events themselves. Based on a patch from dtucker@ which was in turn based on a patch by Aleksander Adamowski in bz#2521; ok markus@
  [djm, 2016-02-08, 1 file, -13/+7]
* remove roaming support; ok djm@
  [markus, 2016-01-14, 1 file, -6/+2]
* implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
  [markus, 2015-12-04, 1 file, -2/+2]
* don't include port number in tcpip-forward replies for requests that don't allocate a port; bz#2509 diagnosed by Ron Frederick ok markus
  [djm, 2015-11-28, 1 file, -2/+3]
* UpdateHostKeys fixes:
  I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@
  s/hostkeys@openssh.com/hostkeys-00@openssh.com/
  Change the name of the proof message too, and reorder it a little.
  Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
  [djm, 2015-02-20, 1 file, -5/+5]
* Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client. Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered. ok markus@
  [djm, 2015-02-16, 1 file, -4/+84]