History log of /openbsd/usr.bin/ssh/auth.c (Results 1 – 25 of 160)
Revision Date Author Comments
# 15d7c2bc 05-Mar-2023 dtucker <dtucker@openbsd.org>

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.


# 2191bf91 09-Dec-2022 dtucker <dtucker@openbsd.org>

Add some server debugging for hostbased auth.

auth_debug_add queues messages about the auth process which is sent to
the client after successful authentication. This also sends those to
the server debug log to aid in debugging. From bz#3507, ok djm@


# 38374349 03-Jun-2022 djm <djm@openbsd.org>

move auth_openprincipals() and auth_openkeyfile() over to
auth2-pubkeyfile.c too; they make more sense there.


# da1d0839 27-May-2022 djm <djm@openbsd.org>

split the low-level file handling functions out from auth2-pubkey.c

Put them in a new auth2-pubkeyfile.c to make it easier to refer to them
(e.g. in unit/fuzz tests) without having to refer to everything else
pubkey auth brings in.

ok dtucker@


# b8669307 27-May-2022 djm <djm@openbsd.org>

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@


# 8aa2bac9 26-Apr-2022 dtucker <dtucker@openbsd.org>

Check sshauthopt_new() for NULL. bz#3425, from tessgauthier at
microsoft.com. ok djm@


# 6c051609 23-Feb-2022 djm <djm@openbsd.org>

randomise the password used in fakepw


# a7d9d4b2 05-Jul-2021 dtucker <dtucker@openbsd.org>

Remove comment referencing now-removed RhostsRSAAuthentication. ok djm@


# 74cb32ae 03-Apr-2021 djm <djm@openbsd.org>

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185


# 88d57d0e 22-Dec-2020 djm <djm@openbsd.org>

move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@


# 4ac03e1d 20-Dec-2020 djm <djm@openbsd.org>

load_hostkeys()/hostkeys_foreach() variants for FILE*

Add load_hostkeys_file() and hostkeys_foreach_file() that accept a
FILE* argument instead of opening the file directly.

Original load_hostkeys() and hostkeys_foreach() are implemented using
these new interfaces.

Add a u_int note field to the hostkey_entry and hostkey_foreach_line
structs that is passed directly from the load_hostkeys() and
hostkeys_foreach() call. This is a lightweight way to annotate results
between different invocations of load_hostkeys().

ok markus@


# 48e6b99d 18-Oct-2020 djm <djm@openbsd.org>

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


# 7e9258b6 16-Oct-2020 djm <djm@openbsd.org>

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@


# 869858c2 27-Aug-2020 djm <djm@openbsd.org>

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@


# 20e16316 31-Jan-2020 djm <djm@openbsd.org>

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@


# e9716d4d 23-Jan-2020 dtucker <dtucker@openbsd.org>

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 43e343f8 16-Dec-2019 tobhe <tobhe@openbsd.org>

strdup may return NULL if memory allocation fails. Use the safer xstrdup
which fatals on allocation failures.

ok markus@


# 6e27da75 25-Nov-2019 djm <djm@openbsd.org>

add a "no-touch-required" option for authorized_keys and a similar
extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched
their key to authorize them.

feedback deraadt, ok markus


# 1ef0822a 16-Oct-2019 djm <djm@openbsd.org>

potential NULL dereference for revoked hostkeys; reported by
krishnaiah bommu


# 33afd2d7 02-Oct-2019 djm <djm@openbsd.org>

remove some duplicate #includes


# d04a6061 06-Sep-2019 djm <djm@openbsd.org>

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly


# 3aaa63eb 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# deba42a9 19-Jan-2019 djm <djm@openbsd.org>

convert auth.c to new packet API

with & ok markus@


# 2e5b4218 19-Jan-2019 djm <djm@openbsd.org>

convert servconf.c to new packet API

with & ok markus@


# 8904d296 19-Jan-2019 djm <djm@openbsd.org>

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@
