History log of /openbsd/usr.bin/ssh/auth.c (Results 26 – 50 of 161)
Revision Date Author Comments
# 8904d296 19-Jan-2019 djm <djm@openbsd.org>

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@


# db83af3c 17-Jan-2019 djm <djm@openbsd.org>

include time.h for time(3)/nanosleep(2); from Ian McKellar


# 655987b9 16-Nov-2018 djm <djm@openbsd.org>

use path_absolute() for pathname checks; from Manoj Ampalam


# 1678cdc9 12-Sep-2018 djm <djm@openbsd.org>

log certificate fingerprint in authentication success/failure message
(previously we logged only key ID and CA key fingerprint).

ok markus@


# cf6a624d 11-Jul-2018 martijn <martijn@openbsd.org>

s/wuth/with/ in comment


# 25ae3b00 09-Jul-2018 markus <markus@openbsd.org>

sshd: switch authentication to sshbuf API; ok djm@


# 76acd6a7 06-Jun-2018 djm <djm@openbsd.org>

permitlisten option for authorized_keys; ok markus@


# ef0a268e 01-Jun-2018 djm <djm@openbsd.org>

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@


# ddf3e44b 25-May-2018 djm <djm@openbsd.org>

Do not ban PTY allocation when a sshd session is restricted because
the user password is expired as it breaks password change dialog.

regression in openssh-7.7 reported by Daniel Wagner


# 45f84e9d 12-Mar-2018 djm <djm@openbsd.org>

add valid-before="[time]" authorized_keys option. A simple way of
giving a key an expiry date. ok markus@


# 40d17fe2 03-Mar-2018 djm <djm@openbsd.org>

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@


# 879b4d6e 08-Jan-2018 markus <markus@openbsd.org>

move subprocess() so scp/sftp do not need uidswap.o; ok djm@


# 7b28dfb0 12-Sep-2017 djm <djm@openbsd.org>

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 9cc5c984 18-Aug-2017 djm <djm@openbsd.org>

Move several subprocess-related functions from various locations to
misc.c. Extend subprocess() to offer a little more control over stdio
disposition.

feedback & ok dtucker@


# 0fafb8f1 24-Jun-2017 djm <djm@openbsd.org>

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@


# 40a7db51 30-May-2017 markus <markus@openbsd.org>

switch from Key typedef with struct sshkey; ok djm@


# 945729c7 17-May-2017 djm <djm@openbsd.org>

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717


# 1cd0d238 15-Dec-2016 dtucker <dtucker@openbsd.org>

Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net,
ok deraadt@


# c4421495 08-Nov-2016 djm <djm@openbsd.org>

unbreak DenyUsers; reported by henning@


# 771b9066 06-Nov-2016 djm <djm@openbsd.org>

Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to
specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these
would always match.

Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)


# 3d9665d3 13-Aug-2016 markus <markus@openbsd.org>

remove ssh1 server code; ok djm@


# 5a046c07 15-Jun-2016 dtucker <dtucker@openbsd.org>

Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and
reverse DNS not matching. We haven't supported IP-based auth methods
for a very long time so it's now misleading. part of bz#2585, ok markus@


# 1667b834 07-Mar-2016 djm <djm@openbsd.org>

refactor canohost.c: move functions that cache results closer to the
places that use them (authn and session code). After this, no state is
cached in canohost.c

feedback and ok markus@


# bf881d8d 21-Aug-2015 djm <djm@openbsd.org>

fix inverted logic that broke PermitRootLogin;
reported by Mantas Mikulenas; ok markus@


# 50779363 06-Aug-2015 deraadt <deraadt@openbsd.org>

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions. Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus

