defence-in-depth MaxAuthTries check in monitor; ok markus

Remove now-unused prototypes for ssh1 RSA functions. From lengyijun via
github PR#396.

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it

Remove now-unused compat bit SSH_BUG_RSASIGMD5. The code to set this
was removed in OpenSSH 7.7 when support for SSH implementations dating
back to before RFC standardization were removed. "burn it all" djm@

show more ...

make sure that UseDNS hostname lookup happens in the monitor and
not in the pledge(2)'d unprivileged process; fixes regression
caused by recent refactoring spotted by henning@

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less

refactor authorized_keys/principals handling

remove "struct ssh *" from arguments - this was only used to pass the
remote host/address. These can be passed in instead and the resulting
code is less tightly coupled to ssh_api.[ch]

ok dtucker@

show more ...

save an unneccessary alloc/free, based on patch from
Martin Vahlensieck; ok dtucker@

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

log signature algorithm during verification by monitor; ok markus

sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok marku

sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

show more ...

remove a bunch of %p in format strings; leftovers of debuggings
past. prompted by Michael Forney, ok dtucker@

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as som

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent. We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match. Man page help & ok jmc@, with & ok djm@

show more ...

Remove now-unused skey function prototypes leftover from skey removal.

do not pass file/func to monitor; noted by Ilja van Sprundel; ok djm@

don't sshbuf_get_u32() into an enum; reported by goetze AT
dovetail.com via bz3269

make ssh->kex->session_id a sshbuf instead of u_char*/size_t and
use that instead of global variables containing copies of it.
feedback/ok markus@

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorith

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms. The previous
names are retained as aliases. ok djm@

show more ...

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RS

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted. Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading. The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

show more ...

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced

Update/replace the experimental post-quantim hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

show more ...

clean up passing of struct passwd from monitor to preauth privsep
process. No longer copy entire struct w/ pointer addresses, but
pass remaining scalar fields explicitly,

Prompted by Yuichiro NAITO,

clean up passing of struct passwd from monitor to preauth privsep
process. No longer copy entire struct w/ pointer addresses, but
pass remaining scalar fields explicitly,

Prompted by Yuichiro NAITO, feedback Thorsten Glaser; ok dtucker@

show more ...

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

variants of the log methods that append a ssherr.h string from
a supplied error code; ok markus@

revised log infrastructure for OpenSSH

log functions receive function, filename and line number of caller.
We can use this to selectively enable logging via pattern-lists.

ok markus@

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
u

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

show more ...

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing).

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

show more ...