convert auth.c to new packet API

with & ok markus@

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old

begin landing remaining refactoring of packet parsing API, started
almost exactly six years ago.

This change stops including the old packet_* API by default and makes
each file that requires the old API include it explicitly. We will
commit file-by-file refactoring to remove the old API in consistent
steps.

with & ok markus@

show more ...

fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options.
If only RSA-SHA2 siganture types were specified, then authentication would
always fail for RSA keys as the monitor checks only

fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options.
If only RSA-SHA2 siganture types were specified, then authentication would
always fail for RSA keys as the monitor checks only the base key (not the
signature algorithm) type against *AcceptedKeyTypes.
bz#2746; reported by Jakub Jelen; ok dtucker

show more ...

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@

remove unused zlib.h

remove legacy key emulation layer; ok djm@

kerberos/gssapi fixes for buffer removal

sshd: switch monitor to sshbuf API; lots of help & ok djm@

sshd: switch authentication to sshbuf API; ok djm@

sshd: switch loginmsg to sshbuf API; ok djm@

switch over to the new authorized_keys options API and remove the
legacy one.

Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.

feedback and ok markus@

Add a couple of non-negativity checks to avoid close(-1).

ok djm

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hack

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

show more ...

revert stricter key type / signature type checking in userauth path;
too much software generates inconsistent messages, so we need a
better plan.

pass negotiated signing algorithm though to sshkey_verify() and
check that the negotiated algorithm matches the type in the
signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

replace statically-sized arrays in ServerOptions with dynamic ones
managed by xrecallocarray, removing some arbitrary (though large)
limits and saving a bit of memory; "much nicer" markus@

Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

show more ...

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

use SO_ZEROIZE for privsep communication (if available)

clear session keys from memory; ok djm@

switch auth2-pubkey.c to modern APIs; with & ok djm@

switch from Key typedef with struct sshkey; ok djm@

use ssh_packet_set_log_preamble() to include connection username
in packet log messages, e.g.

Connection closed by invalid user foo 10.1.1.1 port 44056 [preauth]

ok markus@ bz#113

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf

Remove support for pre-authentication compression. Doing compression
early in the protocol probably seemed reasonable in the 1990s, but
today it's clearly a bad idea in terms of both cryptography (cf.
multiple compression oracle attacks in TLS) and attack surface.

Moreover, to support it across privilege-separation zlib needed
the assistance of a complex shared-memory manager that made the
required attack surface considerably larger.

Prompted by Guido Vranken pointing out a compiler-elided security
check in the shared memory manager found by Stack
(http://css.csail.mit.edu/stack/); ok deraadt@ markus@

NB. pre-auth authentication has been disabled by default in sshd
for >10 years.

show more ...