Merge 10.0p2 #796
If set, this will terminate the connection at the first authentication request (this is the earliest we can evaluate sshd_config Match blocks) ok markus@ OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c
PerSourcePenalties This allows penalising connection sources that have had connections dropped by the RefuseConnection option. ok markus@ OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6
options. This allows writing Match conditions that trigger for invalid username. E.g.

    PerSourcePenalties refuseconnection:90s
    Match invalid-user
        RefuseConnection yes

Will effectively penalise bots that try to guess passwords for bogus accounts, at the cost of implicitly revealing which accounts are invalid. feedback markus@ OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07
OpenBSD-Commit-ID: 2c84a9b517283e9711e2812c1f268081dcb02081
implementation in SUPERCOP 20201130 to the "compact" implementation in SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel J Bernstein for pointing out the new implementation (and of course for writing it). tested in snaps/ok deraadt@ OpenBSD-Commit-ID: bf1a77924c125ecdbf03e2f3df8ad13bd3dafdcb
Simpler and removes some code with the old-style BSD license.
OpenBSD-Commit-ID: d899c13b0e8061d209298eaf58fe53e3643e967c
OpenBSD-Commit-ID: 1c81f37b138b8b66abba811fec836388a0f3e6da
relies on using -fwrapv to provide defined over/underflow behaviour, but we use -ftrapv to catch integer errors and abort the program. ok dtucker@ OpenBSD-Commit-ID: 8933369b33c17b5f02479503d0a92d87bc3a574b
key values need to be static to persist across invocations; spotted by the Qualys Security Advisory team.
OpenBSD-Commit-ID: 303417285f1a73b9cb7a2ae78d3f493bbbe31f98
OpenBSD-Commit-ID: 3fb621a58e04b759a875ad6a33f35bb57ca80231
OpenBSD-Commit-ID: 81869ee6356fdbff19dae6ff757095e6b24de712
02e16ad did a copy-paste for utmpx, but forgot to change the ifdef appropriately
Fixes compile error on Void Linux/Musl
From Void Linux
OpenBSD-Commit-ID: 22072bfa1df1391858ae7768a6c627e08593a91e
criteria tokeniser to a more shell-like one. Apparently the old tokeniser (accidentally?) allowed "Match criteria=argument" as well as the "Match criteria argument" syntax that we tested for. People were using this syntax so this adds back support for "Match criteria=argument" bz3739 ok dtucker OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
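As an added example (not code from OpenSSH or from this PR), the following Python script models how the PerSourcePenalties / Match invalid-user / RefuseConnection configuration described in the commit above and the "Match criteria=argument" tokeniser fix fit together: it parses a constructed sshd_config, accepts both Match syntaxes, and reports whether a given connection is refused and how many penalty seconds its source incurs. It assumes options are written as "Keyword value" and that penalty intervals use the plain seconds form.

```python
# Added example, not OpenSSH code; the sshd_config below is constructed.
SAMPLE_CONFIG = """\
PerSourcePenalties refuseconnection:90s authfail:5s
Match invalid-user
    RefuseConnection yes
"""

def match_criteria(args):
    # Accept both "crit arg" and "crit=arg"; invalid-user takes no argument.
    crit, pending = {}, None
    for tok in args.split():
        if pending:
            crit[pending], pending = tok, None
        elif tok.lower() == "invalid-user":
            crit["invalid-user"] = True
        elif "=" in tok:
            k, v = tok.split("=", 1)
            crit[k.lower()] = v
        else:
            pending = tok.lower()
    if pending:
        raise ValueError(f"Match criterion without argument: {pending}")
    return crit

def parse_config(text):
    # Returns (global options, [(criteria, options), ...]) with lowercased keys.
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "match":
            current = {}
            blocks.append((match_criteria(val), current))
        else:
            (global_opts if current is None else current)[key.lower()] = val.strip()
    return global_opts, blocks

def refuse_penalty(text, user, invalid_user):
    # Returns (refused?, penalty seconds); only the "Ns" interval form is parsed.
    global_opts, blocks = parse_config(text)
    effective = dict(global_opts)
    for criteria, opts in blocks:
        if all((k == "invalid-user" and invalid_user) or (k == "user" and v == user)
               for k, v in criteria.items()):
            effective.update(opts)  # a later matching block overrides earlier ones
    refused = effective.get("refuseconnection", "no").lower() == "yes"
    pen = dict(p.split(":", 1) for p in global_opts.get("persourcepenalties", "").split())
    return refused, int(pen.get("refuseconnection", "0s").rstrip("s")) if refused else 0
```

Running refuse_penalty(SAMPLE_CONFIG, "nosuchuser", True) shows the invalid-user connection refused with a 90 second source penalty, while a valid user is neither refused nor penalised.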
original diff had a couple of errors, which I've fixed OpenBSD-Commit-ID: f37ad5888adbc0d4e1cd6b6de237841f4b1e650d
OpenBSD-Commit-ID: 3a63e4e11d455704f684c28715d61b17f91e0996
negated Matches; spotted by phessler@ ok deraadt@ OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
exchange in sshd by default. Specifically, this removes the diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client is unchanged and continues to support these methods by default. Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages. ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years. ok markus@ OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da
OpenBSD-Commit-ID: fdd056e7854294834d54632b4282b877cfe4c12e
there has been traffic on an X11 forwarding channel recently. Should fix X11 forwarding performance problems when this setting is enabled. Patch from Antonio Larrosa via bz3655 OpenBSD-Commit-ID: 820284a92eb4592fcd3d181a62c1b86b08a4a7ab
fix bash test on Windows by retrieving exit code from child process
Pull Request Overview
This PR merges upstream OpenSSH version 10.0p2, focusing primarily on Windows compatibility improvements and necessary updates to align with upstream changes.
Key changes include:
- Updates version strings from 9.8 to 10.0 across the codebase
- Windows-specific compatibility improvements for authentication and session handling
- Major refactoring of SSH signature handling and cryptography backend
- Addition of new sshd-auth process and related infrastructure
Reviewed Changes
Copilot reviewed 201 out of 207 changed files in this pull request and generated no comments.
File | Description |
---|---|
version.h | Version string update from 9.8 to 10.0 |
sshsig.c | Signature handling improvements and RSA algorithm selection |
sshkey.h/.c | Major cryptography backend refactoring with EVP_PKEY integration |
sshd_config.5/.0 | Configuration documentation updates and new options |
sshd.c | Connection handling and process management improvements |
sshd-session.c | Session process refactoring and Windows compatibility |
sshd-auth.c | New authentication process for privilege separation |
ssh*.c | Various client-side improvements and configuration handling |
PR Summary
- convertToForwardslash for relative AuthorizedKeysPath
- sshd-auth.vcxproj and update Win32-OpenSSH.sln
- privsep_unauth_child logic that is now handled by sshd-auth
PR Context