Porting HPN-SSH to split sshd listener.

OpenSSH is splitting sshd into a listener and an session daemon.
This commit is a first pass at porting HPN-SSH into that
configuration. It current passes all regression tests.
Functionality tests have not yet been conducted.

Author: rapier1

.depend

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [rapier1] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/FUNDING.yml

@@ -187,7 +187,7 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-5]|valgrind-unit)
+    valgrind-[1-7]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -198,17 +198,19 @@ case "$config" in
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into separate tests.
 	tests2="integrity try-ciphers"
-	tests3="krl forward-control sshsig agent-restrict kextype sftp"
-	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+	tests3="krl forward-control sshsig"
+	tests4="cert-userkey cert-hostkey"
 	tests5="rekey"
+	tests6="agent-restrict kextype sftp"
+	tests7="kextype sftp-perm keygen-comment percent"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind),
 		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
 		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
-		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
+		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5} ${tests6} ${tests7}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
@@ -222,6 +224,12 @@ case "$config" in
 	    valgrind-5)
 		LTESTS="${tests5}"
 		;;
+	    valgrind-6)
+		LTESTS="${tests6}"
+		;;
+	    valgrind-7)
+		LTESTS="${tests7}"
+		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;

.github/configs

@@ -17,5 +17,5 @@ if [ "x$LDFLAGS" != "x" ]; then
 	printf "LDFLAGS='$LDFLAGS' "
 fi
 
-echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS} 2>&1
+echo ./configure ${CONFIGFLAGS} --with-privsep-user=sshd
+./configure ${CONFIGFLAGS} --with-privsep-user=sshd

.github/configure.sh

@@ -8,11 +8,10 @@ set -ex
 
 # If we want to test hostbased auth, set up the host for it.
 if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
-    sshconf=/usr/local/etc
+    sshconf=/usr/local/etc/hpnssh
     $SUDO mkdir -p "${sshconf}"
     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
-    $SUDO mkdir -p $sshconf
     $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
     $SUDO make install
     for key in $sshconf/ssh_host*key*.pub; do

.github/run_test.sh

@@ -27,6 +27,7 @@ esac
 TARGETS=$@
 
 INSTALL_FIDO_PPA="no"
+#COPY_PAM_MODULE="no"
 export DEBIAN_FRONTEND=noninteractive
 
 set -e
@@ -163,6 +164,14 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
+#need to copy the pam modules for sshd to hpnsshd on
+#macos with pam.
+#if [ "yes" = "$COPY_PAM_MODULE" ]; then
+#    if [ `uname` = "Darwin" }; then
+#	sudo cp /etc/pam.d/sshd /etc/pam.d/hpnsshd
+#    fi
+#fi
+
 tries=3
 while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
     case "$PACKAGER" in

.github/setup_ci.sh

@@ -2,8 +2,10 @@ name: C/C++ CI
 
 on:
   push:
+    branches: [ master, pre-stage, release_candidates, dev_major, dev_minor ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
   pull_request:
+    branches: [ master, release_candidates ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
 
 jobs:
@@ -17,52 +19,41 @@ jobs:
         target:
           - ubuntu-20.04
           - ubuntu-22.04
-          - macos-11
           - macos-12
           - macos-13
           - macos-14
           - windows-2019
           - windows-2022
         config: [default]
         # Then we include any extra configs we want to test for specific VMs.
-        # Valgrind slows things down quite a bit, so start them first.
         include:
-          - { target: windows-2019, config: cygwin-release }
-          - { target: windows-2022, config: cygwin-release }
-          - { target: ubuntu-20.04, config: valgrind-1 }
-          - { target: ubuntu-20.04, config: valgrind-2 }
-          - { target: ubuntu-20.04, config: valgrind-3 }
-          - { target: ubuntu-20.04, config: valgrind-4 }
-          - { target: ubuntu-20.04, config: valgrind-5 }
-          - { target: ubuntu-20.04, config: valgrind-unit }
-          - { target: ubuntu-20.04, config: c89 }
-          - { target: ubuntu-20.04, config: clang-6.0 }
-          - { target: ubuntu-20.04, config: clang-8 }
-          - { target: ubuntu-20.04, config: clang-9 }
-          - { target: ubuntu-20.04, config: clang-10 }
-          - { target: ubuntu-20.04, config: clang-11 }
-          - { target: ubuntu-20.04, config: clang-12-Werror }
-          - { target: ubuntu-20.04, config: clang-sanitize-address }
-          - { target: ubuntu-20.04, config: clang-sanitize-undefined }
-          - { target: ubuntu-20.04, config: gcc-sanitize-address }
-          - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
-          - { target: ubuntu-20.04, config: gcc-7 }
-          - { target: ubuntu-20.04, config: gcc-8 }
-          - { target: ubuntu-20.04, config: gcc-10 }
+          - { target: ubuntu-22.04, config: valgrind-1 }
+          - { target: ubuntu-22.04, config: valgrind-2 }
+          - { target: ubuntu-22.04, config: valgrind-3 }
+          - { target: ubuntu-22.04, config: valgrind-4 }
+#          - { target: ubuntu-22.04, config: valgrind-5 }
+          - { target: ubuntu-22.04, config: valgrind-6 }
+          - { target: ubuntu-22.04, config: valgrind-7 }
+# binn.c no longer works with c89 so remove this test.
+#          - { target: ubuntu-22.04, config: c89 }
+          - { target: ubuntu-22.04, config: clang-6.0 }
+          - { target: ubuntu-22.04, config: clang-8 }
+          - { target: ubuntu-22.04, config: clang-9 }
+          - { target: ubuntu-22.04, config: clang-10 }
+          - { target: ubuntu-22.04, config: clang-11 }
+          - { target: ubuntu-22.04, config: clang-12-Werror }
+          - { target: ubuntu-22.04, config: gcc-7 }
+          - { target: ubuntu-22.04, config: gcc-8 }
+          - { target: ubuntu-22.04, config: gcc-10 }
           - { target: ubuntu-22.04, config: gcc-11-Werror }
           - { target: ubuntu-22.04, config: gcc-12-Werror }
-          - { target: ubuntu-20.04, config: pam }
-          - { target: ubuntu-20.04, config: kitchensink }
+          - { target: ubuntu-22.04, config: pam }
+          - { target: ubuntu-22.04, config: kitchensink }
           - { target: ubuntu-22.04, config: hardenedmalloc }
-          - { target: ubuntu-20.04, config: tcmalloc }
-          - { target: ubuntu-20.04, config: musl }
-          - { target: ubuntu-latest, config: boringssl }
+          - { target: ubuntu-22.04, config: tcmalloc }
+#	  musl doesn't work because it doesn't know about linux/tcp.h
+#         - { target: ubuntu-20.04, config: musl }
           - { target: ubuntu-latest, config: libressl-master }
-          - { target: ubuntu-latest, config: libressl-3.2.6 }
-          - { target: ubuntu-latest, config: libressl-3.3.6 }
-          - { target: ubuntu-latest, config: libressl-3.4.3 }
-          - { target: ubuntu-latest, config: libressl-3.5.3 }
-          - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
           - { target: ubuntu-latest, config: libressl-3.8.4 }
           - { target: ubuntu-latest, config: libressl-3.9.1 }
@@ -94,26 +85,26 @@ jobs:
           - { target: ubuntu-latest, config: putty-0.80 }
           - { target: ubuntu-latest, config: putty-snapshot }
           - { target: ubuntu-latest, config: zlib-develop }
-          - { target: ubuntu-22.04, config: pam }
-          - { target: ubuntu-22.04, config: krb5 }
-          - { target: ubuntu-22.04, config: heimdal }
-          - { target: ubuntu-22.04, config: libedit }
-          - { target: ubuntu-22.04, config: sk }
-          - { target: ubuntu-22.04, config: selinux }
-          - { target: ubuntu-22.04, config: kitchensink }
-          - { target: ubuntu-22.04, config: without-openssl }
-          - { target: macos-11, config: pam }
-          - { target: macos-12, config: pam }
-          - { target: macos-13, config: pam }
-          - { target: macos-14, config: pam }
+          - { target: ubuntu-24.04, config: pam }
+          - { target: ubuntu-24.04, config: krb5 }
+          - { target: ubuntu-24.04, config: heimdal }
+          - { target: ubuntu-24.04, config: libedit }
+          - { target: ubuntu-24.04, config: sk }
+          - { target: ubuntu-24.04, config: selinux }
+          - { target: ubuntu-24.04, config: kitchensink }
+          - { target: ubuntu-24.04, config: without-openssl }
+          - { target: ubuntu-24.04, config: clang-sanitize-address }
+          - { target: ubuntu-24.04, config: clang-sanitize-undefined }
+          - { target: ubuntu-24.04, config: gcc-sanitize-address }
+          - { target: ubuntu-24.04, config: gcc-sanitize-undefined }
+# we know pam doesn't work because we can't install a new pam file
+# for hpnssh via the CI test methods
+#          - { target: macos-12, config: pam }
+#          - { target: macos-13, config: pam }
+#          - { target: macos-14, config: pam }
+>>>>>>> master
     runs-on: ${{ matrix.target }}
     steps:
-    - name: set cygwin git params
-      if: ${{ startsWith(matrix.target, 'windows') }}
-      run: git config --global core.autocrlf input
-    - name: install cygwin
-      if: ${{ startsWith(matrix.target, 'windows') }}
-      uses: cygwin/cygwin-install-action@master
     - uses: actions/checkout@main
     - name: setup CI system
       run: sh ./.github/setup_ci.sh ${{ matrix.config }}

.github/workflows/c-cpp.yml

@@ -1,26 +1,27 @@
 name: CIFuzz
 on:
   push:
-    paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/cifuzz.yml' ]
+    branches: [master, dev_minor, dev_major, release_candidates]
+    paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/cifuzz.yml' ]
 
 jobs:
   Fuzzing:
-    if: github.repository != 'openssh/openssh-portable-selfhosted'
+    if: github.repository != 'rapier1/hpn-ssh-selfhosted'
     runs-on: ubuntu-latest
     steps:
     - name: Build Fuzzers
       id: build
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
       with:
-        oss-fuzz-project-name: 'openssh'
+        oss-fuzz-project-name: 'hpn-ssh'
         dry-run: false
         language: c++
     - name: Run Fuzzers
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
-        oss-fuzz-project-name: 'openssh'
+        oss-fuzz-project-name: 'hpn-ssh'
         fuzz-seconds: 600
         dry-run: false
         language: c++
@@ -29,4 +30,4 @@ jobs:
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
-        path: ./out/artifacts
+        path: ./out/artifacts

.github/workflows/cifuzz.yml

@@ -0,0 +1,19 @@
+name: github-repo-stats
+
+on:
+  schedule:
+    # Run this once per day, towards the end of the day for keeping the most
+    # recent data point most meaningful (hours are interpreted in UTC).
+    - cron: "0 23 * * *"
+  workflow_dispatch: # Allow for running this manually.
+
+jobs:
+  j1:
+    name: github-repo-stats
+    runs-on: ubuntu-latest
+    steps:
+      - name: run-ghrs
+        # Use latest release.
+        uses: jgehrcke/github-repo-stats@RELEASE
+        with:
+          ghtoken: ${{ secrets.ghrs_github_api_token }}