[openssh-commits] [openssh] branch master updated (adb0ea00 -> 266678e1)
git+noreply at mindrot.org
Mon Dec 20 09:28:25 AEDT 2021
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from adb0ea00 Correct value for IPTOS_DSCP_LE.
new 26ca33d1 upstream: better error message for FIDO keys when we can't match
new b42c61d6 upstream: Record session ID, host key and sig at initial KEX
new e9497ecf upstream: ssh client side of binding
new 4c1e3ce8 upstream: ssh-agent side of binding
new 5e950d76 upstream: ssh-add side of destination constraints
new ce943912 upstream: ssh-add side of destination constraints
new 39f00dcf upstream: ssh-agent side of destination constraints
new dbb339f0 upstream: prepare for multiple names for authmethods
new 288fd021 upstream: sshd side of hostbound public key auth
new 94ae0c6f upstream: client side of host-bound pubkey authentication
new 3e16365a upstream: EXT_INFO negotiation of hostbound pubkey auth
new baaff0ff upstream: agent support for parsing hostkey-bound signatures
new a6d7677c upstream: Use hostkey parsed from hostbound userauth request
new 34b1e9cc upstream: document destination-constrained keys
new c385abf7 upstream: PubkeyAuthentication=yes|no|unbound|host-bound
new 3d00024b upstream: document agent protocol extensions
new 266678e1 upstream: document host-bound publickey authentication
The 17 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 266678e19eb0e86fdf865b431b6e172e7a95bf48
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:15:42 2021 +0000
upstream: document host-bound publickey authentication
OpenBSD-Commit-ID: ea6ed91779a81f06d961e30ecc49316b3d71961b
commit 3d00024b3b156aa9bbd05d105f1deb9cb088f6f7
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:15:21 2021 +0000
upstream: document agent protocol extensions
OpenBSD-Commit-ID: 09e8bb391bbaf24c409b75a4af44e0cac65405a7
commit c385abf76511451bcba78568167b1cd9e90587d5
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:14:47 2021 +0000
upstream: PubkeyAuthentication=yes|no|unbound|host-bound
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.
feedback / ok markus@
OpenBSD-Commit-ID: ee52580db95c355cf6d563ba89974c210e603b1a
commit 34b1e9cc7654f41cd4c5b1cc290b999dcf6579bb
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:14:12 2021 +0000
upstream: document destination-constrained keys
feedback / ok markus@
OpenBSD-Commit-ID: cd8c526c77268f6d91c06adbee66b014d22d672e
commit a6d7677c4abcfba268053e5867f2acabe3aa371b
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:13:55 2021 +0000
upstream: Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
ok markus@
OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
commit baaff0ff4357cc5a079621ba6e2d7e247b765061
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:13:33 2021 +0000
upstream: agent support for parsing hostkey-bound signatures
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.
Extract hostkey from these blobs.
ok markus@
OpenBSD-Commit-ID: 81c064255634c1109477dc65c3e983581d336df8
commit 3e16365a79cdeb2d758cf1da6051b1c5266ceed7
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:13:12 2021 +0000
upstream: EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").
ok markus@
OpenBSD-Commit-ID: 4cdb2ca5017ec1ed7a9d33bda95c1d6a97b583b0
commit 94ae0c6f0e35903b695e033bf4beacea1d376bb1
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:12:54 2021 +0000
upstream: client side of host-bound pubkey authentication
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.
Use the new hostbound method in client if the kex->flags flag was set,
and include the initial KEX hostkey in the userauth request.
Note: nothing in kex.c actually sets the new flag yet
ok markus@
OpenBSD-Commit-ID: 5a6fce8c6c8a77a80ee1526dc467d91036a5910d
commit 288fd0218dbfdcb05d9fbd1885904bed9b6d42e6
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:12:30 2021 +0000
upstream: sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.
feedback / ok markus@
OpenBSD-Commit-ID: 7ea01bb7238a560c1bfb426fda0c10a8aac07862
commit dbb339f015c33d63484261d140c84ad875a9e548
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:12:07 2021 +0000
upstream: prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their
primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.
ok markus@
OpenBSD-Commit-ID: 9e613fcb44b8168823195602ed3d09ffd7994559
commit 39f00dcf44915f20684160f0a88d3ef8a3278351
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:11:39 2021 +0000
upstream: ssh-agent side of destination constraints
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: 84a7fb81106c2d609a6ac17469436df16d196319
commit ce943912df812c573a33d00bf9e5435b7fcca3f7
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:11:06 2021 +0000
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b" would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
Host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: 6b52cd2b637f3d29ef543f0ce532a2bce6d86af5
commit 5e950d765727ee0b20fc3d2cbb0c790b21ac2425
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:10:24 2021 +0000
upstream: ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b" would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
Host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
OpenBSD-Commit-ID: ef47fa9ec0e3c2a82e30d37ef616e245df73163e
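The two ssh-add commits above describe the constraint syntax, and the ssh-agent commit 39f00dcf describes checking those constraints against the host keys bound to a socket. The Python below is an added model of that check, not code from OpenSSH: host keys are opaque strings, KNOWN_HOSTS is a constructed dict standing in for the known_hosts files, and the hop-walking rules (a first hop needs an unprefixed constraint, each later hop needs a "from>to" constraint whose from side matched the previous hop, a key usable at the last host but not beyond it is hidden from listings on a forwarded agent, and a constrained key is refused for signing on a never-bound socket) are my reading of the behaviour these messages describe.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed stand-in for the client's known_hosts files: hostname -> host keys.
# Host keys are opaque strings here; the real agent compares key blobs.
KNOWN_HOSTS = {"host_a": {"hk-a"}, "host_b": {"hk-b"}, "host_c": {"hk-c"}}

@dataclass(frozen=True)
class Hop:
    hostname: Optional[str]    # None on the 'from' side: the hop starts at the local agent
    user: Optional[str]        # only meaningful on the 'to' side
    hostkeys: frozenset

@dataclass(frozen=True)
class DestConstraint:          # frm -> to, as carried by restrict-destination-v00@openssh.com
    frm: Hop
    to: Hop

def _resolve(spec: str, known_hosts: dict, allow_user: bool) -> Hop:
    """Turn "[user@]host-pattern" into the set of host keys the pattern names."""
    user = None
    if "@" in spec:
        if not allow_user:
            raise ValueError(f"user not permitted on the 'from' side: {spec!r}")
        user, spec = spec.split("@", 1)
    keys = frozenset(k for host, ks in known_hosts.items() if fnmatchcase(host, spec) for k in ks)
    if not keys:
        raise ValueError(f"no known host key matches {spec!r}")
    return Hop(spec, user, keys)

def parse_constraint(spec: str, known_hosts: dict = KNOWN_HOSTS) -> DestConstraint:
    """Parse "[user@]host-pattern" or "host-pattern>[user@]host-pattern"."""
    if ">" in spec:
        frm_spec, to_spec = spec.split(">", 1)
        frm = _resolve(frm_spec, known_hosts, allow_user=False)
    else:
        frm, to_spec = Hop(None, None, frozenset()), spec
    return DestConstraint(frm, _resolve(to_spec, known_hosts, allow_user=True))

def permitted_by_dest_constraints(from_key: Optional[str], to_key: Optional[str],
                                  constraints: List[DestConstraint],
                                  user: Optional[str] = None) -> bool:
    """True if some constraint allows the hop from_key -> to_key (as user, if given)."""
    for c in constraints:
        if from_key is None:
            if c.frm.hostname is not None:     # first hop: only an unprefixed constraint fits
                continue
        elif from_key not in c.frm.hostkeys:
            continue
        if to_key is not None and to_key not in c.to.hostkeys:
            continue
        if c.to.user is not None and user is not None and not fnmatchcase(user, c.to.user):
            continue
        return True
    return False

def identity_permitted(constraints: List[DestConstraint], hops: List[Tuple[str, bool]],
                       user: Optional[str] = None) -> bool:
    """Walk the session-bind chain recorded on a socket, oldest hop first, each
    hop being (hostkey, forwarded).  `user` is the target user of a sign request,
    or None when deciding whether the key is visible in a listing."""
    if not constraints or not hops:
        return True                           # unconstrained key, or unbound (local) socket
    from_key = None
    for i, (hostkey, _forwarded) in enumerate(hops):
        test_user = user if i == len(hops) - 1 else None
        if not permitted_by_dest_constraints(from_key, hostkey, constraints, test_user):
            return False
        from_key = hostkey
    last_key, last_forwarded = hops[-1]
    # Hide a key that may authenticate *to* the last host but not be used beyond it
    # from listings made through the agent forwarded to that host.
    if last_forwarded and user is None and \
            not permitted_by_dest_constraints(last_key, None, constraints):
        return False
    return True

def sign_permitted(constraints: List[DestConstraint], hops: List[Tuple[str, bool]],
                   user: str) -> bool:
    """Sign-request variant: a constrained key on a socket that was never bound is
    refused (the key is listable there, but not usable; my reading of the agent)."""
    if constraints and not hops:
        return False
    return identity_permitted(constraints, hops, user)

if __name__ == "__main__":
    # The scenario from the commit message: "user1@host_a" and "host_a>host_b".
    cons = [parse_constraint("user1@host_a"), parse_constraint("host_a>host_b")]
    print(sign_permitted(cons, [("hk-a", False)], "user1"))               # True
    print(sign_permitted(cons, [("hk-a", True), ("hk-b", False)], "any"))  # True
    print(sign_permitted(cons, [("hk-a", True), ("hk-c", False)], "any"))  # False
    print(identity_permitted(cons, [("hk-b", True)]))                      # False
```

In the released ssh-add(1) these strings are passed with -h, one per constraint (ssh-add -h "user1@host_a" -h "host_a>host_b" ~/.ssh/id_ed25519), and -H names an alternative known_hosts file for the lookup; those option names come from the ssh-add manual page of the OpenSSH release that shipped this work, not from the mail above.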
commit 4c1e3ce85e183a9d0c955c88589fed18e4d6a058
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:09:23 2021 +0000
upstream: ssh-agent side of binding
record session ID/hostkey/forwarding status for each active socket.
Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.
ok markus@
OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
commit e9497ecf73f3c16667288bce48d4e3d7e746fea1
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:08:48 2021 +0000
upstream: ssh client side of binding
send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.
ok markus@
OpenBSD-Commit-ID: 2f154844fe13167d3ab063f830d7455fcaa99135
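Taken together, the three binding commits here (b42c61d6, e9497ecf, 4c1e3ce8) and the hostbound parsing and checking commits further up (baaff0ff, a6d7677c) describe a two-step agent check: record a session-bind per socket, then at signing time parse the data-to-be-signed as a pubkey userauth request and compare its session ID and, for publickey-hostbound-v00@openssh.com, its server host key against the most recent bind. The Python below is an added model of those steps and not OpenSSH code. The message layouts follow my reading of OpenSSH's PROTOCOL and PROTOCOL.agent (the mail names the extensions but does not show their fields); the host keys, session IDs and signature are constructed byte strings, the bind signature is not verified, and treating "forwarded connection" as any socket whose chain contains a forwarding bind is my interpretation of the a6d7677c message.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSH_MSG_USERAUTH_REQUEST, SSH_AGENTC_EXTENSION = 50, 27
HOSTBOUND = b"publickey-hostbound-v00@openssh.com"
SESSION_BIND = b"session-bind@openssh.com"

def put_string(b: bytes) -> bytes:          # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

class Reader:
    """Minimal reader for the SSH wire types used here (byte, boolean, string)."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("truncated message")
        self.off += n
        return self.data[self.off - n:self.off]
    def byte(self) -> int:
        return self.take(1)[0]
    def string(self) -> bytes:
        return self.take(struct.unpack(">I", self.take(4))[0])
    def at_end(self) -> bool:
        return self.off == len(self.data)

@dataclass
class Binding:                              # one session-bind recorded on a socket
    hostkey: bytes
    session_id: bytes
    forwarded: bool

def encode_session_bind(hostkey: bytes, session_id: bytes, signature: bytes,
                        forwarding: bool) -> bytes:
    """Client side: SSH_AGENTC_EXTENSION "session-bind@openssh.com"."""
    return (bytes([SSH_AGENTC_EXTENSION]) + put_string(SESSION_BIND) + put_string(hostkey)
            + put_string(session_id) + put_string(signature) + bytes([int(forwarding)]))

def record_session_bind(bindings: List[Binding], msg: bytes) -> None:
    """Agent side: parse a session-bind and append it to the socket's chain."""
    r = Reader(msg)
    if r.byte() != SSH_AGENTC_EXTENSION or r.string() != SESSION_BIND:
        raise ValueError("not a session-bind extension")
    hostkey, sid, _sig = r.string(), r.string(), r.string()
    forwarding = r.byte() != 0
    if not r.at_end():
        raise ValueError("trailing data in session-bind")
    # The real agent verifies _sig (the server's KEX signature) with hostkey before
    # accepting the bind; that needs real keys and is omitted in this model.
    if bindings and not bindings[-1].forwarded:
        raise ValueError("socket already bound for a non-forwarded session")
    bindings.append(Binding(hostkey, sid, forwarding))

def encode_userauth_blob(session_id: bytes, user: bytes, alg: bytes, pubkey: bytes,
                         hostkey: Optional[bytes] = None) -> bytes:
    """Data the client asks the agent to sign: RFC 4252 s7 layout, with method
    publickey-hostbound-v00@openssh.com and the server host key appended when given."""
    method = b"publickey" if hostkey is None else HOSTBOUND
    out = (put_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user)
           + put_string(b"ssh-connection") + put_string(method) + b"\x01"
           + put_string(alg) + put_string(pubkey))
    return out if hostkey is None else out + put_string(hostkey)

def parse_userauth_request(data: bytes, pubkey: bytes):
    """(session_id, user, hostkey-or-None) if data is a pubkey userauth request
    for pubkey, else None; hostkey is present only for the host-bound method."""
    r = Reader(data)
    try:
        sid = r.string()
        if r.byte() != SSH_MSG_USERAUTH_REQUEST:
            return None
        user, service, method = r.string(), r.string(), r.string()
        have_key = r.byte() != 0
        r.string()                                       # public key algorithm name
        if service != b"ssh-connection" or not have_key or r.string() != pubkey:
            return None
        if method not in (b"publickey", HOSTBOUND):
            return None
        hostkey = r.string() if method == HOSTBOUND else None
        return (sid, user, hostkey) if r.at_end() else None
    except ValueError:
        return None

def agent_sign_allowed(bindings: List[Binding], data: bytes, pubkey: bytes) -> Tuple[bool, str]:
    """Agent side decision for a sign request on a socket with the given bind chain.
    (Destination constraints are a separate check, not modelled here.)"""
    if not bindings:
        return True, "unbound socket: no session ID to check"
    parsed = parse_userauth_request(data, pubkey)
    if parsed is None:
        return False, "bound socket: data is not a pubkey userauth request"
    sid, _user, hostkey = parsed
    last = bindings[-1]
    if sid != last.session_id:
        return False, "session ID does not match the most recent bind"
    if hostkey is None:
        if any(b.forwarded for b in bindings):
            return False, "forwarded connection: host-bound request required"
        return True, "local connection: plain publickey request accepted"
    if hostkey != last.hostkey:
        return False, "host key in request does not match the bound host key"
    return True, "host-bound request matches the bound host key"
```

The functions are meant to be driven in sequence: bind a socket with record_session_bind(), build the data-to-be-signed with encode_userauth_blob() and ask agent_sign_allowed(). The two failures worth seeing are a plain "publickey" blob arriving on a chain that contains a forwarding bind, and a host-bound blob naming a host key other than the one most recently bound; both come back False with a reason string.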
commit b42c61d6840d16ef392ed0f365e8c000734669aa
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:08:06 2021 +0000
upstream: Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
OpenBSD-Commit-ID: a9af29e33772b18e3e867c6fa8ab35e1694a81fe
commit 26ca33d186473d58a32d812e19273ce078b6ffff
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Dec 7 22:06:45 2021 +0000
upstream: better error message for FIDO keys when we can't match
them to a token
OpenBSD-Commit-ID: 58255c2a1980088f4ed144db67d879ada2607650
Summary of changes:
.skipped-commit-ids | 1 +
PROTOCOL | 69 ++++--
PROTOCOL.agent | 85 ++++++-
auth.h | 5 +-
auth2-gss.c | 5 +-
auth2-hostbased.c | 7 +-
auth2-kbdint.c | 5 +-
auth2-none.c | 5 +-
auth2-passwd.c | 5 +-
auth2-pubkey.c | 40 +++-
auth2.c | 28 ++-
authfd.c | 116 ++++++++-
authfd.h | 35 ++-
clientloop.c | 8 +-
kex.c | 24 +-
kex.h | 11 +-
kexgen.c | 35 ++-
kexgexc.c | 24 +-
kexgexs.c | 14 +-
monitor.c | 26 +-
readconf.c | 18 +-
readconf.h | 7 +-
sk-usbhid.c | 5 +-
ssh-add.1 | 84 ++++++-
ssh-add.c | 187 +++++++++++++--
ssh-agent.c | 672 +++++++++++++++++++++++++++++++++++++++++++++++++---
sshconnect.c | 4 +-
sshconnect2.c | 70 ++++--
28 files changed, 1440 insertions(+), 155 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.