[openssh-commits] [openssh] branch V_9_6 created (now 8241b9c0)

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Dec 19 02:08:00 AEDT 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch V_9_6
in repository openssh.

        at  8241b9c0  crank versions

This branch includes the following new commits:

       new  1edb00c5  upstream: implement "strict key exchange" in ssh and sshd
       new  a7ed931c  upstream: add "ext-info-in-auth at openssh.com" extension
       new  881d9c6a  upstream: apply destination constraints to all p11 keys
       new  4448a293  upstream: Make it possible to load certs from PKCS#11 tokens
       new  0cb50eef  upstream: stricter handling of channel window limits
       new  7ef3787c  upstream: ban user/hostnames with most shell metacharacters
       new  6d51feab  upstream: ssh-agent: record failed session-bind attempts
       new  cdddd664  upstream: openssh-9.6
       new  2f512f86  upstream: regress test for constrained PKCS#11 keys
       new  e48cdee8  upstream: regress test for agent PKCS#11-backed certificates
       new  2f2c65cb  depend
       new  8241b9c0  crank versions

The 12 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
Author: Damien Miller <djm at mindrot.org>
Date:   Tue Dec 19 01:59:50 2023 +1100

    crank versions

commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
Author: Damien Miller <djm at mindrot.org>
Date:   Tue Dec 19 01:59:06 2023 +1100

    depend

commit e48cdee8e19059203b1aeeabec2350b8375fa61f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:50:08 2023 +0000

    upstream: regress test for agent PKCS#11-backed certificates
    
    OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9

commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:49:39 2023 +0000

    upstream: regress test for constrained PKCS#11 keys
    
    OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff

commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:48:44 2023 +0000

    upstream: openssh-9.6
    
    OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b

commit 7ef3787c84b6b524501211b11a26c742f829af1a
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:47:44 2023 +0000

    upstream: ban user/hostnames with most shell metacharacters
    
    This makes ssh(1) refuse user or host names provided on the
    commandline that contain most shell metacharacters.
    
    Some programs that invoke ssh(1) using untrusted data do not filter
    metacharacters in arguments they supply. This could create
    interactions with user-specified ProxyCommand and other directives
    that allow shell injection attacks to occur.
    
    It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
    but getting this stuff right can be tricky, so this should prevent
    most obvious ways of creating risky situations. It however is not
    and cannot be perfect: ssh(1) has no practical way of interpreting
    what shell quoting rules are in use and how they interact with the
    user's specified ProxyCommand.
    
    To allow configurations that use strange user or hostnames to
    continue to work, this strictness is applied only to names coming
    from the commandline. Names specified using User or Hostname
    directives in ssh_config(5) are not affected.
    
    feedback/ok millert@ markus@ dtucker@ deraadt@
    
    OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9

commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:48:08 2023 +0000

    upstream: ssh-agent: record failed session-bind attempts
    
    Record failed attempts to session-bind a connection and refuse signing
    operations on that connection henceforth.
    
    Prevents a future situation where we add a new hostkey type that is not
    recognised by an older ssh-agent, that consequently causes session-bind
    to fail (this situation is only likely to arise when people mix ssh(1)
    and ssh-agent(1) of different versions on the same host). Previously,
    after such a failure the agent socket would be considered unbound and
    not subject to restriction.
    
    Spotted by Jann Horn
    
    OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e

commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:46:56 2023 +0000

    upstream: Make it possible to load certs from PKCS#11 tokens
    
    Adds a protocol extension to allow grafting certificates supplied by
    ssh-add to keys loaded from PKCS#11 tokens in the agent.
    
    feedback/ok markus@
    
    OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f

commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:47:20 2023 +0000

    upstream: stricter handling of channel window limits
    
    This makes ssh/sshd more strict in handling non-compliant peers that
    send more data than the advertised channel window allows. Previously
    the additional data would be silently discarded. This change will
    cause ssh/sshd to terminate the connection if the channel window is
    exceeded by more than a small grace allowance.
    
    ok markus@
    
    OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037

commit a7ed931caeb68947d30af8a795f4108b6efad761
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:45:49 2023 +0000

    upstream: add "ext-info-in-auth at openssh.com" extension
    
    This adds another transport protocol extension to allow a sshd to send
    SSH2_MSG_EXT_INFO during user authentication, after the server has
    learned the username that is being logged in to.
    
    This lets sshd to update the acceptable signature algoritms for public
    key authentication, and allows these to be varied via sshd_config(5)
    "Match" directives, which are evaluated after the server learns the
    username being authenticated.
    
    Full details in the PROTOCOL file
    
    OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779

commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:46:12 2023 +0000

    upstream: apply destination constraints to all p11 keys
    
    Previously applied only to the first key returned from each token.
    
    ok markus@
    
    OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d

commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Dec 18 14:45:17 2023 +0000

    upstream: implement "strict key exchange" in ssh and sshd
    
    This adds a protocol extension to improve the integrity of the SSH
    transport protocol, particular in and around the initial key exchange
    (KEX) phase.
    
    Full details of the extension are in the PROTOCOL file.
    
    with markus@
    
    OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list