[openssh-commits] [openssh] branch master updated (cc80d51d -> 81c1099d)
git+noreply at mindrot.org
git+noreply at mindrot.org
Fri Jun 7 04:04:52 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from cc80d51d remove PRIVSEP macros for osx
new 49b55e44 upstream: enable -fret-clean on amd64, for libc libcrypto ld.so
new 916b0b61 whitespace
new 81c1099d upstream: Add a facility to sshd(8) to penalise particular
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 81c1099d22b81ebfd20a334ce986c4f753b0db29
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Jun 6 17:15:25 2024 +0000
upstream: Add a facility to sshd(8) to penalise particular
problematic client behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
commit 916b0b6174e203cf2c5ec9bcf409472eb7ffbf43
Author: Damien Miller <djm at mindrot.org>
Date: Fri Jun 7 03:31:02 2024 +1000
whitespace
commit 49b55e44182b8294419aa580cbf043d5b9e3d953
Author: deraadt at openbsd.org <deraadt at openbsd.org>
Date: Tue Jun 4 15:14:45 2024 +0000
upstream: enable -fret-clean on amd64, for libc libcrypto ld.so
kernel, and all the ssh tools. The dynamic objects are entirely ret-clean,
static binaries will contain a blend of cleaning and non-cleaning callers.
OpenBSD-Commit-ID: 112aacedd3b61cc5c34b1fa6d9fb759214179172
Summary of changes:
.depend | 6 +-
.skipped-commit-ids | 1 +
misc.c | 18 ++-
misc.h | 3 +-
monitor.c | 8 +-
monitor_wrap.c | 35 ++++-
servconf.c | 134 +++++++++++++++-
servconf.h | 18 ++-
srclimit.c | 322 +++++++++++++++++++++++++++++++++++++--
srclimit.h | 22 ++-
sshd-session.c | 15 +-
sshd.c | 430 ++++++++++++++++++++++++++++++++++++++++++++--------
sshd_config.5 | 66 +++++++-
13 files changed, 984 insertions(+), 94 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list