[openssh-commits] [openssh] branch master updated (fe6c6330 -> 74856204)

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Oct 14 14:03:12 AEDT 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

    from fe6c6330 upstream: don't start the ObscureKeystrokeTiming mitigations if
     new 6072e4c9 upstream: Split per-connection sshd-session binary
     new 46174108 upstream: test some more Match syntax, including criteria=arg and
     new 74856204 upstream: regress support for split sshd-auth binary

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 74856204a353a187dc6e7706c6cf84b7f14d775d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Oct 14 03:02:08 2024 +0000

    upstream: regress support for split sshd-auth binary
    
    OpenBSD-Regress-ID: df7d18a87b475f70004770f0f4e404adba5f6ab7

commit 461741083d7254595fecea274e60fe3ebf3ce3f9
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Sep 27 01:05:54 2024 +0000

    upstream: test some more Match syntax, including criteria=arg and
    
    negations
    
    OpenBSD-Regress-ID: 67476baccc60bf1a255fd4e329ada950047b8b8d

commit 6072e4c9385713e9c166f32cfca6a7e603d4f0b8
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Oct 14 01:57:50 2024 +0000

    upstream: Split per-connection sshd-session binary
    
    This splits the user authentication code from the sshd-session
    binary into a separate sshd-auth binary. This will be executed by
    sshd-session to complete the user authentication phase of the
    protocol only.
    
    Splitting this code into a separate binary ensures that the crucial
    pre-authentication attack surface has an entirely disjoint address
    space from the code used for the rest of the connection. It also
    yields a small runtime memory saving as the authentication code will
    be unloaded after the authentication phase completes.
    
    Joint work with markus@ feedback deraadt@
    
    Tested in snaps since last week
    
    OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c

Summary of changes:
 Makefile.in               |  27 +-
 log.c                     |   4 +-
 monitor.c                 | 107 +++++-
 monitor.h                 |   3 +
 monitor_wrap.c            |  81 ++++-
 monitor_wrap.h            |   6 +
 pathnames.h               |   3 +
 regress/cfginclude.sh     |  14 +-
 regress/cfgmatch.sh       |  70 ++--
 regress/servcfginclude.sh |  14 +-
 regress/test-exec.sh      |   7 +-
 sandbox-capsicum.c        |  26 +-
 sandbox-darwin.c          |  17 +-
 sandbox-null.c            |  12 -
 sandbox-pledge.c          |  77 -----
 sandbox-rlimit.c          |  17 +-
 sandbox-seccomp-filter.c  |  17 +-
 sandbox-solaris.c         |  14 -
 sandbox-systrace.c        | 218 ------------
 servconf.c                |  11 +-
 servconf.h                |   1 +
 session.c                 |   7 +-
 ssh-sandbox.h             |   2 -
 sshd-auth.c               | 861 ++++++++++++++++++++++++++++++++++++++++++++++
 sshd-session.c            | 308 ++++++-----------
 sshd.c                    |   7 +
 26 files changed, 1249 insertions(+), 682 deletions(-)
 create mode 100644 sshd-auth.c

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

