[openssh-commits] [openssh] branch master updated (49f325fd -> 9306d601)

git+noreply at mindrot.org git+noreply at mindrot.org
Sun Sep 15 11:23:16 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

    from 49f325fd Fix without_openssl always being set to 1
     new 62bbf8f8 upstream: Do not apply authorized_keys options when signature
     new dd424d7c upstream: include pathname in some of the ssh-keygen passphrase
     new baec3f7f upstream: switch "Match" directive processing over to the argv
     new acad117e upstream: switch sshd_config Match processing to the argv tokeniser
     new 8d21713b upstream: Add a sshd_config "RefuseConnection" option
     new 78759751 upstream: Add a "refuseconnection" penalty class to sshd_config
     new 0118a4da upstream: add a "Match invalid-user" predicate to sshd_config Match
     new 9306d601 upstream: document Match invalid-user

The 8 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit 9306d6017e0ce5dea6824c29ca5ba5673c2923ad
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 01:19:56 2024 +0000

    upstream: document Match invalid-user
    
    OpenBSD-Commit-ID: 2c84a9b517283e9711e2812c1f268081dcb02081

commit 0118a4da21147a88a56dc8b90bbc2849fefd5c1e
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 01:18:26 2024 +0000

    upstream: add a "Match invalid-user" predicate to sshd_config Match
    
    options.
    
    This allows writing Match conditions that trigger for an invalid username.
    E.g.
    
    PerSourcePenalties refuseconnection:90s
    Match invalid-user
     RefuseConnection yes
    
    Will effectively penalise bots trying to guess passwords for bogus accounts,
    at the cost of implicitly revealing which accounts are invalid.
    
    feedback markus@
    
    OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07

commit 7875975136f275619427604900cb0ffd7020e845
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 01:11:26 2024 +0000

    upstream: Add a "refuseconnection" penalty class to sshd_config
    
    PerSourcePenalties
    
    This allows penalising connection sources that have had connections
    dropped by the RefuseConnection option. ok markus@
    
    OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6

commit 8d21713b669b8516ca6d43424a356fccc37212bb
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 01:09:40 2024 +0000

    upstream: Add a sshd_config "RefuseConnection" option
    
    If set, this will terminate the connection at the first authentication
    request (this is the earliest we can evaluate sshd_config Match blocks)
    
    ok markus@
    
    OpenBSD-Commit-ID: 43cc2533984074c44d0d2f92eb93f661e7a0b09c

commit acad117e66018fe1fa5caf41b36e6dfbd61f76a1
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 00:58:01 2024 +0000

    upstream: switch sshd_config Match processing to the argv tokeniser
    
    too; ok markus@
    
    OpenBSD-Commit-ID: b74b5b0385f2e0379670e2b869318a65b0bc3923

commit baec3f7f4c60cd5aa1bb9adbeb6dfa4a172502a8
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 00:57:36 2024 +0000

    upstream: switch "Match" directive processing over to the argv
    
    string tokeniser, making it possible to use shell-like quoting in Match
    directives, particularly "Match exec". ok markus@
    
    OpenBSD-Commit-ID: 0877309650b76f624b2194c35dbacaf065e769a5

commit dd424d7c382c2074ab70f1b8ad4f169a10f60ee7
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 00:47:01 2024 +0000

    upstream: include pathname in some of the ssh-keygen passphrase
    
    prompts. Helps the user know what's going on when ssh-keygen is invoked via
    other tools. Requested in GHPR503
    
    OpenBSD-Commit-ID: 613b0bb6cf845b7e787d69a5b314057ceda6a8b6

commit 62bbf8f825cc390ecb0523752ddac1435006f206
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Sep 15 00:41:18 2024 +0000

    upstream: Do not apply authorized_keys options when signature
    
    verification fails. Prevents restrictive key options being incorrectly
    applied to subsequent keys in authorized_keys. bz3733, ok markus@
    
    OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e

Summary of changes:
 auth.c        |  3 ++-
 monitor.c     | 14 +++++++++--
 readconf.c    | 35 +++++++++++----------------
 servconf.c    | 76 ++++++++++++++++++++++++++++++++++++++++-------------------
 servconf.h    |  6 ++++-
 srclimit.c    |  4 ++++
 srclimit.h    | 12 ++++++----
 ssh-keygen.c  | 26 +++++++++++++-------
 sshd.8        |  8 +++++--
 sshd.c        |  9 ++++++-
 sshd_config.5 | 30 +++++++++++++++++++----
 11 files changed, 152 insertions(+), 71 deletions(-)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

