From git+noreply at mindrot.org Fri Aug 1 20:41:10 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 01 Aug 2025 20:41:10 +1000 Subject: [openssh-commits] [openssh] branch master updated (dc630e6d8 -> b1c4cedbe) Message-ID: <175404487068.25782.7731413947822635253@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a change to branch master in repository openssh. from dc630e6d8 upstream: unbreak WITH_OPENSSL=no builds, also allowing ed25519 new 284abbed9 upstream: Plug leak in case where sigp is passed as NULL. Coverity CID new b1c4cedbe Replace fbsd64ppc VM with physical host. The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit b1c4cedbee107dc611ce091f27ea9f1de28ee378 Author: Darren Tucker Date: Fri Aug 1 19:29:00 2025 +1000 Replace fbsd64ppc VM with physical host. Run 64bit bigendian interop test on NetBSD arm64be instead. commit 284abbed9a8d815b1ec5e96aff885d77e26537e7 Author: dtucker at openbsd.org Date: Wed Jul 30 10:17:13 2025 +0000 upstream: Plug leak in case where sigp is passed as NULL. Coverity CID 483725, ok djm@ OpenBSD-Commit-ID: 47cf7b399c84e102b670b9f97ab6926c9a7256b5 Summary of changes: .github/workflows/selfhosted.yml | 4 ++-- ssh-pkcs11-client.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Fri Aug 1 20:41:11 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 01 Aug 2025 20:41:11 +1000 Subject: [openssh-commits] [openssh] 01/02: upstream: Plug leak in case where sigp is passed as NULL. Coverity CID In-Reply-To: <175404487068.25782.7731413947822635253@fuyu.mindrot.org> References: <175404487068.25782.7731413947822635253@fuyu.mindrot.org> Message-ID: This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. commit 284abbed9a8d815b1ec5e96aff885d77e26537e7 Author: dtucker at openbsd.org AuthorDate: Wed Jul 30 10:17:13 2025 +0000 upstream: Plug leak in case where sigp is passed as NULL. Coverity CID 483725, ok djm@ OpenBSD-Commit-ID: 47cf7b399c84e102b670b9f97ab6926c9a7256b5 --- ssh-pkcs11-client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 64b8f4c1c..8be0d8aec 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11-client.c,v 1.23 2025/07/25 11:50:45 dtucker Exp $ */ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.24 2025/07/30 10:17:13 dtucker Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved. @@ -278,6 +278,7 @@ pkcs11_sign(struct sshkey *key, ret = 0; fail: + free(signature); sshbuf_free(msg); return ret; } -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Fri Aug 1 20:41:12 2025 
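Review bot: the unconditional `free(signature);` added at the `fail:` label in the ssh-pkcs11-client.c @@ -278 hunk is only safe if `signature` is NULL on every path that reaches the label without allocating it, and is cleared on the success path that hands the buffer to the caller when `sigp` is non-NULL; otherwise the caller's buffer is freed from under it or an uninitialised pointer is freed. Neither the declaration of `signature` nor the ownership transfer to the caller is in the visible context, so confirm that `signature` is initialised to NULL and set back to NULL once it has been passed out, before `ret = 0` falls through to `fail:`.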
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 01 Aug 2025 20:41:12 +1000 Subject: [openssh-commits] [openssh] 02/02: Replace fbsd64ppc VM with physical host. In-Reply-To: <175404487068.25782.7731413947822635253@fuyu.mindrot.org> References: <175404487068.25782.7731413947822635253@fuyu.mindrot.org> Message-ID: This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. commit b1c4cedbee107dc611ce091f27ea9f1de28ee378 Author: Darren Tucker AuthorDate: Fri Aug 1 19:29:00 2025 +1000 Replace fbsd64ppc VM with physical host. Run 64bit bigendian interop test on NetBSD arm64be instead. --- .github/workflows/selfhosted.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/selfhosted.yml b/.github/workflows/selfhosted.yml index 281b2fc84..3bc54d64b 100644 --- a/.github/workflows/selfhosted.yml +++ b/.github/workflows/selfhosted.yml @@ -20,7 +20,7 @@ jobs: REMOTE: ${{ startsWith(matrix.host, 'remote') }} VM: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') }} SSHFS: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') || startsWith(matrix.host, 'remote') }} - BIGENDIAN: ${{ matrix.target == 'aix51' || matrix.target == 'fbsd14-ppc64' || matrix.target == 'openwrt-mips' }} + BIGENDIAN: ${{ matrix.target == 'aix51' || matrix.target == 'nbsd-arm64be' || matrix.target == 'openwrt-mips' }} strategy: fail-fast: false # We use a matrix in two parts: firstly all of the VMs are tested with the @@ -63,7 +63,6 @@ jobs: include: # Long-running/slow tests have access to high priority runners. - { target: aix51, config: default, host: libvirt-hipri } - - { target: fbsd14-ppc64, config: default, host: libvirt-hipri } - { target: openindiana, config: pam, host: libvirt-hipri } - { target: sol10, config: default, host: libvirt-hipri } - { target: sol10, config: pam, host: libvirt-hipri } 
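Review bot: the @@ -20 hunk makes `nbsd-arm64be` the BIGENDIAN target and the @@ -63 hunk drops the `fbsd14-ppc64` runner, but the per-target build flags in `.github/configs` still key only on `fbsd14-ppc64` for the `--disable-security-key` case, so the new target runs with security-key tests enabled until that case is extended to `nbsd-arm64be`; suggest updating `.github/configs` in the same change so the matrix and the config file do not disagree between commits.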
@@ -100,6 +99,7 @@ jobs: - { target: debian-riscv64, config: default, host: remote-debian-riscv64 } - { target: openwrt-mips, config: default, host: remote-openwrt-mips } - { target: openwrt-mipsel, config: default, host: remote-openwrt-mipsel } + - { target: nbsd-arm64be, config: default, host: remote-nbsd-arm64be } steps: - name: shutdown VM if running if: env.VM == 'true' -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Sat Aug 2 12:52:59 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Sat, 02 Aug 2025 12:52:59 +1000 Subject: [openssh-commits] [openssh] branch master updated: Comment out atime restore test. Message-ID: <175410317925.53950.14699898374632764117@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new e85248df3 Comment out atime restore test. e85248df3 is described below commit e85248df3f1073343da87a6b00512e6a1e4a863d Author: Darren Tucker AuthorDate: Sat Aug 2 12:51:42 2025 +1000 Comment out atime restore test. This works on filesystems mounted 'noatime', but on others the stat() resets atime causing the test to fail. --- openbsd-compat/regress/utimensattest.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c index bbc66c485..b4405e464 100644 --- a/openbsd-compat/regress/utimensattest.c +++ b/openbsd-compat/regress/utimensattest.c 
@@ -77,11 +77,17 @@ main(void) fail("utimensat", 0, 0); if (stat(TMPFILE, &sb) == -1) - fail("stat", 0, 0 ); + fail("stat", 0, 0); +#if 0 + /* + * This test only works on filesystems mounted 'noatime', otherwise the + * stat() above resets atime. Skip by default. + */ if (sb.st_atime != 12345678) - fail("st_atime", 0, 0 ); + fail("st_atime", 0, 0); +#endif if (sb.st_mtime != 34567890) - fail("st_mtime", 0, 0 ); + fail("st_mtime", 0, 0); #if 0 /* * Results expected to be rounded to the nearest microsecond. -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Sat Aug 2 14:49:52 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Sat, 02 Aug 2025 14:49:52 +1000 Subject: [openssh-commits] [openssh] branch master updated: Disable security key tests for bigendian interop Message-ID: <175411019255.10.12498236826713867537@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new d1c6c67a5 Disable security key tests for bigendian interop d1c6c67a5 is described below commit d1c6c67a50fc957010fa027c6ab970424e9b9142 Author: Darren Tucker AuthorDate: Sat Aug 2 14:49:00 2025 +1000 Disable security key tests for bigendian interop --- .github/configs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/configs b/.github/configs index aa363be7d..230258f93 100755 --- a/.github/configs +++ b/.github/configs 
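Review bot: wrapping the `st_atime` check in `#if 0` in the utimensattest.c hunk removes atime coverage on every filesystem, including the `noatime` mounts where the commit message says the check works; a runtime skip (log a skip instead of calling `fail()` when `sb.st_atime` does not match, or detect the mount behaviour first) would keep the check where it is meaningful. The `0 )` to `0)` whitespace fixes on the `fail("stat", ...)`, `fail("st_atime", ...)` and `fail("st_mtime", ...)` lines are unrelated cleanups mixed into a functional change; splitting them would make the diff easier to bisect.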
@@ -283,7 +283,7 @@ case "${TARGET_HOST}" in # Native linker is not great with PIC so OpenSSL is built w/out. CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key" ;; - fbsd14-ppc64) + fbsd14-ppc64|nbsd-arm64be) # Disable security key tests for bigendian interop test. CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key" ;; -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Tue Aug 5 14:05:44 2025 
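Review bot: the `fbsd14-ppc64|nbsd-arm64be)` case label in the `.github/configs` hunk keeps `fbsd14-ppc64` even though b1c4cedbe removed that target from the selfhosted matrix, so the first alternative is now unreachable from CI; either drop it or extend the comment to say the target is retained for manual runs.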
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Tue, 05 Aug 2025 14:05:44 +1000 Subject: [openssh-commits] [openssh] branch master updated (d1c6c67a5 -> 6ebd472c3) Message-ID: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch master in repository openssh. from d1c6c67a5 Disable security key tests for bigendian interop new 65909fa11 upstream: Set default IPQoS for interactive sessions to Expedited new ec3465f59 upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS new 6ebd472c3 upstream: a bunch of the protocol extensions we support now have RFCs The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit 6ebd472c391a73574abe02771712d407c48e130d Author: djm at openbsd.org Date: Tue Aug 5 04:00:15 2025 +0000 upstream: a bunch of the protocol extensions we support now have RFCs and I-Ds that are more complete and detailed than what we have in the PROTOCOL.* files. Refer to these when possible instead of documenting them here. OpenBSD-Commit-ID: 4fa5b0fcf5d5f24093d33d9e82c7ca4850d50d70 commit ec3465f59c651405e395092f3ad606f8992328d8 Author: job at openbsd.org Date: Thu Jul 31 11:23:39 2025 +0000 upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords Type of Service (ToS) was deprecated in the late nineties and replaced with the Differentiated Services architecture. Diffserv has significant advantages for operators because this mechanism offers more granularity. OpenSSH switched its default IPQoS from ToS to DSCP values in 2018. IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be ignored and instead the system default QoS settings apply. 
Additionally, a debug message is logged about the deprecation with a suggestion to use DSCP. with/OK deraadt@ sthen@ djm@ OpenBSD-Commit-ID: 40c8c0c5cb20151a348728703536af2ec1c754ba commit 65909fa114e7dd7511800db2b7bacb8774afe887 Author: job at openbsd.org Date: Thu Jul 31 09:38:41 2025 +0000 upstream: Set default IPQoS for interactive sessions to Expedited Forwarding (EF) Marking interactive session data with DSCP value EF (RFC3246, RFC3247) helps inform the network on relative priority compared to other traffic. This is especially useful for differentiated treatment over wireless media. Following the reconciled IETF Diffserv to IEEE 802.11 mappings (RFC 8325), traffic marked with DSCP value EF maps to User Priority 6 in QoS Control, in turn mapping to the high priority WMM AC_VO access category. OK djm@ OpenBSD-Commit-ID: aadda7b9da794d70d7c6b381a861a0610afce1b3 Summary of changes: PROTOCOL | 115 +++++++++------------------------------------- PROTOCOL.chacha20poly1305 | 107 ------------------------------------------ misc.c | 8 ++-- readconf.c | 16 ++++++- readconf.h | 6 +-- servconf.c | 16 ++++++- ssh_config.5 | 15 +++--- sshd_config.5 | 15 +++--- 8 files changed, 70 insertions(+), 228 deletions(-) delete mode 100644 PROTOCOL.chacha20poly1305 -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Tue Aug 5 14:05:45 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Tue, 05 Aug 2025 14:05:45 +1000 Subject: [openssh-commits] [openssh] 01/03: upstream: Set default IPQoS for interactive sessions to Expedited In-Reply-To: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> References: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> Message-ID: This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 65909fa114e7dd7511800db2b7bacb8774afe887 Author: job at openbsd.org AuthorDate: Thu Jul 31 09:38:41 2025 +0000 upstream: Set default IPQoS for interactive sessions to Expedited Forwarding (EF) Marking interactive session data with DSCP value EF (RFC3246, RFC3247) helps inform the network on relative priority compared to other traffic. This is especially useful for differentiated treatment over wireless media. Following the reconciled IETF Diffserv to IEEE 802.11 mappings (RFC 8325), traffic marked with DSCP value EF maps to User Priority 6 in QoS Control, in turn mapping to the high priority WMM AC_VO access category. OK djm@ OpenBSD-Commit-ID: aadda7b9da794d70d7c6b381a861a0610afce1b3 --- readconf.c | 4 ++-- servconf.c | 4 ++-- ssh_config.5 | 8 ++++---- sshd_config.5 | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/readconf.c b/readconf.c index b5a9f925f..5e97d710e 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.401 2025/07/23 05:07:19 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.402 2025/07/31 09:38:41 job Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -2947,7 +2947,7 @@ fill_default_options(Options * options) if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_DSCP_AF21; + options->ip_qos_interactive = IPTOS_DSCP_EF; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_DSCP_CS1; if (options->request_tty == -1) diff --git a/servconf.c b/servconf.c index 14165429f..63176d0d0 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.427 2025/05/24 08:13:29 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.428 2025/07/31 09:38:41 job Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -472,7 +472,7 @@ fill_default_server_options(ServerOptions *options) if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_DSCP_AF21; + options->ip_qos_interactive = IPTOS_DSCP_EF; if (options->ip_qos_bulk == -1) options->ip_qos_bulk = IPTOS_DSCP_CS1; if (options->version_addendum == NULL) diff --git a/ssh_config.5 b/ssh_config.5 index 14115fff1..4b5b62408 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.414 2025/07/23 05:07:19 djm Exp $ -.Dd $Mdocdate: July 23 2025 $ +.\" $OpenBSD: ssh_config.5,v 1.415 2025/07/31 09:38:41 job Exp $ +.Dd $Mdocdate: July 31 2025 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1277,8 +1277,8 @@ If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is -.Cm af21 -(Low-Latency Data) +.Cm ef +(Expedited Forwarding) for interactive sessions and .Cm cs1 (Lower Effort) 
diff --git a/sshd_config.5 b/sshd_config.5 index c07717375..ae57d0cb9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.381 2025/02/15 01:52:07 djm Exp $ -.Dd $Mdocdate: February 15 2025 $ +.\" $OpenBSD: sshd_config.5,v 1.382 2025/07/31 09:38:41 job Exp $ +.Dd $Mdocdate: July 31 2025 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -958,8 +958,8 @@ If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is -.Cm af21 -(Low-Latency Data) +.Cm ef +(Expedited Forwarding) for interactive sessions and .Cm cs1 (Lower Effort) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Tue Aug 5 14:05:46 2025 
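Review bot: the readconf.c and servconf.c hunks change the interactive default to `IPTOS_DSCP_EF` and the ssh_config.5/sshd_config.5 hunks document it as `ef (Expedited Forwarding)`, but neither manpage mentions that EF is the class networks most commonly police (RFC 3246, cited in the commit message, permits dropping EF traffic that exceeds the configured rate), so interactive sessions on such networks may see loss that the former `af21` default did not; suggest a sentence in both manpages pointing users at an explicit `IPQoS af21 cs1` (or another class) to restore the previous behaviour.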
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Tue, 05 Aug 2025 14:05:46 +1000 Subject: [openssh-commits] [openssh] 02/03: upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS In-Reply-To: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> References: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> Message-ID: This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit ec3465f59c651405e395092f3ad606f8992328d8 Author: job at openbsd.org AuthorDate: Thu Jul 31 11:23:39 2025 +0000 upstream: Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords Type of Service (ToS) was deprecated in the late nineties and replaced with the Differentiated Services architecture. Diffserv has significant advantages for operators because this mechanism offers more granularity. OpenSSH switched its default IPQoS from ToS to DSCP values in 2018. IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be ignored and instead the system default QoS settings apply. Additionally, a debug message is logged about the deprecation with a suggestion to use DSCP. with/OK deraadt@ sthen@ djm@ OpenBSD-Commit-ID: 40c8c0c5cb20151a348728703536af2ec1c754ba --- misc.c | 8 ++++---- readconf.c | 14 +++++++++++++- readconf.h | 6 +++--- servconf.c | 14 +++++++++++++- ssh_config.5 | 9 ++++----- sshd_config.5 | 9 ++++----- 6 files changed, 41 insertions(+), 19 deletions(-) diff --git a/misc.c b/misc.c index f4e02bd04..838a7f788 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.200 2025/05/22 03:53:46 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.201 2025/07/31 11:23:39 job Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved. 
@@ -1885,9 +1885,9 @@ static const struct { { "cs7", IPTOS_DSCP_CS7 }, { "ef", IPTOS_DSCP_EF }, { "le", IPTOS_DSCP_LE }, - { "lowdelay", IPTOS_LOWDELAY }, - { "throughput", IPTOS_THROUGHPUT }, - { "reliability", IPTOS_RELIABILITY }, + { "lowdelay", INT_MIN }, /* deprecated */ + { "throughput", INT_MIN }, /* deprecated */ + { "reliability", INT_MIN }, /* deprecated */ { NULL, -1 } }; diff --git a/readconf.c b/readconf.c index 5e97d710e..02452edbf 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.402 2025/07/31 09:38:41 job Exp $ */ +/* $OpenBSD: readconf.c,v 1.403 2025/07/31 11:23:39 job Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2160,6 +2160,12 @@ parse_pubkey_algos: filename, linenum, arg); goto out; } + if (value == INT_MIN) { + debug("%s line %d: Deprecated IPQoS value \"%s\" " + "ignored - using system default instead. Consider" + " using DSCP values.", filename, linenum, arg); + value = INT_MAX; + } arg = argv_next(&ac, &av); if (arg == NULL) value2 = value; @@ -2168,6 +2174,12 @@ parse_pubkey_algos: filename, linenum, arg); goto out; } + if (value2 == INT_MIN) { + debug("%s line %d: Deprecated IPQoS value \"%s\" " + "ignored - using system default instead. Consider" + " using DSCP values.", filename, linenum, arg); + value2 = INT_MAX; + } if (*activep && options->ip_qos_interactive == -1) { options->ip_qos_interactive = value; options->ip_qos_bulk = value2; diff --git a/readconf.h b/readconf.h index cd49139b1..153fa6226 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.159 2025/02/15 01:48:30 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.160 2025/07/31 11:23:39 job Exp $ */ /* * Author: Tatu Ylonen 
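Review bot: the `if (value == INT_MIN)` and `if (value2 == INT_MIN)` blocks added in the readconf.c @@ -2160 and @@ -2168 hunks (and the matching pair in servconf.c) are four identical copies of the same debug-and-replace logic; a small helper beside `parse_ipqos()` in misc.c that logs the deprecation and returns the replacement value would keep the sites from drifting. The hunks substitute `INT_MAX` for the deprecated value, but nothing in the diff says what `INT_MAX` means to the code that applies the setting; extending the `/* deprecated */` comments on the `INT_MIN` entries in the misc.c table to say that callers map it to the system-default value would make the sentinel pair self-explanatory.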
@@ -49,8 +49,8 @@ typedef struct { int strict_host_key_checking; /* Strict host key checking. */ int compression; /* Compress packets in both directions. */ int tcp_keep_alive; /* Set SO_KEEPALIVE. */ - int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + int ip_qos_interactive; /* DSCP value for interactive */ + int ip_qos_bulk; /* DSCP value for bulk traffic */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for logging. */ u_int num_log_verbose; /* Verbose log overrides */ diff --git a/servconf.c b/servconf.c index 63176d0d0..2bd9d1191 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.428 2025/07/31 09:38:41 job Exp $ */ +/* $OpenBSD: servconf.c,v 1.429 2025/07/31 11:23:39 job Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -2512,12 +2512,24 @@ process_server_config_line_depth(ServerOptions *options, char *line, if ((value = parse_ipqos(arg)) == -1) fatal("%s line %d: Bad %s value: %s", filename, linenum, keyword, arg); + if (value == INT_MIN) { + debug("%s line %d: Deprecated IPQoS value \"%s\" " + "ignored - using system default instead. Consider" + " using DSCP values.", filename, linenum, arg); + value = INT_MAX; + } arg = argv_next(&ac, &av); if (arg == NULL) value2 = value; else if ((value2 = parse_ipqos(arg)) == -1) fatal("%s line %d: Bad %s value: %s", filename, linenum, keyword, arg); + if (value2 == INT_MIN) { + debug("%s line %d: Deprecated IPQoS value \"%s\" " + "ignored - using system default instead. Consider" + " using DSCP values.", filename, linenum, arg); + value2 = INT_MAX; + } if (*activep) { options->ip_qos_interactive = value; options->ip_qos_bulk = value2; diff --git a/ssh_config.5 b/ssh_config.5 index 4b5b62408..390bc44ab 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.415 2025/07/31 09:38:41 job Exp $ +.\" $OpenBSD: ssh_config.5,v 1.416 2025/07/31 11:23:39 job Exp $ .Dd $Mdocdate: July 31 2025 $ .Dt SSH_CONFIG 5 .Os @@ -1242,7 +1242,9 @@ or block to perform conditional inclusion. .It Cm IPQoS -Specifies the IPv4 type-of-service or DSCP class for connections. +Specifies the +.Em Differentiated Services Field Codepoint Pq DSCP +value for connections. Accepted values are .Cm af11 , .Cm af12 , @@ -1266,9 +1268,6 @@ Accepted values are .Cm cs7 , .Cm ef , .Cm le , -.Cm lowdelay , -.Cm throughput , -.Cm reliability , a numeric value, or .Cm none to use the operating system default. diff --git a/sshd_config.5 b/sshd_config.5 index ae57d0cb9..ee1b29341 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.382 2025/07/31 09:38:41 job Exp $ +.\" $OpenBSD: sshd_config.5,v 1.383 2025/07/31 11:23:39 job Exp $ .Dd $Mdocdate: July 31 2025 $ .Dt SSHD_CONFIG 5 .Os @@ -923,7 +923,9 @@ directive may appear inside a block to perform conditional inclusion. .It Cm IPQoS -Specifies the IPv4 type-of-service or DSCP class for the connection. +Specifies the +.Em Differentiated Services Field Codepoint Pq DSCP +value for the connection. Accepted values are .Cm af11 , .Cm af12 , @@ -947,9 +949,6 @@ Accepted values are .Cm cs7 , .Cm ef , .Cm le , -.Cm lowdelay , -.Cm throughput , -.Cm reliability , a numeric value, or .Cm none to use the operating system default. -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Tue Aug 5 14:05:47 2025 
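Review bot: the ssh_config.5 and sshd_config.5 hunks delete `lowdelay`, `throughput` and `reliability` from the accepted-values list, yet the misc.c table still accepts those keywords and the readconf.c/servconf.c hunks fall back to the system default with only a debug-level message when they appear; the manpages should state that these keywords are deprecated and ignored, otherwise an administrator whose existing `IPQoS lowdelay` configuration silently stops taking effect has no documented explanation.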
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Tue, 05 Aug 2025 14:05:47 +1000 Subject: [openssh-commits] [openssh] 03/03: upstream: a bunch of the protocol extensions we support now have RFCs In-Reply-To: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> References: <175436674404.43752.9820059241416341180@fuyu.mindrot.org> Message-ID: This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 6ebd472c391a73574abe02771712d407c48e130d Author: djm at openbsd.org AuthorDate: Tue Aug 5 04:00:15 2025 +0000 upstream: a bunch of the protocol extensions we support now have RFCs and I-Ds that are more complete and detailed than what we have in the PROTOCOL.* files. Refer to these when possible instead of documenting them here. OpenBSD-Commit-ID: 4fa5b0fcf5d5f24093d33d9e82c7ca4850d50d70 --- PROTOCOL | 109 ++++++++-------------------------------------- PROTOCOL.chacha20poly1305 | 107 --------------------------------------------- 2 files changed, 18 insertions(+), 198 deletions(-) diff --git a/PROTOCOL b/PROTOCOL index f99173c52..af2a813f9 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -33,10 +33,7 @@ The method is documented in: https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt -1.3. transport: New public key algorithms "ssh-rsa-cert-v01 at openssh.com", - "ecdsa-sha2-nistp256-cert-v01 at openssh.com", - "ecdsa-sha2-nistp384-cert-v01 at openssh.com" and - "ecdsa-sha2-nistp521-cert-v01 at openssh.com" +1.3. transport: Certificate key algorithms OpenSSH introduces new public key algorithms to support certificate authentication for users and host keys. These methods are documented 
@@ -81,29 +78,20 @@ contains: 1.6 transport: AES-GCM OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. -Because of problems with the specification of the key exchange -the behaviour of OpenSSH differs from the RFC as follows: +Because of problems with design of algorithm negotiation in this +RFC, OpenSSH (and other SSH implementation) use different rules as +described in: -AES-GCM is only negotiated as the cipher algorithms -"aes128-gcm at openssh.com" or "aes256-gcm at openssh.com" and never as -an MAC algorithm. Additionally, if AES-GCM is selected as the cipher -the exchanged MAC algorithms are ignored and there doesn't have to be -a matching MAC. +https://datatracker.ietf.org/doc/draft-miller-sshm-aes-gcm/ 1.7 transport: chacha20-poly1305 at openssh.com authenticated encryption OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 -as described in PROTOCOL.chacha20poly1305. +as described in: -1.8 transport: curve25519-sha256 at libssh.org key exchange algorithm +https://datatracker.ietf.org/doc/draft-ietf-sshm-chacha20-poly1305/ -OpenSSH supports the use of ECDH in Curve25519 for key exchange as -described at: -http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256 at libssh.org.txt?h=curve25519 - -This is identical to curve25519-sha256 as later published in RFC8731. - -1.9 transport: ping facility +1.8 transport: ping facility OpenSSH implements a transport level ping message SSH2_MSG_PING and a corresponding SSH2_MSG_PONG reply. 
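Review bot: in the @@ -81 hunk, "OpenSSH (and other SSH implementation) use different rules" should read "other SSH implementations", and the replacement drops the one-sentence summary of how the behaviour differs from RFC 5647 (AES-GCM negotiated only as a cipher, the negotiated MAC ignored); keeping that sentence before the draft URL lets a reader know what to expect without following the link. The same hunk removes the former 1.8 section on curve25519-sha256 at libssh.org together with its statement that the method is identical to RFC 8731's curve25519-sha256; a one-line pointer to RFC 8731 for the at libssh.org alias would preserve that fact.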
@@ -136,34 +124,16 @@ than as a named global or channel request to allow pings with very short packet lengths, which would not be possible with other approaches. -1.10 transport: strict key exchange extension +1.9 transport: strict key exchange extension -OpenSSH supports a number of transport-layer hardening measures under -a "strict KEX" feature. This feature is signalled similarly to the -RFC8308 ext-info feature: by including a additional algorithm in the -initial SSH2_MSG_KEXINIT kex_algorithms field. The client may append -"kex-strict-c-v00 at openssh.com" to its kex_algorithms and the server -may append "kex-strict-s-v00 at openssh.com". These pseudo-algorithms -are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored -if they are present in subsequent SSH2_MSG_KEXINIT packets. +OpenSSH supports a number of transport-layer hardening measures +designed to thwart the so-called "Terrapin" attack against the +early SSH protocol. These are collectively referred to as +"strict KEX" and documented in an Internet-Draft: -When an endpoint that supports this extension observes this algorithm -name in a peer's KEXINIT packet, it MUST make the following changes to -the protocol: +https://datatracker.ietf.org/doc/draft-miller-sshm-strict-kex/ -a) During initial KEX, terminate the connection if out-of-sequence - packet or any message that is not strictly required by KEX is - received. This includes terminating the connection if the first - packet received is not SSH2_MSG_KEXINIT. Unexpected packets for - the purpose of strict KEX include messages that are otherwise - valid at any time during the connection such as SSH2_MSG_DEBUG, - SSH2_MSG_IGNORE or SSH2_MSG_UNIMPLEMENTED. -b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the - packet sequence number to zero. This behaviour persists for the - duration of the connection (i.e. not just the first - SSH2_MSG_NEWKEYS). 
- -1.11 transport: SSH2_MSG_EXT_INFO during user authentication +1.10 transport: SSH2_MSG_EXT_INFO during user authentication This protocol extension allows the SSH2_MSG_EXT_INFO to be sent during user authentication. RFC8308 does allow a second 
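Review bot: the @@ -136 hunk renumbers sections 1.10 and 1.11 to 1.9 and 1.10 (after the @@ -81 hunk moved 1.9 to 1.8), so any external reference to "PROTOCOL section 1.10" for strict KEX now lands on the ping facility; consider noting the renumbering in the commit message or keeping section numbers stable. The hunk also removes the `kex-strict-c-v00 at openssh.com` and `kex-strict-s-v00 at openssh.com` names from the file entirely, so a search of the repository documentation for those identifiers will no longer find them; retaining one sentence naming the pseudo-algorithms before the draft URL would keep them discoverable.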
@@ -368,52 +338,9 @@ and "hostkeys-prove-00 at openssh.com" OpenSSH supports a protocol extension allowing a server to inform a client of all its protocol v.2 host keys after user-authentication -has completed. +has completed. This is documented in an Internet-Draft - byte SSH_MSG_GLOBAL_REQUEST - string "hostkeys-00 at openssh.com" - char 0 /* want-reply */ - string[] hostkeys - -Upon receiving this message, a client should check which of the -supplied host keys are present in known_hosts. - -Note that the server may send key types that the client does not -support. The client should disregard such keys if they are received. - -If the client identifies any keys that are not present for the host, -it should send a "hostkeys-prove at openssh.com" message to request the -server prove ownership of the private half of the key. - - byte SSH_MSG_GLOBAL_REQUEST - string "hostkeys-prove-00 at openssh.com" - char 1 /* want-reply */ - string[] hostkeys - -When a server receives this message, it should generate a signature -using each requested key over the following: - - string "hostkeys-prove-00 at openssh.com" - string session identifier - string hostkey - -These signatures should be included in the reply, in the order matching -the hostkeys in the request: - - byte SSH_MSG_REQUEST_SUCCESS - string[] signatures - -When the client receives this reply (and not a failure), it should -validate the signatures and may update its known_hosts file, adding keys -that it has not seen before and deleting keys for the server host that -are no longer offered. - -These extensions let a client learn key types that it had not previously -encountered, thereby allowing it to potentially upgrade from weaker -key algorithms to better ones. It also supports graceful key rotation: -a server may offer multiple keys of the same type for a period (to -give clients an opportunity to learn them using this extension) before -removing the deprecated key from those offered. 
+https://datatracker.ietf.org/doc/draft-miller-sshm-hostkey-update/ 2.6. connection: SIGINFO support for "signal" channel request @@ -791,4 +718,4 @@ master instance and later clients. OpenSSH extends the usual agent protocol. These changes are documented in the PROTOCOL.agent file. -$OpenBSD: PROTOCOL,v 1.57 2025/05/06 05:40:56 djm Exp $ +$OpenBSD: PROTOCOL,v 1.58 2025/08/05 04:00:15 djm Exp $ diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305 deleted file mode 100644 index 0bfff28d7..000000000 --- a/PROTOCOL.chacha20poly1305 +++ /dev/null 
@@ -1,107 +0,0 @@ -This document describes the chacha20-poly1305 at openssh.com authenticated -encryption cipher supported by OpenSSH. - -Background ----------- - -ChaCha20 is a stream cipher designed by Daniel Bernstein and described -in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key, -a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output -is used as a keystream, with any unused bytes simply discarded. - -Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC -that computes a 128 bit integrity tag given a message and a single-use -256 bit secret key. - -The chacha20-poly1305 at openssh.com combines these two primitives into an -authenticated encryption mode. The construction used is based on that -proposed for TLS by Adam Langley in [3], but differs in the layout of -data passed to the MAC and in the addition of encryption of the packet -lengths. - -Negotiation ------------ - -The chacha20-poly1305 at openssh.com offers both encryption and -authentication. As such, no separate MAC is required. If the -chacha20-poly1305 at openssh.com cipher is selected in key exchange, -the offered MAC algorithms are ignored and no MAC is required to be -negotiated. - -Detailed Construction ---------------------- - -The chacha20-poly1305 at openssh.com cipher requires 512 bits of key -material as output from the SSH key exchange. This forms two 256 bit -keys (K_1 and K_2), used by two separate instances of chacha20. -The first 256 bits constitute K_2 and the second 256 bits become -K_1. - -The instance keyed by K_1 is a stream cipher that is used only -to encrypt the 4 byte packet length field. The second instance, -keyed by K_2, is used in conjunction with poly1305 to build an AEAD -(Authenticated Encryption with Associated Data) that is used to encrypt -and authenticate the entire packet. 
- -Two separate cipher instances are used here so as to keep the packet -lengths confidential but not create an oracle for the packet payload -cipher by decrypting and using the packet length prior to checking -the MAC. By using an independently-keyed cipher instance to encrypt the -length, an active attacker seeking to exploit the packet input handling -as a decryption oracle can learn nothing about the payload contents or -its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure). - -The AEAD is constructed as follows: for each packet, generate a Poly1305 -key by taking the first 256 bits of ChaCha20 stream output generated -using K_2, an IV consisting of the packet sequence number encoded as an -uint64 under the SSH wire encoding rules and a ChaCha20 block counter of -zero. The K_2 ChaCha20 block counter is then set to the little-endian -encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used -for encryption of the packet payload. - -Packet Handling ---------------- - -When receiving a packet, the length must be decrypted first. When 4 -bytes of ciphertext length have been received, they may be decrypted -using the K_1 key, a nonce consisting of the packet sequence number -encoded as a uint64 under the usual SSH wire encoding and a zero block -counter to obtain the plaintext length. - -Once the entire packet has been received, the MAC MUST be checked -before decryption. A per-packet Poly1305 key is generated as described -above and the MAC tag calculated using Poly1305 with this key over the -ciphertext of the packet length and the payload together. The calculated -MAC is then compared in constant time with the one appended to the -packet and the packet decrypted using ChaCha20 as described above (with -K_2, the packet sequence number as nonce and a starting block counter of -1). - -To send a packet, first encode the 4 byte length and encrypt it using -K_1. Encrypt the packet payload (using K_2) and append it to the -encrypted length. 
Finally, calculate a MAC tag and append it. - -Rekeying --------- - -ChaCha20 must never reuse a {key, nonce} for encryption nor may it be -used to encrypt more than 2^70 bytes under the same {key, nonce}. The -SSH Transport protocol (RFC4253) recommends a far more conservative -rekeying every 1GB of data sent or received. If this recommendation -is followed, then chacha20-poly1305 at openssh.com requires no special -handling in this area. - -References ----------- - -[1] "ChaCha, a variant of Salsa20", Daniel Bernstein - http://cr.yp.to/chacha/chacha-20080128.pdf - -[2] "The Poly1305-AES message-authentication code", Daniel Bernstein - http://cr.yp.to/mac/poly1305-20050329.pdf - -[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley - http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 - -$OpenBSD: PROTOCOL.chacha20poly1305,v 1.5 2020/02/21 00:04:43 dtucker Exp $ - -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 7 09:47:21 2025 
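Review bot: deleting PROTOCOL.chacha20poly1305 outright removes the only in-tree statement of the parts of this construction that are easy to get wrong: that the first 256 bits of KEX output are K_2 and the second 256 bits are K_1, that the 4-byte length is encrypted under K_1 with a zero block counter, that the per-packet Poly1305 key is the first 256 bits of K_2 keystream at counter 0 with payload encryption starting at counter 1, and that the MAC MUST be checked before decryption. Unlike the hostkeys section, the diff shown here adds no replacement pointer for chacha20-poly1305 at openssh.com in PROTOCOL; please confirm one exists (the natural place is the numbered transport list, next to the AES-GCM entry) so implementers still have a normative reference for the length-encryption and key-ordering rules.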
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 07 Aug 2025 09:47:21 +1000 Subject: [openssh-commits] [openssh] 01/04: upstream: Use the operating system default DSCP marking for In-Reply-To: <175452404072.53593.222935712290357992@fuyu.mindrot.org> References: <175452404072.53593.222935712290357992@fuyu.mindrot.org> Message-ID: <5a2fe1fdaccfc189@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 2a31009c36eb2da412c2784fe131fcb6ba800978 Author: job at openbsd.org AuthorDate: Tue Aug 5 09:08:16 2025 +0000 upstream: Use the operating system default DSCP marking for non-interactive traffic It seems the CS1 traffic class mark is considered ambiguous and therefore somewhat unhelpful (see RFC 8622 for more considerations). But, the new 'LE' scavenger class (also proposed in RFC 8622) offers high probability of excessive delays & high packet loss, which would be inappropriate for use with, for example, X11 forwardings. In fact, it is not known to SSH what's appropriate because SSH is not aware of the content of what is passing through session forwardings. Therefore, no marking is appropriate. Non-interactive traffic simply is best effort. OK djm@ deraadt@ OpenBSD-Commit-ID: db1da1a432ecd53fc28feb84287aedb6bec80b01 --- readconf.c | 4 ++-- servconf.c | 4 ++-- ssh_config.5 | 8 ++++---- sshd_config.5 | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/readconf.c b/readconf.c index 02452edbf..781e5b004 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.403 2025/07/31 11:23:39 job Exp $ */ +/* $OpenBSD: readconf.c,v 1.404 2025/08/05 09:08:16 job Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -2961,7 +2961,7 @@ fill_default_options(Options * options) if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_DSCP_EF; if (options->ip_qos_bulk == -1) - options->ip_qos_bulk = IPTOS_DSCP_CS1; + options->ip_qos_bulk = IPTOS_DSCP_CS0; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; if (options->session_type == -1) diff --git a/servconf.c b/servconf.c index 2bd9d1191..92f924e60 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.429 2025/07/31 11:23:39 job Exp $ */ +/* $OpenBSD: servconf.c,v 1.430 2025/08/05 09:08:16 job Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -474,7 +474,7 @@ fill_default_server_options(ServerOptions *options) if (options->ip_qos_interactive == -1) options->ip_qos_interactive = IPTOS_DSCP_EF; if (options->ip_qos_bulk == -1) - options->ip_qos_bulk = IPTOS_DSCP_CS1; + options->ip_qos_bulk = IPTOS_DSCP_CS0; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) diff --git a/ssh_config.5 b/ssh_config.5 index 390bc44ab..f1673e014 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.416 2025/07/31 11:23:39 job Exp $ -.Dd $Mdocdate: July 31 2025 $ +.\" $OpenBSD: ssh_config.5,v 1.417 2025/08/05 09:08:16 job Exp $ +.Dd $Mdocdate: August 5 2025 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1279,8 +1279,8 @@ The default is .Cm ef (Expedited Forwarding) for interactive sessions and -.Cm cs1 -(Lower Effort) +.Cm none +(the operating system default) for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. diff --git a/sshd_config.5 b/sshd_config.5 index ee1b29341..4536286b7 100644 --- a/sshd_config.5 
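Review bot: the code and the documentation in this change disagree. The readconf.c and servconf.c hunks set the default `ip_qos_bulk` to `IPTOS_DSCP_CS0`, which is an explicit DSCP value of 0 and, unless the TOS-setting path special-cases it, is still written to the socket, while the ssh_config.5/sshd_config.5 hunks now describe the default as `none (the operating system default)`. An explicit CS0 overwrites whatever marking the OS or an administrator already applied to the socket, so it is not "the operating system default". Either make the default the same value that the IPQoS keyword `none` parses to, so that no marking is issued at all, or keep CS0 and document the default as `cs0`; as written, an admin reading the man page and an admin reading a packet capture will reach different conclusions.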
+++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.383 2025/07/31 11:23:39 job Exp $ -.Dd $Mdocdate: July 31 2025 $ +.\" $OpenBSD: sshd_config.5,v 1.384 2025/08/05 09:08:16 job Exp $ +.Dd $Mdocdate: August 5 2025 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -960,8 +960,8 @@ The default is .Cm ef (Expedited Forwarding) for interactive sessions and -.Cm cs1 -(Lower Effort) +.Cm none +(the operating system default) for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to allow keyboard-interactive authentication. -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 7 09:47:23 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 07 Aug 2025 09:47:23 +1000 Subject: [openssh-commits] [openssh] 03/04: upstream: Improve sentence. ok djm@ In-Reply-To: <175452404072.53593.222935712290357992@fuyu.mindrot.org> References: <175452404072.53593.222935712290357992@fuyu.mindrot.org> Message-ID: <5a2fe2018b9f3e55@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 60b909fb110f77c1ffd15cceb5d09b8e3f79b27e Author: dtucker at openbsd.org AuthorDate: Wed Aug 6 11:22:53 2025 +0000 upstream: Improve sentence. ok djm@ OpenBSD-Commit-ID: 9c481ddd6bad110af7e530ba90db41f6d5fe2273 --- PROTOCOL | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/PROTOCOL b/PROTOCOL index af2a813f9..a94b36ba6 100644 --- a/PROTOCOL +++ b/PROTOCOL 
@@ -78,8 +78,8 @@ contains: 1.6 transport: AES-GCM OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. -Because of problems with design of algorithm negotiation in this -RFC, OpenSSH (and other SSH implementation) use different rules as +Because of problems with the design of the algorithm negotiation in this +RFC, OpenSSH (and other SSH implementations) use different rules as described in: https://datatracker.ietf.org/doc/draft-miller-sshm-aes-gcm/ @@ -718,4 +718,4 @@ master instance and later clients. OpenSSH extends the usual agent protocol. These changes are documented in the PROTOCOL.agent file. -$OpenBSD: PROTOCOL,v 1.58 2025/08/05 04:00:15 djm Exp $ +$OpenBSD: PROTOCOL,v 1.59 2025/08/06 11:22:53 dtucker Exp $ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 7 09:47:24 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 07 Aug 2025 09:47:24 +1000 Subject: [openssh-commits] [openssh] 04/04: upstream: all state related to the ssh connection should live in In-Reply-To: <175452404072.53593.222935712290357992@fuyu.mindrot.org> References: <175452404072.53593.222935712290357992@fuyu.mindrot.org> Message-ID: <5a2fe2037ae77649@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 2ebc6384258b58ace0ad2adb2593744f62749235 Author: djm at openbsd.org AuthorDate: Wed Aug 6 23:44:09 2025 +0000 upstream: all state related to the ssh connection should live in struct ssh or struct packet_state; one static int escaped this rule, so move it to struct packet_state now. ok millert tb OpenBSD-Commit-ID: bd6737168bf61a836ffbdc99ee4803468db90a53 --- packet.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/packet.c b/packet.c index 9dea2cfc5..7f67f4fcd 100644 --- a/packet.c +++ b/packet.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.318 2025/02/18 08:02:12 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.319 2025/08/06 23:44:09 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -219,6 +219,12 @@ struct session_state { /* One-off warning about weak ciphers */ int cipher_warning_done; + /* + * Disconnect in progress. Used to prevent reentry in + * ssh_packet_disconnect() + */ + int disconnecting; + /* Hook for fuzzing inbound packets */ ssh_packet_hook_fn *hook_in; void *hook_in_ctx; @@ -2064,12 +2070,12 @@ ssh_packet_disconnect(struct ssh *ssh, const char *fmt,...) { char buf[1024], remote_id[512]; va_list args; - static int disconnecting = 0; int r; - if (disconnecting) /* Guard against recursive invocations. */ + /* Guard against recursive invocations. */ + if (ssh->state->disconnecting) fatal("packet_disconnect called recursively."); - disconnecting = 1; + ssh->state->disconnecting = 1; /* * Format the message. Note that the caller must make sure the -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 7 09:47:22 2025 
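Review bot: the removed `static int disconnecting = 0;` was zero-initialised by the language, but the new `ssh->state->disconnecting` field gets no initialiser in this hunk, so the guard now depends on struct session_state being allocated zeroed; worth a one-line check that the state allocation uses calloc-style allocation, or an explicit `= 0` where the state is set up. The field is set and never cleared, which matches the old static and is fine provided ssh_packet_disconnect() never returns normally; a short comment next to the field saying it is one-way would save the next reader the question. Minor: the commit message refers to `struct packet_state`, while the hunk adds the field to `struct session_state`.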
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 07 Aug 2025 09:47:22 +1000 Subject: [openssh-commits] [openssh] 02/04: upstream: when refusing a certificate for user authentication, log In-Reply-To: <175452404072.53593.222935712290357992@fuyu.mindrot.org> References: <175452404072.53593.222935712290357992@fuyu.mindrot.org> Message-ID: <5a2fe1ff96465c4c@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 9ffa98111dbe53bf86d07da8e01ded8c5c25456b Author: djm at openbsd.org AuthorDate: Wed Aug 6 04:53:04 2025 +0000 upstream: when refusing a certificate for user authentication, log enough information to identify the certificate in addition to the reason why it was being denied. Makes debugging certificate authz problems a bit easier. ok dlg@ OpenBSD-Commit-ID: 4c4621b2e70412754b3fe7540af8f4bf02b722b1 --- auth2-hostbased.c | 14 +++++++++++--- auth2-pubkey.c | 12 +++++++++--- auth2-pubkeyfile.c | 23 ++++++++++++++++------- 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/auth2-hostbased.c b/auth2-hostbased.c index eb21479a0..e28134a1a 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.53 2024/05/17 00:30:23 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.54 2025/08/06 04:53:04 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -213,8 +213,16 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, if (sshkey_is_cert(key) && sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) { - error("%s", reason); - auth_debug_add("%s", reason); + if ((fp = sshkey_fingerprint(key->cert->signature_key, + options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) + fatal_f("sshkey_fingerprint fail"); + error("Refusing certificate ID \"%s\" serial=%llu signed by " + "%s CA %s: %s", key->cert->key_id, key->cert->serial, + sshkey_type(key->cert->signature_key), fp, reason); + auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s", + key->cert->key_id, (unsigned long long)key->cert->serial, + reason); + free(fp); return 0; } diff --git a/auth2-pubkey.c b/auth2-pubkey.c index aa24fda05..221b242f8 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.122 2024/12/12 09:09:09 dtucker Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.123 2025/08/06 04:53:04 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -590,8 +590,14 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key, if ((final_opts = sshauthopt_merge(principals_opts, cert_opts, &reason)) == NULL) { fail_reason: - error("%s", reason); - auth_debug_add("%s", reason); + error("Refusing certificate ID \"%s\" serial=%llu " + "signed by %s CA %s: %s", key->cert->key_id, + key->cert->serial, + sshkey_type(key->cert->signature_key), ca_fp, + reason); + auth_debug_add("Refused Certificate ID \"%s\" " + "serial=%llu: %s", key->cert->key_id, + (unsigned long long)key->cert->serial, reason); goto out; } } diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c index 31e7481fb..531a266ac 100644 --- a/auth2-pubkeyfile.c +++ b/auth2-pubkeyfile.c 
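Review bot: in both the auth2-hostbased.c and auth2-pubkey.c hunks the new `error()` call passes `key->cert->serial` to `%llu` without the `(unsigned long long)` cast that the adjacent `auth_debug_add()` call applies. On OpenBSD the 64-bit types are long long so it is harmless there, but on many portable LP64 targets u_int64_t is unsigned long and -Wformat will flag the mismatch; cast in both places so the two calls are consistent. Style: the two messages differ as "Refusing certificate ID" versus "Refused Certificate ID" (capital C); pick one form so the server log line and the client-visible debug line can be correlated by substring.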
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkeyfile.c,v 1.4 2023/03/05 05:34:09 dtucker Exp $ */ +/* $OpenBSD: auth2-pubkeyfile.c,v 1.5 2025/08/06 04:53:04 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -344,15 +344,15 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key, /* Parse and check options present in certificate */ if ((certopts = sshauthopt_from_cert(key)) == NULL) { reason = "Invalid certificate options"; - goto fail_reason; + goto cert_fail_reason; } if (auth_authorise_keyopts(pw, certopts, 0, remote_ip, remote_host, loc) != 0) { reason = "Refused by certificate options"; - goto fail_reason; + goto cert_fail_reason; } if ((finalopts = sshauthopt_merge(keyopts, certopts, &reason)) == NULL) - goto fail_reason; + goto cert_fail_reason; /* * If the user has specified a list of principals as @@ -362,12 +362,12 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key, if (keyopts->cert_principals != NULL && !match_principals_option(keyopts->cert_principals, key->cert)) { reason = "Certificate does not contain an authorized principal"; - goto fail_reason; + goto cert_fail_reason; } if (sshkey_cert_check_authority_now(key, 0, 0, 0, keyopts->cert_principals == NULL ? pw->pw_name : NULL, &reason) != 0) - goto fail_reason; + goto cert_fail_reason; verbose("Accepted certificate ID \"%s\" (serial %llu) " "signed by CA %s %s found at %s", 
@@ -386,8 +386,17 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key, ret = 0; goto out; + cert_fail_reason: + error("Refusing certificate ID \"%s\" serial=%llu " + "signed by %s CA %s via %s: %s", key->cert->key_id, + key->cert->serial, sshkey_type(key->cert->signature_key), + fp, loc, reason); + auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s", + key->cert->key_id, (unsigned long long)key->cert->serial, reason); + goto out; + fail_reason: - error("%s", reason); + error("%s at %s", reason, loc); auth_debug_add("%s", reason); out: free(fp); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 7 09:47:20 2025 
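Review bot: same missing `(unsigned long long)` cast on `key->cert->serial` in the new `cert_fail_reason:` `error()` call (the `auth_debug_add()` directly below it casts). One thing this hunk gets right and that should be kept that way: `loc`, the authorized_keys path and line, goes only to `error()` and so only to the server log, not into `auth_debug_add()`, whose messages are queued for delivery to the client; the asymmetry between the two lines under the retained `fail_reason:` label is deliberate and should not be "fixed" by adding `loc` to the debug message. Also, every jump site retargeted to `cert_fail_reason` in the previous hunk dereferences `key->cert`, so the label must only be reachable from the certificate branch; the surrounding context ("Parse and check options present in certificate") suggests it is, but a comment on the label stating that precondition would be cheap insurance.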
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 07 Aug 2025 09:47:20 +1000 Subject: [openssh-commits] [openssh] branch master updated (6ebd472c3 -> 2ebc63842) Message-ID: <175452404072.53593.222935712290357992@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch master in repository openssh. from 6ebd472c3 upstream: a bunch of the protocol extensions we support now have RFCs new 2a31009c3 upstream: Use the operating system default DSCP marking for new 9ffa98111 upstream: when refusing a certificate for user authentication, log new 60b909fb1 upstream: Improve sentence. ok djm@ new 2ebc63842 upstream: all state related to the ssh connection should live in The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit 2ebc6384258b58ace0ad2adb2593744f62749235 Author: djm at openbsd.org Date: Wed Aug 6 23:44:09 2025 +0000 upstream: all state related to the ssh connection should live in struct ssh or struct packet_state; one static int escaped this rule, so move it to struct packet_state now. ok millert tb OpenBSD-Commit-ID: bd6737168bf61a836ffbdc99ee4803468db90a53 commit 60b909fb110f77c1ffd15cceb5d09b8e3f79b27e Author: dtucker at openbsd.org Date: Wed Aug 6 11:22:53 2025 +0000 upstream: Improve sentence. ok djm@ OpenBSD-Commit-ID: 9c481ddd6bad110af7e530ba90db41f6d5fe2273 commit 9ffa98111dbe53bf86d07da8e01ded8c5c25456b Author: djm at openbsd.org Date: Wed Aug 6 04:53:04 2025 +0000 upstream: when refusing a certificate for user authentication, log enough information to identify the certificate in addition to the reason why it was being denied. Makes debugging certificate authz problems a bit easier. 
ok dlg@ OpenBSD-Commit-ID: 4c4621b2e70412754b3fe7540af8f4bf02b722b1 commit 2a31009c36eb2da412c2784fe131fcb6ba800978 Author: job at openbsd.org Date: Tue Aug 5 09:08:16 2025 +0000 upstream: Use the operating system default DSCP marking for non-interactive traffic It seems the CS1 traffic class mark is considered ambiguous and therefore somewhat unhelpful (see RFC 8622 for more considerations). But, the new 'LE' scavenger class (also proposed in RFC 8622) offers high probability of excessive delays & high packet loss, which would be inappropriate for use with, for example, X11 forwardings. In fact, it is not known to SSH what's appropriate because SSH is not aware of the content of what is passing through session forwardings. Therefore, no marking is appropriate. Non-interactive traffic simply is best effort. OK djm@ deraadt@ OpenBSD-Commit-ID: db1da1a432ecd53fc28feb84287aedb6bec80b01 Summary of changes: PROTOCOL | 6 +++--- auth2-hostbased.c | 14 +++++++++++--- auth2-pubkey.c | 12 +++++++++--- auth2-pubkeyfile.c | 23 ++++++++++++++++------- packet.c | 14 ++++++++++---- readconf.c | 4 ++-- servconf.c | 4 ++-- ssh_config.5 | 8 ++++---- sshd_config.5 | 8 ++++---- 9 files changed, 61 insertions(+), 32 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:26 2025
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:26 +1000 Subject: [openssh-commits] [openssh] branch V_8_9 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448605.99566.16601197124557126357@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_8_9 in repository openssh. The following commit(s) were added to refs/heads/V_8_9 by this push: new ffdbae4c0 support sntrup761x25519-sha512 alias ffdbae4c0 is described below commit ffdbae4c0201d42bfa1f5c5e9c21454d10795491 Author: Damien Miller AuthorDate: Mon Aug 11 15:36:27 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 8.9 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 0bcd27dc5..8d68ad567 100644 --- a/kex.c +++ b/kex.c @@ -111,6 +111,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index c35329501..5282f2825 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ 
diff --git a/myproposal.h b/myproposal.h index ee50d215b..edb0ffe83 100644 --- a/myproposal.h +++ b/myproposal.h @@ -30,6 +30,7 @@ "ecdh-sha2-nistp256," \ "ecdh-sha2-nistp384," \ "ecdh-sha2-nistp521," \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group16-sha512," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:27 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:27 +1000 Subject: [openssh-commits] [openssh] branch V_9_0 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448610.99566.1298785816690998412@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_0 in repository openssh. The following commit(s) were added to refs/heads/V_9_0 by this push: new ade3fa278 support sntrup761x25519-sha512 alias ade3fa278 is described below commit ade3fa2787395ba32c63dc5f780eb372755d318d Author: Damien Miller AuthorDate: Mon Aug 11 15:48:29 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.0 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 0bcd27dc5..8d68ad567 100644 --- a/kex.c +++ b/kex.c 
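Review bot: the V_8_9 backport touches only kex.c, kex.h and myproposal.h (3 files changed), so the ssh_config.5 and sshd_config.5 pages on this branch, which spell out the default KexAlgorithms list, still show only `sntrup761x25519-sha512 at openssh.com`; the documented default will no longer match what `ssh -Q kex` reports or what the client and server actually propose. A follow-up doc commit per branch would close that gap. The ordering itself looks right: the alias is inserted immediately before the existing `@openssh.com` entry, so each branch keeps its own relative preference for the algorithm (after ecdh-sha2-nistp521 on V_8_9, first in KEX_SERVER_KEX on V_9_0 and later), and the kexalgs table entry carries the same `KEX_KEM_SNTRUP761X25519_SHA512` / `SSH_DIGEST_SHA512` parameters as the existing name. The same comment applies to the V_9_0 through V_9_4 commits that follow.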
@@ -111,6 +111,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index c35329501..5282f2825 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:28 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:28 +1000 Subject: [openssh-commits] [openssh] branch V_9_1 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448616.99566.2088148602310151778@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_1 in repository openssh. The following commit(s) were added to refs/heads/V_9_1 by this push: new 16d6a715a support sntrup761x25519-sha512 alias 16d6a715a is described below commit 16d6a715a69105bce9b8f986636e5e7811e412d1 Author: Damien Miller AuthorDate: Mon Aug 11 15:54:35 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.1 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 0bcd27dc5..8d68ad567 100644 --- a/kex.c +++ b/kex.c @@ -111,6 +111,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index c35329501..5282f2825 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ 
diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:29 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:29 +1000 Subject: [openssh-commits] [openssh] branch V_9_2 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448621.99566.526236249816555326@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_2 in repository openssh. The following commit(s) were added to refs/heads/V_9_2 by this push: new 5ac781935 support sntrup761x25519-sha512 alias 5ac781935 is described below commit 5ac781935f068abd4c1bfe04a70f804cce4c603f Author: Damien Miller AuthorDate: Mon Aug 11 16:02:03 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.2 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 8cdefcf7c..cbc6ae724 100644 --- a/kex.c +++ b/kex.c @@ -111,6 +111,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif 
diff --git a/kex.h b/kex.h index c35329501..5282f2825 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:30 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:30 +1000 Subject: [openssh-commits] [openssh] branch V_9_3 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448627.99566.2105744229518263750@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_3 in repository openssh. The following commit(s) were added to refs/heads/V_9_3 by this push: new 4815c5d19 support sntrup761x25519-sha512 alias 4815c5d19 is described below commit 4815c5d19a50a99776a23a7d700eda65a257aeee Author: Damien Miller AuthorDate: Mon Aug 11 16:08:30 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.3 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index b4e2ab75f..c93878d04 100644 --- a/kex.c +++ b/kex.c 
@@ -113,6 +113,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index 8b54e3f4b..185910bd9 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:31 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:31 +1000 Subject: [openssh-commits] [openssh] branch V_9_4 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448632.99566.18210746781643154225@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_4 in repository openssh. The following commit(s) were added to refs/heads/V_9_4 by this push: new 4ff236463 support sntrup761x25519-sha512 alias 4ff236463 is described below commit 4ff236463995fb1d4cbfba1b881cdf6d609c27ba Author: Damien Miller AuthorDate: Mon Aug 11 16:16:25 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.4 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index fd04bb0b5..34e66de63 100644 --- a/kex.c +++ b/kex.c @@ -113,6 +113,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index 8b54e3f4b..185910bd9 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ 
diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:32 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:32 +1000 Subject: [openssh-commits] [openssh] branch V_9_5 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448639.99566.195696992038322941@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_5 in repository openssh. The following commit(s) were added to refs/heads/V_9_5 by this push: new 5a958562c support sntrup761x25519-sha512 alias 5a958562c is described below commit 5a958562ca7f6de33c4e288b6883e4b026202eda Author: Damien Miller AuthorDate: Mon Aug 11 16:23:58 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.5 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 8ff92f2a2..d79195583 100644 --- a/kex.c +++ b/kex.c @@ -113,6 +113,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif 
diff --git a/kex.h b/kex.h index 5f7ef784e..e414d8718 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:33 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:33 +1000 Subject: [openssh-commits] [openssh] branch V_9_6 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448645.99566.3210543625583965769@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_6 in repository openssh. The following commit(s) were added to refs/heads/V_9_6 by this push: new 4306a0ccb support sntrup761x25519-sha512 alias 4306a0ccb is described below commit 4306a0ccb712249c98c0ab1a8ad4bf0761be4011 Author: Damien Miller AuthorDate: Mon Aug 11 16:24:54 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.6 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index cbb2af596..df1756b1a 100644 --- a/kex.c +++ b/kex.c 
@@ -113,6 +113,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index ba3a6a4ea..054a9d8e0 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:34 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:34 +1000 Subject: [openssh-commits] [openssh] branch V_9_7 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448650.99566.10982946124581899388@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_7 in repository openssh. The following commit(s) were added to refs/heads/V_9_7 by this push: new 77f962453 support sntrup761x25519-sha512 alias 77f962453 is described below commit 77f962453d74559a33f13c76477c2c51e242556b Author: Damien Miller AuthorDate: Mon Aug 11 16:25:25 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.7 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- kex.c | 2 ++ kex.h | 1 + myproposal.h | 1 + 3 files changed, 4 insertions(+) diff --git a/kex.c b/kex.c index 8a0f16513..65259f6a2 100644 --- a/kex.c +++ b/kex.c @@ -113,6 +113,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index 0caf42b50..a412bb220 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ 
diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 16:41:35 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 16:41:35 +1000 Subject: [openssh-commits] [openssh] branch V_9_8 updated: support sntrup761x25519-sha512 alias Message-ID: <175489448656.99566.11256335857938186594@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_8 in repository openssh. The following commit(s) were added to refs/heads/V_9_8 by this push: new 26f73db15 support sntrup761x25519-sha512 alias 26f73db15 is described below commit 26f73db15e0eee558a11b42a9d794d78c87dd11e Author: Damien Miller AuthorDate: Mon Aug 11 16:40:24 2025 +1000 support sntrup761x25519-sha512 alias OpenSSH 9.8 supports the sntrup761x25519-sha512 at openssh.com key agreement algorithm. As part of standardisation, this algorithm has been assigned the name sntrup761x25519-sha512. This commit enables the existing algorithm under this new name. --- configure | 3 +++ kex-names.c | 2 ++ kex.h | 1 + moduli.0 | 2 +- myproposal.h | 1 + scp.0 | 2 +- sftp-server.0 | 2 +- sftp.0 | 2 +- ssh-add.0 | 2 +- ssh-agent.0 | 2 +- ssh-keygen.0 | 2 +- ssh-keyscan.0 | 2 +- ssh-keysign.0 | 2 +- ssh-pkcs11-helper.0 | 2 +- ssh-sk-helper.0 | 2 +- ssh.0 | 2 +- ssh_config.0 | 2 +- sshd.0 | 2 +- sshd_config.0 | 6 +++--- 19 files changed, 24 insertions(+), 17 deletions(-) diff --git a/configure b/configure index 07d19fd30..32e38c4cb 100755 --- a/configure +++ b/configure 
@@ -13317,6 +13317,9 @@ EOD printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h ;; +*-*-gnu*) + CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" + ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 diff --git a/kex-names.c b/kex-names.c index 339eb1c23..1869b8ee1 100644 --- a/kex-names.c +++ b/kex-names.c @@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = { { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, #ifdef USE_SNTRUP761X25519 + { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif diff --git a/kex.h b/kex.h index 34665eb20..ed22b929f 100644 --- a/kex.h +++ b/kex.h @@ -63,6 +63,7 @@ #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256 at libssh.org" #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512 at openssh.com" +#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ diff --git a/moduli.0 b/moduli.0 index 057a018ef..90700a16f 100644 --- a/moduli.0 +++ b/moduli.0 @@ -71,4 +71,4 @@ STANDARDS M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. -OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 +OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 diff --git a/myproposal.h b/myproposal.h index ee6e9f741..0528cd783 100644 --- a/myproposal.h +++ b/myproposal.h @@ -25,6 +25,7 @@ */ #define KEX_SERVER_KEX \ + "sntrup761x25519-sha512," \ "sntrup761x25519-sha512 at openssh.com," \ "curve25519-sha256," \ "curve25519-sha256 at libssh.org," \ diff --git a/scp.0 b/scp.0 index e098ddf55..85d5f83d5 100644 --- a/scp.0 +++ b/scp.0 
@@ -229,4 +229,4 @@ CAVEATS requires careful quoting of any characters that have special meaning to the remote shell, such as quote characters. -OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 diff --git a/sftp-server.0 b/sftp-server.0 index 23fdda399..273b69908 100644 --- a/sftp-server.0 +++ b/sftp-server.0 @@ -95,4 +95,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 +OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 diff --git a/sftp.0 b/sftp.0 index c6a9e60c4..0476733c1 100644 --- a/sftp.0 +++ b/sftp.0 @@ -435,4 +435,4 @@ SEE ALSO T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 diff --git a/ssh-add.0 b/ssh-add.0 index 30eed6672..20f1a88e2 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -206,4 +206,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/ssh-agent.0 b/ssh-agent.0 index 2e4ef7b6e..238fa54e2 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 @@ -137,4 +137,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 +OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 diff --git a/ssh-keygen.0 b/ssh-keygen.0 index a731a7fa8..13b032f46 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -904,4 +904,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index 110399094..cf0962c82 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 
@@ -120,4 +120,4 @@ AUTHORS Davison added support for protocol version 2. -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/ssh-keysign.0 b/ssh-keysign.0 index 577955d1b..ff3305809 100644 --- a/ssh-keysign.0 +++ b/ssh-keysign.0 @@ -47,4 +47,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 index 564587259..4b1cb8d7d 100644 --- a/ssh-pkcs11-helper.0 +++ b/ssh-pkcs11-helper.0 @@ -32,4 +32,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 index ea2117abd..4abc5e8a0 100644 --- a/ssh-sk-helper.0 +++ b/ssh-sk-helper.0 @@ -31,4 +31,4 @@ HISTORY AUTHORS Damien Miller -OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 diff --git a/ssh.0 b/ssh.0 index 78863b1b0..9c34e3e6e 100644 --- a/ssh.0 +++ b/ssh.0 @@ -1016,4 +1016,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 diff --git a/ssh_config.0 b/ssh_config.0 index ef6c0936a..f9a82781b 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -1428,4 +1428,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/sshd.0 b/sshd.0 index c7de2d311..eac127dcf 100644 --- a/sshd.0 +++ b/sshd.0 @@ -682,4 +682,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 diff --git a/sshd_config.0 b/sshd_config.0 index 6883dda4b..ca030fcca 100644 --- a/sshd_config.0 +++ b/sshd_config.0 
@@ -950,8 +950,8 @@ DESCRIPTION accumulated. Penalties are enabled by default with the default settings listed - below but may disabled using the off keyword. The defaults may - be overridden by specifying one or more of the keywords below, + below but may disabled using the no keyword. The defaults may be + overridden by specifying one or more of the keywords below, separated by whitespace. All keywords accept arguments, e.g. "crash:2m". @@ -1390,4 +1390,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 +OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 11 21:03:41 2025 
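Review bot: the configure hunk (a new *-*-gnu* case that appends -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE to CPPFLAGS) and the .0 manpage footer bumps from OpenBSD 7.5 to OpenBSD 7.7 are unrelated to the alias described in the commit message and look like the result of regenerating configure and the rendered manpages with a different toolchain; either drop them from this backport or say in the commit message that generated files were refreshed, so a later bisect does not attribute a build-flag change on *-*-gnu* hosts to a kex naming commit.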
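Review bot: the sshd_config.0 hunk rewrites the penalties paragraph but carries over the pre-existing grammar slip "may disabled" (should be "may be disabled") in the changed line; since the .0 files are generated output, the fix belongs in sshd_config.5 and will then flow into the rendered copy on the next regeneration.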
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 11 Aug 2025 21:03:41 +1000 Subject: [openssh-commits] [openssh] branch master updated: upstream: ssh(1): add a warning when the connection negotiates a Message-ID: <175491022146.24847.11032406683029878414@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new 0e1b8aa27 upstream: ssh(1): add a warning when the connection negotiates a 0e1b8aa27 is described below commit 0e1b8aa27f7c86d412c9e54ad9e2cae30d9ddab4 Author: djm at openbsd.org AuthorDate: Mon Aug 11 10:55:38 2025 +0000 upstream: ssh(1): add a warning when the connection negotiates a non-post quantum safe key agreement algorithm. Controlled via a new WarnWeakCrypto ssh_config option, defaulting to on. This option might grow additional weak crypto warnings in the future. More details at https://openssh.com/pq.html mostly by deraadt@ feedback dtucker@ ok deraadt@ OpenBSD-Commit-ID: 974ff243a1eccceac6a1a9d8fab3bcc89d74a2a4 --- kex-names.c | 45 ++++++++++++++++++++++++++++----------------- kex.c | 6 +++--- kex.h | 7 ++++++- readconf.c | 24 ++++++++++++++++++++++-- readconf.h | 4 +++- ssh_config.5 | 18 ++++++++++++++++-- sshconnect.c | 14 +++++++++++++- 7 files changed, 91 insertions(+), 27 deletions(-) diff --git a/kex-names.c b/kex-names.c index ec840c1f9..96deb8817 100644 --- a/kex-names.c +++ b/kex-names.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex-names.c,v 1.4 2024/09/09 02:39:57 djm Exp $ */ +/* $OpenBSD: kex-names.c,v 1.5 2025/08/11 10:55:38 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * 
@@ -50,44 +50,45 @@ struct kexalg { u_int type; int ec_nid; int hash_alg; + int pq_alg; }; static const struct kexalg kexalgs[] = { #ifdef WITH_OPENSSL - { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, - { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, - { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, - { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, - { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, - { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ }, + { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ }, + { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ }, + { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ }, + { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ }, + { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ }, #ifdef HAVE_EVP_SHA256 - { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ }, #endif /* HAVE_EVP_SHA256 */ #ifdef OPENSSL_HAS_ECC { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, - NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, + NID_X9_62_prime256v1, SSH_DIGEST_SHA256, KEX_NOT_PQ }, { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, - SSH_DIGEST_SHA384 }, + SSH_DIGEST_SHA384, KEX_NOT_PQ }, # ifdef OPENSSL_HAS_NISTP521 { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, - SSH_DIGEST_SHA512 }, + SSH_DIGEST_SHA512, KEX_NOT_PQ }, # endif /* OPENSSL_HAS_NISTP521 */ #endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) - { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, - { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ }, + { KEX_CURVE25519_SHA256_OLD, 
KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ }, #ifdef USE_SNTRUP761X25519 { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, - SSH_DIGEST_SHA512 }, + SSH_DIGEST_SHA512, KEX_IS_PQ }, { KEX_SNTRUP761X25519_SHA512_OLD, KEX_KEM_SNTRUP761X25519_SHA512, 0, - SSH_DIGEST_SHA512 }, + SSH_DIGEST_SHA512, KEX_IS_PQ }, #endif #ifdef USE_MLKEM768X25519 { KEX_MLKEM768X25519_SHA256, KEX_KEM_MLKEM768X25519_SHA256, 0, - SSH_DIGEST_SHA256 }, + SSH_DIGEST_SHA256, KEX_IS_PQ }, #endif #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ - { NULL, 0, -1, -1}, + { NULL, 0, -1, -1, 0 }, }; char * @@ -130,6 +131,16 @@ kex_name_valid(const char *name) return kex_alg_by_name(name) != NULL; } +int +kex_is_pq_from_name(const char *name) +{ + const struct kexalg *k; + + if ((k = kex_alg_by_name(name)) == NULL) + return 0; + return k->pq_alg == KEX_IS_PQ; +} + u_int kex_type_from_name(const char *name) { diff --git a/kex.c b/kex.c index 6b957e5e1..f8eaa8c97 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.187 2024/08/23 04:51:00 deraadt Exp $ */ +/* $OpenBSD: kex.c,v 1.188 2025/08/11 10:55:38 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -563,8 +563,6 @@ kex_input_newkeys(int type, u_int32_t seq, struct ssh *ssh) kex->flags &= ~KEX_INITIAL; sshbuf_reset(kex->peer); kex->flags &= ~KEX_INIT_SENT; - free(kex->name); - kex->name = NULL; return 0; } @@ -620,6 +618,8 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) error_f("no kex"); return SSH_ERR_INTERNAL_ERROR; } + free(kex->name); + kex->name = NULL; ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) diff --git a/kex.h b/kex.h index d08988b3e..55baa6a1e 100644 --- a/kex.h +++ b/kex.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.126 2024/09/02 12:13:56 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.127 2025/08/11 10:55:38 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -115,6 +115,10 @@ enum kex_exchange { #define KEX_HAS_PING 0x0020 #define KEX_HAS_EXT_INFO_IN_AUTH 0x0040 +/* kex->pq */ +#define KEX_NOT_PQ 0 +#define KEX_IS_PQ 1 + struct sshenc { char *name; const struct sshcipher *cipher; @@ -189,6 +193,7 @@ int kex_name_valid(const char *); u_int kex_type_from_name(const char *); int kex_hash_from_name(const char *); int kex_nid_from_name(const char *); +int kex_is_pq_from_name(const char *); int kex_names_valid(const char *); char *kex_alg_list(char); char *kex_names_cat(const char *, const char *); diff --git a/readconf.c b/readconf.c index 781e5b004..c7701d8c2 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.404 2025/08/05 09:08:16 job Exp $ */ +/* $OpenBSD: readconf.c,v 1.405 2025/08/11 10:55:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -180,7 +180,7 @@ typedef enum { oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize, oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout, - oVersionAddendum, oRefuseConnection, + oVersionAddendum, oRefuseConnection, oWarnWeakCrypto, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -333,6 +333,7 @@ static struct { { "channeltimeout", oChannelTimeout }, { "versionaddendum", oVersionAddendum }, { "refuseconnection", oRefuseConnection }, + { "warnweakcrypto", oWarnWeakCrypto }, { NULL, oBadOption } }; 
@@ -1101,6 +1102,15 @@ static const struct multistate multistate_compression[] = { { "no", COMP_NONE }, { NULL, -1 } }; +/* XXX this will need to be replaced with a bitmask if we add more flags */ +static const struct multistate multistate_warnweakcrypto[] = { + { "true", 1 }, + { "false", 0 }, + { "yes", 1 }, + { "no", 0 }, + { "no-pq-kex", 0 }, + { NULL, -1 } +}; static int parse_multistate_value(const char *arg, const char *filename, int linenum, @@ -2427,6 +2437,11 @@ parse_pubkey_algos: intptr = &options->required_rsa_size; goto parse_int; + case oWarnWeakCrypto: + intptr = &options->warn_weak_crypto; + multistate_ptr = multistate_warnweakcrypto; + goto parse_multistate; + case oObscureKeystrokeTiming: value = -1; while ((arg = argv_next(&ac, &av)) != NULL) { @@ -2786,6 +2801,7 @@ initialize_options(Options * options) options->pubkey_accepted_algos = NULL; options->known_hosts_command = NULL; options->required_rsa_size = -1; + options->warn_weak_crypto = -1; options->enable_escape_commandline = -1; options->obscure_keystroke_timing_interval = -1; options->tag = NULL; @@ -2989,6 +3005,8 @@ fill_default_options(Options * options) #endif if (options->required_rsa_size == -1) options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; + if (options->warn_weak_crypto == -1) + options->warn_weak_crypto = 1; if (options->enable_escape_commandline == -1) options->enable_escape_commandline = 0; if (options->obscure_keystroke_timing_interval == -1) { @@ -3016,6 +3034,7 @@ fill_default_options(Options * options) goto fail; \ } \ } while (0) + options->kex_algorithms_set = options->kex_algorithms != NULL; ASSEMBLE(ciphers, def_cipher, all_cipher); ASSEMBLE(macs, def_mac, all_mac); ASSEMBLE(kex_algorithms, def_kex, all_kex); 
@@ -3703,6 +3722,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oVisualHostKey, o->visual_host_key); dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys); dump_cfg_fmtint(oEnableEscapeCommandline, o->enable_escape_commandline); + dump_cfg_fmtint(oWarnWeakCrypto, o->warn_weak_crypto); /* Integer options */ dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); diff --git a/readconf.h b/readconf.h index 153fa6226..942149f9a 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.160 2025/07/31 11:23:39 job Exp $ */ +/* $OpenBSD: readconf.h,v 1.161 2025/08/11 10:55:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -67,6 +67,7 @@ typedef struct { char *macs; /* SSH2 macs in order of preference. */ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ + int kex_algorithms_set; /* KexAlgorithms was set by the user */ char *ca_sign_algorithms; /* Allowed CA signature algorithms */ char *hostname; /* Real host to connect. */ char *tag; /* Configuration tag name. */ @@ -180,6 +181,7 @@ typedef struct { int required_rsa_size; /* minimum size of RSA keys */ int enable_escape_commandline; /* ~C commandline */ int obscure_keystroke_timing_interval; + int warn_weak_crypto; char **channel_timeouts; /* inactivity timeout by channel type */ u_int num_channel_timeouts; diff --git a/ssh_config.5 b/ssh_config.5 index f1673e014..4cbe98631 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.417 2025/08/05 09:08:16 job Exp $ -.Dd $Mdocdate: August 5 2025 $ +.\" $OpenBSD: ssh_config.5,v 1.418 2025/08/11 10:55:38 djm Exp $ +.Dd $Mdocdate: August 11 2025 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -2229,6 +2229,20 @@ If this flag is set to (the default), no fingerprint strings are printed at login and only the fingerprint string will be printed for unknown host keys. +.It Cm WarnWeakCrypto +controls whether the user is warned when the cryptographic algorithms +negotiated for the connection are weak or otherwise recommended against. +Warnings may be disabled by turning off a specific warning or by disabling +all warnings. +Warnings that the connection is using a non-post quantum safe key exchange +may be disabled using the +.Cm no-pq-kex +flag. +.Cm no +will disable all warnings. +The default, equivalent to +.Cm yes , +is to enable all warnings. .It Cm XAuthLocation Specifies the full pathname of the .Xr xauth 1 diff --git a/sshconnect.c b/sshconnect.c index a90167fd6..09e937c9e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.371 2025/05/24 09:46:16 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.372 2025/08/11 10:55:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1580,6 +1580,14 @@ out: return r; } +static void +warn_nonpq_kex(void) +{ + logit("** WARNING: connection is not using a post-quantum kex exchange algorithm."); + logit("** This session may be vulnerable to \"store now, decrypt later\" attacks."); + logit("** The server may need to be upgraded. See https://openssh.com/pq.html"); +} + /* * Starts a dialog with the server, and authenticates the current user on the * server. This does not need any extra privileges. The basic connection 
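Review bot: the comment above the new KEX_NOT_PQ/KEX_IS_PQ defines in the kex.h hunk reads /* kex->pq */, but the field these values populate is pq_alg in struct kexalg (see the kex-names.c hunk), not a member of struct kex; a comment such as /* struct kexalg pq_alg */ would point readers at the right structure.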
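Review bot: in the kex.c hunks, moving free(kex->name) from kex_input_newkeys to the start of kex_input_kexinit is what lets the client inspect the negotiated name after the exchange completes, but it also means kex->name now stays allocated between rekeys for the life of the connection; confirm that the kex teardown path (not in this diff) still releases it so no leak is introduced at session end.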
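Review bot: in the readconf.c multistate_warnweakcrypto hunk, no-pq-kex maps to the same value 0 as no, so a user who opts out of only the PQ warning also silently opts out of any future warning added under WarnWeakCrypto; the XXX comment acknowledges the bitmask need, but reserving distinct flag values now would keep existing configs narrow when a second warning lands, and the dump_cfg_fmtint line in dump_client_config would then need to print the flag names rather than a yes/no.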
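Review bot: the first logit() string in the new warn_nonpq_kex() in sshconnect.c says "post-quantum kex exchange algorithm"; "kex" already abbreviates "key exchange", so this should read "post-quantum key exchange algorithm". Since this text is what users will search for when the warning appears, it is worth fixing before release.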
@@ -1615,6 +1623,10 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, /* authenticate user */ debug("Authenticating to %s:%d as '%s'", host, port, server_user); ssh_kex2(ssh, host, hostaddr, port, cinfo); + if (!options.kex_algorithms_set && ssh->kex != NULL && + ssh->kex->name != NULL && options.warn_weak_crypto && + !kex_is_pq_from_name(ssh->kex->name)) + warn_nonpq_kex(); ssh_userauth2(ssh, local_user, server_user, host, sensitive); free(local_user); free(host); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:47 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:47 +1000 Subject: [openssh-commits] [openssh] branch V_8_9 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084687.46513.7482461704880819334@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_8_9 in repository openssh. The following commit(s) were added to refs/heads/V_8_9 by this push: new b738f18f4 mention sntrup761x25519-sha512 in manpages b738f18f4 is described below commit b738f18f4b26cbd92cd0dfcff960d5f2ee7c0f99 Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 69132282b..751361945 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1167,6 +1167,7 @@ The default is: .Bd -literal -offset indent curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diff --git a/sshd_config.5 b/sshd_config.5 index 985f1ba5c..4adc13e9d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
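Review bot: the ssh_login hunk in sshconnect.c (WarnWeakCrypto commit) suppresses the warning whenever options.kex_algorithms_set is true, that is whenever KexAlgorithms was given in any form, including the prefix forms that extend rather than replace the default list and so still contain the post-quantum algorithms; the ssh_config.5 hunk for WarnWeakCrypto should state that an explicit KexAlgorithms disables the warning, and it may be preferable to suppress it only when the user's list actually contains no PQ algorithm, which kex_is_pq_from_name() already makes straightforward to check.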
@@ -956,6 +956,8 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp @@ -963,6 +965,7 @@ The default is: .Bd -literal -offset indent curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:48 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:48 +1000 Subject: [openssh-commits] [openssh] branch V_9_0 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084691.46513.7966315078051027624@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_0 in repository openssh. The following commit(s) were added to refs/heads/V_9_0 by this push: new 73bd9c8b8 mention sntrup761x25519-sha512 in manpages 73bd9c8b8 is described below commit 73bd9c8b81aa065830ffe9b00e8c2a8b2de20a6f Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 59ff96465..53264102e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1165,6 +1165,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 3a4ffab7c..ffece563c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -956,11 +956,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:49 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:49 +1000 Subject: [openssh-commits] [openssh] branch V_9_1 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084697.46513.13021329775058906134@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_1 in repository openssh. The following commit(s) were added to refs/heads/V_9_1 by this push: new 7fb7641c7 mention sntrup761x25519-sha512 in manpages 7fb7641c7 is described below commit 7fb7641c71a6497a4aa839d86cab83f87e12e66a Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index d1ede18e7..1f3a1ba8b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1165,6 +1165,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index f5a06637f..128f0f1c2 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -956,11 +956,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:50 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:50 +1000 Subject: [openssh-commits] [openssh] branch V_9_2 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084702.46513.8235356254166857988@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_2 in repository openssh. The following commit(s) were added to refs/heads/V_9_2 by this push: new e552e9f6e mention sntrup761x25519-sha512 in manpages e552e9f6e is described below commit e552e9f6e481c558cb929dd601fd6722f6355388 Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 9eb6b9779..9dba29f55 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1175,6 +1175,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 7313a7f79..28ca59f62 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1025,11 +1025,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:51 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:51 +1000 Subject: [openssh-commits] [openssh] branch V_9_3 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084708.46513.16869768078770628867@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_3 in repository openssh. The following commit(s) were added to refs/heads/V_9_3 by this push: new 73024dd5d mention sntrup761x25519-sha512 in manpages 73024dd5d is described below commit 73024dd5d7f4e306870106a87e0d270e6afd5b12 Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index c56b9d7be..f382e94a4 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1175,6 +1175,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 9a1578f75..0aaf2a8ab 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1037,11 +1037,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:52 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:52 +1000 Subject: [openssh-commits] [openssh] branch V_9_4 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084713.46513.3858246958424595119@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_4 in repository openssh. The following commit(s) were added to refs/heads/V_9_4 by this push: new 45b7f6ef5 mention sntrup761x25519-sha512 in manpages 45b7f6ef5 is described below commit 45b7f6ef5d44bf743f6c69c2f390474922444a50 Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index ab8d1021d..c1df23d3b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1197,6 +1197,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 7e1a56cd0..7b211038e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1037,11 +1037,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:53 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:53 +1000 Subject: [openssh-commits] [openssh] branch V_9_5 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084719.46513.10548482559026736767@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_5 in repository openssh. The following commit(s) were added to refs/heads/V_9_5 by this push: new 2c6544ea2 mention sntrup761x25519-sha512 in manpages 2c6544ea2 is described below commit 2c6544ea221ad55fc45339489d6d4a4c336826ba Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 367305d2c..097cc6a45 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1197,6 +1197,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 7e1a56cd0..7b211038e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1037,11 +1037,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:54 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:54 +1000 Subject: [openssh-commits] [openssh] branch V_9_6 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084724.46513.10653934874513952456@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_6 in repository openssh. The following commit(s) were added to refs/heads/V_9_6 by this push: new 68b5963fe mention sntrup761x25519-sha512 in manpages 68b5963fe is described below commit 68b5963fea1d421821648734096f5d5e0492663a Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 4bbdfefd1..54d0024b3 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1267,6 +1267,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index 7e1a56cd0..7b211038e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1037,11 +1037,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:55 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:55 +1000 Subject: [openssh-commits] [openssh] branch V_9_7 updated: mention sntrup761x25519-sha512 in manpages Message-ID: <175504084730.46513.18002517023836104272@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_7 in repository openssh. The following commit(s) were added to refs/heads/V_9_7 by this push: new 2911ffb37 mention sntrup761x25519-sha512 in manpages 2911ffb37 is described below commit 2911ffb37d3a8e0a24de08d380141cd067b9d085 Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 2931d807e..1a54fbc7e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1277,6 +1277,7 @@ character, then the specified algorithms will be placed at the head of the default set. The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diff --git a/sshd_config.5 b/sshd_config.5 index a0f16874f..e4a0238d6 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -1045,11 +1045,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:56 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:56 +1000 Subject: [openssh-commits] [openssh] branch V_9_8 updated (26f73db15 -> a38b48e77) Message-ID: <175504084735.46513.2836056348232082908@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch V_9_8 in repository openssh. from 26f73db15 support sntrup761x25519-sha512 alias new d1460a177 back out unrelated manpages changes new a38b48e77 mention sntrup761x25519-sha512 in manpages The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit a38b48e77ccfe9528dd4a8516c114950fa7a111d Author: Damien Miller Date: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson commit d1460a177431d034248b62b36240f634482e48de Author: Damien Miller Date: Wed Aug 13 09:19:53 2025 +1000 back out unrelated manpages changes spotted by Colin Wilson Summary of changes: configure | 3 --- moduli.0 | 2 +- scp.0 | 2 +- sftp-server.0 | 2 +- sftp.0 | 2 +- ssh-add.0 | 2 +- ssh-agent.0 | 2 +- ssh-keygen.0 | 2 +- ssh-keyscan.0 | 2 +- ssh-keysign.0 | 2 +- ssh-pkcs11-helper.0 | 2 +- ssh-sk-helper.0 | 2 +- ssh.0 | 2 +- ssh_config.0 | 2 +- ssh_config.5 | 1 + sshd.0 | 2 +- sshd_config.0 | 6 +++--- sshd_config.5 | 3 +++ 18 files changed, 21 insertions(+), 20 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:57 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:57 +1000 Subject: [openssh-commits] [openssh] 01/02: back out unrelated manpages changes In-Reply-To: <175504084735.46513.2836056348232082908@fuyu.mindrot.org> References: <175504084735.46513.2836056348232082908@fuyu.mindrot.org> Message-ID: <2f5e60f7a6a55bdc@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_8 in repository openssh. commit d1460a177431d034248b62b36240f634482e48de Author: Damien Miller AuthorDate: Wed Aug 13 09:19:53 2025 +1000 back out unrelated manpages changes spotted by Colin Wilson --- configure | 3 --- moduli.0 | 2 +- scp.0 | 2 +- sftp-server.0 | 2 +- sftp.0 | 2 +- ssh-add.0 | 2 +- ssh-agent.0 | 2 +- ssh-keygen.0 | 2 +- ssh-keyscan.0 | 2 +- ssh-keysign.0 | 2 +- ssh-pkcs11-helper.0 | 2 +- ssh-sk-helper.0 | 2 +- ssh.0 | 2 +- ssh_config.0 | 2 +- sshd.0 | 2 +- sshd_config.0 | 6 +++--- 16 files changed, 17 insertions(+), 20 deletions(-) diff --git a/configure b/configure index 32e38c4cb..07d19fd30 100755 --- a/configure +++ b/configure @@ -13317,9 +13317,6 @@ EOD printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h ;; -*-*-gnu*) - CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" - ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 diff --git a/moduli.0 b/moduli.0 index 90700a16f..057a018ef 100644 --- a/moduli.0 +++ b/moduli.0 @@ -71,4 +71,4 @@ STANDARDS M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. -OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 +OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 diff --git a/scp.0 b/scp.0 index 85d5f83d5..e098ddf55 100644 --- a/scp.0 +++ b/scp.0 
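Review bot: the commit message says this backs out unrelated manpage changes, but the first hunk also removes the `*-*-gnu*` CPPFLAGS case from configure, which is not a manpage change; either split that hunk out or state in the message that the configure change is reverted as well. The credit line reads "spotted by Colin Wilson" while the companion commit credits "Colin Watson", so one of the two is presumably a typo. Further down in the same patch, the sshd_config.0 hunk keeps "may disabled using the off keyword" on both the removed and the added lines; sshd_config.0 is generated output, so the missing "be" should be fixed in sshd_config.5 rather than in this file.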
@@ -229,4 +229,4 @@ CAVEATS requires careful quoting of any characters that have special meaning to the remote shell, such as quote characters. -OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 diff --git a/sftp-server.0 b/sftp-server.0 index 273b69908..23fdda399 100644 --- a/sftp-server.0 +++ b/sftp-server.0 @@ -95,4 +95,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 +OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 diff --git a/sftp.0 b/sftp.0 index 0476733c1..c6a9e60c4 100644 --- a/sftp.0 +++ b/sftp.0 @@ -435,4 +435,4 @@ SEE ALSO T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 diff --git a/ssh-add.0 b/ssh-add.0 index 20f1a88e2..30eed6672 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -206,4 +206,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/ssh-agent.0 b/ssh-agent.0 index 238fa54e2..2e4ef7b6e 100644 --- a/ssh-agent.0 +++ b/ssh-agent.0 @@ -137,4 +137,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 +OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 13b032f46..a731a7fa8 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 @@ -904,4 +904,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 index cf0962c82..110399094 100644 --- a/ssh-keyscan.0 +++ b/ssh-keyscan.0 
@@ -120,4 +120,4 @@ AUTHORS Davison added support for protocol version 2. -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/ssh-keysign.0 b/ssh-keysign.0 index ff3305809..577955d1b 100644 --- a/ssh-keysign.0 +++ b/ssh-keysign.0 @@ -47,4 +47,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 index 4b1cb8d7d..564587259 100644 --- a/ssh-pkcs11-helper.0 +++ b/ssh-pkcs11-helper.0 @@ -32,4 +32,4 @@ HISTORY AUTHORS Markus Friedl -OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 index 4abc5e8a0..ea2117abd 100644 --- a/ssh-sk-helper.0 +++ b/ssh-sk-helper.0 @@ -31,4 +31,4 @@ HISTORY AUTHORS Damien Miller -OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 diff --git a/ssh.0 b/ssh.0 index 9c34e3e6e..78863b1b0 100644 --- a/ssh.0 +++ b/ssh.0 @@ -1016,4 +1016,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 diff --git a/ssh_config.0 b/ssh_config.0 index f9a82781b..ef6c0936a 100644 --- a/ssh_config.0 +++ b/ssh_config.0 @@ -1428,4 +1428,4 @@ AUTHORS created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/sshd.0 b/sshd.0 index eac127dcf..c7de2d311 100644 --- a/sshd.0 +++ b/sshd.0 @@ -682,4 +682,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 diff --git a/sshd_config.0 b/sshd_config.0 index ca030fcca..6883dda4b 100644 --- a/sshd_config.0 +++ b/sshd_config.0 
@@ -950,8 +950,8 @@ DESCRIPTION accumulated. Penalties are enabled by default with the default settings listed - below but may disabled using the no keyword. The defaults may be - overridden by specifying one or more of the keywords below, + below but may disabled using the off keyword. The defaults may + be overridden by specifying one or more of the keywords below, separated by whitespace. All keywords accept arguments, e.g. "crash:2m". @@ -1390,4 +1390,4 @@ AUTHORS versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 +OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:58 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:58 +1000 Subject: [openssh-commits] [openssh] 02/02: mention sntrup761x25519-sha512 in manpages In-Reply-To: <175504084735.46513.2836056348232082908@fuyu.mindrot.org> References: <175504084735.46513.2836056348232082908@fuyu.mindrot.org> Message-ID: <2f5e60f926977d31@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch V_9_8 in repository openssh. commit a38b48e77ccfe9528dd4a8516c114950fa7a111d Author: Damien Miller AuthorDate: Wed Aug 13 09:16:34 2025 +1000 mention sntrup761x25519-sha512 in manpages Spotted by Colin Watson --- ssh_config.5 | 1 + sshd_config.5 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 2e1902283..9473f4692 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1281,6 +1281,7 @@ default set. .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, 
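Review bot: the hunk inserts `sntrup761x25519-sha512` into the KexAlgorithms default list as though it were a second algorithm, but the V_9_8 history shows it was added as an alias for `sntrup761x25519-sha512@openssh.com`; nothing in the manpage text tells the reader that, so someone comparing this list against `ssh -Q kex` output cannot tell whether one or two methods are meant. Suggest a sentence after the list saying the unsuffixed name is an alias for the @openssh.com form. The same applies to the sshd_config.5 hunk in this commit and to the identical hunk backported to each of the V_8_9 through V_9_7 branches above.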
diff --git a/sshd_config.5 b/sshd_config.5 index ce872de52..3c727f4d3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It +sntrup761x25519-sha512 +.It sntrup761x25519-sha512 at openssh.com .El .Pp The default is: .Bd -literal -offset indent +sntrup761x25519-sha512, sntrup761x25519-sha512 at openssh.com, curve25519-sha256,curve25519-sha256 at libssh.org, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:20:59 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:20:59 +1000 Subject: [openssh-commits] [openssh] branch master updated (0e1b8aa27 -> ab5074dfb) Message-ID: <175504084742.46513.17219787103151789045@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch master in repository openssh. from 0e1b8aa27 upstream: ssh(1): add a warning when the connection negotiates a new 8b6c1f402 upstream: Handle localtime_r() failure by return "UNKNOWN-TIME" new ab5074dfb upstream: fix typo, ok markus dtucker The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit ab5074dfb614e3801fecbd376d8ed4cea613c629 Author: sthen at openbsd.org Date: Tue Aug 12 11:09:48 2025 +0000 upstream: fix typo, ok markus dtucker OpenBSD-Commit-ID: 8f223da7633752162c64a659c6cf55202703d870 commit 8b6c1f402feb9eb6438003a312d7ffe8d5669896 Author: deraadt at openbsd.org Date: Mon Aug 11 14:37:43 2025 +0000 upstream: Handle localtime_r() failure by return "UNKNOWN-TIME" which is only used in user-visible contexts. freebsd 288773 shows their localtime_r() has failed at least once for unknown reason. discussed with djm OpenBSD-Commit-ID: 68f4c92d46b2578d4594b0ed940958d597fd61ac Summary of changes: misc.c | 8 +++++--- sshconnect.c | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:21:00 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:21:00 +1000 Subject: [openssh-commits] [openssh] 01/02: upstream: Handle localtime_r() failure by return "UNKNOWN-TIME" In-Reply-To: <175504084742.46513.17219787103151789045@fuyu.mindrot.org> References: <175504084742.46513.17219787103151789045@fuyu.mindrot.org> Message-ID: <2f5e60fc5e1935c1@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 8b6c1f402feb9eb6438003a312d7ffe8d5669896 Author: deraadt at openbsd.org AuthorDate: Mon Aug 11 14:37:43 2025 +0000 upstream: Handle localtime_r() failure by return "UNKNOWN-TIME" which is only used in user-visible contexts. freebsd 288773 shows their localtime_r() has failed at least once for unknown reason. discussed with djm OpenBSD-Commit-ID: 68f4c92d46b2578d4594b0ed940958d597fd61ac --- misc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/misc.c b/misc.c index 838a7f788..2e77eeb88 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.201 2025/07/31 11:23:39 job Exp $ */ +/* $OpenBSD: misc.c,v 1.202 2025/08/11 14:37:43 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved. @@ -2540,8 +2540,10 @@ format_absolute_time(uint64_t t, char *buf, size_t len) time_t tt = t > SSH_TIME_T_MAX ? SSH_TIME_T_MAX : t; struct tm tm; - localtime_r(&tt, &tm); - strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm); + if (localtime_r(&tt, &tm) == NULL) + strlcpy(buf, "UNKNOWN-TIME", len); + else + strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm); } /* -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Wed Aug 13 09:21:01 2025 
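Review bot: the localtime_r() failure is now handled, but the strftime() return value in the else branch is still ignored; when `len` is too small for the formatted string it returns 0 and the contents of `buf` are unspecified, which would surface as garbage in exactly the user-visible contexts this change is worried about. Suggest folding that case into the same fallback, e.g. `if (localtime_r(&tt, &tm) == NULL || strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm) == 0) strlcpy(buf, "UNKNOWN-TIME", len);`.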
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Wed, 13 Aug 2025 09:21:01 +1000 Subject: [openssh-commits] [openssh] 02/02: upstream: fix typo, ok markus dtucker In-Reply-To: <175504084742.46513.17219787103151789045@fuyu.mindrot.org> References: <175504084742.46513.17219787103151789045@fuyu.mindrot.org> Message-ID: <2f5e60fe397798bf@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit ab5074dfb614e3801fecbd376d8ed4cea613c629 Author: sthen at openbsd.org AuthorDate: Tue Aug 12 11:09:48 2025 +0000 upstream: fix typo, ok markus dtucker OpenBSD-Commit-ID: 8f223da7633752162c64a659c6cf55202703d870 --- sshconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sshconnect.c b/sshconnect.c index 09e937c9e..d2c8cf0bd 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.372 2025/08/11 10:55:38 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.373 2025/08/12 11:09:48 sthen Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1583,7 +1583,7 @@ out: static void warn_nonpq_kex(void) { - logit("** WARNING: connection is not using a post-quantum kex exchange algorithm."); + logit("** WARNING: connection is not using a post-quantum key exchange algorithm."); logit("** This session may be vulnerable to \"store now, decrypt later\" attacks."); logit("** The server may need to be upgraded. See https://openssh.com/pq.html"); } -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 14 20:52:43 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 14 Aug 2025 20:52:43 +1000 Subject: [openssh-commits] [openssh] branch master updated (ab5074dfb -> 32deb00b3) Message-ID: <175516876299.82650.483748839743760585@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a change to branch master in repository openssh. from ab5074dfb upstream: fix typo, ok markus dtucker new fde5a4d2c upstream: Cast serial no for %lld to prevent compiler warnings on some new 883886c95 upstream: Cast serial no for %lld to prevent compiler warnings on some new 32deb00b3 upstream: Cast serial no for %lld to prevent compiler warnings on some The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit 32deb00b38b4ee2b3302f261ea1e68c04e020a08 Author: dtucker at openbsd.org Date: Thu Aug 14 10:03:44 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: afadd741622f16c6733d461c0d6053ed52868a57 commit 883886c959ecab152650e231335857eb3193c662 Author: dtucker at openbsd.org Date: Thu Aug 14 09:44:39 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: 46c6063284d318f7e4dc922479a3e394c94b0588 commit fde5a4d2cd01bea700439fa6d5bbad88e65c99bd Author: dtucker at openbsd.org Date: Thu Aug 14 09:26:53 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: 15644234b58abc9c6da2994f0422a5aa344a9e89 Summary of changes: auth2-hostbased.c | 5 +++-- auth2-pubkey.c | 4 ++-- auth2-pubkeyfile.c | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. 
From git+noreply at mindrot.org Thu Aug 14 20:52:44 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 14 Aug 2025 20:52:44 +1000 Subject: [openssh-commits] [openssh] 01/03: upstream: Cast serial no for %lld to prevent compiler warnings on some In-Reply-To: <175516876299.82650.483748839743760585@fuyu.mindrot.org> References: <175516876299.82650.483748839743760585@fuyu.mindrot.org> Message-ID: <2f5e61093dd0c0eb@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. commit fde5a4d2cd01bea700439fa6d5bbad88e65c99bd Author: dtucker at openbsd.org AuthorDate: Thu Aug 14 09:26:53 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: 15644234b58abc9c6da2994f0422a5aa344a9e89 --- auth2-hostbased.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e28134a1a..9d8b860eb 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.54 2025/08/06 04:53:04 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.55 2025/08/14 09:26:53 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -217,7 +217,8 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) fatal_f("sshkey_fingerprint fail"); error("Refusing certificate ID \"%s\" serial=%llu signed by " - "%s CA %s: %s", key->cert->key_id, key->cert->serial, + "%s CA %s: %s", key->cert->key_id, + (unsigned long long)key->cert->serial, sshkey_type(key->cert->signature_key), fp, reason); auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s", key->cert->key_id, (unsigned long long)key->cert->serial, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 14 20:52:45 2025 
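Review bot: the commit subject says %lld, but both format strings in this hunk use %llu, so the (unsigned long long) cast is the right one and only the subject line is imprecise. The auth_debug_add() call at the end of the hunk already carried the cast ("(unsigned long long)key->cert->serial"); the change brings the error() call into line with it, and the re-wrapped argument list keeps the logging arguments in the same order as the format.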
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 14 Aug 2025 20:52:45 +1000 Subject: [openssh-commits] [openssh] 02/03: upstream: Cast serial no for %lld to prevent compiler warnings on some In-Reply-To: <175516876299.82650.483748839743760585@fuyu.mindrot.org> References: <175516876299.82650.483748839743760585@fuyu.mindrot.org> Message-ID: <2f5e610b4be07c25@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. commit 883886c959ecab152650e231335857eb3193c662 Author: dtucker at openbsd.org AuthorDate: Thu Aug 14 09:44:39 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: 46c6063284d318f7e4dc922479a3e394c94b0588 --- auth2-pubkey.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 221b242f8..d7704e510 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.123 2025/08/06 04:53:04 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.124 2025/08/14 09:44:39 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -592,7 +592,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key, fail_reason: error("Refusing certificate ID \"%s\" serial=%llu " "signed by %s CA %s: %s", key->cert->key_id, - key->cert->serial, + (unsigned long long)key->cert->serial, sshkey_type(key->cert->signature_key), ca_fp, reason); auth_debug_add("Refused Certificate ID \"%s\" " -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Thu Aug 14 20:52:46 2025 
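Review bot: only the error() call is cast in this hunk; the auth_debug_add() call whose format begins in the trailing context ("Refused Certificate ID \"%s\" ") continues outside the shown lines, so confirm its serial argument carries the same (unsigned long long) cast as the auth2-hostbased.c and auth2-pubkeyfile.c changes of this series, otherwise the warning the series is meant to silence will still fire here.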
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Thu, 14 Aug 2025 20:52:46 +1000 Subject: [openssh-commits] [openssh] 03/03: upstream: Cast serial no for %lld to prevent compiler warnings on some In-Reply-To: <175516876299.82650.483748839743760585@fuyu.mindrot.org> References: <175516876299.82650.483748839743760585@fuyu.mindrot.org> Message-ID: <2f5e610dcee42010@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. dtucker pushed a commit to branch master in repository openssh. commit 32deb00b38b4ee2b3302f261ea1e68c04e020a08 Author: dtucker at openbsd.org AuthorDate: Thu Aug 14 10:03:44 2025 +0000 upstream: Cast serial no for %lld to prevent compiler warnings on some platforms. OpenBSD-Commit-ID: afadd741622f16c6733d461c0d6053ed52868a57 --- auth2-pubkeyfile.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c index 531a266ac..9d59e5666 100644 --- a/auth2-pubkeyfile.c +++ b/auth2-pubkeyfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkeyfile.c,v 1.5 2025/08/06 04:53:04 djm Exp $ */ +/* $OpenBSD: auth2-pubkeyfile.c,v 1.6 2025/08/14 10:03:44 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2010 Damien Miller. All rights reserved. @@ -389,8 +389,8 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key, cert_fail_reason: error("Refusing certificate ID \"%s\" serial=%llu " "signed by %s CA %s via %s: %s", key->cert->key_id, - key->cert->serial, sshkey_type(key->cert->signature_key), - fp, loc, reason); + (unsigned long long)key->cert->serial, + sshkey_type(key->cert->signature_key), fp, loc, reason); auth_debug_add("Refused Certificate ID \"%s\" serial=%llu: %s", key->cert->key_id, (unsigned long long)key->cert->serial, reason); goto out; -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:46 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:46 +1000 Subject: [openssh-commits] [openssh] branch master updated (32deb00b3 -> dc5147028) Message-ID: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch master in repository openssh. from 32deb00b3 upstream: Cast serial no for %lld to prevent compiler warnings on some new a00f5b02e handle futex_time64 properly in seccomp sandbox new 3a039108b allow some socket syscalls in seccomp sandbox new 80b5ffd22 upstream: make -E a no-op in sshd-auth. Redirecting logging to a new 9b61679d7 upstream: add channel_report_open() to report (to logs) open new f807a598c upstream: SIGINFO handler for ssh(1) to dump active new dc5147028 upstream: SIGINFO handler for sshd(8) to dump active The 6 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. 
Detailed log of new commits: commit dc5147028ff19213a32281dad07bba02e58da3fa Author: djm at openbsd.org Date: Mon Aug 18 03:29:11 2025 +0000 upstream: SIGINFO handler for sshd(8) to dump active channels/sessions ok deraadt@ OpenBSD-Commit-ID: 9955cb6d157c6d7aa23a819e8ef61b1edabc8b7d commit f807a598c96be683d97810481e954ec9db6b0027 Author: djm at openbsd.org Date: Mon Aug 18 03:28:36 2025 +0000 upstream: SIGINFO handler for ssh(1) to dump active channels/sessions ok deraadt@ OpenBSD-Commit-ID: 12f88a5044bca40ef5f41ff61b1755d0e25df901 commit 9b61679d73a8a001c25ab308db8a3162456010cf Author: djm at openbsd.org Date: Mon Aug 18 03:28:02 2025 +0000 upstream: add channel_report_open() to report (to logs) open channels; ok deraadt@ (as part of bigger diff) OpenBSD-Commit-ID: 7f691e25366c5621d7ed6f7f9018d868f7511c0d commit 80b5ffd22abd4093201939e31d1ea6dc8cc7913a Author: djm at openbsd.org Date: Mon Aug 18 01:59:53 2025 +0000 upstream: make -E a no-op in sshd-auth. Redirecting logging to a file doesn't work in this program as logging already goes via the parent sshd-session process. ok dtucker@ OpenBSD-Commit-ID: 73325b9e69364117c18305f896c620a3abcf4f87 commit 3a039108bd25ff10047d7fa64750ed7df10c717c Author: Damien Miller Date: Mon Aug 18 13:46:37 2025 +1000 allow some socket syscalls in seccomp sandbox Allow getsockname(2), getpeername(2) and getsockopt(2). Also allow setsockopt(2) but only IP_TOS and IPV6_TCLASS. Note that systems that use the older socketcall(2) mux syscall will not have IP_TOS and IPV6_TCLASS allowlisted. On these platforms, these calls will be soft-blocked (i.e. will fail rather than terminate the whole process with a sandbox violation). Needed for upcoming IPQoS change; ok dtucker@ commit a00f5b02e171bc6d6fb130050afb7a08f5ece1d8 Author: Damien Miller Date: Mon Aug 18 13:44:53 2025 +1000 handle futex_time64 properly in seccomp sandbox Previously we only allowed __NR_futex, but some 32-bit systems apparently support __NR_futex_time64. 
We had support for this in the sandbox, but because of a macro error only __NR_futex was allowlisted. ok dtucker@ Summary of changes: channels.c | 17 ++++++++++++++- channels.h | 3 ++- clientloop.c | 20 ++++++++++++++--- sandbox-seccomp-filter.c | 56 ++++++++++++++++++++++++++++++++++++++++++------ serverloop.c | 20 ++++++++++++++--- sshd-auth.c | 21 ++---------------- 6 files changed, 104 insertions(+), 33 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:47 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:47 +1000 Subject: [openssh-commits] [openssh] 01/06: handle futex_time64 properly in seccomp sandbox In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e612dcf7e15d2@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit a00f5b02e171bc6d6fb130050afb7a08f5ece1d8 Author: Damien Miller AuthorDate: Mon Aug 18 13:44:53 2025 +1000 handle futex_time64 properly in seccomp sandbox Previously we only allowed __NR_futex, but some 32-bit systems apparently support __NR_futex_time64. We had support for this in the sandbox, but because of a macro error only __NR_futex was allowlisted. ok dtucker@ --- sandbox-seccomp-filter.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b31062c2b..827cb61ee 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c 
@@ -180,12 +180,12 @@ /* Use this for both __NR_futex and __NR_futex_time64 */ # define SC_FUTEX(_nr) \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT), \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAIT_BITSET), \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE), \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_WAKE_BITSET), \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_REQUEUE), \ - SC_ALLOW_FUTEX_OP(__NR_futex, FUTEX_CMP_REQUEUE) + SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT), \ + SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAIT_BITSET), \ + SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE), \ + SC_ALLOW_FUTEX_OP(_nr, FUTEX_WAKE_BITSET), \ + SC_ALLOW_FUTEX_OP(_nr, FUTEX_REQUEUE), \ + SC_ALLOW_FUTEX_OP(_nr, FUTEX_CMP_REQUEUE) #endif /* __NR_futex || __NR_futex_time64 */ #if defined(__NR_mmap) || defined(__NR_mmap2) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:48 2025 
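Review bot: the defect was that the macro body ignored its _nr parameter, so an SC_FUTEX(__NR_futex_time64) instantiation expanded to a second copy of the __NR_futex rules and futex_time64 was never allowlisted; replacing __NR_futex with _nr in all six rules is the complete fix. Since the #endif comment covers both syscalls, the invocation sites (outside this hunk) should be checked to instantiate SC_FUTEX(__NR_futex_time64) under its own #ifdef so 32-bit platforms that provide only the time64 variant get the rules.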
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:48 +1000 Subject: [openssh-commits] [openssh] 02/06: allow some socket syscalls in seccomp sandbox In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e612f9fd54b4c@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 3a039108bd25ff10047d7fa64750ed7df10c717c Author: Damien Miller AuthorDate: Mon Aug 18 13:46:37 2025 +1000 allow some socket syscalls in seccomp sandbox Allow getsockname(2), getpeername(2) and getsockopt(2). Also allow setsockopt(2) but only IP_TOS and IPV6_TCLASS. Note that systems that use the older socketcall(2) mux syscall will not have IP_TOS and IPV6_TCLASS allowlisted. On these platforms, these calls will be soft-blocked (i.e. will fail rather than terminate the whole process with a sandbox violation). Needed for upcoming IPQoS change; ok dtucker@ --- sandbox-seccomp-filter.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 827cb61ee..a8f34a76c 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -49,6 +49,8 @@ #include #include +#include + #include #include #include 
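Review bot: the added header's name has been stripped from the archived hunk (the angle-bracketed include names are missing from every #include line in this context), so the include itself cannot be reviewed from this mail; whatever it is, the SC_ALLOW_SETSOCKOPT rules added later in this patch need the header that defines IPPROTO_IP/IP_TOS and IPPROTO_IPV6/IPV6_TCLASS to be included before the preauth_insns table, and on systems where those constants come from different headers a missing one will show up only as a compile error on that platform.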
@@ -200,6 +202,32 @@ SC_ALLOW_ARG_MASK(_nr, 2, PROT_READ|PROT_WRITE|PROT_NONE) #endif /* __NR_mmap || __NR_mmap2 */ +/* Special handling for setsockopt(2) */ +#define SC_ALLOW_SETSOCKOPT(_level, _optname) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_setsockopt, 0, 10), \ + /* load and test level, low word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[1]) + ARG_LO_OFFSET), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \ + ((_level) & 0xFFFFFFFF), 0, 7), \ + /* load and test level high word is zero */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[1]) + ARG_HI_OFFSET), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5), \ + /* load and test optname, low word */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[2]) + ARG_LO_OFFSET), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \ + ((_optname) & 0xFFFFFFFF), 0, 3), \ + /* load and test level high word is zero */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[2]) + ARG_HI_OFFSET), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ + /* reload syscall number; all rules expect it in accumulator */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, nr)) + /* Syscall filtering set for preauth. */ static const struct sock_filter preauth_insns[] = { /* Ensure the syscall arch convention is as expected. */ 
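Review bot: the comment before the optname high-word test reads "load and test level high word is zero", a copy of the earlier comment; it should say optname. The jump offsets check out: each false branch (7, 5, 3, 1) lands on the trailing "reload syscall number" BPF_STMT, and the initial jf of 10 skips the entire 11-instruction rule, so the accumulator holds the syscall number again when the next rule runs. Testing both 32-bit halves of args[1] and args[2] is what prevents a level or optname with nonzero upper bits from matching the allowed (IPPROTO_IP, IP_TOS) and (IPPROTO_IPV6, IPV6_TCLASS) pairs.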
@@ -398,7 +426,23 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_writev SC_ALLOW(__NR_writev), #endif +#ifdef __NR_getsockopt + SC_ALLOW(__NR_getsockopt), +#endif +#ifdef __NR_getsockname + SC_ALLOW(__NR_getsockname), +#endif +#ifdef __NR_getpeername + SC_ALLOW(__NR_getpeername), +#endif +#ifdef __NR_setsockopt + SC_ALLOW_SETSOCKOPT(IPPROTO_IPV6, IPV6_TCLASS), + SC_ALLOW_SETSOCKOPT(IPPROTO_IP, IP_TOS), +#endif #ifdef __NR_socketcall + SC_ALLOW_ARG(__NR_socketcall, 0, SYS_GETPEERNAME), + SC_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKNAME), + SC_ALLOW_ARG(__NR_socketcall, 0, SYS_GETSOCKOPT), SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), SC_DENY(__NR_socketcall, EACCES), #endif -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:49 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:49 +1000 Subject: [openssh-commits] [openssh] 03/06: upstream: make -E a no-op in sshd-auth. Redirecting logging to a In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e613127ef0422@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 80b5ffd22abd4093201939e31d1ea6dc8cc7913a Author: djm at openbsd.org AuthorDate: Mon Aug 18 01:59:53 2025 +0000 upstream: make -E a no-op in sshd-auth. Redirecting logging to a file doesn't work in this program as logging already goes via the parent sshd-session process. ok dtucker@ OpenBSD-Commit-ID: 73325b9e69364117c18305f896c620a3abcf4f87 --- sshd-auth.c | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/sshd-auth.c b/sshd-auth.c index 5de06a5ba..6bf596e7a 100644 --- a/sshd-auth.c +++ b/sshd-auth.c 
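Checking the jump offsets of an argument-inspecting seccomp rule like SC_ALLOW_SETSOCKOPT is easier off-box than by provoking sandbox violations. The following is an added example, not code from the OpenSSH patch (02/06) above: it copies the SC_ALLOW_SETSOCKOPT rule from that patch into a tiny classic-BPF interpreter over a kernel-layout struct seccomp_data and evaluates the policy for several setsockopt(2) argument combinations. The BPF opcode values, SECCOMP_RET_* constants and struct layouts are the real Linux ones but are defined locally so the program also builds on non-Linux hosts; SIM_NR_setsockopt (54, the x86_64 number) is a constructed stand-in for __NR_setsockopt, and the surrounding policy (soft-block every other setsockopt call with EACCES, allow everything else) is a reduced stand-in for the real preauth_insns table.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Classic-BPF opcodes with the same values as <linux/filter.h>, defined
 * locally so the simulator builds without kernel headers. */
#define BPF_LD  0x00
#define BPF_W   0x00
#define BPF_ABS 0x20
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_K   0x00
#define BPF_RET 0x06
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }

/* Kernel struct seccomp_data layout; 64-bit args are tested as 32-bit halves. */
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
# define ARG_LO_OFFSET 4
# define ARG_HI_OFFSET 0
#else
# define ARG_LO_OFFSET 0
# define ARG_HI_OFFSET 4
#endif

#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ERRNO        0x00050000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define SC_RET_ERRNO(e) (SECCOMP_RET_ERRNO | ((uint32_t)(e) & 0xffffU))

/* Constructed stand-in for __NR_setsockopt (the x86_64 value). */
#define SIM_NR_setsockopt 54

/* The rule from the patch with only the syscall constant swapped. Every false
 * branch lands on the trailing "reload nr" load (11th instruction); the first
 * jump's jf of 10 skips the whole rule when the syscall number differs. */
#define SC_ALLOW_SETSOCKOPT(_level, _optname) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SIM_NR_setsockopt, 0, 10), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, args[1]) + ARG_LO_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ((_level) & 0xFFFFFFFF), 0, 7), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, args[1]) + ARG_HI_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, args[2]) + ARG_LO_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ((_optname) & 0xFFFFFFFF), 0, 3), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, args[2]) + ARG_HI_OFFSET), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr))

/* Toy policy: the two QoS options are allowed, any other setsockopt(2) is
 * soft-blocked with EACCES, and (demo only) every other syscall is allowed. */
static const struct sock_filter qos_insns[] = {
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
	SC_ALLOW_SETSOCKOPT(IPPROTO_IPV6, IPV6_TCLASS),
	SC_ALLOW_SETSOCKOPT(IPPROTO_IP, IP_TOS),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SIM_NR_setsockopt, 0, 1),
	BPF_STMT(BPF_RET+BPF_K, SC_RET_ERRNO(EACCES)),
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
};

/* Interpret the three instruction forms the rules use. A bad load, unknown
 * opcode or running off the end returns KILL_PROCESS; the real kernel
 * verifier rejects such programs at load time. */
uint32_t seccomp_run(const struct sock_filter *prog, size_t n,
    const struct seccomp_data *d)
{
	uint32_t acc = 0;
	size_t pc = 0;

	while (pc < n) {
		const struct sock_filter *ins = &prog[pc];
		switch (ins->code) {
		case BPF_LD+BPF_W+BPF_ABS:
			if ((size_t)ins->k + 4 > sizeof(*d))
				return SECCOMP_RET_KILL_PROCESS;
			memcpy(&acc, (const unsigned char *)d + ins->k, 4);
			pc++;
			break;
		case BPF_JMP+BPF_JEQ+BPF_K:
			pc += 1 + (acc == ins->k ? ins->jt : ins->jf);
			break;
		case BPF_RET+BPF_K:
			return ins->k;
		default:
			return SECCOMP_RET_KILL_PROCESS;
		}
	}
	return SECCOMP_RET_KILL_PROCESS;
}

/* Evaluate the policy for setsockopt(fd, level, optname, ...) on syscall nr. */
uint32_t check_setsockopt(int nr, uint64_t level, uint64_t optname)
{
	struct seccomp_data d;

	memset(&d, 0, sizeof(d));
	d.nr = nr;
	d.args[1] = level;
	d.args[2] = optname;
	return seccomp_run(qos_insns, sizeof(qos_insns) / sizeof(qos_insns[0]), &d);
}
```

The high-word cases are the instructive ones: a level of (1<<32)|IPPROTO_IP has the correct low word but fails the high-word test and ends up soft-blocked, which is exactly why the rule loads both halves of each 64-bit argument instead of only the low word.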
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-auth.c,v 1.4 2025/05/06 05:40:56 djm Exp $ */ +/* $OpenBSD: sshd-auth.c,v 1.5 2025/08/18 01:59:53 djm Exp $ */ /* * SSH2 implementation: * Privilege Separation: @@ -445,7 +445,7 @@ main(int ac, char **av) extern int optind; int r, opt, have_key = 0; int sock_in = -1, sock_out = -1, rexeced_flag = 0; - char *line, *logfile = NULL; + char *line; u_int i; mode_t new_umask; Authctxt *authctxt; @@ -508,11 +508,7 @@ main(int ac, char **av) options.log_level++; break; case 'D': - /* ignore */ - break; case 'E': - logfile = optarg; - /* FALLTHROUGH */ case 'e': /* ignore */ break; @@ -601,19 +597,6 @@ main(int ac, char **av) OpenSSL_add_all_algorithms(); #endif - /* If requested, redirect the logs to the specified logfile. */ - if (logfile != NULL) { - char *cp, pid_s[32]; - - snprintf(pid_s, sizeof(pid_s), "%ld", (unsigned long)getpid()); - cp = percent_expand(logfile, - "p", pid_s, - "P", "sshd-auth", - (char *)NULL); - log_redirect_stderr_to(cp); - free(cp); - } - log_init(__progname, options.log_level == SYSLOG_LEVEL_NOT_SET ? SYSLOG_LEVEL_INFO : options.log_level, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:51 2025 
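Review bot: with 'E' now falling through to the 'e' ignore case, the getopt(3) option string (outside this hunk) must still declare E as taking an argument ("E:"); otherwise a parent sshd-session that still passes "-E path" would have the path consumed as further option letters rather than skipped. The removed block was the only use of percent_expand() and log_redirect_stderr_to() visible here, so check that no now-unused include or variable remains; logfile itself is correctly dropped in the first hunk.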
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:51 +1000 Subject: [openssh-commits] [openssh] 05/06: upstream: SIGINFO handler for ssh(1) to dump active In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e61358026f52c@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit f807a598c96be683d97810481e954ec9db6b0027 Author: djm at openbsd.org AuthorDate: Mon Aug 18 03:28:36 2025 +0000 upstream: SIGINFO handler for ssh(1) to dump active channels/sessions ok deraadt@ OpenBSD-Commit-ID: 12f88a5044bca40ef5f41ff61b1755d0e25df901 --- clientloop.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/clientloop.c b/clientloop.c index 5f6577f65..b9c050409 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.412 2025/06/17 01:20:17 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.413 2025/08/18 03:28:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -147,7 +147,8 @@ extern char *forward_agent_sock_path; * because this is updated in a signal handler. */ static volatile sig_atomic_t received_window_change_signal = 0; -static volatile sig_atomic_t received_signal = 0; +static volatile sig_atomic_t siginfo_received = 0; +static volatile sig_atomic_t received_signal = 0; /* exit signals */ /* Time when backgrounded control master using ControlPersist should exit */ static time_t control_persist_exit_time = 0; @@ -224,6 +225,13 @@ window_change_handler(int sig) received_window_change_signal = 1; } +/* Signal handler for SIGINFO */ +static void +siginfo_handler(int sig) +{ + siginfo_received = 1; +} + /* * Signal handler for signals that cause the program to terminate. These * signals must be trapped to restore terminal modes. 
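Review bot: the new siginfo_received flag is a volatile sig_atomic_t and the handler does nothing but store to it, which is the correct async-signal-safe pattern; the actual reporting is deferred to the main loop. Keeping the flag separate from received_signal (now commented "exit signals") is right, since SIGINFO must not trigger the terminate-and-restore-tty path.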
@@ -1514,6 +1522,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) ssh_signal(SIGTERM, signal_handler); ssh_signal(SIGWINCH, window_change_handler); + ssh_signal(SIGINFO, siginfo_handler); if (have_pty) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); @@ -1536,7 +1545,8 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, sigaddset(&bsigset, SIGHUP) == -1 || sigaddset(&bsigset, SIGINT) == -1 || sigaddset(&bsigset, SIGQUIT) == -1 || - sigaddset(&bsigset, SIGTERM) == -1) + sigaddset(&bsigset, SIGTERM) == -1 || + sigaddset(&bsigset, SIGINFO) == -1) error_f("bsigset setup: %s", strerror(errno)); /* Main loop of the client for the interactive session mode. */ @@ -1577,6 +1587,10 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, */ if (sigprocmask(SIG_BLOCK, &bsigset, &osigset) == -1) error_f("bsigset sigprocmask: %s", strerror(errno)); + if (siginfo_received) { + siginfo_received = 0; + channel_report_open(ssh, SYSLOG_LEVEL_INFO); + } if (quit_pending) break; client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc, -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:50 2025 
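Review bot: the flag is checked only after sigprocmask(SIG_BLOCK, &bsigset, ...) and before client_wait_until_can_do_something(), and SIGINFO is added to bsigset, so a signal arriving between the check and the wait is deferred rather than lost, provided the wait keeps using the saved osigset as the existing exit-signal handling does. SIGINFO is a BSD signal with no POSIX equivalent, and both ssh_signal(SIGINFO, ...) and sigaddset(..., SIGINFO) are unconditional here, so platforms that lack it need a SIGINFO definition that this upstream diff does not provide.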
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:50 +1000 Subject: [openssh-commits] [openssh] 04/06: upstream: add channel_report_open() to report (to logs) open In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e6133de54acf5@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 9b61679d73a8a001c25ab308db8a3162456010cf Author: djm at openbsd.org AuthorDate: Mon Aug 18 03:28:02 2025 +0000 upstream: add channel_report_open() to report (to logs) open channels; ok deraadt@ (as part of bigger diff) OpenBSD-Commit-ID: 7f691e25366c5621d7ed6f7f9018d868f7511c0d --- channels.c | 17 ++++++++++++++++- channels.h | 3 ++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/channels.c b/channels.c index 0efbd8d17..9d5631017 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.446 2025/06/02 14:09:34 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.447 2025/08/18 03:28:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1096,6 +1096,21 @@ channel_open_message(struct ssh *ssh) return ret; } +void +channel_report_open(struct ssh *ssh, int level) +{ + char *open, *oopen, *cp, ident[256]; + + sshpkt_fmt_connection_id(ssh, ident, sizeof(ident)); + do_log2(level, "Connection: %s (pid %ld)", ident, (long)getpid()); + open = oopen = channel_open_message(ssh); + while ((cp = strsep(&open, "\r\n")) != NULL) { + if (*cp != '\0') + do_log2(level, "%s", cp); + } + free(oopen); +} + static void open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) { diff --git a/channels.h b/channels.h index 134528d59..1bfade4c5 100644 --- a/channels.h +++ b/channels.h 
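Review bot: the local named `open` shadows open(2); renaming it (for example `msg`) avoids -Wshadow noise. The rest is sound: strsep(&open, "\r\n") splits on either character and so yields an empty token between each \r and \n, which the `*cp != '\0'` test correctly skips, and oopen preserves the original pointer so free() receives the allocation returned by channel_open_message(). Logging the connection identifier and pid first is what makes the dump attributable in syslog when several sshd-session processes report at once.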
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.158 2024/10/13 22:20:06 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.159 2025/08/18 03:28:02 djm Exp $ */ /* * Author: Tatu Ylonen @@ -344,6 +344,7 @@ int channel_still_open(struct ssh *); int channel_tty_open(struct ssh *); const char *channel_format_extended_usage(const Channel *); char *channel_open_message(struct ssh *); +void channel_report_open(struct ssh *, int); int channel_find_open(struct ssh *); /* tcp forwarding */ -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:56:52 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:56:52 +1000 Subject: [openssh-commits] [openssh] 06/06: upstream: SIGINFO handler for sshd(8) to dump active In-Reply-To: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> References: <175548940666.40956.4682567416337978351@fuyu.mindrot.org> Message-ID: <2f5e6137172029ee@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit dc5147028ff19213a32281dad07bba02e58da3fa Author: djm at openbsd.org AuthorDate: Mon Aug 18 03:29:11 2025 +0000 upstream: SIGINFO handler for sshd(8) to dump active channels/sessions ok deraadt@ OpenBSD-Commit-ID: 9955cb6d157c6d7aa23a819e8ef61b1edabc8b7d --- serverloop.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/serverloop.c b/serverloop.c index 40ddfb042..dc9628874 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.241 2024/11/26 22:01:37 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.242 2025/08/18 03:29:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -89,7 +89,8 @@ extern struct sshauthopt *auth_opts; static int no_more_sessions = 0; /* Disallow further sessions. */ -static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */ +static volatile sig_atomic_t child_terminated = 0; /* set on SIGCHLD */ +static volatile sig_atomic_t siginfo_received = 0; /* prototypes */ static void server_init_dispatch(struct ssh *); @@ -103,6 +104,12 @@ sigchld_handler(int sig) child_terminated = 1; } +static void +siginfo_handler(int sig) +{ + siginfo_received = 1; +} + static void client_alive_check(struct ssh *ssh) { @@ -326,9 +333,12 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) debug("Entering interactive session for SSH2."); - if (sigemptyset(&bsigset) == -1 || sigaddset(&bsigset, SIGCHLD) == -1) + if (sigemptyset(&bsigset) == -1 || + sigaddset(&bsigset, SIGCHLD) == -1 || + sigaddset(&bsigset, SIGINFO) == -1) error_f("bsigset setup: %s", strerror(errno)); ssh_signal(SIGCHLD, sigchld_handler); + ssh_signal(SIGINFO, siginfo_handler); child_terminated = 0; connection_in = ssh_packet_get_connection_in(ssh); connection_out = ssh_packet_get_connection_out(ssh); @@ -350,6 +360,10 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) if (sigprocmask(SIG_BLOCK, &bsigset, &osigset) == -1) error_f("bsigset sigprocmask: %s", strerror(errno)); collect_children(ssh); + if (siginfo_received) { + siginfo_received = 0; + channel_report_open(ssh, SYSLOG_LEVEL_INFO); + } wait_until_can_do_something(ssh, connection_in, connection_out, &pfd, &npfd_alloc, &npfd_active, &osigset, &conn_in_ready, &conn_out_ready); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 13:57:48 2025 
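Review bot: unlike child_terminated, which is reset to 0 right after its handler is installed, siginfo_received is not reset before the loop; harmless because the handler is first installed here, but resetting both would keep the two flags symmetric. Checking the flag after collect_children() while SIGCHLD and SIGINFO are blocked mirrors the clientloop.c change and avoids the check-then-sleep race, and emitting the dump at SYSLOG_LEVEL_INFO means the report lands in the server's normal log stream rather than only at debug levels.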
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 13:57:48 +1000 Subject: [openssh-commits] [openssh] branch master updated: upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS) Message-ID: <175548946834.13822.8257030866789350353@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new 289239046 upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS) 289239046 is described below commit 289239046b2c4b0076c14394ae9703a879e78706 Author: djm at openbsd.org AuthorDate: Mon Aug 18 03:43:01 2025 +0000 upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS) continually at runtime based on what sessions/channels are open. Previously, ssh(1) and sshd(8) would pick a QoS value when they were started and use it for the whole connection. This could produce suboptimal choices for the QoS value, e.g. for multiplexed sessions that started interactive but picked up a sftp client, or sessions that moved large amounts of data via port forwarding. Now the QoS value will change to the non-interactive IPQoS whenever a "non-interactive" channel is open; basically any channel that lacks a tty other than agent forwarding. This is important now that the default interactive IPQoS is EF (Expedited Forwarding), as many networks are configured to allow only relatively small amounts of traffic of this class and they will aggressively deprioritise the entire connection if this is exceeded. NB. because ssh(1) and sshd(8) now change IP_TOS/IPV6_TCLASS continually via setsockopt(), this commit requires a recent pledge(2) change that landed recently in the OpenBSD kernel. Please ensure you have updated to a kernel from within the last two weeks before updating OpenSSH. 
with job@ deraadt@ OpenBSD-Commit-ID: 325fc41717eecdf5e4b534bfa8d66817425b840f --- channels.c | 46 ++++++++++++++++++++++++++++++++---- channels.h | 9 +++++++- clientloop.c | 13 +++++++---- misc.c | 6 ++++- mux.c | 4 +++- packet.c | 73 ++++++++++++++++++++++++++++++++++++++++------------------ packet.h | 5 ++-- serverloop.c | 9 +++++++- session.c | 7 +----- ssh.c | 27 +++++++--------------- sshd-auth.c | 4 +++- sshd-session.c | 4 +++- 12 files changed, 142 insertions(+), 65 deletions(-) diff --git a/channels.c b/channels.c index 9d5631017..61cc8a008 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.447 2025/08/18 03:28:02 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.448 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -212,6 +212,10 @@ struct ssh_channels { /* Global timeout for all OPEN channels */ int global_deadline; time_t lastused; + /* pattern-lists used to classify channels as bulk */ + char *bulk_classifier_tty, *bulk_classifier_notty; + /* Number of active bulk channels (set by channel_handler) */ + u_int nbulk; }; /* helper */ @@ -239,6 +243,8 @@ channel_init_channels(struct ssh *ssh) sc->channels_alloc = 10; sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); sc->IPv4or6 = AF_UNSPEC; + sc->bulk_classifier_tty = xstrdup(CHANNEL_BULK_TTY); + sc->bulk_classifier_notty = xstrdup(CHANNEL_BULK_NOTTY); channel_handler_init(sc); ssh->chanctxt = sc; 
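Review bot: bulk_classifier_tty and bulk_classifier_notty are xstrdup()'d in channel_init_channels(), but no matching free() appears in the hunks of this patch; unless they are released in the channels teardown path, this is a small per-connection leak. If the lists are meant to stay fixed at CHANNEL_BULK_TTY/CHANNEL_BULK_NOTTY, const pointers to the defaults would avoid the allocation altogether; if they are meant to become configurable, a comment saying so would explain the copies.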
@@ -357,6 +363,17 @@ lookup_timeout(struct ssh *ssh, const char *type) return 0; } +static void +channel_classify(struct ssh *ssh, Channel *c) +{ + struct ssh_channels *sc = ssh->chanctxt; + const char *type = c->xctype == NULL ? c->ctype : c->xctype; + const char *classifier = c->isatty ? + sc->bulk_classifier_tty : sc->bulk_classifier_notty; + + c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1; +} + /* * Sets "extended type" of a channel; used by session layer to add additional * information about channel types (e.g. shell, login, subsystem) that can then @@ -375,6 +392,7 @@ channel_set_xtype(struct ssh *ssh, int id, const char *xctype) c->xctype = xstrdup(xctype); /* Type has changed, so look up inactivity deadline again */ c->inactive_deadline = lookup_timeout(ssh, c->xctype); + channel_classify(ssh, c); debug2_f("labeled channel %d as %s (inactive timeout %u)", id, xctype, c->inactive_deadline); } @@ -411,6 +429,13 @@ channel_get_expiry(struct ssh *ssh, Channel *c) return expiry; } +/* Returns non-zero if there is an open, non-interactive channel */ +int +channel_has_bulk(struct ssh *ssh) +{ + return ssh->chanctxt != NULL && ssh->chanctxt->nbulk != 0; +} + /* * Register filedescriptors for a channel, used when allocating a channel or * when the channel consumer/producer is ready, e.g. shell exec'd @@ -478,6 +503,7 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, } /* channel might be entering a larval state, so reset global timeout */ channel_set_used_time(ssh, NULL); + channel_classify(ssh, c); } /* 
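Review bot: channel_classify() can never mark a tty channel as bulk, since CHANNEL_BULK_TTY is the empty string and match_pattern_list() returns 0 on an empty list; that is presumably intended (a tty channel is interactive by definition) but deserves a comment at the definition. Classification also depends on c->isatty, so the ordering of re-classification matters: channel_set_xtype() and channel_register_fds() both re-run it, and a channel that gains a tty after those calls must be re-classified (the later channel_set_tty() hunk does this) before channel_handler() counts it.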
@@ -537,11 +563,19 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, c->delayed = 1; /* prevent call to channel_post handler */ c->inactive_deadline = lookup_timeout(ssh, c->ctype); TAILQ_INIT(&c->status_confirms); + channel_classify(ssh, c); debug("channel %d: new %s [%s] (inactive timeout: %u)", found, c->ctype, remote_name, c->inactive_deadline); return c; } +void +channel_set_tty(struct ssh *ssh, Channel *c) +{ + c->isatty = 1; + channel_classify(ssh, c); +} + int channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) { @@ -1019,7 +1053,7 @@ channel_format_status(const Channel *c) char *ret = NULL; xasprintf(&ret, "t%d [%s] %s%u %s%u i%u/%zu o%u/%zu e[%s]/%zu " - "fd %d/%d/%d sock %d cc %d %s%u io 0x%02x/0x%02x", + "fd %d/%d/%d sock %d cc %d %s%u io 0x%02x/0x%02x %s%s", c->type, c->xctype != NULL ? c->xctype : c->ctype, c->have_remote_id ? "r" : "nr", c->remote_id, c->mux_ctx != NULL ? "m" : "nm", c->mux_downstream_id, @@ -1028,7 +1062,8 @@ channel_format_status(const Channel *c) channel_format_extended_usage(c), sshbuf_len(c->extended), c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id, - c->io_want, c->io_ready); + c->io_want, c->io_ready, + c->isatty ? "T" : "", c->bulk ? "B" : "I"); return ret; } @@ -2621,10 +2656,13 @@ channel_handler(struct ssh *ssh, int table, struct timespec *timeout) time_t now; now = monotime(); - for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { + for (sc->nbulk = i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { c = sc->channels[i]; if (c == NULL) continue; + /* Count open channels in bulk state */ + if (c->type == SSH_CHANNEL_OPEN && c->bulk) + sc->nbulk++; /* Try to keep IO going while rekeying */ if (ssh_packet_is_rekeying(ssh) && c->type != SSH_CHANNEL_OPEN) continue; diff --git a/channels.h b/channels.h index 1bfade4c5..145ea2f69 100644 --- a/channels.h +++ b/channels.h 
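Review bot: nbulk is reset and recounted on every channel_handler() pass, so channel_has_bulk() reflects the previous pass rather than the instant a channel opens or closes; acceptable for a QoS hint, but callers should not treat it as exact. In channel_format_status() the new "%s%s" prints "T" and "B"/"I" with no separator, so a tty bulk channel renders as "TB"; a space or slash between the two flags would make the status line easier to read.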
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.159 2025/08/18 03:28:02 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.160 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen @@ -82,6 +82,10 @@ #define FORWARD_ADM 0x100 #define FORWARD_USER 0x101 +/* default pattern-lists used to classify channel types as bulk */ +#define CHANNEL_BULK_TTY "" +#define CHANNEL_BULK_NOTTY "direct-*,forwarded-*,tun-*,x11-*,session*" + struct ssh; struct Channel; typedef struct Channel Channel; @@ -180,6 +184,7 @@ struct Channel { char *ctype; /* const type - NB. not freed on channel_free */ char *xctype; /* extended type */ + int bulk; /* channel is non-interactive */ /* callback */ channel_open_fn *open_confirm; @@ -289,6 +294,7 @@ Channel *channel_new(struct ssh *, char *, int, int, int, int, u_int, u_int, int, const char *, int); void channel_set_fds(struct ssh *, int, int, int, int, int, int, int, u_int); +void channel_set_tty(struct ssh *, Channel *); void channel_free(struct ssh *, Channel *); void channel_free_all(struct ssh *); void channel_stop_listening(struct ssh *); @@ -308,6 +314,7 @@ void channel_register_status_confirm(struct ssh *, int, void channel_cancel_cleanup(struct ssh *, int); int channel_close_fd(struct ssh *, Channel *, int *); void channel_send_window_changes(struct ssh *); +int channel_has_bulk(struct ssh *); /* channel inactivity timeouts */ void channel_add_timeout(struct ssh *, const char *, int); diff --git a/clientloop.c b/clientloop.c index b9c050409..677bf40f0 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.413 2025/08/18 03:28:36 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.414 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -1455,7 +1455,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, struct pollfd *pfd = NULL; u_int npfd_alloc = 0, npfd_active = 0; double start_time, total_time; - int channel_did_enqueue = 0, r; + int interactive = -1, channel_did_enqueue = 0, r; u_int64_t ibytes, obytes; int conn_in_ready, conn_out_ready; sigset_t bsigset, osigset; @@ -1621,6 +1621,12 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, * sender. */ if (conn_out_ready) { + if (interactive != !channel_has_bulk(ssh)) { + interactive = !channel_has_bulk(ssh); + debug2_f("session QoS is now %s", interactive ? + "interactive" : "non-interactive"); + ssh_packet_set_interactive(ssh, interactive); + } if ((r = ssh_packet_write_poll(ssh)) != 0) { sshpkt_fatal(ssh, r, "%s: ssh_packet_write_poll", __func__); @@ -2706,9 +2712,6 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem, if ((c = channel_lookup(ssh, id)) == NULL) fatal_f("channel %d: unknown channel", id); - ssh_packet_set_interactive(ssh, want_tty, - options.ip_qos_interactive, options.ip_qos_bulk); - if (want_tty) { struct winsize ws; diff --git a/misc.c b/misc.c index 2e77eeb88..ef77a6b7f 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.202 2025/08/11 14:37:43 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.203 2025/08/18 03:43:01 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved. @@ -297,6 +297,10 @@ set_sock_tos(int fd, int tos) #ifndef IP_TOS_IS_BROKEN int af; + if (tos < 0 || tos == INT_MAX) { + debug_f("invalid TOS %d", tos); + return; + } switch ((af = get_sock_af(fd))) { case -1: /* assume not a socket */ diff --git a/mux.c b/mux.c index 1a4f357d4..542024e7a 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.104 2025/07/04 00:17:55 djm Exp $ */ +/* $OpenBSD: mux.c,v 1.105 2025/08/18 03:43:01 djm Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * 
@@ -460,6 +460,8 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid, nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, new_fd[0], new_fd[1], new_fd[2], window, packetmax, CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); + if (cctx->want_tty) + channel_set_tty(ssh, nc); nc->ctl_chan = c->self; /* link session -> control channel */ c->ctl_child_id = nc->self; /* link control -> session channel */ diff --git a/packet.c b/packet.c index 7f67f4fcd..b899fcafb 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.319 2025/08/06 23:44:09 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.320 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -210,8 +210,8 @@ struct session_state { /* Used in ssh_packet_send_mux() */ int mux; - /* Used in packet_set_interactive */ - int set_interactive_called; + /* QoS handling */ + int qos_interactive, qos_other; /* Used in packet_set_maxsize */ int set_maxsize_called; @@ -225,6 +225,9 @@ struct session_state { */ int disconnecting; + /* Nagle disabled on socket */ + int nodelay_set; + /* Hook for fuzzing inbound packets */ ssh_packet_hook_fn *hook_in; void *hook_in_ctx; @@ -253,6 +256,8 @@ ssh_alloc_session_state(void) state->connection_out = -1; state->max_packet_size = 32768; state->packet_timeout_ms = -1; + state->interactive_mode = 1; + state->qos_interactive = state->qos_other = -1; state->p_send.packets = state->p_read.packets = 0; state->initialized = 1; /* 
@@ -2212,37 +2217,44 @@ ssh_packet_interactive_data_to_write(struct ssh *ssh) sshbuf_len(ssh->state->output) < 256; } -void -ssh_packet_set_tos(struct ssh *ssh, int tos) +static void +apply_qos(struct ssh *ssh) { - if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX) + struct session_state *state = ssh->state; + int qos = state->interactive_mode ? + state->qos_interactive : state->qos_other; + + if (!ssh_packet_connection_is_on_socket(ssh)) return; - set_sock_tos(ssh->state->connection_in, tos); + if (!state->nodelay_set) { + set_nodelay(state->connection_in); + state->nodelay_set = 1; + } + set_sock_tos(ssh->state->connection_in, qos); } -/* Informs that the current session is interactive. Sets IP flags for that. */ - +/* Informs that the current session is interactive. */ void -ssh_packet_set_interactive(struct ssh *ssh, int interactive, int qos_interactive, int qos_bulk) +ssh_packet_set_interactive(struct ssh *ssh, int interactive) { struct session_state *state = ssh->state; - if (state->set_interactive_called) - return; - state->set_interactive_called = 1; - - /* Record that we are in interactive mode. */ state->interactive_mode = interactive; + apply_qos(ssh); +} - /* Only set socket options if using a socket. */ - if (!ssh_packet_connection_is_on_socket(ssh)) - return; - set_nodelay(state->connection_in); - ssh_packet_set_tos(ssh, interactive ? qos_interactive : qos_bulk); +/* Set QoS flags to be used for interactive and non-interactive sessions */ +void +ssh_packet_set_qos(struct ssh *ssh, int qos_interactive, int qos_other) +{ + struct session_state *state = ssh->state; + + state->qos_interactive = qos_interactive; + state->qos_other = qos_other; + apply_qos(ssh); } /* Returns true if the current connection is interactive. */ - int ssh_packet_is_interactive(struct ssh *ssh) { 
@@ -2421,6 +2433,7 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) struct session_state *state = ssh->state; int r; +#define ENCODE_INT(v) (((v) < 0) ? 0xFFFFFFFF : (u_int)v) if ((r = kex_to_blob(m, ssh->kex)) != 0 || (r = newkeys_to_blob(m, ssh, MODE_OUT)) != 0 || (r = newkeys_to_blob(m, ssh, MODE_IN)) != 0 || @@ -2435,9 +2448,12 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 || (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 || (r = sshbuf_put_stringb(m, state->input)) != 0 || - (r = sshbuf_put_stringb(m, state->output)) != 0) + (r = sshbuf_put_stringb(m, state->output)) != 0 || + (r = sshbuf_put_u32(m, ENCODE_INT(state->interactive_mode))) != 0 || + (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_interactive))) != 0 || + (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_other))) != 0) return r; - +#undef ENCODE_INT return 0; } @@ -2556,6 +2572,7 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) const u_char *input, *output; size_t ilen, olen; int r; + u_int interactive, qos_interactive, qos_other; if ((r = kex_from_blob(m, &ssh->kex)) != 0 || (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || @@ -2592,6 +2609,16 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_put(state->output, output, olen)) != 0) return r; + if ((r = sshbuf_get_u32(m, &interactive)) != 0 || + (r = sshbuf_get_u32(m, &qos_interactive)) != 0 || + (r = sshbuf_get_u32(m, &qos_other)) != 0) + return r; +#define DECODE_INT(v) ((v) > INT_MAX ? -1 : (v)) + state->interactive_mode = DECODE_INT(interactive); + state->qos_interactive = DECODE_INT(qos_interactive); + state->qos_other = DECODE_INT(qos_other); +#undef DECODE_INT + if (sshbuf_len(m)) return SSH_ERR_INVALID_FORMAT; debug3_f("done"); diff --git a/packet.h b/packet.h index 49bb87f07..6828476c7 100644 --- a/packet.h +++ b/packet.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.99 2024/08/15 00:51:51 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.100 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen @@ -111,8 +111,9 @@ int ssh_packet_check_rekey(struct ssh *); void ssh_packet_set_protocol_flags(struct ssh *, u_int); u_int ssh_packet_get_protocol_flags(struct ssh *); void ssh_packet_set_tos(struct ssh *, int); -void ssh_packet_set_interactive(struct ssh *, int, int, int); +void ssh_packet_set_interactive(struct ssh *, int); int ssh_packet_is_interactive(struct ssh *); +void ssh_packet_set_qos(struct ssh *, int, int); void ssh_packet_set_server(struct ssh *); void ssh_packet_set_authenticated(struct ssh *); void ssh_packet_set_mux(struct ssh *); diff --git a/serverloop.c b/serverloop.c index dc9628874..753f56388 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.242 2025/08/18 03:29:11 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.243 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -292,8 +292,15 @@ static void process_output(struct ssh *ssh, int connection_out) { int r; + static int interactive = -1; /* Send any buffered packet data to the client. */ + if (interactive != !channel_has_bulk(ssh)) { + interactive = !channel_has_bulk(ssh); + debug2_f("session QoS is now %s", interactive ? + "interactive" : "non-interactive"); + ssh_packet_set_interactive(ssh, interactive); + } if ((r = ssh_packet_write_poll(ssh)) != 0) { sshpkt_fatal(ssh, r, "%s: ssh_packet_write_poll", __func__); diff --git a/session.c b/session.c index 630e0e6a3..7b030793a 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.342 2025/05/05 02:48:06 djm Exp $ */ +/* $OpenBSD: session.c,v 1.343 2025/08/18 03:43:01 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -498,9 +498,6 @@ do_exec_no_pty(struct ssh *ssh, Session *s, const char *command) #endif s->pid = pid; - /* Set interactive/non-interactive mode. */ - ssh_packet_set_interactive(ssh, s->display != NULL, - options.ip_qos_interactive, options.ip_qos_bulk); /* * Clear loginmsg, since it's the child's responsibility to display @@ -628,8 +625,6 @@ do_exec_pty(struct ssh *ssh, Session *s, const char *command) /* Enter interactive session. */ s->ptymaster = ptymaster; - ssh_packet_set_interactive(ssh, 1, - options.ip_qos_interactive, options.ip_qos_bulk); session_set_fds(ssh, s, ptyfd, fdout, -1, 1, 1); return 0; } diff --git a/ssh.c b/ssh.c index b44a94313..58c254b93 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.614 2025/06/19 05:49:05 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.615 2025/08/18 03:43:01 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -758,7 +758,6 @@ main(int ac, char **av) fatal("Couldn't allocate session state"); channel_init_channels(ssh); - /* Parse command-line arguments. */ args = argv_assemble(ac, av); /* logged later */ host = NULL; @@ -1376,6 +1375,8 @@ main(int ac, char **av) if (options.port == 0) options.port = default_ssh_port(); channel_set_af(ssh, options.address_family); + ssh_packet_set_qos(ssh, options.ip_qos_interactive, + options.ip_qos_bulk); /* Tidy and check options */ if (options.host_key_alias != NULL) @@ -2182,7 +2183,7 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg) { extern char **environ; const char *display, *term; - int r, interactive = tty_flag; + int r; char *proto = NULL, *data = NULL; if (!success) @@ -2201,7 +2202,6 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg) data, 1); client_expect_confirm(ssh, id, "X11 forwarding", CONFIRM_WARN); /* XXX exit_on_forward_failure */ - interactive = 1; } check_agent_present(); 
@@ -2212,10 +2212,6 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg) fatal_fr(r, "send packet"); } - /* Tell the packet module whether this is an interactive session. */ - ssh_packet_set_interactive(ssh, interactive, - options.ip_qos_interactive, options.ip_qos_bulk); - if ((term = lookup_env_in_list("TERM", options.setenv, options.num_setenv)) == NULL || *term == '\0') term = getenv("TERM"); @@ -2252,8 +2248,9 @@ ssh_session2_open(struct ssh *ssh) "session", SSH_CHANNEL_OPENING, in, out, err, window, packetmax, CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); - - debug3_f("channel_new: %d", c->self); + if (tty_flag) + channel_set_tty(ssh, c); + debug3_f("channel_new: %d%s", c->self, tty_flag ? " (tty)" : ""); channel_send_open(ssh, c->self); if (options.session_type != SESSION_TYPE_NONE) @@ -2266,7 +2263,7 @@ ssh_session2_open(struct ssh *ssh) static int ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) { - int r, interactive, id = -1; + int r, id = -1; char *cp, *tun_fwd_ifname = NULL; /* XXX should be pre-session */ @@ -2322,14 +2319,6 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) if (options.session_type != SESSION_TYPE_NONE) id = ssh_session2_open(ssh); - else { - interactive = options.control_master == SSHCTL_MASTER_NO; - /* ControlPersist may have clobbered ControlMaster, so check */ - if (need_controlpersist_detach) - interactive = otty_flag != 0; - ssh_packet_set_interactive(ssh, interactive, - options.ip_qos_interactive, options.ip_qos_bulk); - } /* If we don't expect to open a new session, then disallow it */ if (options.control_master == SSHCTL_MASTER_NO && diff --git a/sshd-auth.c b/sshd-auth.c index 6bf596e7a..9dd086c4c 100644 --- a/sshd-auth.c +++ b/sshd-auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-auth.c,v 1.5 2025/08/18 01:59:53 djm Exp $ */ +/* $OpenBSD: sshd-auth.c,v 1.6 2025/08/18 03:43:01 djm Exp $ */ /* * SSH2 implementation: * Privilege Separation: 
@@ -652,6 +652,8 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); options.timing_secret = timing_secret; /* XXX eliminate from unpriv */ + ssh_packet_set_qos(ssh, options.ip_qos_interactive, + options.ip_qos_bulk); /* Reinit logging in case config set Level, Facility or Verbose. */ log_init(__progname, options.log_level, options.log_facility, 1); diff --git a/sshd-session.c b/sshd-session.c index 60f887e92..4aad8b6fe 100644 --- a/sshd-session.c +++ b/sshd-session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-session.c,v 1.13 2025/05/06 05:40:56 djm Exp $ */ +/* $OpenBSD: sshd-session.c,v 1.14 2025/08/18 03:43:01 djm Exp $ */ /* * SSH2 implementation: * Privilege Separation: @@ -1207,6 +1207,8 @@ main(int ac, char **av) fatal("Unable to create connection"); the_active_state = ssh; ssh_packet_set_server(ssh); + ssh_packet_set_qos(ssh, options.ip_qos_interactive, + options.ip_qos_bulk); check_ip_options(ssh); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 14:22:35 2025 
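Review bot: In the channels.h hunk, CHANNEL_BULK_NOTTY ends with `session*`, which matches any session channel that has not been marked with channel_set_tty(); a shell run without a pty (ssh -T) is therefore classified bulk and gets the non-interactive TOS, while CHANNEL_BULK_TTY is empty so any pty session is always interactive. If that is the intended policy, say so in the comment above the two defines; if not, narrow the pattern to the non-interactive extended session types rather than matching every `session*`.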
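Review bot: The session.c hunk in do_exec_no_pty() drops `ssh_packet_set_interactive(ssh, s->display != NULL, ...)` and the ssh_session2_setup() hunk in ssh.c drops `interactive = 1` after requesting X11 forwarding, so the old rule that X11 forwarding implies an interactive session is gone; with `x11-*` in CHANNEL_BULK_NOTTY an open X11 connection now pushes the connection the other way, to non-interactive QoS. That reversal may well be right for bulk X traffic, but it is a visible behaviour change and should be called out in the commit message, or `x11-*` kept out of the default bulk list if the old behaviour was deliberate.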
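Review bot: The packet.c hunk removes ssh_packet_set_tos() (its body becomes the static apply_qos()), but the packet.h hunk leaves `void ssh_packet_set_tos(struct ssh *, int);` in place as an unchanged context line; drop the now-dangling prototype in the same commit so the header does not advertise a function that no longer exists.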
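Review bot: channel_has_bulk() in the channels.c hunk reads sc->nbulk, which channel_handler() recounts from zero on every pass and only for channels in SSH_CHANNEL_OPEN state; the one-line comment on channel_has_bulk() should say that the answer is as of the last channel_handler() pass and that a channel still in SSH_CHANNEL_OPENING does not count, because both callers (client_loop() and process_output()) rely on that ordering to switch QoS at the right moment.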
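Review bot: The six-line QoS block added to client_loop() in clientloop.c and to process_output() in serverloop.c is identical apart from the `static` on the server side; a single helper next to channel_has_bulk() that caches the last value and calls ssh_packet_set_interactive() on change would keep the two loops from drifting. The function-static `interactive` in process_output() also ties the cached state to the process rather than to the ssh context; the client keeps it as a local of client_loop(), which is the cleaner of the two.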
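Review bot: In the misc.c hunk, set_sock_tos() now debug-logs "invalid TOS %d" for both negative values and INT_MAX, but INT_MAX is the deliberate no-TOS sentinel that the removed ssh_packet_set_tos() used to filter silently, and -1 is the unset default from ssh_alloc_session_state(); logging either as invalid is misleading. Return silently (or log "TOS not set") for those two values and keep the message for genuinely out-of-range ones.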
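Review bot: In the ssh_packet_get_state() hunk, `ENCODE_INT(v)` casts `(u_int)v` without parenthesising the argument; it happens to work for the three `state->...` uses here because `->` binds tighter than the cast, but write `(u_int)(v)` so the macro is safe for any expression. On the receiving side, DECODE_INT() hands back a u_int that is implicitly narrowed when stored into the three int fields; an explicit `(int)` cast there would make the intent visible.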
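Review bot: The first ssh.c hunk in main() deletes the `/* Parse command-line arguments. */` comment above argv_assemble() with no replacement; it is unrelated to the QoS change and the comment still describes the code that follows, so either restore it or move that cleanup into its own commit.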
From: git+noreply at mindrot.org (git+noreply at mindrot.org)
Date: Mon, 18 Aug 2025 14:22:35 +1000
Subject: [openssh-commits] [openssh] branch master updated (289239046 -> 056022261)
Message-ID: <175549095543.20321.9265028062239313879@fuyu.mindrot.org>

This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master in repository openssh.

      from 289239046 upstream: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       new b7ee13fbb wrap SIGINFO in ifdef
       new 056022261 depend

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Detailed log of new commits:

commit 056022261e6cf7eb65bbacac72afe5f4d5945f2c
Author: Damien Miller
Date: Mon Aug 18 14:22:32 2025 +1000

    depend

commit b7ee13fbbb4ebafcf71f29685f053ecb97d1bcef
Author: Damien Miller
Date: Mon Aug 18 14:22:18 2025 +1000

    wrap SIGINFO in ifdef

Summary of changes:
 .depend      | 17 +++++++++++++++++
 clientloop.c | 11 +++++++++--
 serverloop.c |  9 +++++++--
 3 files changed, 33 insertions(+), 4 deletions(-)

From git+noreply at mindrot.org Mon Aug 18 14:22:36 2025
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 14:22:36 +1000 Subject: [openssh-commits] [openssh] 01/02: wrap SIGINFO in ifdef In-Reply-To: <175549095543.20321.9265028062239313879@fuyu.mindrot.org> References: <175549095543.20321.9265028062239313879@fuyu.mindrot.org> Message-ID: <2f5e6142cb9b108c@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit b7ee13fbbb4ebafcf71f29685f053ecb97d1bcef Author: Damien Miller AuthorDate: Mon Aug 18 14:22:18 2025 +1000 wrap SIGINFO in ifdef --- clientloop.c | 11 +++++++++-- serverloop.c | 9 +++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/clientloop.c b/clientloop.c index 677bf40f0..b9a010414 100644 --- a/clientloop.c +++ b/clientloop.c @@ -225,12 +225,14 @@ window_change_handler(int sig) received_window_change_signal = 1; } +#ifdef SIGINFO /* Signal handler for SIGINFO */ static void siginfo_handler(int sig) { siginfo_received = 1; } +#endif /* * Signal handler for signals that cause the program to terminate. These @@ -1522,7 +1524,9 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) ssh_signal(SIGTERM, signal_handler); ssh_signal(SIGWINCH, window_change_handler); +#ifdef SIGINFO ssh_signal(SIGINFO, siginfo_handler); +#endif if (have_pty) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 
@@ -1545,9 +1549,12 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, sigaddset(&bsigset, SIGHUP) == -1 || sigaddset(&bsigset, SIGINT) == -1 || sigaddset(&bsigset, SIGQUIT) == -1 || - sigaddset(&bsigset, SIGTERM) == -1 || - sigaddset(&bsigset, SIGINFO) == -1) + sigaddset(&bsigset, SIGTERM) == -1) error_f("bsigset setup: %s", strerror(errno)); +#ifdef SIGINFO + if (sigaddset(&bsigset, SIGINFO) == -1) + error_f("bsigset setup: %s", strerror(errno)); +#endif /* Main loop of the client for the interactive session mode. */ while (!quit_pending) { diff --git a/serverloop.c b/serverloop.c index 753f56388..4beb2a390 100644 --- a/serverloop.c +++ b/serverloop.c @@ -104,11 +104,13 @@ sigchld_handler(int sig) child_terminated = 1; } +#ifdef SIGINFO static void siginfo_handler(int sig) { siginfo_received = 1; } +#endif static void client_alive_check(struct ssh *ssh) @@ -341,11 +343,14 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) debug("Entering interactive session for SSH2."); if (sigemptyset(&bsigset) == -1 || - sigaddset(&bsigset, SIGCHLD) == -1 || - sigaddset(&bsigset, SIGINFO) == -1) + sigaddset(&bsigset, SIGCHLD) == -1) error_f("bsigset setup: %s", strerror(errno)); ssh_signal(SIGCHLD, sigchld_handler); +#ifdef SIGINFO + if (sigaddset(&bsigset, SIGINFO) == -1) + error_f("bsigset setup: %s", strerror(errno)); ssh_signal(SIGINFO, siginfo_handler); +#endif child_terminated = 0; connection_in = ssh_packet_get_connection_in(ssh); connection_out = ssh_packet_get_connection_out(ssh); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 14:22:37 2025 
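Review bot: Both files now wrap siginfo_handler() and the ssh_signal()/sigaddset() calls in `#ifdef SIGINFO`, but `siginfo_received`, which the handlers set, is declared outside these hunks; check that its declaration and the code that reads it are guarded the same way, otherwise platforms without SIGINFO get an unused static variable warning (or, if the reader is unguarded, a flag that is never set).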
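Review bot: In the server_loop2() hunk the `sigaddset(&bsigset, SIGINFO)` check is now separate from the `sigemptyset()`/SIGCHLD chain, so a failure produces a second, identical "bsigset setup" error_f() message with no hint which call failed; include the signal name in the split-off message, e.g. `error_f("bsigset setup (SIGINFO): %s", strerror(errno))`. The same applies to the client_loop() hunk in clientloop.c.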
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 14:22:37 +1000 Subject: [openssh-commits] [openssh] 02/02: depend In-Reply-To: <175549095543.20321.9265028062239313879@fuyu.mindrot.org> References: <175549095543.20321.9265028062239313879@fuyu.mindrot.org> Message-ID: <2f5e61441e355b10@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 056022261e6cf7eb65bbacac72afe5f4d5945f2c Author: Damien Miller AuthorDate: Mon Aug 18 14:22:32 2025 +1000 depend --- .depend | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.depend b/.depend index f569b603d..6961e34dd 100644 --- a/.depend +++ b/.depend 
@@ -8,8 +8,11 @@ atomicio.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp audit-bsm.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] audit-linux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] 
+auth-bsdauth-monitor.o: xmalloc.h sshkey.h sshbuf.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/b [...] auth-bsdauth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] 
+auth-log.o: authfile.h monitor_wrap.h channels.h +auth-log.o: xmalloc.h match.h groupaccess.h log.h ssherr.h sshbuf.h misc.h servconf.h openbsd-compat/sys-queue.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h [...] auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpi [...] 
auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] 
@@ -18,17 +21,25 @@ auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpi [...] auth.o: authfile.h monitor_wrap.h channels.h auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] +auth2-banner.o: atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h open [...] 
auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] +auth2-hostbased-monitor.o: canohost.h pathnames.h match.h +auth2-hostbased-monitor.o: xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd [...] 
auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd [...] auth2-hostbased.o: monitor_wrap.h pathnames.h match.h +auth2-kbdint-monitor.o: xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compa [...] auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] 
auth2-methods.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-w [...] auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wait [...] auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] 
+auth2-pubkey-monitor.o: loginrec.h pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h +auth2-pubkey-monitor.o: xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h open [...] auth2-pubkey.o: audit.h loginrec.h pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bs [...] 
+auth2-userauth.o: atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h op [...] +auth2-userauth.o: digest.h auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] auth2.o: mac.h crypto_api.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid. [...] 
@@ -161,8 +172,14 @@ sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h sshd-auth.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h ssh-sandbox.h dh.h sshd-auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] +sshd-monitor.o: openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h +sshd-monitor.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h ope [...] 
sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h dh.h sshd-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] +sshd-unpriv-postauth.o: openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h +sshd-unpriv-postauth.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyna [...] 
+sshd-unpriv-preauth.o: openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h +sshd-unpriv-preauth.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbynam [...] sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h atomicio.h monitor_wrap.h sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] ssherr.o: ssherr.h -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 14:39:43 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 14:39:43 +1000 Subject: [openssh-commits] [openssh] branch master updated: upstream: missing set_log_handler() call in ssh-auth.c, exposed after Message-ID: <175549198357.30992.14102512741315884897@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new c2c8bae39 upstream: missing set_log_handler() call in ssh-auth.c, exposed after c2c8bae39 is described below commit c2c8bae39380392449ac3297061cbfc486126ad5 Author: djm at openbsd.org AuthorDate: Mon Aug 18 04:38:21 2025 +0000 upstream: missing set_log_handler() call in ssh-auth.c, exposed after last commit OpenBSD-Commit-ID: 09f5c3cf33c18b8ad321edbf96c30ae3deada2b0 --- sshd-auth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sshd-auth.c b/sshd-auth.c index 9dd086c4c..6bb4aff0d 100644 --- a/sshd-auth.c +++ b/sshd-auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd-auth.c,v 1.6 2025/08/18 03:43:01 djm Exp $ */ +/* $OpenBSD: sshd-auth.c,v 1.7 2025/08/18 04:38:21 djm Exp $ */ /* * SSH2 implementation: * Privilege Separation: @@ -657,6 +657,7 @@ main(int ac, char **av) /* Reinit logging in case config set Level, Facility or Verbose. */ log_init(__progname, options.log_level, options.log_facility, 1); + set_log_handler(mm_log_handler, pmonitor); debug("sshd-auth version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 14:51:07 2025 
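Review bot: the commit message and Subject refer to ssh-auth.c, but the file changed in this hunk is sshd-auth.c; worth correcting in the upstream log if it has not propagated yet. On the hunk itself, set_log_handler(mm_log_handler, pmonitor) is placed directly after the log_init() re-initialisation, which only matters if log_init() drops a previously installed handler; a one-line comment there (for example `/* log_init() resets the handler; route logs back via the monitor */`) would stop the next reader from removing it again, which is how this regression was introduced. Also note that any log call made earlier in main() than this line still bypasses pmonitor, so check that nothing between the earlier setup and this point logs from the unprivileged process.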
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 14:51:07 +1000 Subject: [openssh-commits] [openssh] branch master updated: upstream: cast Message-ID: <175549266699.33226.17655648090855854638@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new ae44cd74f upstream: cast ae44cd74f is described below commit ae44cd74f3a4ac711152f50b2712803ccf785593 Author: djm at openbsd.org AuthorDate: Mon Aug 18 04:50:35 2025 +0000 upstream: cast OpenBSD-Commit-ID: d69bd2328513c2dcd99f4f346b77e2bd90cf1964 --- packet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packet.c b/packet.c index b899fcafb..34bf91d75 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.320 2025/08/18 03:43:01 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.321 2025/08/18 04:50:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2613,7 +2613,7 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_get_u32(m, &qos_interactive)) != 0 || (r = sshbuf_get_u32(m, &qos_other)) != 0) return r; -#define DECODE_INT(v) ((v) > INT_MAX ? -1 : (v)) +#define DECODE_INT(v) ((v) > INT_MAX ? -1 : (int)(v)) state->interactive_mode = DECODE_INT(interactive); state->qos_interactive = DECODE_INT(qos_interactive); state->qos_other = DECODE_INT(qos_other); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 16:50:07 2025 
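Review bot: the explicit (int) cast in DECODE_INT is safe because the preceding (v) > INT_MAX test guarantees the value fits, but the macro is defined inside ssh_packet_set_state() and never undefined; add `#undef DECODE_INT` after the three uses so the name does not leak into the rest of packet.c. A short comment stating that -1 here means "not set" for interactive_mode and the qos_* fields, rather than a decode error, would also help, since a serialized 0xffffffff and an unset field now decode to the same value.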
From: git+noreply at mindrot.org (git+noreply at mindrot.org)
Date: Mon, 18 Aug 2025 16:50:07 +1000
Subject: [openssh-commits] [openssh] branch master updated (ae44cd74f -> 5e9ca80fe)
Message-ID: <175549980788.28624.2487552028702348810@fuyu.mindrot.org>

This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master in repository openssh.

    from ae44cd74f upstream: cast
     new 9184fa363 check for setsockopt IP_TOS in OpenBSD pledge
     new 6c84609e5 depend
     new 5e9ca80fe Match version instead of groups in connect-bigconf

The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Detailed log of new commits:

commit 5e9ca80fe65e407428dc46ed45804724d08b91b7
Author: Damien Miller
Date:   Mon Aug 18 16:47:23 2025 +1000

    Match version instead of groups in connect-bigconf

    The connect-bigconf makes a giant config file to test config passing between the sshd subprocesses. Previously it used a bunch of "Match group" lines to construct a large file. However, checking group membership can be expensive (e.g. if a large groups database is present or if group lookup is remote via NSS). This could be slow enough to exceed LoginGraceTime.

    This switches it to "Match version", which is just a string compare and does just as well for making a giant nonsense config file.

commit 6c84609e5f9ddd49e250d5cf190b2820dbeca178
Author: Damien Miller
Date:   Mon Aug 18 16:47:00 2025 +1000

    depend

commit 9184fa363687fcb5dac056b093fb3b8e9d327242
Author: Damien Miller
Date:   Mon Aug 18 16:45:15 2025 +1000

    check for setsockopt IP_TOS in OpenBSD pledge

    OpenBSD has recently relaxed the pledge(2) sandbox to allow some setsockopt options to be changed without the "inet" promise. This adds compatibility for OpenBSD that predates this relaxation.
Summary of changes: .depend | 17 ----------------- clientloop.c | 4 ++-- configure.ac | 29 +++++++++++++++++++++++++++++ regress/connect-bigconf.sh | 2 +- 4 files changed, 32 insertions(+), 20 deletions(-) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 16:50:08 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 16:50:08 +1000 Subject: [openssh-commits] [openssh] 01/03: check for setsockopt IP_TOS in OpenBSD pledge In-Reply-To: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> References: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> Message-ID: <2f5e615cfddb1924@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 9184fa363687fcb5dac056b093fb3b8e9d327242 Author: Damien Miller AuthorDate: Mon Aug 18 16:45:15 2025 +1000 check for setsockopt IP_TOS in OpenBSD pledge OpenBSD has recently relaxed the pledge(2) sandbox to allow some setsockopt options to be changed without the "inet" promise. This adds compatibility for OpenBSD that predates this relaxation. --- clientloop.c | 4 ++-- configure.ac | 29 +++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/clientloop.c b/clientloop.c index b9a010414..577771f06 100644 --- a/clientloop.c +++ b/clientloop.c @@ -975,11 +975,11 @@ client_repledge(void) } else if (options.forward_agent != 0) { /* agent forwarding needs to open $SSH_AUTH_SOCK at will */ debug("pledge: agent"); - if (pledge("stdio unix proc tty", NULL) == -1) + if (pledge(PLEDGE_EXTRA_INET "stdio unix proc tty", NULL) == -1) fatal_f("pledge(): %s", strerror(errno)); } else { debug("pledge: fork"); - if (pledge("stdio proc tty", NULL) == -1) + if (pledge(PLEDGE_EXTRA_INET "stdio proc tty", NULL) == -1) fatal_f("pledge(): %s", strerror(errno)); } /* XXX further things to do: 
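Review bot: the concatenation PLEDGE_EXTRA_INET "stdio unix proc tty" in both pledge() calls only compiles if PLEDGE_EXTRA_INET is defined as a string literal (possibly empty) everywhere this file is built; the configure.ac change defines it only inside one host case, so a fallback such as `#ifndef PLEDGE_EXTRA_INET` / `#define PLEDGE_EXTRA_INET ""` in a common header would make this robust against other build paths. Also, only the agent-forwarding and fork branches of client_repledge() are touched, and the branch above this context is cut off; confirm it either already carries "inet" or never reaches the IP_TOS setsockopt, otherwise the same pledge violation remains on older OpenBSD.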
diff --git a/configure.ac b/configure.ac index 460ebd3b4..bc1900af7 100644 --- a/configure.ac +++ b/configure.ac @@ -1128,6 +1128,35 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1], [syslog_r function is safe to use in in a signal handler]) TEST_MALLOC_OPTIONS="SJRU" + AC_MSG_CHECKING([whether pledge(2) allows IP_TOS]) + need_pledge_inet="" + AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#include +#include +#include +#include + ]], [[ +int s, one = 1; +if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) + err(1, "socket"); +if (pledge("stdio", NULL) == -1) + err(1, "pledge"); +if (setsockopt(s, IPPROTO_IP, IP_TOS, &one, sizeof(one)) == -1) + err(1, "setsockopt"); + ]])], + [ AC_MSG_RESULT([yes]) ], [ + AC_MSG_RESULT([no]) + need_pledge_inet=1 + ], + [ AC_MSG_WARN([cross compiling: cannot test]) ]) + if test -z "$need_pledge_inet" ; then + AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], []) + else + AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], ["inet "], + [need inet in pledge for setsockopt IP_TOS]) + fi ;; *-*-solaris*) if test "x$withval" != "xno" ; then -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 16:50:09 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 16:50:09 +1000 Subject: [openssh-commits] [openssh] 02/03: depend In-Reply-To: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> References: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> Message-ID: <2f5e615edde03986@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 6c84609e5f9ddd49e250d5cf190b2820dbeca178 Author: Damien Miller AuthorDate: Mon Aug 18 16:47:00 2025 +1000 depend --- .depend | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.depend b/.depend index 6961e34dd..f569b603d 100644 --- a/.depend +++ b/.depend 
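Review bot: in the cross-compiling branch of the AC_RUN_IFELSE in the configure.ac hunk above, need_pledge_inet is left empty, so a cross-compiled build silently assumes the relaxed pledge(2) and the client will be killed by a pledge violation on an older OpenBSD the first time it sets IP_TOS; setting need_pledge_inet=1 there (a slightly wider sandbox, but a working client) or at least stating in the AC_MSG_WARN which default applies would be safer. Two smaller points: the #include lines of the test program show no header names in this archived copy (angle-bracket text was likely stripped by the archive), so verify them against the committed file; and AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], []) has no description string while the "inet " definition does, which leaves the generated config.h.in entry undocumented in the common case.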
@@ -8,11 +8,8 @@ atomicio.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp audit-bsm.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] audit-linux.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] audit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] 
-auth-bsdauth-monitor.o: xmalloc.h sshkey.h sshbuf.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/b [...] auth-bsdauth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] 
-auth-log.o: authfile.h monitor_wrap.h channels.h -auth-log.o: xmalloc.h match.h groupaccess.h log.h ssherr.h sshbuf.h misc.h servconf.h openbsd-compat/sys-queue.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h [...] auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpi [...] 
auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] 
@@ -21,25 +18,17 @@ auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpi [...] auth.o: authfile.h monitor_wrap.h channels.h auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] -auth2-banner.o: atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h open [...] 
auth2-chall.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wai [...] auth2-gss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] -auth2-hostbased-monitor.o: canohost.h pathnames.h match.h -auth2-hostbased-monitor.o: xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd [...] 
auth2-hostbased.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd [...] auth2-hostbased.o: monitor_wrap.h pathnames.h match.h -auth2-kbdint-monitor.o: xmalloc.h packet.h openbsd-compat/sys-queue.h dispatch.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compa [...] auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] 
auth2-methods.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-w [...] auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wait [...] auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] 
-auth2-pubkey-monitor.o: loginrec.h pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h -auth2-pubkey-monitor.o: xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h open [...] auth2-pubkey.o: audit.h loginrec.h pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bs [...] 
-auth2-userauth.o: atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h op [...] -auth2-userauth.o: digest.h auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] auth2.o: mac.h crypto_api.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid. [...] 
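Review bot: the targets removed in this hunk (auth2-kbdint-monitor.o, auth2-pubkey-monitor.o, auth2-userauth.o, together with auth2-banner.o and auth2-hostbased-monitor.o) include the same names that appear as + lines in the earlier .depend diff at the top of this page, so this looks like the dependency file catching up with a source-tree change rather than an independent edit; confirm the matching .c files are gone from the tree and from the object lists in Makefile.in, since a stale target with no source breaks the build. .depend is generated, so it should come from the Makefile's depend target rather than a hand edit; the "[...]" truncation visible here is an archive artifact, not file content.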
@@ -172,14 +161,8 @@ sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-c sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h sshd-auth.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h ssh-sandbox.h dh.h sshd-auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitp [...] -sshd-monitor.o: openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h -sshd-monitor.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h ope [...] 
sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h dh.h sshd-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-wa [...] -sshd-unpriv-postauth.o: openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h -sshd-unpriv-postauth.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyna [...] 
-sshd-unpriv-preauth.o: openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h dh.h -sshd-unpriv-preauth.o: xmalloc.h ssh.h ssh2.h sshpty.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbynam [...] sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h atomicio.h monitor_wrap.h sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h [...] ssherr.o: ssherr.h -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 16:50:10 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 16:50:10 +1000 Subject: [openssh-commits] [openssh] 03/03: Match version instead of groups in connect-bigconf In-Reply-To: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> References: <175549980788.28624.2487552028702348810@fuyu.mindrot.org> Message-ID: <2f5e61601c12232b@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 5e9ca80fe65e407428dc46ed45804724d08b91b7 Author: Damien Miller AuthorDate: Mon Aug 18 16:47:23 2025 +1000 Match version instead of groups in connect-bigconf The connect-bigconf makes a giant config file to test config passing between the sshd subprocesses. Previously it used a bunch of "Match group" lines to construct a large file. However checking group membership can be expensive (e.g. if a large groups database is present or if group lookup is remote via NSS). This could be slow enough to exceed LoginGraceTime. This switches it to "Match version" which is just a string compare and does just as well for making a giant nonsense config file. --- regress/connect-bigconf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/connect-bigconf.sh b/regress/connect-bigconf.sh index 56cf0ea64..ca2c11918 100644 --- a/regress/connect-bigconf.sh +++ b/regress/connect-bigconf.sh @@ -4,7 +4,7 @@ tid="simple connect" for x in `jot 10000 1` ; do - echo "Match group NONEXIST" >> $OBJ/sshd_config + echo "Match version NONEXIST" >> $OBJ/sshd_config echo "ChrootDirectory /some/path/for/group/NONEXIST" >> $OBJ/sshd_config done #cat $OBJ/sshd_config -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Mon Aug 18 17:00:51 2025 
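Review bot: the ChrootDirectory line that follows the changed echo still reads /some/path/for/group/NONEXIST, so the generated config now pairs a "Match version" criterion with a path that talks about a group; harmless for a deliberately nonsensical config, but renaming it (e.g. /some/path/for/version/NONEXIST) would keep the test self-describing. The substitution itself is sound for the stated purpose: "Match version" is compared against the client's identification string with no user or group database lookup, so a block that can never match costs one string compare per line rather than an NSS query, which is exactly the LoginGraceTime risk the commit message describes.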
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Mon, 18 Aug 2025 17:00:51 +1000 Subject: [openssh-commits] [openssh] branch master updated: Fix pledge(2) special casing Message-ID: <175550045164.56356.8576919608371890296@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. The following commit(s) were added to refs/heads/master by this push: new 3ef1a87d0 Fix pledge(2) special casing 3ef1a87d0 is described below commit 3ef1a87d0a29eac94f32371af628e81eb2e2d817 Author: Damien Miller AuthorDate: Mon Aug 18 17:00:26 2025 +1000 Fix pledge(2) special casing Unbreaks non-OpenBSD platforms --- configure.ac | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index bc1900af7..71766ba10 100644 --- a/configure.ac +++ b/configure.ac @@ -629,6 +629,9 @@ SOLARIS_PRIVS="no" # Default shared library extension SHLIBEXT=".so" +# See OpenBSD section in $host case below. +need_pledge_inet="" + # Check for some target-specific stuff case "$host" in *-*-aix*) @@ -1129,7 +1132,6 @@ mips-sony-bsd|mips-sony-newsos4) [syslog_r function is safe to use in in a signal handler]) TEST_MALLOC_OPTIONS="SJRU" AC_MSG_CHECKING([whether pledge(2) allows IP_TOS]) - need_pledge_inet="" AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ #include @@ -1151,12 +1153,6 @@ if (setsockopt(s, IPPROTO_IP, IP_TOS, &one, sizeof(one)) == -1) need_pledge_inet=1 ], [ AC_MSG_WARN([cross compiling: cannot test]) ]) - if test -z "$need_pledge_inet" ; then - AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], []) - else - AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], ["inet "], - [need inet in pledge for setsockopt IP_TOS]) - fi ;; *-*-solaris*) if test "x$withval" != "xno" ; then 
@@ -1430,6 +1426,14 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ exit(0); ]])], [ AC_MSG_WARN([cross compiling: not checking compiler sanity]) ] ) +dnl Finish up special pledge(2) handling from above. +if test -z "$need_pledge_inet" ; then + AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], []) +else + AC_DEFINE_UNQUOTED([PLEDGE_EXTRA_INET], ["inet "], + [need inet in pledge for setsockopt IP_TOS]) +fi + dnl Checks for header files. # Checks for libraries. AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])]) -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Fri Aug 29 13:58:45 2025 
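Review bot: moving the PLEDGE_EXTRA_INET definition out of the OpenBSD case in the final hunk is what actually unbreaks other hosts: with need_pledge_inet initialised to empty before the $host case (first hunk), the if/else after the compiler sanity check now runs on every platform and always defines PLEDGE_EXTRA_INET (to an empty value where the IP_TOS probe never ran), so sources that use the macro compile on hosts that never take the OpenBSD branch. Two things worth a look: the empty branch passes no description to AC_DEFINE_UNQUOTED while the "inet " branch does, so a single call with the value in a shell variable would remove the asymmetry; and the cross-compiling path still leaves need_pledge_inet empty, which yields the stricter pledge string on a target that may need "inet" for setsockopt(IP_TOS), so a comment next to the AC_MSG_WARN stating that the restrictive default is intentional would help packagers who cross-build.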
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 29 Aug 2025 13:58:45 +1000 Subject: [openssh-commits] [openssh] branch master updated (3ef1a87d0 -> a9a3f025d) Message-ID: <175643992561.27232.3294073742261524307@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a change to branch master in repository openssh. from 3ef1a87d0 Fix pledge(2) special casing new ceca966bd upstream: Delete unused accessor function new 908e9d551 upstream: ssh_config.5: say "post-quantum" instead of "post quantum new a9a3f025d upstream: remove experimental support for XMSS keys; The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit a9a3f025d76f06a6601e6e8d52b468ec467865d9 Author: djm at openbsd.org Date: Fri Aug 29 03:50:38 2025 +0000 upstream: remove experimental support for XMSS keys; ok deraadt markus OpenBSD-Commit-ID: 38eaf4df6189acad9e46eddf7cf32d7f6d07df35 commit 908e9d55139bed19ed87d6fec749974eb42702c6 Author: caspar at openbsd.org Date: Mon Aug 18 18:39:33 2025 +0000 upstream: ssh_config.5: say "post-quantum" instead of "post quantum safe", and rephrase the sentence to make it easier to read. 
Input djm@, input and OK deraadt@, OK dtucker@ OpenBSD-Commit-ID: c3ee4d1cafdcfc20cc0d2f086021efce4b19c075 commit ceca966bde4ab38b2434876416da12fe16747459 Author: job at openbsd.org Date: Mon Aug 18 09:16:36 2025 +0000 upstream: Delete unused accessor function OK dtucker@ OpenBSD-Commit-ID: 93b59ac088fb254e1189729ece5bb9656d6e810b Summary of changes: .depend | 7 - Makefile.in | 12 +- PROTOCOL.agent | 13 +- authfd.c | 25 +- authfd.h | 8 +- authfile.c | 7 +- dns.c | 5 +- dns.h | 5 +- packet.c | 9 +- packet.h | 3 +- pathnames.h | 4 +- readconf.c | 3 +- servconf.c | 6 +- ssh-add.c | 73 +--- ssh-agent.c | 27 +- ssh-keygen.c | 14 +- ssh-keyscan.c | 10 +- ssh-keysign.c | 3 +- ssh-xmss.c | 389 ------------------ ssh.c | 4 +- ssh_config.5 | 6 +- sshconnect.c | 5 +- sshd-auth.c | 5 +- sshd-session.c | 3 +- sshd.c | 3 +- sshkey-xmss.c | 1113 --------------------------------------------------- sshkey-xmss.h | 56 --- sshkey.c | 153 +------ sshkey.h | 25 +- xmss_commons.c | 36 -- xmss_commons.h | 21 - xmss_fast.c | 1106 -------------------------------------------------- xmss_fast.h | 111 ----- xmss_hash.c | 137 ------- xmss_hash.h | 22 - xmss_hash_address.c | 66 --- xmss_hash_address.h | 40 -- xmss_wots.c | 192 --------- xmss_wots.h | 64 --- 39 files changed, 58 insertions(+), 3733 deletions(-) delete mode 100644 ssh-xmss.c delete mode 100644 sshkey-xmss.c delete mode 100644 sshkey-xmss.h delete mode 100644 xmss_commons.c delete mode 100644 xmss_commons.h delete mode 100644 xmss_fast.c delete mode 100644 xmss_fast.h delete mode 100644 xmss_hash.c delete mode 100644 xmss_hash.h delete mode 100644 xmss_hash_address.c delete mode 100644 xmss_hash_address.h delete mode 100644 xmss_wots.c delete mode 100644 xmss_wots.h -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Fri Aug 29 13:58:46 2025 
From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 29 Aug 2025 13:58:46 +1000 Subject: [openssh-commits] [openssh] 01/03: upstream: Delete unused accessor function In-Reply-To: <175643992561.27232.3294073742261524307@fuyu.mindrot.org> References: <175643992561.27232.3294073742261524307@fuyu.mindrot.org> Message-ID: <157c27de919929ca@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit ceca966bde4ab38b2434876416da12fe16747459 Author: job at openbsd.org AuthorDate: Mon Aug 18 09:16:36 2025 +0000 upstream: Delete unused accessor function OK dtucker@ OpenBSD-Commit-ID: 93b59ac088fb254e1189729ece5bb9656d6e810b --- packet.c | 9 +-------- packet.h | 3 +-- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/packet.c b/packet.c index 34bf91d75..6dfa7ac31 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.321 2025/08/18 04:50:35 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.322 2025/08/18 09:16:36 job Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2254,13 +2254,6 @@ ssh_packet_set_qos(struct ssh *ssh, int qos_interactive, int qos_other) apply_qos(ssh); } -/* Returns true if the current connection is interactive. */ -int -ssh_packet_is_interactive(struct ssh *ssh) -{ - return ssh->state->interactive_mode; -} - int ssh_packet_set_maxsize(struct ssh *ssh, u_int s) { diff --git a/packet.h b/packet.h index 6828476c7..ade3c0f9d 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.100 2025/08/18 03:43:01 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.101 2025/08/18 09:16:36 job Exp $ */ /* * Author: Tatu Ylonen 
@@ -112,7 +112,6 @@ void ssh_packet_set_protocol_flags(struct ssh *, u_int); u_int ssh_packet_get_protocol_flags(struct ssh *); void ssh_packet_set_tos(struct ssh *, int); void ssh_packet_set_interactive(struct ssh *, int); -int ssh_packet_is_interactive(struct ssh *); void ssh_packet_set_qos(struct ssh *, int, int); void ssh_packet_set_server(struct ssh *); void ssh_packet_set_authenticated(struct ssh *); -- To stop receiving notification emails like this one, please contact djm at mindrot.org. From git+noreply at mindrot.org Fri Aug 29 13:58:47 2025 From: git+noreply at mindrot.org (git+noreply at mindrot.org) Date: Fri, 29 Aug 2025 13:58:47 +1000 Subject: [openssh-commits] [openssh] 02/03: upstream: ssh_config.5: say "post-quantum" instead of "post quantum In-Reply-To: <175643992561.27232.3294073742261524307@fuyu.mindrot.org> References: <175643992561.27232.3294073742261524307@fuyu.mindrot.org> Message-ID: <157c27e08a4efc5f@fuyu.mindrot.org> This is an automated email from the git hooks/post-receive script. djm pushed a commit to branch master in repository openssh. commit 908e9d55139bed19ed87d6fec749974eb42702c6 Author: caspar at openbsd.org AuthorDate: Mon Aug 18 18:39:33 2025 +0000 upstream: ssh_config.5: say "post-quantum" instead of "post quantum safe", and rephrase the sentence to make it easier to read. Input djm@, input and OK deraadt@, OK dtucker@ OpenBSD-Commit-ID: c3ee4d1cafdcfc20cc0d2f086021efce4b19c075 --- ssh_config.5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index 4cbe98631..d24e92f73 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.418 2025/08/11 10:55:38 djm Exp $ -.Dd $Mdocdate: August 11 2025 $ +.\" $OpenBSD: ssh_config.5,v 1.419 2025/08/18 18:39:33 caspar Exp $ +.Dd $Mdocdate: August 18 2025 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -2234,7 +2234,7 @@ controls whether the user is warned when the cryptographic algorithms negotiated for the connection are weak or otherwise recommended against. Warnings may be disabled by turning off a specific warning or by disabling all warnings. -Warnings that the connection is using a non-post quantum safe key exchange +Warnings about connections that don't use a post-quantum key exchange may be disabled using the .Cm no-pq-kex flag. -- To stop receiving notification emails like this one, please contact djm at mindrot.org.
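Review bot: the rewritten sentence in the -2234 hunk is clearer than the old "non-post quantum safe", but man page prose is normally written without contractions, so "connections that do not use a post-quantum key exchange" would fit the register better; the RCS id and .Dd bump to August 18 2025 in the first hunk match the AuthorDate.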