[openssh-commits] [openssh] branch master updated (b652322cd -> ecdf9b9f8)
git+noreply at mindrot.org
Mon Dec 22 12:51:38 AEDT 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from b652322cd upstream: typo in comment
new daf6bdd34 upstream: add a "ssh -O channels user@host" multiplexing command to
new aaac8c61c upstream: Don't misuse the sftp limits extension's open-handles
new 5166b6cbf upstream: When certificate support was added to OpenSSH,
new adca2f439 upstream: don't try to test webauthn signatures. Nothing in OpenSSH
new ecdf9b9f8 upstream: regression tests for certificates with empty principals
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit ecdf9b9f8e89aae65d4a12fe5a25c560eea08393
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 22 01:50:46 2025 +0000
upstream: regression tests for certificates with empty principals
sections (which are now unconditionally refused) and for certificates with
wildcard principals (which should only be accepted in host certs)
OpenBSD-Regress-ID: fdca88845a68424060547b4f9f32f90a7cf82e73
commit adca2f439827eb829652805f36e288b5b260ce1b
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 22 01:31:07 2025 +0000
upstream: don't try to test webauthn signatures. Nothing in OpenSSH
generates these (yet)
OpenBSD-Regress-ID: 48d59b7c4768c2a22ce3d8cf3b455e6ada9fc7b0
commit 5166b6cbf2b6103117a79f90a68068e89e02bf66
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 22 01:49:03 2025 +0000
upstream: When certificate support was added to OpenSSH,
certificates were originally specified to represent any principal if the
principals list was empty.
This was, in retrospect, a mistake as it created a fail-open
situation if a CA could be convinced to accidentally sign a
certificate with no principals. This actually happened in a 3rd-party
CA product (CVE-2024-7594).
Somewhat fortunately, the main pathway for using certificates in
sshd (TrustedUserCAKeys) never supported empty-principals
certificates, so the blast radius of such mistakes was
substantially reduced.
This change removes this footcannon and requires all certificates
include principals sections. It also fixes interpretation of
wildcard principals, and properly enables them for host
certificates only.
This is a behaviour change that will permanently break uses of
certificates with empty principals sections.
ok markus@
OpenBSD-Commit-ID: 0a901f03c567c100724a492cf91e02939904712e
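An added audit helper for the principals change described in this commit; it is not part of the OpenSSH commit or its regression tests. It classifies the text that `ssh-keygen -L -f <cert>` prints by its Principals section, so certificates that the new policy will refuse (empty principals, or wildcard principals in user certificates) can be found before an upgrade. It assumes the `ssh-keygen -L` layout described in its comments; the `classify_cert` and `audit_certs` names are its own.

```shell
#!/bin/sh
# Added audit helper, not OpenSSH code: classify the output of
# `ssh-keygen -L -f <cert>` by its Principals section so that certificates the
# new policy refuses can be found before an upgrade.
# Assumed ssh-keygen -L layout: a "Type: ... user certificate" (or
# "... host certificate") line, then either "Principals: (none)" or a
# "Principals:" line followed by one indented principal per line, with the
# section ending at the "Critical Options:" line.
#
# classify_cert reads that text on stdin and prints exactly one of:
#   empty-principals  no principals at all: now refused for every cert type
#   wildcard-user     user cert with a '*' or '?' principal: wildcards are
#                     only honoured in host certs
#   ok                non-empty principals with no policy concern
classify_cert() {
    awk '
        /^[[:space:]]*Type:/ {
            if ($0 ~ /user certificate/) kind = "user"
            else if ($0 ~ /host certificate/) kind = "host"
        }
        /^[[:space:]]*Principals:/ {
            in_principals = 1
            if ($0 ~ /\(none\)/) empty = 1
            next
        }
        in_principals && /^[[:space:]]*(Critical Options|Extensions):/ {
            in_principals = 0
        }
        in_principals {
            sub(/^[[:space:]]+/, "")
            if ($0 != "") { n++; if ($0 ~ /[*?]/) wild = 1 }
        }
        END {
            if (empty || n == 0) print "empty-principals"
            else if (wild && kind == "user") print "wildcard-user"
            else print "ok"
        }'
}

# audit_certs runs classify_cert over every certificate path given as an
# argument, printing one result line per file (needs ssh-keygen on PATH).
audit_certs() {
    for cert in "$@"; do
        printf '%s: %s\n' "$cert" "$(ssh-keygen -L -f "$cert" | classify_cert)"
    done
}
```

Run it as `audit_certs /etc/ssh/*-cert.pub ~/.ssh/*-cert.pub` and act on any line that is not `ok`.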
commit aaac8c61c18124eb5fb8a2cff1e85dea2db6c147
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 22 01:20:39 2025 +0000
upstream: Don't misuse the sftp limits extension's open-handles
field. This value is supposed to be the number of handles a server will allow
to be opened and not a number of outstanding read/write requests that can be
sent during an upload/download.
ok markus@
OpenBSD-Commit-ID: 14ebb6690acbd488e748ce8ce3302bd7e1e8a5b0
commit daf6bdd34b59f640d2af0fd230da69f1cbad33b4
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Dec 22 01:17:31 2025 +0000
upstream: add a "ssh -O channels user@host" multiplexing command to
get a running mux process to show information about what channels are
currently open; ok dtucker@ markus@
OpenBSD-Commit-ID: 80bb3953b306a50839f9a4bc5679faebc32e5bb8
Summary of changes:
auth2-hostbased.c | 6 +++---
auth2-pubkey.c | 4 ++--
auth2-pubkeyfile.c | 4 ++--
clientloop.h | 3 ++-
mux.c | 21 ++++++++++++------
regress/cert-hostkey.sh | 28 ++++++++++++++----------
regress/cert-userkey.sh | 9 ++++----
regress/test-exec.sh | 6 +++---
sftp-client.c | 13 +----------
ssh-agent.c | 4 ++--
ssh-keygen.1 | 34 ++++++++++++++++++++---------
ssh-keygen.c | 11 +++++++++-
ssh.1 | 6 ++++--
ssh.c | 4 +++-
sshconnect.c | 4 ++--
sshkey.c | 57 +++++++++++++++++++++++--------------------------
sshkey.h | 8 +++----
sshsig.c | 8 +++----
18 files changed, 128 insertions(+), 102 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.