This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch V_9_6
in repository openssh.
at 8241b9c0 crank versions
This branch includes the following new commits:
new 1edb00c5 upstream: implement "strict key exchange" in ssh and sshd
new a7ed931c upstream: add "ext-info-in-auth@openssh.com" extension
new 881d9c6a upstream: apply destination constraints to all p11 keys
new 4448a293 upstream: Make it possible to load certs from PKCS#11 tokens
new 0cb50eef upstream: stricter handling of channel window limits
new 7ef3787c upstream: ban user/hostnames with most shell metacharacters
new 6d51feab upstream: ssh-agent: record failed session-bind attempts
new cdddd664 upstream: openssh-9.6
new 2f512f86 upstream: regress test for constrained PKCS#11 keys
new e48cdee8 upstream: regress test for agent PKCS#11-backed certificates
new 2f2c65cb depend
new 8241b9c0 crank versions
The 12 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
Author: Damien Miller <djm@mindrot.org>
Date: Tue Dec 19 01:59:50 2023 +1100
crank versions
commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
Author: Damien Miller <djm@mindrot.org>
Date: Tue Dec 19 01:59:06 2023 +1100
depend
commit e48cdee8e19059203b1aeeabec2350b8375fa61f
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:50:08 2023 +0000
upstream: regress test for agent PKCS#11-backed certificates
OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:49:39 2023 +0000
upstream: regress test for constrained PKCS#11 keys
OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:48:44 2023 +0000
upstream: openssh-9.6
OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
commit 7ef3787c84b6b524501211b11a26c742f829af1a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:47:44 2023 +0000
upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:48:08 2023 +0000
upstream: ssh-agent: record failed session-bind attempts
Record failed attempts to session-bind a connection and refuse signing
operations on that connection henceforth.
Prevents a future situation where we add a new hostkey type that is not
recognised by an older ssh-agent, that consequently causes session-bind
to fail (this situation is only likely to arise when people mix ssh(1)
and ssh-agent(1) of different versions on the same host). Previously,
after such a failure the agent socket would be considered unbound and
not subject to restriction.
Spotted by Jann Horn
OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:46:56 2023 +0000
upstream: Make it possible to load certs from PKCS#11 tokens
Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.
feedback/ok markus@
OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:47:20 2023 +0000
upstream: stricter handling of channel window limits
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.
ok markus@
OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
commit a7ed931caeb68947d30af8a795f4108b6efad761
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:45:49 2023 +0000
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:46:12 2023 +0000
upstream: apply destination constraints to all p11 keys
Previously applied only to the first key returned from each token.
ok markus@
OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:45:17 2023 +0000
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits
djm pushed a change to branch V_9_6
in repository openssh.
at 8241b9c0 crank versions
This branch includes the following new commits:
new 1edb00c5 upstream: implement "strict key exchange" in ssh and sshd
new a7ed931c upstream: add "ext-info-in-auth@openssh.com" extension
new 881d9c6a upstream: apply destination constraints to all p11 keys
new 4448a293 upstream: Make it possible to load certs from PKCS#11 tokens
new 0cb50eef upstream: stricter handling of channel window limits
new 7ef3787c upstream: ban user/hostnames with most shell metacharacters
new 6d51feab upstream: ssh-agent: record failed session-bind attempts
new cdddd664 upstream: openssh-9.6
new 2f512f86 upstream: regress test for constrained PKCS#11 keys
new e48cdee8 upstream: regress test for agent PKCS#11-backed certificates
new 2f2c65cb depend
new 8241b9c0 crank versions
The 12 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
Author: Damien Miller <djm@mindrot.org>
Date: Tue Dec 19 01:59:50 2023 +1100
crank versions
commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
Author: Damien Miller <djm@mindrot.org>
Date: Tue Dec 19 01:59:06 2023 +1100
depend
commit e48cdee8e19059203b1aeeabec2350b8375fa61f
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:50:08 2023 +0000
upstream: regress test for agent PKCS#11-backed certificates
OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:49:39 2023 +0000
upstream: regress test for constrained PKCS#11 keys
OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:48:44 2023 +0000
upstream: openssh-9.6
OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
commit 7ef3787c84b6b524501211b11a26c742f829af1a
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:47:44 2023 +0000
upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:48:08 2023 +0000
upstream: ssh-agent: record failed session-bind attempts
Record failed attempts to session-bind a connection and refuse signing
operations on that connection henceforth.
Prevents a future situation where we add a new hostkey type that is not
recognised by an older ssh-agent, that consequently causes session-bind
to fail (this situation is only likely to arise when people mix ssh(1)
and ssh-agent(1) of different versions on the same host). Previously,
after such a failure the agent socket would be considered unbound and
not subject to restriction.
Spotted by Jann Horn
OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:46:56 2023 +0000
upstream: Make it possible to load certs from PKCS#11 tokens
Adds a protocol extension to allow grafting certificates supplied by
ssh-add to keys loaded from PKCS#11 tokens in the agent.
feedback/ok markus@
OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:47:20 2023 +0000
upstream: stricter handling of channel window limits
This makes ssh/sshd more strict in handling non-compliant peers that
send more data than the advertised channel window allows. Previously
the additional data would be silently discarded. This change will
cause ssh/sshd to terminate the connection if the channel window is
exceeded by more than a small grace allowance.
ok markus@
OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
commit a7ed931caeb68947d30af8a795f4108b6efad761
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:45:49 2023 +0000
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd to update the acceptable signature algoritms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:46:12 2023 +0000
upstream: apply destination constraints to all p11 keys
Previously applied only to the first key returned from each token.
ok markus@
OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Author: djm@openbsd.org <djm@openbsd.org>
Date: Mon Dec 18 14:45:17 2023 +0000
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits