mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-15 21:05:08 +00:00
f374ba41f5
Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
67 lines
2.1 KiB
Bash
67 lines
2.1 KiB
Bash
# $OpenBSD: hostbased.sh,v 1.4 2022/12/07 11:45:43 dtucker Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
# This test requires external setup and thus is skipped unless
|
|
# TEST_SSH_HOSTBASED_AUTH and SUDO are set to "yes".
|
|
# Since ssh-keysign has key paths hard coded, unlike the other tests it
|
|
# needs to use the real host keys. It requires:
|
|
# - ssh-keysign must be installed and setuid.
|
|
# - "EnableSSHKeysign yes" must be in the system ssh_config.
|
|
# - the system's own real FQDN the system-wide shosts.equiv.
|
|
# - the system's real public key fingerprints must be in global ssh_known_hosts.
|
|
#
|
|
tid="hostbased"
|
|
|
|
if [ -z "${TEST_SSH_HOSTBASED_AUTH}" ]; then
|
|
skip "TEST_SSH_HOSTBASED_AUTH not set."
|
|
elif [ -z "${SUDO}" ]; then
|
|
skip "SUDO not set"
|
|
fi
|
|
|
|
# Enable all supported hostkey algos (but no others)
|
|
hostkeyalgos=`${SSH} -Q HostKeyAlgorithms | tr '\n' , | sed 's/,$//'`
|
|
|
|
cat >>$OBJ/sshd_proxy <<EOD
|
|
HostbasedAuthentication yes
|
|
HostbasedAcceptedAlgorithms $hostkeyalgos
|
|
HostbasedUsesNameFromPacketOnly yes
|
|
HostKeyAlgorithms $hostkeyalgos
|
|
EOD
|
|
|
|
cat >>$OBJ/ssh_proxy <<EOD
|
|
HostbasedAuthentication yes
|
|
HostKeyAlgorithms $hostkeyalgos
|
|
HostbasedAcceptedAlgorithms $hostkeyalgos
|
|
PreferredAuthentications hostbased
|
|
EOD
|
|
|
|
algos=""
|
|
for key in `${SUDO} ${SSHD} -T | awk '$1=="hostkey"{print $2}'`; do
|
|
case "`$SSHKEYGEN -l -f ${key}.pub`" in
|
|
256*ECDSA*) algos="$algos ecdsa-sha2-nistp256" ;;
|
|
384*ECDSA*) algos="$algos ecdsa-sha2-nistp384" ;;
|
|
521*ECDSA*) algos="$algos ecdsa-sha2-nistp521" ;;
|
|
*RSA*) algos="$algos ssh-rsa rsa-sha2-256 rsa-sha2-512" ;;
|
|
*ED25519*) algos="$algos ssh-ed25519" ;;
|
|
*DSA*) algos="$algos ssh-dss" ;;
|
|
*) verbose "unknown host key type $key" ;;
|
|
esac
|
|
done
|
|
|
|
for algo in $algos; do
|
|
trace "hostbased algo $algo"
|
|
opts="-F $OBJ/ssh_proxy"
|
|
if [ "x$algo" != "xdefault" ]; then
|
|
opts="$opts -oHostbasedAcceptedAlgorithms=$algo"
|
|
fi
|
|
SSH_CONNECTION=`${SSH} $opts localhost 'echo $SSH_CONNECTION'`
|
|
if [ $? -ne 0 ]; then
|
|
fail "connect failed, hostbased algo $algo"
|
|
elif [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
|
|
fail "hostbased algo $algo bad SSH_CONNECTION" \
|
|
"$SSH_CONNECTION"
|
|
else
|
|
verbose "ok hostbased algo $algo"
|
|
fi
|
|
done
|