mirror of
https://github.com/opnsense/src.git
synced 2026-06-04 06:15:33 -04:00
ff2fd01609
Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit0fdf8fae8b) (cherry picked from commitb4bb480ae9) (cherry picked from commite95979047a) (cherry picked from commitdcb4ae528d) Approved by: re (accelerated MFC)
184 lines
6.1 KiB
C
184 lines
6.1 KiB
C
/* $OpenBSD: pathnames.h,v 1.32 2024/05/17 00:30:24 djm Exp $ */
|
|
|
|
/*
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
* All rights reserved
|
|
*
|
|
* As far as I am concerned, the code I have written for this software
|
|
* can be used freely for any purpose. Any derived versions of this
|
|
* software must be clearly marked as such, and if the derived work is
|
|
* incompatible with the protocol description in the RFC file, it must be
|
|
* called by a name other than "ssh" or "Secure Shell".
|
|
*/
|
|
|
|
#define ETCDIR "/etc"
|
|
|
|
#ifndef SSHDIR
|
|
#define SSHDIR ETCDIR "/ssh"
|
|
#endif
|
|
|
|
#ifndef _PATH_SSH_PIDDIR
|
|
#define _PATH_SSH_PIDDIR "/var/run"
|
|
#endif
|
|
|
|
/*
|
|
* System-wide file containing host keys of known hosts. This file should be
|
|
* world-readable.
|
|
*/
|
|
#define _PATH_SSH_SYSTEM_HOSTFILE SSHDIR "/ssh_known_hosts"
|
|
/* backward compat for protocol 2 */
|
|
#define _PATH_SSH_SYSTEM_HOSTFILE2 SSHDIR "/ssh_known_hosts2"
|
|
|
|
/*
|
|
* Of these, ssh_host_key must be readable only by root, whereas ssh_config
|
|
* should be world-readable.
|
|
*/
|
|
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
|
|
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
|
|
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
|
|
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
|
|
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
|
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
|
|
|
#ifndef _PATH_SSH_PROGRAM
|
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
|
#endif
|
|
|
|
/* Binary paths for the sshd components */
|
|
#ifndef _PATH_SSHD_SESSION
|
|
#define _PATH_SSHD_SESSION "/usr/libexec/sshd-session"
|
|
#endif
|
|
|
|
/*
|
|
* The process id of the daemon listening for connections is saved here to
|
|
* make it easier to kill the correct daemon when necessary.
|
|
*/
|
|
#define _PATH_SSH_DAEMON_PID_FILE _PATH_SSH_PIDDIR "/sshd.pid"
|
|
|
|
/*
|
|
* The directory in user's home directory in which the files reside. The
|
|
* directory should be world-readable (though not all files are).
|
|
*/
|
|
#define _PATH_SSH_USER_DIR ".ssh"
|
|
|
|
/*
|
|
* Per-user file containing host keys of known hosts. This file need not be
|
|
* readable by anyone except the user him/herself, though this does not
|
|
* contain anything particularly secret.
|
|
*/
|
|
#define _PATH_SSH_USER_HOSTFILE "~/" _PATH_SSH_USER_DIR "/known_hosts"
|
|
/* backward compat for protocol 2 */
|
|
#define _PATH_SSH_USER_HOSTFILE2 "~/" _PATH_SSH_USER_DIR "/known_hosts2"
|
|
|
|
/*
|
|
* Name of the default file containing client-side authentication key. This
|
|
* file should only be readable by the user him/herself.
|
|
*/
|
|
#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
|
|
#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
|
|
#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
|
|
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"
|
|
#define _PATH_SSH_CLIENT_ID_XMSS _PATH_SSH_USER_DIR "/id_xmss"
|
|
#define _PATH_SSH_CLIENT_ID_ECDSA_SK _PATH_SSH_USER_DIR "/id_ecdsa_sk"
|
|
#define _PATH_SSH_CLIENT_ID_ED25519_SK _PATH_SSH_USER_DIR "/id_ed25519_sk"
|
|
|
|
/*
|
|
* Configuration file in user's home directory. This file need not be
|
|
* readable by anyone but the user him/herself, but does not contain anything
|
|
* particularly secret. If the user's home directory resides on an NFS
|
|
* volume where root is mapped to nobody, this may need to be world-readable.
|
|
*/
|
|
#define _PATH_SSH_USER_CONFFILE _PATH_SSH_USER_DIR "/config"
|
|
|
|
/*
|
|
* File containing a list of those rsa keys that permit logging in as this
|
|
* user. This file need not be readable by anyone but the user him/herself,
|
|
* but does not contain anything particularly secret. If the user's home
|
|
* directory resides on an NFS volume where root is mapped to nobody, this
|
|
* may need to be world-readable. (This file is read by the daemon which is
|
|
* running as root.)
|
|
*/
|
|
#define _PATH_SSH_USER_PERMITTED_KEYS _PATH_SSH_USER_DIR "/authorized_keys"
|
|
|
|
/* backward compat for protocol v2 */
|
|
#define _PATH_SSH_USER_PERMITTED_KEYS2 _PATH_SSH_USER_DIR "/authorized_keys2"
|
|
|
|
/*
|
|
* Per-user and system-wide ssh "rc" files. These files are executed with
|
|
* /bin/sh before starting the shell or command if they exist. They will be
|
|
* passed "proto cookie" as arguments if X11 forwarding with spoofing is in
|
|
* use. xauth will be run if neither of these exists.
|
|
*/
|
|
#define _PATH_SSH_USER_RC _PATH_SSH_USER_DIR "/rc"
|
|
#define _PATH_SSH_SYSTEM_RC SSHDIR "/sshrc"
|
|
|
|
/*
|
|
* Ssh-only version of /etc/hosts.equiv. Additionally, the daemon may use
|
|
* ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled.
|
|
*/
|
|
#define _PATH_SSH_HOSTS_EQUIV SSHDIR "/shosts.equiv"
|
|
#define _PATH_RHOSTS_EQUIV "/etc/hosts.equiv"
|
|
|
|
/*
|
|
* Default location of askpass
|
|
*/
|
|
#ifndef _PATH_SSH_ASKPASS_DEFAULT
|
|
#define _PATH_SSH_ASKPASS_DEFAULT "/usr/local/bin/ssh-askpass"
|
|
#endif
|
|
|
|
/* Location of ssh-keysign for hostbased authentication */
|
|
#ifndef _PATH_SSH_KEY_SIGN
|
|
#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
|
|
#endif
|
|
|
|
/* Location of ssh-pkcs11-helper to support keys in tokens */
|
|
#ifndef _PATH_SSH_PKCS11_HELPER
|
|
#define _PATH_SSH_PKCS11_HELPER "/usr/libexec/ssh-pkcs11-helper"
|
|
#endif
|
|
|
|
/* Location of ssh-sk-helper to support keys in security keys */
|
|
#ifndef _PATH_SSH_SK_HELPER
|
|
#define _PATH_SSH_SK_HELPER "/usr/libexec/ssh-sk-helper"
|
|
#endif
|
|
|
|
/* xauth for X11 forwarding */
|
|
#ifndef _PATH_XAUTH
|
|
#define _PATH_XAUTH "/usr/local/bin/xauth"
|
|
#endif
|
|
|
|
/* UNIX domain socket for X11 server; displaynum will replace %u */
|
|
#ifndef _PATH_UNIX_X
|
|
#define _PATH_UNIX_X "/tmp/.X11-unix/X%u"
|
|
#endif
|
|
|
|
/* for scp */
|
|
#ifndef _PATH_CP
|
|
#define _PATH_CP "cp"
|
|
#endif
|
|
|
|
/* for sftp */
|
|
#ifndef _PATH_SFTP_SERVER
|
|
#define _PATH_SFTP_SERVER "/usr/libexec/sftp-server"
|
|
#endif
|
|
|
|
/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */
|
|
#ifndef _PATH_PRIVSEP_CHROOT_DIR
|
|
#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty"
|
|
#endif
|
|
|
|
/* for passwd change */
|
|
#ifndef _PATH_PASSWD_PROG
|
|
#define _PATH_PASSWD_PROG "/usr/bin/passwd"
|
|
#endif
|
|
|
|
#ifndef _PATH_LS
|
|
#define _PATH_LS "ls"
|
|
#endif
|
|
|
|
/* Askpass program define */
|
|
#ifndef ASKPASS_PROGRAM
|
|
#define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass"
|
|
#endif /* ASKPASS_PROGRAM */
|