Date: Fri, 5 Jan 2024 23:42:51 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: c39254c8f233 - stable/14 - ssh: ban user/hostnames with most shell metacharacters

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=c39254c8f23379709b8e2a68dc64477d2885f1d4

commit c39254c8f23379709b8e2a68dc64477d2885f1d4
Author: Ed Maste
AuthorDate: 2024-01-05 18:12:09 +0000
Commit: Ed Maste
CommitDate: 2024-01-05 23:42:30 +0000

ssh: ban user/hostnames with most shell metacharacters

Cherry-picked from OpenSSH commit 7ef3787c84b6:

This makes ssh(1) refuse user or host names provided on the commandline that contain most shell metacharacters. Some programs that invoke ssh(1) using untrusted data do not filter metacharacters in arguments they supply. This could create interactions with user-specified ProxyCommand and other directives that allow shell injection attacks to occur.

It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, but getting this stuff right can be tricky, so this should prevent most obvious ways of creating risky situations. It however is not and cannot be perfect: ssh(1) has no practical way of interpreting what shell quoting rules are in use and how they interact with the user's specified ProxyCommand.

To allow configurations that use strange user or hostnames to continue to work, this strictness is applied only to names coming from the commandline.
Names specified using User or Hostname directives in ssh_config(5) are not affected. feedback/ok millert@ markus@ dtucker@ deraadt@ OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 --- crypto/openssh/ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index ec5c36091d29..ea459ffc007e 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.594 2023/09/03 23:59:32 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -624,6 +624,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) free(cinfo); } +static int +valid_hostname(const char *s) +{ + size_t i; + + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { + if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || + isspace((u_char)s[i]) || iscntrl((u_char)s[i])) + return 0; + } + return 1; +} + +static int +valid_ruser(const char *s) +{ + size_t i; + + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ + if (isspace((u_char)s[i]) && s[i + 1] == '-') + return 0; + /* Disallow \ in last position */ + if (s[i] == '\\' && s[i + 1] == '\0') + return 0; + } + return 1; +} + /* * Main program for the ssh client. */ @@ -1116,6 +1151,10 @@ main(int ac, char **av) if (!host) usage(); + if (!valid_hostname(host)) + fatal("hostname contains invalid characters"); + if (options.user != NULL && !valid_ruser(options.user)) + fatal("remote username contains invalid characters"); options.host_arg = xstrdup(host); /* Initialize the command to execute on remote host. */
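Review bot: The `$OpenBSD$` ident in the first hunk (`@@ -1,4 +1,4 @@`) moves from 1.594 to 1.599, while the rest of the patch carries a single upstream change (40 insertions, 1 deletion). If revisions 1.595 through 1.598 are not already on stable/14, the tag overstates what this file contains; either keep the ident at the last fully merged revision or state in the commit message that the bump is intentional for this cherry-pick.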
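Review bot: In the `@@ -624,6 +624,41 @@` hunk, `valid_ruser()` accepts `$`, control characters, whitespace that is not followed by `-`, and any backslash that is not in the last position, all of which `valid_hostname()` rejects, and neither function carries a comment saying why the two sets differ. A short comment above each function naming what it guards and why the user check is looser would stop a later edit from merging the two strings by accident. Both functions also return 1 for an empty string, because `*s == '-'` is false and the loop body never runs; if an empty name should not pass, add an explicit `if (*s == '\0') return 0;` at the top.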
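Review bot: In the `main()` hunk (`@@ -1116,6 +1151,10 @@`), the new checks on `host` and `options.user` have no comment tying their position to the rule in the commit message that only command-line names are validated and ssh_config(5) values are exempt. Nothing in the hunk shows that `options.user` can only hold a command-line value at this point, so the exemption depends on ordering that a later refactor could change silently. Add a comment above the two checks, for example `/* Only names from the command line are checked; User/Hostname from ssh_config(5) are exempt */`, so the placement is read as deliberate.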