Date: Mon, 8 Jan 2024 04:25:25 GMT
Message-Id: <202401080425.4084PPZg090830@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: b8d5f0482d43 - stable/13 - ssh: ban user/hostnames with most shell metacharacters
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b8d5f0482d43a6a5dca6eb07a98c806d476e8cd9
Auto-Submitted: auto-generated

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=b8d5f0482d43a6a5dca6eb07a98c806d476e8cd9

commit b8d5f0482d43a6a5dca6eb07a98c806d476e8cd9
Author: Ed Maste
AuthorDate: 2024-01-05 18:12:09 +0000
Commit: Ed Maste
CommitDate: 2024-01-08 04:21:51 +0000

ssh: ban user/hostnames with most shell metacharacters

Cherry-picked from OpenSSH commit 7ef3787c84b6:

This makes ssh(1) refuse user or host names provided on the commandline that contain most shell metacharacters.

Some programs that invoke ssh(1) using untrusted data do not filter metacharacters in arguments they supply. This could create interactions with user-specified ProxyCommand and other directives that allow shell injection attacks to occur.

It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, but getting this stuff right can be tricky, so this should prevent most obvious ways of creating risky situations. It however is not and cannot be perfect: ssh(1) has no practical way of interpreting what shell quoting rules are in use and how they interact with the user's specified ProxyCommand.

To allow configurations that use strange user or hostnames to continue to work, this strictness is applied only to names coming from the commandline.
Names specified using User or Hostname directives in ssh_config(5) are not affected. feedback/ok millert@ markus@ dtucker@ deraadt@ OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 (cherry picked from commit c39254c8f23379709b8e2a68dc64477d2885f1d4) --- crypto/openssh/ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c index 8469f8edbb48..55a28f0ea1ff 100644 --- a/crypto/openssh/ssh.c +++ b/crypto/openssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.594 2023/09/03 23:59:32 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -624,6 +624,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) free(cinfo); } +static int +valid_hostname(const char *s) +{ + size_t i; + + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { + if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || + isspace((u_char)s[i]) || iscntrl((u_char)s[i])) + return 0; + } + return 1; +} + +static int +valid_ruser(const char *s) +{ + size_t i; + + if (*s == '-') + return 0; + for (i = 0; s[i] != 0; i++) { + if (strchr("'`\";&<>|(){}", s[i]) != NULL) + return 0; + /* Disallow '-' after whitespace */ + if (isspace((u_char)s[i]) && s[i + 1] == '-') + return 0; + /* Disallow \ in last position */ + if (s[i] == '\\' && s[i + 1] == '\0') + return 0; + } + return 1; +} + /* * Main program for the ssh client. */ @@ -1122,6 +1157,10 @@ main(int ac, char **av) if (!host) usage(); + if (!valid_hostname(host)) + fatal("hostname contains invalid characters"); + if (options.user != NULL && !valid_ruser(options.user)) + fatal("remote username contains invalid characters"); options.host_arg = xstrdup(host); /* Initialize the command to execute on remote host. */
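Review bot: in the hunk at @@ -624,6 +624,41 @@, valid_ruser() is noticeably looser than valid_hostname() and nothing in the code says why. Its reject string "'`\";&<>|(){}" leaves out the '$' and '\\' that valid_hostname() rejects, it accepts whitespace unless the next character is '-', it accepts a backslash anywhere but the last position, and it has no iscntrl() test, so a user name containing "$x", an embedded newline or other control characters passes. If that asymmetry is deliberate, a short comment above valid_ruser() stating which user-name forms need those characters would stop a later reader from treating the two filters as equivalent; if it is not, the two should share one reject set. Both functions also return 1 for an empty string because the loop body never runs, which is worth stating in the same comment.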
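Review bot: in the hunk at @@ -1122,6 +1157,10 @@, the two new checks in main() have no comment recording that they are meant to cover only names given on the command line, which the commit message states as the intended scope. The lines "if (!valid_hostname(host))" and "if (options.user != NULL && !valid_ruser(options.user))" depend on where they sit relative to configuration handling for that scope to hold, so a one-line comment here saying that User and Hostname values from ssh_config(5) are intentionally exempt would protect against a later reordering changing which names get filtered. The fatal() texts could also say that the name came from the command line, so that a user with an unusual name knows the ssh_config(5) directives remain available.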