CVSROOT: /cvs Module name: src Changes by: d...@cvs.openbsd.org 2024/10/13 19:57:50
Modified files: usr.bin/ssh : Makefile Makefile.inc log.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h pathnames.h sandbox-pledge.c sandbox-rlimit.c servconf.c servconf.h session.c ssh-sandbox.h sshd-session.c sshd.c usr.bin/ssh/sshd-session: Makefile Added files: usr.bin/ssh : sshd-auth.c usr.bin/ssh/sshd-auth: Makefile Log message: Split per-connection sshd-session binary This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after thhe authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week