CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2024/10/13 19:57:50

Modified files:
        usr.bin/ssh    : Makefile Makefile.inc log.c monitor.c monitor.h 
                         monitor_wrap.c monitor_wrap.h pathnames.h 
                         sandbox-pledge.c sandbox-rlimit.c servconf.c 
                         servconf.h session.c ssh-sandbox.h 
                         sshd-session.c sshd.c 
        usr.bin/ssh/sshd-session: Makefile 
Added files:
        usr.bin/ssh    : sshd-auth.c 
        usr.bin/ssh/sshd-auth: Makefile 

Log message:
Split per-connection sshd-session binary

This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes.

Joint work with markus@ feedback deraadt@

Tested in snaps since last week
