CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2024/10/13 19:57:50
Modified files:
usr.bin/ssh : Makefile Makefile.inc log.c monitor.c monitor.h
monitor_wrap.c monitor_wrap.h pathnames.h
sandbox-pledge.c sandbox-rlimit.c servconf.c
servconf.h session.c ssh-sandbox.h
sshd-session.c sshd.c
usr.bin/ssh/sshd-session: Makefile
Added files:
usr.bin/ssh : sshd-auth.c
usr.bin/ssh/sshd-auth: Makefile
Log message:
Split per-connection sshd-session binary
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after thhe authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
