upstream: Add support for configuration tags to ssh(1).

This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.

ok markus

OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3

readconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.378 2023/07/17 04:04:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.379 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -144,7 +144,7 @@ static int process_config_line_depth(Options *options, struct passwd *pw,
 
 typedef enum {
 	oBadOption,
-	oHost, oMatch, oInclude,
+	oHost, oMatch, oInclude, oTag,
 	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 	oGatewayPorts, oExitOnForwardFailure,
 	oPasswordAuthentication,
@@ -257,6 +257,7 @@ static struct {
 	{ "user", oUser },
 	{ "host", oHost },
 	{ "match", oMatch },
+	{ "tag", oTag },
 	{ "escapechar", oEscapeChar },
 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
 	{ "userknownhostsfile", oUserKnownHostsFile },
@@ -745,6 +746,10 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 				goto out;
 			}
 			r = check_match_ifaddrs(arg) == 1;
+		} else if (strcasecmp(attrib, "tagged") == 0) {
+			criteria = xstrdup(options->tag == NULL ? "" :
+			    options->tag);
+			r = match_pattern_list(criteria, arg, 0) == 1;
 			if (r == (negate ? 1 : 0))
 				this_result = result = 0;
 		} else if (strcasecmp(attrib, "exec") == 0) {
@@ -1365,6 +1370,10 @@ parse_char_array:
 		charptr = &options->hostname;
 		goto parse_string;
 
+	case oTag:
+		charptr = &options->tag;
+		goto parse_string;
+
 	case oHostKeyAlias:
 		charptr = &options->host_key_alias;
 		goto parse_string;
@@ -2512,6 +2521,7 @@ initialize_options(Options * options)
 	options->known_hosts_command = NULL;
 	options->required_rsa_size = -1;
 	options->enable_escape_commandline = -1;
+	options->tag = NULL;
 }
 
 /*
@@ -3431,6 +3441,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
 	dump_cfg_string(oXAuthLocation, o->xauth_location);
 	dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
+	dump_cfg_string(oTag, o->tag);
 
 	/* Forwards */
 	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);

readconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.150 2023/01/13 02:58:20 dtucker Exp $ */
+/* $OpenBSD: readconf.h,v 1.151 2023/07/17 04:08:31 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -70,6 +70,7 @@ typedef struct {
 	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
 	char   *ca_sign_algorithms;	/* Allowed CA signature algorithms */
 	char   *hostname;	/* Real host to connect. */
+	char   *tag;		/* Configuration tag name. */
 	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
 	char   *proxy_command;	/* Proxy command for connecting the host. */
 	char   *user;		/* User to log in as. */

ssh.1

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.435 2023/07/17 04:08:31 djm Exp $
-.Dd $Mdocdate: June 21 2023 $
+.Dd $Mdocdate: July 17 2023 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Op Fl O Ar ctl_cmd
 .Op Fl o Ar option
 .Op Fl p Ar port
+.Op Fl P Ar tag
 .Op Fl Q Ar query_option
 .Op Fl R Ar address
 .Op Fl S Ar ctl_path
@@ -593,6 +594,16 @@ For full details of the options listed below, and their possible values, see
 .It XAuthLocation
 .El
 .Pp
+.It Fl P Ar tag
+Specify a tag name that may be used to select configuration in
+.Xr ssh_config 5 .
+Refer to the
+.Cm Tag
+and
+.Cm Match
+keywords in
+.Xr ssh_config 5
+for more information.
 .It Fl p Ar port
 Port to connect to on the remote host.
 This can be specified on a

ssh.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.590 2023/07/04 03:59:21 dlg Exp $ */
+/* $OpenBSD: ssh.c,v 1.591 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -708,7 +708,7 @@ main(int ac, char **av)
 
  again:
 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
+	    "AB:CD:E:F:GI:J:KL:MNO:P:Q:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
 		switch (opt) {
 		case '1':
 			fatal("SSH protocol v.1 is no longer supported");
@@ -772,7 +772,9 @@ main(int ac, char **av)
 			else
 				fatal("Invalid multiplex command.");
 			break;
-		case 'P':	/* deprecated */
+		case 'P':
+			if (options.tag == NULL)
+				options.tag = xstrdup(optarg);
 			break;
 		case 'Q':
 			cp = NULL;

ssh_config.5

@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.381 2023/07/17 04:04:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.382 2023/07/17 04:08:31 djm Exp $
 .Dd $Mdocdate: July 17 2023 $
 .Dt SSH_CONFIG 5
 .Os
@@ -144,6 +144,7 @@ The available criteria keywords are:
 .Cm localnetwork ,
 .Cm host ,
 .Cm originalhost ,
+.Cm Tag ,
 .Cm user ,
 and
 .Cm localuser .
@@ -223,6 +224,15 @@ The
 .Cm originalhost
 keyword matches against the hostname as it was specified on the command-line.
 The
+.Cm tagged
+keyword matches a tag name specified by a prior
+.Cm Tag
+directive or on the
+.Xr ssh 1
+command-line using the
+.Fl P
+flag.
+The
 .Cm user
 keyword matches against the target username on the remote host.
 The
@@ -1886,6 +1896,10 @@ To disable TCP keepalive messages, the value should be set to
 See also
 .Cm ServerAliveInterval
 for protocol-level keepalives.
+.It Cm Tag
+Specify a configuration tag name that may be later used by a
+.Cm Match
+directive to select a block of configuation.
 .It Cm Tunnel
 Request
 .Xr tun 4