Commit Graph

330 Commits

Author SHA1 Message Date
markus@openbsd.org b02ad1ce91 upstream commit
IdentityAgent for specifying specific agent sockets; ok
 djm@

Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-05-05 00:01:49 +10:00
djm@openbsd.org dc7990be86 upstream commit
Include directive for ssh_config(5); feedback & ok markus@

Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-15 11:16:11 +10:00
jmc@openbsd.org a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
jmc@openbsd.org eb3f7337a6 upstream commit
no need to state that protocol 2 is the default twice;

Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
2016-02-17 16:37:56 +11:00
djm@openbsd.org e7901efa9b upstream commit
Replace list of ciphers and MACs adjacent to -1/-2 flag
 descriptions in ssh(1) with a strong recommendation not to use protocol 1.
 Add a similar warning to the Protocol option descriptions in ssh_config(5)
 and sshd_config(5);

prompted by and ok mmcc@

Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-17 16:37:55 +11:00
jcs@openbsd.org f361df474c upstream commit
Add an AddKeysToAgent client option which can be set to
 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a
 private key that is used during authentication will be added to ssh-agent if
 it is running (with confirmation enabled if set to 'confirm').

Initial version from Joachim Schipper many years ago.

ok markus@

Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-11-16 11:31:39 +11:00
mmcc@openbsd.org 5e288923a3 upstream commit
1. rlogin and rsh are long gone 2. protocol version isn't
 of core relevance here, and v1 is going away

ok markus@, deraadt@

Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
2015-11-09 14:25:36 +11:00
jmc@openbsd.org c5f7c0843c upstream commit
some certificatefile tweaks; ok djm

Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
2015-10-06 12:21:55 +11:00
djm@openbsd.org 4e44a79a07 upstream commit
add ssh_config CertificateFile option to explicitly list
 a certificate; patch from Meghana Bhat on bz#2436; ok markus@

Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-10-06 12:21:54 +11:00
djm@openbsd.org c0f55db7ee upstream commit
mention -Q key-plain and -Q key-cert; bz#2455 pointed out
 by Jakub Jelen

Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
2015-09-16 17:52:04 +10:00
millert@openbsd.org ebe27ebe52 upstream commit
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
 Noticed by jmc@

Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
2015-07-21 13:05:12 +10:00
millert@openbsd.org 79ec2142fb upstream commit
Better desciption of Unix domain socket forwarding.
 bz#2423; ok jmc@

Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
2015-07-21 13:05:12 +10:00
markus@openbsd.org 3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org f948737449 upstream commit
mention ssh-keygen -E for comparing legacy MD5
 fingerprints; bz#2332

Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
2015-05-22 20:02:19 +10:00
dtucker@openbsd.org f8484dac67 upstream commit
Clarify pseudo-terminal request behaviour and use
 "pseudo-terminal" consistently.  bz#1716, ok jmc@ "I like it" deraadt@.
2015-05-08 13:32:58 +10:00
djm@openbsd.org 68d2dfc464 upstream commit
Allow "ssh -Q protocol-version" to list supported SSH
 protocol versions. Useful for detecting builds without SSH v.1 support; idea
 and ok markus@
2015-03-04 04:54:11 +11:00
djm@openbsd.org 46347ed596 upstream commit
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-30 22:47:01 +11:00
djm@openbsd.org 1d1092bff8 upstream commit
correct description of UpdateHostKeys in ssh_config.5 and
 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-27 00:00:58 +11:00
jmc@openbsd.org 8abd80315d upstream commit
add fingerprinthash to the options list;
2015-01-09 00:13:35 +11:00
djm@openbsd.org 56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
jmc@openbsd.org b1ba15f388 upstream commit
tweak previous;
2014-10-20 14:40:05 +11:00
djm@openbsd.org 957fbceb0f upstream commit
Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus
2014-10-13 11:41:48 +11:00
sobrado@openbsd.org f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller a8a0f65c57 - OpenBSD CVS Sync
- millert@cvs.openbsd.org 2014/07/24 22:57:10
     [ssh.1]
     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
2014-07-30 12:32:28 +10:00
Damien Miller 6d57656331 - jmc@cvs.openbsd.org 2014/07/16 14:48:57
[ssh.1]
     add the streamlocal* options to ssh's -o list; millert says they're
     irrelevant for scp/sftp;

     ok markus millert
2014-07-18 15:02:06 +10:00
Damien Miller 49d9bfe2b2 - djm@cvs.openbsd.org 2014/07/03 05:38:17
[ssh.1]
     document that -g will only work in the multiplexed case if applied to
     the mux master
2014-07-03 21:26:42 +10:00
Damien Miller 16f85cbc7e - tedu@cvs.openbsd.org 2014/04/19 18:42:19
[ssh.1]
     delete .xr to hosts.equiv. there's still an unfortunate amount of
     documentation referring to rhosts equivalency in here.
2014-04-20 13:29:28 +10:00
Damien Miller eb1b7c514d - tedu@cvs.openbsd.org 2014/03/17 19:44:10
[ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 13:02:26 +10:00
Damien Miller 8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller bdb352a54f - jmc@cvs.openbsd.org 2013/11/26 12:14:54
[ssh.1 ssh.c]
     - put -Q in the right place
     - Ar was a poor choice for the arguments to -Q. i've chosen an
       admittedly equally poor Cm, at least consistent with the rest
       of the docs. also no need for multiple instances
     - zap a now redundant Nm
     - usage() sync
2013-12-05 10:20:52 +11:00
Damien Miller d937dc084a - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
[ssh.1 ssh.c]
     improve -Q usage and such.  One usage change is that the option is now
     case-sensitive
     ok dtucker markus djm
2013-12-05 10:19:54 +11:00
Damien Miller 0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller 3850559be9 - djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     s/canonicalise/canonicalize/ for consistency with existing spelling,
     e.g. authorized_keys; pointed out by naddy@
2013-10-17 11:48:13 +11:00
Damien Miller 0faf747e2f - djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
     [sshconnect.c sshconnect.h]
     Implement client-side hostname canonicalisation to allow an explicit
     search path of domain suffixes to use to convert unqualified host names
     to fully-qualified ones for host key matching.
     This is particularly useful for host certificates, which would otherwise
     need to list unqualified names alongside fully-qualified ones (and this
     causes a number of problems).
     "looks fine" markus@
2013-10-17 11:47:23 +11:00
Damien Miller d77b81f856 - jmc@cvs.openbsd.org 2013/10/15 14:10:25
[ssh.1 ssh_config.5]
     tweak previous;
2013-10-17 11:39:00 +11:00
Damien Miller f2f6c315a9 - jmc@cvs.openbsd.org 2013/08/20 06:56:07
[ssh.1 ssh_config.5]
     some proxyusefdpass tweaks;
2013-08-21 02:44:58 +10:00
Damien Miller b7727df37e - jmc@cvs.openbsd.org 2013/08/14 08:39:27
[scp.1 ssh.1]
     some Bx/Ox conversion;
     From: Jan Stary
2013-08-21 02:43:49 +10:00
Damien Miller d93340cbb6 - djm@cvs.openbsd.org 2013/07/18 01:12:26
[ssh.1]
     be more exact wrt perms for ~/.ssh/config; bz#2078
2013-07-18 16:14:34 +10:00
Damien Miller fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller 03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Darren Tucker 427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker 628a3fdce2 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
Darren Tucker 83d0af6907 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
[ssh.1]
     missing letter in previous;
2012-09-07 11:21:03 +10:00
Darren Tucker 50a48d025f - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
[clientloop.c log.c ssh.1 log.h]
     Add ~v and ~V escape sequences to raise and lower the logging level
     respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
Damien Miller 36378c6413 - dtucker@cvs.openbsd.org 2012/06/18 12:17:18
[ssh.1]
     Clarify description of -W.  Noted by Steve.McClellan at radisys com, ok jmc
2012-06-20 21:53:25 +10:00
Damien Miller b9902cf6f6 - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
     Remove mention of 'three' key files since there are now four.  From
     Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Damien Miller 70b2d5550b - jmc@cvs.openbsd.org 2012/04/20 16:26:22
[ssh.1]
     use "brackets" instead of "braces", for consistency;
2012-04-22 11:26:10 +10:00
Damien Miller 1bcbd0a9de - okan@cvs.openbsd.org 2011/09/11 06:59:05
[ssh.1]
     document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
Damien Miller ff773644e6 - markus@cvs.openbsd.org 2011/09/10 22:26:34
[channels.c channels.h clientloop.c ssh.1]
     support cancellation of local/dynamic forwardings from ~C commandline;
     ok & feedback djm@
2011-09-22 21:39:48 +10:00