Commit Graph

351 Commits

Author SHA1 Message Date
jsg@openbsd.org 4d48219c72 upstream: spelling
OpenBSD-Commit-ID: 478bc3db04f62f1048ed6e1765400f3ab325e60f
2021-03-13 13:14:13 +11:00
dtucker@openbsd.org 85ff2a564c upstream: Add %k to list of keywords. From
=?UTF-8?q?=20Eero=20H=C3=A4kkinenvia=20bz#3267?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: 9c87f39a048cee2a7d1c8bab951b2f716256865e
2021-03-01 10:20:42 +11:00
djm@openbsd.org 8b8b60542d upstream: lots more s/key types/signature algorithms/ mostly in
HostbasedAcceptedAlgorithms and HostKeyAlgorithms; prompted by Jakub Jelen

OpenBSD-Commit-ID: 3f719de4385b1a89e4323b2549c66aae050129cb
2021-02-24 08:56:22 +11:00
markus@openbsd.org da0a9afcc4 upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
with SOCKS ok djm@, dtucker@

OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
2021-02-17 15:03:41 +11:00
dlg@openbsd.org ad74fc127c upstream: ProxyJump takes "none" to disable processing like
ProxyCommand does

ok djm@ jmc@

OpenBSD-Commit-ID: 941a2399da2193356bdc30b879d6e1692f18b6d3
2021-02-17 15:03:41 +11:00
naddy@openbsd.org 507b448a24 upstream: move HostbasedAcceptedAlgorithms to the right place in
alphabetical order

OpenBSD-Commit-ID: d766820d33dd874d944c14b0638239adb522c7ec
2021-01-27 11:45:50 +11:00
dtucker@openbsd.org e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org ee9c0da803 upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.  Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading.  The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
2021-01-22 15:03:56 +11:00
rob@openbsd.org a164862dfa upstream: Minor grammatical correction.
OK jmc@

OpenBSD-Commit-ID: de0fad0581e212b2750751e479b79c18ff8cac02
2021-01-18 18:43:43 +11:00
djm@openbsd.org 6cb52d5bf7 upstream: make CheckHostIP default to 'no'. It doesn't provide any
perceptible value and makes it much harder for hosts to change host keys,
particularly ones that use IP-based load-balancing.

ok dtucker@

OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0
2021-01-08 16:01:30 +11:00
jmc@openbsd.org 09d070ccc3 upstream: tweak the description of KnownHostsCommand in ssh_conf.5,
and add entries for it to the -O list in scp.1 and sftp.1;

ok djm

OpenBSD-Commit-ID: aba31ebea03f38f8d218857f7ce16a500c3e4aff
2020-12-29 12:02:51 +11:00
djm@openbsd.org da4bf0db94 upstream: add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
2020-12-22 15:43:59 +11:00
jmc@openbsd.org 616029a85a upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: bb81e2ed5a77832fe62ab30a915ae67cda57633e
2020-10-17 22:45:37 +11:00
djm@openbsd.org 793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org 3205eaa3f8 upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
2020-10-08 12:28:06 +11:00
djm@openbsd.org e79957e877 upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is
enabled; suggested by Mark D. Baushke

OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
2020-10-07 13:34:11 +11:00
djm@openbsd.org 1286981d08 upstream: enable UpdateHostkeys by default when the configuration
has not overridden UserKnownHostsFile; ok markus@ "The timing is perfect"
deraadt@

OpenBSD-Commit-ID: 62df71c9c5242da5763cb473c2a2deefbd0cef60
2020-10-03 18:31:49 +10:00
djm@openbsd.org 12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
djm@openbsd.org d0a195c89e upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited keys
will automatically be removed from ssh-agent after their expiry time has
passed; ok markus@

OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
2020-08-27 11:27:01 +10:00
jmc@openbsd.org 69860769fa upstream: fix macro slip in previous;
OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a
2020-07-17 18:03:28 +10:00
dtucker@openbsd.org 8df5774a42 upstream: Add a '%k' TOKEN that expands to the effective HostKey of
the destination.  This allows, eg, keeping host keys in individual files
using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@
(man page bits)

OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc
2020-07-17 13:52:46 +10:00
dtucker@openbsd.org c4f239944a upstream: Add %-TOKEN, environment variable and tilde expansion to
UserKnownHostsFile, allowing the file to be automagically split up in the
configuration (eg bz#1654).  ok djm@, man page parts jmc@

OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18
2020-07-17 13:52:46 +10:00
jmc@openbsd.org ec1d50b01c upstream: remove a stray .El;
OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
2020-05-29 20:10:21 +10:00
djm@openbsd.org 188e332d1c upstream: mention that wildcards are processed in lexical order;
bz#3165

OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
2020-05-29 15:46:47 +10:00
dtucker@openbsd.org 4a1b46e6d0 upstream: Allow some keywords to expand shell-style ${ENV}
environment variables on the client side.  The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket paths.  This
would for example allow forwarding of Unix domain socket paths that change at
runtime.  bz#3140, ok djm@

OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
2020-05-29 15:46:47 +10:00
jmc@openbsd.org ca5403b085 upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: e579e4d95eef13059c30931ea1f09ed8296b819c
2020-04-17 14:03:16 +10:00
dtucker@openbsd.org 990687a033 upstream: Add TOKEN percent expansion to LocalFoward and RemoteForward
when used for Unix domain socket forwarding.  Factor out the code for the
config keywords that use the most common subset of TOKENS into its own
function. bz#3014, ok jmc@ (man page bits) djm@

OpenBSD-Commit-ID: bffc9f7e7b5cf420309a057408bef55171fd0b97
2020-04-10 11:47:19 +10:00
dtucker@openbsd.org ed833da176 upstream: Make with config keywords support which
percent_expansions more consistent.  - %C is moved into its own function and
added to Match Exec.  - move the common (global) options into a macro.  This
is ugly but it's    the least-ugly way I could come up with.  - move
IdentityAgent and ForwardAgent percent expansion to before the    config dump
to make it regression-testable.  - document all of the above

ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.

OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
2020-04-03 13:33:37 +11:00
dtucker@openbsd.org d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
jmc@openbsd.org ba261a1dd3 upstream: spelling fix;
OpenBSD-Commit-ID: 3c079523c4b161725a4b15dd06348186da912402
2020-02-01 10:15:27 +11:00
djm@openbsd.org 771891a044 upstream: document changed default for UpdateHostKeys
OpenBSD-Commit-ID: 25c390b21d142f78ac0106241d13441c4265fd2c
2020-01-31 09:27:10 +11:00
djm@openbsd.org 4594c76276 upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,
based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
2020-01-28 12:52:46 +11:00
djm@openbsd.org 469df611f7 upstream: clarify that BatchMode applies to all interactive prompts
(e.g. host key confirmation) and not just password prompts.

OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
2020-01-26 10:34:50 +11:00
tedu@openbsd.org 0b813436bb upstream: group14-sha1 is no longer a default algorithm
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25 18:20:01 +11:00
djm@openbsd.org 3432b6e05d upstream: reword HashKnownHosts description a little more; some
people found the wording confusing (bz#2560)

OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
2020-01-25 18:20:01 +11:00
djm@openbsd.org f80d7d6aa9 upstream: weaken the language for what HashKnownHosts provides with
regards to known_hosts name privacy, it's not practical for this option to
offer any guarantee that hostnames cannot be recovered from a disclosed
known_hosts file (e.g. by brute force).

OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
2020-01-25 18:20:01 +11:00
naddy@openbsd.org a78c66d5d2 upstream: document the default value of the ControlPersist option;
ok dtucker@ djm@

OpenBSD-Commit-ID: 0788e7f2b5a9d4e36d3d2ab378f73329320fef66
2020-01-22 09:41:41 +11:00
naddy@openbsd.org 141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
djm@openbsd.org 40be78f503 upstream: Allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in addition
to yes/no.

Patch by Eric Chiang, manpage by me; ok markus@

OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-21 13:22:07 +11:00
naddy@openbsd.org ae024b22c4 upstream: Document that security key-hosted keys can act as host
keys.

Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5.  Copy the description of the SecurityKeyProvider
option to sshd_config.5.

ok jmc@

OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-20 14:25:08 +11:00
jmc@openbsd.org 483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
naddy@openbsd.org 2cf262c21f upstream: document '$' environment variable expansion for
SecurityKeyProvider; ok djm@

OpenBSD-Commit-ID: 76db507ebd336a573e1cd4146cc40019332c5799
2019-11-20 09:27:29 +11:00
naddy@openbsd.org f0edda81c5 upstream: more missing mentions of ed25519-sk; ok djm@
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20 09:27:29 +11:00
djm@openbsd.org e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
djm@openbsd.org 6bff9521ab upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
naddy@openbsd.org aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
djm@openbsd.org 7047d5afe3 upstream: clarify that IdentitiesOnly also applies to the default
~/.ssh/id_* keys; bz#3062

OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
2019-09-13 14:53:45 +10:00
djm@openbsd.org fbe24b1429 upstream: allow %n to be expanded in ProxyCommand strings
From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
ok dtucker@

OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
2019-09-13 14:28:44 +10:00
djm@openbsd.org 2ce1d11600 upstream: clarify that ConnectTimeout applies both to the TCP
connection and to the protocol handshake/KEX. From Jean-Charles Longuet via
Github PR140

OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
2019-09-13 14:09:21 +10:00
naddy@openbsd.org 91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00