The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed. In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer. ok deraadt@
OpenBSD-Commit-ID: f53a1015cb6908431b92116130d285d71589612c
Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.
These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.
ok markus@
OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138
don't attempt to force hostnames that are addresses to
lowercase, but instead canonicalise them through getnameinfo/getaddrinfo to
remove ambiguities (e.g. ::0001 => ::1) before they are matched against
known_hosts; bz#2763, ok dtucker@
OpenBSD-Commit-ID: ba0863ff087e61e5c65efdbe53be3cb92c9aefa0
fix broken stdout in ControlPersist mode, introduced by me in
r1.467 and reported by Alf Schlichting
OpenBSD-Commit-ID: 3750a16e02108fc25f747e4ebcedb7123c1ef509
transfer ownership of stdout to the session channel by
dup2'ing /dev/null to fd 1. This allows propagation of remote stdout close to
the local side; reported by David Newall, ok markus@
Upstream-ID: 8d9ac18a11d89e6b0415f0cbf67b928ac67f0e79
Expose devices allocated for tun/tap forwarding.
At the client, the device may be obtained from a new %T expansion
for LocalCommand.
At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.
ok markus
Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
Add URI support to ssh, sftp and scp. For example
ssh://user@host or sftp://user@host/path. The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type. OK djm@
Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.
The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.
help and ok djm@
Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
refactor channels.c
Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.
Explicitly pass "struct ssh" to all channels functions.
Replace use of the legacy packet APIs in channels.c.
Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.
ok markus@
Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
make "--" before the hostname terminate command-line
option processing completely; previous behaviour would not prevent further
options appearing after the hostname (ssh has a supported options after the
hostname for >20 years, so that's too late to change).
ok deraadt@
Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
Add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command line. This
command will be executed on the remote host. The feature allows to automate
tasks using ssh config. OK markus@
Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
Add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8). bz#2705, patch from erahn at arista.com, ok
djm@
Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
fix regression in 7.4 server-sig-algs, where we were
accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@
Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
quote [host]:port in generated ProxyJump commandline; the
[ / ] characters can confuse some shells (e.g. zsh). Reported by Lauri
Tirkkonen via bugs@
Upstream-ID: 65cdd161460e1351c3d778e974c1c2a4fa4bc182
For ProxyJump/-J, surround host name with brackets to
allow literal IPv6 addresses. From Dick Visser; ok dtucker@
Upstream-ID: 3a5d3b0171250daf6a5235e91bce09c1d5746bf1
Turkish locales are unique in their handling of the letters 'i' and
'I' (yes, they are different letters) and OpenSSH isn't remotely
prepared to deal with that. For now, the best we can do is to force
OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
encoding if possible.
ok dtucker@
make IdentityFile successfully load and use certificates that
have no corresponding bare public key. E.g. just a private id_rsa and
certificate id_rsa-cert.pub (and no id_rsa.pub).
bz#2617 ok dtucker@
Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux
client speaks the ssh-packet protocol directly over unix-domain socket. - mux
server acts as a proxy, translates channel IDs and relays to the server. - no
filedescriptor passing necessary. - combined with unix-domain forwarding it's
even possible to run mux client and server on different machines. feedback
& ok djm@
Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
list all supported signature algorithms in the
server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@
Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
support UTF-8 characters in ssh(1) banners using
schwarze@'s safe fmprintf printer; bz#2058
feedback schwarze@ ok dtucker@
Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
Allow ExitOnForwardFailure and ClearAllForwardings to be
overridden when using ssh -W (but still default to yes in that case).
bz#2577, ok djm@.
Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
Move the host and port used by ssh -W into the Options
struct. This will make future changes a bit easier. ok djm@
Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
close ControlPersist background process stderr when not
in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
refactor canohost.c: move functions that cache results closer
to the places that use them (authn and session code). After this, no state is
cached in canohost.c
feedback and ok markus@
Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
Add a function to enable security-related malloc_options.
With and ok deraadt@, something similar has been in the snaps for a while.
Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
Disable experimental client-side roaming support. Server
side was disabled/gutted for years already, but this aspect was surprisingly
forgotten. Thanks for report from Qualys
Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
eliminate fallback from untrusted X11 forwarding to trusted
forwarding when the X server disables the SECURITY extension; Reported by
Thomas Hoger; ok deraadt@
Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
don't try to load SSHv1 private key when compiled without
SSHv1 support. From Iain Morgan bz#2505
Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
ban ConnectionAttempts=0, it makes no sense and would cause
ssh_connect_direct() to print an uninitialised stack variable; bz#2500
reported by dvw AT phas.ubc.ca
Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
Expand tildes in filenames passed to -i before checking
whether or not the identity file exists. This means that if the shell
doesn't do the expansion (eg because the option and filename were given as a
single argument) then we'll still add the key. bz#2481, ok markus@
Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
hostname canonicalisation - treat them as already canonical and remove the
trailing '.' before matching ssh_config; ok markus@
Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
fix some signed/unsigned integer type mismatches in
format strings; reported by Nicholas Lemonias
Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
add ssh_config CertificateFile option to explicitly list
a certificate; patch from Meghana Bhat on bz#2436; ok markus@
Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
sync -Q in usage() to SYNOPSIS; since it's drastically
shorter, i've reformatted the block to sync with the man (80 cols) and saved
a line;
Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
Plug minor memory leaks when options are used more than
once. bz#2182, patch from Tiago Cunha, ok deraadt djm
Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
add a debug2() right before DNS resolution; it's a place
where ssh could previously silently hang for a while. bz#2433
Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
Remove pattern length argument from match_pattern_list(), we
only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
when hostname canonicalisation is enabled, try to parse
hostnames as addresses before looking them up for canonicalisation. fixes
bz#2074 and avoids needless DNS lookups in some cases; ok markus
Tweak config reparsing with host canonicalisation
Make the second pass through the config files always run when
hostname canonicalisation is enabled.
Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.
Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"
Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).
bz#2267 bz#2286; ok markus
[mux.c ssh.c]
reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
previously we were always returning 0. bz#2255 reported by Brendan
Germain; ok dtucker
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
[ssh.c ssh_config.5]
Add a %C escape sequence for LocalCommand and ControlPath that expands
to a unique identifer based on a has of the tuple of (local host,
remote user, hostname, port).
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
control paths.
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
[ssh.c]
don't fatal() when hostname canonicalisation fails with a
ProxyCommand in use; continue and allow the ProxyCommand to
connect anyway (e.g. to a host with a name outside the DNS
behind a bastion)
[readconf.c readconf.h ssh.c ssh_config.5]
reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
[ssh.c]
delay lowercasing of hostname until right before hostname
canonicalisation to unbreak case-sensitive matching of ssh_config;
reported by Ike Devolder; ok markus@
[ssh.1 ssh.c]
- put -Q in the right place
- Ar was a poor choice for the arguments to -Q. i've chosen an
admittedly equally poor Cm, at least consistent with the rest
of the docs. also no need for multiple instances
- zap a now redundant Nm
- usage() sync
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
[ssh.c]
fix crash when using ProxyCommand caused by previous commit - was calling
freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
[ssh.c]
fix bug introduced in hostname canonicalisation commit: don't try to
resolve hostnames when a ProxyCommand is set unless the user has forced
canonicalisation; spotted by Iain Morgan
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
s/canonicalise/canonicalize/ for consistency with existing spelling,
e.g. authorized_keys; pointed out by naddy@
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
[sshconnect.c sshconnect.h]
Implement client-side hostname canonicalisation to allow an explicit
search path of domain suffixes to use to convert unqualified host names
to fully-qualified ones for host key matching.
This is particularly useful for host certificates, which would otherwise
need to list unqualified names alongside fully-qualified ones (and this
causes a number of problems).
"looks fine" markus@
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
refactor client config code a little:
add multistate option partsing to readconf.c, similar to servconf.c's
existing code.
move checking of options that accept "none" as an argument to readconf.c
add a lowercase() function and use it instead of explicit tolower() in
loops
part of a larger diff that was ok markus@
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@
[ssh.c]
daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
it is fully detached from its controlling terminal. based on debugging
dtucker@openbsd.org
djm@openbsd.org
djm@openbsd.org@openbsd.org
millert@openbsd.org
markus@openbsd.org
bluhm@openbsd.org
jmc@openbsd.org
Damien Miller
deraadt@openbsd.org
mmcc@openbsd.org
krw@openbsd.org
Darren Tucker