Commit Graph

490 Commits

Author SHA1 Message Date
dtucker@openbsd.org 8543ff3f50 upstream commit
Move the host and port used by ssh -W into the Options
 struct. This will make future changes a bit easier.  ok djm@

Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
2016-06-08 11:39:31 +10:00
markus@openbsd.org 1a75d14daf upstream commit
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@

Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-05-19 17:48:35 +10:00
markus@openbsd.org b02ad1ce91 upstream commit
IdentityAgent for specifying specific agent sockets; ok
 djm@

Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-05-05 00:01:49 +10:00
djm@openbsd.org d2d6bf864e upstream commit
close ControlPersist background process stderr when not
 in debug mode or when logging to a file or syslog. bz#1988 ok dtucker

Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
2016-04-29 18:09:02 +10:00
djm@openbsd.org 95767262ca upstream commit
refactor canohost.c: move functions that cache results closer
 to the places that use them (authn and session code). After this, no state is
 cached in canohost.c

feedback and ok markus@

Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-03-08 06:20:35 +11:00
dtucker@openbsd.org ffb1e7e896 upstream commit
Add a function to enable security-related malloc_options.
  With and ok deraadt@, something similar has been in the snaps for a while.

Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
2016-02-16 10:44:00 +11:00
markus@openbsd.org a306863831 upstream commit
remove roaming support; ok djm@

Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27 16:54:10 +11:00
deraadt@openbsd.org 6ef49e83e3 upstream commit
Disable experimental client-side roaming support.  Server
 side was disabled/gutted for years already, but this aspect was surprisingly
 forgotten. Thanks for report from Qualys

Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
2016-01-27 16:41:49 +11:00
Damien Miller e6c85f8889 forcibly disable roaming support in the client 2016-01-15 01:30:36 +11:00
djm@openbsd.org ed4ce82dbf upstream commit
eliminate fallback from untrusted X11 forwarding to trusted
 forwarding when the X server disables the SECURITY extension; Reported by
 Thomas Hoger; ok deraadt@

Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
2016-01-14 10:06:01 +11:00
djm@openbsd.org 6091c362e8 upstream commit
don't try to load SSHv1 private key when compiled without
 SSHv1 support. From Iain Morgan bz#2505

Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
2015-12-18 14:50:09 +11:00
mmcc@openbsd.org d59ce08811 upstream commit
Remove NULL-checks before free().

ok dtucker@

Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-12-11 13:23:14 +11:00
djm@openbsd.org 88b6fcdeb8 upstream commit
ban ConnectionAttempts=0, it makes no sense and would cause
 ssh_connect_direct() to print an uninitialised stack variable; bz#2500
 reported by dvw AT phas.ubc.ca

Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
2015-11-19 19:25:04 +11:00
dtucker@openbsd.org 03239c1831 upstream commit
Expand tildes in filenames passed to -i before checking
 whether or not the identity file exists.  This means that if the shell
 doesn't do the expansion (eg because the option and filename were given as a
 single argument) then we'll still add the key.  bz#2481, ok markus@

Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
2015-10-29 19:07:13 +11:00
djm@openbsd.org 5ee0063f02 upstream commit
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
 hostname canonicalisation - treat them as already canonical and remove the
 trailing '.' before matching ssh_config; ok markus@

Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
2015-10-17 05:45:11 +11:00
djm@openbsd.org b1d38a3cc6 upstream commit
fix some signed/unsigned integer type mismatches in
 format strings; reported by Nicholas Lemonias

Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
2015-10-16 10:54:08 +11:00
djm@openbsd.org 4e44a79a07 upstream commit
add ssh_config CertificateFile option to explicitly list
 a certificate; patch from Meghana Bhat on bz#2436; ok markus@

Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-10-06 12:21:54 +11:00
jmc@openbsd.org 846f6fa4cf upstream commit
sync -Q in usage() to SYNOPSIS; since it's drastically
 shorter, i've reformatted the block to sync with the man (80 cols) and saved
 a line;

Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
2015-09-16 17:52:06 +10:00
dtucker@openbsd.org 86ac462f83 upstream commit
Update usage to match man page.

Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
2015-09-16 17:52:05 +10:00
djm@openbsd.org 674b3b68c1 upstream commit
expand %i in ControlPath to UID; bz#2449

patch from Christian Hesse w/ feedback from dtucker@

Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
2015-09-16 17:52:04 +10:00
dtucker@openbsd.org 4f7cc2f8cc upstream commit
Plug minor memory leaks when options are used more than
 once.  bz#2182, patch from Tiago Cunha, ok deraadt djm

Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
2015-09-11 13:28:00 +10:00
djm@openbsd.org a85768a932 upstream commit
add a debug2() right before DNS resolution; it's a place
 where ssh could previously silently hang for a while. bz#2433

Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
2015-09-04 16:57:03 +10:00
djm@openbsd.org f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
millert@openbsd.org d5d91d0da8 upstream commit
Sync usage with SYNOPSIS

Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
2015-07-21 13:05:12 +10:00
djm@openbsd.org e661a86353 upstream commit
Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@
2015-05-10 11:38:04 +10:00
djm@openbsd.org a58be33cb6 upstream commit
debug log missing DISPLAY environment when X11
 forwarding requested; bz#1682 ok dtucker@
2015-04-29 18:13:35 +10:00
djm@openbsd.org 68d2dfc464 upstream commit
Allow "ssh -Q protocol-version" to list supported SSH
 protocol versions. Useful for detecting builds without SSH v.1 support; idea
 and ok markus@
2015-03-04 04:54:11 +11:00
djm@openbsd.org 44732de068 upstream commit
UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
2015-02-21 09:20:28 +11:00
deraadt@openbsd.org 087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00
djm@openbsd.org 9010902954 upstream commit
when hostname canonicalisation is enabled, try to parse
 hostnames as addresses before looking them up for canonicalisation. fixes
 bz#2074 and avoids needless DNS lookups in some cases; ok markus
2015-01-16 18:24:49 +11:00
djm@openbsd.org 141efe4954 upstream commit
move authfd.c and its tentacles to the new buffer/key
 API; ok markus@
2015-01-15 21:37:34 +11:00
djm@openbsd.org ab24ab847b upstream commit
reorder hostbased key attempts to better match the
 default hostkey algorithms order in myproposal.h; ok markus@
2015-01-09 00:20:25 +11:00
krw@openbsd.org 335c83d5f3 upstream commit
Nuke more obvious #include duplications.

ok deraadt@ millert@ tedu@
2014-11-24 10:15:04 +11:00
jmc@openbsd.org b1ba15f388 upstream commit
tweak previous;
2014-10-20 14:40:05 +11:00
djm@openbsd.org 957fbceb0f upstream commit
Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus
2014-10-13 11:41:48 +11:00
Damien Miller 357610d159 - djm@cvs.openbsd.org 2014/07/17 07:22:19
[mux.c ssh.c]
     reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
     previously we were always returning 0. bz#2255 reported by Brendan
     Germain; ok dtucker
2014-07-18 15:04:10 +10:00
Damien Miller 7acefbbcbe - millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
2014-07-18 14:11:24 +10:00
Damien Miller 9c38643c5c - djm@cvs.openbsd.org 2014/07/03 06:39:19
[ssh.c ssh_config.5]
     Add a %C escape sequence for LocalCommand and ControlPath that expands
     to a unique identifer based on a has of the tuple of (local host,
     remote user, hostname, port).

     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
     control paths.

     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-03 21:27:46 +10:00
Damien Miller 4b3ed647d5 - markus@cvs.openbsd.org 2014/06/27 16:41:56
[channels.c channels.h clientloop.c ssh.c]
     fix remote fwding with same listen port but different listen address
     with gerhard@, ok djm@
2014-07-02 15:29:40 +10:00
Damien Miller 19439e9a2a - djm@cvs.openbsd.org 2014/06/24 02:19:48
[ssh.c]
     don't fatal() when hostname canonicalisation fails with a
     ProxyCommand in use; continue and allow the ProxyCommand to
     connect anyway (e.g. to a host with a name outside the DNS
     behind a bastion)
2014-07-02 15:28:40 +10:00
Damien Miller 1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller c2e49062fa - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
version. From des@des.no
2014-04-01 14:42:46 +11:00
Damien Miller 08b57c67f3 - djm@cvs.openbsd.org 2014/02/26 20:18:37
[ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
2014-02-27 10:17:13 +11:00
Damien Miller 13f97b2286 - djm@cvs.openbsd.org 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
     the hostname. This allows users to write configurations that always
     refer to canonical hostnames, e.g.

     CanonicalizeHostname yes
     CanonicalDomains int.example.org example.org
     CanonicalizeFallbackLocal no

     Host *.int.example.org
         Compression off
     Host *.example.org
         User djm

     ok markus@
2014-02-24 15:57:55 +11:00
Damien Miller d56b44d2df - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:04 +11:00
Damien Miller 1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller 0fa47cfb32 - djm@cvs.openbsd.org 2013/12/29 05:42:16
[ssh.c]
     don't forget to load Ed25519 certs too
2013-12-29 17:53:39 +11:00
Damien Miller 5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller bdb352a54f - jmc@cvs.openbsd.org 2013/11/26 12:14:54
[ssh.1 ssh.c]
     - put -Q in the right place
     - Ar was a poor choice for the arguments to -Q. i've chosen an
       admittedly equally poor Cm, at least consistent with the rest
       of the docs. also no need for multiple instances
     - zap a now redundant Nm
     - usage() sync
2013-12-05 10:20:52 +11:00
Damien Miller d937dc084a - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
[ssh.1 ssh.c]
     improve -Q usage and such.  One usage change is that the option is now
     case-sensitive
     ok dtucker markus djm
2013-12-05 10:19:54 +11:00
Damien Miller 0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller 690d989008 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
     Output the effective values of Ciphers, MACs and KexAlgorithms when
     the default has not been overridden.  ok markus@
2013-11-08 12:16:49 +11:00
Damien Miller 28631ceaa7 - djm@cvs.openbsd.org 2013/10/25 23:04:51
[ssh.c]
     fix crash when using ProxyCommand caused by previous commit - was calling
     freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
2013-10-26 10:07:56 +11:00
Damien Miller a90c033808 - djm@cvs.openbsd.org 2013/10/24 08:19:36
[ssh.c]
     fix bug introduced in hostname canonicalisation commit: don't try to
     resolve hostnames when a ProxyCommand is set unless the user has forced
     canonicalisation; spotted by Iain Morgan
2013-10-24 21:03:17 +11:00
Damien Miller eff5cada58 - djm@cvs.openbsd.org 2013/10/23 03:05:19
[readconf.c ssh.c]
     comment
2013-10-23 16:31:10 +11:00
Damien Miller e3ea09494d - djm@cvs.openbsd.org 2013/10/17 00:46:49
[ssh.c]
     rearrange check to reduce diff against -portable
     (Id sync only)
2013-10-17 11:57:23 +11:00
Damien Miller 51682faa59 - djm@cvs.openbsd.org 2013/10/16 22:58:01
[ssh.c ssh_config.5]
     one I missed in previous: s/isation/ization/
2013-10-17 11:48:31 +11:00
Damien Miller 3850559be9 - djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     s/canonicalise/canonicalize/ for consistency with existing spelling,
     e.g. authorized_keys; pointed out by naddy@
2013-10-17 11:48:13 +11:00
Damien Miller 0faf747e2f - djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
     [sshconnect.c sshconnect.h]
     Implement client-side hostname canonicalisation to allow an explicit
     search path of domain suffixes to use to convert unqualified host names
     to fully-qualified ones for host key matching.
     This is particularly useful for host certificates, which would otherwise
     need to list unqualified names alongside fully-qualified ones (and this
     causes a number of problems).
     "looks fine" markus@
2013-10-17 11:47:23 +11:00
Damien Miller 5359a628ce - [ssh.c] g/c unused variable. 2013-10-15 12:20:37 +11:00
Damien Miller 386feab0c4 - djm@cvs.openbsd.org 2013/10/14 23:31:01
[ssh.c]
     whitespace at EOL; pointed out by markus@
2013-10-15 12:14:49 +11:00
Damien Miller e9fc72edd6 - djm@cvs.openbsd.org 2013/10/14 23:28:23
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
     refactor client config code a little:
     add multistate option partsing to readconf.c, similar to servconf.c's
     existing code.
     move checking of options that accept "none" as an argument to readconf.c
     add a lowercase() function and use it instead of explicit tolower() in
     loops
     part of a larger diff that was ok markus@
2013-10-15 12:14:12 +11:00
Damien Miller 194fd904d8 - djm@cvs.openbsd.org 2013/10/14 22:22:05
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
     add a "Match" keyword to ssh_config that allows matching on hostname,
     user and result of arbitrary commands. "nice work" markus@
2013-10-15 12:13:05 +11:00
Damien Miller 98e27dcf58 - djm@cvs.openbsd.org 2013/07/25 00:29:10
[ssh.c]
     daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
     it is fully detached from its controlling terminal. based on debugging
2013-07-25 11:55:52 +10:00
Damien Miller 3009d3cbb8 - djm@cvs.openbsd.org 2013/07/20 01:44:37
[ssh-keygen.c ssh.c]
     More useful error message on missing current user in /etc/passwd
2013-07-20 13:22:31 +10:00
Damien Miller 649fe025a4 - djm@cvs.openbsd.org 2013/07/12 05:48:55
[ssh.c]
     set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
2013-07-18 16:13:55 +10:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller 34bd20a1e5 - djm@cvs.openbsd.org 2013/04/19 11:10:18
[ssh.c]
     add -Q to usage; reminded by jmc@
2013-04-23 19:25:00 +10:00
Damien Miller ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller 03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Damien Miller 508b6c3d3b - djm@cvs.openbsd.org 2013/03/08 06:32:58
[ssh.c]
     allow "ssh -f none ..." ok markus@
2013-04-23 15:18:28 +10:00
Darren Tucker 15fd19c4c9 - djm@cvs.openbsd.org 2013/02/22 22:09:01
[ssh.c]
     Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier
     version)
2013-04-05 11:22:26 +11:00
Darren Tucker aefa368243 - dtucker@cvs.openbsd.org 2013/02/22 04:45:09
[ssh.c readconf.c readconf.h]
     Don't complain if IdentityFiles specified in system-wide configs are
     missing.  ok djm, deraadt
2013-04-05 11:18:35 +11:00
Darren Tucker 1910478c2d - dtucker@cvs.openbsd.org 2013/02/17 23:16:57
[readconf.c ssh.c readconf.h sshconnect2.c]
     Keep track of which IndentityFile options were manually supplied and which
     were default options, and don't warn if the latter are missing.
     ok markus@
2013-04-05 11:13:08 +11:00
Damien Miller fff9f095e2 - djm@cvs.openbsd.org 2012/07/06 01:47:38
[ssh.c]
     move setting of tty_flag to after config parsing so RequestTTY options
     are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
     ok dtucker@
2012-07-06 13:45:01 +10:00
Darren Tucker 7b30501bf5 - dtucker@cvs.openbsd.org 2012/07/02 08:50:03
[ssh.c]
     set interactive ToS for forwarded X11 sessions.  ok djm@
2012-07-02 18:55:09 +10:00
Darren Tucker 2d6665d944 - djm@cvs.openbsd.org 2011/10/24 02:10:46
[ssh.c]
     bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
     was incorrectly requesting the forward in both the control master and
     slave. skip requesting it in the master to fix. ok markus@
2011-11-04 10:54:22 +11:00
Darren Tucker 45c66d7ad4 - djm@cvs.openbsd.org 2011/10/18 05:15:28
[ssh.c]
     ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-11-04 10:50:40 +11:00
Darren Tucker 68afb8c5f2 - markus@cvs.openbsd.org 2011/09/23 07:45:05
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c     version.h]
     unbreak remote portforwarding with dynamic allocated listen ports:
     1) send the actual listen port in the open message (instead of 0).
        this allows multiple forwardings with a dynamic listen port
     2) update the matching permit-open entry, so we can identify where
        to connect to
     report: den at skbkontur.ru and P. Szczygielski
     feedback and ok djm@
2011-10-02 18:59:03 +11:00
Damien Miller f6dff7cd2f - djm@cvs.openbsd.org 2011/09/09 22:46:44
[channels.c channels.h clientloop.h mux.c ssh.c]
     support for cancelling local and remote port forwards via the multiplex
     socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
     the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
Damien Miller 765f8c4eff - djm@cvs.openbsd.org 2011/08/02 23:15:03
[ssh.c]
     typo in comment
2011-08-06 06:18:16 +10:00
Damien Miller 6d7b4377dd - djm@cvs.openbsd.org 2011/06/22 22:08:42
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
     hook up a channel confirm callback to warn the user then requested X11
     forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
Damien Miller ea2c1a4dc6 - djm@cvs.openbsd.org 2011/06/03 00:54:38
[ssh.c]
    bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
    AT googlemail.com; ok dtucker@
    NB. includes additional portability code to enable setproctitle emulation
    on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Damien Miller 295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller a6bbbe4658 - djm@cvs.openbsd.org 2011/05/06 21:38:58
[ssh.c]
     fix dropping from previous diff
2011-05-15 08:46:29 +10:00
Damien Miller 21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00
Damien Miller dfc85fa181 - djm@cvs.openbsd.org 2011/05/06 21:18:02
[ssh.c ssh_config.5]
     add a %L expansion (short-form of the local host name) for ControlPath;
     sync some more expansions with LocalCommand; ok markus@
2011-05-15 08:44:02 +10:00
Damien Miller 6c3eec7ab2 - djm@cvs.openbsd.org 2011/04/17 22:42:42
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
     allow graceful shutdown of multiplexing: request that a mux server
     removes its listener socket and refuse future multiplexing requests;
     ok markus@
2011-05-05 14:16:22 +10:00
Damien Miller f22019bdbf - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress] Remove ssh-rand-helper and all its
   tentacles. PRNGd seeding has been rolled into entropy.c directly.
   Thanks to tim@ for testing on affected platforms.
2011-05-05 13:48:37 +10:00
Damien Miller 71adf127e8 - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
   building with SELinux support to avoid linking failure; report from
   amk AT spamfence.net; ok dtucker
2011-01-25 12:16:15 +11:00
Damien Miller 83f8a4014d - djm@cvs.openbsd.org 2011/01/06 22:23:53
[ssh.c]
     unbreak %n expansion in LocalCommand; patch from bert.wesarg AT
     googlemail.com; ok markus@
2011-01-07 09:51:17 +11:00
Damien Miller d925dcd8a5 - djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
     [sshconnect.h sshconnect2.c]
     automatically order the hostkeys requested by the client based on
     which hostkeys are already recorded in known_hosts. This avoids
     hostkey warnings when connecting to servers with new ECDSA keys
     that are preferred by default; with markus@
2010-12-01 12:21:51 +11:00
Damien Miller 0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Damien Miller a41ccca643 - djm@cvs.openbsd.org 2010/10/06 06:39:28
[clientloop.c ssh.c sshconnect.c sshconnect.h]
     kill proxy command on fatal() (we already kill it on clean exit);
     ok markus@
2010-10-07 22:07:32 +11:00
Damien Miller 857b02e37f - djm@cvs.openbsd.org 2010/09/20 04:41:47
[ssh.c]
     install a SIGCHLD handler to reap expiried child process; ok markus@
2010-09-24 22:02:56 +10:00
Darren Tucker 8ccb7392e7 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
for missing headers and compiler warnings.
2010-09-10 12:28:24 +10:00
Damien Miller 6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller 5929c52f65 - markus@cvs.openbsd.org 2010/09/02 16:08:39
[ssh.c]
     unbreak ControlPersist=yes for ControlMaster=yes; ok djm@
2010-09-10 11:17:02 +10:00
Damien Miller 4314c2b548 - djm@cvs.openbsd.org 2010/08/31 12:33:38
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     reintroduce commit from tedu@, which I pulled out for release
     engineering:
       OpenSSL_add_all_algorithms is the name of the function we have a
       man page for, so use that.  ok djm
2010-09-10 11:12:09 +10:00
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00