Commit Graph

368 Commits

Author SHA1 Message Date
djm@openbsd.org
21b6b5a06c upstream: add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default
KEXAlgorithms list (after the ECDH methods but before the prime-group DH
ones).

ok markus@

OpenBSD-Commit-ID: 22b77e27a04e497a10e22f138107579652854210
2021-11-10 17:32:18 +11:00
kn@openbsd.org
d39039ddc0 upstream: RSA/SHA-1 is not used by default anymore
OK dtucker deraadt djm

OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6
2021-09-26 21:13:28 +10:00
djm@openbsd.org
a4bee1934b upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok
markus@

OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
2021-09-16 15:38:16 +10:00
dtucker@openbsd.org
a60209a586 upstream: Use .Cm instead of .Dq in StrictHostKeyChecking list for
consistency. Patch from scop via github PR#257, ok jmc@

OpenBSD-Commit-ID: 3652a91564570779431802c31224fb4a9cf39872
2021-09-03 18:08:46 +10:00
dtucker@openbsd.org
eb4362e5e3 upstream: Refer to KEX "algorithms" instead of "methods" to match
other references and improve consistency.  Patch from scop via github PR#241,
ok djm@

OpenBSD-Commit-ID: 840bc94ff6861b28d8603c8e8c16499bfb65e32c
2021-09-03 17:33:08 +10:00
djm@openbsd.org
dcce2a2bcf upstream: mention that CASignatureAlgorithms accepts +/- similarly to
the other algorithm list directives; ok jmc bz#3335

OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9
2021-08-13 10:01:15 +10:00
dtucker@openbsd.org
35c8e41a6f upstream: Document "ProxyJump none". bz#3334.
OpenBSD-Commit-ID: f78cc6f55731f2cd35c3a41d5352ac1ee419eba7
2021-08-06 16:54:34 +10:00
jmc@openbsd.org
c7cd347a88 upstream: fix a formatting error and mark up known_hosts
consistently; issues reported by debian at helgefjell de

ok djm dtucker

OpenBSD-Commit-ID: a1fd8d21dc77f507685443832df0c9700481b0ce
2021-08-03 09:39:58 +10:00
djm@openbsd.org
a917e973a1 upstream: Add a ForkAfterAuthentication ssh_config(5) counterpart
to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok
dtucker

OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3
2021-07-23 14:07:19 +10:00
djm@openbsd.org
e0c5088f1c upstream: Add a StdinNull directive to ssh_config(5) that allows
the config file to do the same thing as -n does on the ssh(1) commandline.
Patch from Volker Diels-Grabsch via GHPR231; ok dtucker

OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e
2021-07-23 14:07:19 +10:00
jmc@openbsd.org
ef7c4e52d5 upstream: reorder SessionType; ok djm
OpenBSD-Commit-ID: c7dd0b39e942b1caf4976a0b1cf0fed33d05418c
2021-07-16 19:21:04 +10:00
djm@openbsd.org
eda8909d1b upstream: add a SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no session) and -s
(subsystem) command-line flags.

Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
feedback and ok dtucker@

OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
2021-07-14 09:49:47 +10:00
Darren Tucker
53237ac789 Sync remaining ChallengeResponse removal.
These were omitted from commit 88868fd131.
2021-07-03 19:23:28 +10:00
djm@openbsd.org
d9cb35bbec upstream: adjust SetEnv description to clarify $TERM handling
OpenBSD-Commit-ID: 8b8cc0124856bc1094949d55615e5c44390bcb22
2021-06-04 15:13:14 +10:00
jmc@openbsd.org
320af2f3de upstream: remove stray inserts; from matthias schmidt
OpenBSD-Commit-ID: 2c36ebdc54e14bbf1daad70c6a05479a073d5c63
2021-04-06 19:08:53 +10:00
jmc@openbsd.org
801f710953 upstream: missing comma; from kawashima james
OpenBSD-Commit-ID: 31cec6bf26c6db4ffefc8a070715ebef274e68ea
2021-04-06 19:08:53 +10:00
djm@openbsd.org
53ea05e09b upstream: sync CASignatureAlgorithms lists with reality. GHPR#174 from
Matt Hazinski

OpenBSD-Commit-ID: f05e4ca54d7e67b90fe58fe1bdb1d2a37e0e2696
2021-04-03 17:57:01 +11:00
jsg@openbsd.org
4d48219c72 upstream: spelling
OpenBSD-Commit-ID: 478bc3db04f62f1048ed6e1765400f3ab325e60f
2021-03-13 13:14:13 +11:00
dtucker@openbsd.org
85ff2a564c upstream: Add %k to list of keywords. From
=?UTF-8?q?=20Eero=20H=C3=A4kkinenvia=20bz#3267?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: 9c87f39a048cee2a7d1c8bab951b2f716256865e
2021-03-01 10:20:42 +11:00
djm@openbsd.org
8b8b60542d upstream: lots more s/key types/signature algorithms/ mostly in
HostbasedAcceptedAlgorithms and HostKeyAlgorithms; prompted by Jakub Jelen

OpenBSD-Commit-ID: 3f719de4385b1a89e4323b2549c66aae050129cb
2021-02-24 08:56:22 +11:00
markus@openbsd.org
da0a9afcc4 upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
with SOCKS ok djm@, dtucker@

OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
2021-02-17 15:03:41 +11:00
dlg@openbsd.org
ad74fc127c upstream: ProxyJump takes "none" to disable processing like
ProxyCommand does

ok djm@ jmc@

OpenBSD-Commit-ID: 941a2399da2193356bdc30b879d6e1692f18b6d3
2021-02-17 15:03:41 +11:00
naddy@openbsd.org
507b448a24 upstream: move HostbasedAcceptedAlgorithms to the right place in
alphabetical order

OpenBSD-Commit-ID: d766820d33dd874d944c14b0638239adb522c7ec
2021-01-27 11:45:50 +11:00
dtucker@openbsd.org
e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org
ee9c0da803 upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.  Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading.  The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
2021-01-22 15:03:56 +11:00
rob@openbsd.org
a164862dfa upstream: Minor grammatical correction.
OK jmc@

OpenBSD-Commit-ID: de0fad0581e212b2750751e479b79c18ff8cac02
2021-01-18 18:43:43 +11:00
djm@openbsd.org
6cb52d5bf7 upstream: make CheckHostIP default to 'no'. It doesn't provide any
perceptible value and makes it much harder for hosts to change host keys,
particularly ones that use IP-based load-balancing.

ok dtucker@

OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0
2021-01-08 16:01:30 +11:00
jmc@openbsd.org
09d070ccc3 upstream: tweak the description of KnownHostsCommand in ssh_conf.5,
and add entries for it to the -O list in scp.1 and sftp.1;

ok djm

OpenBSD-Commit-ID: aba31ebea03f38f8d218857f7ce16a500c3e4aff
2020-12-29 12:02:51 +11:00
djm@openbsd.org
da4bf0db94 upstream: add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
2020-12-22 15:43:59 +11:00
jmc@openbsd.org
616029a85a upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: bb81e2ed5a77832fe62ab30a915ae67cda57633e
2020-10-17 22:45:37 +11:00
djm@openbsd.org
793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org
3205eaa3f8 upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
2020-10-08 12:28:06 +11:00
djm@openbsd.org
e79957e877 upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is
enabled; suggested by Mark D. Baushke

OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
2020-10-07 13:34:11 +11:00
djm@openbsd.org
1286981d08 upstream: enable UpdateHostkeys by default when the configuration
has not overridden UserKnownHostsFile; ok markus@ "The timing is perfect"
deraadt@

OpenBSD-Commit-ID: 62df71c9c5242da5763cb473c2a2deefbd0cef60
2020-10-03 18:31:49 +10:00
djm@openbsd.org
12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
djm@openbsd.org
d0a195c89e upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited keys
will automatically be removed from ssh-agent after their expiry time has
passed; ok markus@

OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
2020-08-27 11:27:01 +10:00
jmc@openbsd.org
69860769fa upstream: fix macro slip in previous;
OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a
2020-07-17 18:03:28 +10:00
dtucker@openbsd.org
8df5774a42 upstream: Add a '%k' TOKEN that expands to the effective HostKey of
the destination.  This allows, eg, keeping host keys in individual files
using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@
(man page bits)

OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc
2020-07-17 13:52:46 +10:00
dtucker@openbsd.org
c4f239944a upstream: Add %-TOKEN, environment variable and tilde expansion to
UserKnownHostsFile, allowing the file to be automagically split up in the
configuration (eg bz#1654).  ok djm@, man page parts jmc@

OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18
2020-07-17 13:52:46 +10:00
jmc@openbsd.org
ec1d50b01c upstream: remove a stray .El;
OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
2020-05-29 20:10:21 +10:00
djm@openbsd.org
188e332d1c upstream: mention that wildcards are processed in lexical order;
bz#3165

OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
2020-05-29 15:46:47 +10:00
dtucker@openbsd.org
4a1b46e6d0 upstream: Allow some keywords to expand shell-style ${ENV}
environment variables on the client side.  The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket paths.  This
would for example allow forwarding of Unix domain socket paths that change at
runtime.  bz#3140, ok djm@

OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
2020-05-29 15:46:47 +10:00
jmc@openbsd.org
ca5403b085 upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: e579e4d95eef13059c30931ea1f09ed8296b819c
2020-04-17 14:03:16 +10:00
dtucker@openbsd.org
990687a033 upstream: Add TOKEN percent expansion to LocalFoward and RemoteForward
when used for Unix domain socket forwarding.  Factor out the code for the
config keywords that use the most common subset of TOKENS into its own
function. bz#3014, ok jmc@ (man page bits) djm@

OpenBSD-Commit-ID: bffc9f7e7b5cf420309a057408bef55171fd0b97
2020-04-10 11:47:19 +10:00
dtucker@openbsd.org
ed833da176 upstream: Make with config keywords support which
percent_expansions more consistent.  - %C is moved into its own function and
added to Match Exec.  - move the common (global) options into a macro.  This
is ugly but it's    the least-ugly way I could come up with.  - move
IdentityAgent and ForwardAgent percent expansion to before the    config dump
to make it regression-testable.  - document all of the above

ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.

OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
2020-04-03 13:33:37 +11:00
dtucker@openbsd.org
d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
jmc@openbsd.org
ba261a1dd3 upstream: spelling fix;
OpenBSD-Commit-ID: 3c079523c4b161725a4b15dd06348186da912402
2020-02-01 10:15:27 +11:00
djm@openbsd.org
771891a044 upstream: document changed default for UpdateHostKeys
OpenBSD-Commit-ID: 25c390b21d142f78ac0106241d13441c4265fd2c
2020-01-31 09:27:10 +11:00
djm@openbsd.org
4594c76276 upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,
based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
2020-01-28 12:52:46 +11:00
djm@openbsd.org
469df611f7 upstream: clarify that BatchMode applies to all interactive prompts
(e.g. host key confirmation) and not just password prompts.

OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
2020-01-26 10:34:50 +11:00