Commit Graph

402 Commits

Author SHA1 Message Date
djm@openbsd.org
53d1d30743
upstream: mention mux proxy mode
OpenBSD-Commit-ID: fd77a77779f06d316a314e4540dc57c93fc3369a
2024-07-26 08:51:19 +10:00
jmc@openbsd.org
268c3a7f57
upstream: ssl(8) no longer contains a HISTORY section;
OpenBSD-Commit-ID: 83b7ff34433d79595e9c2a5d2a561a6660251245
2024-06-28 08:36:16 +10:00
djm@openbsd.org
00eb95957d
upstream: disable the DSA signature algorithm by default; ok
markus@

(yes, I know this expands to "the Digitial Signature Algorithm
signature algorithm)

OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
2024-06-17 18:48:29 +10:00
naddy@openbsd.org
210d423973
upstream: remove references to SSH1 and DSA server keys
OpenBSD-Commit-ID: 57cc1c98d4f998981473734f144b904af7d178a2
2024-05-27 11:55:03 +10:00
job@openbsd.org
151146f03b
upstream: Clarify how literal IPv6 addresses can be used in -J mode
OK djm@

OpenBSD-Commit-ID: 524ddae97746b3563ad4a887dfd0a6e6ba114c50
2024-03-26 13:02:27 +11:00
djm@openbsd.org
64f7ca881b
upstream: ssh -Q does not make sense with other command-line options,
so give it its own line in the manpage

OpenBSD-Commit-ID: 00a747f0655c12122bbb77c2796be0013c105361
2023-10-12 10:15:47 +11:00
naddy@openbsd.org
076aeda86a
upstream: man page typos; ok jmc@
OpenBSD-Commit-ID: e6ddfef94b0eb867ad88abe07cedc8ed581c07f0
2023-07-27 09:11:21 +10:00
jmc@openbsd.org
f1a9898283
upstream: -P before -p in SYNOPSIS;
OpenBSD-Commit-ID: 535f5257c779e26c6a662a038d241b017f8cab7c
2023-07-17 16:23:02 +10:00
djm@openbsd.org
919bc3d3b7
upstream: Add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.

ok markus

OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3
2023-07-17 14:53:53 +10:00
djm@openbsd.org
4e73cd0f4a
upstream: make ssh -Q CASignatureAlgorithms only list signature
algorithms that are valid for CA signing. Previous behaviour was to list all
signing algorithms, including certificate algorithms (OpenSSH certificates do
not support CA chains). part of bz3577; ok dtucker@

OpenBSD-Commit-ID: 99c2b072dbac0f44fd1f2269e3ff6c1b5d7d3e59
2023-06-21 15:13:55 +10:00
djm@openbsd.org
f7cebbbf40
upstream: New EnableEscapeCommandline ssh_config(5) option
This option (default "no") controls whether the ~C escape is available.
Turning it off by default means we will soon be able to use a stricter
default pledge(2) in the client.

feedback deraadt@ dtucker@; tested in snaps for a while

OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a
2022-11-30 12:16:08 +11:00
djm@openbsd.org
54b333d12e
upstream: add a RequiredRSASize for checking RSA key length in
ssh(1). User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then the connection
will be terminated (unfortunately there are no fallbacks in the protocol for
host authentication).

feedback deraadt, Dmitry Belyavskiy; ok markus@

OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
2022-09-17 20:39:02 +10:00
jmc@openbsd.org
b7f86ffc30 upstream: keywords ref ssh_config.5;
from caspar schutijser

OpenBSD-Commit-ID: f146a19d7d5c9374c3b9c520da43b2732d7d1a4e
2022-06-03 13:38:12 +10:00
naddy@openbsd.org
9ec2713d12 upstream: man pages: add missing commas between subordinate and
main clauses

jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.

ok jmc@

OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3
2022-04-06 09:16:05 +10:00
jsg@openbsd.org
86cc93fd3c upstream: remove please from manual pages ok jmc@ sthen@ millert@
OpenBSD-Commit-ID: 6543acb00f4f38a23472538e1685c013ca1a99aa
2022-02-07 12:27:48 +11:00
dtucker@openbsd.org
ad16a84e64 upstream: Since they are deprecated, move DSA to the end of the
default list of public keys so that they will be tried last.  From github
PR#295 from "ProBackup-nl", ok djm@

OpenBSD-Commit-ID: 7e5d575cf4971d4e2de92e0b6d6efaba53598bf0
2022-02-07 12:27:48 +11:00
dtucker@openbsd.org
66a658b5d9 upstream: Document behaviour of arguments following non-interactive
commands. Prompted by github PR#139 from EvanTheB, feedback & ok djm@ jmc@

OpenBSD-Commit-ID: fc758d1fe0471dfab4304fcad6cd4ecc3d79162a
2021-09-10 20:34:09 +10:00
dtucker@openbsd.org
8d1d9eb6de upstream: Mention using ssh -i for specifying the public key file
in the case where the private key is loaded into ssh-agent but is not present
locally.  Based on patch from rafork via github PR#215, ok jmc@

OpenBSD-Commit-ID: 2282e83b0ff78d2efbe705883b67240745fa5bb2
2021-09-03 17:33:08 +10:00
jmc@openbsd.org
4455aec2e4 upstream: no need to talk about version 2 with the -Q option, so
rewrite the text to read better;

issue reported by debian at helgefjell de
ok djm dtucker

OpenBSD-Commit-ID: 59fe2e8219c37906740ad062e0fdaea487dbe9cf
2021-08-03 09:39:57 +10:00
djm@openbsd.org
a917e973a1 upstream: Add a ForkAfterAuthentication ssh_config(5) counterpart
to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok
dtucker

OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3
2021-07-23 14:07:19 +10:00
djm@openbsd.org
e0c5088f1c upstream: Add a StdinNull directive to ssh_config(5) that allows
the config file to do the same thing as -n does on the ssh(1) commandline.
Patch from Volker Diels-Grabsch via GHPR231; ok dtucker

OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e
2021-07-23 14:07:19 +10:00
djm@openbsd.org
eda8909d1b upstream: add a SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no session) and -s
(subsystem) command-line flags.

Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
feedback and ok dtucker@

OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
2021-07-14 09:49:47 +10:00
Darren Tucker
53237ac789 Sync remaining ChallengeResponse removal.
These were omitted from commit 88868fd131.
2021-07-03 19:23:28 +10:00
dtucker@openbsd.org
2a5704ec14 upstream: Use better language to refer to the user. From l1ving
via github PR#250, ok jmc@

OpenBSD-Commit-ID: 07ca3526626996613e128aeddf7748c93c4d6bbf
2021-06-25 16:32:34 +10:00
markus@openbsd.org
da0a9afcc4 upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
with SOCKS ok djm@, dtucker@

OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
2021-02-17 15:03:41 +11:00
naddy@openbsd.org
507b448a24 upstream: move HostbasedAcceptedAlgorithms to the right place in
alphabetical order

OpenBSD-Commit-ID: d766820d33dd874d944c14b0638239adb522c7ec
2021-01-27 11:45:50 +11:00
dtucker@openbsd.org
e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org
b55b7565f1 upstream: PubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms
here too.

OpenBSD-Commit-ID: 3b64a640f8ce8c21d9314da9df7ce2420eefde3a
2021-01-22 15:05:00 +11:00
djm@openbsd.org
da4bf0db94 upstream: add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
2020-12-22 15:43:59 +11:00
jmc@openbsd.org
69924a92c3 upstream: start sentence with capital letter;
OpenBSD-Commit-ID: ab06581d51b2b4cc1b4aab781f7f3cfa56cad973
2020-07-17 13:23:34 +10:00
djm@openbsd.org
aaa8b609a7 upstream: allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable. bz#69 ok markus@

OpenBSD-Commit-ID: 3a1e6cbbf6241ddc4405c4246caa2c249f149eb2
2020-07-15 15:08:10 +10:00
djm@openbsd.org
267cbc87b5 upstream: mention that /etc/hosts.equiv and /etc/shosts.equiv are
not considered for HostbasedAuthentication when the target user is root;
bz3148

OpenBSD-Commit-ID: fe4c1256929e53f23af17068fbef47852f4bd752
2020-04-17 14:03:36 +10:00
naddy@openbsd.org
30144865bf upstream: document -F none; with jmc@
OpenBSD-Commit-ID: 0eb93b75473d2267aae9200e02588e57778c84f2
2020-02-18 20:23:25 +11:00
dtucker@openbsd.org
d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
naddy@openbsd.org
141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
jmc@openbsd.org
483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
jmc@openbsd.org
d39a865b7a upstream: improve the text for -A a little; input from naddy and
djm

OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-29 11:17:39 +11:00
naddy@openbsd.org
f0edda81c5 upstream: more missing mentions of ed25519-sk; ok djm@
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20 09:27:29 +11:00
djm@openbsd.org
6bff9521ab upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
naddy@openbsd.org
aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
jmc@openbsd.org
7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
1b1332b5bb upstream: benno helped me clean up the tcp forwarding section;
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
2019-03-26 10:20:22 +11:00
naddy@openbsd.org
c13b74530f upstream: PKCS#11 support is no longer limited to RSA; ok benno@
kn@

OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-03-08 14:58:30 +11:00
djm@openbsd.org
7a2cb18a21 upstream: Mention that configuration for the destination host is
not applied to any ProxyJump/-J hosts. This has confused a few people...

OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
2019-01-22 23:04:54 +11:00
jmc@openbsd.org
e6933a2ffa upstream: reorder CASignatureAlgorithms, and add them to the
various -o lists; ok djm

OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-21 09:41:10 +10:00
djm@openbsd.org
357128ac48 upstream: Add "ssh -Q sig" to allow listing supported signature
algorithms ok markus@

OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
2018-09-12 16:49:21 +10:00
djm@openbsd.org
247766cd31 upstream: ssh -MM requires confirmation for all operations that
change the multiplexing state, not just new sessions.

mention that confirmation is checked via ssh-askpass

OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
2018-09-09 14:50:32 +10:00
dtucker@openbsd.org
95d41e90ea upstream: Deprecate UsePrivilegedPort now that support for running
ssh(1) setuid has been removed, remove supporting code and clean up
references to it in the man pages

We have not shipped ssh(1) the setuid bit since 2002.  If ayone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.

ok markus@ jmc@ djm@

OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-19 21:44:21 +10:00
jmc@openbsd.org
acf4260f09 upstream: sort previous;
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-11 09:50:06 +10:00
djm@openbsd.org
7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00