Commit Graph

245 Commits

Author SHA1 Message Date
djm@openbsd.org
788ac799a6 upstream commit
remove SSHv1 configuration options and man pages bits

ok markus@

Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2017-05-01 10:05:00 +10:00
jmc@openbsd.org
47a287bb6a upstream commit
sort;

Upstream-ID: 7e6b56e52b039cf44d0418e9de9aca20a2d2d15a
2017-05-01 09:35:38 +10:00
dtucker@openbsd.org
68d3a2a059 upstream commit
Add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8).  bz#2705, patch from erahn at arista.com, ok
djm@

Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
2017-04-28 13:26:36 +10:00
jmc@openbsd.org
78142e3ab3 upstream commit
errant dot; from klemens nanni

Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
2017-02-28 17:10:41 +11:00
djm@openbsd.org
68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
jmc@openbsd.org
fd2a8f1033 upstream commit
various formatting fixes, specifically removing Dq;

Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c
2016-10-19 03:30:04 +11:00
jmc@openbsd.org
80d1c963b4 upstream commit
use a separate TOKENS section, as we've done for
sshd_config(5); help/ok djm

Upstream-ID: 640e32b5e4838e4363738cdec955084b3579481d
2016-09-29 06:54:50 +10:00
djm@openbsd.org
16277fc45f upstream commit
mention curve25519-sha256 KEX

Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
2016-09-24 05:39:37 +10:00
djm@openbsd.org
da95318dbe upstream commit
remove 3des-cbc from the client's default proposal;
64-bit block ciphers are not safe in 2016 and we don't want to wait until
attacks like sweet32 are extended to SSH.

As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may
cause problems connecting to older devices using the defaults, but
it's highly likely that such devices already need explicit
configuration for KEX and hostkeys anyway.

ok deraadt, markus, dtucker

Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
2016-09-12 13:39:30 +10:00
djm@openbsd.org
f00211e3c6 upstream commit
improve wording; suggested by jmc@

Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
2016-07-23 13:24:20 +10:00
djm@openbsd.org
286f5a77c3 upstream commit
reverse the order in which -J/JumpHost proxies are visited to
be more intuitive and document

reported by and manpage bits naddy@

Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
2016-07-22 13:36:40 +10:00
jmc@openbsd.org
e4eb7d9109 upstream commit
- add proxyjump to the options list - formatting fixes -
update usage()

ok djm

Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-17 14:21:09 +10:00
djm@openbsd.org
ed877ef653 upstream commit
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".

These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.

This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.

ok markus@

Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-07-15 14:20:10 +10:00
markus@openbsd.org
1a75d14daf upstream commit
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@

Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-05-19 17:48:35 +10:00
markus@openbsd.org
b02ad1ce91 upstream commit
IdentityAgent for specifying specific agent sockets; ok
 djm@

Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-05-05 00:01:49 +10:00
jmc@openbsd.org
6aaabc2b61 upstream commit
tweak previous;

Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
2016-04-21 16:30:11 +10:00
djm@openbsd.org
dc7990be86 upstream commit
Include directive for ssh_config(5); feedback & ok markus@

Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-15 11:16:11 +10:00
sobrado@openbsd.org
c12f0fdce8 upstream commit
AddressFamily defaults to any.

ok djm@

Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
2016-02-23 12:44:19 +11:00
djm@openbsd.org
3a13cb543d upstream commit
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
 in *KeyTypes options yet. Remove them from the lists of algorithms for now.
 committing on behalf of markus@ ok djm@

Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
2016-02-18 09:24:41 +11:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org
e7901efa9b upstream commit
Replace list of ciphers and MACs adjacent to -1/-2 flag
 descriptions in ssh(1) with a strong recommendation not to use protocol 1.
 Add a similar warning to the Protocol option descriptions in ssh_config(5)
 and sshd_config(5);

prompted by and ok mmcc@

Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-17 16:37:55 +11:00
djm@openbsd.org
e4c918a6c7 upstream commit
sync crypto algorithm lists in ssh_config(5) and
 sshd_config(5) with current reality. bz#2527

Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
2016-02-11 13:58:57 +11:00
jmc@openbsd.org
e41a071f7b upstream commit
correct section number for ssh-agent;

Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
2015-11-16 11:31:40 +11:00
jcs@openbsd.org
f361df474c upstream commit
Add an AddKeysToAgent client option which can be set to
 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a
 private key that is used during authentication will be added to ssh-agent if
 it is running (with confirmation enabled if set to 'confirm').

Initial version from Joachim Schipper many years ago.

ok markus@

Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-11-16 11:31:39 +11:00
djm@openbsd.org
4e44a79a07 upstream commit
add ssh_config CertificateFile option to explicitly list
 a certificate; patch from Meghana Bhat on bz#2436; ok markus@

Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-10-06 12:21:54 +11:00
sobrado@openbsd.org
e3cbb06ade upstream commit
fix two typos.

Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
2015-10-06 12:21:54 +11:00
jmc@openbsd.org
95923e0520 upstream commit
tweak previous;

Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
2015-09-16 17:52:05 +10:00
djm@openbsd.org
674b3b68c1 upstream commit
expand %i in ControlPath to UID; bz#2449

patch from Christian Hesse w/ feedback from dtucker@

Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
2015-09-16 17:52:04 +10:00
jmc@openbsd.org
5245bc1e6b upstream commit
full stop belongs outside the brackets, not inside;

Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
2015-09-04 16:57:03 +10:00
djm@openbsd.org
a954cdb799 upstream commit
better document ExitOnForwardFailure; bz#2444, ok
 dtucker@

Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
2015-09-04 16:57:02 +10:00
jmc@openbsd.org
1f8d3d629c upstream commit
match myproposal.h order; from brian conway (i snuck in a
 tweak while here)

ok dtucker

Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
2015-08-19 10:47:16 +10:00
djm@openbsd.org
f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
bdfd29f60b upstream commit
turn off 1024 bit diffie-hellman-group1-sha1 key
 exchange method (already off in server, this turns it off in the client by
 default too) ok dtucker@

Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
2015-07-15 15:35:31 +10:00
djm@openbsd.org
5e67859a62 upstream commit
mention CheckHostIP adding addresses to known_hosts;
 bz#1993; ok dtucker@

Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
2015-06-04 08:53:54 +10:00
dtucker@openbsd.org
dd2cfeb586 upstream commit
Fix typo (keywork->keyword)

Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
2015-05-28 18:54:56 +10:00
dtucker@openbsd.org
3ecde664c9 upstream commit
Reorder client proposal to prefer
 diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1.  ok djm@

Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
2015-05-28 13:53:14 +10:00
jmc@openbsd.org
c1d5bcf1aa upstream commit
enviroment -> environment: apologies to darren for not
 spotting that first time round...
2015-04-29 18:20:14 +10:00
dtucker@openbsd.org
85b96ef413 upstream commit
Document that the TERM environment variable is not
 subject to SendEnv and AcceptEnv.  bz#2386, based loosely on a patch from
 jjelen at redhat, help and ok jmc@
2015-04-29 18:20:13 +10:00
jmc@openbsd.org
78de1673c0 upstream commit
ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
 diff originally from jiri b;
2015-04-01 10:00:27 +11:00
djm@openbsd.org
44732de068 upstream commit
UpdateHostKeys fixes:

I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@

s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.

Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
2015-02-21 09:20:28 +11:00
djm@openbsd.org
523463a3a2 upstream commit
Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@
2015-02-17 09:32:32 +11:00
djm@openbsd.org
15ad750e5e upstream commit
turn UpdateHostkeys off by default until I figure out
 mlarkin@'s warning message; requested by deraadt@
2015-02-03 11:06:16 +11:00
djm@openbsd.org
46347ed596 upstream commit
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-30 22:47:01 +11:00
djm@openbsd.org
1d1092bff8 upstream commit
correct description of UpdateHostKeys in ssh_config.5 and
 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-27 00:00:58 +11:00
djm@openbsd.org
8d4f87258f upstream commit
Host key rotation support.

Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.

The client side of this is controlled by a UpdateHostkeys config
option (default on).

ok markus@
2015-01-27 00:00:57 +11:00
jmc@openbsd.org
296ef0560f upstream commit
tweak previous;
2015-01-09 00:13:34 +11:00
djm@openbsd.org
8f6784f0cb upstream commit
mention ssh -Q feature to list supported { MAC, cipher,
 KEX, key } algorithms in more places and include the query string used to
 list the relevant information; bz#2288
2014-12-22 20:05:41 +11:00
djm@openbsd.org
b79efde5c3 upstream commit
document FingerprintHash here too
2014-12-22 13:16:57 +11:00
djm@openbsd.org
5e39a49930 upstream commit
add RevokedHostKeys option for the client

Allow textfile or KRL-based revocation of hostkeys.
2014-12-05 09:29:47 +11:00