Commit Graph

403 Commits

Author SHA1 Message Date
Damien Miller
9c38643c5c - djm@cvs.openbsd.org 2014/07/03 06:39:19
[ssh.c ssh_config.5]
     Add a %C escape sequence for LocalCommand and ControlPath that expands
     to a unique identifer based on a has of the tuple of (local host,
     remote user, hostname, port).

     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
     control paths.

     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-03 21:27:46 +10:00
Damien Miller
4b3ed647d5 - markus@cvs.openbsd.org 2014/06/27 16:41:56
[channels.c channels.h clientloop.c ssh.c]
     fix remote fwding with same listen port but different listen address
     with gerhard@, ok djm@
2014-07-02 15:29:40 +10:00
Damien Miller
19439e9a2a - djm@cvs.openbsd.org 2014/06/24 02:19:48
[ssh.c]
     don't fatal() when hostname canonicalisation fails with a
     ProxyCommand in use; continue and allow the ProxyCommand to
     connect anyway (e.g. to a host with a name outside the DNS
     behind a bastion)
2014-07-02 15:28:40 +10:00
Damien Miller
1f0311c7c7 - markus@cvs.openbsd.org 2014/04/29 18:01:49
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm
2014-05-15 14:24:09 +10:00
Damien Miller
c2e49062fa - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
version. From des@des.no
2014-04-01 14:42:46 +11:00
Damien Miller
08b57c67f3 - djm@cvs.openbsd.org 2014/02/26 20:18:37
[ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
2014-02-27 10:17:13 +11:00
Damien Miller
13f97b2286 - djm@cvs.openbsd.org 2014/02/23 20:11:36
[readconf.c readconf.h ssh.c ssh_config.5]
     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
     the hostname. This allows users to write configurations that always
     refer to canonical hostnames, e.g.

     CanonicalizeHostname yes
     CanonicalDomains int.example.org example.org
     CanonicalizeFallbackLocal no

     Host *.int.example.org
         Compression off
     Host *.example.org
         User djm

     ok markus@
2014-02-24 15:57:55 +11:00
Damien Miller
d56b44d2df - djm@cvs.openbsd.org 2014/02/04 00:24:29
[ssh.c]
     delay lowercasing of hostname until right before hostname
     canonicalisation to unbreak case-sensitive matching of ssh_config;
     reported by Ike Devolder; ok markus@
2014-02-04 11:26:04 +11:00
Damien Miller
1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller
0fa47cfb32 - djm@cvs.openbsd.org 2013/12/29 05:42:16
[ssh.c]
     don't forget to load Ed25519 certs too
2013-12-29 17:53:39 +11:00
Damien Miller
5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
bdb352a54f - jmc@cvs.openbsd.org 2013/11/26 12:14:54
[ssh.1 ssh.c]
     - put -Q in the right place
     - Ar was a poor choice for the arguments to -Q. i've chosen an
       admittedly equally poor Cm, at least consistent with the rest
       of the docs. also no need for multiple instances
     - zap a now redundant Nm
     - usage() sync
2013-12-05 10:20:52 +11:00
Damien Miller
d937dc084a - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
[ssh.1 ssh.c]
     improve -Q usage and such.  One usage change is that the option is now
     case-sensitive
     ok dtucker markus djm
2013-12-05 10:19:54 +11:00
Damien Miller
0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller
690d989008 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
     Output the effective values of Ciphers, MACs and KexAlgorithms when
     the default has not been overridden.  ok markus@
2013-11-08 12:16:49 +11:00
Damien Miller
28631ceaa7 - djm@cvs.openbsd.org 2013/10/25 23:04:51
[ssh.c]
     fix crash when using ProxyCommand caused by previous commit - was calling
     freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
2013-10-26 10:07:56 +11:00
Damien Miller
a90c033808 - djm@cvs.openbsd.org 2013/10/24 08:19:36
[ssh.c]
     fix bug introduced in hostname canonicalisation commit: don't try to
     resolve hostnames when a ProxyCommand is set unless the user has forced
     canonicalisation; spotted by Iain Morgan
2013-10-24 21:03:17 +11:00
Damien Miller
eff5cada58 - djm@cvs.openbsd.org 2013/10/23 03:05:19
[readconf.c ssh.c]
     comment
2013-10-23 16:31:10 +11:00
Damien Miller
e3ea09494d - djm@cvs.openbsd.org 2013/10/17 00:46:49
[ssh.c]
     rearrange check to reduce diff against -portable
     (Id sync only)
2013-10-17 11:57:23 +11:00
Damien Miller
51682faa59 - djm@cvs.openbsd.org 2013/10/16 22:58:01
[ssh.c ssh_config.5]
     one I missed in previous: s/isation/ization/
2013-10-17 11:48:31 +11:00
Damien Miller
3850559be9 - djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     s/canonicalise/canonicalize/ for consistency with existing spelling,
     e.g. authorized_keys; pointed out by naddy@
2013-10-17 11:48:13 +11:00
Damien Miller
0faf747e2f - djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
     [sshconnect.c sshconnect.h]
     Implement client-side hostname canonicalisation to allow an explicit
     search path of domain suffixes to use to convert unqualified host names
     to fully-qualified ones for host key matching.
     This is particularly useful for host certificates, which would otherwise
     need to list unqualified names alongside fully-qualified ones (and this
     causes a number of problems).
     "looks fine" markus@
2013-10-17 11:47:23 +11:00
Damien Miller
5359a628ce - [ssh.c] g/c unused variable. 2013-10-15 12:20:37 +11:00
Damien Miller
386feab0c4 - djm@cvs.openbsd.org 2013/10/14 23:31:01
[ssh.c]
     whitespace at EOL; pointed out by markus@
2013-10-15 12:14:49 +11:00
Damien Miller
e9fc72edd6 - djm@cvs.openbsd.org 2013/10/14 23:28:23
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
     refactor client config code a little:
     add multistate option partsing to readconf.c, similar to servconf.c's
     existing code.
     move checking of options that accept "none" as an argument to readconf.c
     add a lowercase() function and use it instead of explicit tolower() in
     loops
     part of a larger diff that was ok markus@
2013-10-15 12:14:12 +11:00
Damien Miller
194fd904d8 - djm@cvs.openbsd.org 2013/10/14 22:22:05
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
     add a "Match" keyword to ssh_config that allows matching on hostname,
     user and result of arbitrary commands. "nice work" markus@
2013-10-15 12:13:05 +11:00
Damien Miller
98e27dcf58 - djm@cvs.openbsd.org 2013/07/25 00:29:10
[ssh.c]
     daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
     it is fully detached from its controlling terminal. based on debugging
2013-07-25 11:55:52 +10:00
Damien Miller
3009d3cbb8 - djm@cvs.openbsd.org 2013/07/20 01:44:37
[ssh-keygen.c ssh.c]
     More useful error message on missing current user in /etc/passwd
2013-07-20 13:22:31 +10:00
Damien Miller
649fe025a4 - djm@cvs.openbsd.org 2013/07/12 05:48:55
[ssh.c]
     set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
2013-07-18 16:13:55 +10:00
Darren Tucker
a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Damien Miller
34bd20a1e5 - djm@cvs.openbsd.org 2013/04/19 11:10:18
[ssh.c]
     add -Q to usage; reminded by jmc@
2013-04-23 19:25:00 +10:00
Damien Miller
ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller
03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Damien Miller
508b6c3d3b - djm@cvs.openbsd.org 2013/03/08 06:32:58
[ssh.c]
     allow "ssh -f none ..." ok markus@
2013-04-23 15:18:28 +10:00
Darren Tucker
15fd19c4c9 - djm@cvs.openbsd.org 2013/02/22 22:09:01
[ssh.c]
     Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier
     version)
2013-04-05 11:22:26 +11:00
Darren Tucker
aefa368243 - dtucker@cvs.openbsd.org 2013/02/22 04:45:09
[ssh.c readconf.c readconf.h]
     Don't complain if IdentityFiles specified in system-wide configs are
     missing.  ok djm, deraadt
2013-04-05 11:18:35 +11:00
Darren Tucker
1910478c2d - dtucker@cvs.openbsd.org 2013/02/17 23:16:57
[readconf.c ssh.c readconf.h sshconnect2.c]
     Keep track of which IndentityFile options were manually supplied and which
     were default options, and don't warn if the latter are missing.
     ok markus@
2013-04-05 11:13:08 +11:00
Damien Miller
fff9f095e2 - djm@cvs.openbsd.org 2012/07/06 01:47:38
[ssh.c]
     move setting of tty_flag to after config parsing so RequestTTY options
     are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
     ok dtucker@
2012-07-06 13:45:01 +10:00
Darren Tucker
7b30501bf5 - dtucker@cvs.openbsd.org 2012/07/02 08:50:03
[ssh.c]
     set interactive ToS for forwarded X11 sessions.  ok djm@
2012-07-02 18:55:09 +10:00
Darren Tucker
2d6665d944 - djm@cvs.openbsd.org 2011/10/24 02:10:46
[ssh.c]
     bz#1943: unbreak stdio forwarding when ControlPersist is in user - ssh
     was incorrectly requesting the forward in both the control master and
     slave. skip requesting it in the master to fix. ok markus@
2011-11-04 10:54:22 +11:00
Darren Tucker
45c66d7ad4 - djm@cvs.openbsd.org 2011/10/18 05:15:28
[ssh.c]
     ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
2011-11-04 10:50:40 +11:00
Darren Tucker
68afb8c5f2 - markus@cvs.openbsd.org 2011/09/23 07:45:05
[mux.c readconf.h channels.h compat.h compat.c ssh.c readconf.c channels.c     version.h]
     unbreak remote portforwarding with dynamic allocated listen ports:
     1) send the actual listen port in the open message (instead of 0).
        this allows multiple forwardings with a dynamic listen port
     2) update the matching permit-open entry, so we can identify where
        to connect to
     report: den at skbkontur.ru and P. Szczygielski
     feedback and ok djm@
2011-10-02 18:59:03 +11:00
Damien Miller
f6dff7cd2f - djm@cvs.openbsd.org 2011/09/09 22:46:44
[channels.c channels.h clientloop.h mux.c ssh.c]
     support for cancelling local and remote port forwards via the multiplex
     socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request
     the cancellation of the specified forwardings; ok markus@
2011-09-22 21:38:52 +10:00
Damien Miller
765f8c4eff - djm@cvs.openbsd.org 2011/08/02 23:15:03
[ssh.c]
     typo in comment
2011-08-06 06:18:16 +10:00
Damien Miller
6d7b4377dd - djm@cvs.openbsd.org 2011/06/22 22:08:42
[channels.c channels.h clientloop.c clientloop.h mux.c ssh.c]
     hook up a channel confirm callback to warn the user then requested X11
     forwarding was refused by the server; ok markus@
2011-06-23 08:31:57 +10:00
Damien Miller
ea2c1a4dc6 - djm@cvs.openbsd.org 2011/06/03 00:54:38
[ssh.c]
    bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg
    AT googlemail.com; ok dtucker@
    NB. includes additional portability code to enable setproctitle emulation
    on platforms that don't support it.
2011-06-03 12:10:22 +10:00
Damien Miller
295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
a6bbbe4658 - djm@cvs.openbsd.org 2011/05/06 21:38:58
[ssh.c]
     fix dropping from previous diff
2011-05-15 08:46:29 +10:00
Damien Miller
21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00
Damien Miller
dfc85fa181 - djm@cvs.openbsd.org 2011/05/06 21:18:02
[ssh.c ssh_config.5]
     add a %L expansion (short-form of the local host name) for ControlPath;
     sync some more expansions with LocalCommand; ok markus@
2011-05-15 08:44:02 +10:00