Commit Graph

388 Commits

Author SHA1 Message Date
jsg@openbsd.org
86cc93fd3c upstream: remove please from manual pages ok jmc@ sthen@ millert@
OpenBSD-Commit-ID: 6543acb00f4f38a23472538e1685c013ca1a99aa
2022-02-07 12:27:48 +11:00
dtucker@openbsd.org
ad16a84e64 upstream: Since they are deprecated, move DSA to the end of the
default list of public keys so that they will be tried last.  From github
PR#295 from "ProBackup-nl", ok djm@

OpenBSD-Commit-ID: 7e5d575cf4971d4e2de92e0b6d6efaba53598bf0
2022-02-07 12:27:48 +11:00
dtucker@openbsd.org
66a658b5d9 upstream: Document behaviour of arguments following non-interactive
commands. Prompted by github PR#139 from EvanTheB, feedback & ok djm@ jmc@

OpenBSD-Commit-ID: fc758d1fe0471dfab4304fcad6cd4ecc3d79162a
2021-09-10 20:34:09 +10:00
dtucker@openbsd.org
8d1d9eb6de upstream: Mention using ssh -i for specifying the public key file
in the case where the private key is loaded into ssh-agent but is not present
locally.  Based on patch from rafork via github PR#215, ok jmc@

OpenBSD-Commit-ID: 2282e83b0ff78d2efbe705883b67240745fa5bb2
2021-09-03 17:33:08 +10:00
jmc@openbsd.org
4455aec2e4 upstream: no need to talk about version 2 with the -Q option, so
rewrite the text to read better;

issue reported by debian at helgefjell de
ok djm dtucker

OpenBSD-Commit-ID: 59fe2e8219c37906740ad062e0fdaea487dbe9cf
2021-08-03 09:39:57 +10:00
djm@openbsd.org
a917e973a1 upstream: Add a ForkAfterAuthentication ssh_config(5) counterpart
to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok
dtucker

OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3
2021-07-23 14:07:19 +10:00
djm@openbsd.org
e0c5088f1c upstream: Add a StdinNull directive to ssh_config(5) that allows
the config file to do the same thing as -n does on the ssh(1) commandline.
Patch from Volker Diels-Grabsch via GHPR231; ok dtucker

OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e
2021-07-23 14:07:19 +10:00
djm@openbsd.org
eda8909d1b upstream: add a SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no session) and -s
(subsystem) command-line flags.

Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
feedback and ok dtucker@

OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
2021-07-14 09:49:47 +10:00
Darren Tucker
53237ac789 Sync remaining ChallengeResponse removal.
These were omitted from commit 88868fd131.
2021-07-03 19:23:28 +10:00
dtucker@openbsd.org
2a5704ec14 upstream: Use better language to refer to the user. From l1ving
via github PR#250, ok jmc@

OpenBSD-Commit-ID: 07ca3526626996613e128aeddf7748c93c4d6bbf
2021-06-25 16:32:34 +10:00
markus@openbsd.org
da0a9afcc4 upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
with SOCKS ok djm@, dtucker@

OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
2021-02-17 15:03:41 +11:00
naddy@openbsd.org
507b448a24 upstream: move HostbasedAcceptedAlgorithms to the right place in
alphabetical order

OpenBSD-Commit-ID: d766820d33dd874d944c14b0638239adb522c7ec
2021-01-27 11:45:50 +11:00
dtucker@openbsd.org
e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org
b55b7565f1 upstream: PubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms
here too.

OpenBSD-Commit-ID: 3b64a640f8ce8c21d9314da9df7ce2420eefde3a
2021-01-22 15:05:00 +11:00
djm@openbsd.org
da4bf0db94 upstream: add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
2020-12-22 15:43:59 +11:00
jmc@openbsd.org
69924a92c3 upstream: start sentence with capital letter;
OpenBSD-Commit-ID: ab06581d51b2b4cc1b4aab781f7f3cfa56cad973
2020-07-17 13:23:34 +10:00
djm@openbsd.org
aaa8b609a7 upstream: allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable. bz#69 ok markus@

OpenBSD-Commit-ID: 3a1e6cbbf6241ddc4405c4246caa2c249f149eb2
2020-07-15 15:08:10 +10:00
djm@openbsd.org
267cbc87b5 upstream: mention that /etc/hosts.equiv and /etc/shosts.equiv are
not considered for HostbasedAuthentication when the target user is root;
bz3148

OpenBSD-Commit-ID: fe4c1256929e53f23af17068fbef47852f4bd752
2020-04-17 14:03:36 +10:00
naddy@openbsd.org
30144865bf upstream: document -F none; with jmc@
OpenBSD-Commit-ID: 0eb93b75473d2267aae9200e02588e57778c84f2
2020-02-18 20:23:25 +11:00
dtucker@openbsd.org
d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
naddy@openbsd.org
141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
jmc@openbsd.org
483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
jmc@openbsd.org
d39a865b7a upstream: improve the text for -A a little; input from naddy and
djm

OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-29 11:17:39 +11:00
naddy@openbsd.org
f0edda81c5 upstream: more missing mentions of ed25519-sk; ok djm@
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20 09:27:29 +11:00
djm@openbsd.org
6bff9521ab upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
naddy@openbsd.org
aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
jmc@openbsd.org
7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
1b1332b5bb upstream: benno helped me clean up the tcp forwarding section;
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
2019-03-26 10:20:22 +11:00
naddy@openbsd.org
c13b74530f upstream: PKCS#11 support is no longer limited to RSA; ok benno@
kn@

OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-03-08 14:58:30 +11:00
djm@openbsd.org
7a2cb18a21 upstream: Mention that configuration for the destination host is
not applied to any ProxyJump/-J hosts. This has confused a few people...

OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
2019-01-22 23:04:54 +11:00
jmc@openbsd.org
e6933a2ffa upstream: reorder CASignatureAlgorithms, and add them to the
various -o lists; ok djm

OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-21 09:41:10 +10:00
djm@openbsd.org
357128ac48 upstream: Add "ssh -Q sig" to allow listing supported signature
algorithms ok markus@

OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
2018-09-12 16:49:21 +10:00
djm@openbsd.org
247766cd31 upstream: ssh -MM requires confirmation for all operations that
change the multiplexing state, not just new sessions.

mention that confirmation is checked via ssh-askpass

OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
2018-09-09 14:50:32 +10:00
dtucker@openbsd.org
95d41e90ea upstream: Deprecate UsePrivilegedPort now that support for running
ssh(1) setuid has been removed, remove supporting code and clean up
references to it in the man pages

We have not shipped ssh(1) the setuid bit since 2002.  If ayone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.

ok markus@ jmc@ djm@

OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-19 21:44:21 +10:00
jmc@openbsd.org
acf4260f09 upstream: sort previous;
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-11 09:50:06 +10:00
djm@openbsd.org
7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00
djm@openbsd.org
f18bc97151 upstream: Emphasise that -w implicitly sets Tunnel=point-to-point
and that users should specify an explicit Tunnel directive if they don't want
this. bz#2365.

OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d
2018-05-22 10:15:18 +10:00
djm@openbsd.org
8d6829be32 upstream: ssh does not accept -oInclude=... on the commandline, the
Include keyword is for configuration files only. bz#2840, patch from Jakub
Jelen

OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
2018-04-06 14:20:33 +10:00
jmc@openbsd.org
7d330a1ac0 upstream: some cleanup for BindInterface and ssh-keyscan;
OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
2018-02-26 11:32:29 +11:00
djm@openbsd.org
ac2e3026bb upstream: Add BindInterface ssh_config directive and -B
command-line argument to ssh(1) that directs it to bind its outgoing
connection to the address of the specified network interface.

BindInterface prefers to use addresses that aren't loopback or link-
local, but will fall back to those if no other addresses of the
required family are available on that interface.

Based on patch by Mike Manning in bz#2820, ok dtucker@

OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
2018-02-23 13:37:49 +11:00
djm@openbsd.org@openbsd.org
ecbf005b8f upstream commit
Private keys in PEM format have been encrypted by AES-128 for
a while (not 3DES). bz#2788 reported by Calum Mackay

OpenBSD-Commit-ID: bd33da7acbbb3c882f0a0ee56007a35ce0d8a11a
2017-11-03 16:20:41 +11:00
jmc@openbsd.org@openbsd.org
0b2e2896b9 upstream commit
tweak the uri text, specifically removing some markup to
make it a bit more readable;

issue reported by - and diff ok - millert

OpenBSD-Commit-ID: 8b56a20208040b2d0633536fd926e992de37ef3f
2017-10-31 09:08:50 +11:00
djm@openbsd.org
b7548b12a6 upstream commit
Expose devices allocated for tun/tap forwarding.

At the client, the device may be obtained from a new %T expansion
for LocalCommand.

At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.

ok markus

Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 16:14:30 +11:00
millert@openbsd.org
887669ef03 upstream commit
Add URI support to ssh, sftp and scp.  For example
ssh://user@host or sftp://user@host/path.  The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type.  OK djm@

Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
2017-10-23 16:10:08 +11:00
djm@openbsd.org
10727487be upstream commit
mention SSH_USER_AUTH in the list of environment
variables

Upstream-ID: 1083397c3ee54b4933121ab058c70a0fc6383691
2017-10-20 12:01:03 +11:00
markus@openbsd.org
609d7a66ce upstream commit
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@

Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-22 09:14:53 +10:00
djm@openbsd.org
7f5637c4a6 upstream commit
in description of public key authentication, mention that
the server will send debug messages to the client for some error conditions
after authentication has completed. bz#2709 ok dtucker

Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
2017-06-10 16:40:10 +10:00
bluhm@openbsd.org
1112b534a6 upstream commit
Add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command line.  This
command will be executed on the remote host.  The feature allows to automate
tasks using ssh config. OK markus@

Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-31 10:51:09 +10:00
naddy@openbsd.org
2e9c324b3a upstream commit
remove superfluous protocol 2 mentions; ok jmc@

Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08 09:18:27 +10:00
naddy@openbsd.org
9a82e24b98 upstream commit
restore mistakenly deleted description of the
ConnectionAttempts option ok markus@

Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
2017-05-08 09:18:27 +10:00