Commit Graph

291 Commits

Author SHA1 Message Date
Damien Miller
ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller
03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Darren Tucker
427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker
628a3fdce2 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
Darren Tucker
83d0af6907 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
[ssh.1]
     missing letter in previous;
2012-09-07 11:21:03 +10:00
Darren Tucker
50a48d025f - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
[clientloop.c log.c ssh.1 log.h]
     Add ~v and ~V escape sequences to raise and lower the logging level
     respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
Damien Miller
36378c6413 - dtucker@cvs.openbsd.org 2012/06/18 12:17:18
[ssh.1]
     Clarify description of -W.  Noted by Steve.McClellan at radisys com, ok jmc
2012-06-20 21:53:25 +10:00
Damien Miller
b9902cf6f6 - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
     Remove mention of 'three' key files since there are now four.  From
     Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Damien Miller
70b2d5550b - jmc@cvs.openbsd.org 2012/04/20 16:26:22
[ssh.1]
     use "brackets" instead of "braces", for consistency;
2012-04-22 11:26:10 +10:00
Damien Miller
1bcbd0a9de - okan@cvs.openbsd.org 2011/09/11 06:59:05
[ssh.1]
     document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
Damien Miller
ff773644e6 - markus@cvs.openbsd.org 2011/09/10 22:26:34
[channels.c channels.h clientloop.c ssh.1]
     support cancellation of local/dynamic forwardings from ~C commandline;
     ok & feedback djm@
2011-09-22 21:39:48 +10:00
Damien Miller
efad727517 - djm@cvs.openbsd.org 2011/08/26 01:45:15
[ssh.1]
     Add some missing ssh_config(5) options that can be used in ssh(1)'s
     -o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
Damien Miller
20bd4535c0 - djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     Add new SHA256 and SHA512 based HMAC modes from
     http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
     Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
Damien Miller
f4b32aad05 - jmc@cvs.openbsd.org 2011/05/07 23:20:25
[ssh.1]
     +.It RequestTTY
2011-05-15 08:47:43 +10:00
Damien Miller
8cb1cda1e3 - djm@cvs.openbsd.org 2011/04/18 00:46:05
[ssh-keygen.c]
     certificate options are supposed to be packed in lexical order of
     option name (though we don't actually enforce this at present).
     Move one up that was out of sequence
2011-05-05 14:16:56 +10:00
Damien Miller
6c3eec7ab2 - djm@cvs.openbsd.org 2011/04/17 22:42:42
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
     allow graceful shutdown of multiplexing: request that a mux server
     removes its listener socket and refuse future multiplexing requests;
     ok markus@
2011-05-05 14:16:22 +10:00
Damien Miller
0a1847347d - jmc@cvs.openbsd.org 2010/11/18 15:01:00
[scp.1 sftp.1 ssh.1 sshd_config.5]
     add IPQoS to the various -o lists, and zap some trailing whitespace;
2010-11-20 15:21:03 +11:00
Damien Miller
55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller
7fe2b1fec3 - jmc@cvs.openbsd.org 2010/09/22 08:30:08
[ssh.1 ssh_config.5]
     ssh.1: add kexalgorithms to the -o list
     ssh_config.5: format the kexalgorithms in a more consistent
     (prettier!) way
     ok djm
2010-09-24 22:11:53 +10:00
Damien Miller
1ca9469318 - djm@cvs.openbsd.org 2010/09/11 21:44:20
[ssh.1]
     mention RFC 5656 for ECC stuff
2010-09-24 22:01:22 +10:00
Damien Miller
daa7b2254f - jmc@cvs.openbsd.org 2010/09/04 09:38:34
[ssh-add.1 ssh.1]
     two more EXIT STATUS sections;
2010-09-10 11:19:33 +10:00
Damien Miller
d442790292 - jmc@cvs.openbsd.org 2010/08/31 21:14:58
[ssh.1]
     small text tweak to accommodate previous;
2010-09-10 11:15:10 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
afdae61635 - jmc@cvs.openbsd.org 2010/08/08 19:36:30
[ssh-keysign.8 ssh.1 sshd.8]
     use the same template for all FILES sections; i.e. -compact/.Pp where we
     have multiple items, and .Pa for path names;
2010-08-31 22:31:14 +10:00
Damien Miller
7fa96602e5 - djm@cvs.openbsd.org 2010/08/04 05:37:01
[ssh.1 ssh_config.5 sshd.8]
     Remove mentions of weird "addr/port" alternate address format for IPv6
     addresses combinations. It hasn't worked for ages and we have supported
     the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-05 13:03:13 +10:00
Damien Miller
081f3c73d8 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25
[ssh.1]
     Ciphers is documented in ssh_config(5) these days
2010-08-03 16:05:25 +10:00
Damien Miller
bcfbc48930 - jmc@cvs.openbsd.org 2010/07/14 17:06:58
[ssh.1]
     finally ssh synopsis looks nice again! this commit just removes a ton of
     hacks we had in place to make it work with old groff;
2010-07-16 13:59:11 +10:00
Damien Miller
388f6fc485 - markus@cvs.openbsd.org 2010/05/16 12:55:51
[PROTOCOL.mux clientloop.h mux.c readconf.c readconf.h ssh.1 ssh.c]
     mux support for remote forwarding with dynamic port allocation,
     use with
        LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
     feedback and ok djm@
2010-05-21 14:57:35 +10:00
Damien Miller
67f30d70d9 - jmc@cvs.openbsd.org 2010/03/26 06:54:36
[ssh.1]
     tweak previous;
2010-04-16 15:52:03 +10:00
Damien Miller
9c60f24f01 - djm@cvs.openbsd.org 2010/03/26 00:26:58
[ssh.1]
     mention that -S none disables connection sharing; from Colin Watson
2010-03-26 11:28:35 +11:00
Damien Miller
5059d8d7e6 - djm@cvs.openbsd.org 2010/03/05 10:28:21
[ssh-add.1 ssh.1 ssh_config.5]
     mention loading of certificate files from [private]-cert.pub when
     they are present; feedback and ok jmc@
2010-03-05 21:31:11 +11:00
Damien Miller
922b541329 - jmc@cvs.openbsd.org 2010/03/05 08:31:20
[ssh.1]
     document certificate authentication; help/ok djm
2010-03-05 21:30:54 +11:00
Damien Miller
98339054f9 - jmc@cvs.openbsd.org 2010/03/05 06:50:35
[ssh.1 sshd.8]
     tweak previous;
2010-03-05 21:30:35 +11:00
Damien Miller
a7dab8bfe5 - djm@cvs.openbsd.org 2010/03/04 23:19:29
[ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
2010-03-05 10:42:05 +11:00
Damien Miller
72b33820af - jmc@cvs.openbsd.org 2010/03/04 12:51:25
[ssh.1 sshd_config.5]
     tweak previous;
2010-03-05 07:39:01 +11:00
Damien Miller
1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller
15f5b560b1 - jmc@cvs.openbsd.org 2010/02/26 22:09:28
[ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
2010-03-03 10:25:21 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller
d400da5ba8 - jmc@cvs.openbsd.org 2010/02/11 13:23:29
[ssh.1]
     libarary -> library;
2010-02-12 09:26:23 +11:00
Damien Miller
a761844455 - markus@cvs.openbsd.org 2010/02/10 23:20:38
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
     pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00
Damien Miller
048dc93617 - jmc@cvs.openbsd.org 2010/02/08 22:03:05
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
     tweak previous; ok markus
2010-02-12 09:22:04 +11:00
Damien Miller
7ea845e48d - markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
2010-02-12 09:21:02 +11:00
Darren Tucker
7ad8dd21da - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
[ssh_config channels.c ssh.1 channels.h ssh.c]
     Add a 'netcat mode' (ssh -W).  This connects stdio on the client to a
     single port forward on the server.  This allows, for example, using ssh as
     a ProxyCommand to route connections via intermediate servers.
     bz #1618, man page help from jmc@, ok markus@
2010-01-12 19:40:27 +11:00
Darren Tucker
7bd98e7f74 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 10:31:12 +11:00
Darren Tucker
535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker
34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker
98c9aec30e - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
[ssh-agent.1 ssh-add.1 ssh.1]
     write UNIX-domain in a more consistent way; while here, replace a
     few remaining ".Tn UNIX" macros with ".Ux" ones.
     pointed out by ratchov@, thanks!
     ok jmc@
2009-10-24 11:42:44 +11:00
Darren Tucker
ae69e1d010 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
[ssh.1 ssh-agent.1 ssh-add.1]
     use the UNIX-related macros (.At and .Ux) where appropriate.
     ok jmc@
2009-10-24 11:41:34 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
3a6a51f387 - jmc@cvs.openbsd.org 2009/03/19 15:15:09
[ssh.1]
     for "Ciphers", just point the reader to the keyword in ssh_config(5), just
     as we do for "MACs": this stops us getting out of sync when the lists
     change;
     fixes documentation/6102, submitted by Peter J. Philipp
     alternative fix proposed by djm
     ok markus
2009-06-21 17:48:52 +10:00