Commit Graph

358 Commits

Author SHA1 Message Date
jmc@openbsd.org
e6933a2ffa upstream: reorder CASignatureAlgorithms, and add them to the
various -o lists; ok djm

OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-21 09:41:10 +10:00
djm@openbsd.org
357128ac48 upstream: Add "ssh -Q sig" to allow listing supported signature
algorithms ok markus@

OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
2018-09-12 16:49:21 +10:00
djm@openbsd.org
247766cd31 upstream: ssh -MM requires confirmation for all operations that
change the multiplexing state, not just new sessions.

mention that confirmation is checked via ssh-askpass

OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
2018-09-09 14:50:32 +10:00
dtucker@openbsd.org
95d41e90ea upstream: Deprecate UsePrivilegedPort now that support for running
ssh(1) setuid has been removed, remove supporting code and clean up
references to it in the man pages

We have not shipped ssh(1) the setuid bit since 2002.  If ayone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.

ok markus@ jmc@ djm@

OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-19 21:44:21 +10:00
jmc@openbsd.org
acf4260f09 upstream: sort previous;
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-11 09:50:06 +10:00
djm@openbsd.org
7082bb58a2 upstream: add a SetEnv directive to ssh_config that allows setting
environment variables for the remote session (subject to the server accepting
them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09 13:11:00 +10:00
djm@openbsd.org
f18bc97151 upstream: Emphasise that -w implicitly sets Tunnel=point-to-point
and that users should specify an explicit Tunnel directive if they don't want
this. bz#2365.

OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d
2018-05-22 10:15:18 +10:00
djm@openbsd.org
8d6829be32 upstream: ssh does not accept -oInclude=... on the commandline, the
Include keyword is for configuration files only. bz#2840, patch from Jakub
Jelen

OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
2018-04-06 14:20:33 +10:00
jmc@openbsd.org
7d330a1ac0 upstream: some cleanup for BindInterface and ssh-keyscan;
OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
2018-02-26 11:32:29 +11:00
djm@openbsd.org
ac2e3026bb upstream: Add BindInterface ssh_config directive and -B
command-line argument to ssh(1) that directs it to bind its outgoing
connection to the address of the specified network interface.

BindInterface prefers to use addresses that aren't loopback or link-
local, but will fall back to those if no other addresses of the
required family are available on that interface.

Based on patch by Mike Manning in bz#2820, ok dtucker@

OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
2018-02-23 13:37:49 +11:00
djm@openbsd.org@openbsd.org
ecbf005b8f upstream commit
Private keys in PEM format have been encrypted by AES-128 for
a while (not 3DES). bz#2788 reported by Calum Mackay

OpenBSD-Commit-ID: bd33da7acbbb3c882f0a0ee56007a35ce0d8a11a
2017-11-03 16:20:41 +11:00
jmc@openbsd.org@openbsd.org
0b2e2896b9 upstream commit
tweak the uri text, specifically removing some markup to
make it a bit more readable;

issue reported by - and diff ok - millert

OpenBSD-Commit-ID: 8b56a20208040b2d0633536fd926e992de37ef3f
2017-10-31 09:08:50 +11:00
djm@openbsd.org
b7548b12a6 upstream commit
Expose devices allocated for tun/tap forwarding.

At the client, the device may be obtained from a new %T expansion
for LocalCommand.

At the server, the allocated devices will be listed in a
SSH_TUNNEL variable exposed to the environment of any user sessions
started after the tunnel forwarding was established.

ok markus

Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 16:14:30 +11:00
millert@openbsd.org
887669ef03 upstream commit
Add URI support to ssh, sftp and scp.  For example
ssh://user@host or sftp://user@host/path.  The connection parameters
described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
the ssh fingerprint format in the draft uses md5 with no way to specify the
hash function type.  OK djm@

Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
2017-10-23 16:10:08 +11:00
djm@openbsd.org
10727487be upstream commit
mention SSH_USER_AUTH in the list of environment
variables

Upstream-ID: 1083397c3ee54b4933121ab058c70a0fc6383691
2017-10-20 12:01:03 +11:00
markus@openbsd.org
609d7a66ce upstream commit
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.

The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.

help and ok djm@

Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-22 09:14:53 +10:00
djm@openbsd.org
7f5637c4a6 upstream commit
in description of public key authentication, mention that
the server will send debug messages to the client for some error conditions
after authentication has completed. bz#2709 ok dtucker

Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
2017-06-10 16:40:10 +10:00
bluhm@openbsd.org
1112b534a6 upstream commit
Add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command line.  This
command will be executed on the remote host.  The feature allows to automate
tasks using ssh config. OK markus@

Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-31 10:51:09 +10:00
naddy@openbsd.org
2e9c324b3a upstream commit
remove superfluous protocol 2 mentions; ok jmc@

Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08 09:18:27 +10:00
naddy@openbsd.org
9a82e24b98 upstream commit
restore mistakenly deleted description of the
ConnectionAttempts option ok markus@

Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
2017-05-08 09:18:27 +10:00
jmc@openbsd.org
2b6f799e9b upstream commit
more protocol 1 stuff to go; ok djm

Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08 09:18:05 +10:00
jmc@openbsd.org
d852603214 upstream commit
remove now obsolete protocol1 options from the -o
lists;

Upstream-ID: 828e478a440bc5f9947672c392420510a362b3dd
2017-05-08 09:18:04 +10:00
djm@openbsd.org
788ac799a6 upstream commit
remove SSHv1 configuration options and man pages bits

ok markus@

Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2017-05-01 10:05:00 +10:00
jmc@openbsd.org
e4eb7d9109 upstream commit
- add proxyjump to the options list - formatting fixes -
update usage()

ok djm

Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-17 14:21:09 +10:00
djm@openbsd.org
ed877ef653 upstream commit
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".

These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.

This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.

ok markus@

Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-07-15 14:20:10 +10:00
jmc@openbsd.org
772e6cec0e upstream commit
sort the -o list;

Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
2016-07-08 13:46:59 +10:00
jmc@openbsd.org
6915f1698e upstream commit
tweak previous;

Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
2016-06-08 11:39:31 +10:00
dtucker@openbsd.org
0cb2f4c249 upstream commit
Allow ExitOnForwardFailure and ClearAllForwardings to be
 overridden when using ssh -W (but still default to yes in that case).
 bz#2577, ok djm@.

Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
2016-06-08 11:39:31 +10:00
markus@openbsd.org
b02ad1ce91 upstream commit
IdentityAgent for specifying specific agent sockets; ok
 djm@

Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-05-05 00:01:49 +10:00
djm@openbsd.org
dc7990be86 upstream commit
Include directive for ssh_config(5); feedback & ok markus@

Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-15 11:16:11 +10:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
jmc@openbsd.org
eb3f7337a6 upstream commit
no need to state that protocol 2 is the default twice;

Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
2016-02-17 16:37:56 +11:00
djm@openbsd.org
e7901efa9b upstream commit
Replace list of ciphers and MACs adjacent to -1/-2 flag
 descriptions in ssh(1) with a strong recommendation not to use protocol 1.
 Add a similar warning to the Protocol option descriptions in ssh_config(5)
 and sshd_config(5);

prompted by and ok mmcc@

Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-17 16:37:55 +11:00
jcs@openbsd.org
f361df474c upstream commit
Add an AddKeysToAgent client option which can be set to
 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'.  When enabled, a
 private key that is used during authentication will be added to ssh-agent if
 it is running (with confirmation enabled if set to 'confirm').

Initial version from Joachim Schipper many years ago.

ok markus@

Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-11-16 11:31:39 +11:00
mmcc@openbsd.org
5e288923a3 upstream commit
1. rlogin and rsh are long gone 2. protocol version isn't
 of core relevance here, and v1 is going away

ok markus@, deraadt@

Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
2015-11-09 14:25:36 +11:00
jmc@openbsd.org
c5f7c0843c upstream commit
some certificatefile tweaks; ok djm

Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
2015-10-06 12:21:55 +11:00
djm@openbsd.org
4e44a79a07 upstream commit
add ssh_config CertificateFile option to explicitly list
 a certificate; patch from Meghana Bhat on bz#2436; ok markus@

Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-10-06 12:21:54 +11:00
djm@openbsd.org
c0f55db7ee upstream commit
mention -Q key-plain and -Q key-cert; bz#2455 pointed out
 by Jakub Jelen

Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
2015-09-16 17:52:04 +10:00
millert@openbsd.org
ebe27ebe52 upstream commit
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
 Noticed by jmc@

Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
2015-07-21 13:05:12 +10:00
millert@openbsd.org
79ec2142fb upstream commit
Better desciption of Unix domain socket forwarding.
 bz#2423; ok jmc@

Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
2015-07-21 13:05:12 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
f948737449 upstream commit
mention ssh-keygen -E for comparing legacy MD5
 fingerprints; bz#2332

Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
2015-05-22 20:02:19 +10:00
dtucker@openbsd.org
f8484dac67 upstream commit
Clarify pseudo-terminal request behaviour and use
 "pseudo-terminal" consistently.  bz#1716, ok jmc@ "I like it" deraadt@.
2015-05-08 13:32:58 +10:00
djm@openbsd.org
68d2dfc464 upstream commit
Allow "ssh -Q protocol-version" to list supported SSH
 protocol versions. Useful for detecting builds without SSH v.1 support; idea
 and ok markus@
2015-03-04 04:54:11 +11:00
djm@openbsd.org
46347ed596 upstream commit
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-30 22:47:01 +11:00
djm@openbsd.org
1d1092bff8 upstream commit
correct description of UpdateHostKeys in ssh_config.5 and
 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-27 00:00:58 +11:00
jmc@openbsd.org
8abd80315d upstream commit
add fingerprinthash to the options list;
2015-01-09 00:13:35 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
jmc@openbsd.org
b1ba15f388 upstream commit
tweak previous;
2014-10-20 14:40:05 +11:00
djm@openbsd.org
957fbceb0f upstream commit
Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus
2014-10-13 11:41:48 +11:00