summaryrefslogtreecommitdiff
path: root/readconf.c
Commit message (Collapse)AuthorAgeFilesLines
* upstream: don't leak arg2 on parse_pubkey_algos error path; okdjm@openbsd.org2023-03-311-1/+2
| | | | | | dtucker@ OpenBSD-Commit-ID: 7d0270ad3dd102412ca76add2b3760518abdef75
* upstream: Remove no-op (int) > INT_MAX checksdtucker@openbsd.org2023-03-101-5/+3
| | | | | | since they can never be true. From Coverity CID 405031, ok djm@ OpenBSD-Commit-ID: 9df3783b181e056595e2bb9edf7ed41d61cf8e84
* upstream: modify parentheses in conditionals to make it clearer what isjcs@openbsd.org2023-03-101-2/+2
| | | | | | | | being assigned and what is being checked ok djm dtucker OpenBSD-Commit-ID: 19c10baa46ae559474409f75a5cb3d0eade7a9b8
* upstream: Remove unused compat.h includes.dtucker@openbsd.org2023-03-051-2/+1
| | | | | | | | We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it. OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
* upstream: Add a "Host" line to the output of ssh -G showing thedtucker@openbsd.org2023-01-131-1/+3
| | | | | | | original host arg. Inspired by patch from vincent at bernat.ch via bz#3343, ok djm@ OpenBSD-Commit-ID: 59c0f60a222113a44d0650cd394376e3beecc883
* upstream: fix bug in PermitRemoteOpen which caused it to ignore itsdjm@openbsd.org2023-01-031-29/+33
| | | | | | | | first argument unless it was one of the special keywords "any" or "none". Reported by Georges Chaudy in bz3515; ok dtucker@ OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5
* upstream: New EnableEscapeCommandline ssh_config(5) optiondjm@openbsd.org2022-11-301-1/+11
| | | | | | | | | | This option (default "no") controls whether the ~C escape is available. Turning it off by default means we will soon be able to use a stricter default pledge(2) in the client. feedback deraadt@ dtucker@; tested in snaps for a while OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a
* upstream: add a RequiredRSASize for checking RSA key length indjm@openbsd.org2022-09-171-2/+11
| | | | | | | | | | | ssh(1). User authentication keys that fall beneath this limit will be ignored. If a host presents a host key beneath this limit then the connection will be terminated (unfortunately there are no fallbacks in the protocol for host authentication). feedback deraadt, Dmitry Belyavskiy; ok markus@ OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a
* upstream: Make SetEnv directives first-match-wins in bothdjm@openbsd.org2022-06-031-26/+15
| | | | | | | | | | | sshd_config and sshd_config; previously if the same name was reused then the last would win (which is the opposite to how the config is supposed to work). While there, make the ssh_config parsing more like sshd_config. bz3438, ok dtucker OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
* upstream: Avoid an unnecessary xstrdup in rm_env() when matchingmillert@openbsd.org2022-04-271-7/+3
| | | | | | | | patterns. Since match_pattern() doesn't modify its arguments (they are const), there is no need to make an extra copy of the strings in options->send_env. From Martin Vahlensieck OpenBSD-Commit-ID: 2c9db31e3f4d3403b49642c64ee048b2a0a39351
* Really move DSA to end of list.Darren Tucker2022-02-201-2/+2
| | | | | In commit ad16a84e syncing from OpenBSD, RSA was accidentally moved to the end of the list instead of DSA. Spotted by andrew at fyfe.gb.net.
* upstream: Switch hpdelim interface to accept only ":" as delimiter.dtucker@openbsd.org2022-02-101-5/+4
| | | | | | | | | | Historicallly, hpdelim accepted ":" or "/" as a port delimiter between hosts (or addresses) and ports. These days most of the uses for "/" are no longer accepted, so there are several places where it checks the delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2 in the other cases. ok djm@ OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
* upstream: Since they are deprecated, move DSA to the end of thedtucker@openbsd.org2022-02-071-2/+2
| | | | | | | default list of public keys so that they will be tried last. From github PR#295 from "ProBackup-nl", ok djm@ OpenBSD-Commit-ID: 7e5d575cf4971d4e2de92e0b6d6efaba53598bf0
* upstream: PubkeyAuthentication=yes|no|unbound|host-bounddjm@openbsd.org2021-12-201-3/+15
| | | | | | | | | | | | Allow control over which pubkey methods are used. Added out of concern that some hardware devices may have difficulty signing the longer pubkey authentication challenges. This provides a way for them to disable the extension. It's also handy for testing. feedback / ok markus@ OpenBSD-Commit-ID: ee52580db95c355cf6d563ba89974c210e603b1a
* upstream: missing space character in ssh -G output broke thedjm@openbsd.org2021-09-161-2/+2
| | | | | | t-sshcfgparse regression test; spotted by anton@ OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0
* upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; okdjm@openbsd.org2021-09-161-11/+47
| | | | | | markus@ OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
* upstream: Add a ForkAfterAuthentication ssh_config(5) counterpartdjm@openbsd.org2021-07-231-2/+11
| | | | | | | to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok dtucker OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3
* upstream: Add a StdinNull directive to ssh_config(5) that allowsdjm@openbsd.org2021-07-231-2/+11
| | | | | | | the config file to do the same thing as -n does on the ssh(1) commandline. Patch from Volker Diels-Grabsch via GHPR231; ok dtucker OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e
* upstream: add a SessionType directive to ssh_config, allowing thedjm@openbsd.org2021-07-141-2/+21
| | | | | | | | | | configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks; feedback and ok dtucker@ OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
* upstream: Remove references to ChallengeResponseAuthentication indtucker@openbsd.org2021-07-021-13/+5
| | | | | | | | | | | | | favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
* upstream: fix regression in r1.356: for ssh_config options thatdjm@openbsd.org2021-06-091-2/+3
| | | | | | | accepted multiple string arguments, ssh was only recording the first. Reported by Lucas via bugs@ OpenBSD-Commit-ID: 7cbf182f7449bf1cb7c5b4452667dc2b41170d6d
* upstream: Switch ssh_config parsing to use argv_split()djm@openbsd.org2021-06-081-150/+266
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a couple of problems with the previous tokeniser, strdelim() 1. strdelim() is permissive wrt accepting '=' characters. This is intended to allow it to tokenise "Option=value" but because it cannot keep state, it will incorrectly split "Opt=val=val2". 2. strdelim() has rudimentry handling of quoted strings, but it is incomplete and inconsistent. E.g. it doesn't handle escaped quotes inside a quoted string. 3. It has no support for stopping on a (unquoted) comment. Because of this readconf.c r1.343 added chopping of lines at '#', but this caused a regression because these characters may legitimately appear inside quoted strings. The new tokeniser is stricter is a number of cases, including #1 above but previously it was also possible for some directives to appear without arguments. AFAIK these were nonsensical in all cases, and the new tokeniser refuses to accept them. The new code handles quotes much better, permitting quoted space as well as escaped closing quotes. Finally, comment handling should be fixed - the tokeniser will terminate only on unquoted # characters. feedback & ok markus@ tested in snaps for the last five or so days - thanks Theo and those who caught bugs OpenBSD-Commit-ID: dc72fd12af9d5398f4d9e159d671f9269c5b14d5
* upstream: Check if IPQoS or TunnelDevice are already set beforedtucker@openbsd.org2021-06-081-3/+3
| | | | | | | overriding. Prevents values in config files from overriding values supplied on the command line. bz#3319, ok markus. OpenBSD-Commit-ID: f3b08b898c324debb9195e6865d8999406938f74
* upstream: ssh: The client configuration keyword isnaddy@openbsd.org2021-05-261-2/+2
| | | | | | | | | | | "hostbasedacceptedalgorithms" This fixes a mistake that slipped in when "HostbasedKeyTypes" was renamed to "HostbasedAcceptedAlgorithms". Bug report by zack@philomathiclife.com OpenBSD-Commit-ID: d745a7e8e50b2589fc56877f322ea204bc784f38
* upstream: highly polished whitespace, mostly fixing spaces-for-tabdjm@openbsd.org2021-04-031-4/+4
| | | | | | and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: Put obsolete aliases for hostbasedalgorithms anddtucker@openbsd.org2021-02-251-3/+3
| | | | | | | pubkeyacceptedalgorithms after their current names so that the config-dump mode finds and uses the current names. Spotted by Phil Pennock. OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15
* upstream: ssh: add PermitRemoteOpen for remote dynamic forwardingmarkus@openbsd.org2021-02-171-3/+60
| | | | | | with SOCKS ok djm@, dtucker@ OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
* upstream: Rename HostbasedKeyTypes (ssh) anddtucker@openbsd.org2021-01-261-9/+10
| | | | | | | | | HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
* upstream: Rename PubkeyAcceptedKeyTypes keyword todtucker@openbsd.org2021-01-221-13/+14
| | | | | | | | | | PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
* upstream: make CheckHostIP default to 'no'. It doesn't provide anydjm@openbsd.org2021-01-081-2/+2
| | | | | | | | | perceptible value and makes it much harder for hosts to change host keys, particularly ones that use IP-based load-balancing. ok dtucker@ OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0
* upstream: Remove lines accidentally left behind in the ProxyJumptb@openbsd.org2020-12-221-4/+1
| | | | | | | | parsing fix r1.345. ok djm OpenBSD-Commit-ID: fe767c108c8117bea33767b080ff62eef2c55f5c
* upstream: add a ssh_config KnownHostsCommand that allows the clientdjm@openbsd.org2020-12-221-2/+10
| | | | | | | | | | | | | to obtain known_hosts data from a command in addition to the usual files. The command accepts bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details). ok markus@ OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
* upstream: properly fix ProxyJump parsing; Thanks to tb@ fordjm@openbsd.org2020-12-211-4/+9
| | | | | | | | | pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed). Reported by Raf Czlonka via bugs@ ok tb@ OpenBSD-Commit-ID: a2991a3794bcaf1ca2b025212cce11cdb5f6b7d6
* upstream: prepare readconf.c for fuzzing; remove fatal calls anddjm@openbsd.org2020-12-211-155/+404
| | | | | | fix some (one-off) memory leaks; ok markus@ OpenBSD-Commit-ID: 91c6aec57b0e7aae9190de188e9fe8933aad5ec5
* upstream: Ignore comments at the end of config lines in ssh_config,dtucker@openbsd.org2020-12-041-2/+9
| | | | | | similar to what we already do for sshd_config. bz#2320, with & ok djm@ OpenBSD-Commit-ID: bdbf9fc5bc72b1a14266f5f61723ed57307a6db4
* upstream: revert r1.341; it breaks ProxyJump; reported by sthen@djm@openbsd.org2020-11-161-3/+3
| | | | OpenBSD-Commit-ID: 6ac2f945b26cb86d936eed338f77861d6da8356a
* upstream: fix logic error that broke URI parsing in ProxyJumpdjm@openbsd.org2020-11-121-3/+3
| | | | | | directives; ok dtucker@ OpenBSD-Commit-ID: 96d48839b1704882a0e9a77898f5e14b2d222705
* upstream: use the new variant log macros instead of prependingdjm@openbsd.org2020-10-181-12/+11
| | | | | | __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: LogVerbose keyword for ssh and sshddjm@openbsd.org2020-10-171-3/+20
| | | | | | | | | Allows forcing maximum debug logging by file/function/line pattern- lists. ok markus@ OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
* upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS isdjm@openbsd.org2020-10-071-3/+4
| | | | | | enabled; suggested by Mark D. Baushke OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
* upstream: There are lots of place where we want to redirect stdin,djm@openbsd.org2020-10-031-15/+4
| | | | | | | | stdout and/or stderr to /dev/null. Factor all these out to a single stdfd_devnull() function that allows selection of which of these to redirect. ok markus@ OpenBSD-Commit-ID: 3033ba5a4c47cacfd5def020d42cabc52fad3099
* upstream: enable UpdateHostkeys by default when the configurationdjm@openbsd.org2020-10-031-2/+8
| | | | | | | has not overridden UserKnownHostsFile; ok markus@ "The timing is perfect" deraadt@ OpenBSD-Commit-ID: 62df71c9c5242da5763cb473c2a2deefbd0cef60
* upstream: remove unreachable code I forgot to delete in r1.334djm@openbsd.org2020-08-271-13/+1
| | | | OpenBSD-Commit-ID: 9ed6078251a0959ee8deda443b9ae42484fd8b18
* upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a timedjm@openbsd.org2020-08-271-17/+68
| | | | | | | | limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed; ok markus@ OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
* upstream: Add %k to the TOKENs for Match Exec for consistency withdtucker@openbsd.org2020-07-171-2/+5
| | | | | | the other keywords that recently got %k. OpenBSD-Commit-ID: 1857d1c40f270cbc254fca91e66110641dddcfdb
* upstream: some language improvements; ok markusdjm@openbsd.org2020-07-151-6/+6
| | | | OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
* upstream: Allow some keywords to expand shell-style ${ENV}dtucker@openbsd.org2020-05-291-4/+16
| | | | | | | | | | environment variables on the client side. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. This would for example allow forwarding of Unix domain socket paths that change at runtime. bz#3140, ok djm@ OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
* upstream: fix crash in recallocarray when deleting SendEnvdjm@openbsd.org2020-05-281-2/+7
| | | | | | variables; spotted by & ok sthen@ OpenBSD-Commit-ID: b881e8e849edeec5082b5c0a87d8d7cff091a8fd
* upstream: Fix incorrect error message for "too many known hosts files."dtucker@openbsd.org2020-04-241-2/+2
| | | | | | bz#3149, patch from jjelen at redhat.com. OpenBSD-Commit-ID: e0fcb07ed5cf7fd54ce340471a747c24454235e5
* upstream: %C expansion just added to Match Exec should includedtucker@openbsd.org2020-04-031-2/+2
| | | | | | remote user not local user. OpenBSD-Commit-ID: 80f1d976938f2a55ee350c11d8b796836c8397e2
View Lorry Controller Status