summaryrefslogtreecommitdiff
path: root/readconf.h
Commit message (Collapse)AuthorAgeFilesLines
* upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; okdjm@openbsd.org2021-09-161-1/+2
| | | | | | markus@ OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623
* upstream: Add a ForkAfterAuthentication ssh_config(5) counterpartdjm@openbsd.org2021-07-231-1/+2
| | | | | | | to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok dtucker OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3
* upstream: Add a StdinNull directive to ssh_config(5) that allowsdjm@openbsd.org2021-07-231-1/+2
| | | | | | | the config file to do the same thing as -n does on the ssh(1) commandline. Patch from Volker Diels-Grabsch via GHPR231; ok dtucker OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e
* upstream: add a SessionType directive to ssh_config, allowing thedjm@openbsd.org2021-07-141-1/+6
| | | | | | | | | | configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks; feedback and ok dtucker@ OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
* Sync remaining ChallengeResponse removal.Darren Tucker2021-07-031-3/+1
| | | | These were omitted from commit 88868fd131.
* upstream: ssh: add PermitRemoteOpen for remote dynamic forwardingmarkus@openbsd.org2021-02-171-1/+5
| | | | | | with SOCKS ok djm@, dtucker@ OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
* upstream: Rename HostbasedKeyTypes (ssh) anddtucker@openbsd.org2021-01-261-2/+2
| | | | | | | | | HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
* upstream: Rename PubkeyAcceptedKeyTypes keyword todtucker@openbsd.org2021-01-221-2/+2
| | | | | | | | | | PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
* upstream: add a ssh_config KnownHostsCommand that allows the clientdjm@openbsd.org2020-12-221-1/+3
| | | | | | | | | | | | | to obtain known_hosts data from a command in addition to the usual files. The command accepts bunch of %-expansions, including details of the connection and the offered server host key. Note that the command may be invoked up to three times per connection (see the manpage for details). ok markus@ OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
* upstream: prepare readconf.c for fuzzing; remove fatal calls anddjm@openbsd.org2020-12-211-2/+3
| | | | | | fix some (one-off) memory leaks; ok markus@ OpenBSD-Commit-ID: 91c6aec57b0e7aae9190de188e9fe8933aad5ec5
* upstream: LogVerbose keyword for ssh and sshddjm@openbsd.org2020-10-171-2/+3
| | | | | | | | | Allows forcing maximum debug logging by file/function/line pattern- lists. ok markus@ OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
* upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a timedjm@openbsd.org2020-08-271-1/+2
| | | | | | | | limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed; ok markus@ OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
* upstream: Make with config keywords support whichdtucker@openbsd.org2020-04-031-1/+3
| | | | | | | | | | | | percent_expansions more consistent. - %C is moved into its own function and added to Match Exec. - move the common (global) options into a macro. This is ugly but it's the least-ugly way I could come up with. - move IdentityAgent and ForwardAgent percent expansion to before the config dump to make it regression-testable. - document all of the above ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest. OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
* upstream: Remove unsupported algorithms from list of defaults at rundtucker@openbsd.org2020-01-231-1/+2
| | | | | | | | | | time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
* upstream: Allow forwarding a different agent socket to the pathdjm@openbsd.org2019-12-211-1/+2
| | | | | | | | | | specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@ OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
* upstream: ssh client support for U2F/FIDO keysdjm@openbsd.org2019-11-011-1/+2
| | | | OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
* upstream: add a ssh_config "Match final" predicatedjm@openbsd.org2018-11-231-3/+3
| | | | | | | Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 ok markus OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
* upstream: add CASignatureAlgorithms option for the client, allowingdjm@openbsd.org2018-09-201-1/+2
| | | | | | | it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
* upstream: Deprecate UsePrivilegedPort now that support for runningdtucker@openbsd.org2018-07-191-2/+1
| | | | | | | | | | | | | ssh(1) setuid has been removed, remove supporting code and clean up references to it in the man pages We have not shipped ssh(1) the setuid bit since 2002. If ayone really needs to make connections from a low port number this can be implemented via a small setuid ProxyCommand. ok markus@ jmc@ djm@ OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
* upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org2018-06-091-3/+4
| | | | | | | | | | | environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
* upstream: Add BindInterface ssh_config directive and -Bdjm@openbsd.org2018-02-231-1/+2
| | | | | | | | | | | | | command-line argument to ssh(1) that directs it to bind its outgoing connection to the address of the specified network interface. BindInterface prefers to use addresses that aren't loopback or link- local, but will fall back to those if no other addresses of the required family are available on that interface. Based on patch by Mike Manning in bz#2820, ok dtucker@ OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
* upstream commitmillert@openbsd.org2017-10-231-1/+2
| | | | | | | | | | Add URI support to ssh, sftp and scp. For example ssh://user@host or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@ Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
* upstream commitdjm@openbsd.org2017-09-041-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Expand ssh_config's StrictModes option with two new settings: StrictModes=accept-new will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. StrictModes=off is the same as StrictModes=no Motivation: StrictModes=no combines two behaviours for host key processing: automatically learning new hostkeys and continuing to connect to hosts with invalid/changed hostkeys. The latter behaviour is quite dangerous since it removes most of the protections the SSH protocol is supposed to provide. Quite a few users want to automatically learn hostkeys however, so this makes that feature available with less danger. At some point in the future, StrictModes=no will change to be a synonym for accept-new, with its current behaviour remaining available via StrictModes=off. bz#2400, suggested by Michael Samuel; ok markus Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
* upstream commitbluhm@openbsd.org2017-05-311-1/+2
| | | | | | | | | Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
* upstream commitdjm@openbsd.org2017-05-011-6/+1
| | | | | | | | remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
* upstream commitdjm@openbsd.org2017-05-011-2/+1
| | | | | | remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
* upstream commitdjm@openbsd.org2017-05-011-2/+1
| | | | | | | | | remove options.protocol and client Protocol configuration knob ok markus@ Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
* upstream commitdtucker@openbsd.org2017-04-281-1/+2
| | | | | | | | Add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705, patch from erahn at arista.com, ok djm@ Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
* upstream commitdjm@openbsd.org2016-07-151-1/+7
| | | | | | | | | | | | | | | | | Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
* upstream commitdtucker@openbsd.org2016-06-081-1/+5
| | | | | | | Move the host and port used by ssh -W into the Options struct. This will make future changes a bit easier. ok djm@ Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
* upstream commitmarkus@openbsd.org2016-05-051-1/+2
| | | | | | | IdentityAgent for specifying specific agent sockets; ok djm@ Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
* upstream commitdjm@openbsd.org2016-04-151-1/+2
| | | | | | Include directive for ssh_config(5); feedback & ok markus@ Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
* upstream commitmarkus@openbsd.org2016-01-271-3/+1
| | | | | | remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
* upstream commitjcs@openbsd.org2015-11-161-1/+3
| | | | | | | | | | | | | Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). Initial version from Joachim Schipper many years ago. ok markus@ Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
* upstream commitdjm@openbsd.org2015-10-061-1/+7
| | | | | | | add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
* upstream commitmarkus@openbsd.org2015-07-151-2/+3
| | | | | | | | Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
* upstream commitdjm@openbsd.org2015-02-171-2/+6
| | | | | | | | | | | | Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client. Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered. ok markus@
* upstream commitdjm@openbsd.org2015-01-301-1/+3
| | | | | | | | | | Add a ssh_config HostbasedKeyType option to control which host public key types are tried during hostbased authentication. This may be used to prevent too many keys being sent to the server, and blowing past its MaxAuthTries limit. bz#2211 based on patch by Iain Morgan; ok markus@
* upstream commitdjm@openbsd.org2015-01-271-2/+4
| | | | | | | | | | | | | | | Host key rotation support. Add a hostkeys@openssh.com protocol extension (global request) for a server to inform a client of all its available host key after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default on). ok markus@
* upstream commitdjm@openbsd.org2015-01-151-2/+2
| | | | | sync ssh-keysign, ssh-keygen and some dependencies to the new buffer/key API; mostly mechanical, ok markus@
* upstream commitdjm@openbsd.org2014-12-221-1/+3
| | | | | | | | Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
* upstream commitdjm@openbsd.org2014-12-051-1/+3
| | | | | | add RevokedHostKeys option for the client Allow textfile or KRL-based revocation of hostkeys.
* upstream commitdjm@openbsd.org2014-10-131-4/+6
| | | | | | | | | | | | | | | | | | Tweak config reparsing with host canonicalisation Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T" Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus
* - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller2014-07-181-17/+8
| | | | | | | | | | | | | | | | [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
* - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller2014-02-241-1/+3
| | | | | | | | | | | | | | | | | | [readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
* - djm@cvs.openbsd.org 2014/01/29 06:18:35Damien Miller2014-02-041-2/+1
| | | | | | | [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] remove experimental, never-enabled JPAKE code; ok markus@
* - djm@cvs.openbsd.org 2013/10/16 22:49:39Damien Miller2013-10-171-4/+4
| | | | | | [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@
* - djm@cvs.openbsd.org 2013/10/16 02:31:47Damien Miller2013-10-171-2/+20
| | | | | | | | | | | | [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@
* - djm@cvs.openbsd.org 2013/10/14 22:22:05Damien Miller2013-10-151-6/+6
| | | | | | [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@
* - djm@cvs.openbsd.org 2013/08/20 00:11:38Damien Miller2013-08-211-1/+3
| | | | | | | | | | [readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@