summaryrefslogtreecommitdiff
path: root/servconf.c
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Remove unused compat.h includes.dtucker@openbsd.org2023-03-051-2/+1
| | | | | | | | We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it. OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4
* upstream: actually print "channeltimeout none" in config dump mode;djm@openbsd.org2023-03-031-3/+11
| | | | | | spotted via Coverity CID 405022 OpenBSD-Commit-ID: b074b52bf138b75f08264e8da15880b29c7a630f
* upstream: Add a sshd_config UnusedConnectionTimeout option to terminatedjm@openbsd.org2023-01-171-2/+23
| | | | | | | | | | client connections that have no open channels for some length of time. This complements the recently-added ChannelTimeout option that terminates inactive channels after a timeout. ok markus@ OpenBSD-Commit-ID: ca983be74c0350364c11f8ba3bd692f6f24f5da9
* upstream: Implement channel inactivity timeoutsdjm@openbsd.org2023-01-061-10/+100
| | | | | | | | | | | | | | | This adds a sshd_config ChannelTimeouts directive that allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. Note: this only affects channels over an opened SSH connection and not the connection itself. Most clients close the connection when their channels go away, with a notable exception being ssh(1) in multiplexing mode. ok markus dtucker OpenBSD-Commit-ID: ae8bba3ed9d9f95ff2e2dc8dcadfa36b48e6c0b8
* upstream: Remove some set but otherwise unused variables, spotteddtucker@openbsd.org2022-11-071-3/+2
| | | | | | in -portable by clang 16's -Wunused-but-set-variable. ok djm@ OpenBSD-Commit-ID: 3d943ddf2369b38fbf89f5f19728e7dc1daf3982
* upstream: Check for and disallow MaxStartups values less than ordtucker@openbsd.org2022-11-071-1/+5
| | | | | | | equal to zero during config parsing, rather than faling later at runtime. bz#3489, ok djm@ OpenBSD-Commit-ID: d79c2b7a8601eb9be493629a91245d761154308b
* upstream: Add RequiredRSASize for sshd(8); RSA keys that falldjm@openbsd.org2022-09-171-1/+12
| | | | | | | | beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
* upstream: Make SetEnv directives first-match-wins in bothdjm@openbsd.org2022-06-031-1/+7
| | | | | | | | | | | sshd_config and sshd_config; previously if the same name was reused then the last would win (which is the opposite to how the config is supposed to work). While there, make the ssh_config parsing more like sshd_config. bz3438, ok dtucker OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b
* upstream: don't try to resolve ListenAddress directives in the sshddjm@openbsd.org2022-03-201-4/+5
| | | | | | | | re-exec path - we're never going to use the result and if the operation fails then it can prevent connections from being accepted. Reported by Aaron Poffenberger; with / ok dtucker@ OpenBSD-Commit-ID: 44c53a43909a328e2f5ab26070fdef3594eded60
* upstream: Switch hpdelim interface to accept only ":" as delimiter.dtucker@openbsd.org2022-02-101-12/+9
| | | | | | | | | | Historicallly, hpdelim accepted ":" or "/" as a port delimiter between hosts (or addresses) and ports. These days most of the uses for "/" are no longer accepted, so there are several places where it checks the delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2 in the other cases. ok djm@ OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102
* upstream: revision 1.381 neglected to removemillert@openbsd.org2021-09-071-4/+3
| | | | | | | sChallengeResponseAuthentication from the enum. Noticed by christos@zoulas.com. OK dtucker@ OpenBSD-Commit-ID: b533283a4dd6d04a867da411a4c7a8fbc90e34ff
* Remove now-unused SSHv1 enums.Darren Tucker2021-07-021-1/+0
| | | | | sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options and are no longer used.
* upstream: Remove references to ChallengeResponseAuthentication indtucker@openbsd.org2021-07-021-13/+4
| | | | | | | | | | | | | favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
* upstream: switch sshd_config parsing to argv_split()djm@openbsd.org2021-06-081-283/+331
| | | | | | | | | | | | | similar to the previous commit, this switches sshd_config parsing to the newer tokeniser. Config parsing will be a little stricter wrt quote correctness and directives appearing without arguments. feedback and ok markus@ tested in snaps for the last five or so days - thanks Theo and those who caught bugs OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
* upstream: highly polished whitespace, mostly fixing spaces-for-tabdjm@openbsd.org2021-04-031-7/+7
| | | | | | and bad indentation on continuation lines. Prompted by GHPR#185 OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
* upstream: Add ModuliFile keyword to sshd_config to specify thedtucker@openbsd.org2021-03-131-2/+10
| | | | | | | | location of the "moduli" file containing the groups for DH-GEX. This will allow us to run tests against arbitrary moduli files without having to install them. ok djm@ OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
* upstream: Put obsolete aliases for hostbasedalgorithms anddtucker@openbsd.org2021-02-251-3/+3
| | | | | | | pubkeyacceptedalgorithms after their current names so that the config-dump mode finds and uses the current names. Spotted by Phil Pennock. OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15
* upstream: factor out opt_array_append; ok djm@markus@openbsd.org2021-02-171-41/+15
| | | | OpenBSD-Commit-ID: 571bc5dd35f99c5cf9de6aaeac428b168218e74a
* upstream: Rename HostbasedKeyTypes (ssh) anddtucker@openbsd.org2021-01-261-8/+9
| | | | | | | | | HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@ OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
* upstream: Rename PubkeyAcceptedKeyTypes keyword todtucker@openbsd.org2021-01-221-12/+13
| | | | | | | | | | PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
* upstream: Correct spelling of persourcenetblocksize in config-dumpdtucker@openbsd.org2021-01-111-2/+2
| | | | | | mode. OpenBSD-Commit-ID: ecdc49e2b6bde6b6b0e52163d621831f6ac7b13d
* upstream: Add PerSourceMaxStartups and PerSourceNetBlockSizedtucker@openbsd.org2021-01-111-2/+59
| | | | | | | options which provide more fine grained MaxStartups limits. Man page help jmc@, feedback & ok djm@ OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b
* upstream: use the new variant log macros instead of prependingdjm@openbsd.org2020-10-181-18/+16
| | | | | | __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: LogVerbose keyword for ssh and sshddjm@openbsd.org2020-10-171-2/+17
| | | | | | | | | Allows forcing maximum debug logging by file/function/line pattern- lists. ok markus@ OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
* Remove HAVE_MMAP and BROKEN_MMAPSebastian Andrzej Siewior2020-09-111-9/+0
| | | | | | | | | | | | | BROKEN_MMAP is no longer defined since commit 1cfd5c06efb12 ("Remove portability support for mmap") this commit also removed other HAVE_MMAP user. I didn't find anything that defines HAVE_MMAP. The check does not trigger because compression on server side is by default COMP_DELAYED (2) so it never triggers. Remove remaining HAVE_MMAP and BROKEN_MMAP bits. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
* upstream: Check that the addresses supplied to Match Address anddtucker@openbsd.org2020-08-311-1/+8
| | | | | | | | Match LocalAddress are valid when parsing in config-test mode. This will catch address/mask mismatches before they cause problems at runtime. Found by Daniel Stocker, ok djm@ OpenBSD-Commit-ID: 2d0b10c69fad5d8fda4c703e7c6804935289378b
* upstream: support for requiring user verified FIDO keys in sshddjm@openbsd.org2020-08-271-1/+5
| | | | | | | | | | | | | This adds a "verify-required" authorized_keys flag and a corresponding sshd_config option that tells sshd to require that FIDO keys verify the user identity before completing the signing/authentication attempt. Whether or not user verification was performed is already baked into the signature made on the FIDO token, so this is just plumbing that flag through and adding ways to require it. feedback and ok markus@ OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
* upstream: some language improvements; ok markusdjm@openbsd.org2020-07-151-11/+11
| | | | OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8
* upstream: support loading big sshd_config files w/o realloc; okmarkus@openbsd.org2020-06-261-1/+7
| | | | | | djm OpenBSD-Commit-ID: ba9238e810074ac907f0cf8cee1737ac04983171
* upstream: fix Include before Match in sshd_config; bz#3122 patchdjm@openbsd.org2020-05-281-10/+21
| | | | | | from Jakub Jelen OpenBSD-Commit-ID: 1b0aaf135fe6732b5d326946042665dd3beba5f4
* upstream: Do not call process_queued_listen_addrs() for everydjm@openbsd.org2020-05-281-5/+5
| | | | | | included file from sshd_config; patch from Jakub Jelen OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
* Error out if given RDomain if unsupported.Darren Tucker2020-04-241-0/+6
| | | | | | | If the config contained 'RDomain %D' on a platform that did not support it, the error would not be detected until runtime resulting in a broken sshd. Detect this earlier and error out if found. bz#3126, based on a patch from jjelen at redhat.com, tweaks and ok djm@
* sys/sysctl.h is only used on OpenBSDDamien Miller2020-04-171-1/+1
| | | | | so change the preprocessor test used to include it to check __OpenBSD__, matching the code that uses the symbols it declares.
* upstream: make IgnoreRhosts a tri-state option: "yes" ignoredjm@openbsd.org2020-04-171-4/+13
| | | | | | | rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. ok dtucker@ OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
* upstream: allow the IgnoreRhosts directive to appear anywhere in adjm@openbsd.org2020-04-171-2/+3
| | | | | | sshd_config, not just before any Match blocks; bz3148, ok dtucker@ OpenBSD-Commit-ID: e042467d703bce640b1f42c5d1a62bf3825736e8
* upstream: fix relative includes in sshd_config; ok djmmarkus@openbsd.org2020-03-131-2/+2
| | | | OpenBSD-Commit-ID: fa29b0da3c93cbc3a1d4c6bcd58af43c00ffeb5b
* upstream: Add a sshd_config "Include" directive to allow inclusiondjm@openbsd.org2020-02-011-19/+148
| | | | | | | | of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@ OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
* upstream: Make zlib optional. This adds a "ZLIB" build time optiondtucker@openbsd.org2020-01-231-1/+8
| | | | | | | that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
* upstream: Remove unsupported algorithms from list of defaults at rundtucker@openbsd.org2020-01-231-20/+27
| | | | | | | | | | time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
* upstream: don't treat HostKeyAgent=none as a path either; avoidsdjm@openbsd.org2019-12-161-1/+2
| | | | | | spurious warnings from the cfgparse regress test OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
* upstream: do not attempt to find an absolute path for sshd_configdjm@openbsd.org2019-12-161-2/+13
| | | | | | SecurityKeyProvider=internal - unbreaks cfgparse regress test OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
* upstream: allow security keys to act as host keys as well as userdjm@openbsd.org2019-12-161-4/+14
| | | | | | | | | | | | | keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
* upstream: Add a sshd_config PubkeyAuthOptions directivedjm@openbsd.org2019-11-251-2/+31
| | | | | | | | | | | This directive has a single valid option "no-touch-required" that causes sshd to skip checking whether user presence was tested before a security key signature was made (usually by the user touching the key). ok markus@ OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
* upstream: Separate myproposal.h userauth pubkey typesdjm@openbsd.org2019-11-011-3/+3
| | | | | | | | | U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys. feedback & ok markus@ OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
* upstream: Allow prepending a list of algorithms to the default setnaddy@openbsd.org2019-09-081-5/+9
| | | | | | | | | | | by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
* upstream: When running sshd -T, assume any attibute not provided bydtucker@openbsd.org2019-05-081-8/+10
| | | | | | | -C does not match, which allows it to work when sshd_config contains a Match directive with or without -C. bz#2858, ok djm@ OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb
* upstream: whitespacedjm@openbsd.org2019-03-261-2/+1
| | | | OpenBSD-Commit-ID: 106e853ae8a477e8385bc53824d3884a8159db07
* upstream: Move checks for lists of users or groups into their owndtucker@openbsd.org2019-03-081-6/+2
| | | | | | | | function. This is a no-op on OpenBSD but will make things easier in -portable, eg on systems where these checks should be case-insensitive. ok djm@ OpenBSD-Commit-ID: 8bc9c8d98670e23f8eaaaefe29c1f98e7ba0487e
* Cygwin: implement case-insensitive Unicode user and group name matchingCorinna Vinschen2019-02-221-0/+4
| | | | | | | | | | The previous revert enabled case-insensitive user names again. This patch implements the case-insensitive user and group name matching. To allow Unicode chars, implement the matcher using wchar_t chars in Cygwin-specific code. Keep the generic code changes as small as possible. Cygwin: implement case-insensitive Unicode user and group name matching Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
* Revert unintended parts of previous commit.Darren Tucker2019-02-221-4/+0
|
View Lorry Controller Status