diff options
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | ssh.c | 43 | ||||
| -rw-r--r-- | ssh_config.5 | 14 |
3 files changed, 55 insertions, 12 deletions
| @@ -45,6 +45,16 @@ | |||
| 45 | [ssh.1] | 45 | [ssh.1] |
| 46 | document that -g will only work in the multiplexed case if applied to | 46 | document that -g will only work in the multiplexed case if applied to |
| 47 | the mux master | 47 | the mux master |
| 48 | - djm@cvs.openbsd.org 2014/07/03 06:39:19 | ||
| 49 | [ssh.c ssh_config.5] | ||
| 50 | Add a %C escape sequence for LocalCommand and ControlPath that expands | ||
| 51 | to a unique identifer based on a has of the tuple of (local host, | ||
| 52 | remote user, hostname, port). | ||
| 53 | |||
| 54 | Helps avoid exceeding sockaddr_un's miserly pathname limits for mux | ||
| 55 | control paths. | ||
| 56 | |||
| 57 | bz#2220, based on patch from mancha1 AT zoho.com; ok markus@ | ||
| 48 | 58 | ||
| 49 | 20140702 | 59 | 20140702 |
| 50 | - OpenBSD CVS Sync | 60 | - OpenBSD CVS Sync |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh.c,v 1.404 2014/06/27 16:41:56 markus Exp $ */ | 1 | /* $OpenBSD: ssh.c,v 1.405 2014/07/03 06:39:19 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -85,6 +85,7 @@ | |||
| 85 | #include "canohost.h" | 85 | #include "canohost.h" |
| 86 | #include "compat.h" | 86 | #include "compat.h" |
| 87 | #include "cipher.h" | 87 | #include "cipher.h" |
| 88 | #include "digest.h" | ||
| 88 | #include "packet.h" | 89 | #include "packet.h" |
| 89 | #include "buffer.h" | 90 | #include "buffer.h" |
| 90 | #include "channels.h" | 91 | #include "channels.h" |
| @@ -424,6 +425,9 @@ main(int ac, char **av) | |||
| 424 | extern char *optarg; | 425 | extern char *optarg; |
| 425 | Forward fwd; | 426 | Forward fwd; |
| 426 | struct addrinfo *addrs = NULL; | 427 | struct addrinfo *addrs = NULL; |
| 428 | struct ssh_digest_ctx *md; | ||
| 429 | u_char conn_hash[SSH_DIGEST_MAX_LENGTH]; | ||
| 430 | char *conn_hash_hex; | ||
| 427 | 431 | ||
| 428 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 432 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ |
| 429 | sanitise_stdfd(); | 433 | sanitise_stdfd(); |
| @@ -1002,12 +1006,29 @@ main(int ac, char **av) | |||
| 1002 | shorthost[strcspn(thishost, ".")] = '\0'; | 1006 | shorthost[strcspn(thishost, ".")] = '\0'; |
| 1003 | snprintf(portstr, sizeof(portstr), "%d", options.port); | 1007 | snprintf(portstr, sizeof(portstr), "%d", options.port); |
| 1004 | 1008 | ||
| 1009 | if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL || | ||
| 1010 | ssh_digest_update(md, thishost, strlen(thishost)) < 0 || | ||
| 1011 | ssh_digest_update(md, host, strlen(host)) < 0 || | ||
| 1012 | ssh_digest_update(md, portstr, strlen(portstr)) < 0 || | ||
| 1013 | ssh_digest_update(md, options.user, strlen(options.user)) < 0 || | ||
| 1014 | ssh_digest_final(md, conn_hash, sizeof(conn_hash)) < 0) | ||
| 1015 | fatal("%s: mux digest failed", __func__); | ||
| 1016 | ssh_digest_free(md); | ||
| 1017 | conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); | ||
| 1018 | |||
| 1005 | if (options.local_command != NULL) { | 1019 | if (options.local_command != NULL) { |
| 1006 | debug3("expanding LocalCommand: %s", options.local_command); | 1020 | debug3("expanding LocalCommand: %s", options.local_command); |
| 1007 | cp = options.local_command; | 1021 | cp = options.local_command; |
| 1008 | options.local_command = percent_expand(cp, "d", pw->pw_dir, | 1022 | options.local_command = percent_expand(cp, |
| 1009 | "h", host, "l", thishost, "n", host_arg, "r", options.user, | 1023 | "C", conn_hash_hex, |
| 1010 | "p", portstr, "u", pw->pw_name, "L", shorthost, | 1024 | "L", shorthost, |
| 1025 | "d", pw->pw_dir, | ||
| 1026 | "h", host, | ||
| 1027 | "l", thishost, | ||
| 1028 | "n", host_arg, | ||
| 1029 | "p", portstr, | ||
| 1030 | "r", options.user, | ||
| 1031 | "u", pw->pw_name, | ||
| 1011 | (char *)NULL); | 1032 | (char *)NULL); |
| 1012 | debug3("expanded LocalCommand: %s", options.local_command); | 1033 | debug3("expanded LocalCommand: %s", options.local_command); |
| 1013 | free(cp); | 1034 | free(cp); |
| @@ -1017,12 +1038,20 @@ main(int ac, char **av) | |||
| 1017 | cp = tilde_expand_filename(options.control_path, | 1038 | cp = tilde_expand_filename(options.control_path, |
| 1018 | original_real_uid); | 1039 | original_real_uid); |
| 1019 | free(options.control_path); | 1040 | free(options.control_path); |
| 1020 | options.control_path = percent_expand(cp, "h", host, | 1041 | options.control_path = percent_expand(cp, |
| 1021 | "l", thishost, "n", host_arg, "r", options.user, | 1042 | "C", conn_hash_hex, |
| 1022 | "p", portstr, "u", pw->pw_name, "L", shorthost, | 1043 | "L", shorthost, |
| 1044 | "h", host, | ||
| 1045 | "l", thishost, | ||
| 1046 | "n", host_arg, | ||
| 1047 | "p", portstr, | ||
| 1048 | "r", options.user, | ||
| 1049 | "u", pw->pw_name, | ||
| 1023 | (char *)NULL); | 1050 | (char *)NULL); |
| 1024 | free(cp); | 1051 | free(cp); |
| 1025 | } | 1052 | } |
| 1053 | free(conn_hash_hex); | ||
| 1054 | |||
| 1026 | if (muxclient_command != 0 && options.control_path == NULL) | 1055 | if (muxclient_command != 0 && options.control_path == NULL) |
| 1027 | fatal("No ControlPath specified for \"-O\" command"); | 1056 | fatal("No ControlPath specified for \"-O\" command"); |
| 1028 | if (options.control_path != NULL) | 1057 | if (options.control_path != NULL) |
diff --git a/ssh_config.5 b/ssh_config.5 index 5c6bd29ea..756762e49 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.187 2014/07/03 05:32:36 djm Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.188 2014/07/03 06:39:19 djm Exp $ |
| 37 | .Dd $Mdocdate: July 3 2014 $ | 37 | .Dd $Mdocdate: July 3 2014 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| @@ -499,14 +499,16 @@ specified on the command line, | |||
| 499 | .Ql %p | 499 | .Ql %p |
| 500 | the destination port, | 500 | the destination port, |
| 501 | .Ql %r | 501 | .Ql %r |
| 502 | by the remote login username, and | 502 | by the remote login username, |
| 503 | .Ql %u | 503 | .Ql %u |
| 504 | by the username of the user running | 504 | by the username of the user running |
| 505 | .Xr ssh 1 . | 505 | .Xr ssh 1 , and |
| 506 | .Ql %C | ||
| 507 | by a hash of the concatenation: %l%h%p%r. | ||
| 506 | It is recommended that any | 508 | It is recommended that any |
| 507 | .Cm ControlPath | 509 | .Cm ControlPath |
| 508 | used for opportunistic connection sharing include | 510 | used for opportunistic connection sharing include |
| 509 | at least %h, %p, and %r. | 511 | at least %h, %p, and %r (or alternatively %C). |
| 510 | This ensures that shared connections are uniquely identified. | 512 | This ensures that shared connections are uniquely identified. |
| 511 | .It Cm ControlPersist | 513 | .It Cm ControlPersist |
| 512 | When used in conjunction with | 514 | When used in conjunction with |
| @@ -939,7 +941,9 @@ The following escape character substitutions will be performed: | |||
| 939 | .Ql %r | 941 | .Ql %r |
| 940 | (remote user name) or | 942 | (remote user name) or |
| 941 | .Ql %u | 943 | .Ql %u |
| 942 | (local user name). | 944 | (local user name) or |
| 945 | .Ql %C | ||
| 946 | by a hash of the concatenation: %l%h%p%r. | ||
| 943 | .Pp | 947 | .Pp |
| 944 | The command is run synchronously and does not have access to the | 948 | The command is run synchronously and does not have access to the |
| 945 | session of the | 949 | session of the |