summaryrefslogtreecommitdiff
path: root/readconf.c
AgeCommit message (Collapse)Author
2020-02-21Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-config.patch
2020-02-21Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2019-10-09 Patch-Name: user-group-modes.patch
2020-02-21Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2020-02-21 Patch-Name: keepalive-extensions.patch
2020-02-21Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2020-02-21GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-02-21 Patch-Name: gssapi.patch
2020-02-07upstream: expand HostkeyAlgorithms prior to config dump, matchingdjm@openbsd.org
other algorithm lists; ok markus@ OpenBSD-Commit-ID: a66f0fca8cc5ce30405a2867bc115fff600671d0
2020-02-04upstream: revert enabling UpdateHostKeys by default - there are stilldjm@openbsd.org
corner cases we need to address; ok markus OpenBSD-Commit-ID: ff7ad941bfdc49fb1d8baa95fd0717a61adcad57
2020-01-31upstream: enable UpdateKnownHosts=yes if the configurationdjm@openbsd.org
specifies only the default known_hosts files, otherwise select UpdateKnownHosts=ask; ok markus@ OpenBSD-Commit-ID: ab401a5ec4a33d2e1a9449eae6202e4b6d427df7
2020-01-25upstream: set UpdateKnownHosts=ask by default; bz#2894; okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: f09cb3177f3a14c96428e14f347e976a8a531fee
2020-01-23upstream: Make zlib optional. This adds a "ZLIB" build time optiondtucker@openbsd.org
that allows building without zlib compression and associated options. With feedback from markus@, ok djm@ OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
2020-01-23upstream: Replace all calls to signal(2) with a wrapper arounddtucker@openbsd.org
sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
2020-01-23upstream: Remove unsupported algorithms from list of defaults at rundtucker@openbsd.org
time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
2019-12-21upstream: Allow forwarding a different agent socket to the pathdjm@openbsd.org
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@ OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-20upstream: Move always unsupported keywords to be grouped with the otherdtucker@openbsd.org
ones. Move oSecurityProvider to match the order in the OpCodes enum. Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 061e4505861ec1e02ba3a63e3d1b3be3cad458ec
2019-12-20upstream: Remove obsolete opcodes from the configuation enum.dtucker@openbsd.org
Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 395c202228872ce8d9044cc08552ac969f51e01b
2019-12-20upstream: Remove now-obsolete config options from example indtucker@openbsd.org
comment. Patch from openbsd@academicsolutions.ch, ok djm@ OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
2019-12-16upstream: allow security keys to act as host keys as well as userdjm@openbsd.org
keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15upstream: remove size_t gl_pathc < 0 test, it is invalid. thederaadt@openbsd.org
return value from glob() is sufficient. discussed with djm OpenBSD-Commit-ID: c91203322db9caaf7efaf5ae90c794a91070be3c
2019-11-15upstream: stdarg.h required more broadly; ok djmderaadt@openbsd.org
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
2019-11-13upstream: enable ed25519 support; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-01upstream: ssh client support for U2F/FIDO keysdjm@openbsd.org
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
2019-09-08upstream: Allow prepending a list of algorithms to the default setnaddy@openbsd.org
by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-08-09upstream: produce a useful error message if the user's shell is setdjm@openbsd.org
incorrectly during "match exec" processing. bz#2791 reported by Dario Bertini; ok dtucker OpenBSD-Commit-ID: cf9eddd6a6be726cb73bd9c3936f3888cd85c03d
2019-07-05upstream: When system calls indicate an error they return -1, notderaadt@openbsd.org
some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
2019-06-14upstream: Hostname->HostName cleanup; from lauri tirkkonen okjmc@openbsd.org
dtucker OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-08upstream: Typo and spelling fixes in comments and error messages.dtucker@openbsd.org
Patch from knweiss at gmail.com via -portable. OpenBSD-Commit-ID: 2577465442f761a39703762c4f87a8dfcb918b4b
2019-03-01upstream: let PKCS11Provider=none do what users expectdjm@openbsd.org
print PKCS11Provider instead of obsolete SmartcardDevice in config dump. bz#2974 ok dtucker@ OpenBSD-Commit-ID: c303d6f0230a33aa2dd92dc9b68843d56a64f846
2019-02-24upstream: openssh-7.9 accidentally reused the server's algorithm listsdjm@openbsd.org
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT vault24.org via bz#2697; ok dtucker OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
2018-11-23upstream: add a ssh_config "Match final" predicatedjm@openbsd.org
Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 ok markus OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
2018-11-16upstream: use path_absolute() for pathname checks; from Manoj Ampalamdjm@openbsd.org
OpenBSD-Commit-ID: 482ce71a5ea5c5f3bc4d00fd719481a6a584d925
2018-10-07upstream: Support using service names for port numbers.naddy@openbsd.org
* Try to resolve a port specification with getservbyname(3) if a numeric conversion fails. * Make the "Port" option in ssh_config handle its argument as a port rather than a plain integer. ok dtucker@ deraadt@ OpenBSD-Commit-ID: e7f03633133205ab3dfbc67f9df7475fabae660d
2018-10-03upstream: Allow ssh_config IdentityAgent directive to acceptdjm@openbsd.org
environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-09-20upstream: add CASignatureAlgorithms option for the client, allowingdjm@openbsd.org
it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
2018-08-13upstream: better diagnosics on alg list assembly errors; okdjm@openbsd.org
deraadt@ markus@ OpenBSD-Commit-ID: 5a557e74b839daf13cc105924d2af06a1560faee
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-31upstream: Now that ssh can't be setuid, remove thedtucker@openbsd.org
original_real_uid and original_effective_uid globals and replace with calls to plain getuid(). ok djm@ OpenBSD-Commit-ID: 92561c0cd418d34e6841e20ba09160583e27b68c
2018-07-31upstream: Remove uid checks from low port binds. Now that sshdtucker@openbsd.org
cannot be setuid and sshd always has privsep on, we can remove the uid checks for low port binds and just let the system do the check. We leave a sanity check for the !privsep case so long as the code is stil there. with & ok djm@ OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
2018-07-19upstream: Deprecate UsePrivilegedPort now that support for runningdtucker@openbsd.org
ssh(1) setuid has been removed, remove supporting code and clean up references to it in the man pages We have not shipped ssh(1) the setuid bit since 2002. If ayone really needs to make connections from a low port number this can be implemented via a small setuid ProxyCommand. ok markus@ jmc@ djm@ OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-19upstream: Remove support for running ssh(1) setuid and fatal ifdtucker@openbsd.org
attempted. Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@ djm@ OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-06-11upstream: unbreak SendEnv; patch from tb@djm@openbsd.org
OpenBSD-Commit-ID: fc808daced813242563b80976e1478de95940056
2018-06-09upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-07upstream: switch config file parsing to getline(3) as this avoidsmarkus@openbsd.org
static limits noted by gerhard@; ok dtucker@, djm@ OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
2018-06-01upstream: make UID available as a %-expansion everywhere that thedjm@openbsd.org
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-05-22upstream: support ProxyJump=none to disable ProxyJumpdjm@openbsd.org
functionality; bz#2869 ok dtucker@ OpenBSD-Commit-ID: 1c06ee08eb78451b5837fcfd8cbebc5ff3a67a01
2018-04-06upstream: Allow "SendEnv -PATTERN" to clear environment variablesdjm@openbsd.org
previously labeled for sendind. bz#1285 ok dtucker@ OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
2018-04-06upstream: add a couple of missed options to the config dump; patchdjm@openbsd.org
from Jakub Jelen via bz2835 OpenBSD-Commit-ID: 5970adadf6ef206bee0dddfc75d24c2019861446
2018-04-06upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 forjob@openbsd.org
interactive and CS1 for bulk AF21 was selected as this is the highest priority within the low-latency service class (and it is higher than what we have today). SSH is elastic and time-sensitive data, where a user is waiting for a response via the network in order to continue with a task at hand. As such, these flows should be considered foreground traffic, with delays or drops to such traffic directly impacting user-productivity. For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable networks implementing a scavanger/lower-than-best effort class to discriminate scp(1) below normal activities, such as web surfing. In general this type of bulk SSH traffic is a background activity. An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH is that they are recognisable values on all common platforms (IANA https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and for AF21 specifically a definition of the intended behavior exists https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662 The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate", or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e, MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK"). OK deraadt@, "no objection" djm@ OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-02-26upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac