summaryrefslogtreecommitdiff
path: root/readconf.c
AgeCommit message (Collapse)Author
2017-10-04Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-config.patch
2017-10-04Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2017-10-04 Patch-Name: user-group-modes.patch
2017-10-04Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2017-10-04 Patch-Name: keepalive-extensions.patch
2017-10-04Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2017-10-04GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
2017-09-22upstream commitmarkus@openbsd.org
Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH clients side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@ Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-04upstream commitdjm@openbsd.org
Expand ssh_config's StrictModes option with two new settings: StrictModes=accept-new will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. StrictModes=off is the same as StrictModes=no Motivation: StrictModes=no combines two behaviours for host key processing: automatically learning new hostkeys and continuing to connect to hosts with invalid/changed hostkeys. The latter behaviour is quite dangerous since it removes most of the protections the SSH protocol is supposed to provide. Quite a few users want to automatically learn hostkeys however, so this makes that feature available with less danger. At some point in the future, StrictModes=no will change to be a synonym for accept-new, with its current behaviour remaining available via StrictModes=off. bz#2400, suggested by Michael Samuel; ok markus Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
2017-05-31upstream commitbluhm@openbsd.org
Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-20upstream commitdjm@openbsd.org
there's no reason to artificially limit the key path here, just check that it fits PATH_MAX; spotted by Matthew Patton Upstream-ID: 858addaf2009c9cf04d80164a41b2088edb30b58
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-05-01upstream commitdjm@openbsd.org
remove options.protocol and client Protocol configuration knob ok markus@ Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
2017-05-01upstream commitdjm@openbsd.org
unifdef WITH_SSH1 ok markus@ Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-04-28upstream commitdtucker@openbsd.org
Add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705, patch from erahn at arista.com, ok djm@ Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
2017-03-10upstream commitdjm@openbsd.org
better match sshd config parser behaviour: fatal() if line is overlong, increase line buffer to match sshd's; bz#2651 reported by Don Fong; ok dtucker@ Upstream-ID: b175ae7e0ba403833f1ee566edf10f67443ccd18
2017-03-10upstream commitdtucker@openbsd.org
Plug mem leak on GLOB_NOMATCH case. From jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: 8016a7ae97719d3aa55fb723fc2ad3200058340d
2017-02-04upstream commitdjm@openbsd.org
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-03upstream commitdjm@openbsd.org
allow form-feed characters at EOL; bz#2431 ok dtucker@ Upstream-ID: 1f453afaba6da2ae69d6afdf1ae79a917552f1a2
2017-01-30upstream commitdjm@openbsd.org
small cleanup post SSHv1 removal: remove SSHv1-isms in commented examples reorder token table to group deprecated and compile-time conditional tokens better fix config dumping code for some compile-time conditional options that weren't being correctly skipped (SSHv1 and PKCS#11) Upstream-ID: f2e96b3cb3158d857c5a91ad2e15925df3060105
2017-01-30upstream commitdjm@openbsd.org
some explicit NULL tests when dumping configured forwardings; from Karsten Weiss Upstream-ID: 40957b8dea69672b0e50df6b4a91a94e3e37f72d
2017-01-30upstream commitdjm@openbsd.org
fix previous Upstream-ID: c107d6a69bc22325d79fbf78a2a62e04bcac6895
2017-01-30upstream commitdjm@openbsd.org
show a useful error message when included config files can't be opened; bz#2653, ok dtucker@ Upstream-ID: f598b73b5dfe497344cec9efc9386b4e5a3cb95b
2016-10-26upstream commitjsg@openbsd.org
Fix logic in add_local_forward() that inverted a test when code was refactored out into bind_permitted(). This broke ssh port forwarding for non-priv ports as a non root user. ok dtucker@ 'looks good' deraadt@ Upstream-ID: ddb8156ca03cc99997de284ce7777536ff9570c9
2016-10-24upstream commitdtucker@openbsd.org
Factor out "can bind to low ports" check into its own function. This will make it easier for Portable to support platforms with permissions models other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@. Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
2016-08-29upstream commitdjm@openbsd.org
remove superfluous NOTREACHED comment Upstream-ID: a7485c1f1be618e8c9e38fd9be46c13b2d03b90c
2016-07-22upstream commitdjm@openbsd.org
reverse the order in which -J/JumpHost proxies are visited to be more intuitive and document reported by and manpage bits naddy@ Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
2016-07-22upstream commitnaddy@openbsd.org
Do not clobber the global jump_host variables when parsing an inactive configuration. ok djm@ Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
2016-07-15upstream commitdjm@openbsd.org
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-06-08upstream commitdtucker@openbsd.org
Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using ssh -W (but still default to yes in that case). bz#2577, ok djm@. Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
2016-06-08upstream commitdtucker@openbsd.org
Move the host and port used by ssh -W into the Options struct. This will make future changes a bit easier. ok djm@ Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
2016-05-19upstream commitmarkus@openbsd.org
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@ Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-05-05upstream commitmarkus@openbsd.org
IdentityAgent for specifying specific agent sockets; ok djm@ Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-04-15upstream commitdjm@openbsd.org
Include directive for ssh_config(5); feedback & ok markus@ Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-04-08Remove NO_IPPORT_RESERVED_CONCEPTDarren Tucker
Replace by defining IPPORT_RESERVED to zero on Cygwin, which should have the same effect without causing problems syncing patches with OpenBSD. Resync the two affected functions with OpenBSD. ok djm, sanity checked by Corinna.
2016-04-08upstream commitdjm@openbsd.org
don't record duplicate LocalForward and RemoteForward entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation where the same forwards are added on the second pass through the configuration file. bz#2562; ok dtucker@ Upstream-ID: 40a51d68b6300f1cc61deecdb7d4847b8b7b0de1
2016-02-09upstream commitdjm@openbsd.org
don't attempt to percent_expand() already-canonicalised addresses, avoiding unnecessary failures when attempting to connect to scoped IPv6 addresses (that naturally contain '%' characters) Upstream-ID: f24569cffa1a7cbde5f08dc739a72f4d78aa5c6a
2016-01-30upstream commitdtucker@openbsd.org
Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm. Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
2016-01-27upstream commitmarkus@openbsd.org
remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27upstream commitderaadt@openbsd.org
Disable experimental client-side roaming support. Server side was disabled/gutted for years already, but this aspect was surprisingly forgotten. Thanks for report from Qualys Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
2016-01-15forcibly disable roaming support in the clientDamien Miller
2015-11-16upstream commitjcs@openbsd.org
Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). Initial version from Joachim Schipper many years ago. ok markus@ Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-10-29upstream commitdjm@openbsd.org
fix execv arguments in a way less likely to cause grief for -portable; ok dtucker@ Upstream-ID: 5902bf0ea0371f39f1300698dc3b8e4105fc0fc5
2015-10-29upstream commitdjm@openbsd.org
avoid de-const warning & shrink; ok dtucker@ Upstream-ID: 69a85ef94832378952a22c172009cbf52aaa11db
2015-10-29upstream commitdtucker@openbsd.org
Do not prepend "exec" to the shell command run by "Match exec" in a config file. It's an unnecessary optimization from repurposed ProxyCommand code and prevents some things working with some shells. bz#2471, pointed out by res at qoxp.net. ok markus@ Upstream-ID: a1ead25ae336bfa15fb58d8c6b5589f85b4c33a3
2015-10-08upstream commitdjm@openbsd.org
include PubkeyAcceptedKeyTypes in ssh -G config dump Upstream-ID: 6c097ce6ffebf6fe393fb7988b5d152a5d6b36bb
2015-10-06upstream commitdjm@openbsd.org
add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-08-22upstream commitdjm@openbsd.org
Fix printing (ssh -G ...) of HostKeyAlgorithms=+... Reported by Bryan Drewery Upstream-ID: 19ad20c41bd5971e006289b6f9af829dd46c1293
2015-07-30upstream commitdjm@openbsd.org
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-06-27upstream commitdjm@openbsd.org
Fix \-escaping bug that caused forward path parsing to skip two characters and skip past the end of the string. Based on patch by Salvador Fandino; ok dtucker@ Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd