summaryrefslogtreecommitdiff
path: root/ssh.c
AgeCommit message (Collapse)Author
2015-10-06upstream commitdjm@openbsd.org
add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-09-16upstream commitjmc@openbsd.org
sync -Q in usage() to SYNOPSIS; since it's drastically shorter, i've reformatted the block to sync with the man (80 cols) and saved a line; Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
2015-09-16upstream commitdtucker@openbsd.org
Update usage to match man page. Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
2015-09-16upstream commitdjm@openbsd.org
expand %i in ControlPath to UID; bz#2449 patch from Christian Hesse w/ feedback from dtucker@ Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
2015-09-11upstream commitdtucker@openbsd.org
Plug minor memory leaks when options are used more than once. bz#2182, patch from Tiago Cunha, ok deraadt djm Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
2015-09-04upstream commitdjm@openbsd.org
add a debug2() right before DNS resolution; it's a place where ssh could previously silently hang for a while. bz#2433 Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
2015-07-30upstream commitdjm@openbsd.org
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-21upstream commitmillert@openbsd.org
Sync usage with SYNOPSIS Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-04-29upstream commitdjm@openbsd.org
debug log missing DISPLAY environment when X11 forwarding requested; bz#1682 ok dtucker@
2015-03-04upstream commitdjm@openbsd.org
Allow "ssh -Q protocol-version" to list supported SSH protocol versions. Useful for detecting builds without SSH v.1 support; idea and ok markus@
2015-02-21upstream commitdjm@openbsd.org
UpdateHostKeys fixes: I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@ s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little. Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
2015-01-26upstream commitderaadt@openbsd.org
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
2015-01-16upstream commitdjm@openbsd.org
when hostname canonicalisation is enabled, try to parse hostnames as addresses before looking them up for canonicalisation. fixes bz#2074 and avoids needless DNS lookups in some cases; ok markus
2015-01-15upstream commitdjm@openbsd.org
move authfd.c and its tentacles to the new buffer/key API; ok markus@
2015-01-09upstream commitdjm@openbsd.org
reorder hostbased key attempts to better match the default hostkey algorithms order in myproposal.h; ok markus@
2014-11-24upstream commitkrw@openbsd.org
Nuke more obvious #include duplications. ok deraadt@ millert@ tedu@
2014-10-20upstream commitjmc@openbsd.org
tweak previous;
2014-10-13upstream commitdjm@openbsd.org
Tweak config reparsing with host canonicalisation Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T" Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus
2014-07-18 - djm@cvs.openbsd.org 2014/07/17 07:22:19Damien Miller
[mux.c ssh.c] reflect stdio-forward ("ssh -W host:port ...") failures in exit status. previously we were always returning 0. bz#2255 reported by Brendan Germain; ok dtucker
2014-07-18 - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 06:39:19Damien Miller
[ssh.c ssh_config.5] Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a has of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding sockaddr_un's miserly pathname limits for mux control paths. bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-02 - markus@cvs.openbsd.org 2014/06/27 16:41:56Damien Miller
[channels.c channels.h clientloop.c ssh.c] fix remote fwding with same listen port but different listen address with gerhard@, ok djm@
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 02:19:48Damien Miller
[ssh.c] don't fatal() when hostname canonicalisation fails with a ProxyCommand in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-04-01 - (djm) Use full release (e.g. 6.5p1) in debug output rather than justDamien Miller
version. From des@des.no
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
2014-02-04 - djm@cvs.openbsd.org 2014/02/04 00:24:29Damien Miller
[ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@
2014-02-04 - tedu@cvs.openbsd.org 2014/01/31 16:39:19Damien Miller
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that cna be memset ok djm dtucker
2013-12-29 - djm@cvs.openbsd.org 2013/12/29 05:42:16Damien Miller
[ssh.c] don't forget to load Ed25519 certs too
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
2013-12-05 - jmc@cvs.openbsd.org 2013/11/26 12:14:54Damien Miller
[ssh.1 ssh.c] - put -Q in the right place - Ar was a poor choice for the arguments to -Q. i've chosen an admittedly equally poor Cm, at least consistent with the rest of the docs. also no need for multiple instances - zap a now redundant Nm - usage() sync
2013-12-05 - deraadt@cvs.openbsd.org 2013/11/25 18:04:21Damien Miller
[ssh.1 ssh.c] improve -Q usage and such. One usage change is that the option is now case-sensitive ok dtucker markus djm
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 00:45:44Damien Miller
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-11-08 - dtucker@cvs.openbsd.org 2013/11/07 11:58:27Damien Miller
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c] Output the effective values of Ciphers, MACs and KexAlgorithms when the default has not been overridden. ok markus@
2013-10-26 - djm@cvs.openbsd.org 2013/10/25 23:04:51Damien Miller
[ssh.c] fix crash when using ProxyCommand caused by previous commit - was calling freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
2013-10-24 - djm@cvs.openbsd.org 2013/10/24 08:19:36Damien Miller
[ssh.c] fix bug introduced in hostname canonicalisation commit: don't try to resolve hostnames when a ProxyCommand is set unless the user has forced canonicalisation; spotted by Iain Morgan
2013-10-23 - djm@cvs.openbsd.org 2013/10/23 03:05:19Damien Miller
[readconf.c ssh.c] comment
2013-10-17 - djm@cvs.openbsd.org 2013/10/17 00:46:49Damien Miller
[ssh.c] rearrange check to reduce diff against -portable (Id sync only)
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:58:01Damien Miller
[ssh.c ssh_config.5] one I missed in previous: s/isation/ization/
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:49:39Damien Miller
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 02:31:47Damien Miller
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@
2013-10-15 - [ssh.c] g/c unused variable.Damien Miller
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 23:31:01Damien Miller
[ssh.c] whitespace at EOL; pointed out by markus@
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 23:28:23Damien Miller
[canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c] refactor client config code a little: add multistate option partsing to readconf.c, similar to servconf.c's existing code. move checking of options that accept "none" as an argument to readconf.c add a lowercase() function and use it instead of explicit tolower() in loops part of a larger diff that was ok markus@
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 22:22:05Damien Miller
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@
2013-07-25 - djm@cvs.openbsd.org 2013/07/25 00:29:10Damien Miller
[ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging
2013-07-20 - djm@cvs.openbsd.org 2013/07/20 01:44:37Damien Miller
[ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd
2013-07-18 - djm@cvs.openbsd.org 2013/07/12 05:48:55Damien Miller
[ssh.c] set TCP nodelay for connections started with -N; bz#2124 ok dtucker@