summaryrefslogtreecommitdiff
path: root/ssh.c
AgeCommit message (Collapse)Author
2016-10-01upstream commitmarkus@openbsd.org
ssh proxy mux mode (-O proxy; idea from Simon Tatham): - mux client speaks the ssh-packet protocol directly over unix-domain socket. - mux server acts as a proxy, translates channel IDs and relays to the server. - no filedescriptor passing necessary. - combined with unix-domain forwarding it's even possible to run mux client and server on different machines. feedback & ok djm@ Upstream-ID: 666a2fb79f58e5c50e246265fb2b9251e505c25b
2016-09-13upstream commitdjm@openbsd.org
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@ Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
2016-07-17upstream commitdjm@openbsd.org
support UTF-8 characters in ssh(1) banners using schwarze@'s safe fmprintf printer; bz#2058 feedback schwarze@ ok dtucker@ Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
2016-07-17upstream commitjmc@openbsd.org
- add proxyjump to the options list - formatting fixes - update usage() ok djm Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-15upstream commitdjm@openbsd.org
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-06-08upstream commitdtucker@openbsd.org
Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using ssh -W (but still default to yes in that case). bz#2577, ok djm@. Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
2016-06-08upstream commitdtucker@openbsd.org
Move the host and port used by ssh -W into the Options struct. This will make future changes a bit easier. ok djm@ Upstream-ID: 151bce5ecab2fbedf0d836250a27968d30389382
2016-05-19upstream commitmarkus@openbsd.org
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@ Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-05-05upstream commitmarkus@openbsd.org
IdentityAgent for specifying specific agent sockets; ok djm@ Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-04-29upstream commitdjm@openbsd.org
close ControlPersist background process stderr when not in debug mode or when logging to a file or syslog. bz#1988 ok dtucker Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
2016-03-08upstream commitdjm@openbsd.org
refactor canohost.c: move functions that cache results closer to the places that use them (authn and session code). After this, no state is cached in canohost.c feedback and ok markus@ Upstream-ID: 5f2e4df88d4803fc8ec59ec53629105e23ce625e
2016-02-16upstream commitdtucker@openbsd.org
Add a function to enable security-related malloc_options. With and ok deraadt@, something similar has been in the snaps for a while. Upstream-ID: 43a95523b832b7f3b943d2908662191110c380ed
2016-01-27upstream commitmarkus@openbsd.org
remove roaming support; ok djm@ Upstream-ID: 2cab8f4b197bc95776fb1c8dc2859dad0c64dc56
2016-01-27upstream commitderaadt@openbsd.org
Disable experimental client-side roaming support. Server side was disabled/gutted for years already, but this aspect was surprisingly forgotten. Thanks for report from Qualys Upstream-ID: 2328004b58f431a554d4c1bf67f5407eae3389df
2016-01-15forcibly disable roaming support in the clientDamien Miller
2016-01-14upstream commitdjm@openbsd.org
eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension; Reported by Thomas Hoger; ok deraadt@ Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
2015-12-18upstream commitdjm@openbsd.org
don't try to load SSHv1 private key when compiled without SSHv1 support. From Iain Morgan bz#2505 Upstream-ID: 8b8e7b02a448cf5e5635979df2d83028f58868a7
2015-12-11upstream commitmmcc@openbsd.org
Remove NULL-checks before free(). ok dtucker@ Upstream-ID: e3d3cb1ce900179906af36517b5eea0fb15e6ef8
2015-11-19upstream commitdjm@openbsd.org
ban ConnectionAttempts=0, it makes no sense and would cause ssh_connect_direct() to print an uninitialised stack variable; bz#2500 reported by dvw AT phas.ubc.ca Upstream-ID: 32b5134c608270583a90b93a07b3feb3cbd5f7d5
2015-10-29upstream commitdtucker@openbsd.org
Expand tildes in filenames passed to -i before checking whether or not the identity file exists. This means that if the shell doesn't do the expansion (eg because the option and filename were given as a single argument) then we'll still add the key. bz#2481, ok markus@ Upstream-ID: db1757178a14ac519e9a3e1a2dbd21113cb3bfc6
2015-10-17upstream commitdjm@openbsd.org
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config; ok markus@ Upstream-ID: f7619652e074ac3febe8363f19622aa4853b679a
2015-10-16upstream commitdjm@openbsd.org
fix some signed/unsigned integer type mismatches in format strings; reported by Nicholas Lemonias Upstream-ID: 78cd55420a0eef68c4095bdfddd1af84afe5f95c
2015-10-06upstream commitdjm@openbsd.org
add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-09-16upstream commitjmc@openbsd.org
sync -Q in usage() to SYNOPSIS; since it's drastically shorter, i've reformatted the block to sync with the man (80 cols) and saved a line; Upstream-ID: 86e2c65c3989a0777a6258a77e589b9f6f354abd
2015-09-16upstream commitdtucker@openbsd.org
Update usage to match man page. Upstream-ID: 9e85aefaecfb6aaf34c7cfd0700cd21783a35675
2015-09-16upstream commitdjm@openbsd.org
expand %i in ControlPath to UID; bz#2449 patch from Christian Hesse w/ feedback from dtucker@ Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
2015-09-11upstream commitdtucker@openbsd.org
Plug minor memory leaks when options are used more than once. bz#2182, patch from Tiago Cunha, ok deraadt djm Upstream-ID: 5b84d0401e27fe1614c10997010cc55933adb48e
2015-09-04upstream commitdjm@openbsd.org
add a debug2() right before DNS resolution; it's a place where ssh could previously silently hang for a while. bz#2433 Upstream-ID: 52a1a3e0748db66518e7598352c427145692a6a0
2015-07-30upstream commitdjm@openbsd.org
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-21upstream commitmillert@openbsd.org
Sync usage with SYNOPSIS Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
2015-05-10upstream commitdjm@openbsd.org
Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@
2015-04-29upstream commitdjm@openbsd.org
debug log missing DISPLAY environment when X11 forwarding requested; bz#1682 ok dtucker@
2015-03-04upstream commitdjm@openbsd.org
Allow "ssh -Q protocol-version" to list supported SSH protocol versions. Useful for detecting builds without SSH v.1 support; idea and ok markus@
2015-02-21upstream commitdjm@openbsd.org
UpdateHostKeys fixes: I accidentally changed the format of the hostkeys@openssh.com messages last week without changing the extension name, and this has been causing connection failures for people who are running -current. First reported by sthen@ s/hostkeys@openssh.com/hostkeys-00@openssh.com/ Change the name of the proof message too, and reorder it a little. Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY available to read the response) so disable UpdateHostKeys if it is in ask mode and ControlPersist is active (and document this)
2015-01-26upstream commitderaadt@openbsd.org
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
2015-01-16upstream commitdjm@openbsd.org
when hostname canonicalisation is enabled, try to parse hostnames as addresses before looking them up for canonicalisation. fixes bz#2074 and avoids needless DNS lookups in some cases; ok markus
2015-01-15upstream commitdjm@openbsd.org
move authfd.c and its tentacles to the new buffer/key API; ok markus@
2015-01-09upstream commitdjm@openbsd.org
reorder hostbased key attempts to better match the default hostkey algorithms order in myproposal.h; ok markus@
2014-11-24upstream commitkrw@openbsd.org
Nuke more obvious #include duplications. ok deraadt@ millert@ tedu@
2014-10-20upstream commitjmc@openbsd.org
tweak previous;
2014-10-13upstream commitdjm@openbsd.org
Tweak config reparsing with host canonicalisation Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T" Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus
2014-07-18 - djm@cvs.openbsd.org 2014/07/17 07:22:19Damien Miller
[mux.c ssh.c] reflect stdio-forward ("ssh -W host:port ...") failures in exit status. previously we were always returning 0. bz#2255 reported by Brendan Germain; ok dtucker
2014-07-18 - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 06:39:19Damien Miller
[ssh.c ssh_config.5] Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a has of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding sockaddr_un's miserly pathname limits for mux control paths. bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-02 - markus@cvs.openbsd.org 2014/06/27 16:41:56Damien Miller
[channels.c channels.h clientloop.c ssh.c] fix remote fwding with same listen port but different listen address with gerhard@, ok djm@
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 02:19:48Damien Miller
[ssh.c] don't fatal() when hostname canonicalisation fails with a ProxyCommand in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-04-01 - (djm) Use full release (e.g. 6.5p1) in debug output rather than justDamien Miller
version. From des@des.no
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@