Age | Commit message (Collapse) | Author |
|
improve wording; suggested by jmc@
Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
|
|
reverse the order in which -J/JumpHost proxies are visited to
be more intuitive and document
reported by and manpage bits naddy@
Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
|
|
- add proxyjump to the options list - formatting fixes -
update usage()
ok djm
Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
|
|
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
|
|
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
|
|
IdentityAgent for specifying specific agent sockets; ok
djm@
Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
|
|
tweak previous;
Upstream-ID: 46c1bab91c164078edbccd5f7d06b9058edd814f
|
|
Include directive for ssh_config(5); feedback & ok markus@
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
|
|
AddressFamily defaults to any.
ok djm@
Upstream-ID: 0d94aa06a4b889bf57a7f631c45ba36d24c13e0c
|
|
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
in *KeyTypes options yet. Remove them from the lists of algorithms for now.
committing on behalf of markus@ ok djm@
Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
|
|
since these pages now clearly tell folks to avoid v1,
normalise the docs from a v2 perspective (i.e. stop pointing out which bits
are v2 only);
ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
|
|
Replace list of ciphers and MACs adjacent to -1/-2 flag
descriptions in ssh(1) with a strong recommendation not to use protocol 1.
Add a similar warning to the Protocol option descriptions in ssh_config(5)
and sshd_config(5);
prompted by and ok mmcc@
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
|
|
sync crypto algorithm lists in ssh_config(5) and
sshd_config(5) with current reality. bz#2527
Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
|
|
correct section number for ssh-agent;
Upstream-ID: 44be72fd8bcc167635c49b357b1beea8d5674bd6
|
|
Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
private key that is used during authentication will be added to ssh-agent if
it is running (with confirmation enabled if set to 'confirm').
Initial version from Joachim Schipper many years ago.
ok markus@
Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
|
|
add ssh_config CertificateFile option to explicitly list
a certificate; patch from Meghana Bhat on bz#2436; ok markus@
Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
|
|
fix two typos.
Upstream-ID: 424402c0d8863a11b51749bacd7f8d932083b709
|
|
tweak previous;
Upstream-ID: f29b3cfcfd9aa31fa140c393e7bd48c1c74139d6
|
|
expand %i in ControlPath to UID; bz#2449
patch from Christian Hesse w/ feedback from dtucker@
Upstream-ID: 2ba8d303e555a84e2f2165ab4b324b41e80ab925
|
|
full stop belongs outside the brackets, not inside;
Upstream-ID: 99d098287767799ac33d2442a05b5053fa5a551a
|
|
better document ExitOnForwardFailure; bz#2444, ok
dtucker@
Upstream-ID: a126209b5a6d9cb3117ac7ab5bc63d284538bfc2
|
|
match myproposal.h order; from brian conway (i snuck in a
tweak while here)
ok dtucker
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
|
|
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
turn off 1024 bit diffie-hellman-group1-sha1 key
exchange method (already off in server, this turns it off in the client by
default too) ok dtucker@
Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
|
|
mention CheckHostIP adding addresses to known_hosts;
bz#1993; ok dtucker@
Upstream-ID: fd44b68440fd0dc29abf9f2d3f703d74a2396cb7
|
|
Fix typo (keywork->keyword)
Upstream-ID: 8aacd0f4089c0a244cf43417f4f9045dfaeab534
|
|
Reorder client proposal to prefer
diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
|
|
enviroment -> environment: apologies to darren for not
spotting that first time round...
|
|
Document that the TERM environment variable is not
subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from
jjelen at redhat, help and ok jmc@
|
|
ssh-askpass(1) is the default, overridden by SSH_ASKPASS;
diff originally from jiri b;
|
|
UpdateHostKeys fixes:
I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
|
|
Revise hostkeys@openssh.com hostkey learning extension.
The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.
ok markus@
|
|
turn UpdateHostkeys off by default until I figure out
mlarkin@'s warning message; requested by deraadt@
|
|
Add a ssh_config HostbasedKeyType option to control which
host public key types are tried during hostbased authentication.
This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.
bz#2211 based on patch by Iain Morgan; ok markus@
|
|
correct description of UpdateHostKeys in ssh_config.5 and
add it to -o lists for ssh, scp and sftp; pointed out by jmc@
|
|
Host key rotation support.
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default on).
ok markus@
|
|
tweak previous;
|
|
mention ssh -Q feature to list supported { MAC, cipher,
KEX, key } algorithms in more places and include the query string used to
list the relevant information; bz#2288
|
|
document FingerprintHash here too
|
|
add RevokedHostKeys option for the client
Allow textfile or KRL-based revocation of hostkeys.
|
|
mux-related manual tweaks
mention ControlPersist=0 is the same as ControlPersist=yes
recommend that ControlPath sockets be placed in a og-w directory
|
|
tweak previous;
|
|
Tweak config reparsing with host canonicalisation
Make the second pass through the config files always run when
hostname canonicalisation is enabled.
Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.
Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"
Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).
bz#2267 bz#2286; ok markus
|
|
improve capitalization for the Ed25519 public-key
signature system.
ok djm@
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[ssh_config.5]
mention that ProxyCommand is executed using shell "exec" to avoid
a lingering process; bz#1977
|
|
[ssh_config.5]
escape %C since groff thinks it part of an Rs/Re block;
|
|
[ssh.c ssh_config.5]
Add a %C escape sequence for LocalCommand and ControlPath that expands
to a unique identifer based on a has of the tuple of (local host,
remote user, hostname, port).
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
control paths.
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
|
|
[ssh_config.5]
mention '%%' escape sequence in HostName directives and how it may
be used to specify IPv6 link-local addresses
|