From 1adc2bd8d72e7ee0c8f65f84e6f36dafe5421d12 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 14 Mar 2005 23:14:20 +1100 Subject: - jmc@cvs.openbsd.org 2005/03/12 11:55:03 [ssh_config.5] escape `.' at eol to avoid double spacing issues; --- ssh_config.5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 06db04c27..dc6d6746f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.47 2005/03/07 23:41:54 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.48 2005/03/12 11:55:03 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -571,9 +571,9 @@ Default is 22. .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. -This allows a client to prefer one method (e.g. +This allows a client to prefer one method (e.g.\& .Cm keyboard-interactive ) -over another method (e.g. +over another method (e.g.\& .Cm password ) The default for this option is: .Dq hostbased,publickey,keyboard-interactive,password . -- cgit v1.2.3 From 5ede2ad8a74a66059a2bf02ae7b4867140b67874 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 31 Mar 2005 21:31:10 +1000 Subject: - jmc@cvs.openbsd.org 2005/03/16 11:10:38 [ssh_config.5] get the syntax right for {Local,Remote}Forward; based on a diff from markus; problem report from ponraj; ok dtucker@ markus@ deraadt@ --- ChangeLog | 11 ++++++++++- ssh_config.5 | 42 +++++++++++++++++------------------------- 2 files changed, 27 insertions(+), 26 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 5bb4788ca..253fb164e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20050331 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/03/16 11:10:38 + [ssh_config.5] + get the syntax right for {Local,Remote}Forward; + based on a diff from markus; + problem report from ponraj; + ok dtucker@ markus@ deraadt@ + 20050329 - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're interested in which is much faster in large (eg LDAP or NIS) environments. @@ -2387,4 +2396,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3728 2005/03/29 13:24:12 dtucker Exp $ +$Id: ChangeLog,v 1.3729 2005/03/31 11:31:10 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index dc6d6746f..b35753307 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.48 2005/03/12 11:55:03 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -495,21 +495,17 @@ The default is to use the server specified list. .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. -The first argument must be a port number, and the second must be -.Xo +The first argument must be .Sm off -.Oo Ar bind_address : Oc -.Ar host : port +.Oo Ar bind_address : Oc Ar port .Sm on -.Xc . +and the second argument must be +.Ar host : Ns Ar hostport . IPv6 addresses can be specified by enclosing addresses in square brackets or by using an alternative syntax: -.Sm off -.Xo -.Op Ar bind_address No / -.Ar host No / Ar port -.Xc . -.Sm on +.Oo Ar bind_address Ns / Oc Ns Ar port +and +.Ar host Ns / Ns Ar hostport . Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. @@ -632,21 +628,17 @@ This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. -The first argument must be a port number, and the second must be -.Xo +The first argument must be .Sm off -.Oo Ar bind_address : Oc -.Ar host : port -.Sm on -.Xc . -IPv6 addresses can be specified by enclosing any addresses in square brackets -or by using the alternative syntax: -.Sm off -.Xo -.Op Ar bind_address No / -.Ar host No / Ar port -.Xc . +.Oo Ar bind_address : Oc Ar port .Sm on +and the second argument must be +.Ar host : Ns Ar hostport . +IPv6 addresses can be specified by enclosing addresses in square brackets +or by using an alternative syntax: +.Oo Ar bind_address Ns / Oc Ns Ar port +and +.Ar host Ns / Ns Ar hostport . Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. -- cgit v1.2.3 From 167ea5d0268243991ad3c55cb20fa2b53f577b37 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:04:02 +1000 Subject: - djm@cvs.openbsd.org 2005/04/21 06:17:50 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@ --- ChangeLog | 6 ++++- ssh-add.1 | 14 ++++++------ ssh-agent.1 | 14 ++++++------ ssh-keygen.1 | 26 +++++++++++----------- ssh.1 | 70 +++++++++++++++++++++++++++++------------------------------ ssh_config.5 | 20 ++++++++--------- sshd.8 | 30 ++++++++++++------------- sshd_config.5 | 4 ++-- 8 files changed, 94 insertions(+), 90 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index bd45e73d6..b9d6de72d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ - jakob@cvs.openbsd.org 2005/04/20 10:05:45 [dns.c] do not try to look up SSHFP for numerical hostname. ok djm@ + - djm@cvs.openbsd.org 2005/04/21 06:17:50 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] + [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment + variable, so don't say that we do (bz #623); ok deraadt@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2522,4 +2526,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3767 2005/05/26 02:03:31 djm Exp $ +$Id: ChangeLog,v 1.3768 2005/05/26 02:04:02 djm Exp $ diff --git a/ssh-add.1 b/ssh-add.1 index 1f3df5bec..327fcddae 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.42 2005/03/01 17:32:19 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -57,10 +57,10 @@ adds RSA or DSA identities to the authentication agent, .Xr ssh-agent 1 . When run without arguments, it adds the files -.Pa $HOME/.ssh/id_rsa , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_dsa and -.Pa $HOME/.ssh/identity . +.Pa ~/.ssh/identity . Alternative file names can be given on the command line. If any file requires a passphrase, .Nm @@ -142,11 +142,11 @@ agent. .El .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .El .Pp diff --git a/ssh-agent.1 b/ssh-agent.1 index 226804e5f..741cf4bd1 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.41 2004/07/11 17:48:47 deraadt Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -111,10 +111,10 @@ Keys are added using When executed without arguments, .Xr ssh-add 1 adds the files -.Pa $HOME/.ssh/id_rsa , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_dsa and -.Pa $HOME/.ssh/identity . +.Pa ~/.ssh/identity . If the identity has a passphrase, .Xr ssh-add 1 asks for the passphrase (using a small X11 application if running @@ -179,11 +179,11 @@ The agent exits automatically when the command given on the command line terminates. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .It Pa /tmp/ssh-XXXXXXXX/agent. Unix-domain sockets used to contain the connection to the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c14eed14e..ac0b72764 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.67 2005/03/14 10:09:03 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.68 2005/04/21 06:17:50 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -129,10 +129,10 @@ section for details. Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in -.Pa $HOME/.ssh/identity , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/identity , +.Pa ~/.ssh/id_dsa or -.Pa $HOME/.ssh/id_rsa . +.Pa ~/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, as seen in .Pa /etc/rc . @@ -381,7 +381,7 @@ It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -392,14 +392,14 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/identity.pub +.It Pa ~/.ssh/identity.pub Contains the protocol version 1 RSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using RSA authentication. There is no need to keep the contents of this file secret. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -410,14 +410,14 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/id_dsa.pub +.It Pa ~/.ssh/id_dsa.pub Contains the protocol version 2 DSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -428,10 +428,10 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/id_rsa.pub +.It Pa ~/.ssh/id_rsa.pub Contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. diff --git a/ssh.1 b/ssh.1 index 4cbab7477..05d2234a3 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.206 2005/04/14 12:30:30 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.207 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -109,9 +109,9 @@ or .Pa /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files -.Pa $HOME/.rhosts +.Pa ~/.rhosts or -.Pa $HOME/.shosts +.Pa ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is @@ -120,7 +120,7 @@ Additionally, if the server can verify the client's host key (see .Pa /etc/ssh/ssh_known_hosts and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts in the .Sx FILES section), only then is login permitted. @@ -128,7 +128,7 @@ This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to the administrator: .Pa /etc/hosts.equiv , -.Pa $HOME/.rhosts , +.Pa ~/.rhosts , and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] .Pp @@ -144,7 +144,7 @@ key pair for authentication purposes. The server knows the public key, and only the user knows the private key. .Pp The file -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the .Nm @@ -165,18 +165,18 @@ implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running .Xr ssh-keygen 1 . This stores the private key in -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity and stores the public key in -.Pa $HOME/.ssh/identity.pub +.Pa ~/.ssh/identity.pub in the user's home directory. The user should then copy the .Pa identity.pub to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys in his/her home directory on the remote machine (the .Pa authorized_keys file corresponds to the conventional -.Pa $HOME/.rhosts +.Pa ~/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. @@ -206,12 +206,12 @@ password authentication are tried. The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key, -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa or -.Pa $HOME/.ssh/id_rsa , +.Pa ~/.ssh/id_rsa , to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. @@ -365,7 +365,7 @@ electronic purse; another is going through firewalls. automatically maintains and checks a database containing identifications for all hosts it has ever been used with. Host keys are stored in -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts in the user's home directory. Additionally, the file .Pa /etc/ssh/ssh_known_hosts @@ -522,7 +522,7 @@ the system-wide configuration file .Pq Pa /etc/ssh/ssh_config will be ignored. The default for the per-user configuration file is -.Pa $HOME/.ssh/config . +.Pa ~/.ssh/config . .It Fl f Requests .Nm @@ -548,11 +548,11 @@ private RSA key. Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity for protocol version 1, and -.Pa $HOME/.ssh/id_rsa +.Pa ~/.ssh/id_rsa and -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. @@ -941,7 +941,7 @@ Set to the name of the user logging in. Additionally, .Nm reads -.Pa $HOME/.ssh/environment , +.Pa ~/.ssh/environment , and adds lines of the format .Dq VARNAME=value to the environment if the file exists and if users are allowed to @@ -952,13 +952,13 @@ option in .Xr sshd_config 5 . .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/known_hosts +.It Pa ~/.ssh/known_hosts Records host keys for all hosts the user has logged into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . -.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa +.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files @@ -970,21 +970,21 @@ ignores a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. -.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub +.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the -.Pa $HOME/.ssh/identity.pub +.Pa ~/.ssh/identity.pub file should be added to the file -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 1 RSA authentication. The contents of the -.Pa $HOME/.ssh/id_dsa.pub +.Pa ~/.ssh/id_dsa.pub and -.Pa $HOME/.ssh/id_rsa.pub +.Pa ~/.ssh/id_rsa.pub file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. These files are not @@ -992,13 +992,13 @@ sensitive and can (but need not) be readable by anyone. These files are never used automatically and are not necessary; they are only provided for the convenience of the user. -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. -.It Pa $HOME/.ssh/authorized_keys +.It Pa ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 @@ -1058,7 +1058,7 @@ be setuid root when that authentication method is used. By default .Nm is not setuid root. -.It Pa $HOME/.rhosts +.It Pa ~/.rhosts This file is used in .Cm RhostsRSAAuthentication and @@ -1088,12 +1088,12 @@ authentication before permitting log in. If the server machine does not have the client's host key in .Pa /etc/ssh/ssh_known_hosts , it can be stored in -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . The easiest way to do this is to connect back to the client from the server machine using ssh; this will automatically add the host key to -.Pa $HOME/.ssh/known_hosts . -.It Pa $HOME/.shosts +.Pa ~/.ssh/known_hosts . +.It Pa ~/.shosts This file is used exactly the same way as .Pa .rhosts . The purpose for @@ -1133,7 +1133,7 @@ when the user logs in just before the user's shell (or command) is started. See the .Xr sshd 8 manual page for more information. -.It Pa $HOME/.ssh/rc +.It Pa ~/.ssh/rc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is @@ -1141,7 +1141,7 @@ started. See the .Xr sshd 8 manual page for more information. -.It Pa $HOME/.ssh/environment +.It Pa ~/.ssh/environment Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above. diff --git a/ssh_config.5 b/ssh_config.5 index b35753307..7e48fa65b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.50 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -43,7 +43,7 @@ .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS .Bl -tag -width Ds -compact -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config .It Pa /etc/ssh/ssh_config .El .Sh DESCRIPTION @@ -55,7 +55,7 @@ the following order: command-line options .It user's configuration file -.Pq Pa $HOME/.ssh/config +.Pq Pa ~/.ssh/config .It system-wide configuration file .Pq Pa /etc/ssh/ssh_config @@ -411,7 +411,7 @@ Note that this option applies to protocol version 2 only. Indicates that .Nm ssh should hash host names and addresses when they are added to -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . These hashed names may be used normally by .Nm ssh and @@ -457,11 +457,11 @@ specifications). Specifies a file from which the user's RSA or DSA authentication identity is read. The default is -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity for protocol version 1, and -.Pa $HOME/.ssh/id_rsa +.Pa ~/.ssh/id_rsa and -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. @@ -751,7 +751,7 @@ If this flag is set to .Dq yes , .Nm ssh will never automatically add host keys to the -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the @@ -823,7 +823,7 @@ having to remember to give the user name on the command line. .It Cm UserKnownHostsFile Specifies a file to use for the user host key database instead of -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. @@ -856,7 +856,7 @@ The default is .El .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config This is the per-user configuration file. The format of this file is described above. This file is used by the diff --git a/sshd.8 b/sshd.8 index ac3bf96cf..6acdda130 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.207 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -350,7 +350,7 @@ If the login is on a tty, and no command has been specified, prints last login time and .Pa /etc/motd (unless prevented in the configuration file or by -.Pa $HOME/.hushlogin ; +.Pa ~/.hushlogin ; see the .Sx FILES section). @@ -367,7 +367,7 @@ Changes to run with normal user privileges. Sets up basic environment. .It Reads the file -.Pa $HOME/.ssh/environment , +.Pa ~/.ssh/environment , if it exists, and users are allowed to change their environment. See the .Cm PermitUserEnvironment @@ -377,7 +377,7 @@ option in Changes to user's home directory. .It If -.Pa $HOME/.ssh/rc +.Pa ~/.ssh/rc exists, runs it; else if .Pa /etc/ssh/sshrc exists, runs @@ -390,7 +390,7 @@ authentication protocol and cookie in standard input. Runs user's shell or command. .El .Sh AUTHORIZED_KEYS FILE FORMAT -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) @@ -528,7 +528,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 The .Pa /etc/ssh/ssh_known_hosts and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is @@ -639,7 +639,7 @@ listening for connections (if there are several daemons running concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable. -.It Pa $HOME/.ssh/authorized_keys +.It Pa ~/.ssh/authorized_keys Lists the public keys (RSA or DSA) that can be used to log into the user's account. This file must be readable by root (which may on some machines imply it being world-readable if the user's home directory resides on an NFS @@ -653,7 +653,7 @@ and/or .Pa id_rsa.pub files into this file, as described in .Xr ssh-keygen 1 . -.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" +.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts" These files are consulted when using rhosts with RSA host authentication or protocol version 2 hostbased authentication to check the public key of the host. @@ -663,12 +663,12 @@ to verify that it is connecting to the correct remote host. These files should be writable only by root/the owner. .Pa /etc/ssh/ssh_known_hosts should be world-readable, and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts can, but need not be, world-readable. .It Pa /etc/motd See .Xr motd 5 . -.It Pa $HOME/.hushlogin +.It Pa ~/.hushlogin This file is used to suppress printing the last login time and .Pa /etc/motd , if @@ -691,7 +691,7 @@ The file should be world-readable. Access controls that should be enforced by tcp-wrappers are defined here. Further details are described in .Xr hosts_access 5 . -.It Pa $HOME/.rhosts +.It Pa ~/.rhosts This file is used during .Cm RhostsRSAAuthentication and @@ -709,7 +709,7 @@ It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. -.It Pa $HOME/.shosts +.It Pa ~/.shosts For ssh, this file is exactly the same as for .Pa .rhosts . @@ -758,7 +758,7 @@ This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both rsh/rlogin and ssh. -.It Pa $HOME/.ssh/environment +.It Pa ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with .Ql # ) , @@ -769,7 +769,7 @@ Environment processing is disabled by default and is controlled via the .Cm PermitUserEnvironment option. -.It Pa $HOME/.ssh/rc +.It Pa ~/.ssh/rc If this file exists, it is run with .Pa /bin/sh after reading the @@ -814,7 +814,7 @@ This file should be writable only by the user, and need not be readable by anyone else. .It Pa /etc/ssh/sshrc Like -.Pa $HOME/.ssh/rc . +.Pa ~/.ssh/rc . This can be used to specify machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. diff --git a/sshd_config.5 b/sshd_config.5 index ea79a54bf..df51fb867 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.41 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -327,7 +327,7 @@ The default is Specifies whether .Nm sshd should ignore the user's -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts during .Cm RhostsRSAAuthentication or -- cgit v1.2.3 From dadfd4dd3862df5cebae2f2dc9b7f112321fa85e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:07:13 +1000 Subject: - jakob@cvs.openbsd.org 2005/04/26 13:08:37 [ssh.c ssh_config.5] fallback gracefully if client cannot connect to ControlPath. ok djm@ --- ChangeLog | 5 ++++- ssh.c | 29 ++++++++++++++++------------- ssh_config.5 | 7 ++++++- 3 files changed, 26 insertions(+), 15 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 9cc00405f..90eaf2d8b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,9 @@ - jmc@cvs.openbsd.org 2005/04/26 12:59:02 [sftp-client.h] spelling correction in comment from wiz@netbsd; + - jakob@cvs.openbsd.org 2005/04/26 13:08:37 + [ssh.c ssh_config.5] + fallback gracefully if client cannot connect to ControlPath. ok djm@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2537,4 +2540,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3771 2005/05/26 02:05:49 djm Exp $ +$Id: ChangeLog,v 1.3772 2005/05/26 02:07:13 djm Exp $ diff --git a/ssh.c b/ssh.c index add697ae0..2bdc7ab91 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.236 2005/04/21 11:47:19 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.237 2005/04/26 13:08:37 jakob Exp $"); #include #include @@ -613,7 +613,7 @@ again: options.control_path, original_real_uid); } if (options.control_path != NULL && options.control_master == 0) - control_client(options.control_path); /* This doesn't return */ + control_client(options.control_path); /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, @@ -1290,15 +1290,6 @@ control_client(const char *path) extern char **environ; u_int flags; - if (stdin_null_flag) { - if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) - fatal("open(/dev/null): %s", strerror(errno)); - if (dup2(fd, STDIN_FILENO) == -1) - fatal("dup2: %s", strerror(errno)); - if (fd > STDERR_FILENO) - close(fd); - } - memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + @@ -1311,8 +1302,20 @@ control_client(const char *path) if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) fatal("%s socket(): %s", __func__, strerror(errno)); - if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) - fatal("Couldn't connect to %s: %s", path, strerror(errno)); + if (connect(sock, (struct sockaddr*)&addr, addr_len) == -1) { + debug("Couldn't connect to %s: %s", path, strerror(errno)); + close(sock); + return; + } + + if (stdin_null_flag) { + if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + if (dup2(fd, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (fd > STDERR_FILENO) + close(fd); + } if ((term = getenv("TERM")) == NULL) term = ""; diff --git a/ssh_config.5 b/ssh_config.5 index 7e48fa65b..d98246aa4 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.50 2005/04/21 06:17:50 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.51 2005/04/26 13:08:37 jakob Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -270,6 +270,11 @@ to listen for control connections, but require confirmation using the program before they are accepted (see .Xr ssh-add 1 for details). +If the +.Cm ControlPath +can not be opened, +.Nm ssh +will continue without connecting to a master instance. .It Cm ControlPath Specify the path to the control socket used for connection sharing. See -- cgit v1.2.3 From ebcfedce85310aba939049b29804bf68697c9a1f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:13:56 +1000 Subject: - djm@cvs.openbsd.org 2005/05/20 10:50:55 [ssh_config.5] give a ProxyCommand example using nc(1), with and ok jmc@ --- ChangeLog | 5 ++++- ssh_config.5 | 11 ++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 40b28d2d9..28a7d082f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -65,6 +65,9 @@ - djm@cvs.openbsd.org 2005/05/19 02:42:26 [includes.h] fix cast, from grunk AT pestilenz.org + - djm@cvs.openbsd.org 2005/05/20 10:50:55 + [ssh_config.5] + give a ProxyCommand example using nc(1), with and ok jmc@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2564,4 +2567,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3780 2005/05/26 02:13:42 djm Exp $ +$Id: ChangeLog,v 1.3781 2005/05/26 02:13:56 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index d98246aa4..52a8dff4c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.51 2005/04/26 13:08:37 jakob Exp $ +.\" $OpenBSD: ssh_config.5,v 1.52 2005/05/20 10:50:55 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -621,6 +621,15 @@ Note that .Cm CheckHostIP is not available for connects with a proxy command. .Pp +This directive is useful in conjunction with +.Xr nc 1 +and its proxy support. +For example, the following directive would connect via a HTTP proxy at +192.0.2.0: +.Bd -literal -offset 3n +ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p +.Ed +.Pp .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be -- cgit v1.2.3 From dfec2941acfdcadb81adb149f452f0eece26625d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:14:32 +1000 Subject: - jmc@cvs.openbsd.org 2005/05/20 11:23:32 [ssh_config.5] oops - article and spacing; --- ChangeLog | 5 ++++- ssh_config.5 | 5 ++--- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 28a7d082f..82ab680f0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,9 @@ - djm@cvs.openbsd.org 2005/05/20 10:50:55 [ssh_config.5] give a ProxyCommand example using nc(1), with and ok jmc@ + - jmc@cvs.openbsd.org 2005/05/20 11:23:32 + [ssh_config.5] + oops - article and spacing; 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2567,4 +2570,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3781 2005/05/26 02:13:56 djm Exp $ +$Id: ChangeLog,v 1.3782 2005/05/26 02:14:32 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 52a8dff4c..42eefa034 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.52 2005/05/20 10:50:55 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.53 2005/05/20 11:23:32 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -624,12 +624,11 @@ is not available for connects with a proxy command. This directive is useful in conjunction with .Xr nc 1 and its proxy support. -For example, the following directive would connect via a HTTP proxy at +For example, the following directive would connect via an HTTP proxy at 192.0.2.0: .Bd -literal -offset 3n ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed -.Pp .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be -- cgit v1.2.3 From 3710f278ae76751118fb3ced2ee6e8e320b91002 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:19:17 +1000 Subject: - djm@cvs.openbsd.org 2005/05/23 23:32:46 [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@ --- ChangeLog | 6 +++++- cipher.c | 61 +++++++++++++++++++++++++++++++++++++---------------------- myproposal.h | 5 +++-- ssh.1 | 9 ++++++--- ssh_config.5 | 9 ++++++--- sshd_config.5 | 9 ++++++--- 6 files changed, 64 insertions(+), 35 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index caf31ec86..0418ae55f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -76,6 +76,10 @@ - removes signed/unsigned comparisons in moduli generation - use strtonum instead of atoi where its easier - check some strlcpy overflow and fatal instead of truncate + - djm@cvs.openbsd.org 2005/05/23 23:32:46 + [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] + add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; + ok markus@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2575,4 +2579,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3783 2005/05/26 02:16:18 djm Exp $ +$Id: ChangeLog,v 1.3784 2005/05/26 02:19:17 djm Exp $ diff --git a/cipher.c b/cipher.c index beba4618d..b56492940 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.74 2005/05/23 23:32:46 djm Exp $"); #include "xmalloc.h" #include "log.h" @@ -74,39 +74,42 @@ struct Cipher { int number; /* for ssh1 only */ u_int block_size; u_int key_len; + u_int discard_len; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, - { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, - - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, - { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, - { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, - { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null }, + { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des }, + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf }, + + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc }, + { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc }, + { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc }, + { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 }, + { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 }, + { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 }, #if OPENSSL_VERSION_NUMBER < 0x00907000L - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, evp_rijndael }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, evp_rijndael }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, #else - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, #endif #if OPENSSL_VERSION_NUMBER >= 0x00905000L - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr }, #endif #if defined(EVP_CTRL_SET_ACSS_MODE) - { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, + { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss }, #endif - { NULL, SSH_CIPHER_INVALID, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL } }; /*--*/ @@ -224,6 +227,7 @@ cipher_init(CipherContext *cc, Cipher *cipher, const EVP_CIPHER *type; #endif int klen; + u_char *junk, *discard; if (cipher->number == SSH_CIPHER_DES) { if (dowarn) { @@ -271,6 +275,17 @@ cipher_init(CipherContext *cc, Cipher *cipher, fatal("cipher_init: EVP_CipherInit: set key failed for %s", cipher->name); #endif + + if (cipher->discard_len > 0) { + junk = xmalloc(cipher->discard_len); + discard = xmalloc(cipher->discard_len); + if (EVP_Cipher(&cc->evp, discard, junk, + cipher->discard_len) == 0) + fatal("evp_crypt: EVP_Cipher failed during discard"); + memset(discard, 0, cipher->discard_len); + xfree(junk); + xfree(discard); + } } void diff --git a/myproposal.h b/myproposal.h index 228ed6882..2edbe1624 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.17 2005/05/23 23:32:46 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -28,7 +28,8 @@ "diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ - "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ + "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ + "arcfour128,arcfour256,arcfour," \ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ "aes128-ctr,aes192-ctr,aes256-ctr" #define KEX_DEFAULT_MAC \ diff --git a/ssh.1 b/ssh.1 index 05d2234a3..4cc1738c1 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.207 2005/04/21 06:17:50 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.208 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -479,14 +479,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Fl D Ar port Specifies a local diff --git a/ssh_config.5 b/ssh_config.5 index 42eefa034..18899ae58 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.53 2005/05/20 11:23:32 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.54 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -193,14 +193,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Cm ClearAllForwardings Specifies that all local, remote and dynamic port forwardings diff --git a/sshd_config.5 b/sshd_config.5 index 70d18ab0f..cec2a2382 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.42 2005/05/19 02:39:55 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.43 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -168,14 +168,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see above) which may be -- cgit v1.2.3 From 6476cad9bb6b8a9524a153639b4ebceb3427e743 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 Jun 2005 13:18:34 +1000 Subject: - djm@cvs.openbsd.org 2005/06/06 11:20:36 [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] introduce a generic %foo expansion function. replace existing % expansion and add expansion to ControlPath; ok markus@ --- ChangeLog | 7 +++++-- auth.c | 59 +++++++++++++++++------------------------------------- auth.h | 3 +-- misc.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- misc.h | 3 ++- ssh.c | 10 +++++++--- ssh_config.5 | 15 ++++++++++---- sshconnect.c | 41 ++++++++++---------------------------- 8 files changed, 119 insertions(+), 84 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 71e7beea0..b439cbecd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,7 +3,10 @@ - jaredy@cvs.openbsd.org 2005/06/07 13:25:23 [progressmeter.c] catch SIGWINCH and resize progress meter accordingly; ok markus dtucker - + - djm@cvs.openbsd.org 2005/06/06 11:20:36 + [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] + introduce a generic %foo expansion function. replace existing % expansion + and add expansion to ControlPath; ok markus@ 20050609 - (dtucker) [cipher.c openbsd-compat/Makefile.in @@ -2699,4 +2702,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3816 2005/06/16 03:18:04 djm Exp $ +$Id: ChangeLog,v 1.3817 2005/06/16 03:18:34 djm Exp $ diff --git a/auth.c b/auth.c index 46b013137..68c2824fb 100644 --- a/auth.c +++ b/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.58 2005/03/14 11:44:42 dtucker Exp $"); +RCSID("$OpenBSD: auth.c,v 1.59 2005/06/06 11:20:36 djm Exp $"); #ifdef HAVE_LOGIN_H #include @@ -326,64 +326,41 @@ auth_root_allowed(char *method) * * This returns a buffer allocated by xmalloc. */ -char * -expand_filename(const char *filename, struct passwd *pw) +static char * +expand_authorized_keys(const char *filename, struct passwd *pw) { - Buffer buffer; - char *file; - const char *cp; + char *file, *ret; - /* - * Build the filename string in the buffer by making the appropriate - * substitutions to the given file name. - */ - buffer_init(&buffer); - for (cp = filename; *cp; cp++) { - if (cp[0] == '%' && cp[1] == '%') { - buffer_append(&buffer, "%", 1); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'h') { - buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir)); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'u') { - buffer_append(&buffer, pw->pw_name, - strlen(pw->pw_name)); - cp++; - continue; - } - buffer_append(&buffer, cp, 1); - } - buffer_append(&buffer, "\0", 1); + file = percent_expand(filename, "h", pw->pw_dir, + "u", pw->pw_name, (char *)NULL); /* * Ensure that filename starts anchored. If not, be backward * compatible and prepend the '%h/' */ - file = xmalloc(MAXPATHLEN); - cp = buffer_ptr(&buffer); - if (*cp != '/') - snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp); - else - strlcpy(file, cp, MAXPATHLEN); + if (*file == '/') + return (file); + + ret = xmalloc(MAXPATHLEN); + if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN || + strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN || + strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN) + fatal("expand_authorized_keys: path too long"); - buffer_free(&buffer); - return file; + xfree(file); + return (ret); } char * authorized_keys_file(struct passwd *pw) { - return expand_filename(options.authorized_keys_file, pw); + return expand_authorized_keys(options.authorized_keys_file, pw); } char * authorized_keys_file2(struct passwd *pw) { - return expand_filename(options.authorized_keys_file2, pw); + return expand_authorized_keys(options.authorized_keys_file2, pw); } /* return ok if key exists in sysfile or userfile */ diff --git a/auth.h b/auth.h index 471404e4e..bf47b9a64 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */ +/* $OpenBSD: auth.h,v 1.51 2005/06/06 11:20:36 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -163,7 +163,6 @@ char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); void abandon_challenge_response(Authctxt *); -char *expand_filename(const char *, struct passwd *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); diff --git a/misc.c b/misc.c index 4bc07a42a..fc094f874 100644 --- a/misc.c +++ b/misc.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2005 Damien Miller. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.30 2005/04/09 04:32:54 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.31 2005/06/06 11:20:36 djm Exp $"); #include "misc.h" #include "log.h" @@ -420,6 +421,68 @@ tilde_expand_filename(const char *filename, uid_t uid) return (xstrdup(ret)); } +/* + * Expand a string with a set of %[char] escapes. A number of escapes may be + * specified as (char *escape_chars, char *replacement) pairs. The list must + * be terminated by an escape_char of -1. Returns replaced string in memory + * allocated by xmalloc. + */ +char * +percent_expand(const char *string, ...) +{ +#define EXPAND_MAX_KEYS 16 + struct { + const char *key; + const char *repl; + } keys[EXPAND_MAX_KEYS]; + int num_keys, i, j; + char buf[4096]; + va_list ap; + + /* Gather keys */ + va_start(ap, string); + for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) { + keys[num_keys].key = va_arg(ap, char *); + if (keys[num_keys].key == NULL) + break; + keys[num_keys].repl = va_arg(ap, char *); + if (keys[num_keys].repl == NULL) + fatal("percent_expand: NULL replacement"); + } + va_end(ap); + + if (num_keys >= EXPAND_MAX_KEYS) + fatal("percent_expand: too many keys"); + + /* Expand string */ + *buf = '\0'; + for (i = 0; *string != '\0'; string++) { + if (*string != '%') { + append: + buf[i++] = *string; + if (i >= sizeof(buf)) + fatal("percent_expand: string too long"); + buf[i] = '\0'; + continue; + } + string++; + if (*string == '%') + goto append; + for (j = 0; j < num_keys; j++) { + if (strchr(keys[j].key, *string) != NULL) { + i = strlcat(buf, keys[j].repl, sizeof(buf)); + if (i >= sizeof(buf)) + fatal("percent_expand: string too long"); + break; + } + } + if (j >= num_keys) + fatal("percent_expand: unknown key %%%c", *string); + } + return (xstrdup(buf)); +#undef EXPAND_MAX_KEYS +} + /* * Read an entire line from a public key file into a static buffer, discarding * lines that exceed the buffer size. Returns 0 on success, -1 on failure. diff --git a/misc.h b/misc.h index 798d80fbf..a85fcd134 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.22 2005/04/09 04:32:54 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.23 2005/06/06 11:20:36 djm Exp $ */ /* * Author: Tatu Ylonen @@ -25,6 +25,7 @@ char *cleanhostname(char *); char *colon(char *); long convtime(const char *); char *tilde_expand_filename(const char *, uid_t); +char *percent_expand(const char *, ...) __attribute__((sentinel)); struct passwd *pwcopy(struct passwd *); diff --git a/ssh.c b/ssh.c index 43ecbd924..0871d06de 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.240 2005/05/27 08:30:37 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.241 2005/06/06 11:20:36 djm Exp $"); #include #include @@ -609,8 +609,12 @@ again: options.proxy_command = NULL; if (options.control_path != NULL) { - options.control_path = tilde_expand_filename( - options.control_path, original_real_uid); + snprintf(buf, sizeof(buf), "%d", options.port); + cp = tilde_expand_filename(options.control_path, + original_real_uid); + options.control_path = percent_expand(cp, "p", buf, "h", host, + "r", options.user, (char *)NULL); + xfree(cp); } if (mux_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); diff --git a/ssh_config.5 b/ssh_config.5 index 18899ae58..2afc3c093 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.54 2005/05/23 23:32:46 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.55 2005/06/06 11:20:36 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -279,10 +279,17 @@ can not be opened, .Nm ssh will continue without connecting to a master instance. .It Cm ControlPath -Specify the path to the control socket used for connection sharing. -See +Specify the path to the control socket used for connection sharing as described +in the .Cm ControlMaster -above. +section above. +In the path, +.Ql %h +will be substituted by the target host name, +.Ql %p +the port and +.Ql %r +by the remote login username. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application diff --git a/sshconnect.c b/sshconnect.c index b79cead5d..0bd351f6b 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.163 2005/05/24 17:32:44 avsm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.164 2005/06/06 11:20:36 djm Exp $"); #include @@ -59,12 +59,11 @@ static void warn_changed_key(Key *); static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - Buffer command; - const char *cp; - char *command_string; + char *command_string, *tmp; int pin[2], pout[2]; pid_t pid; char strport[NI_MAXSERV]; + size_t len; /* Convert the port number into a string. */ snprintf(strport, sizeof strport, "%hu", port); @@ -76,31 +75,13 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) * Use "exec" to avoid "sh -c" processes on some platforms * (e.g. Solaris) */ - buffer_init(&command); - buffer_append(&command, "exec ", 5); - - for (cp = proxy_command; *cp; cp++) { - if (cp[0] == '%' && cp[1] == '%') { - buffer_append(&command, "%", 1); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'h') { - buffer_append(&command, host, strlen(host)); - cp++; - continue; - } - if (cp[0] == '%' && cp[1] == 'p') { - buffer_append(&command, strport, strlen(strport)); - cp++; - continue; - } - buffer_append(&command, cp, 1); - } - buffer_append(&command, "\0", 1); - - /* Get the final command string. */ - command_string = buffer_ptr(&command); + len = strlen(proxy_command) + 6; + tmp = xmalloc(len); + strlcpy(tmp, "exec ", len); + strlcat(tmp, proxy_command, len); + command_string = percent_expand(tmp, "h", host, + "p", strport, (char *)NULL); + xfree(tmp); /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) @@ -154,7 +135,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) close(pout[1]); /* Free the command name. */ - buffer_free(&command); + xfree(command_string); /* Set the connection file descriptors. */ packet_set_connection(pout[0], pin[1]); -- cgit v1.2.3 From d14b1e731cf4cb79c3ff5ced9315cc11f1fceced Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 16 Jun 2005 13:19:41 +1000 Subject: - djm@cvs.openbsd.org 2005/06/08 11:25:09 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] add ControlMaster=auto/autoask options to support opportunistic multiplexing; tested avsm@ and jakob@, ok markus@ --- ChangeLog | 6 +++++- clientloop.c | 8 +++++--- readconf.c | 24 ++++++++++++++++++++++-- readconf.h | 7 ++++++- ssh.c | 32 ++++++++++++++++++++++++-------- ssh_config.5 | 18 +++++++++++++++++- 6 files changed, 79 insertions(+), 16 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 728026a62..35249dd85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ [ssh-keygen.1 ssh-keygen.c sshd.8] increase default rsa/dsa key length from 1024 to 2048 bits; ok markus@ deraadt@ + - djm@cvs.openbsd.org 2005/06/08 11:25:09 + [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] + add ControlMaster=auto/autoask options to support opportunistic + multiplexing; tested avsm@ and jakob@, ok markus@ 20050609 - (dtucker) [cipher.c openbsd-compat/Makefile.in @@ -2706,4 +2710,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3818 2005/06/16 03:19:06 djm Exp $ +$Id: ChangeLog,v 1.3819 2005/06/16 03:19:41 djm Exp $ diff --git a/clientloop.c b/clientloop.c index 1591215bd..ae4dce820 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.136 2005/03/10 22:01:05 deraadt Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.137 2005/06/08 11:25:09 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -616,13 +616,15 @@ client_process_control(fd_set * readset) switch (command) { case SSHMUX_COMMAND_OPEN: - if (options.control_master == 2) + if (options.control_master == SSHCTL_MASTER_ASK || + options.control_master == SSHCTL_MASTER_AUTO_ASK) allowed = ask_permission("Allow shared connection " "to %s? ", host); /* continue below */ break; case SSHMUX_COMMAND_TERMINATE: - if (options.control_master == 2) + if (options.control_master == SSHCTL_MASTER_ASK || + options.control_master == SSHCTL_MASTER_AUTO_ASK) allowed = ask_permission("Terminate shared connection " "to %s? ", host); if (allowed) diff --git a/readconf.c b/readconf.c index d41220807..5ec89e2f0 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.140 2005/05/16 15:30:51 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.141 2005/06/08 11:25:09 djm Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -796,7 +796,27 @@ parse_int: case oControlMaster: intptr = &options->control_master; - goto parse_yesnoask; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing ControlMaster argument.", + filename, linenum); + value = 0; /* To avoid compiler warning... */ + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) + value = SSHCTL_MASTER_YES; + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) + value = SSHCTL_MASTER_NO; + else if (strcmp(arg, "auto") == 0) + value = SSHCTL_MASTER_AUTO; + else if (strcmp(arg, "ask") == 0) + value = SSHCTL_MASTER_ASK; + else if (strcmp(arg, "autoask") == 0) + value = SSHCTL_MASTER_AUTO_ASK; + else + fatal("%.200s line %d: Bad ControlMaster argument.", + filename, linenum); + if (*activep && *intptr == -1) + *intptr = value; + break; case oHashKnownHosts: intptr = &options->hash_known_hosts; diff --git a/readconf.h b/readconf.h index de4b4cb27..2b9deb9db 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.66 2005/03/01 10:40:27 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ /* * Author: Tatu Ylonen @@ -116,6 +116,11 @@ typedef struct { int hash_known_hosts; } Options; +#define SSHCTL_MASTER_NO 0 +#define SSHCTL_MASTER_YES 1 +#define SSHCTL_MASTER_AUTO 2 +#define SSHCTL_MASTER_ASK 3 +#define SSHCTL_MASTER_AUTO_ASK 4 void initialize_options(Options *); void fill_default_options(Options *); diff --git a/ssh.c b/ssh.c index 0871d06de..a27c45725 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.241 2005/06/06 11:20:36 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.242 2005/06/08 11:25:09 djm Exp $"); #include #include @@ -386,8 +386,10 @@ again: } break; case 'M': - options.control_master = - (options.control_master >= 1) ? 2 : 1; + if (options.control_master == SSHCTL_MASTER_YES) + options.control_master = SSHCTL_MASTER_ASK; + else + options.control_master = SSHCTL_MASTER_YES; break; case 'p': options.port = a2port(optarg); @@ -618,11 +620,8 @@ again: } if (mux_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); - if (options.control_path != NULL && options.control_master == 0) { - if (mux_command == 0) - mux_command = SSHMUX_COMMAND_OPEN; + if (options.control_path != NULL) control_client(options.control_path); - } /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, @@ -1086,9 +1085,12 @@ ssh_control_listener(void) mode_t old_umask; int addr_len; - if (options.control_path == NULL || options.control_master <= 0) + if (options.control_path == NULL || + options.control_master == SSHCTL_MASTER_NO) return; + debug("setting up multiplex master socket"); + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + @@ -1299,6 +1301,20 @@ control_client(const char *path) extern char **environ; u_int flags; + if (mux_command == 0) + mux_command = SSHMUX_COMMAND_OPEN; + + switch (options.control_master) { + case SSHCTL_MASTER_AUTO: + case SSHCTL_MASTER_AUTO_ASK: + debug("auto-mux: Trying existing master"); + /* FALLTHROUGH */ + case SSHCTL_MASTER_NO: + break; + default: + return; + } + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; addr_len = offsetof(struct sockaddr_un, sun_path) + diff --git a/ssh_config.5 b/ssh_config.5 index 2afc3c093..a04ffc288 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.55 2005/06/06 11:20:36 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.56 2005/06/08 11:25:09 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -278,6 +278,17 @@ If the can not be opened, .Nm ssh will continue without connecting to a master instance. +.Pp +Two additional options allow for opportunistic multiplexing: try to use a +master connection but fall back to creating a new one if one does not already +exist. +These options are: +.Dq auto +and +.Dq autoask . +The latter requires confirmation like the +.Dq ask +option. .It Cm ControlPath Specify the path to the control socket used for connection sharing as described in the @@ -290,6 +301,11 @@ will be substituted by the target host name, the port and .Ql %r by the remote login username. +It is recommended that any +.Cm ControlPath +used for opportunistic connection sharing include +all three of these escape sequences. +This ensures that shared connections are uniquely identified. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application -- cgit v1.2.3 From 8f74c8fc3216af41e466dbe7abbe8660679588ad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Jun 2005 08:56:03 +1000 Subject: - djm@cvs.openbsd.org 2005/06/18 04:30:36 [ssh.c ssh_config.5] allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ --- ChangeLog | 5 ++++- ssh.c | 5 ++++- ssh_config.5 | 6 ++++-- 3 files changed, 12 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index c60eacc11..519168aa3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [ssh.c sshconnect.c] Fix ControlPath's %p expanding to "0" for a default port, spotted dwmw2 AT infradead.org; ok markus@ + - djm@cvs.openbsd.org 2005/06/18 04:30:36 + [ssh.c ssh_config.5] + allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ 20050618 - (djm) OpenBSD CVS Sync @@ -2756,4 +2759,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3828 2005/06/25 22:55:25 djm Exp $ +$Id: ChangeLog,v 1.3829 2005/06/25 22:56:03 djm Exp $ diff --git a/ssh.c b/ssh.c index 2e93b161a..91f8559de 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.244 2005/06/17 22:53:46 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.245 2005/06/18 04:30:36 djm Exp $"); #include #include @@ -610,6 +610,9 @@ again: if (options.proxy_command != NULL && strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; + if (options.control_path != NULL && + strcmp(options.control_path, "none") == 0) + options.control_path = NULL; if (options.control_path != NULL) { snprintf(buf, sizeof(buf), "%d", options.port); diff --git a/ssh_config.5 b/ssh_config.5 index a04ffc288..3e7ca8f28 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.56 2005/06/08 11:25:09 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.57 2005/06/18 04:30:36 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -293,7 +293,9 @@ option. Specify the path to the control socket used for connection sharing as described in the .Cm ControlMaster -section above. +section above or the string +.Dq none +to disable connection sharing. In the path, .Ql %h will be substituted by the target host name, -- cgit v1.2.3 From 1339002e8b05d89b10767849d9ee9be55e460f4c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 6 Jul 2005 09:44:19 +1000 Subject: - djm@cvs.openbsd.org 2005/07/04 00:58:43 [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] implement support for X11 and agent forwarding over multiplex slave connections. Because of protocol limitations, the slave connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding their own. ok dtucker@ "put it in" deraadt@ --- ChangeLog | 9 ++++++++- channels.c | 61 +++++++++++++++++++++++++++++++++--------------------------- clientloop.c | 35 ++++++++++++++++++++++++++++------ clientloop.h | 7 ++++++- misc.c | 19 ++++++++++++++++++- misc.h | 3 ++- ssh.c | 45 +++++++++++++++++++++++--------------------- ssh_config.5 | 8 +++++++- 8 files changed, 128 insertions(+), 59 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 85d4e91c9..58607022a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,13 @@ - markus@cvs.openbsd.org 2005/07/01 13:19:47 [channels.c] don't free() if getaddrinfo() fails; report mpech@ + - djm@cvs.openbsd.org 2005/07/04 00:58:43 + [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] + implement support for X11 and agent forwarding over multiplex slave + connections. Because of protocol limitations, the slave connections inherit + the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding + their own. + ok dtucker@ "put it in" deraadt@ 20050626 - (djm) OpenBSD CVS Sync @@ -2769,4 +2776,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3832 2005/07/05 23:36:05 djm Exp $ +$Id: ChangeLog,v 1.3833 2005/07/05 23:44:19 djm Exp $ diff --git a/channels.c b/channels.c index b58902328..14ff166ae 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.218 2005/07/01 13:19:47 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.219 2005/07/04 00:58:42 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -111,6 +111,9 @@ static int all_opens_permitted = 0; /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 +/* Saved X11 local (client) display. */ +static char *x11_saved_display = NULL; + /* Saved X11 authentication protocol name. */ static char *x11_saved_proto = NULL; @@ -2955,12 +2958,18 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, const char *proto, const char *data) { u_int data_len = (u_int) strlen(data) / 2; - u_int i, value, len; + u_int i, value; char *new_data; int screen_number; const char *cp; u_int32_t rnd = 0; + if (x11_saved_display && strcmp(disp, x11_saved_display) != 0) { + error("x11_request_forwarding_with_spoofing: different " + "$DISPLAY already forwarded"); + return; + } + cp = disp; if (disp) cp = strchr(disp, ':'); @@ -2971,33 +2980,31 @@ x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, else screen_number = 0; - /* Save protocol name. */ - x11_saved_proto = xstrdup(proto); - - /* - * Extract real authentication data and generate fake data of the - * same length. - */ - x11_saved_data = xmalloc(data_len); - x11_fake_data = xmalloc(data_len); - for (i = 0; i < data_len; i++) { - if (sscanf(data + 2 * i, "%2x", &value) != 1) - fatal("x11_request_forwarding: bad authentication data: %.100s", data); - if (i % 4 == 0) - rnd = arc4random(); - x11_saved_data[i] = value; - x11_fake_data[i] = rnd & 0xff; - rnd >>= 8; - } - x11_saved_data_len = data_len; - x11_fake_data_len = data_len; + if (x11_saved_proto == NULL) { + /* Save protocol name. */ + x11_saved_proto = xstrdup(proto); + /* + * Extract real authentication data and generate fake data + * of the same length. + */ + x11_saved_data = xmalloc(data_len); + x11_fake_data = xmalloc(data_len); + for (i = 0; i < data_len; i++) { + if (sscanf(data + 2 * i, "%2x", &value) != 1) + fatal("x11_request_forwarding: bad " + "authentication data: %.100s", data); + if (i % 4 == 0) + rnd = arc4random(); + x11_saved_data[i] = value; + x11_fake_data[i] = rnd & 0xff; + rnd >>= 8; + } + x11_saved_data_len = data_len; + x11_fake_data_len = data_len; + } /* Convert the fake data into hex. */ - len = 2 * data_len + 1; - new_data = xmalloc(len); - for (i = 0; i < data_len; i++) - snprintf(new_data + 2 * i, len - 2 * i, - "%02x", (u_char) x11_fake_data[i]); + new_data = tohex(x11_fake_data, data_len); /* Send the request packet. */ if (compat20) { diff --git a/clientloop.c b/clientloop.c index a030cf6e4..9611a5e3e 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.139 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.140 2005/07/04 00:58:43 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -140,6 +140,8 @@ int session_ident = -1; struct confirm_ctx { int want_tty; int want_subsys; + int want_x_fwd; + int want_agent_fwd; Buffer cmd; char *term; struct termios tio; @@ -631,6 +633,7 @@ static void client_extra_session2_setup(int id, void *arg) { struct confirm_ctx *cctx = arg; + const char *display; Channel *c; int i; @@ -639,6 +642,24 @@ client_extra_session2_setup(int id, void *arg) if ((c = channel_lookup(id)) == NULL) fatal("%s: no channel for id %d", __func__, id); + display = getenv("DISPLAY"); + if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { + char *proto, *data; + /* Get reasonable local authentication information. */ + client_x11_get_proto(display, options.xauth_location, + options.forward_x11_trusted, &proto, &data); + /* Request forwarding with authentication spoofing. */ + debug("Requesting X11 forwarding with authentication spoofing."); + x11_request_forwarding_with_spoofing(id, display, proto, data); + /* XXX wait for reply */ + } + + if (cctx->want_agent_fwd && options.forward_agent) { + debug("Requesting authentication agent forwarding."); + channel_request_start(id, "auth-agent-req@openssh.com", 0); + packet_send(); + } + client_session2_setup(id, cctx->want_tty, cctx->want_subsys, cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env, client_subsystem_reply); @@ -704,7 +725,7 @@ client_process_control(fd_set * readset) buffer_free(&m); return; } - if ((ver = buffer_get_char(&m)) != 1) { + if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { error("%s: wrong client version %d", __func__, ver); buffer_free(&m); close(client_fd); @@ -738,7 +759,7 @@ client_process_control(fd_set * readset) buffer_clear(&m); buffer_put_int(&m, allowed); buffer_put_int(&m, getpid()); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); buffer_free(&m); @@ -758,7 +779,7 @@ client_process_control(fd_set * readset) buffer_clear(&m); buffer_put_int(&m, allowed); buffer_put_int(&m, getpid()); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); buffer_free(&m); @@ -779,7 +800,7 @@ client_process_control(fd_set * readset) buffer_free(&m); return; } - if ((ver = buffer_get_char(&m)) != 1) { + if ((ver = buffer_get_char(&m)) != SSHMUX_VER) { error("%s: wrong client version %d", __func__, ver); buffer_free(&m); close(client_fd); @@ -790,6 +811,8 @@ client_process_control(fd_set * readset) memset(cctx, 0, sizeof(*cctx)); cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0; cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0; + cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0; + cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0; cctx->term = buffer_get_string(&m, &len); cmd = buffer_get_string(&m, &len); @@ -823,7 +846,7 @@ client_process_control(fd_set * readset) /* This roundtrip is just for synchronisation of ttymodes */ buffer_clear(&m); - if (ssh_msg_send(client_fd, /* version */1, &m) == -1) { + if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) { error("%s: client msg_send failed", __func__); close(client_fd); close(new_fd[0]); diff --git a/clientloop.h b/clientloop.h index 71c61b5d2..aed2d918b 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.13 2005/06/16 03:38:36 djm Exp $ */ +/* $OpenBSD: clientloop.h,v 1.14 2005/07/04 00:58:43 djm Exp $ */ /* * Author: Tatu Ylonen @@ -43,6 +43,9 @@ void client_global_request_reply_fwd(int, u_int32_t, void *); void client_session2_setup(int, int, int, const char *, struct termios *, int, Buffer *, char **, dispatch_fn *); +/* Multiplexing protocol version */ +#define SSHMUX_VER 1 + /* Multiplexing control protocol flags */ #define SSHMUX_COMMAND_OPEN 1 /* Open new connection */ #define SSHMUX_COMMAND_ALIVE_CHECK 2 /* Check master is alive */ @@ -50,3 +53,5 @@ void client_session2_setup(int, int, int, const char *, struct termios *, #define SSHMUX_FLAG_TTY (1) /* Request tty on open */ #define SSHMUX_FLAG_SUBSYS (1<<1) /* Subsystem request on open */ +#define SSHMUX_FLAG_X11_FWD (1<<2) /* Request X11 forwarding */ +#define SSHMUX_FLAG_AGENT_FWD (1<<3) /* Request agent forwarding */ diff --git a/misc.c b/misc.c index c5ca0ce38..808b7ba27 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.32 2005/06/17 02:44:32 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.33 2005/07/04 00:58:43 djm Exp $"); #include "misc.h" #include "log.h" @@ -506,3 +506,20 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, } return -1; } + +char * +tohex(const u_char *d, u_int l) +{ + char b[3], *r; + u_int i, hl; + + hl = l * 2 + 1; + r = xmalloc(hl); + *r = '\0'; + for (i = 0; i < l; i++) { + snprintf(b, sizeof(b), "%02x", d[i]); + strlcat(r, b, hl); + } + return (r); +} + diff --git a/misc.h b/misc.h index a85fcd134..92848b28e 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.23 2005/06/06 11:20:36 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.24 2005/07/04 00:58:43 djm Exp $ */ /* * Author: Tatu Ylonen @@ -26,6 +26,7 @@ char *colon(char *); long convtime(const char *); char *tilde_expand_filename(const char *, uid_t); char *percent_expand(const char *, ...) __attribute__((sentinel)); +char *tohex(const u_char *, u_int); struct passwd *pwcopy(struct passwd *); diff --git a/ssh.c b/ssh.c index 67af53e69..43d97abcc 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.246 2005/06/25 22:47:49 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.247 2005/07/04 00:58:43 djm Exp $"); #include #include @@ -1250,41 +1250,44 @@ control_client(const char *path) error("Control socket connect(%.100s): %s", path, strerror(errno)); } - close(sock); - return; - } - - if (stdin_null_flag) { - if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) - fatal("open(/dev/null): %s", strerror(errno)); - if (dup2(fd, STDIN_FILENO) == -1) - fatal("dup2: %s", strerror(errno)); - if (fd > STDERR_FILENO) - close(fd); - } - - if ((term = getenv("TERM")) == NULL) - term = ""; + close(sock); + return; + } + + if (stdin_null_flag) { + if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1) + fatal("open(/dev/null): %s", strerror(errno)); + if (dup2(fd, STDIN_FILENO) == -1) + fatal("dup2: %s", strerror(errno)); + if (fd > STDERR_FILENO) + close(fd); + } + + term = getenv("TERM"); flags = 0; if (tty_flag) flags |= SSHMUX_FLAG_TTY; if (subsystem_flag) flags |= SSHMUX_FLAG_SUBSYS; + if (options.forward_x11) + flags |= SSHMUX_FLAG_X11_FWD; + if (options.forward_agent) + flags |= SSHMUX_FLAG_AGENT_FWD; buffer_init(&m); /* Send our command to server */ buffer_put_int(&m, mux_command); buffer_put_int(&m, flags); - if (ssh_msg_send(sock, /* version */1, &m) == -1) + if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1) fatal("%s: msg_send", __func__); buffer_clear(&m); /* Get authorisation status and PID of controlee */ if (ssh_msg_recv(sock, &m) == -1) fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) + if (buffer_get_char(&m) != SSHMUX_VER) fatal("%s: wrong version", __func__); if (buffer_get_int(&m) != 1) fatal("Connection to master denied"); @@ -1308,7 +1311,7 @@ control_client(const char *path) } /* SSHMUX_COMMAND_OPEN */ - buffer_put_cstring(&m, term); + buffer_put_cstring(&m, term ? term : ""); buffer_append(&command, "\0", 1); buffer_put_cstring(&m, buffer_ptr(&command)); @@ -1330,7 +1333,7 @@ control_client(const char *path) } } - if (ssh_msg_send(sock, /* version */1, &m) == -1) + if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1) fatal("%s: msg_send", __func__); mm_send_fd(sock, STDIN_FILENO); @@ -1341,7 +1344,7 @@ control_client(const char *path) buffer_clear(&m); if (ssh_msg_recv(sock, &m) == -1) fatal("%s: msg_recv", __func__); - if (buffer_get_char(&m) != 1) + if (buffer_get_char(&m) != SSHMUX_VER) fatal("%s: wrong version", __func__); buffer_free(&m); diff --git a/ssh_config.5 b/ssh_config.5 index 3e7ca8f28..40774297c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.57 2005/06/18 04:30:36 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.58 2005/07/04 00:58:43 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -279,6 +279,12 @@ can not be opened, .Nm ssh will continue without connecting to a master instance. .Pp +X11 and +.Xr ssh-agent 4 +forwarding is supported over these multiplexed connections, however the +display and agent fowarded will be the one belonging to the master +connection. I.e. it is not possible to forward multiple displays or agents. +.Pp Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already exist. -- cgit v1.2.3 From fd94fbaf563d2d9a0c512e59085fe91d7e693576 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 6 Jul 2005 09:44:59 +1000 Subject: - jmc@cvs.openbsd.org 2005/07/04 11:29:51 [ssh_config.5] fix Xr and a little grammar; --- ChangeLog | 5 ++++- ssh_config.5 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 58607022a..b391c6727 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding their own. ok dtucker@ "put it in" deraadt@ + - jmc@cvs.openbsd.org 2005/07/04 11:29:51 + [ssh_config.5] + fix Xr and a little grammar; 20050626 - (djm) OpenBSD CVS Sync @@ -2776,4 +2779,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3833 2005/07/05 23:44:19 djm Exp $ +$Id: ChangeLog,v 1.3834 2005/07/05 23:44:59 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 40774297c..2b2b14364 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.58 2005/07/04 00:58:43 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.59 2005/07/04 11:29:51 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -280,10 +280,10 @@ can not be opened, will continue without connecting to a master instance. .Pp X11 and -.Xr ssh-agent 4 +.Xr ssh-agent 1 forwarding is supported over these multiplexed connections, however the display and agent fowarded will be the one belonging to the master -connection. I.e. it is not possible to forward multiple displays or agents. +connection i.e. it is not possible to forward multiple displays or agents. .Pp Two additional options allow for opportunistic multiplexing: try to use a master connection but fall back to creating a new one if one does not already -- cgit v1.2.3 From 89f4d47e66697d10d9f48461e20da67640cbd220 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 14 Jul 2005 17:06:21 +1000 Subject: - dtucker@cvs.openbsd.org 2005/07/08 10:20:41 [ssh_config.5] change BindAddress to match recent ssh -b change; prompted by markus@ --- ChangeLog | 5 ++++- ssh_config.5 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 2d1efea7e..909439a1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ 2a) no EOF has been seen OR 2b) there is buffered data report, initial fix and testing Chuck Cranor + - dtucker@cvs.openbsd.org 2005/07/08 10:20:41 + [ssh_config.5] + change BindAddress to match recent ssh -b change; prompted by markus@ 20050707 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for @@ -2812,4 +2815,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3841 2005/07/14 07:05:51 dtucker Exp $ +$Id: ChangeLog,v 1.3842 2005/07/14 07:06:21 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 2b2b14364..9413cb617 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.59 2005/07/04 11:29:51 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.60 2005/07/08 10:20:41 dtucker Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -136,8 +136,8 @@ or The default is .Dq no . .It Cm BindAddress -Specify the interface to transmit from on machines with multiple -interfaces or aliased addresses. +Use the specified address on the local machine as the source address of +the connection. Only useful on systems with more than one address. Note that this option does not work if .Cm UsePrivilegedPort is set to -- cgit v1.2.3 From 6c71d20d7689bf2c9c22f39b2355de8db975b586 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 14 Jul 2005 17:06:50 +1000 Subject: - jmc@cvs.openbsd.org 2005/07/08 12:53:10 [ssh_config.5] new sentence, new line; --- ChangeLog | 5 ++++- ssh_config.5 | 5 +++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 909439a1b..1d4bcde07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,9 @@ - dtucker@cvs.openbsd.org 2005/07/08 10:20:41 [ssh_config.5] change BindAddress to match recent ssh -b change; prompted by markus@ + - jmc@cvs.openbsd.org 2005/07/08 12:53:10 + [ssh_config.5] + new sentence, new line; 20050707 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for @@ -2815,4 +2818,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3842 2005/07/14 07:06:21 dtucker Exp $ +$Id: ChangeLog,v 1.3843 2005/07/14 07:06:50 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 9413cb617..9ddb09480 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.60 2005/07/08 10:20:41 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -137,7 +137,8 @@ The default is .Dq no . .It Cm BindAddress Use the specified address on the local machine as the source address of -the connection. Only useful on systems with more than one address. +the connection. +Only useful on systems with more than one address. Note that this option does not work if .Cm UsePrivilegedPort is set to -- cgit v1.2.3