From db7606d4a62fee67b0cb2f32dfcbd7b3642bfef5 Mon Sep 17 00:00:00 2001 From: "schwarze@openbsd.org" Date: Tue, 14 May 2019 12:47:17 +0000 Subject: upstream: Delete some .Sx macros that were used in a wrong way. Part of a patch from Stephen Gregoratto . OpenBSD-Commit-ID: 15501ed13c595f135e7610b1a5d8345ccdb513b7 --- ssh_config.5 | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 412629637..234ca7a9a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.292 2019/03/01 02:16:47 djm Exp $ -.Dd $Mdocdate: March 1 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.293 2019/05/14 12:47:17 schwarze Exp $ +.Dd $Mdocdate: May 14 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1326,9 +1326,7 @@ and .Sq 4G , depending on the cipher. The optional second value is specified in seconds and may use any of the -units documented in the -.Sx TIME FORMATS -section of +units documented in the TIME FORMATS section of .Xr sshd_config 5 . The default value for .Cm RekeyLimit -- cgit v1.2.3 From d1bbfdd932db9b9b799db865ee1ff50060dfc895 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Tue, 11 Jun 2019 13:39:40 +0000 Subject: upstream: consistent lettering for "HostName" keyword; from lauri tirkkonen OpenBSD-Commit-ID: 0c267a1257ed7482b13ef550837b6496e657d563 --- ssh_config.5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 234ca7a9a..9601ce46c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.293 2019/05/14 12:47:17 schwarze Exp $ -.Dd $Mdocdate: May 14 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.294 2019/06/11 13:39:40 jmc Exp $ +.Dd $Mdocdate: June 11 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -203,7 +203,7 @@ The criteria for the .Cm host keyword are matched against the target hostname, after any substitution by the -.Cm Hostname +.Cm HostName or .Cm CanonicalizeHostname options. -- cgit v1.2.3 From 76af9c57387243556d38935555c227d0b34062c5 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Wed, 12 Jun 2019 05:53:21 +0000 Subject: upstream: deraadt noticed some inconsistency in the way we denote the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent (effectively reversing my commit of yesterday); ok deraadt markus djm OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667 --- ssh_config.5 | 14 +++++++------- sshd_config.5 | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 9601ce46c..4e72d2ea9 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.294 2019/06/11 13:39:40 jmc Exp $ -.Dd $Mdocdate: June 11 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.295 2019/06/12 05:53:21 jmc Exp $ +.Dd $Mdocdate: June 12 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -203,7 +203,7 @@ The criteria for the .Cm host keyword are matched against the target hostname, after any substitution by the -.Cm HostName +.Cm Hostname or .Cm CanonicalizeHostname options. 
@@ -845,16 +845,16 @@ real host name when looking up or saving the host key in the host key database files and when validating host certificates. This option is useful for tunneling SSH connections or for multiple servers running on a single host. -.It Cm HostName +.It Cm Hostname Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. Arguments to -.Cm HostName +.Cm Hostname accept the tokens described in the .Sx TOKENS section. Numeric IP addresses are also permitted (both on the command line and in -.Cm HostName +.Cm Hostname specifications). The default is the name given on the command line. .It Cm IdentitiesOnly @@ -1785,7 +1785,7 @@ accepts the tokens %%, %d, %h, %i, %l, %r, and %u. .Cm ControlPath accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u. .Pp -.Cm HostName +.Cm Hostname accepts the tokens %% and %h. .Pp .Cm IdentityAgent diff --git a/sshd_config.5 b/sshd_config.5 index 9f59584f2..fd83bcef1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.285 2019/05/14 12:47:17 schwarze Exp $ -.Dd $Mdocdate: May 14 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.286 2019/06/12 05:53:21 jmc Exp $ +.Dd $Mdocdate: June 12 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1155,7 +1155,7 @@ Available keywords are .Cm X11DisplayOffset , .Cm X11Forwarding and -.Cm X11UseLocalHost . +.Cm X11UseLocalhost . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. -- cgit v1.2.3 From 7349149da1074d82b71722338e05b6a282f126cc Mon Sep 17 00:00:00 2001 
From: "jmc@openbsd.org" Date: Wed, 12 Jun 2019 11:31:50 +0000 Subject: upstream: Hostname->HostName cleanup; from lauri tirkkonen ok dtucker OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4 --- clientloop.c | 4 ++-- readconf.c | 12 ++++++------ scp.1 | 6 +++--- sftp.1 | 6 +++--- ssh.1 | 6 +++--- ssh.c | 4 ++-- ssh_config.5 | 6 +++--- 7 files changed, 22 insertions(+), 22 deletions(-) (limited to 'ssh_config.5') diff --git a/clientloop.c b/clientloop.c index 755f29231..244de9871 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.323 2019/04/23 11:56:41 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.324 2019/06/12 11:31:50 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -129,7 +129,7 @@ extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */ /* * Name of the host we are connecting to. This is the name given on the - * command line, or the HostName specified for the user-supplied name in a + * command line, or the Hostname specified for the user-supplied name in a * configuration file. */ extern char *host; diff --git a/readconf.c b/readconf.c index c143fa2e2..ec30ab30a 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.305 2019/06/07 14:18:48 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.306 2019/06/12 11:31:50 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -86,7 +86,7 @@ User foo Host fake.com - HostName another.host.name.real.org + Hostname another.host.name.real.org User blaah Port 34289 ForwardX11 no 
@@ -148,7 +148,7 @@ typedef enum { oGatewayPorts, oExitOnForwardFailure, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, - oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, + oIdentityFile, oHostname, oPort, oCipher, oRemoteForward, oLocalForward, oCertificateFile, oAddKeysToAgent, oIdentityAgent, oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -240,7 +240,7 @@ static struct { { "certificatefile", oCertificateFile }, { "addkeystoagent", oAddKeysToAgent }, { "identityagent", oIdentityAgent }, - { "hostname", oHostName }, + { "hostname", oHostname }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, { "port", oPort }, @@ -1117,7 +1117,7 @@ parse_char_array: max_entries = SSH_MAX_HOSTS_FILES; goto parse_char_array; - case oHostName: + case oHostname: charptr = &options->hostname; goto parse_string; @@ -2593,7 +2593,7 @@ dump_client_config(Options *o, const char *host) /* Most interesting options first: user, host, port */ dump_cfg_string(oUser, o->user); - dump_cfg_string(oHostName, host); + dump_cfg_string(oHostname, host); dump_cfg_int(oPort, o->port); /* Flag options */ diff --git a/scp.1 b/scp.1 index a2833dab0..dee7fcead 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.85 2019/01/26 22:41:28 djm Exp $ +.\" $OpenBSD: scp.1,v 1.86 2019/06/12 11:31:50 jmc Exp $ .\" -.Dd $Mdocdate: January 26 2019 $ +.Dd $Mdocdate: June 12 2019 $ .Dt SCP 1 .Os .Sh NAME @@ -164,7 +164,7 @@ For full details of the options listed below, and their possible values, see .It HostbasedKeyTypes .It HostKeyAlgorithms .It HostKeyAlias -.It HostName +.It Hostname .It IdentitiesOnly .It IdentityAgent .It IdentityFile diff --git a/sftp.1 b/sftp.1 index 259095885..4554ae4f3 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.125 2019/01/22 06:58:31 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.126 2019/06/12 11:31:50 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 22 2019 $ +.Dd $Mdocdate: June 12 2019 $ .Dt SFTP 1 .Os .Sh NAME @@ -241,7 +241,7 @@ For full details of the options listed below, and their possible values, see .It HostbasedKeyTypes .It HostKeyAlgorithms .It HostKeyAlias -.It HostName +.It Hostname .It IdentitiesOnly .It IdentityAgent .It IdentityFile diff --git a/ssh.1 b/ssh.1 index 9480eba8d..424d6c3e8 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $ -.Dd $Mdocdate: March 16 2019 $ +.\" $OpenBSD: ssh.1,v 1.403 2019/06/12 11:31:50 jmc Exp $ +.Dd $Mdocdate: June 12 2019 $ .Dt SSH 1 .Os .Sh NAME @@ -504,7 +504,7 @@ For full details of the options listed below, and their possible values, see .It HostbasedKeyTypes .It HostKeyAlgorithms .It HostKeyAlias -.It HostName +.It Hostname .It IdentitiesOnly .It IdentityAgent .It IdentityFile diff --git a/ssh.c b/ssh.c index d8d614111..a9903b6f9 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.502 2019/06/06 05:13:13 otto Exp $ */ +/* $OpenBSD: ssh.c,v 1.503 2019/06/12 11:31:50 jmc Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -162,7 +162,7 @@ char *config = NULL; /* * Name of the host we are connecting to. This is the name given on the - * command line, or the HostName specified for the user-supplied name in a + * command line, or the Hostname specified for the user-supplied name in a * configuration file. */ char *host; diff --git a/ssh_config.5 b/ssh_config.5 index 4e72d2ea9..806676bba 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.295 2019/06/12 05:53:21 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.296 2019/06/12 11:31:50 jmc Exp $ .Dd $Mdocdate: June 12 2019 $ .Dt SSH_CONFIG 5 .Os @@ -1222,8 +1222,8 @@ server running on some machine, or execute .Ic sshd -i somewhere. Host key management will be done using the -HostName of the host being connected (defaulting to the name typed by -the user). +.Cm Hostname +of the host being connected (defaulting to the name typed by the user). Setting the command to .Cm none disables this option entirely. -- cgit v1.2.3 From 6e76e69dc0c7712e9ac599af34bd091b0e7dcdb5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 2 Aug 2019 01:23:19 +0000 Subject: upstream: typo; from Christian Hesse OpenBSD-Commit-ID: 82f6de7438ea7ee5a14f44fdf5058ed57688fdc3 --- ssh_config.5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 806676bba..03321432f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.296 2019/06/12 11:31:50 jmc Exp $ -.Dd $Mdocdate: June 12 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.297 2019/08/02 01:23:19 djm Exp $ +.Dd $Mdocdate: August 2 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
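Review bot: in the readconf.c hunks of this commit the rename of the enum value oHostName to oHostname is a pure identifier change; the keyword table still maps the lowercase key "hostname" to it, so config parsing is unaffected, and any file outside this commit that still uses oHostName will fail to compile rather than silently misbehave, which is the safe failure mode for a rename. The ssh_config.5 hunk does more than respell the word: it turns the plain text "HostName" into a ".Cm Hostname" macro call, which is a markup fix worth a mention in the commit message.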
@@ -361,7 +361,7 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp -- cgit v1.2.3 From 8fdbc7247f432578abaaca1b72a0dbf5058d67e5 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 9 Aug 2019 04:24:03 +0000 Subject: upstream: Change description of TCPKeepAlive from "inactive" to "unresponsive" to clarify what it checks for. Patch from jblaine at kickflop.net via github pr#129, ok djm@. OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9 --- ssh_config.5 | 6 +++--- sshd_config.5 | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 03321432f..53cb5abfe 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.297 2019/08/02 01:23:19 djm Exp $ -.Dd $Mdocdate: August 2 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.298 2019/08/09 04:24:03 dtucker Exp $ +.Dd $Mdocdate: August 9 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1460,7 +1460,7 @@ The TCP keepalive option enabled by .Cm TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or -server depend on knowing when a connection has become inactive. +server depend on knowing when a connection has become unresponsive. .Pp The default value is 3. If, for example, diff --git a/sshd_config.5 b/sshd_config.5 index 9b155f6c1..e6ae87145 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
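Review bot: in the CASignatureAlgorithms hunk the default list in ssh_config.5 is hand-maintained, and the "." this fixes made "ecdsa-sha2-nistp256.ecdsa-sha2-nistp384" read as a single element; since the compiled-in default string is not part of this diff, it is worth checking that the documented list and the source's default are still identical so the manual does not drift from what the client actually offers.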
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.287 2019/07/23 23:06:57 dtucker Exp $ -.Dd $Mdocdate: July 23 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.288 2019/08/09 04:24:03 dtucker Exp $ +.Dd $Mdocdate: August 9 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -512,7 +512,7 @@ The TCP keepalive option enabled by .Cm TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or -server depend on knowing when a connection has become inactive. +server depend on knowing when a connection has become unresponsive. .Pp The default value is 3. If -- cgit v1.2.3 From dc2ca588144f088a54febebfde3414568dc73d5f Mon Sep 17 00:00:00 2001 From: "kn@openbsd.org" Date: Fri, 16 Aug 2019 11:16:32 +0000 Subject: upstream: Call comma-separated lists as such to clarify semantics Options such as Ciphers take values that may be a list of ciphers; the complete list, not indiviual elements, may be prefixed with a dash or plus character to remove from or append to the default list respectively. Users might read the current text as if each elment took an optional prefix, so tweak the wording from "values" to "list" to prevent such ambiguity for all options supporting this semantics (those that provide a list of available elements via "ssh -Q ..."). Input and OK jmc OpenBSD-Commit-ID: 4fdd175b0e5f5cb10ab3f26ccc38a93bb6515d57 --- ssh_config.5 | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 53cb5abfe..14d57d77d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.298 2019/08/09 04:24:03 dtucker Exp $ -.Dd $Mdocdate: August 9 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.299 2019/08/16 11:16:32 kn Exp $ +.Dd $Mdocdate: August 16 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -422,11 +422,11 @@ the check will not be executed. .It Cm Ciphers Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified ciphers will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. @@ -1043,11 +1043,11 @@ and .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -Alternately if the specified value begins with a +If the specified list begins with a .Sq + character, then the specified methods will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. 
@@ -1124,11 +1124,11 @@ Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. @@ -1281,11 +1281,11 @@ The default is .It Cm PubkeyAcceptedKeyTypes Specifies the key types that will be used for public key authentication as a comma-separated list of patterns. -Alternately if the specified value begins with a +If the specified list begins with a .Sq + character, then the key types after it will be appended to the default instead of replacing it. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. -- cgit v1.2.3 From 4f9d75fbafde83d428e291516f8ce98e6b3a7c4b Mon Sep 17 00:00:00 2001 
From: "naddy@openbsd.org" Date: Wed, 4 Sep 2019 20:31:15 +0000 Subject: upstream: Call comma-separated lists as such to clarify semantics. Options such as Ciphers take values that may be a list of ciphers; the complete list, not indiviual elements, may be prefixed with a dash or plus character to remove from or append to the default list, respectively. Users might read the current text as if each elment took an optional prefix, so tweak the wording from "values" to "list" to prevent such ambiguity for all options supporting these semantics. Fix instances missed in first commit. ok jmc@ kn@ OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417 --- ssh_config.5 | 12 ++++++------ sshd_config.5 | 24 ++++++++++++------------ 2 files changed, 18 insertions(+), 18 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 14d57d77d..14d96beaf 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.299 2019/08/16 11:16:32 kn Exp $ -.Dd $Mdocdate: August 16 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $ +.Dd $Mdocdate: September 4 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -786,11 +786,11 @@ or .It Cm HostbasedKeyTypes Specifies the key types that will be used for hostbased authentication as a comma-separated list of patterns. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. 
@@ -814,11 +814,11 @@ may be used to list supported key types. .It Cm HostKeyAlgorithms Specifies the host key algorithms that the client wants to use in order of preference. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. diff --git a/sshd_config.5 b/sshd_config.5 index e6ae87145..f42d10417 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.288 2019/08/09 04:24:03 dtucker Exp $ -.Dd $Mdocdate: August 9 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $ +.Dd $Mdocdate: September 4 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -454,11 +454,11 @@ indicating not to .It Cm Ciphers Specifies the ciphers allowed. Multiple ciphers must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified ciphers will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. 
@@ -668,11 +668,11 @@ The default is .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a list of comma-separated patterns. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. @@ -873,11 +873,11 @@ The default is .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified methods will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. @@ -990,11 +990,11 @@ Logging with a DEBUG level violates the privacy of users and is not recommended. Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. -If the specified value begins with a +If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. 
@@ -1395,11 +1395,11 @@ The default is .It Cm PubkeyAcceptedKeyTypes Specifies the key types that will be accepted for public key authentication as a list of comma-separated patterns. -Alternately if the specified value begins with a +Alternately if the specified list begins with a .Sq + character, then the specified key types will be appended to the default set instead of replacing them. -If the specified value begins with a +If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. -- cgit v1.2.3 From 91a2135f32acdd6378476c5bae475a6e7811a6a2 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Fri, 6 Sep 2019 14:45:34 +0000 Subject: upstream: Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97 --- kex.c | 15 ++++++++++++--- readconf.c | 14 +++++++++----- servconf.c | 14 +++++++++----- ssh.c | 4 ++-- ssh_config.5 | 28 ++++++++++++++++++++++++++-- sshd_config.5 | 24 ++++++++++++++++++++++-- 6 files changed, 80 insertions(+), 19 deletions(-) (limited to 'ssh_config.5') diff --git a/kex.c b/kex.c index 84f8e2aa9..5a8a03aad 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * 
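Review bot: the ssh_config.5 and sshd_config.5 hunks of the 2019-09-04 commit keep "Alternately if the specified list begins with a" for HostbasedKeyTypes, HostKeyAlgorithms, HostbasedAcceptedKeyTypes, KexAlgorithms and PubkeyAcceptedKeyTypes, whereas the 2019-08-16 commit rewrote the same sentence for the ssh_config.5 KexAlgorithms and PubkeyAcceptedKeyTypes entries as "If the specified list begins with a". Suggest dropping "Alternately" here as well so the '+'/'-' paragraphs read identically across all options that share the semantics.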
@@ -213,8 +213,9 @@ kex_names_cat(const char *a, const char *b) /* * Assemble a list of algorithms from a default list and a string from a * configuration file. The user-provided string may begin with '+' to - * indicate that it should be appended to the default or '-' that the - * specified names should be removed. + * indicate that it should be appended to the default, '-' that the + * specified names should be removed, or '^' that they should be placed + * at the head. */ int kex_assemble_names(char **listp, const char *def, const char *all) @@ -251,6 +252,14 @@ kex_assemble_names(char **listp, const char *def, const char *all) free(list); /* filtering has already been done */ return 0; + } else if (*list == '^') { + /* Place names at head of default list */ + if ((tmp = kex_names_cat(list + 1, def)) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto fail; + } + free(list); + list = tmp; } else { /* Explicit list, overrides default - just use "list" as is */ } diff --git a/readconf.c b/readconf.c index d1b7871ec..f78b4d6fe 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.308 2019/08/09 05:05:54 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1199,7 +1199,8 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->ciphers == NULL) 
@@ -1210,7 +1211,8 @@ parse_int: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 MAC spec '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->macs == NULL) @@ -1223,7 +1225,8 @@ parse_int: fatal("%.200s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) + !kex_names_valid(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (*activep && options->kex_algorithms == NULL) @@ -1238,7 +1241,8 @@ parse_keytypes: fatal("%.200s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? + arg + 1 : arg, 1)) fatal("%s line %d: Bad key types '%s'.", filename, linenum, arg ? arg : ""); if (*activep && *charptr == NULL) diff --git a/servconf.c b/servconf.c index 340045b28..e76f9c39e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.351 2019/04/18 18:56:16 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1444,7 +1444,8 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) + !sshkey_names_valid2(*arg == '+' || *arg == '^' ? + arg + 1 : arg, 1)) fatal("%s line %d: Bad key types '%s'.", filename, linenum, arg ? arg : ""); if (*activep && *charptr == NULL) 
@@ -1715,7 +1716,8 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : ""); if (options->ciphers == NULL) @@ -1726,7 +1728,8 @@ process_server_config_line(ServerOptions *options, char *line, arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum); - if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) + if (*arg != '-' && + !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) fatal("%s line %d: Bad SSH2 mac spec '%s'.", filename, linenum, arg ? arg : ""); if (options->macs == NULL) @@ -1739,7 +1742,8 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: Missing argument.", filename, linenum); if (*arg != '-' && - !kex_names_valid(*arg == '+' ? arg + 1 : arg)) + !kex_names_valid(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : ""); if (options->kex_algorithms == NULL) diff --git a/ssh.c b/ssh.c index 654376981..cb321bcf3 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.505 2019/06/28 13:35:04 deraadt Exp $ */ +/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -877,7 +877,7 @@ main(int ac, char **av) } break; case 'c': - if (!ciphers_valid(*optarg == '+' ? + if (!ciphers_valid(*optarg == '+' || *optarg == '^' ? optarg + 1 : optarg)) { fprintf(stderr, "Unknown cipher type '%s'\n", optarg); diff --git a/ssh_config.5 b/ssh_config.5 index 14d96beaf..e114b1dfe 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $ -.Dd $Mdocdate: September 4 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $ +.Dd $Mdocdate: September 6 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -430,6 +430,10 @@ If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. .Pp The supported ciphers are: .Bd -literal -offset indent @@ -794,6 +798,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -822,6 +830,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, 
@@ -1051,6 +1063,10 @@ If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified methods will be placed at the head of the +default set. The default is: .Bd -literal -offset indent curve25519-sha256,curve25519-sha256@libssh.org, @@ -1132,6 +1148,10 @@ If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. .Pp The algorithms that contain .Qq -etm @@ -1289,6 +1309,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, diff --git a/sshd_config.5 b/sshd_config.5 index f42d10417..9486f2a1c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $ -.Dd $Mdocdate: September 4 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $ +.Dd $Mdocdate: September 6 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -462,6 +462,10 @@ If the specified list begins with a .Sq - character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified ciphers will be placed at the head of the +default set. .Pp The supported ciphers are: .Pp @@ -676,6 +680,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -881,6 +889,10 @@ If the specified list begins with a .Sq - character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified methods will be placed at the head of the +default set. The supported algorithms are: .Pp .Bl -item -compact -offset indent @@ -998,6 +1010,10 @@ If the specified list begins with a .Sq - character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified algorithms will be placed at the head of the +default set. .Pp The algorithms that contain .Qq -etm @@ -1403,6 +1419,10 @@ If the specified list begins with a .Sq - character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them. +If the specified list begins with a +.Sq ^ +character, then the specified key types will be placed at the head of the +default set. The default for this option is: .Bd -literal -offset 3n ecdsa-sha2-nistp256-cert-v01@openssh.com, -- cgit v1.2.3 
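Review bot: in every ssh_config.5 and sshd_config.5 hunk above the new `^` sentence says the named algorithms "will be placed at the head of the default set", which makes `^` a preference-ordering operator rather than a restriction: the rest of the default set stays negotiable, so a line such as `Ciphers ^aes256-gcm@openssh.com` removes nothing a peer could still select. The neighbouring `-` sentence spells out its effect ("removed from the default set instead of replacing them"), so give `^` a matching clause, e.g. "the remaining default algorithms are still offered after them", to stop operators reading it as a hardening knob. The `-` text also says "(including wildcards)" while the `^` text is silent on whether wildcards are accepted; the servconf.c hunks validate a `^` list with the same `ciphers_valid()`, `mac_valid()` and `kex_names_valid()` calls used for `+`, so the man pages should state what those accept for this prefix.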
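Review bot: the ssh.c hunk teaches only `case 'c'` (the -c cipher list) about the `^` prefix, whereas the servconf.c hunks in the same patch update the cipher, MAC and KEX parsers alike; if the client's getopt switch has corresponding command-line options for MAC or KEX lists they need the same `*optarg == '^'` treatment, otherwise a list that is accepted in ssh_config is rejected on the command line. Also visible in all three servconf.c hunks: a list beginning with `-` short-circuits past `*_valid()` entirely (`if (*arg != '-' && ...)`), so a mistyped algorithm name in a removal list is accepted silently while the same typo after `+` or `^` is fatal. That is pre-existing, but since the condition is being rewritten anyway, either add a wildcard-aware validity check for the `-` case or leave a comment explaining why it is unchecked.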
From 2ce1d11600e13bee0667d6b717ffcc18a057b821 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 13 Sep 2019 04:07:42 +0000 Subject: upstream: clarify that ConnectTimeout applies both to the TCP connection and to the protocol handshake/KEX. From Jean-Charles Longuet via Github PR140 OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf --- ssh_config.5 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index e114b1dfe..b10c55492 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $ -.Dd $Mdocdate: September 6 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.302 2019/09/13 04:07:42 djm Exp $ +.Dd $Mdocdate: September 13 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -489,8 +489,8 @@ The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. -This value is used only when the target is down or really unreachable, -not when it refuses the connection. +This timeout is applied both to establishing the connection and to performing +the initial SSH protocol handshake and key exchange. .It Cm ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to -- cgit v1.2.3 From fbe24b142915331ceb2a3a76be3dc5b6d204fddf Mon Sep 17 00:00:00 2001 
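Review bot: on the ConnectTimeout hunk in ssh_config.5 above, the new sentence says the timeout now also bounds the SSH protocol handshake and key exchange, but the preceding sentence still describes the default purely in TCP terms ("instead of using the default system TCP timeout"), leaving unstated what, if anything, bounds the handshake phase when the option is unset. The ssh.c context in the following commit derives `timeout_ms` directly from `options.connection_timeout`, so if an unset value means no handshake timeout at all, a server that accepts the TCP connection and then stalls can hang the client indefinitely; that is precisely the case automation (cron jobs, CI, monitoring probes) needs to know about when deciding whether to set ConnectTimeout, and one sentence stating the unset behaviour would close the gap.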
From: "djm@openbsd.org" Date: Fri, 13 Sep 2019 04:27:35 +0000 Subject: upstream: allow %n to be expanded in ProxyCommand strings From Zachary Harmany via github.com/openssh/openssh-portable/pull/118 ok dtucker@ OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6 --- ssh.c | 4 ++-- ssh_config.5 | 4 ++-- sshconnect.c | 35 ++++++++++++++++++++--------------- sshconnect.h | 7 ++++--- 4 files changed, 28 insertions(+), 22 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh.c b/ssh.c index cb321bcf3..ee51823cd 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */ +/* $OpenBSD: ssh.c,v 1.507 2019/09/13 04:27:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1369,7 +1369,7 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; /* Open a connection to the remote host. */ - if (ssh_connect(ssh, host, addrs, &hostaddr, options.port, + if (ssh_connect(ssh, host_arg, host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, options.tcp_keep_alive) != 0) exit(255); diff --git a/ssh_config.5 b/ssh_config.5 index b10c55492..867c916a7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.302 2019/09/13 04:07:42 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.303 2019/09/13 04:27:35 djm Exp $ .Dd $Mdocdate: September 13 2019 $ .Dt SSH_CONFIG 5 .Os @@ -1821,7 +1821,7 @@ accept the tokens %%, %d, %h, %i, %l, %r, and %u. accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, %T, and %u. .Pp .Cm ProxyCommand -accepts the tokens %%, %h, %p, and %r. +accepts the tokens %%, %h, %n, %p, and %r. .Pp .Cm RemoteCommand accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u. 
diff --git a/sshconnect.c b/sshconnect.c index ed44fccb8..740780443 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.317 2019/06/28 13:35:04 deraadt Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.318 2019/09/13 04:27:35 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -87,14 +87,18 @@ static void warn_changed_key(struct sshkey *); /* Expand a proxy command */ static char * expand_proxy_command(const char *proxy_command, const char *user, - const char *host, int port) + const char *host, const char *host_arg, int port) { char *tmp, *ret, strport[NI_MAXSERV]; snprintf(strport, sizeof strport, "%d", port); xasprintf(&tmp, "exec %s", proxy_command); - ret = percent_expand(tmp, "h", host, "p", strport, - "r", options.user, (char *)NULL); + ret = percent_expand(tmp, + "h", host, + "n", host_arg, + "p", strport, + "r", options.user, + (char *)NULL); free(tmp); return ret; } @@ -122,8 +126,8 @@ stderr_null(void) * a connected fd back to us. */ static int -ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port, - const char *proxy_command) +ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, + const char *host_arg, u_short port, const char *proxy_command) { char *command_string; int sp[2], sock; @@ -138,7 +142,7 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port, "proxy dialer: %.100s", strerror(errno)); command_string = expand_proxy_command(proxy_command, options.user, - host, port); + host_arg, host, port); debug("Executing proxy dialer command: %.500s", command_string); /* Fork and execute the proxy command. */ 
@@ -204,8 +208,8 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port, * Connect to the given ssh server using a proxy command. */ static int -ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, - const char *proxy_command) +ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, + u_short port, const char *proxy_command) { char *command_string; int pin[2], pout[2]; @@ -221,7 +225,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, strerror(errno)); command_string = expand_proxy_command(proxy_command, options.user, - host, port); + host_arg, host, port); debug("Executing proxy command: %.500s", command_string); /* Fork and execute the proxy command. */ @@ -543,9 +547,9 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop, } int -ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs, - struct sockaddr_storage *hostaddr, u_short port, int family, - int connection_attempts, int *timeout_ms, int want_keepalive) +ssh_connect(struct ssh *ssh, const char *host, const char *host_arg, + struct addrinfo *addrs, struct sockaddr_storage *hostaddr, u_short port, + int family, int connection_attempts, int *timeout_ms, int want_keepalive) { int in, out; @@ -564,10 +568,11 @@ ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs, return -1; /* ssh_packet_set_connection logs error */ return 0; } else if (options.proxy_use_fdpass) { - return ssh_proxy_fdpass_connect(ssh, host, port, + return ssh_proxy_fdpass_connect(ssh, host, host_arg, port, options.proxy_command); } - return ssh_proxy_connect(ssh, host, port, options.proxy_command); + return ssh_proxy_connect(ssh, host, host_arg, port, + options.proxy_command); } /* defaults to 'no' */ diff --git a/sshconnect.h b/sshconnect.h index b455d7c20..2e84b8bc5 100644 --- a/sshconnect.h +++ b/sshconnect.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.38 2019/06/21 04:21:05 djm Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.39 2019/09/13 04:27:35 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -33,8 +33,9 @@ struct Sensitive { struct addrinfo; struct ssh; -int ssh_connect(struct ssh *, const char *, struct addrinfo *, - struct sockaddr_storage *, u_short, int, int, int *, int); +int ssh_connect(struct ssh *, const char *, const char *, + struct addrinfo *, struct sockaddr_storage *, u_short, + int, int, int *, int); void ssh_kill_proxy_command(void); void ssh_login(struct ssh *, Sensitive *, const char *, -- cgit v1.2.3 From 7047d5afe3103f0f07966c05b810682d92add359 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 13 Sep 2019 04:52:34 +0000 Subject: upstream: clarify that IdentitiesOnly also applies to the default ~/.ssh/id_* keys; bz#3062 OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa --- ssh_config.5 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 867c916a7..02a87892d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.303 2019/09/13 04:27:35 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $ .Dd $Mdocdate: September 13 2019 $ .Dt SSH_CONFIG 5 .Os @@ -872,13 +872,13 @@ The default is the name given on the command line. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -should only use the authentication identity and certificate files explicitly -configured in the +should only use the configured authentication identity and certificate files +(either the default files, or those explicitly configured in the .Nm files or passed on the .Xr ssh 1 -command-line, +command-line), even if .Xr ssh-agent 1 or a -- cgit v1.2.3
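Review bot: the argument order for the new `host_arg` parameter in the %n patch is inconsistent and only yields correct output because two swaps cancel. The prototype in sshconnect.h and the definition in sshconnect.c read `ssh_connect(struct ssh *ssh, const char *host, const char *host_arg, ...)`, but the ssh.c hunk calls `ssh_connect(ssh, host_arg, host, addrs, ...)`; likewise `expand_proxy_command(..., const char *host, const char *host_arg, int port)` is called from both `ssh_proxy_fdpass_connect` and `ssh_proxy_connect` as `expand_proxy_command(proxy_command, options.user, host_arg, host, port)`. Both parameters are `const char *`, so the compiler cannot catch the mix-up; `%h` and `%n` happen to expand to the right values today, but any other use of `host` inside `ssh_connect` (for example the direct-connection path, whose `ssh_connect_direct(struct ssh *ssh, const char *host, ...)` signature appears in the hunk header context) now receives the raw command-line argument, and the next caller that follows the prototype will silently swap the two tokens. Fix the ssh.c call to `ssh_connect(ssh, host, host_arg, addrs, ...)` and both `expand_proxy_command` calls to `(proxy_command, options.user, host, host_arg, port)`. While here, the `user` parameter of `expand_proxy_command` is unused, the body expands `"r"` from `options.user` directly; either pass it through or drop it.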
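Review bot: the ssh_config.5 hunk adds %n to the ProxyCommand token list without any caveat, yet the sshconnect.c hunks show the expanded string is prefixed with `exec ` (`xasprintf(&tmp, "exec %s", proxy_command)`) and then forked and executed, and `percent_expand` substitutes the value verbatim with no quoting. `%h` already had this property, but `%n`, judging by the `host_arg` variable it expands, is the host name as supplied on the command line before any Hostname or canonicalisation rewriting, so programs that build ssh command lines from user-supplied input gain a second unquoted path from that input into the proxy command. Worth a sentence in the ProxyCommand text warning that %n is expanded unquoted and should not be used with untrusted host arguments, and a check that whatever hostname validation ssh(1) applies elsewhere also covers the value that reaches %n.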
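Review bot: the rewritten IdentitiesOnly sentence in the final ssh_config.5 hunk reads "either the default files, or those explicitly configured ...", which leaves open whether the default ~/.ssh/id_* files are still tried once an IdentityFile has been configured or whether the two are alternatives; since the point of bz#3062 was to state exactly which keys are offered when the option is on, say which it is. The parenthesis also now spans the `.Nm` macro and four source lines, so check that the rendered page reads "... files or passed on the ssh(1) command-line), even if ..." with the closing parenthesis attached to "command-line" as intended.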