From 68d3a2a059183ebd83b15e54984ffaced04d2742 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 28 Apr 2017 03:20:27 +0000 Subject: upstream commit Add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705, patch from erahn at arista.com, ok djm@ Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed --- ssh_config.5 | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 532745b2f..dd088c5ad 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.242 2017/02/27 14:30:33 jmc Exp $ -.Dd $Mdocdate: February 27 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.243 2017/04/28 03:20:27 dtucker Exp $ +.Dd $Mdocdate: April 28 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1101,6 +1101,12 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Xr ssh 1 . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is USER. .It Cm LogLevel Gives the verbosity level that is used when logging messages from .Xr ssh 1 . -- cgit v1.2.3 From 47a287bb6ac936c26b4f3ae63279c02902ded3b9 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Fri, 28 Apr 2017 06:15:03 +0000 Subject: upstream commit sort; Upstream-ID: 7e6b56e52b039cf44d0418e9de9aca20a2d2d15a --- ssh_config.5 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index dd088c5ad..c9dca08d8 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.243 2017/04/28 03:20:27 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $ .Dd $Mdocdate: April 28 2017 $ .Dt SSH_CONFIG 5 .Os @@ -1101,12 +1101,6 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. -.It Cm SyslogFacility -Gives the facility code that is used when logging messages from -.Xr ssh 1 . -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -The default is USER. .It Cm LogLevel Gives the verbosity level that is used when logging messages from .Xr ssh 1 . @@ -1537,6 +1531,12 @@ has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Xr ssh 1 . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is USER. .It Cm TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side. -- cgit v1.2.3 From 788ac799a6efa40517f2ac0d895a610394298ffc Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Sun, 30 Apr 2017 23:18:22 +0000 Subject: upstream commit remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424 --- readconf.c | 27 +-------------------- readconf.h | 7 +----- ssh.1 | 57 ++++---------------------------------------- ssh_config | 4 +--- ssh_config.5 | 77 ++++-------------------------------------------------------- 5 files changed, 12 insertions(+), 160 deletions(-) (limited to 'ssh_config.5') diff --git a/readconf.c b/readconf.c index 5a7197c14..aee5a8a79 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.274 2017/04/30 23:15:04 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.275 2017/04/30 23:18:22 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -951,14 +951,6 @@ parse_time: intptr = &options->pubkey_authentication; goto parse_flag; - case oRSAAuthentication: - intptr = &options->rsa_authentication; - goto parse_flag; - - case oRhostsRSAAuthentication: - intptr = &options->rhosts_rsa_authentication; - goto parse_flag; - case oHostbasedAuthentication: intptr = &options->hostbased_authentication; goto parse_flag; @@ -1009,10 +1001,6 @@ parse_time: intptr = &options->number_of_password_prompts; goto parse_int; - case oCompressionLevel: - intptr = &options->compression_level; - goto parse_int; - case oRekeyLimit: arg = strdelim(&s); if (!arg || *arg == '\0') @@ -1777,7 +1765,6 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; options->fwd_opts.streamlocal_bind_unlink = -1; options->use_privileged_port = -1; - options->rsa_authentication = -1; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; 
@@ -1785,14 +1772,12 @@ initialize_options(Options * options) options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; - options->rhosts_rsa_authentication = -1; options->hostbased_authentication = -1; options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; options->compression = -1; options->tcp_keep_alive = -1; - options->compression_level = -1; options->port = -1; options->address_family = -1; options->connection_attempts = -1; @@ -1916,8 +1901,6 @@ fill_default_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->use_privileged_port == -1) options->use_privileged_port = 0; - if (options->rsa_authentication == -1) - options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) @@ -1930,8 +1913,6 @@ fill_default_options(Options * options) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 1; - if (options->rhosts_rsa_authentication == -1) - options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; if (options->batch_mode == -1) @@ -1944,8 +1925,6 @@ fill_default_options(Options * options) options->compression = 0; if (options->tcp_keep_alive == -1) options->tcp_keep_alive = 1; - if (options->compression_level == -1) - options->compression_level = 6; if (options->port == -1) options->port = 0; /* Filled in ssh_connect. */ if (options->address_family == -1) 
@@ -2502,10 +2481,6 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass); dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication); dump_cfg_fmtint(oRequestTTY, o->request_tty); -#ifdef WITH_RSA1 - dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication); - dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication); -#endif dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking); dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive); diff --git a/readconf.h b/readconf.h index c2ffd9ed4..f47f53402 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.120 2017/04/30 23:15:04 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */ /* * Author: Tatu Ylonen @@ -37,9 +37,6 @@ typedef struct { char *xauth_location; /* Location for xauth program */ struct ForwardOptions fwd_opts; /* forwarding options */ int use_privileged_port; /* Don't use privileged port if false. */ - int rhosts_rsa_authentication; /* Try rhosts with RSA - * authentication. */ - int rsa_authentication; /* Try RSA authentication. */ int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ int challenge_response_authentication; @@ -54,8 +51,6 @@ typedef struct { int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ int compression; /* Compress packets in both directions. */ - int compression_level; /* Compression level 1 (fast) to 9 - * (best). */ int tcp_keep_alive; /* Set SO_KEEPALIVE. */ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ diff --git a/ssh.1 b/ssh.1 index 4011c65aa..325742f98 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.376 2016/07/16 06:57:55 jmc Exp $ -.Dd $Mdocdate: July 16 2016 $ +.\" $OpenBSD: ssh.1,v 1.377 2017/04/30 23:18:22 djm Exp $ +.Dd $Mdocdate: April 30 2017 $ .Dt SSH 1 .Os .Sh NAME @@ -43,7 +43,7 @@ .Sh SYNOPSIS .Nm ssh .Bk -words -.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +.Op Fl 46AaCfGgKkMNnqsTtVvXxYy .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Oo Ar bind_address : Oc Ns Ar port @@ -95,16 +95,6 @@ it is executed on the remote host instead of a login shell. The options are as follows: .Pp .Bl -tag -width Ds -compact -.It Fl 1 -Forces -.Nm -to try protocol version 1 only. -.Pp -.It Fl 2 -Forces -.Nm -to try protocol version 2 only. -.Pp .It Fl 4 Forces .Nm @@ -144,12 +134,7 @@ data for forwarded X11, TCP and .Ux Ns -domain connections). The compression algorithm is the same used by -.Xr gzip 1 , -and the -.Dq level -can be controlled by the -.Cm CompressionLevel -option for protocol version 1. +.Xr gzip 1 . Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be set on a host-by-host basis in the @@ -159,14 +144,6 @@ option. .Pp .It Fl c Ar cipher_spec Selects the cipher specification for encrypting the session. -.Pp -Protocol version 1 allows specification of a single cipher. -The supported values are -.Dq 3des , -.Dq blowfish , -and -.Dq des . -For protocol version 2, .Ar cipher_spec is a comma-separated list of ciphers listed in order of preference. @@ -290,8 +267,6 @@ private RSA key. Selects a file from which the identity (private key) for public key authentication is read. The default is -.Pa ~/.ssh/identity -for protocol version 1, and .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ed25519 
@@ -495,7 +470,6 @@ For full details of the options listed below, and their possible values, see .It Ciphers .It ClearAllForwardings .It Compression -.It CompressionLevel .It ConnectionAttempts .It ConnectTimeout .It ControlMaster @@ -540,7 +514,6 @@ For full details of the options listed below, and their possible values, see .It PKCS11Provider .It Port .It PreferredAuthentications -.It Protocol .It ProxyCommand .It ProxyJump .It ProxyUseFdpass @@ -549,8 +522,6 @@ For full details of the options listed below, and their possible values, see .It RekeyLimit .It RemoteForward .It RequestTTY -.It RhostsRSAAuthentication -.It RSAAuthentication .It SendEnv .It ServerAliveInterval .It ServerAliveCountMax @@ -806,21 +777,7 @@ a per-user configuration file and a system-wide configuration file. The file format and configuration options are described in .Xr ssh_config 5 . .Sh AUTHENTICATION -The OpenSSH SSH client supports SSH protocols 1 and 2. -The default is to use protocol 2 only, -though this can be changed via the -.Cm Protocol -option in -.Xr ssh_config 5 -or the -.Fl 1 -and -.Fl 2 -options (see above). -Protocol 1 should not be used -and is only offered to support legacy devices. -It suffers from a number of cryptographic weaknesses -and doesn't support many of the advanced features available for protocol 2. +The OpenSSH SSH client supports SSH protocol 2. .Pp The methods available for authentication are: GSSAPI-based authentication, @@ -893,8 +850,6 @@ is authorized to accept the account. The user creates his/her key pair by running .Xr ssh-keygen 1 . This stores the private key in -.Pa ~/.ssh/identity -(protocol 1), .Pa ~/.ssh/id_dsa (DSA), .Pa ~/.ssh/id_ecdsa @@ -905,8 +860,6 @@ or .Pa ~/.ssh/id_rsa (RSA) and stores the public key in -.Pa ~/.ssh/identity.pub -(protocol 1), .Pa ~/.ssh/id_dsa.pub (DSA), .Pa ~/.ssh/id_ecdsa.pub diff --git a/ssh_config b/ssh_config index 90fb63f0b..b986d52ce 100644 --- a/ssh_config +++ b/ssh_config 
@@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $ +# $OpenBSD: ssh_config,v 1.31 2017/04/30 23:18:22 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -20,8 +20,6 @@ # Host * # ForwardAgent no # ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no diff --git a/ssh_config.5 b/ssh_config.5 index c9dca08d8..a565f330d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.244 2017/04/28 06:15:03 jmc Exp $ -.Dd $Mdocdate: April 28 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $ +.Dd $Mdocdate: April 30 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -391,25 +391,8 @@ in the process, regardless of the setting of If the option is set to .Cm no , the check will not be executed. -.It Cm Cipher -Specifies the cipher to use for encrypting the session -in protocol version 1. -Currently, -.Cm blowfish , -.Cm 3des -(the default), -and -.Cm des -are supported, -though -.Cm des -is only supported in the -.Xr ssh 1 -client for interoperability with legacy protocol 1 implementations; -its use is strongly discouraged due to cryptographic weaknesses. .It Cm Ciphers -Specifies the ciphers allowed for protocol version 2 -in order of preference. +Specifies the ciphers allowed and their order of preference. Multiple ciphers must be comma-separated. If the specified value begins with a .Sq + 
@@ -472,18 +455,6 @@ The argument must be or .Cm no (the default). -.It Cm CompressionLevel -Specifies the compression level to use if compression is enabled. -The argument must be an integer from 1 (fast) to 9 (slow, best). -The default level is 6, which is good for most applications. -The meaning of the values is the same as in -.Xr gzip 1 . -Note that this option applies to protocol version 1 only. -.It Cm ConnectionAttempts -Specifies the number of tries (one per second) to make before exiting. -The argument must be an integer. -This may be useful in scripts if the connection sometimes fails. -The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. @@ -902,14 +873,11 @@ section. Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication identity is read. The default is -.Pa ~/.ssh/identity -for protocol version 1, and .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ed25519 and -.Pa ~/.ssh/id_rsa -for protocol version 2. +.Pa ~/.ssh/id_rsa . Additionally, any identities represented by the authentication agent will be used for authentication unless .Cm IdentitiesOnly @@ -1192,21 +1160,6 @@ The default is: gssapi-with-mic,hostbased,publickey, keyboard-interactive,password .Ed -.It Cm Protocol -Specifies the protocol versions -.Xr ssh 1 -should support in order of preference. -The possible values are 1 and 2. -Multiple versions must be comma-separated. -When this option is set to -.Cm 2,1 -.Nm ssh -will try version 2 and fall back to version 1 -if version 2 is not available. -The default is version 2. -Protocol 1 suffers from a number of cryptographic weaknesses and should -not be used. -It is only offered to support legacy devices. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command 
@@ -1397,28 +1350,6 @@ an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . -.It Cm RhostsRSAAuthentication -Specifies whether to try rhosts based authentication with RSA host -authentication. -The argument must be -.Cm yes -or -.Cm no -(the default). -This option applies to protocol version 1 only and requires -.Xr ssh 1 -to be setuid root. -.It Cm RSAAuthentication -Specifies whether to try RSA authentication. -The argument to this keyword must be -.Cm yes -(the default) -or -.Cm no . -RSA authentication will only be -attempted if the identity file exists, or an authentication agent is -running. -Note that this option applies to protocol version 1 only. .It Cm SendEnv Specifies what variables from the local .Xr environ 7 -- cgit v1.2.3 From 768405fddf64ff83aa6ef701ebb3c1f82d98a2f3 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Wed, 3 May 2017 21:08:09 +0000 Subject: upstream commit remove miscellaneous SSH1 leftovers; ok markus@ Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c --- clientloop.c | 4 ++-- kex.h | 5 +---- opacket.h | 8 -------- packet.c | 21 ++------------------- packet.h | 3 +-- pathnames.h | 3 +-- ssh.h | 4 ++-- ssh_config.5 | 9 ++------- sshkey.h | 4 +--- 9 files changed, 12 insertions(+), 49 deletions(-) (limited to 'ssh_config.5') diff --git a/clientloop.c b/clientloop.c index dbc2c85c6..367b682ff 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.295 2017/04/30 23:28:41 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.296 2017/05/03 21:08:09 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -942,7 +942,7 @@ print_escape_help(Buffer *b, int escape_char, int mux_client, int using_stderr) } /* - * Process the characters one by one, call with c==NULL for proto1 case. + * Process the characters one by one. */ static int process_escapes(Channel *c, Buffer *bin, Buffer *bout, Buffer *berr, diff --git a/kex.h b/kex.h index 3794f2127..13b22351f 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.81 2016/09/28 21:44:52 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.82 2017/05/03 21:08:09 naddy Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -225,9 +225,6 @@ int kexc25519_shared_key(const u_char key[CURVE25519_SIZE], __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); -int -derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]); - #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) void dump_digest(char *, u_char *, int); #endif diff --git a/opacket.h b/opacket.h index c487f4f40..46d31f805 100644 --- a/opacket.h +++ b/opacket.h @@ -6,7 +6,6 @@ void ssh_packet_start(struct ssh *, u_char); void ssh_packet_put_char(struct ssh *, int ch); void ssh_packet_put_int(struct ssh *, u_int value); void ssh_packet_put_int64(struct ssh *, u_int64_t value); -void ssh_packet_put_bignum(struct ssh *, BIGNUM * value); void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value); void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *); void ssh_packet_put_string(struct ssh *, const void *buf, u_int len); 
@@ -17,7 +16,6 @@ void ssh_packet_send(struct ssh *); u_int ssh_packet_get_char(struct ssh *); u_int ssh_packet_get_int(struct ssh *); u_int64_t ssh_packet_get_int64(struct ssh *); -void ssh_packet_get_bignum(struct ssh *, BIGNUM * value); void ssh_packet_get_bignum2(struct ssh *, BIGNUM * value); void ssh_packet_get_ecpoint(struct ssh *, const EC_GROUP *, EC_POINT *); void *ssh_packet_get_string(struct ssh *, u_int *length_ptr); @@ -62,8 +60,6 @@ void packet_read_expect(int expected_type); ssh_packet_get_protocol_flags(active_state) #define packet_start_compression(level) \ ssh_packet_start_compression(active_state, (level)) -#define packet_set_encryption_key(key, keylen, number) \ - ssh_packet_set_encryption_key(active_state, (key), (keylen), (number)) #define packet_start(type) \ ssh_packet_start(active_state, (type)) #define packet_put_char(value) \ @@ -78,8 +74,6 @@ void packet_read_expect(int expected_type); ssh_packet_put_cstring(active_state, (str)) #define packet_put_raw(buf, len) \ ssh_packet_put_raw(active_state, (buf), (len)) -#define packet_put_bignum(value) \ - ssh_packet_put_bignum(active_state, (value)) #define packet_put_bignum2(value) \ ssh_packet_put_bignum2(active_state, (value)) #define packet_send() \ @@ -88,8 +82,6 @@ void packet_read_expect(int expected_type); ssh_packet_read(active_state) #define packet_get_int64() \ ssh_packet_get_int64(active_state) -#define packet_get_bignum(value) \ - ssh_packet_get_bignum(active_state, (value)) #define packet_get_bignum2(value) \ ssh_packet_get_bignum2(active_state, (value)) #define packet_remaining() \ diff --git a/packet.c b/packet.c index f997064cb..533bd1e61 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.252 2017/04/30 23:28:42 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.253 2017/05/03 21:08:09 naddy Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -184,10 +184,6 @@ struct session_state { u_int32_t rekey_interval; /* how often in seconds */ time_t rekey_time; /* time of last rekeying */ - /* Session key for protocol v1 */ - u_char ssh1_key[SSH_SESSION_KEY_LENGTH]; - u_int ssh1_keylen; - /* roundup current message to extra_pad bytes */ u_char extra_pad; @@ -278,8 +274,7 @@ ssh_packet_is_rekeying(struct ssh *ssh) } /* - * Sets the descriptors used for communication. Disables encryption until - * packet_set_encryption_key is called. + * Sets the descriptors used for communication. */ struct ssh * ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) @@ -796,18 +791,6 @@ uncompress_buffer(struct ssh *ssh, struct sshbuf *in, struct sshbuf *out) /* NOTREACHED */ } -/* - * Causes any further packets to be encrypted using the given key. The same - * key is used for both sending and reception. However, both directions are - * encrypted independently of each other. - */ - -void -ssh_packet_set_encryption_key(struct ssh *ssh, const u_char *key, u_int keylen, int number) -{ - fatal("no SSH protocol 1 support"); -} - int ssh_set_newkeys(struct ssh *ssh, int mode) { diff --git a/packet.h b/packet.h index b169f4ea1..b82f45a75 100644 --- a/packet.h +++ b/packet.h @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.h,v 1.78 2017/04/30 23:23:54 djm Exp $ */ +/* $OpenBSD: packet.h,v 1.79 2017/05/03 21:08:09 naddy Exp $ */ /* * Author: Tatu Ylonen @@ -93,7 +93,6 @@ void ssh_packet_set_nonblocking(struct ssh *); int ssh_packet_get_connection_in(struct ssh *); int ssh_packet_get_connection_out(struct ssh *); void ssh_packet_close(struct ssh *); -void ssh_packet_set_encryption_key(struct ssh *, const u_char *, u_int, int); void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *); int ssh_packet_is_rekeying(struct ssh *); diff --git a/pathnames.h b/pathnames.h index a8deb9fc6..cff672e2f 100644 --- a/pathnames.h +++ b/pathnames.h 
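Review bot: The trimmed comment on `ssh_packet_set_connection` drops the statement that a freshly attached connection is unencrypted, which is the security-relevant fact a reader of this function needs; only the reference to the removed `packet_set_encryption_key` had to go. Suggest `/* Sets the descriptors used for communication. Packets are sent in the clear until ssh_set_newkeys() installs the first negotiated keys. */` — `ssh_set_newkeys` is the function that directly follows the deleted stub in this hunk, so it is the natural cross-reference. The body of `ssh_packet_set_connection` lies outside the hunk, so this assumes no other cipher setup happens there.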
@@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.25 2016/03/31 05:24:06 dtucker Exp $ */ +/* $OpenBSD: pathnames.h,v 1.26 2017/05/03 21:08:09 naddy Exp $ */ /* * Author: Tatu Ylonen @@ -36,7 +36,6 @@ */ #define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config" #define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config" -#define _PATH_HOST_KEY_FILE SSHDIR "/ssh_host_key" #define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key" #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" diff --git a/ssh.h b/ssh.h index 882768c5f..08d05ce29 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.85 2017/04/30 23:28:12 djm Exp $ */ +/* $OpenBSD: ssh.h,v 1.86 2017/05/03 21:08:09 naddy Exp $ */ /* * Author: Tatu Ylonen @@ -47,7 +47,7 @@ #define PROTOCOL_MAJOR_1 1 #define PROTOCOL_MINOR_1 5 -/* We support both SSH2 */ +/* We support only SSH2 */ #define PROTOCOL_MAJOR_2 2 #define PROTOCOL_MINOR_2 0 diff --git a/ssh_config.5 b/ssh_config.5 index a565f330d..e8e51d2cb 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.245 2017/04/30 23:18:22 djm Exp $ -.Dd $Mdocdate: April 30 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.246 2017/05/03 21:08:09 naddy Exp $ +.Dd $Mdocdate: May 3 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1564,11 +1564,6 @@ If set to .Cm yes , .Xr ssh 1 must be setuid root. -Note that this option must be set to -.Cm yes -for -.Cm RhostsRSAAuthentication -with older servers. .It Cm User Specifies the user to log in as. This can be useful when a different user name is used on different machines. diff --git a/sshkey.h b/sshkey.h index 0012f885d..fc1956605 100644 --- a/sshkey.h +++ b/sshkey.h 
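Review bot: The new `/* We support only SSH2 */` comment in ssh.h sits two lines below `PROTOCOL_MAJOR_1`/`PROTOCOL_MINOR_1`, which survive this cleanup, and nothing in the hunk says why they are kept. If they are still needed (presumably to recognise and reject 1.x peers during the identification-string exchange — not visible here), a note such as `/* Protocol 1 constants kept only to identify and refuse 1.x peers in the version exchange; there is no SSH1 implementation. */` would stop a later pass from either deleting them or reading them as a sign of lingering SSH1 support. If no user remains, they should go with this commit.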
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.16 2017/04/30 23:18:44 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.17 2017/05/03 21:08:09 naddy Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -184,8 +184,6 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **keyp); int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, const char *passphrase, const char *comment, int force_new_format, const char *new_format_cipher, int new_format_rounds); -int sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, - struct sshkey **keyp, char **commentp); int sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, struct sshkey **keyp, char **commentp); int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, -- cgit v1.2.3 From 9a82e24b986e3e0dc70849dbb2c19aa6c707b37f Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Wed, 3 May 2017 21:49:18 +0000 Subject: upstream commit restore mistakenly deleted description of the ConnectionAttempts option ok markus@ Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348 --- scp.1 | 5 +++-- sftp.1 | 3 ++- ssh.1 | 3 ++- ssh_config.5 | 7 ++++++- 4 files changed, 13 insertions(+), 5 deletions(-) (limited to 'ssh_config.5') diff --git a/scp.1 b/scp.1 index 9b5229ab1..76ce33361 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.73 2017/05/02 13:44:51 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.74 2017/05/03 21:49:18 naddy Exp $ .\" -.Dd $Mdocdate: May 2 2017 $ +.Dd $Mdocdate: May 3 2017 $ .Dt SCP 1 .Os .Sh NAME @@ -130,6 +130,7 @@ For full details of the options listed below, and their possible values, see .It CheckHostIP .It Ciphers .It Compression +.It ConnectionAttempts .It ConnectTimeout .It ControlMaster .It ControlPath diff --git a/sftp.1 b/sftp.1 index 5dce807f6..c218376fb 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.109 2017/05/03 06:32:02 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.110 2017/05/03 21:49:18 naddy Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -199,6 +199,7 @@ For full details of the options listed below, and their possible values, see .It CheckHostIP .It Ciphers .It Compression +.It ConnectionAttempts .It ConnectTimeout .It ControlMaster .It ControlPath diff --git a/ssh.1 b/ssh.1 index b9a85aff9..1c5ad7417 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.379 2017/05/03 06:32:02 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.380 2017/05/03 21:49:18 naddy Exp $ .Dd $Mdocdate: May 3 2017 $ .Dt SSH 1 .Os @@ -469,6 +469,7 @@ For full details of the options listed below, and their possible values, see .It Ciphers .It ClearAllForwardings .It Compression +.It ConnectionAttempts .It ConnectTimeout .It ControlMaster .It ControlPath diff --git a/ssh_config.5 b/ssh_config.5 index e8e51d2cb..68fd028e5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.246 2017/05/03 21:08:09 naddy Exp $ +.\" $OpenBSD: ssh_config.5,v 1.247 2017/05/03 21:49:18 naddy Exp $ .Dd $Mdocdate: May 3 2017 $ .Dt SSH_CONFIG 5 .Os @@ -455,6 +455,11 @@ The argument must be or .Cm no (the default). +.It Cm ConnectionAttempts +Specifies the number of tries (one per second) to make before exiting. +The argument must be an integer. +This may be useful in scripts if the connection sometimes fails. +The default is 1. .It Cm ConnectTimeout Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. -- cgit v1.2.3 
From acaf34fd823235d549c633c0146ee03ac5956e82 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sun, 7 May 2017 23:12:57 +0000 Subject: upstream commit As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@ Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222 --- cipher.c | 64 ++++++++++++++++------------------------------------------- cipher.h | 4 +--- packet.c | 35 ++++---------------------------- ssh_config | 6 +++--- ssh_config.5 | 9 ++------- sshd.8 | 6 +++--- sshd_config.5 | 18 ++--------------- 7 files changed, 32 insertions(+), 110 deletions(-) (limited to 'ssh_config.5') diff --git a/cipher.c b/cipher.c index 9e26b96b8..c3cd5dcf4 100644 --- a/cipher.c +++ b/cipher.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.c,v 1.106 2017/05/04 01:33:21 djm Exp $ */ +/* $OpenBSD: cipher.c,v 1.107 2017/05/07 23:12:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -67,7 +67,6 @@ struct sshcipher { u_int key_len; u_int iv_len; /* defaults to block_size */ u_int auth_len; - u_int discard_len; u_int flags; #define CFLAG_CBC (1<<0) #define CFLAG_CHACHAPOLY (1<<1) 
@@ -83,42 +82,31 @@ struct sshcipher { static const struct sshcipher ciphers[] = { #ifdef WITH_OPENSSL - { "3des-cbc", 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, -# ifndef OPENSSL_NO_BF - { "blowfish-cbc", 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, -# endif /* OPENSSL_NO_BF */ -# ifndef OPENSSL_NO_CAST - { "cast128-cbc", 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, -# endif /* OPENSSL_NO_CAST */ -# ifndef OPENSSL_NO_RC4 - { "arcfour", 8, 16, 0, 0, 0, 0, EVP_rc4 }, - { "arcfour128", 8, 16, 0, 0, 1536, 0, EVP_rc4 }, - { "arcfour256", 8, 32, 0, 0, 1536, 0, EVP_rc4 }, -# endif /* OPENSSL_NO_RC4 */ - { "aes128-cbc", 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, - { "aes192-cbc", 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, - { "aes256-cbc", 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, + { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc }, + { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc }, + { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", - 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, - { "aes128-ctr", 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, - { "aes192-ctr", 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, - { "aes256-ctr", 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, + 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, + { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, + { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, + { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, # ifdef OPENSSL_HAVE_EVPGCM { "aes128-gcm@openssh.com", - 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, + 16, 16, 12, 16, 0, EVP_aes_128_gcm }, { "aes256-gcm@openssh.com", - 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, + 16, 32, 12, 16, 0, EVP_aes_256_gcm }, # endif /* OPENSSL_HAVE_EVPGCM */ #else - { "aes128-ctr", 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL }, - { "aes192-ctr", 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL }, - { "aes256-ctr", 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL }, + { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL }, + { "aes192-ctr", 16, 24, 0, 0, 
CFLAG_AESCTR, NULL }, + { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL }, #endif { "chacha20-poly1305@openssh.com", - 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, - { "none", 8, 0, 0, 0, 0, CFLAG_NONE, NULL }, + 8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL }, + { "none", 8, 0, 0, 0, CFLAG_NONE, NULL }, - { NULL, 0, 0, 0, 0, 0, 0, NULL } + { NULL, 0, 0, 0, 0, 0, NULL } }; /*--*/ @@ -252,7 +240,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, #ifdef WITH_OPENSSL const EVP_CIPHER *type; int klen; - u_char *junk, *discard; #endif *ccp = NULL; @@ -314,23 +301,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } - - if (cipher->discard_len > 0) { - if ((junk = malloc(cipher->discard_len)) == NULL || - (discard = malloc(cipher->discard_len)) == NULL) { - free(junk); - ret = SSH_ERR_ALLOC_FAIL; - goto out; - } - ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len); - explicit_bzero(discard, cipher->discard_len); - free(junk); - free(discard); - if (ret != 1) { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } - } ret = 0; #endif /* WITH_OPENSSL */ out: diff --git a/cipher.h b/cipher.h index f9ac151f7..dc7ecf113 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.51 2017/05/04 01:33:21 djm Exp $ */ +/* $OpenBSD: cipher.h,v 1.52 2017/05/07 23:12:57 djm Exp $ */ /* * Author: Tatu Ylonen @@ -71,7 +71,5 @@ u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *); int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int); int cipher_set_keyiv(struct sshcipher_ctx *, const u_char *); int cipher_get_keyiv_len(const struct sshcipher_ctx *); -int cipher_get_keycontext(const struct sshcipher_ctx *, u_char *); -void cipher_set_keycontext(struct sshcipher_ctx *, const u_char *); #endif /* CIPHER_H */ diff --git a/packet.c b/packet.c index 533bd1e61..ec0eb0cd3 100644 --- a/packet.c +++ b/packet.c 
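Review bot: The `ciphers[]` table in the hunk starting `@@ -83,42 +82,31 @@` relies on positional initializers, which is why dropping the `discard_len` column had to touch every row and why a row with a mis-ordered or missing value would still compile silently. Designated initializers would make each row self-describing and robust to the next column change, e.g. `.key_len = 16, .iv_len = 0, .auth_len = 0, .flags = 0` for the fields whose names are visible in the struct context of the previous hunk (the name, block-size and EVP fields are declared outside this hunk, so their names are not checked here). The change from bare `1` to `CFLAG_CBC` in the flags column is a good step in the same direction.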
@@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.253 2017/05/03 21:08:09 naddy Exp $ */ +/* $OpenBSD: packet.c,v 1.254 2017/05/07 23:12:57 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -884,7 +884,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode) } /* * The 2^(blocksize*2) limit is too expensive for 3DES, - * blowfish, etc, so enforce a 1GB limit for small blocksizes. + * so enforce a 1GB limit for small blocksizes. */ if (enc->block_size >= 16) *max_blocks = (u_int64_t)1 << (enc->block_size*2); @@ -2223,8 +2223,6 @@ int ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) { struct session_state *state = ssh->state; - u_char *p; - size_t slen, rlen; int r; if ((r = kex_to_blob(m, ssh->kex)) != 0 || @@ -2242,22 +2240,6 @@ ssh_packet_get_state(struct ssh *ssh, struct sshbuf *m) (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0) return r; - slen = cipher_get_keycontext(state->send_context, NULL); - rlen = cipher_get_keycontext(state->receive_context, NULL); - if ((r = sshbuf_put_u32(m, slen)) != 0 || - (r = sshbuf_reserve(m, slen, &p)) != 0) - return r; - if (cipher_get_keycontext(state->send_context, p) != (int)slen) - return SSH_ERR_INTERNAL_ERROR; - if ((r = sshbuf_put_u32(m, rlen)) != 0 || - (r = sshbuf_reserve(m, rlen, &p)) != 0) - return r; - if (cipher_get_keycontext(state->receive_context, p) != (int)rlen) - return SSH_ERR_INTERNAL_ERROR; - if ((r = sshbuf_put_stringb(m, state->input)) != 0 || - (r = sshbuf_put_stringb(m, state->output)) != 0) - return r; - return 0; } @@ -2379,8 +2361,8 @@ int ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) { struct session_state *state = ssh->state; - const u_char *keyin, *keyout, *input, *output; - size_t rlen, slen, ilen, olen; + const u_char *input, *output; + size_t ilen, olen; int r; if ((r = kex_from_blob(m, &ssh->kex)) != 0 || 
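Review bot: The removal block in `@@ -2242,22 +2240,6 @@` drops not only the `cipher_get_keycontext` serialisation but also the `sshbuf_put_stringb(m, state->input)` / `state->output` lines, so `ssh_packet_get_state` no longer writes the buffered input and output into the state blob. The companion `ssh_packet_set_state` hunk on this line still declares `input, output, ilen, olen`, which suggests the reader side continues to expect those two strings; if so, the serialised state format now disagrees between the two functions and a state round-trip would fail with a format error or consume the wrong fields. The two puts should be retained, for example folded into the preceding error chain as `(r = sshbuf_put_stringb(m, state->input)) != 0 || (r = sshbuf_put_stringb(m, state->output)) != 0)`. Both functions extend beyond the hunks shown.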
@@ -2407,15 +2389,6 @@ ssh_packet_set_state(struct ssh *ssh, struct sshbuf *m) (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0) return r; - if ((r = sshbuf_get_string_direct(m, &keyout, &slen)) != 0 || - (r = sshbuf_get_string_direct(m, &keyin, &rlen)) != 0) - return r; - if (cipher_get_keycontext(state->send_context, NULL) != (int)slen || - cipher_get_keycontext(state->receive_context, NULL) != (int)rlen) - return SSH_ERR_INVALID_FORMAT; - cipher_set_keycontext(state->send_context, keyout); - cipher_set_keycontext(state->receive_context, keyin); - if ((r = ssh_packet_set_postauth(ssh)) != 0) return r; diff --git a/ssh_config b/ssh_config index 515513c3b..c12f5ef52 100644 --- a/ssh_config +++ b/ssh_config @@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.32 2017/05/03 10:01:44 jmc Exp $ +# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -35,8 +35,8 @@ # IdentityFile ~/.ssh/id_ed25519 # Port 22 # Protocol 2 -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com # EscapeChar ~ # Tunnel no # TunnelDevice any:any diff --git a/ssh_config.5 b/ssh_config.5 index 68fd028e5..db37b92cd 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.247 2017/05/03 21:49:18 naddy Exp $ -.Dd $Mdocdate: May 3 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.248 2017/05/07 23:12:57 djm Exp $ +.Dd $Mdocdate: May 7 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -414,11 +414,6 @@ aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com -arcfour -arcfour128 -arcfour256 -blowfish-cbc -cast128-cbc chacha20-poly1305@openssh.com .Ed .Pp diff --git a/sshd.8 b/sshd.8 index 7725a692c..05368f947 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.288 2017/01/30 23:27:39 dtucker Exp $ -.Dd $Mdocdate: January 30 2017 $ +.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ +.Dd $Mdocdate: May 7 2017 $ .Dt SSHD 8 .Os .Sh NAME @@ -260,7 +260,7 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, +(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. diff --git a/sshd_config.5 b/sshd_config.5 index ac6ccc793..7ccf6fd4e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.243 2017/03/14 07:19:07 djm Exp $ -.Dd $Mdocdate: March 14 2017 $ +.\" $OpenBSD: sshd_config.5,v 1.244 2017/05/07 23:12:57 djm Exp $ +.Dd $Mdocdate: May 7 2017 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -464,16 +464,6 @@ aes128-gcm@openssh.com .It aes256-gcm@openssh.com .It -arcfour -.It -arcfour128 -.It -arcfour256 -.It -blowfish-cbc -.It -cast128-cbc -.It chacha20-poly1305@openssh.com .El .Pp @@ -962,8 +952,6 @@ hmac-md5 .It hmac-md5-96 .It -hmac-ripemd160 -.It hmac-sha1 .It hmac-sha1-96 
@@ -980,8 +968,6 @@ hmac-md5-etm@openssh.com .It hmac-md5-96-etm@openssh.com .It -hmac-ripemd160-etm@openssh.com -.It hmac-sha1-etm@openssh.com .It hmac-sha1-96-etm@openssh.com -- cgit v1.2.3 From 1112b534a6a7a07190e497e6bf86b0d5c5fb02dc Mon Sep 17 00:00:00 2001 From: "bluhm@openbsd.org" Date: Tue, 30 May 2017 18:58:37 +0000 Subject: upstream commit Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee --- readconf.c | 13 +++++++++++-- readconf.h | 3 ++- ssh.1 | 5 +++-- ssh.c | 40 ++++++++++++++++++++++++++++++++-------- ssh_config.5 | 12 ++++++++++-- 5 files changed, 58 insertions(+), 15 deletions(-) (limited to 'ssh_config.5') diff --git a/readconf.c b/readconf.c index 4be5327a9..b11c628f9 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.276 2017/05/20 02:35:47 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.277 2017/05/30 18:58:37 bluhm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -163,7 +163,8 @@ typedef enum { oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, - oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, oVisualHostKey, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, @@ -284,6 +285,7 @@ static struct { { "tunneldevice", oTunnelDevice }, { "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }, + { "remotecommand", oRemoteCommand }, { "visualhostkey", oVisualHostKey }, { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, 
@@ -1440,6 +1442,10 @@ parse_keytypes: intptr = &options->permit_local_command; goto parse_flag; + case oRemoteCommand: + charptr = &options->remote_command; + goto parse_command; + case oVisualHostKey: intptr = &options->visual_host_key; goto parse_flag; @@ -1828,6 +1834,7 @@ initialize_options(Options * options) options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; + options->remote_command = NULL; options->add_keys_to_agent = -1; options->identity_agent = NULL; options->visual_host_key = -1; @@ -2032,6 +2039,7 @@ fill_default_options(Options * options) } \ } while(0) CLEAR_ON_NONE(options->local_command); + CLEAR_ON_NONE(options->remote_command); CLEAR_ON_NONE(options->proxy_command); CLEAR_ON_NONE(options->control_path); CLEAR_ON_NONE(options->revoked_host_keys); @@ -2509,6 +2517,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); dump_cfg_string(oLocalCommand, o->local_command); + dump_cfg_string(oRemoteCommand, o->remote_command); dump_cfg_string(oLogLevel, log_level_name(o->log_level)); dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); #ifdef ENABLE_PKCS11 diff --git a/readconf.h b/readconf.h index f47f53402..94dd427f5 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.122 2017/05/30 18:58:37 bluhm Exp $ */ /* * Author: Tatu Ylonen @@ -134,6 +134,7 @@ typedef struct { char *local_command; int permit_local_command; + char *remote_command; int visual_host_key; int request_tty; diff --git a/ssh.1 b/ssh.1 index 10633d92b..47cd0211d 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.381 2017/05/05 10:41:58 naddy Exp $ -.Dd $Mdocdate: May 5 2017 $ +.\" $OpenBSD: ssh.1,v 1.382 2017/05/30 18:58:37 bluhm Exp $ +.Dd $Mdocdate: May 30 2017 $ .Dt SSH 1 .Os .Sh NAME @@ -518,6 +518,7 @@ For full details of the options listed below, and their possible values, see .It PubkeyAcceptedKeyTypes .It PubkeyAuthentication .It RekeyLimit +.It RemoteCommand .It RemoteForward .It RequestTTY .It SendEnv diff --git a/ssh.c b/ssh.c index cfd6b70e5..6137fd7da 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.460 2017/05/30 08:52:19 markus Exp $ */ +/* $OpenBSD: ssh.c,v 1.461 2017/05/30 18:58:37 bluhm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -973,12 +973,6 @@ main(int ac, char **av) } } - /* Cannot fork to background if no command. */ - if (fork_after_authentication_flag && buffer_len(&command) == 0 && - !no_shell_flag) - fatal("Cannot fork into background without a command " - "to execute."); - /* * Initialize "log" output. Since we are the client all output * goes to stderr unless otherwise specified by -y or -E. @@ -1133,6 +1127,15 @@ main(int ac, char **av) options.use_privileged_port = 0; #endif + if (buffer_len(&command) != 0 && options.remote_command != NULL) + fatal("Cannot execute command-line and remote command."); + + /* Cannot fork to background if no command. */ + if (fork_after_authentication_flag && buffer_len(&command) == 0 && + options.remote_command == NULL && !no_shell_flag) + fatal("Cannot fork into background without a command " + "to execute."); + /* reinit */ log_init(argv0, options.log_level, options.log_facility, !use_syslog); 
@@ -1141,7 +1144,7 @@ main(int ac, char **av) tty_flag = 1; /* Allocate a tty by default if no command specified. */ - if (buffer_len(&command) == 0) + if (buffer_len(&command) == 0 && options.remote_command == NULL) tty_flag = options.request_tty != REQUEST_TTY_NO; /* Force no tty */ @@ -1197,6 +1200,27 @@ main(int ac, char **av) free(cp); } + if (options.remote_command != NULL) { + debug3("expanding RemoteCommand: %s", options.remote_command); + cp = options.remote_command; + options.remote_command = percent_expand(cp, + "C", conn_hash_hex, + "L", shorthost, + "d", pw->pw_dir, + "h", host, + "l", thishost, + "n", host_arg, + "p", portstr, + "r", options.user, + "u", pw->pw_name, + (char *)NULL); + debug3("expanded RemoteCommand: %s", options.remote_command); + free(cp); + buffer_append(&command, options.remote_command, + strlen(options.remote_command)); + + } + if (options.control_path != NULL) { cp = tilde_expand_filename(options.control_path, original_real_uid); diff --git a/ssh_config.5 b/ssh_config.5 index db37b92cd..2c9e20fec 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.248 2017/05/07 23:12:57 djm Exp $ -.Dd $Mdocdate: May 7 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.249 2017/05/30 18:58:37 bluhm Exp $ +.Dd $Mdocdate: May 30 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
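Review bot: The new `RemoteCommand` block in `@@ -1197,6 +1200,27 @@` leaves a stray blank line before its closing brace (`strlen(options.remote_command));` followed by an empty line and `}`), which the neighbouring blocks do not do. The `percent_expand` token list (`C L d h l n p r u`) also appears to duplicate the one used for `LocalCommand` in the `free(cp); }` block immediately above, and the same set is later documented separately in the ssh_config.5 TOKENS section; a shared token table or a small helper that both options call would keep code and documentation from drifting. `main` extends well beyond the hunk.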
@@ -1287,6 +1287,14 @@ is .Cm default none , which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done. +.It Cm RemoteCommand +Specifies a command to execute on the remote machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +the user's shell. +The same escape character substitutions as for +.Cm LocalCommand +will be performed. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. -- cgit v1.2.3 From a3bb250c93bfe556838c46ed965066afce61cffa Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Tue, 30 May 2017 19:38:17 +0000 Subject: upstream commit tweak previous; Upstream-ID: 66987651046c42d142f7318c9695fb81a6d14031 --- ssh_config.5 | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 2c9e20fec..4277f9eac 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.249 2017/05/30 18:58:37 bluhm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $ .Dd $Mdocdate: May 30 2017 $ .Dt SSH_CONFIG 5 .Os 
@@ -1292,9 +1292,11 @@ Specifies a command to execute on the remote machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. -The same escape character substitutions as for -.Cm LocalCommand -will be performed. +Arguments to +.Cm RemoteCommand +accept the tokens described in the +.Sx TOKENS +section. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. @@ -1710,6 +1712,9 @@ accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. .Pp .Cm ProxyCommand accepts the tokens %%, %h, %p, and %r. +.Pp +.Cm RemoteCommand +accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u. .Sh FILES .Bl -tag -width Ds .It Pa ~/.ssh/config -- cgit v1.2.3 From 6f8ca3b92540fa1a9b91670edc98d15448e3d765 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 24 Jun 2017 05:35:05 +0000 Subject: upstream commit use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd --- ssh_config.5 | 6 +++--- sshconnect.c | 6 ++++-- sshd.8 | 24 +++++++++++++++++++----- 3 files changed, 26 insertions(+), 10 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 4277f9eac..1cbfe0403 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $ -.Dd $Mdocdate: May 30 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $ +.Dd $Mdocdate: June 24 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
@@ -809,7 +809,7 @@ The list of available key types may also be obtained using .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key -in the host key database files. +in the host key database files and when validating host certificates. This option is useful for tunneling SSH connections or for multiple servers running on a single host. .It Cm HostName diff --git a/sshconnect.c b/sshconnect.c index d4894b9f1..4100cdc8c 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, host, type, want_cert ? "certificate" : "key"); debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); - if (want_cert && !check_host_cert(hostname, host_key)) + if (want_cert && + !check_host_cert(options.host_key_alias == NULL ? + hostname : options.host_key_alias, host_key)) goto fail; if (options.check_host_ip && ip_status == HOST_NEW) { if (readonly || want_cert) diff --git a/sshd.8 b/sshd.8 index 05368f947..1b18e45b3 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ -.Dd $Mdocdate: May 7 2017 $ +.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $ +.Dd $Mdocdate: June 24 2017 $ .Dt SSHD 8 .Os .Sh NAME 
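Review bot: The new ternary in `@@ -863,7 +863,9 @@` changes which name is matched against certificate principals without a comment saying why, so a later reader may assume `hostname` and `options.host_key_alias` are interchangeable here. A short why-comment above the call would help, e.g. `/* Match certificate principals against HostKeyAlias when set, consistent with the known_hosts lookup (bz#2728). */`. `check_host_key` continues outside the hunk.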
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns and .Ql \&? act as -wildcards); each pattern in turn is matched against the canonical host -name (when authenticating a client) or against the user-supplied -name (when authenticating a server). +wildcards); each pattern in turn is matched against the host name. +When +.Nm sshd +is authenticating a client, such as when using +.Cm HostbasedAuthentication , +this will be the canonical client host name. +When +.Xr ssh 1 +is authenticating a server, this will be the either the host name +given by the user, the value of the +.Xr ssh 1 +.Cm HostkeyAlias +if it was specified, or the canonical server hostname if the +.Xr ssh 1 +.Cm CanonicalizeHostname +option was used. +.Pp A pattern may also be preceded by .Ql \&! to indicate negation: if the host name matches a negated -- cgit v1.2.3 From 1f3d202770a08ee6752ed2a234b7ca6f180eb498 Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Thu, 13 Jul 2017 19:16:33 +0000 Subject: upstream commit man pages with pseudo synopses which list filenames end up creating very ugly output in man -k; after some discussion with ingo, we feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly helpful at page top, is contained already in FILES, and there are sufficiently few that just zapping them is simple; ok schwarze, who also helpfully ran things through a build to check output; Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c --- ssh_config.5 | 7 ++----- sshd_config.5 | 6 ++---- 2 files changed, 4 insertions(+), 9 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 1cbfe0403..89da9b53a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,16 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $ -.Dd $Mdocdate: June 24 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.252 2017/07/13 19:16:33 jmc Exp $ +.Dd $Mdocdate: July 13 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME .Nm ssh_config .Nd OpenSSH SSH client configuration files -.Sh SYNOPSIS -.Nm ~/.ssh/config -.Nm /etc/ssh/ssh_config .Sh DESCRIPTION .Xr ssh 1 obtains configuration data from the following sources in diff --git a/sshd_config.5 b/sshd_config.5 index d12629831..6a77c9343 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,15 +33,13 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.248 2017/06/24 07:08:57 djm Exp $ -.Dd $Mdocdate: June 24 2017 $ +.\" $OpenBSD: sshd_config.5,v 1.249 2017/07/13 19:16:33 jmc Exp $ +.Dd $Mdocdate: July 13 2017 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME .Nm sshd_config .Nd OpenSSH SSH daemon configuration file -.Sh SYNOPSIS -.Nm /etc/ssh/sshd_config .Sh DESCRIPTION .Xr sshd 8 reads configuration data from -- cgit v1.2.3 From 51676ec61491ec6d7cbd06082034e29b377b3bf6 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sun, 23 Jul 2017 23:37:02 +0000 Subject: upstream commit Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@ Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e --- misc.c | 3 ++- packet.c | 4 ++-- ssh_config.5 | 8 +++++--- sshd_config.5 | 8 +++++--- 4 files changed, 14 insertions(+), 9 deletions(-) (limited to 'ssh_config.5') diff --git a/misc.c b/misc.c index af24fa5c4..313c44109 100644 --- a/misc.c +++ b/misc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.110 2017/05/31 09:15:42 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.111 2017/07/23 23:37:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -1085,6 +1085,7 @@ static const struct { const char *name; int value; } ipqos[] = { + { "none", INT_MAX }, /* can't use 0 here; that's CS0 */ { "af11", IPTOS_DSCP_AF11 }, { "af12", IPTOS_DSCP_AF12 }, { "af13", IPTOS_DSCP_AF13 }, diff --git a/packet.c b/packet.c index 9458ffdb2..ff69b6601 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.262 2017/06/24 06:38:11 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.263 2017/07/23 23:37:02 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1997,7 +1997,7 @@ void ssh_packet_set_tos(struct ssh *ssh, int tos) { #ifndef IP_TOS_IS_BROKEN - if (!ssh_packet_connection_is_on_socket(ssh)) + if (!ssh_packet_connection_is_on_socket(ssh) || tos == INT_MAX) return; switch (ssh_packet_connection_af(ssh)) { # ifdef IP_TOS diff --git a/ssh_config.5 b/ssh_config.5 index 89da9b53a..15ca0b4f9 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.252 2017/07/13 19:16:33 jmc Exp $ -.Dd $Mdocdate: July 13 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.253 2017/07/23 23:37:02 djm Exp $ +.Dd $Mdocdate: July 23 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -969,7 +969,9 @@ Accepted values are .Cm lowdelay , .Cm throughput , .Cm reliability , -or a numeric value. +a numeric value, or +.Cm none +to use the operating system default. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for 
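Review bot: `INT_MAX` is used as an in-band "no ToS" sentinel in the `ipqos[]` table added in `@@ -1085,6 +1085,7 @@` and again as a bare literal in the `ssh_packet_set_tos` hunk in packet.c on this line, with the only explanation being the comment `/* can't use 0 here; that's CS0 */`. A named constant in a shared header, e.g. `#define IPQOS_NONE INT_MAX /* IPQoS "none": leave the OS default ToS/DSCP */`, used in both places would make the coupling explicit and keep the two files in step if the sentinel ever changes. The hunks do not show the includes, so it is worth confirming both files already pull in `<limits.h>` for `INT_MAX`.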
diff --git a/sshd_config.5 b/sshd_config.5 index 6a77c9343..76e157f2e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.249 2017/07/13 19:16:33 jmc Exp $ -.Dd $Mdocdate: July 13 2017 $ +.\" $OpenBSD: sshd_config.5,v 1.250 2017/07/23 23:37:02 djm Exp $ +.Dd $Mdocdate: July 23 2017 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -792,7 +792,9 @@ Accepted values are .Cm lowdelay , .Cm throughput , .Cm reliability , -or a numeric value. +a numeric value, or +.Cm none +to use the operating system default. This option may take one or two arguments, separated by whitespace. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for -- cgit v1.2.3 From 22376d27a349f62c502fec3396dfe0fdcb2a40b7 Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Sun, 3 Sep 2017 23:33:13 +0000 Subject: upstream commit Expand ssh_config's StrictModes option with two new settings: StrictModes=accept-new will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. StrictModes=off is the same as StrictModes=no Motivation: StrictModes=no combines two behaviours for host key processing: automatically learning new hostkeys and continuing to connect to hosts with invalid/changed hostkeys. The latter behaviour is quite dangerous since it removes most of the protections the SSH protocol is supposed to provide. Quite a few users want to automatically learn hostkeys however, so this makes that feature available with less danger. At some point in the future, StrictModes=no will change to be a synonym for accept-new, with its current behaviour remaining available via StrictModes=off. bz#2400, suggested by Michael Samuel; ok markus Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64 --- readconf.c | 19 +++++++++++++++---- readconf.h | 7 ++++++- ssh_config.5 | 18 +++++++++++++----- sshconnect.c | 30 ++++++++++++++++++------------ 4 files changed, 52 insertions(+), 22 deletions(-) (limited to 'ssh_config.5') diff --git a/readconf.c b/readconf.c index b11c628f9..4f38b27cf 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.277 2017/05/30 18:58:37 bluhm Exp $ */ +/* $OpenBSD: readconf.c,v 1.278 2017/09/03 23:33:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -751,6 +751,16 @@ static const struct multistate multistate_yesnoask[] = { { "ask", 2 }, { NULL, -1 } }; +static const struct multistate multistate_strict_hostkey[] = { + { "true", SSH_STRICT_HOSTKEY_YES }, + { "false", SSH_STRICT_HOSTKEY_OFF }, + { "yes", SSH_STRICT_HOSTKEY_YES }, + { "no", SSH_STRICT_HOSTKEY_OFF }, + { "ask", SSH_STRICT_HOSTKEY_ASK }, + { "off", SSH_STRICT_HOSTKEY_OFF }, + { "accept-new", SSH_STRICT_HOSTKEY_NEW }, + { NULL, -1 } +}; static const struct multistate multistate_yesnoaskconfirm[] = { { "true", 1 }, { "false", 0 }, @@ -984,7 +994,7 @@ parse_time: case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; - multistate_ptr = multistate_yesnoask; + multistate_ptr = multistate_strict_hostkey; goto parse_multistate; case oCompression: @@ -1927,7 +1937,7 @@ fill_default_options(Options * options) if (options->check_host_ip == -1) options->check_host_ip = 1; if (options->strict_host_key_checking == -1) - options->strict_host_key_checking = 2; /* 2 is default */ + options->strict_host_key_checking = SSH_STRICT_HOSTKEY_ASK; if (options->compression == -1) options->compression = 0; if (options->tcp_keep_alive == -1) @@ -2329,9 +2339,10 @@ fmt_intarg(OpCodes code, int val) case oAddressFamily: return fmt_multistate_int(val, multistate_addressfamily); case oVerifyHostKeyDNS: - case oStrictHostKeyChecking: case oUpdateHostkeys: return fmt_multistate_int(val, multistate_yesnoask); + case oStrictHostKeyChecking: + return fmt_multistate_int(val, multistate_strict_hostkey); case oControlMaster: return fmt_multistate_int(val, multistate_controlmaster); case oTunnel: diff --git a/readconf.h b/readconf.h index 94dd427f5..22fe5c187 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.122 2017/05/30 18:58:37 bluhm Exp $ */ +/* $OpenBSD: readconf.h,v 1.123 2017/09/03 23:33:13 djm Exp $ */ /* * Author: Tatu Ylonen 
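Review bot: The new `multistate_strict_hostkey[]` table in `@@ -751,6 +751,16 @@` maps `"no"`, `"false"` and `"off"` all to `SSH_STRICT_HOSTKEY_OFF`, but nothing in the code records that the commit message intends `no` to later become a synonym for `accept-new` while `off` keeps today's behaviour. A comment on the table, e.g. `/* "no"/"false" are aliases of "off" for now; planned to move to accept-new (bz#2400) */`, would keep that migration plan visible to whoever next edits it. Grouping the three OFF aliases together rather than interleaving them with the other settings would also make the mapping easier to audit.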
@@ -190,6 +190,11 @@ typedef struct { #define SSH_UPDATE_HOSTKEYS_YES 1 #define SSH_UPDATE_HOSTKEYS_ASK 2 +#define SSH_STRICT_HOSTKEY_OFF 0 +#define SSH_STRICT_HOSTKEY_NEW 1 +#define SSH_STRICT_HOSTKEY_YES 2 +#define SSH_STRICT_HOSTKEY_ASK 3 + void initialize_options(Options *); void fill_default_options(Options *); void fill_default_options_for_canonicalization(Options *); diff --git a/ssh_config.5 b/ssh_config.5 index 15ca0b4f9..3823da6f3 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.253 2017/07/23 23:37:02 djm Exp $ -.Dd $Mdocdate: July 23 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.254 2017/09/03 23:33:13 djm Exp $ +.Dd $Mdocdate: September 3 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1459,9 +1459,17 @@ frequently made. This option forces the user to manually add all new hosts. If this flag is set to -.Cm no , -ssh will automatically add new host keys to the -user known hosts files. +.Dq accept-new +then ssh will automatically add new new host keys to the user +known hosts files, but will not permit connections to hosts with +changed host keys. +If this flag is set to +.Dq no +or +.Dq off , +ssh will automatically add new host keys to the user known hosts files, +and allow connections to hosts with changed hostkeys to proceed subject +to some restrictions. If this flag is set to .Cm ask (the default), diff --git a/sshconnect.c b/sshconnect.c index 4013ec7db..2842d9e59 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.284 2017/09/01 05:53:56 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.285 2017/09/03 23:33:13 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -891,7 +891,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, if (readonly || want_cert) goto fail; /* The host is new. */ - if (options.strict_host_key_checking == 1) { + if (options.strict_host_key_checking == + SSH_STRICT_HOSTKEY_YES) { /* * User has requested strict host key checking. We * will not add the host key automatically. The only @@ -900,7 +901,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, error("No %s host key is known for %.200s and you " "have requested strict checking.", type, host); goto fail; - } else if (options.strict_host_key_checking == 2) { + } else if (options.strict_host_key_checking == + SSH_STRICT_HOSTKEY_ASK) { char msg1[1024], msg2[1024]; if (show_other_keys(host_hostkeys, host_key)) @@ -944,8 +946,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, hostkey_trusted = 1; /* user explicitly confirmed */ } /* - * If not in strict mode, add the key automatically to the - * local known_hosts file. + * If in "new" or "off" strict mode, add the key automatically + * to the local known_hosts file. */ if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); @@ -987,7 +989,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, * If strict host key checking is in use, the user will have * to edit the key manually and we can only abort. */ - if (options.strict_host_key_checking) { + if (options.strict_host_key_checking != + SSH_STRICT_HOSTKEY_OFF) { error("%s host key for %.200s was revoked and you have " "requested strict checking.", type, host); goto fail; 
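Review bot: The error in the revoked-key hunk (@@ -987) now runs for accept-new as well as yes and ask, since the test became `!= SSH_STRICT_HOSTKEY_OFF`, but it still tells the user they "have requested strict checking", which is not what an accept-new user configured; the changed-key hunks at @@ -1040 and @@ -1127 reuse the same wording. Naming the option keeps the message accurate for all three modes, e.g. `error("%s host key for %.200s was revoked and StrictHostKeyChecking " "is not off.", type, host);` with the matching change in the two later hunks. check_host_key starts and ends outside these hunks.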
@@ -1040,7 +1043,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, * If strict host key checking is in use, the user will have * to edit the key manually and we can only abort. */ - if (options.strict_host_key_checking) { + if (options.strict_host_key_checking != + SSH_STRICT_HOSTKEY_OFF) { error("%s host key for %.200s has changed and you have " "requested strict checking.", type, host); goto fail; @@ -1127,15 +1131,17 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, "\nMatching host key in %s:%lu", host_found->file, host_found->line); } - if (options.strict_host_key_checking == 1) { - logit("%s", msg); - error("Exiting, you have requested strict checking."); - goto fail; - } else if (options.strict_host_key_checking == 2) { + if (options.strict_host_key_checking == + SSH_STRICT_HOSTKEY_ASK) { strlcat(msg, "\nAre you sure you want " "to continue connecting (yes/no)? ", sizeof(msg)); if (!confirm(msg)) goto fail; + } else if (options.strict_host_key_checking != + SSH_STRICT_HOSTKEY_OFF) { + logit("%s", msg); + error("Exiting, you have requested strict checking."); + goto fail; } else { logit("%s", msg); } -- cgit v1.2.3 From 149a8cd24ce9dd47c36f571738681df5f31a326c Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Mon, 4 Sep 2017 06:34:43 +0000 Subject: upstream commit tweak previous; Upstream-ID: bb8cc40b61b15f6a13d81da465ac5bfc65cbfc4b --- ssh_config.5 | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 3823da6f3..ca5a41103 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.254 2017/09/03 23:33:13 djm Exp $ -.Dd $Mdocdate: September 3 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.255 2017/09/04 06:34:43 jmc Exp $ +.Dd $Mdocdate: September 4 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1458,18 +1458,19 @@ file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. +.Pp If this flag is set to .Dq accept-new -then ssh will automatically add new new host keys to the user +then ssh will automatically add new host keys to the user known hosts files, but will not permit connections to hosts with changed host keys. If this flag is set to .Dq no or .Dq off , -ssh will automatically add new host keys to the user known hosts files, -and allow connections to hosts with changed hostkeys to proceed subject -to some restrictions. +ssh will automatically add new host keys to the user known hosts files +and allow connections to hosts with changed hostkeys to proceed, +subject to some restrictions. If this flag is set to .Cm ask (the default), -- cgit v1.2.3 From 609d7a66ce578abf259da2d5f6f68795c2bda731 Mon Sep 17 00:00:00 2001 
From: "markus@openbsd.org" Date: Thu, 21 Sep 2017 19:16:53 +0000 Subject: upstream commit Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH clients side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@ Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89 --- channels.c | 374 +++++++++++++++++++++++++++++++++++++++++++++-------------- channels.h | 6 +- readconf.c | 42 ++++--- ssh.1 | 21 +++- ssh.c | 5 +- ssh_config.5 | 16 ++- 6 files changed, 346 insertions(+), 118 deletions(-) (limited to 'ssh_config.5') diff --git a/channels.c b/channels.c index 89b7d3486..8ef37c453 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.371 2017/09/19 12:10:30 millert Exp $ */ +/* $OpenBSD: channels.c,v 1.372 2017/09/21 19:16:53 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -209,6 +209,8 @@ static const char *channel_rfwd_bind_host(const char *listen_host); /* non-blocking connect helpers */ static int connect_next(struct channel_connect *); static void channel_connect_ctx_free(struct channel_connect *); +static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); +static int rdynamic_connect_finish(struct ssh *, Channel *); /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -282,6 +284,8 @@ channel_lookup(struct ssh *ssh, int id) case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC_OPEN: + case SSH_CHANNEL_RDYNAMIC_FINISH: case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_ABANDONED: 
@@ -671,6 +675,7 @@ channel_still_open(struct ssh *ssh) case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC_OPEN: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: case SSH_CHANNEL_ABANDONED: @@ -681,6 +686,7 @@ channel_still_open(struct ssh *ssh) continue; case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: + case SSH_CHANNEL_RDYNAMIC_FINISH: case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_MUX_CLIENT: case SSH_CHANNEL_MUX_PROXY: @@ -707,6 +713,8 @@ channel_find_open(struct ssh *ssh) switch (c->type) { case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC_OPEN: + case SSH_CHANNEL_RDYNAMIC_FINISH: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_RPORT_LISTENER: @@ -772,6 +780,8 @@ channel_open_message(struct ssh *ssh) case SSH_CHANNEL_OPENING: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC_OPEN: + case SSH_CHANNEL_RDYNAMIC_FINISH: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_MUX_PROXY: @@ -1124,8 +1134,7 @@ channel_pre_mux_client(struct ssh *ssh, /* try to decode a socks4 header */ static int -channel_decode_socks4(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) +channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) { const u_char *p; char *host; @@ -1141,11 +1150,11 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, debug2("channel %d: decode socks4", c->self); - have = sshbuf_len(c->input); + have = sshbuf_len(input); len = sizeof(s4_req); if (have < len) return 0; - p = sshbuf_ptr(c->input); + p = sshbuf_ptr(input); need = 1; /* SOCKS4A uses an invalid IP address 0.0.0.x */ 
@@ -1170,15 +1179,15 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, } if (found < need) return 0; - if ((r = sshbuf_get(c->input, &s4_req.version, 1)) != 0 || - (r = sshbuf_get(c->input, &s4_req.command, 1)) != 0 || - (r = sshbuf_get(c->input, &s4_req.dest_port, 2)) != 0 || - (r = sshbuf_get(c->input, &s4_req.dest_addr, 4)) != 0) { + if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || + (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || + (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || + (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { debug("channels %d: decode socks4: %s", c->self, ssh_err(r)); return -1; } - have = sshbuf_len(c->input); - p = sshbuf_ptr(c->input); + have = sshbuf_len(input); + p = sshbuf_ptr(input); if (memchr(p, '\0', have) == NULL) { error("channel %d: decode socks4: user not nul terminated", c->self); @@ -1188,7 +1197,7 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); len++; /* trailing '\0' */ strlcpy(username, p, sizeof(username)); - if ((r = sshbuf_consume(c->input, len)) != 0) { + if ((r = sshbuf_consume(input, len)) != 0) { fatal("%s: channel %d: consume: %s", __func__, c->self, ssh_err(r)); } @@ -1198,8 +1207,8 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, host = inet_ntoa(s4_req.dest_addr); c->path = xstrdup(host); } else { /* SOCKS4A: two strings */ - have = sshbuf_len(c->input); - p = sshbuf_ptr(c->input); + have = sshbuf_len(input); + p = sshbuf_ptr(input); if (memchr(p, '\0', have) == NULL) { error("channel %d: decode socks4a: host not nul " "terminated", c->self); @@ -1215,7 +1224,7 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, return -1; } c->path = xstrdup(p); - if ((r = sshbuf_consume(c->input, len)) != 0) { + if ((r = sshbuf_consume(input, len)) != 0) { fatal("%s: channel %d: consume: %s", __func__, c->self, ssh_err(r)); } 
@@ -1234,7 +1243,7 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, s4_rsp.command = 90; /* cd: req granted */ s4_rsp.dest_port = 0; /* ignored */ s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ - if ((r = sshbuf_put(c->output, &s4_rsp, sizeof(s4_rsp))) != 0) { + if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) { fatal("%s: channel %d: append reply: %s", __func__, c->self, ssh_err(r)); } @@ -1251,8 +1260,7 @@ channel_decode_socks4(struct ssh *ssh, Channel *c, #define SSH_SOCKS5_SUCCESS 0x00 static int -channel_decode_socks5(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) +channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) { /* XXX use get/put_u8 instead of trusting struct padding */ struct { @@ -1268,10 +1276,10 @@ channel_decode_socks5(struct ssh *ssh, Channel *c, int r; debug2("channel %d: decode socks5", c->self); - p = sshbuf_ptr(c->input); + p = sshbuf_ptr(input); if (p[0] != 0x05) return -1; - have = sshbuf_len(c->input); + have = sshbuf_len(input); if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { /* format: ver | nmethods | methods */ if (have < 2) @@ -1291,17 +1299,16 @@ channel_decode_socks5(struct ssh *ssh, Channel *c, c->self); return -1; } - if ((r = sshbuf_consume(c->input, nmethods + 2)) != 0) { + if ((r = sshbuf_consume(input, nmethods + 2)) != 0) { fatal("%s: channel %d: consume: %s", __func__, c->self, ssh_err(r)); } /* version, method */ - if ((r = sshbuf_put_u8(c->output, 0x05)) != 0 || - (r = sshbuf_put_u8(c->output, SSH_SOCKS5_NOAUTH)) != 0) { + if ((r = sshbuf_put_u8(output, 0x05)) != 0 || + (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) { fatal("%s: channel %d: append reply: %s", __func__, c->self, ssh_err(r)); } - FD_SET(c->sock, writeset); c->flags |= SSH_SOCKS5_AUTHDONE; debug2("channel %d: socks5 auth done", c->self); return 0; /* need more */ 
@@ -1338,19 +1345,19 @@ channel_decode_socks5(struct ssh *ssh, Channel *c, need++; if (have < need) return 0; - if ((r = sshbuf_consume(c->input, sizeof(s5_req))) != 0) { + if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) { fatal("%s: channel %d: consume: %s", __func__, c->self, ssh_err(r)); } if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { /* host string length */ - if ((r = sshbuf_consume(c->input, 1)) != 0) { + if ((r = sshbuf_consume(input, 1)) != 0) { fatal("%s: channel %d: consume: %s", __func__, c->self, ssh_err(r)); } } - if ((r = sshbuf_get(c->input, &dest_addr, addrlen)) != 0 || - (r = sshbuf_get(c->input, &dest_port, 2)) != 0) { + if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || + (r = sshbuf_get(input, &dest_port, 2)) != 0) { debug("channel %d: parse addr/port: %s", c->self, ssh_err(r)); return -1; } @@ -1380,9 +1387,9 @@ channel_decode_socks5(struct ssh *ssh, Channel *c, s5_rsp.atyp = SSH_SOCKS5_IPV4; dest_port = 0; /* ignored */ - if ((r = sshbuf_put(c->output, &s5_rsp, sizeof(s5_rsp))) != 0 || - (r = sshbuf_put_u32(c->output, ntohl(INADDR_ANY))) != 0 || - (r = sshbuf_put(c->output, &dest_port, sizeof(dest_port))) != 0) + if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || + (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 || + (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) fatal("%s: channel %d: append reply: %s", __func__, c->self, ssh_err(r)); return 1; @@ -1434,10 +1441,10 @@ channel_pre_dynamic(struct ssh *ssh, Channel *c, /* XXX sshbuf_peek_u8? */ switch (p[0]) { case 0x04: - ret = channel_decode_socks4(ssh, c, readset, writeset); + ret = channel_decode_socks4(c, c->input, c->output); break; case 0x05: - ret = channel_decode_socks5(ssh, c, readset, writeset); + ret = channel_decode_socks5(c, c->input, c->output); break; default: ret = -1; 
@@ -1449,6 +1456,8 @@ channel_pre_dynamic(struct ssh *ssh, Channel *c, debug2("channel %d: pre_dynamic: need more", c->self); /* need more */ FD_SET(c->sock, readset); + if (sshbuf_len(c->output)) + FD_SET(c->sock, writeset); } else { /* switch to the next state */ c->type = SSH_CHANNEL_OPENING; 
@@ -1456,6 +1465,81 @@ channel_pre_dynamic(struct ssh *ssh, Channel *c, } } +/* simulate read-error */ +static void +rdynamic_close(struct ssh *ssh, Channel *c) +{ + c->type = SSH_CHANNEL_OPEN; + chan_read_failed(ssh, c); + sshbuf_reset(c->input); + chan_ibuf_empty(ssh, c); + sshbuf_reset(c->output); + chan_write_failed(ssh, c); +} + +/* reverse dynamic port forwarding */ +static void +channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c) +{ + const u_char *p; + u_int have, len; + int r, ret; + + have = sshbuf_len(c->output); + debug2("channel %d: pre_rdynamic: have %d", c->self, have); + /* sshbuf_dump(c->output, stderr); */ + /* EOF received */ + if (c->flags & CHAN_EOF_RCVD) { + if ((r = sshbuf_consume(c->output, have)) != 0) { + fatal("%s: channel %d: consume: %s", + __func__, c->self, ssh_err(r)); + } + rdynamic_close(ssh, c); + return; + } + /* check if the fixed size part of the packet is in buffer. */ + if (have < 3) + return; + /* try to guess the protocol */ + p = sshbuf_ptr(c->output); + switch (p[0]) { + case 0x04: + /* switch input/output for reverse forwarding */ + ret = channel_decode_socks4(c, c->output, c->input); + break; + case 0x05: + ret = channel_decode_socks5(c, c->output, c->input); + break; + default: + ret = -1; + break; + } + if (ret < 0) { + rdynamic_close(ssh, c); + } else if (ret == 0) { + debug2("channel %d: pre_rdynamic: need more", c->self); + /* send socks request to peer */ + len = sshbuf_len(c->input); + if (len > 0 && len < c->remote_window) { + if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || + (r = sshpkt_put_stringb(ssh, c->input)) != 0 || + (r = sshpkt_send(ssh)) != 0) { + fatal("%s: channel %i: rdynamic: %s", __func__, + c->self, ssh_err(r)); + } + if ((r = sshbuf_consume(c->input, len)) != 0) { + fatal("%s: channel %d: consume: %s", + __func__, c->self, ssh_err(r)); + } + c->remote_window -= len; + } + } else if (rdynamic_connect_finish(ssh, c) < 0) 
{ + /* the connect failed */ + rdynamic_close(ssh, c); + } +} + /* This is our fake X11 server socket. */ static void channel_post_x11_listener(struct ssh *ssh, Channel *c, @@ -1699,14 +1783,15 @@ static void channel_post_connecting(struct ssh *ssh, Channel *c, fd_set *readset, fd_set *writeset) { - int err = 0, sock, r; + int err = 0, sock, isopen, r; socklen_t sz = sizeof(err); if (!FD_ISSET(c->sock, writeset)) return; if (!c->have_remote_id) fatal(":%s: channel %d: no remote id", __func__, c->self); - + /* for rdynamic the OPEN_CONFIRMATION has been sent already */ + isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH); if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { err = errno; error("getsockopt SO_ERROR failed"); @@ -1716,14 +1801,21 @@ channel_post_connecting(struct ssh *ssh, Channel *c, c->self, c->connect_ctx.host, c->connect_ctx.port); channel_connect_ctx_free(&c->connect_ctx); c->type = SSH_CHANNEL_OPEN; - if ((r = sshpkt_start(ssh, - SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - (r = sshpkt_put_u32(ssh, c->self)) != 0 || - (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || - (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { - fatal("%s: channel %i: confirm: %s", __func__, - c->self, ssh_err(r)); + if (isopen) { + /* no message necessary */ + } else { + if ((r = sshpkt_start(ssh, + SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || + (r = sshpkt_put_u32(ssh, c->self)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_maxpacket)) + != 0) + fatal("%s: channel %i: confirm: %s", __func__, + c->self, ssh_err(r)); + if ((r = sshpkt_send(ssh)) != 0) + fatal("%s: channel %i: %s", __func__, c->self, + ssh_err(r)); } } else { debug("channel %d: connection failed: %s", 
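Review bot: `debug2("channel %d: pre_rdynamic: have %d", c->self, have);` in the @@ -1456 hunk prints the u_int `have` with `%d`; `%u` matches the declared type. Separately, channel_before_prepare_select_rdynamic is the one place where the channel's buffers swap roles — c->output holds bytes received from the remote peer's SOCKS client and c->input holds the reply that is sent back with sshpkt_put_stringb — and that deserves a comment at the top of the function rather than only the one-line remark at the socks4 call, e.g. `/* reverse forwarding: c->output carries the untrusted SOCKS request from the remote peer, c->input the reply we send back */`.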
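Review bot: The success path in the @@ -1716 hunk has an empty then-branch, `if (isopen) { /* no message necessary */ } else { ... }`; inverting the condition to `if (!isopen) {` and moving the remark to where `isopen` is assigned reads more directly and drops a nesting level. channel_post_connecting continues into the next hunk.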
@@ -1739,22 +1831,27 @@ channel_post_connecting(struct ssh *ssh, Channel *c, error("connect_to %.100s port %d: failed.", c->connect_ctx.host, c->connect_ctx.port); channel_connect_ctx_free(&c->connect_ctx); - if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - (r = sshpkt_put_u32(ssh, SSH2_OPEN_CONNECT_FAILED)) != 0) { - fatal("%s: channel %i: failure: %s", __func__, - c->self, ssh_err(r)); - } - if ((datafellows & SSH_BUG_OPENFAILURE) == 0 && - ((r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || - (r = sshpkt_put_cstring(ssh, "")) != 0)) { - fatal("%s: channel %i: failure: %s", __func__, - c->self, ssh_err(r)); + if (isopen) { + rdynamic_close(ssh, c); + } else { + if ((r = sshpkt_start(ssh, + SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || + (r = sshpkt_put_u32(ssh, SSH2_OPEN_CONNECT_FAILED)) + != 0) + fatal("%s: channel %i: failure: %s", __func__, + c->self, ssh_err(r)); + if ((datafellows & SSH_BUG_OPENFAILURE) == 0 && + ((r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || + (r = sshpkt_put_cstring(ssh, "")) != 0)) + fatal("%s: channel %i: failure: %s", __func__, + c->self, ssh_err(r)); + if ((r = sshpkt_send(ssh)) != 0) + fatal("%s: channel %i: %s", __func__, c->self, + ssh_err(r)); + chan_mark_dead(ssh, c); } - chan_mark_dead(ssh, c); } - if ((r = sshpkt_send(ssh)) != 0) - fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); } static int @@ -2187,6 +2284,7 @@ channel_handler_init(struct ssh_channels *sc) pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; + pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting; pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 
@@ -2199,6 +2297,7 @@ channel_handler_init(struct ssh_channels *sc) post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; + post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting; post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; @@ -2279,6 +2378,27 @@ channel_handler(struct ssh *ssh, int table, __func__, (int)*unpause_secs); } +/* + * Create sockets before allocating the select bitmasks. + * This is necessary for things that need to happen after reading + * the network-input but before channel_prepare_select(). + */ +static void +channel_before_prepare_select(struct ssh *ssh) +{ + struct ssh_channels *sc = ssh->chanctxt; + Channel *c; + u_int i, oalloc; + + for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { + c = sc->channels[i]; + if (c == NULL) + continue; + if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN) + channel_before_prepare_select_rdynamic(ssh, c); + } +} + /* * Allocate/update select bitmasks and add any bits relevant to channels in * select bitmasks. @@ -2289,6 +2409,8 @@ channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp, { u_int n, sz, nfdset; + channel_before_prepare_select(ssh); /* might update channel_max_fd */ + n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd); nfdset = howmany(n+1, NFDBITS); @@ -2794,6 +2916,8 @@ channel_input_data(int type, u_int32_t seq, struct ssh *ssh) /* Ignore any data for non-open channels (might happen on close) */ if (c->type != SSH_CHANNEL_OPEN && + c->type != SSH_CHANNEL_RDYNAMIC_OPEN && + c->type != SSH_CHANNEL_RDYNAMIC_FINISH && c->type != SSH_CHANNEL_X11_OPEN) return 0; 
@@ -3032,7 +3156,7 @@ channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) if ((c = channel_lookup(ssh, id)) == NULL) { logit("Received window adjust for non-open channel %d.", id); return 0; - } + } if (channel_proxy_upstream(c, type, seq, ssh)) return 0; @@ -3939,21 +4063,18 @@ channel_connect_ctx_free(struct channel_connect *cctx) } /* - * Return CONNECTING channel to remote host:port or local socket path, + * Return connecting socket to remote host:port or local socket path, * passing back the failure reason if appropriate. */ -static Channel * -connect_to_reason(struct ssh *ssh, const char *name, int port, - char *ctype, char *rname, int *reason, const char **errmsg) +static int +connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, + char *ctype, char *rname, struct channel_connect *cctx, + int *reason, const char **errmsg) { struct addrinfo hints; int gaierr; int sock = -1; char strport[NI_MAXSERV]; - struct channel_connect cctx; - Channel *c; - - memset(&cctx, 0, sizeof(cctx)); if (port == PORT_STREAMLOCAL) { struct sockaddr_un *sunaddr; @@ -3961,7 +4082,7 @@ connect_to_reason(struct ssh *ssh, const char *name, int port, if (strlen(name) > sizeof(sunaddr->sun_path)) { error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); - return (NULL); + return -1; } /* 
@@ -3974,18 +4095,18 @@ connect_to_reason(struct ssh *ssh, const char *name, int port, ai->ai_addr = (struct sockaddr *)(ai + 1); ai->ai_addrlen = sizeof(*sunaddr); ai->ai_family = AF_UNIX; - ai->ai_socktype = SOCK_STREAM; + ai->ai_socktype = socktype; ai->ai_protocol = PF_UNSPEC; sunaddr = (struct sockaddr_un *)ai->ai_addr; sunaddr->sun_family = AF_UNIX; strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); - cctx.aitop = ai; + cctx->aitop = ai; } else { memset(&hints, 0, sizeof(hints)); hints.ai_family = ssh->chanctxt->IPv4or6; - hints.ai_socktype = SOCK_STREAM; + hints.ai_socktype = socktype; snprintf(strport, sizeof strport, "%d", port); - if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) + if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) != 0) { if (errmsg != NULL) *errmsg = ssh_gai_strerror(gaierr); 
@@ -3993,32 +4114,46 @@ connect_to_reason(struct ssh *ssh, const char *name, int port, *reason = SSH2_OPEN_CONNECT_FAILED; error("connect_to %.100s: unknown host (%s)", name, ssh_gai_strerror(gaierr)); - return NULL; + return -1; } } - cctx.host = xstrdup(name); - cctx.port = port; - cctx.ai = cctx.aitop; + cctx->host = xstrdup(name); + cctx->port = port; + cctx->ai = cctx->aitop; - if ((sock = connect_next(&cctx)) == -1) { + if ((sock = connect_next(cctx)) == -1) { error("connect to %.100s port %d failed: %s", name, port, strerror(errno)); - channel_connect_ctx_free(&cctx); - return NULL; + return -1; } - c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); - c->connect_ctx = cctx; - return c; + + return sock; } /* Return CONNECTING channel to remote host:port or local socket path */ static Channel * -connect_to(struct ssh *ssh, const char *name, int port, +connect_to(struct ssh *ssh, const char *host, int port, char *ctype, char *rname) { - return connect_to_reason(ssh, name, port, ctype, rname, NULL, NULL); + struct channel_connect cctx; + Channel *c; + int sock; + + memset(&cctx, 0, sizeof(cctx)); + sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, + &cctx, NULL, NULL); + if (sock == -1) { + channel_connect_ctx_free(&cctx); + return NULL; + } + c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); + c->host_port = port; + c->path = xstrdup(host); + c->connect_ctx = cctx; + + return c; } /* @@ -4038,6 +4173,9 @@ channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, if (open_listen_match_tcpip(fp, listen_host, listen_port, 1)) { if (fp->downstream) return fp->downstream; + if (fp->port_to_connect == 0) + return rdynamic_connect_prepare(ssh, + ctype, rname); return connect_to(ssh, fp->host_to_connect, fp->port_to_connect, ctype, rname); 
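Review bot: connect_to in the @@ -3993 hunk and channel_connect_to_port in the @@ -4107 hunk (next line) now carry the same tail — zero cctx, call connect_to_helper, free on -1, channel_new with SSH_CHANNEL_CONNECTING, set host_port/path/connect_ctx — differing only in the reason/errmsg arguments passed through. Keeping that body in one static function with the removed connect_to_reason's signature lets both call sites collapse to `return connect_to_reason(ssh, host, port, ctype, rname, NULL, NULL);` and `return connect_to_reason(ssh, host, port, ctype, rname, reason, errmsg);`, so the two copies cannot drift apart. The `socktype` parameter of connect_to_helper is passed as SOCK_STREAM by every caller in this commit, which is worth a comment if other socket types are planned.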
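Review bot: `if (fp->port_to_connect == 0)` in the @@ -4038 hunk makes port 0 the marker for a SOCKS-mode remote forward, alongside the existing PORT_STREAMLOCAL convention for Unix sockets, and nothing in the hunk shows where the dynamic parse path stores that 0 (presumably parse_forward, outside this diff). A named constant or at least a comment would tie the two ends together, e.g. `/* port 0 marks a dynamic (SOCKS) RemoteForward with no fixed destination */`.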
@@ -4075,7 +4213,10 @@ channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, char *ctype, char *rname, int *reason, const char **errmsg) { struct ssh_channels *sc = ssh->chanctxt; + struct channel_connect cctx; + Channel *c; u_int i, permit, permit_adm = 1; + int sock; ForwardPermission *fp; permit = sc->all_opens_permitted; @@ -4107,7 +4248,22 @@ channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; return NULL; } - return connect_to_reason(ssh, host, port, ctype, rname, reason, errmsg); + + memset(&cctx, 0, sizeof(cctx)); + sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, + &cctx, reason, errmsg); + if (sock == -1) { + channel_connect_ctx_free(&cctx); + return NULL; + } + + c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); + c->host_port = port; + c->path = xstrdup(host); + c->connect_ctx = cctx; + + return c; } /* Check if connecting to that path is permitted and connect. */ 
@@ -4174,6 +4330,54 @@ channel_send_window_changes(struct ssh *ssh) } } +/* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ +static Channel * +rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) +{ + Channel *c; + int r; + + c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); + c->host_port = 0; + c->path = NULL; + + /* + * We need to open the channel before we have a FD, + * so that we can get SOCKS header from peer. + */ + if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || + (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || + (r = sshpkt_put_u32(ssh, c->self)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || + (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { + fatal("%s: channel %i: confirm: %s", __func__, + c->self, ssh_err(r)); + } + return c; +} + +/* Return CONNECTING socket to remote host:port or local socket path */ +static int +rdynamic_connect_finish(struct ssh *ssh, Channel *c) +{ + struct channel_connect cctx; + int sock; + + memset(&cctx, 0, sizeof(cctx)); + sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL, + NULL, &cctx, NULL, NULL); + if (sock == -1) + channel_connect_ctx_free(&cctx); + else { + /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ + c->type = SSH_CHANNEL_RDYNAMIC_FINISH; + c->connect_ctx = cctx; + channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); + } + return sock; +} + /* -- X11 forwarding */ /* diff --git a/channels.h b/channels.h index d1cf5dc6a..126b04345 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.129 2017/09/12 06:35:32 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.130 2017/09/21 19:16:53 markus Exp $ */ /* * Author: Tatu Ylonen 
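Review bot: rdynamic_connect_prepare in the @@ -4174 hunk starts an SSH2_MSG_CHANNEL_OPEN_CONFIRMATION packet but no sshpkt_send follows in the hunk, while the comment in channel_post_connecting ("for rdynamic the OPEN_CONFIRMATION has been sent already") and the new explicit sends there assume it went out; the packet also carries c->remote_id of a channel created on the line above, which the hunk never sets. If the caller is expected to fill remote_id and send the confirmation, the comment here should say so; otherwise it is unclear when, or whether, this packet leaves. rdynamic_connect_finish also deserves a comment that the destination in c->path/c->host_port was parsed from the SOCKS request sent by the remote peer and goes straight to connect_to_helper without the permitted-opens check that channel_connect_to_port performs, e.g. `/* destination comes from the remote SOCKS client; no PermitOpen-style filtering is applied here */`. The ctype/rname arguments passed as NULL here appear unused by connect_to_helper in the visible hunks.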
@@ -57,7 +57,9 @@ #define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */ #define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */ #define SSH_CHANNEL_MUX_PROXY 20 /* proxy channel for mux-slave */ -#define SSH_CHANNEL_MAX_TYPE 21 +#define SSH_CHANNEL_RDYNAMIC_OPEN 21 /* reverse SOCKS, parsing request */ +#define SSH_CHANNEL_RDYNAMIC_FINISH 22 /* reverse SOCKS, finishing connect */ +#define SSH_CHANNEL_MAX_TYPE 23 #define CHANNEL_CANCEL_PORT_STATIC -1 diff --git a/readconf.c b/readconf.c index 4f38b27cf..f63894f9c 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.278 2017/09/03 23:33:13 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.279 2017/09/21 19:16:53 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -836,6 +836,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host, char **cpptr, fwdarg[256]; u_int i, *uintptr, max_entries = 0; int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0; + int remotefwd, dynamicfwd; LogLevel *log_level_ptr; SyslogFacility *log_facility_ptr; long long val64; 
@@ -1255,31 +1256,36 @@ parse_keytypes: fatal("%.200s line %d: Missing port argument.", filename, linenum); - if (opcode == oLocalForward || - opcode == oRemoteForward) { - arg2 = strdelim(&s); - if (arg2 == NULL || *arg2 == '\0') - fatal("%.200s line %d: Missing target argument.", - filename, linenum); + remotefwd = (opcode == oRemoteForward); + dynamicfwd = (opcode == oDynamicForward); - /* construct a string for parse_forward */ - snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2); - } else if (opcode == oDynamicForward) { - strlcpy(fwdarg, arg, sizeof(fwdarg)); + if (!dynamicfwd) { + arg2 = strdelim(&s); + if (arg2 == NULL || *arg2 == '\0') { + if (remotefwd) + dynamicfwd = 1; + else + fatal("%.200s line %d: Missing target " + "argument.", filename, linenum); + } else { + /* construct a string for parse_forward */ + snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, + arg2); + } } + if (dynamicfwd) + strlcpy(fwdarg, arg, sizeof(fwdarg)); - if (parse_forward(&fwd, fwdarg, - opcode == oDynamicForward ? 1 : 0, - opcode == oRemoteForward ? 1 : 0) == 0) + if (parse_forward(&fwd, fwdarg, dynamicfwd, remotefwd) == 0) fatal("%.200s line %d: Bad forwarding specification.", filename, linenum); if (*activep) { - if (opcode == oLocalForward || - opcode == oDynamicForward) - add_local_forward(options, &fwd); - else if (opcode == oRemoteForward) + if (remotefwd) { add_remote_forward(options, &fwd); + } else { + add_local_forward(options, &fwd); + } } break; diff --git a/ssh.1 b/ssh.1 index 3aacec415..2ab1697f9 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.383 2017/06/09 06:43:01 djm Exp $ -.Dd $Mdocdate: June 9 2017 $ +.\" $OpenBSD: ssh.1,v 1.384 2017/09/21 19:16:53 markus Exp $ +.Dd $Mdocdate: September 21 2017 $ .Dt SSH 1 .Os .Sh NAME 
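Review bot: In the @@ -1255 hunk a RemoteForward line whose destination token is missing is silently reinterpreted as a reverse SOCKS proxy (`if (remotefwd) dynamicfwd = 1;`), so a line that used to fail with "Missing target argument" now opens a proxy through which the remote side can reach arbitrary destinations from the local host, as the ssh_config.5 text in this commit describes. The `-R` fallback in the ssh.c @@ -868 hunk has the same effect for a spec that the static parse rejects but the dynamic parse accepts. A log line at the fallback would at least make the mode visible in verbose output, e.g. `debug("%.200s line %d: RemoteForward without destination, using SOCKS proxy", filename, linenum);`. process_config_line_depth starts and ends outside the hunk.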
@@ -592,21 +592,30 @@ Causes most warning and diagnostic messages to be suppressed. .Ar remote_socket : local_socket .Sm on .Xc +.It Fl R Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Xc Specifies that connections to the given TCP port or Unix socket on the remote -(server) host are to be forwarded to the given host and port, or Unix socket, -on the local side. +(server) host are to be forwarded to the local side. +.Pp This works by allocating a socket to listen to either a TCP .Ar port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection -is made to either +is made from the local machine to either an explicit destination specified by .Ar host port .Ar hostport , or .Ar local_socket , -from the local machine. +or, if no explicit destination was specified, +.Nm +will act as a SOCKS 4/5 proxy and forward connections to the destinations +requested by the remote SOCKS client. .Pp Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when diff --git a/ssh.c b/ssh.c index ecc50f37e..ae37432bd 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.463 2017/09/12 06:32:07 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.464 2017/09/21 19:16:53 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -868,7 +868,8 @@ main(int ac, char **av) break; case 'R': - if (parse_forward(&fwd, optarg, 0, 1)) { + if (parse_forward(&fwd, optarg, 0, 1) || + parse_forward(&fwd, optarg, 1, 1)) { add_remote_forward(&options, &fwd); } else { fprintf(stderr, diff --git a/ssh_config.5 b/ssh_config.5 index ca5a41103..eab8dd01c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.255 2017/09/04 06:34:43 jmc Exp $ -.Dd $Mdocdate: September 4 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.256 2017/09/21 19:16:53 markus Exp $ +.Dd $Mdocdate: September 21 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1298,13 +1298,19 @@ accept the tokens described in the section. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over -the secure channel to the specified host and port from the local machine. +the secure channel. +The remote port may either be fowarded to a specified host and port +from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote +client to connect to arbitrary destinations from the local machine. The first argument must be .Sm off .Oo Ar bind_address : Oc Ar port .Sm on -and the second argument must be -.Ar host : Ns Ar hostport . +If forwarding to a specific destination then the second argument must be +.Ar host : Ns Ar hostport , +otherwise if no destination argument is specified then the remote forwarding +will be established as a SOCKS proxy. +.Pp IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. -- cgit v1.2.3