From c53c2af173cf67fd1c26f98e7900299b1b65b6ec Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:28:16 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/16 02:00:34 [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c ssh_config.5 packet.h] Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm --- ssh_config.5 | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 269529c00..97897e00e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.161 2013/01/08 18:49:04 markus Exp $ -.Dd $Mdocdate: January 8 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -931,8 +931,9 @@ The default is This option applies to protocol version 2 only. .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted before the -session key is renegotiated. -The argument is the number of bytes, with an optional suffix of +session key is renegotiated, optionally followed a maximum amount of +time that may pass before the session key is renegotiated. +The first argument is specified in bytes and may have a suffix of .Sq K , .Sq M , or @@ -943,6 +944,17 @@ The default is between and .Sq 4G , depending on the cipher. +The optional second value is specified in seconds and may use any of the +units documented in the +.Sx TIME FORMATS +section of +.Xr sshd_config 5 . +The default value for +.Cm RekeyLimit +is +.Dq default none , +which means that rekeying is performed after the cipher's default amount +of data has been sent or received and no time based rekeying is done. This option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over -- cgit v1.2.3 From 0763698f71efef8b3f8460c5700758359219eb7c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:30:03 +1000 Subject: - djm@cvs.openbsd.org 2013/05/16 04:27:50 [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ --- ChangeLog | 4 ++++ readconf.c | 35 ++++++++++++++++++++++++++--------- readconf.h | 4 +++- ssh_config.5 | 13 ++++++++++++- 4 files changed, 45 insertions(+), 11 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 186c43247..ae0f84777 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page. + - djm@cvs.openbsd.org 2013/05/16 04:27:50 + [ssh_config.5 readconf.h readconf.c] + add the ability to ignore specific unrecognised ssh_config options; + bz#866; ok markus@ 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/readconf.c b/readconf.c index d8898a029..51b23a3b8 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.198 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.199 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -134,8 +134,8 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, - oDeprecated, oUnsupported + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. */ @@ -246,6 +246,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } }; @@ -351,14 +352,17 @@ add_identity_file(Options *options, const char *dir, const char *filename, */ static OpCodes -parse_token(const char *cp, const char *filename, int linenum) +parse_token(const char *cp, const char *filename, int linenum, + const char *ignored_unknown) { - u_int i; + int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - + if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, + strlen(ignored_unknown), 1) == 1) + return oIgnoredUnknownOption; error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); return oBadOption; @@ -377,7 +381,7 @@ process_config_line(Options *options, const char *host, { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; char **cpptr, fwdarg[256]; - u_int *uintptr, max_entries = 0; + u_int i, *uintptr, max_entries = 0; int negated, opcode, *intptr, value, value2, scale; LogLevel *log_level_ptr; long long orig, val64; @@ -400,14 +404,22 @@ process_config_line(Options *options, const char *host, keyword = strdelim(&s); if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#') return 0; + /* Match lowercase keyword */ + for (i = 0; i < strlen(keyword); i++) + keyword[i] = tolower(keyword[i]); - opcode = parse_token(keyword, filename, linenum); + opcode = parse_token(keyword, filename, linenum, + options->ignored_unknown); switch (opcode) { case oBadOption: /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oIgnoredUnknownOption: + debug("%s line %d: Ignored unknown option \"%s\"", + filename, linenum, keyword); + return 0; case oConnectTimeout: intptr = &options->connection_timeout; parse_time: @@ -1077,6 +1089,10 @@ parse_int: *intptr = value; break; + case oIgnoreUnknown: + charptr = &options->ignored_unknown; + goto parse_string; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1238,6 +1254,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->ignored_unknown = NULL; } /* diff --git a/readconf.h b/readconf.h index e20573090..23fc500da 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.94 2013/05/16 02:00:34 dtucker Exp $ */ +/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ /* * Author: Tatu Ylonen @@ -137,6 +137,8 @@ typedef struct { int use_roaming; int request_tty; + + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; #define SSHCTL_MASTER_NO 0 diff --git a/ssh_config.5 b/ssh_config.5 index 97897e00e..955afe351 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.162 2013/05/16 02:00:34 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,6 +597,17 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 -- cgit v1.2.3 From 63e0df2b936770baadc8844617b99e5174b476d0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 16 May 2013 20:30:31 +1000 Subject: - jmc@cvs.openbsd.org 2013/05/16 06:28:45 [ssh_config.5] put IgnoreUnknown in the right place; --- ChangeLog | 3 +++ ssh_config.5 | 24 ++++++++++++------------ 2 files changed, 15 insertions(+), 12 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index ae0f84777..2eaa2a857 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ [ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@ + - jmc@cvs.openbsd.org 2013/05/16 06:28:45 + [ssh_config.5] + put IgnoreUnknown in the right place; 20130510 - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler diff --git a/ssh_config.5 b/ssh_config.5 index 955afe351..003ed68ff 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.163 2013/05/16 04:27:50 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ .Dd $Mdocdate: May 16 2013 $ .Dt SSH_CONFIG 5 .Os @@ -597,17 +597,6 @@ The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). -.It Cm IgnoreUnknown -Specifies a pattern-list of unknown options to be ignored if they are -encountered in configuration parsing. -This may be used to suppress errors if -.Nm -contains options that are unrecognised by -.Xr ssh 1 . -It is recommended that -.Cm IgnoreUnknown -be listed early in the configuration file as it will not be applied -to unknown options that appear before it. .It Cm IdentitiesOnly Specifies that .Xr ssh 1 @@ -668,6 +657,17 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.It Cm IgnoreUnknown +Specifies a pattern-list of unknown options to be ignored if they are +encountered in configuration parsing. +This may be used to suppress errors if +.Nm +contains options that are unrecognised by +.Xr ssh 1 . +It is recommended that +.Cm IgnoreUnknown +be listed early in the configuration file as it will not be applied +to unknown options that appear before it. .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for connections. Accepted values are -- cgit v1.2.3 From 7f2b438ca0b7c3b9684a03d7bf3eaf379da16de9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:10:29 +1000 Subject: - djm@cvs.openbsd.org 2013/06/21 00:37:49 [ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent. --- ChangeLog | 4 ++++ ssh_config.5 | 13 ++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index f8e2c6858..4b8a82591 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@ + - djm@cvs.openbsd.org 2013/06/21 00:37:49 + [ssh_config.5] + explicitly mention that IdentitiesOnly can be used with IdentityFile + to control which keys are offered from an agent. 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh_config.5 b/ssh_config.5 index 003ed68ff..86906a488 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.164 2013/05/16 06:28:45 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ +.Dd $Mdocdate: June 21 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -628,7 +628,9 @@ and .Pa ~/.ssh/id_rsa for protocol version 2. Additionally, any identities represented by the authentication agent -will be used for authentication. +will be used for authentication unless +.Cm IdentitiesOnly +is set. .Xr ssh 1 will try to load certificate information from the filename obtained by appending @@ -657,6 +659,11 @@ Multiple .Cm IdentityFile directives will add to the list of identities tried (this behaviour differs from that of other configuration directives). +.Pp +.Cm IdentityFile +may be used in conjunction with +.Cm IdentitiesOnly +to select which identities in an agent are offered during authentication. .It Cm IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. -- cgit v1.2.3 From fecfd118d6c90df4fcd3cec7b14e4d3ce69a41d5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jul 2013 16:11:50 +1000 Subject: - jmc@cvs.openbsd.org 2013/06/27 14:05:37 [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm --- ChangeLog | 5 +++++ ssh-keygen.1 | 7 +++---- ssh.1 | 12 ++++-------- ssh_config.5 | 14 +++++--------- sshd.8 | 8 +++----- sshd_config.5 | 41 ++++++++++++----------------------------- 6 files changed, 32 insertions(+), 55 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 1502ec873..9cabcb46d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,11 @@ - djm@cvs.openbsd.org 2013/06/22 06:31:57 [scp.c] improved time_t overflow check suggested by guenther@ + - jmc@cvs.openbsd.org 2013/06/27 14:05:37 + [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] + do not use Sx for sections outwith the man page - ingo informs me that + stuff like html will render with broken links; + issue reported by Eric S. Raymond, via djm 20130702 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 7da73e07c..0d55854e9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 19 2013 $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -516,8 +516,7 @@ of two times separated by a colon to indicate an explicit time interval. The start time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. diff --git a/ssh.1 b/ssh.1 index dc7af4864..3cb4254eb 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.332 2013/04/19 01:06:50 djm Exp $ -.Dd $Mdocdate: April 19 2013 $ +.\" $OpenBSD: ssh.1,v 1.333 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -754,9 +754,7 @@ implements public key authentication protocol automatically, using one of the DSA, ECDSA or RSA algorithms. Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. -The -.Sx HISTORY -section of +The HISTORY section of .Xr ssl 8 contains a brief discussion of the DSA and RSA algorithms. .Pp @@ -812,9 +810,7 @@ instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. -See the -.Sx CERTIFICATES -section of +See the CERTIFICATES section of .Xr ssh-keygen 1 for more information. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 86906a488..5d76c6d2d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.165 2013/06/21 00:37:49 djm Exp $ -.Dd $Mdocdate: June 21 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -474,8 +474,7 @@ option is also enabled. .It Cm ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 @@ -964,8 +963,7 @@ and depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the -.Sx TIME FORMATS -section of +TIME FORMATS section of .Xr sshd_config 5 . The default value for .Cm RekeyLimit @@ -1251,9 +1249,7 @@ The default is .Dq no . Note that this option applies to protocol version 2 only. .Pp -See also -.Sx VERIFYING HOST KEYS -in +See also VERIFYING HOST KEYS in .Xr ssh 1 . .It Cm VisualHostKey If this flag is set to diff --git a/sshd.8 b/sshd.8 index 03b77b04e..b0c7ab6bd 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.269 2013/04/07 09:40:27 dtucker Exp $ -.Dd $Mdocdate: April 7 2013 $ +.\" $OpenBSD: sshd.8,v 1.270 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD 8 .Os .Sh NAME @@ -567,9 +567,7 @@ is enabled. Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .Pp diff --git a/sshd_config.5 b/sshd_config.5 index 18b1d81a0..3807c0f3c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.160 2013/05/16 06:30:06 jmc Exp $ -.Dd $Mdocdate: May 16 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.161 2013/06/27 14:05:37 jmc Exp $ +.Dd $Mdocdate: June 27 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -117,9 +117,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AllowTcpForwarding @@ -159,9 +157,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm AuthenticationMethods @@ -205,9 +201,7 @@ Specifies a program to be used to look up the user's public keys. The program must be owned by root and not writable by group or others. It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or -more lines of authorized_keys output (see -.Sx AUTHORIZED_KEYS -in +more lines of authorized_keys output (see AUTHORIZED_KEYS in .Xr sshd 8 ) . If a key supplied by AuthorizedKeysCommand does not successfully authenticate and authorize the user then public key authentication continues using the usual @@ -222,7 +216,7 @@ than running authorized keys commands. Specifies the file that contains the public keys that can be used for user authentication. The format is described in the -.Sx AUTHORIZED_KEYS FILE FORMAT +AUTHORIZED_KEYS FILE FORMAT section of .Xr sshd 8 . .Cm AuthorizedKeysFile @@ -246,9 +240,7 @@ When using certificates signed by a key listed in this file lists names, one of which must appear in the certificate for it to be accepted for authentication. Names are listed one per line preceded by key options (as described -in -.Sx AUTHORIZED_KEYS FILE FORMAT -in +in AUTHORIZED_KEYS FILE FORMAT in .Xr sshd 8 ) . Empty lines and comments starting with .Ql # @@ -426,9 +418,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm DenyUsers @@ -447,9 +437,7 @@ The allow/deny directives are processed in the following order: and finally .Cm AllowGroups . .Pp -See -.Sx PATTERNS -in +See PATTERNS in .Xr ssh_config 5 for more information on patterns. .It Cm ForceCommand @@ -761,8 +749,7 @@ and .Cm Address . The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the -.Sx PATTERNS -section of +PATTERNS section of .Xr ssh_config 5 . .Pp The patterns in an @@ -1043,9 +1030,7 @@ be refused for all users. Keys may be specified as a text file, listing one public key per line, or as an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . -For more information on KRLs, see the -.Sx KEY REVOCATION LISTS -section in +For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together @@ -1134,9 +1119,7 @@ listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using .Cm TrustedUserCAKeys . -For more details on certificates, see the -.Sx CERTIFICATES -section in +For more details on certificates, see the CERTIFICATES section in .Xr ssh-keygen 1 . .It Cm UseDNS Specifies whether -- cgit v1.2.3 From 1262b6638f7d01ab110fd373dd90d915c882fe1a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:44:24 +1000 Subject: - djm@cvs.openbsd.org 2013/08/20 00:11:38 [readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ --- ChangeLog | 8 ++++ readconf.c | 12 +++++- readconf.h | 4 +- ssh_config.5 | 12 +++++- sshconnect.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++--------- 5 files changed, 137 insertions(+), 23 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index a3ac3d537..6b0afa720 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,14 @@ [scp.1 ssh.1] some Bx/Ox conversion; From: Jan Stary + - djm@cvs.openbsd.org 2013/08/20 00:11:38 + [readconf.c readconf.h ssh_config.5 sshconnect.c] + Add a ssh_config ProxyUseFDPass option that supports the use of + ProxyCommands that establish a connection and then pass a connected + file descriptor back to ssh(1). This allows the ProxyCommand to exit + rather than have to shuffle data back and forth and enables ssh to use + getpeername, etc. to obtain address information just like it does with + regular directly-connected sockets. ok markus@ 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/readconf.c b/readconf.c index 1464430a4..7450081cd 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.205 2013/08/20 00:11:37 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -137,7 +137,7 @@ typedef enum { oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -249,6 +249,7 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, + { "proxyusefdpass", oProxyUseFdpass }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } @@ -1072,6 +1073,10 @@ parse_int: charptr = &options->ignored_unknown; goto parse_string; + case oProxyUseFdpass: + intptr = &options->proxy_use_fdpass; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -1233,6 +1238,7 @@ initialize_options(Options * options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->request_tty = -1; + options->proxy_use_fdpass = -1; options->ignored_unknown = NULL; } @@ -1385,6 +1391,8 @@ fill_default_options(Options * options) options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; + if (options->proxy_use_fdpass == -1) + options->proxy_use_fdpass = 0; /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index 23fc500da..ca4a042ad 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.95 2013/05/16 04:27:50 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.96 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen @@ -138,6 +138,8 @@ typedef struct { int request_tty; + int proxy_use_fdpass; + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/ssh_config.5 b/ssh_config.5 index 5d76c6d2d..e89d694c7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.166 2013/06/27 14:05:37 jmc Exp $ -.Dd $Mdocdate: June 27 2013 $ +.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -937,6 +937,14 @@ For example, the following directive would connect via an HTTP proxy at .Bd -literal -offset 3n ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed +.It Cm ProxyUseFdpass +Specifies that the a +.Cm ProxyCommand +will pass a connected file descriptor back to +.Nm ssh +instead of continuing to execute and pass data. +The default is +.Dq no . .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be diff --git a/sshconnect.c b/sshconnect.c index 483eb85ac..76bb5cdac 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.238 2013/05/17 00:13:14 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.239 2013/08/20 00:11:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -59,6 +59,7 @@ #include "misc.h" #include "dns.h" #include "roaming.h" +#include "monitor_fdpass.h" #include "ssh2.h" #include "version.h" @@ -78,16 +79,113 @@ extern uid_t original_effective_uid; static int show_other_keys(struct hostkeys *, Key *); static void warn_changed_key(Key *); +/* Expand a proxy command */ +static char * +expand_proxy_command(const char *proxy_command, const char *user, + const char *host, int port) +{ + char *tmp, *ret, strport[NI_MAXSERV]; + + snprintf(strport, sizeof strport, "%hu", port); + xasprintf(&tmp, "exec %s", proxy_command); + ret = percent_expand(tmp, "h", host, "p", strport, + "r", options.user, (char *)NULL); + free(tmp); + return ret; +} + +/* + * Connect to the given ssh server using a proxy command that passes a + * a connected fd back to us. + */ +static int +ssh_proxy_fdpass_connect(const char *host, u_short port, + const char *proxy_command) +{ + char *command_string; + int sp[2], sock; + pid_t pid; + char *shell; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) + fatal("Could not create socketpair to communicate with " + "proxy dialer: %.100s", strerror(errno)); + + command_string = expand_proxy_command(proxy_command, options.user, + host, port); + debug("Executing proxy dialer command: %.500s", command_string); + + /* Fork and execute the proxy command. */ + if ((pid = fork()) == 0) { + char *argv[10]; + + /* Child. Permanently give up superuser privileges. */ + permanently_drop_suid(original_real_uid); + + close(sp[1]); + /* Redirect stdin and stdout. */ + if (sp[0] != 0) { + if (dup2(sp[0], 0) < 0) + perror("dup2 stdin"); + } + if (sp[0] != 1) { + if (dup2(sp[0], 1) < 0) + perror("dup2 stdout"); + } + if (sp[0] >= 2) + close(sp[0]); + + /* + * Stderr is left as it is so that error messages get + * printed on the user's terminal. + */ + argv[0] = shell; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + /* + * Execute the proxy command. + * Note that we gave up any extra privileges above. + */ + execv(argv[0], argv); + perror(argv[0]); + exit(1); + } + /* Parent. */ + if (pid < 0) + fatal("fork failed: %.100s", strerror(errno)); + close(sp[0]); + free(command_string); + + if ((sock = mm_receive_fd(sp[1])) == -1) + fatal("proxy dialer did not pass back a connection"); + + while (waitpid(pid, NULL, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + + /* Set the connection file descriptors. */ + packet_set_connection(sock, sock); + packet_set_timeout(options.server_alive_interval, + options.server_alive_count_max); + + return 0; +} + /* * Connect to the given ssh server using a proxy command. */ static int ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { - char *command_string, *tmp; + char *command_string; int pin[2], pout[2]; pid_t pid; - char *shell, strport[NI_MAXSERV]; + char *shell; if (!strcmp(proxy_command, "-")) { packet_set_connection(STDIN_FILENO, STDOUT_FILENO); @@ -96,29 +194,19 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) return 0; } + if (options.proxy_use_fdpass) + return ssh_proxy_fdpass_connect(host, port, proxy_command); + if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; - /* Convert the port number into a string. */ - snprintf(strport, sizeof strport, "%hu", port); - - /* - * Build the final command string in the buffer by making the - * appropriate substitutions to the given proxy command. - * - * Use "exec" to avoid "sh -c" processes on some platforms - * (e.g. Solaris) - */ - xasprintf(&tmp, "exec %s", proxy_command); - command_string = percent_expand(tmp, "h", host, "p", strport, - "r", options.user, (char *)NULL); - free(tmp); - /* Create pipes for communicating with the proxy. */ if (pipe(pin) < 0 || pipe(pout) < 0) fatal("Could not create pipes to communicate with the proxy: %.100s", strerror(errno)); + command_string = expand_proxy_command(proxy_command, options.user, + host, port); debug("Executing proxy command: %.500s", command_string); /* Fork and execute the proxy command. */ -- cgit v1.2.3 From f2f6c315a920a256937e1b6a3702757f3195a592 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Aug 2013 02:44:58 +1000 Subject: - jmc@cvs.openbsd.org 2013/08/20 06:56:07 [ssh.1 ssh_config.5] some proxyusefdpass tweaks; --- ChangeLog | 3 +++ ssh.1 | 5 +++-- ssh_config.5 | 6 +++--- 3 files changed, 9 insertions(+), 5 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 6b0afa720..e39f68a5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,9 @@ rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ + - jmc@cvs.openbsd.org 2013/08/20 06:56:07 + [ssh.1 ssh_config.5] + some proxyusefdpass tweaks; 20130808 - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt diff --git a/ssh.1 b/ssh.1 index 09c9dbcbd..227654016 100644 --- a/ssh.1 +++ b/ssh.1 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.335 2013/08/14 08:39:27 jmc Exp $ -.Dd $Mdocdate: August 14 2013 $ +.\" $OpenBSD: ssh.1,v 1.336 2013/08/20 06:56:07 jmc Exp $ +.Dd $Mdocdate: August 20 2013 $ .Dt SSH 1 .Os .Sh NAME @@ -465,6 +465,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It Protocol .It ProxyCommand +.It ProxyUseFdpass .It PubkeyAuthentication .It RekeyLimit .It RemoteForward diff --git a/ssh_config.5 b/ssh_config.5 index e89d694c7..9ddd6b8a6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.167 2013/08/20 00:11:38 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.168 2013/08/20 06:56:07 jmc Exp $ .Dd $Mdocdate: August 20 2013 $ .Dt SSH_CONFIG 5 .Os @@ -938,10 +938,10 @@ For example, the following directive would connect via an HTTP proxy at ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p .Ed .It Cm ProxyUseFdpass -Specifies that the a +Specifies that .Cm ProxyCommand will pass a connected file descriptor back to -.Nm ssh +.Xr ssh 1 instead of continuing to execute and pass data. The default is .Dq no . -- cgit v1.2.3