From 3ec54c7e58eb9724a5d54d3e985992ebecbd7553 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:30:13 +1100 Subject: - djm@cvs.openbsd.org 2006/02/12 06:45:34 [ssh.c ssh_config.5] add a %l expansion code to the ControlPath, which is filled in with the local hostname at runtime. Requested by henning@ to avoid some problems with /home on NFS; ok dtucker@ --- ssh_config.5 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 5c94ffc9c..5d821a0b1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.76 2006/01/20 11:21:45 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.77 2006/02/12 06:45:34 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -306,6 +306,8 @@ section above or the string .Dq none to disable connection sharing. In the path, +.Ql %l +will be substituted by the local host name, .Ql %h will be substituted by the target host name, .Ql %p @@ -315,7 +317,7 @@ by the remote login username. It is recommended that any .Cm ControlPath used for opportunistic connection sharing include -all three of these escape sequences. +at least the last three of these escape sequences (%h, %p and %r). This ensures that shared connections are uniquely identified. .It Cm DynamicForward Specifies that a TCP port on the local machine be forwarded -- cgit v1.2.3 From 20c2ec48c376fc025774bbb903f57de449bb8c5c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:31:01 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/12 10:49:44 [ssh_config.5] slight rewording; ok djm --- ChangeLog | 5 ++++- ssh_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index f8e857153..70b3bcc62 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -79,6 +79,9 @@ raise error when the user specifies a RekeyLimit that is smaller than 16 (the smallest of our cipher's blocksize) or big enough to cause integer wraparound; ok & feedback dtucker@ + - jmc@cvs.openbsd.org 2006/02/12 10:49:44 + [ssh_config.5] + slight rewording; ok djm 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -3980,4 +3983,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4161 2006/03/15 00:30:38 djm Exp $ +$Id: ChangeLog,v 1.4162 2006/03/15 00:31:01 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 5d821a0b1..62a185a39 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.77 2006/02/12 06:45:34 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.78 2006/02/12 10:49:44 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -317,7 +317,7 @@ by the remote login username. It is recommended that any .Cm ControlPath used for opportunistic connection sharing include -at least the last three of these escape sequences (%h, %p and %r). +at least %h, %p, and %r. This ensures that shared connections are uniquely identified. .It Cm DynamicForward Specifies that a TCP port on the local machine be forwarded -- cgit v1.2.3 From 5c853b531f3e2af1aa38d1a911529ecc9511c341 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:37:02 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/19 20:12:25 [ssh_config.5] add some vertical space; --- ChangeLog | 5 ++++- ssh_config.5 | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 50c42733b..d26a81071 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -129,6 +129,9 @@ - jmc@cvs.openbsd.org 2006/02/19 20:05:00 [sshd.8] grammar; + - jmc@cvs.openbsd.org 2006/02/19 20:12:25 + [ssh_config.5] + add some vertical space; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4030,4 +4033,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4176 2006/03/15 00:36:45 djm Exp $ +$Id: ChangeLog,v 1.4177 2006/03/15 00:37:02 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 62a185a39..44107bfe7 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.78 2006/02/12 10:49:44 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.79 2006/02/19 20:12:25 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -50,6 +50,7 @@ .Nm ssh obtains configuration data from the following sources in the following order: +.Pp .Bl -enum -offset indent -compact .It command-line options -- cgit v1.2.3 From 6def55171fa7625da63f6b5c2fc0a45211208c11 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:54:05 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 10:25:14 [ssh_config.5] add section on patterns; from dtucker + myself --- ChangeLog | 6 +++++- ssh_config.5 | 54 +++++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 48 insertions(+), 12 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 8d19a746d..7f34f310f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -150,6 +150,10 @@ [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c] [sshconnect.c] move #include out of includes.h; ok djm@ + - jmc@cvs.openbsd.org 2006/02/24 10:25:14 + [ssh_config.5] + add section on patterns; + from dtucker + myself 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4051,4 +4055,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4181 2006/03/15 00:53:45 djm Exp $ +$Id: ChangeLog,v 1.4182 2006/03/15 00:54:05 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 44107bfe7..5f1ced5b6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.79 2006/02/19 20:12:25 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.80 2006/02/24 10:25:14 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -73,13 +73,47 @@ The matched host name is the one given on the command line. Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. +.Sh PATTERNS +A +.Em pattern +consists of zero or more non-whitespace characters, +.Sq * +(a wildcard that matches zero or more characters), +or +.Sq ?\& +(a wildcard that matches exactly one character). +For example, to specify a set of declarations for any host in the +.Dq .co.uk +set of domains, +the following pattern could be used: +.Pp +.Dl Host *.co.uk +.Pp +The following pattern +would match any host in the 192.168.0.[0-9] network range: .Pp +.Dl Host 192.168.0.? +.Pp +A +.Em pattern-list +is a comma-separated list of patterns. +Patterns within pattern-lists may be negated +by preceding them with an exclamation mark +.Pq Sq !\& . +For example, +to allow a key to be used from anywhere within an organisation +except from the +.Dq dialup +pool, +the following entry (in authorized_keys) could be used: +.Pp +.Dl from=\&"!*.dialup.example.com,*.example.com\&" +.Sh FILE FORMAT The configuration file has the following format: .Pp Empty lines and lines starting with .Ql # are comments. -.Pp Otherwise a line is of the format .Dq keyword arguments . Configuration options may be separated by whitespace or @@ -103,15 +137,13 @@ Restricts the following declarations (up to the next .Cm Host keyword) to be only for those hosts that match one of the patterns given after the keyword. -.Ql \&* -and -.Ql \&? -can be used as wildcards in the -patterns. A single .Ql \&* as a pattern can be used to provide global defaults for all hosts. +See +.Sx PATTERNS +for more information on patterns. The host is the .Ar hostname argument given on the command line (i.e., the name is not converted to 
@@ -805,10 +837,10 @@ Refer to in .Xr sshd_config 5 for how to configure the server. -Variables are specified by name, which may contain the wildcard characters -.Ql \&* -and -.Ql \&? . +Variables are specified by name, which may contain wildcard characters. +See +.Sx PATTERNS +for more information on patterns. Multiple environment variables may be separated by whitespace or spread across multiple .Cm SendEnv -- cgit v1.2.3 From f54a4b9da57eff2b68c09ce7f50b3573f1fc0f4a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:54:36 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 10:37:07 [ssh_config.5] tidy up the refs to PATTERNS; --- ChangeLog | 5 ++++- ssh_config.5 | 16 +++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 4d289aa4c..7087d81f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -157,6 +157,9 @@ - jmc@cvs.openbsd.org 2006/02/24 10:33:54 [sshd_config.5] signpost to PATTERNS; + - jmc@cvs.openbsd.org 2006/02/24 10:37:07 + [ssh_config.5] + tidy up the refs to PATTERNS; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4058,4 +4061,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4183 2006/03/15 00:54:21 djm Exp $ +$Id: ChangeLog,v 1.4184 2006/03/15 00:54:36 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 5f1ced5b6..a334e57dc 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.80 2006/02/24 10:25:14 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.81 2006/02/24 10:37:07 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -141,13 +141,14 @@ A single .Ql \&* as a pattern can be used to provide global defaults for all hosts. -See -.Sx PATTERNS -for more information on patterns. The host is the .Ar hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching). +.Pp +See +.Sx PATTERNS +for more information on patterns. .It Cm AddressFamily Specifies which address family to use when connecting. Valid arguments are @@ -838,14 +839,15 @@ in .Xr sshd_config 5 for how to configure the server. Variables are specified by name, which may contain wildcard characters. -See -.Sx PATTERNS -for more information on patterns. Multiple environment variables may be separated by whitespace or spread across multiple .Cm SendEnv directives. The default is not to send any environment variables. +.Pp +See +.Sx PATTERNS +for more information on patterns. .It Cm ServerAliveCountMax Sets the number of server alive messages (see below) which may be sent without -- cgit v1.2.3 From 1faa7133233075776c83a71b427d19e35790280e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:55:31 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 20:22:16 [ssh-keysign.8 ssh_config.5 sshd_config.5] some consistency fixes; --- ChangeLog | 5 ++++- ssh-keysign.8 | 10 +++++----- ssh_config.5 | 4 ++-- sshd_config.5 | 6 +++--- 4 files changed, 14 insertions(+), 11 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index b5f623a8e..730634ce7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -163,6 +163,9 @@ - jmc@cvs.openbsd.org 2006/02/24 10:39:52 [sshd.8] signpost to PATTERNS section; + - jmc@cvs.openbsd.org 2006/02/24 20:22:16 + [ssh-keysign.8 ssh_config.5 sshd_config.5] + some consistency fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 
@@ -4064,4 +4067,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4185 2006/03/15 00:55:08 djm Exp $ +$Id: ChangeLog,v 1.4186 2006/03/15 00:55:31 djm Exp $ diff --git a/ssh-keysign.8 b/ssh-keysign.8 index a17e8d5cf..4cdcb7a43 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -27,7 +27,7 @@ .Os .Sh NAME .Nm ssh-keysign -.Nd ssh helper program for hostbased authentication +.Nd ssh helper program for host-based authentication .Sh SYNOPSIS .Nm .Sh DESCRIPTION @@ -35,7 +35,7 @@ is used by .Xr ssh 1 to access the local host keys and generate the digital signature -required during hostbased authentication with SSH protocol version 2. +required during host-based authentication with SSH protocol version 2. .Pp .Nm is disabled by default and can only be enabled in the @@ -53,7 +53,7 @@ See .Xr ssh 1 and .Xr sshd 8 -for more information about hostbased authentication. +for more information about host-based authentication. .Sh FILES .Bl -tag -width Ds .It Pa /etc/ssh/ssh_config @@ -67,7 +67,7 @@ They should be owned by root, readable only by root, and not accessible to others. Since they are readable only by root, .Nm -must be set-uid root if hostbased authentication is used. +must be set-uid root if host-based authentication is used. .El .Sh SEE ALSO .Xr ssh 1 , diff --git a/ssh_config.5 b/ssh_config.5 index a334e57dc..5905d4c90 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.81 2006/02/24 10:37:07 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.82 2006/02/24 20:22:16 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -178,7 +178,7 @@ Note that this option does not work if is set to .Dq yes . .It Cm ChallengeResponseAuthentication -Specifies whether to use challenge response authentication. +Specifies whether to use challenge-response authentication. The argument to this keyword must be .Dq yes or diff --git a/sshd_config.5 b/sshd_config.5 index e0768230e..caeddf603 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.49 2006/02/24 10:33:54 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.50 2006/02/24 20:22:16 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -153,7 +153,7 @@ authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -Specifies whether challenge response authentication is allowed. +Specifies whether challenge-response authentication is allowed. All authentication styles from .Xr login.conf 5 are supported. @@ -291,7 +291,7 @@ Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -(hostbased authentication). +(host-based authentication). This option is similar to .Cm RhostsRSAAuthentication and applies to protocol version 2 only. -- cgit v1.2.3 From 208f1ed6f180cc0cfd3ab59d0b1c33796cc4c641 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 15 Mar 2006 11:56:03 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 20:31:31 [ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes; --- ChangeLog | 5 ++++- ssh.1 | 6 +++--- ssh_config.5 | 6 +++--- sshd.8 | 8 ++++---- sshd_config.5 | 8 ++++---- 5 files changed, 18 insertions(+), 15 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 730634ce7..b24ca1887 100644 --- a/ChangeLog +++ b/ChangeLog @@ -166,6 +166,9 @@ - jmc@cvs.openbsd.org 2006/02/24 20:22:16 [ssh-keysign.8 ssh_config.5 sshd_config.5] some consistency fixes; + - jmc@cvs.openbsd.org 2006/02/24 20:31:31 + [ssh.1 ssh_config.5 sshd.8 sshd_config.5] + more consistency fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4067,4 +4070,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4186 2006/03/15 00:55:31 djm Exp $ +$Id: ChangeLog,v 1.4187 2006/03/15 00:56:03 djm Exp $ diff --git a/ssh.1 b/ssh.1 index b9bbe0bd6..e66ad9e88 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.256 2006/02/15 16:53:20 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.257 2006/02/24 20:31:30 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -569,7 +569,7 @@ Disable pseudo-tty allocation. Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, -e.g., when implementing menu services. +e.g. when implementing menu services. Multiple .Fl t options force tty allocation, even if 
@@ -1178,7 +1178,7 @@ If the current session has no tty, this variable is not set. .It Ev TZ This variable is set to indicate the present time zone if it -was set when the daemon was started (i.e., the daemon passes the value +was set when the daemon was started (i.e. the daemon passes the value on to new connections). .It Ev USER Set to the name of the user logging in. diff --git a/ssh_config.5 b/ssh_config.5 index 5905d4c90..66c9ed3f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.82 2006/02/24 20:22:16 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.83 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -138,12 +138,12 @@ Restricts the following declarations (up to the next keyword) to be only for those hosts that match one of the patterns given after the keyword. A single -.Ql \&* +.Ql * as a pattern can be used to provide global defaults for all hosts. The host is the .Ar hostname -argument given on the command line (i.e., the name is not converted to +argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). .Pp See diff --git a/sshd.8 b/sshd.8 index d09dc4e99..0bfd68505 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.229 2006/02/24 10:39:52 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.230 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os 
@@ -81,7 +81,7 @@ configuration file. .Nm rereads its configuration file when it receives a hangup signal, .Dv SIGHUP , -by executing itself with the name and options it was started with, e.g., +by executing itself with the name and options it was started with, e.g.\& .Pa /usr/sbin/sshd . .Pp The options are as follows: @@ -154,7 +154,7 @@ is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. -However, with small key sizes (e.g., 512) using +However, with small key sizes (e.g. 512) using .Nm from inetd may be feasible. @@ -519,7 +519,7 @@ authentication. .It Cm no-port-forwarding Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. -This might be used, e.g., in connection with the +This might be used, e.g. in connection with the .Cm command option. .It Cm no-pty diff --git a/sshd_config.5 b/sshd_config.5 index caeddf603..642e1fa29 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.50 2006/02/24 20:22:16 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.51 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -72,7 +72,7 @@ in for how to configure the client. Note that environment passing is only supported for protocol 2. Variables are specified by name, which may contain the wildcard characters -.Ql \&* +.Ql * and .Ql \&? . Multiple environment variables may be separated by whitespace or spread 
@@ -456,7 +456,7 @@ The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values .Dq start:rate:full -(e.g., "10:30:60"). +(e.g. "10:30:60"). .Nm sshd will refuse connection attempts with a probability of .Dq rate/100 @@ -612,7 +612,7 @@ directory or files world-writable. The default is .Dq yes . .It Cm Subsystem -Configures an external subsystem (e.g., file transfer daemon). +Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command to execute upon subsystem request. The command -- cgit v1.2.3 From 45ee2b91e62eb382e0cd0c61a9b34c25b8efc36c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:56:18 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 23:20:07 [ssh_config.5] some grammar/wording fixes; --- ChangeLog | 5 +- ssh_config.5 | 152 +++++++++++++++++++++++++++++------------------------------ 2 files changed, 78 insertions(+), 79 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index b24ca1887..a24b2d025 100644 --- a/ChangeLog +++ b/ChangeLog @@ -169,6 +169,9 @@ - jmc@cvs.openbsd.org 2006/02/24 20:31:31 [ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes; + - jmc@cvs.openbsd.org 2006/02/24 23:20:07 + [ssh_config.5] + some grammar/wording fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4070,4 +4073,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4187 2006/03/15 00:56:03 djm Exp $ +$Id: ChangeLog,v 1.4188 2006/03/15 00:56:18 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 66c9ed3f5..40fef73cf 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.83 2006/02/24 20:31:31 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.84 2006/02/24 23:20:07 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -47,7 +47,7 @@ .It Pa /etc/ssh/ssh_config .El .Sh DESCRIPTION -.Nm ssh +.Xr ssh 1 obtains configuration data from the following sources in the following order: .Pp @@ -154,7 +154,7 @@ Specifies which address family to use when connecting. Valid arguments are .Dq any , .Dq inet -(use IPv4 only) or +(use IPv4 only), or .Dq inet6 (use IPv6 only). .It Cm BatchMode @@ -188,7 +188,8 @@ The default is .It Cm CheckHostIP If this flag is set to .Dq yes , -ssh will additionally check the host IP address in the +.Xr ssh 1 +will additionally check the host IP address in the .Pa known_hosts file. This allows ssh to detect if a host key changed due to DNS spoofing. @@ -208,7 +209,7 @@ and are supported. .Ar des is only supported in the -.Nm ssh +.Xr ssh 1 client for interoperability with legacy protocol 1 implementations that do not support the .Ar 3des 
@@ -234,18 +235,18 @@ The supported ciphers are .Dq blowfish-cbc , and .Dq cast128-cbc . -The default is -.Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, - arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, - aes192-ctr,aes256-ctr'' +The default is: +.Bd -literal -offset 3n +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, +arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, +aes192-ctr,aes256-ctr .Ed .It Cm ClearAllForwardings -Specifies that all local, remote and dynamic port forwardings +Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is primarily useful when used from the -.Nm ssh +.Xr ssh 1 command line to clear port forwardings set in configuration files, and is automatically set by .Xr scp 1 @@ -278,15 +279,15 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. .It Cm ConnectTimeout -Specifies the timeout (in seconds) used when connecting to the ssh -server, instead of using the default system TCP timeout. +Specifies the timeout (in seconds) used when connecting to the +SSH server, instead of using the default system TCP timeout. This value is used only when the target is down or really unreachable, not when it refuses the connection. .It Cm ControlMaster Enables the sharing of multiple sessions over a single network connection. When set to -.Dq yes -.Nm ssh +.Dq yes , +.Xr ssh 1 will listen for connections on a control socket specified using the .Cm ControlPath argument. @@ -303,8 +304,7 @@ if the control socket does not exist, or is not listening. .Pp Setting this to .Dq ask -will cause -.Nm ssh +will cause ssh to listen for control connections, but require confirmation using the .Ev SSH_ASKPASS program before they are accepted (see 
@@ -312,9 +312,8 @@ program before they are accepted (see for details). If the .Cm ControlPath -can not be opened, -.Nm ssh -will continue without connecting to a master instance. +cannot be opened, +ssh will continue without connecting to a master instance. .Pp X11 and .Xr ssh-agent 1 @@ -345,7 +344,7 @@ will be substituted by the local host name, .Ql %h will be substituted by the target host name, .Ql %p -the port and +the port, and .Ql %r by the remote login username. It is recommended that any @@ -382,7 +381,7 @@ empty address or indicates that the port should be available from all interfaces. .Pp Currently the SOCKS4 and SOCKS5 protocols are supported, and -.Nm ssh +.Xr ssh 1 will act as a SOCKS server. Multiple forwardings may be specified, and additional forwardings can be given on the command line. @@ -457,12 +456,12 @@ if the option is also enabled. .It Cm ForwardX11Trusted If this option is set to -.Dq yes -then remote X11 clients will have full access to the original X11 display. +.Dq yes , +remote X11 clients will have full access to the original X11 display. .Pp If this option is set to -.Dq no -then remote X11 clients will be considered untrusted and prevented +.Dq no , +remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the @@ -479,12 +478,11 @@ the restrictions imposed on untrusted clients. Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, -.Nm ssh +.Xr ssh 1 binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts -can be used to specify that -.Nm ssh +can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be 
@@ -509,13 +507,13 @@ The default is Note that this option applies to protocol version 2 only. .It Cm HashKnownHosts Indicates that -.Nm ssh +.Xr ssh 1 should hash host names and addresses when they are added to .Pa ~/.ssh/known_hosts . These hashed names may be used normally by -.Nm ssh +.Xr ssh 1 and -.Nm sshd , +.Xr sshd 8 , but they do not reveal identifying information should the file's contents be disclosed. The default is @@ -544,30 +542,29 @@ The default for this option is: Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. -This option is useful for tunneling ssh connections +This option is useful for tunneling SSH connections or for multiple servers running on a single host. .It Cm HostName Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. -Default is the name given on the command line. +The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in .Cm HostName specifications). .It Cm IdentitiesOnly Specifies that -.Nm ssh +.Xr ssh 1 should only use the authentication identity files configured in the .Nm files, -even if the -.Nm ssh-agent +even if +.Xr ssh-agent 1 offers more identities. The argument to this keyword must be .Dq yes or .Dq no . -This option is intended for situations where -.Nm ssh-agent +This option is intended for situations where ssh-agent offers many different identities. The default is .Dq no . 
@@ -633,9 +630,9 @@ empty address or indicates that the port should be available from all interfaces. .It Cm LogLevel Gives the verbosity level that is used when logging messages from -.Nm ssh . +.Xr ssh 1 . The possible values are: -QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. @@ -645,7 +642,7 @@ in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. -The default is +The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. @@ -660,7 +657,7 @@ The default is to check the host key for localhost. .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. -Default is 3. +The default is 3. .It Cm PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be @@ -684,7 +681,7 @@ The default is .Dq no . .It Cm Port Specifies the port number to connect on the remote host. -Default is 22. +The default is 22. .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. @@ -696,17 +693,16 @@ The default for this option is: .Dq hostbased,publickey,keyboard-interactive,password . .It Cm Protocol Specifies the protocol versions -.Nm ssh +.Xr ssh 1 should support in order of preference. The possible values are -.Dq 1 +.Sq 1 and -.Dq 2 . +.Sq 2 . Multiple versions must be comma-separated. The default is .Dq 2,1 . -This means that -.Nm ssh +This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. .It Cm ProxyCommand 
@@ -764,9 +760,9 @@ or .Sq G to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between -.Dq 1G +.Sq 1G and -.Dq 4G , +.Sq 4G , depending on the cipher. This option applies to protocol version 2 only. .It Cm RemoteForward @@ -812,7 +808,7 @@ or The default is .Dq no . This option applies to protocol version 1 only and requires -.Nm ssh +.Xr ssh 1 to be setuid root. .It Cm RSAAuthentication Specifies whether to try RSA authentication. @@ -830,8 +826,8 @@ Note that this option applies to protocol version 1 only. Specifies what variables from the local .Xr environ 7 should be sent to the server. -Note that environment passing is only supported for protocol 2, the -server must also support it, and the server must be configured to +Note that environment passing is only supported for protocol 2. +The server must also support it, and the server must be configured to accept these environment variables. Refer to .Cm AcceptEnv @@ -851,11 +847,10 @@ for more information on patterns. .It Cm ServerAliveCountMax Sets the number of server alive messages (see below) which may be sent without -.Nm ssh +.Xr ssh 1 receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, -.Nm ssh -will disconnect from the server, terminating the session. +ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from .Cm TCPKeepAlive 
@@ -871,14 +866,14 @@ server depend on knowing when a connection has become inactive. The default value is 3. If, for example, .Cm ServerAliveInterval -(see below) is set to 15, and +(see below) is set to 15 and .Cm ServerAliveCountMax -is left at the default, if the server becomes unresponsive ssh -will disconnect after approximately 45 seconds. +is left at the default, if the server becomes unresponsive, +ssh will disconnect after approximately 45 seconds. .It Cm ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, -.Nm ssh +.Xr ssh 1 will send a message through the encrypted channel to request a response from the server. The default 
@@ -887,41 +882,39 @@ This option applies to protocol version 2 only. .It Cm SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device -.Nm ssh +.Xr ssh 1 should use to communicate with a smartcard used for storing the user's private RSA key. By default, no device is specified and smartcard support is not activated. .It Cm StrictHostKeyChecking If this flag is set to .Dq yes , -.Nm ssh +.Xr ssh 1 will never automatically add host keys to the .Pa ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, -however, can be annoying when the +though it can be annoying when the .Pa /etc/ssh/ssh_known_hosts -file is poorly maintained, or connections to new hosts are +file is poorly maintained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set to .Dq no , -.Nm ssh -will automatically add new host keys to the +ssh will automatically add new host keys to the user known hosts files. If this flag is set to .Dq ask , new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and -.Nm ssh -will refuse to connect to hosts whose host key has changed. +ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must be .Dq yes , -.Dq no +.Dq no , or .Dq ask . The default is @@ -952,7 +945,7 @@ instead of layer 3 (point-to-point) tunneling from the server. The argument must be .Dq yes , .Dq point-to-point , -.Dq ethernet +.Dq ethernet , or .Dq no . The default is @@ -971,8 +964,8 @@ or The default is .Dq no . If set to -.Dq yes -.Nm ssh +.Dq yes , +.Xr ssh 1 must be setuid root. Note that this option must be set to .Dq yes 
@@ -1005,12 +998,17 @@ need to confirm new host keys according to the option. The argument must be .Dq yes , -.Dq no +.Dq no , or .Dq ask . The default is .Dq no . Note that this option applies to protocol version 2 only. +.Pp +See also +.Sx VERIFYING HOST KEYS +in +.Xr ssh 1 . .It Cm XAuthLocation Specifies the full pathname of the .Xr xauth 1 @@ -1023,9 +1021,7 @@ The default is .It Pa ~/.ssh/config This is the per-user configuration file. The format of this file is described above. -This file is used by the -.Nm ssh -client. +This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. .It Pa /etc/ssh/ssh_config -- cgit v1.2.3 From 9cfbaecb64cbfbd7e9218faa1e95985a72d73038 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:57:55 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/25 12:26:17 [ssh_config.5] document the possible values for KbdInteractiveDevices; --- ChangeLog | 5 ++++- ssh_config.5 | 9 ++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 4d21aae76..d063f9f2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -178,6 +178,9 @@ - jmc@cvs.openbsd.org 2006/02/24 23:51:17 [sshd_config.5] oops - bits i missed; + - jmc@cvs.openbsd.org 2006/02/25 12:26:17 + [ssh_config.5] + document the possible values for KbdInteractiveDevices; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4079,4 +4082,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4190 2006/03/15 00:57:25 djm Exp $ +$Id: ChangeLog,v 1.4191 2006/03/15 00:57:55 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 40fef73cf..0e6a41808 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.84 2006/02/24 23:20:07 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.85 2006/02/25 12:26:17 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -589,6 +589,13 @@ identities will be tried in sequence. Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. +The methods available vary depending on what the server supports. +For an OpenSSH server, +it may be zero or more of: +.Dq bsdauth , +.Dq pam , +and +.Dq skey . .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. -- cgit v1.2.3 From b5282c2f06ee40ee2f7e99cb315956b63c56c7cb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:59:08 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/26 17:17:18 [ssh_config.5] move PATTERNS to the end of the main body; requested by dtucker --- ChangeLog | 5 ++++- ssh_config.5 | 72 ++++++++++++++++++++++++++++++------------------------------ 2 files changed, 40 insertions(+), 37 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index bdfb7520b..dbfb130a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -186,6 +186,9 @@ [sshd_config.5] document the order in which allow/deny directives are processed; help/ok dtucker + - jmc@cvs.openbsd.org 2006/02/26 17:17:18 + [ssh_config.5] + move PATTERNS to the end of the main body; requested by dtucker 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4087,4 +4090,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4193 2006/03/15 00:58:49 djm Exp $ +$Id: ChangeLog,v 1.4194 2006/03/15 00:59:08 djm Exp $ 
diff --git a/ssh_config.5 b/ssh_config.5 index 0e6a41808..3c5bf3919 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.85 2006/02/25 12:26:17 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.86 2006/02/26 17:17:18 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -73,42 +73,7 @@ The matched host name is the one given on the command line. Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. -.Sh PATTERNS -A -.Em pattern -consists of zero or more non-whitespace characters, -.Sq * -(a wildcard that matches zero or more characters), -or -.Sq ?\& -(a wildcard that matches exactly one character). -For example, to specify a set of declarations for any host in the -.Dq .co.uk -set of domains, -the following pattern could be used: -.Pp -.Dl Host *.co.uk -.Pp -The following pattern -would match any host in the 192.168.0.[0-9] network range: .Pp -.Dl Host 192.168.0.? -.Pp -A -.Em pattern-list -is a comma-separated list of patterns. -Patterns within pattern-lists may be negated -by preceding them with an exclamation mark -.Pq Sq !\& . -For example, -to allow a key to be used from anywhere within an organisation -except from the -.Dq dialup -pool, -the following entry (in authorized_keys) could be used: -.Pp -.Dl from=\&"!*.dialup.example.com,*.example.com\&" -.Sh FILE FORMAT The configuration file has the following format: .Pp Empty lines and lines starting with 
@@ -1023,6 +988,41 @@ program. The default is .Pa /usr/X11R6/bin/xauth . .El +.Sh PATTERNS +A +.Em pattern +consists of zero or more non-whitespace characters, +.Sq * +(a wildcard that matches zero or more characters), +or +.Sq ?\& +(a wildcard that matches exactly one character). +For example, to specify a set of declarations for any host in the +.Dq .co.uk +set of domains, +the following pattern could be used: +.Pp +.Dl Host *.co.uk +.Pp +The following pattern +would match any host in the 192.168.0.[0-9] network range: +.Pp +.Dl Host 192.168.0.? +.Pp +A +.Em pattern-list +is a comma-separated list of patterns. +Patterns within pattern-lists may be negated +by preceding them with an exclamation mark +.Pq Sq !\& . +For example, +to allow a key to be used from anywhere within an organisation +except from the +.Dq dialup +pool, +the following entry (in authorized_keys) could be used: +.Pp +.Dl from=\&"!*.dialup.example.com,*.example.com\&" .Sh FILES .Bl -tag -width Ds .It Pa ~/.ssh/config -- cgit v1.2.3 From 4aea974a1df1396a7b2300a331b5162db69a39f0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:59:39 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/26 18:03:10 [ssh_config.5] comma; --- ChangeLog | 5 ++++- ssh_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index ac7af857c..113bb2e18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -192,6 +192,9 @@ - jmc@cvs.openbsd.org 2006/02/26 18:01:13 [sshd_config.5] subsection is pointless here; + - jmc@cvs.openbsd.org 2006/02/26 18:03:10 + [ssh_config.5] + comma; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4093,4 +4096,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4195 2006/03/15 00:59:25 djm Exp $ +$Id: ChangeLog,v 1.4196 2006/03/15 00:59:39 djm Exp $ 
diff --git a/ssh_config.5 b/ssh_config.5 index 3c5bf3919..ba8926e8e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.86 2006/02/26 17:17:18 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.87 2006/02/26 18:03:10 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -87,7 +87,7 @@ optional whitespace and exactly one the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the .Nm ssh , -.Nm scp +.Nm scp , and .Nm sftp .Fl o -- cgit v1.2.3 From 306d118f72670f0da447f28b7eec576dcb4a6e38 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 12:05:59 +1100 Subject: - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 [misc.c ssh_config.5 sshd_config.5] Allow config directives to contain whitespace by surrounding them by double quotes. mindrot #482, man page help from jmc@, ok djm@ --- ChangeLog | 6 +++++- misc.c | 17 +++++++++++++++-- ssh_config.5 | 5 ++++- sshd_config.5 | 5 ++++- 4 files changed, 28 insertions(+), 5 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 74ece7805..c72eeed41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -220,6 +220,10 @@ Make ssh-keygen handle CR and CRLF line termination when converting IETF format keys, in adition to vanilla LF. mindrot #1157, tested by Chris Pepper, ok djm@ + - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 + [misc.c ssh_config.5 sshd_config.5] + Allow config directives to contain whitespace by surrounding them by double + quotes. mindrot #482, man page help from jmc@, ok djm@ 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 
@@ -4121,4 +4125,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4202 2006/03/15 01:05:40 djm Exp $ +$Id: ChangeLog,v 1.4203 2006/03/15 01:05:59 djm Exp $ diff --git a/misc.c b/misc.c index e1da651ef..662480e9e 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.45 2006/02/10 00:27:13 stevesk Exp $"); +RCSID("$OpenBSD: misc.c,v 1.46 2006/03/13 10:14:29 dtucker Exp $"); #include #include @@ -128,6 +128,7 @@ set_nodelay(int fd) /* Characters considered whitespace in strsep calls. */ #define WHITESPACE " \t\r\n" +#define QUOTE "\"" /* return next token in configuration line */ char * @@ -141,15 +142,27 @@ strdelim(char **s) old = *s; - *s = strpbrk(*s, WHITESPACE "="); + *s = strpbrk(*s, WHITESPACE QUOTE "="); if (*s == NULL) return (old); + if (*s[0] == '\"') { + memmove(*s, *s + 1, strlen(*s)); /* move nul too */ + /* Find matching quote */ + if ((*s = strpbrk(*s, QUOTE)) == NULL) { + return (NULL); /* no matching quote */ + } else { + *s[0] = '\0'; + return (old); + } + } + /* Allow only one '=' to be skipped */ if (*s[0] == '=') wspace = 1; *s[0] = '\0'; + /* Skip any extra whitespace after first token */ *s += strspn(*s + 1, WHITESPACE) + 1; if (*s[0] == '=' && !wspace) *s += strspn(*s + 1, WHITESPACE) + 1; diff --git a/ssh_config.5 b/ssh_config.5 index ba8926e8e..f7c9f7145 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.87 2006/02/26 18:03:10 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.88 2006/03/13 10:14:29 dtucker Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
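Review bot: In the new quoted-argument branch of strdelim(), after the closing quote is overwritten with NUL the function returns with `*s` still pointing at that NUL instead of past it, so the next call runs strpbrk() on an empty string and hands the caller an empty token — anything after the closing quote on a line such as `Foo "a b" c` is silently dropped rather than parsed or rejected, and a garbage-at-end-of-line check in the caller (not visible here) would never fire. The closing-quote case should advance the same way the unquoted path does: `*s[0] = '\0';` `*s += strspn(*s + 1, WHITESPACE) + 1;` `return (old);`. Note also that `strpbrk(*s, WHITESPACE QUOTE "=")` stops at a quote anywhere in a token, not only at its start, so an embedded quote like `foo"bar"` is spliced out by the memmove rather than reported; and the unmatched-quote `return (NULL)` is indistinguishable from end-of-input to callers unless they check for it. strdelim()'s signature and final return lie outside this hunk.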
@@ -92,6 +92,9 @@ and .Nm sftp .Fl o option. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. .Pp The possible keywords and their meanings are as follows (note that diff --git a/sshd_config.5 b/sshd_config.5 index 446e59afd..1bd3a624f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.55 2006/02/26 18:01:13 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.56 2006/03/13 10:14:29 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -56,6 +56,9 @@ The file contains keyword-argument pairs, one per line. Lines starting with .Ql # and empty lines are interpreted as comments. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. .Pp The possible keywords and their meanings are as follows (note that -- cgit v1.2.3 From cc3e8ba3c24357b912dd7071ba34ab863de593bd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 12:06:55 +1100 Subject: - markus@cvs.openbsd.org 2006/03/14 16:32:48 [ssh_config.5 sshd_config.5] *AliveCountMax applies to protcol v2 only; ok dtucker, djm --- ChangeLog | 5 ++++- ssh_config.5 | 3 ++- sshd_config.5 | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 57c97c85e..3064b306d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -233,6 +233,9 @@ [canohost.c] log the originating address and not just the name when a reverse mapping check fails, requested by linux AT linuon.com + - markus@cvs.openbsd.org 2006/03/14 16:32:48 + [ssh_config.5 sshd_config.5] + *AliveCountMax applies to protcol v2 only; ok dtucker, djm 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 
@@ -4134,4 +4137,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4205 2006/03/15 01:06:41 djm Exp $ +$Id: ChangeLog,v 1.4206 2006/03/15 01:06:55 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index f7c9f7145..5b02ef821 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.88 2006/03/13 10:14:29 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.89 2006/03/14 16:32:48 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -845,6 +845,7 @@ If, for example, .Cm ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. +This option applies to protocol version 2 only. .It Cm ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, diff --git a/sshd_config.5 b/sshd_config.5 index 1bd3a624f..aad28f4c8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.56 2006/03/13 10:14:29 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.57 2006/03/14 16:32:48 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -223,6 +223,7 @@ If .Cm ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. +This option applies to protocol version 2 only. .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, -- cgit v1.2.3 From 6b1d53c2b090130440c3459876c0033c4e5a466a Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 31 Mar 2006 23:13:21 +1100 Subject: - djm@cvs.openbsd.org 2006/03/30 10:41:25 [ssh.c ssh_config.5] add percent escape chars to the IdentityFile option, bz #1159 based on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@ --- ChangeLog | 6 +++++- ssh.c | 22 ++++++++++++++++------ ssh_config.5 | 17 +++++++++++++++-- 3 files changed, 36 insertions(+), 9 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 827719c9c..792d4fd68 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ silencing a heap of lint warnings. also allows them to use __bounded__ checking which can't be applied to macros; requested by and feedback from deraadt@ + - djm@cvs.openbsd.org 2006/03/30 10:41:25 + [ssh.c ssh_config.5] + add percent escape chars to the IdentityFile option, bz #1159 based + on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@ 20060326 - OpenBSD CVS Sync @@ -4479,4 +4483,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4295 2006/03/31 12:13:02 djm Exp $ +$Id: ChangeLog,v 1.4296 2006/03/31 12:13:21 djm Exp $ diff --git a/ssh.c b/ssh.c index 7e0a8ba4b..5eddd41d5 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.274 2006/03/28 00:12:31 deraadt Exp $ */ +/* $OpenBSD: ssh.c,v 1.275 2006/03/30 10:41:25 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -647,15 +647,15 @@ main(int ac, char **av) options.control_path = NULL; if (options.control_path != NULL) { - char me[NI_MAXHOST]; + char thishost[NI_MAXHOST]; - if (gethostname(me, sizeof(me)) == -1) + if (gethostname(thishost, sizeof(thishost)) == -1) fatal("gethostname: %s", strerror(errno)); snprintf(buf, sizeof(buf), "%d", options.port); cp = tilde_expand_filename(options.control_path, original_real_uid); options.control_path = percent_expand(cp, "p", buf, "h", host, - "r", options.user, "l", me, (char *)NULL); + "r", options.user, "l", thishost, (char *)NULL); xfree(cp); } if (mux_command != 0 && options.control_path == NULL) @@ -1194,9 +1194,10 @@ ssh_session2(void) static void load_public_identity_files(void) { - char *filename; + char *filename, *cp, thishost[NI_MAXHOST]; int i = 0; Key *public; + struct passwd *pw; #ifdef SMARTCARD Key **keys; @@ -1220,9 +1221,18 @@ load_public_identity_files(void) xfree(keys); } #endif /* SMARTCARD */ + if ((pw = getpwuid(original_real_uid)) == NULL) + fatal("load_public_identity_files: getpwuid failed"); + if (gethostname(thishost, sizeof(thishost)) == -1) + fatal("load_public_identity_files: gethostname: %s", + strerror(errno)); for (; i < options.num_identity_files; i++) { - filename = tilde_expand_filename(options.identity_files[i], + cp = tilde_expand_filename(options.identity_files[i], original_real_uid); + filename = percent_expand(cp, "d", pw->pw_dir, + "u", pw->pw_name, "l", thishost, "h", host, + "r", options.user, (char *)NULL); + xfree(cp); public = key_load_public(filename, NULL); debug("identity file %s type %d", filename, public ? public->type : -1); diff --git a/ssh_config.5 b/ssh_config.5 index 5b02ef821..9c621336e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
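Review bot: In load_public_identity_files() the new `gethostname(thishost, sizeof(thishost))` result is passed straight to percent_expand() as a C string, but POSIX leaves it unspecified whether gethostname() NUL-terminates the buffer when the name is truncated, so an over-long hostname would make percent_expand() read past `thishost`; the same applies to the identical call added for ControlPath in main() earlier in this commit. Add `thishost[sizeof(thishost) - 1] = '\0';` after each gethostname() call that does not fatal(). Since the two call sites now duplicate the gethostname-plus-fatal sequence, a small `static` helper that fills and terminates the buffer would keep them consistent. The rest of load_public_identity_files(), including what happens to the heap-allocated `filename` after key_load_public(), is outside this hunk.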
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.89 2006/03/14 16:32:48 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.90 2006/03/30 10:41:25 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -548,8 +548,21 @@ and for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. +.Pp The file name may use the tilde -syntax to refer to a user's home directory. +syntax to refer to a user's home directory or one of the following +escape characters: +.Ql %d +(local user's home directory), +.Ql %u +(local user name), +.Ql %l +(local host name), +.Ql %h +(remote host name) or +.Ql %h +(remote user name). +.Pp It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. -- cgit v1.2.3 From c6437cf00a43e45f238928aea1af86457a9e262e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 31 Mar 2006 23:14:41 +1100 Subject: - jmc@cvs.openbsd.org 2006/03/31 09:09:30 [ssh_config.5] kill trailing whitespace; --- ChangeLog | 5 ++++- ssh_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 9ca87fda0..2a43234ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - dtucker@cvs.openbsd.org 2006/03/30 11:40:21 [auth.c monitor.c] Prevent duplicate log messages when privsep=yes; ok djm@ + - jmc@cvs.openbsd.org 2006/03/31 09:09:30 + [ssh_config.5] + kill trailing whitespace; 20060326 - OpenBSD CVS Sync @@ -4489,4 +4492,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4298 2006/03/31 12:14:23 djm Exp $ +$Id: ChangeLog,v 1.4299 2006/03/31 12:14:41 djm Exp $ 
diff --git a/ssh_config.5 b/ssh_config.5 index 9c621336e..a1c2a5fbe 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.90 2006/03/30 10:41:25 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.91 2006/03/31 09:09:30 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -550,7 +550,7 @@ Additionally, any identities represented by the authentication agent will be used for authentication. .Pp The file name may use the tilde -syntax to refer to a user's home directory or one of the following +syntax to refer to a user's home directory or one of the following escape characters: .Ql %d (local user's home directory), -- cgit v1.2.3 From dfc6183f13d8c0d033d5b259eeb888b4f1236c2d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 31 Mar 2006 23:14:57 +1100 Subject: - djm@cvs.openbsd.org 2006/03/31 09:13:56 [ssh_config.5] remote user escape is %r not %h; spotted by jmc@ --- ChangeLog | 5 ++++- ssh_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 2a43234ca..c9d436915 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ - jmc@cvs.openbsd.org 2006/03/31 09:09:30 [ssh_config.5] kill trailing whitespace; + - djm@cvs.openbsd.org 2006/03/31 09:13:56 + [ssh_config.5] + remote user escape is %r not %h; spotted by jmc@ 20060326 - OpenBSD CVS Sync @@ -4492,4 +4495,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4299 2006/03/31 12:14:41 djm Exp $ +$Id: ChangeLog,v 1.4300 2006/03/31 12:14:57 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index a1c2a5fbe..7744e95f9 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.91 2006/03/31 09:09:30 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.92 2006/03/31 09:13:56 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -560,7 +560,7 @@ escape characters: (local host name), .Ql %h (remote host name) or -.Ql %h +.Ql %r (remote user name). .Pp It is possible to have -- cgit v1.2.3 From 658f9455386fb81d03429a00976986ac18ba4d5e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Jun 2006 13:00:55 +1000 Subject: - dtucker@cvs.openbsd.org 2006/05/29 12:54:08 [ssh_config.5] Add gssapi-with-mic to PreferredAuthentications default list; ok jmc --- ChangeLog | 5 ++++- ssh_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index ae7b7562e..54f18b659 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ - miod@cvs.openbsd.org 2006/05/18 21:27:25 [kexdhc.c kexgexc.c] paramter -> parameter + - dtucker@cvs.openbsd.org 2006/05/29 12:54:08 + [ssh_config.5] + Add gssapi-with-mic to PreferredAuthentications default list; ok jmc 20060521 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor @@ -4646,4 +4649,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4334 2006/06/13 03:00:41 djm Exp $ +$Id: ChangeLog,v 1.4335 2006/06/13 03:00:55 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 7744e95f9..5f66cd9d8 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.92 2006/03/31 09:13:56 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.93 2006/05/29 12:54:08 dtucker Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -678,7 +678,7 @@ This allows a client to prefer one method (e.g.\& over another method (e.g.\& .Cm password ) The default for this option is: -.Dq hostbased,publickey,keyboard-interactive,password . +.Dq gssapi-with-mic,hostbased,publickey,keyboard-interactive,password . .It Cm Protocol Specifies the protocol versions .Xr ssh 1 -- cgit v1.2.3 From 3c6ed7bbd569a33d31533587e41b8ff87d282de0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Jun 2006 13:01:41 +1000 Subject: - jmc@cvs.openbsd.org 2006/05/29 16:10:03 [ssh_config.5] oops - previous was too long; split the list of auths up --- ChangeLog | 9 ++++++--- ssh_config.5 | 9 +++++++-- 2 files changed, 13 insertions(+), 5 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 0d9449ec6..d130a420f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,8 +18,11 @@ Add gssapi-with-mic to PreferredAuthentications default list; ok jmc - dtucker@cvs.openbsd.org 2006/05/29 12:56:33 [ssh_config] - Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in sample - ssh_config. ok markus@ + Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in + sample ssh_config. ok markus@ + - jmc@cvs.openbsd.org 2006/05/29 16:10:03 + [ssh_config.5] + oops - previous was too long; split the list of auths up 20060521 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor 
@@ -4653,4 +4656,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4336 2006/06/13 03:01:09 djm Exp $ +$Id: ChangeLog,v 1.4337 2006/06/13 03:01:41 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 5f66cd9d8..0d40fd63e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.93 2006/05/29 12:54:08 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.94 2006/05/29 16:10:03 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -678,7 +678,12 @@ This allows a client to prefer one method (e.g.\& over another method (e.g.\& .Cm password ) The default for this option is: -.Dq gssapi-with-mic,hostbased,publickey,keyboard-interactive,password . +.Do gssapi-with-mic , +hostbased, +publickey, +keyboard-interactive, +password +.Dc . .It Cm Protocol Specifies the protocol versions .Xr ssh 1 -- cgit v1.2.3 From 991dba43e17f7e4c8706158ecee32f2bfd18cac4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Jul 2006 20:16:27 +1000 Subject: - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 [ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@ --- ChangeLog | 6 +++++- ssh.1 | 38 +++++++++++++++++++++++++------------- ssh.c | 4 ++-- ssh_config.5 | 38 +++++++++++++++++++++++++++++--------- sshd_config.5 | 15 +++++++++++---- 5 files changed, 72 insertions(+), 29 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 4a3ee6670..f31d44bcd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,10 @@ [clientloop.c] mention optional bind_address in runtime port forwarding setup command-line help. patch from santhi.amirta AT gmail.com + - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 + [ssh.1 ssh.c ssh_config.5 sshd_config.5] + more details and clarity for tun(4) device forwarding; ok and help + jmc@ 20060706 - (dtucker) [configure.ac] Try AIX blibpath test in different order when @@ -4741,4 +4745,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4361 2006/07/10 10:16:12 djm Exp $ +$Id: ChangeLog,v 1.4362 2006/07/10 10:16:27 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 874a5d2fe..4067a9362 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.260 2006/05/29 16:13:23 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.261 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -78,7 +78,8 @@ .Oc .Op Fl S Ar ctl_path .Bk -words -.Op Fl w Ar tunnel : Ns Ar tunnel +.Oo Fl w Ar local_tun Ns +.Op : Ns Ar remote_tun Oc .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek 
@@ -588,24 +589,35 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. -.It Fl w Ar tunnel : Ns Ar tunnel -Requests a +.It Fl w Xo +.Ar local_tun Ns Op : Ns Ar remote_tun +.Xc +Requests +tunnel +device forwarding with the specified .Xr tun 4 -device on the client -(first -.Ar tunnel -arg) -and server -(second -.Ar tunnel -arg). +devices between the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp The devices may be specified by numerical ID or the keyword .Dq any , which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Dq any . See also the .Cm Tunnel -directive in +and +.Cm TunnelDevice +directives in .Xr ssh_config 5 . +If the +.Cm Tunnel +directive is unset, it is set to the default tunnel mode, which is +.Dq point-to-point . .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. diff --git a/ssh.c b/ssh.c index 01303dc97..9d50e42fd 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.276 2006/04/25 08:02:27 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.277 2006/07/02 17:12:58 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -176,7 +176,7 @@ usage(void) " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" -" [-w tunnel:tunnel] [user@]hostname [command]\n" +" [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); } diff --git a/ssh_config.5 b/ssh_config.5 index 0d40fd63e..68ec311b2 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.94 2006/05/29 16:10:03 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.95 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -931,24 +931,44 @@ This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to .Dq no . .It Cm Tunnel -Request starting +Request .Xr tun 4 device forwarding between the client and the server. -This option also allows requesting layer 2 (ethernet) -instead of layer 3 (point-to-point) tunneling from the server. The argument must be .Dq yes , -.Dq point-to-point , -.Dq ethernet , +.Dq point-to-point +(layer 3), +.Dq ethernet +(layer 2), or .Dq no . +Specifying +.Dq yes +requests the default tunnel mode, which is +.Dq point-to-point . The default is .Dq no . .It Cm TunnelDevice -Force a specified +Specifies the .Xr tun 4 -device on the client. -Without this option, the next available device will be used. +devices to open on the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp +The argument must be +.Sm off +.Ar local_tun Op : Ar remote_tun . +.Sm on +The devices may be specified by numerical ID or the keyword +.Dq any , +which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Dq any . +The default is +.Dq any:any . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be diff --git a/sshd_config.5 b/sshd_config.5 index aad28f4c8..836add94f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.57 2006/03/14 16:32:48 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.58 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -537,10 +537,17 @@ Specifies whether device forwarding is allowed. The argument must be .Dq yes , -.Dq point-to-point , -.Dq ethernet , -or +.Dq point-to-point +(layer 3), +.Dq ethernet +(layer 2), or .Dq no . +Specifying +.Dq yes +permits both +.Dq point-to-point +and +.Dq ethernet . The default is .Dq no . .It Cm PermitUserEnvironment -- cgit v1.2.3 From e7d4b19f755c0d33122ef373e54b69e6b93cb0b4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 12 Jul 2006 22:17:10 +1000 Subject: - markus@cvs.openbsd.org 2006/07/11 18:50:48 [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c channels.h readconf.c] add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc --- ChangeLog | 8 +++++++- channels.c | 17 ++++++++++------- channels.h | 6 +++--- clientloop.c | 9 ++++++--- readconf.c | 11 ++++++++++- readconf.h | 3 ++- session.c | 8 ++++++-- ssh.1 | 3 ++- ssh.c | 27 +++++++++++++++++++++------ ssh_config.5 | 13 ++++++++++++- 10 files changed, 79 insertions(+), 26 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index b5c849806..74bfb0d3b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,12 @@ Only copy the part of environment variable that we actually use. Prevents ssh bailing when SendEnv is used and an environment variable with a really long value exists. ok djm@ + - markus@cvs.openbsd.org 2006/07/11 18:50:48 + [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c + channels.h readconf.c] + add ExitOnForwardFailure: terminate the connection if ssh(1) + cannot set up all requested dynamic, local, and remote port + forwardings. ok djm, dtucker, stevesk, jmc 20060711 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c @@ -4872,4 +4878,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4395 2006/07/12 12:16:23 dtucker Exp $ +$Id: ChangeLog,v 1.4396 2006/07/12 12:17:10 dtucker Exp $ diff --git a/channels.c b/channels.c index cd68efded..51718578b 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.252 2006/07/10 12:08:08 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.253 2006/07/11 18:50:47 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2481,7 +2481,7 @@ channel_setup_remote_fwd_listener(const char *listen_address, * the secure channel to host:port from local side. */ -void +int channel_request_remote_forwarding(const char *listen_host, u_short listen_port, const char *host_to_connect, u_short port_to_connect) { @@ -2525,7 +2525,6 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port, success = 1; break; case SSH_SMSG_FAILURE: - logit("Warning: Server denied remote port forwarding."); break; default: /* Unknown packet */ @@ -2539,6 +2538,7 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port, permitted_opens[num_permitted_opens].listen_port = listen_port; num_permitted_opens++; } + return (success ? 0 : -1); } /* 
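Review bot: The new `return (success ? 0 : -1);` at the end of channel_request_remote_forwarding gives the function a return contract that the header comment rewritten in the -2481 hunk never mentions; I would add ` * Returns 0 on success, -1 if the forwarding could not be requested.` to that comment. With the log line dropped from the SSH_SMSG_FAILURE case in the -2525 hunk, the caller is now the only place a refusal is reported, so every caller has to check the result. Whether `success` is set on the protocol-2 path before the server's reply arrives is outside the hunk; if it is, a 0 return only means the request was sent, and the comment should say so.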
@@ -2578,12 +2578,13 @@ channel_request_rforward_cancel(const char *host, u_short port) /* * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates * listening for the port, and sends back a success reply (or disconnect - * message if there was an error). This never returns if there was an error. + * message if there was an error). */ -void +int channel_input_port_forward_request(int is_root, int gateway_ports) { u_short port, host_port; + int success = 0; char *hostname; /* Get arguments from the packet. */ @@ -2605,11 +2606,13 @@ channel_input_port_forward_request(int is_root, int gateway_ports) #endif /* Initiate forwarding */ - channel_setup_local_fwd_listener(NULL, port, hostname, + success = channel_setup_local_fwd_listener(NULL, port, hostname, host_port, gateway_ports); /* Free the argument string. */ xfree(hostname); + + return (success ? 0 : -1); } /* @@ -2628,7 +2631,7 @@ void channel_add_permitted_opens(char *host, int port) { if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) - fatal("channel_request_remote_forwarding: too many forwards"); + fatal("channel_add_permitted_opens: too many forwards"); debug("allow port forwarding to host %s port %d", host, port); permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); diff --git a/channels.h b/channels.h index ee1d260fd..d21319a2b 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.84 2006/03/25 22:22:42 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.85 2006/07/11 18:50:47 markus Exp $ */ /* * Author: Tatu Ylonen 
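Review bot: The rewritten comment above channel_input_port_forward_request still says the function "sends back a success reply (or disconnect message if there was an error)", but the body now returns -1 and leaves the reply to the caller; I would end the comment with ` * Returns 0 if the listener was set up, -1 otherwise; the caller sends the reply.` The `success ? 0 : -1` mapping assumes channel_setup_local_fwd_listener returns non-zero on success, which its prototype in channels.h (int) does not spell out, so a one-line comment at the assignment would help. `int success = 0;` is assigned before it is read, so the initializer is only defensive. The function body between the two hunks is outside this view.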
@@ -208,10 +208,10 @@ void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); void channel_clear_permitted_opens(void); -void channel_input_port_forward_request(int, int); +int channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); -void channel_request_remote_forwarding(const char *, u_short, +int channel_request_remote_forwarding(const char *, u_short, const char *, u_short); int channel_setup_local_fwd_listener(const char *, u_short, const char *, u_short, int); diff --git a/clientloop.c b/clientloop.c index c59d573c5..6cb2a7ac7 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.166 2006/07/08 21:47:12 stevesk Exp $ */ +/* $OpenBSD: clientloop.c,v 1.167 2006/07/11 18:50:47 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -996,9 +996,12 @@ process_cmdline(void) goto out; } } else { - channel_request_remote_forwarding(fwd.listen_host, + if (channel_request_remote_forwarding(fwd.listen_host, fwd.listen_port, fwd.connect_host, - fwd.connect_port); + fwd.connect_port) < 0) { + logit("Port forwarding failed."); + goto out; + } } logit("Forwarding port."); diff --git a/readconf.c b/readconf.c index df5e566a5..d25f93012 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.152 2006/07/05 02:42:09 stevesk Exp $ */ +/* $OpenBSD: readconf.c,v 1.153 2006/07/11 18:50:48 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -102,6 +102,7 @@ typedef enum { oBadOption, oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, + oExitOnForwardFailure, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 
@@ -132,6 +133,7 @@ static struct { { "forwardagent", oForwardAgent }, { "forwardx11", oForwardX11 }, { "forwardx11trusted", oForwardX11Trusted }, + { "exitonforwardfailure", oExitOnForwardFailure }, { "xauthlocation", oXAuthLocation }, { "gatewayports", oGatewayPorts }, { "useprivilegedport", oUsePrivilegedPort }, @@ -386,6 +388,10 @@ parse_flag: intptr = &options->gateway_ports; goto parse_flag; + case oExitOnForwardFailure: + intptr = &options->exit_on_forward_failure; + goto parse_flag; + case oUsePrivilegedPort: intptr = &options->use_privileged_port; goto parse_flag; @@ -987,6 +993,7 @@ initialize_options(Options * options) options->forward_agent = -1; options->forward_x11 = -1; options->forward_x11_trusted = -1; + options->exit_on_forward_failure = -1; options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; @@ -1067,6 +1074,8 @@ fill_default_options(Options * options) options->forward_x11 = 0; if (options->forward_x11_trusted == -1) options->forward_x11_trusted = 0; + if (options->exit_on_forward_failure == -1) + options->exit_on_forward_failure = 0; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; if (options->gateway_ports == -1) diff --git a/readconf.h b/readconf.h index 7fc2ea47c..e99b1ff25 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.69 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.70 2006/07/11 18:50:48 markus Exp $ */ /* * Author: Tatu Ylonen @@ -34,6 +34,7 @@ typedef struct { int forward_agent; /* Forward authentication agent. */ int forward_x11; /* Forward X11 display. */ int forward_x11_trusted; /* Trust Forward X11 display. */ + int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */ char *xauth_location; /* Location for xauth program */ int gateway_ports; /* Allow remote connects to forwarded ports. */ int use_privileged_port; /* Don't use privileged port if false. */ 
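Review bot: The field comment `/* Exit if bind(2) fails for -L/-R */` added to readconf.h is narrower than the option as described elsewhere in this commit: the ssh_config.5 hunk says it covers dynamic, local, and remote port forwardings, and the ssh.c hunks also exit when the remote side answers SSH2_MSG_REQUEST_FAILURE to a -R request, which is not a bind(2) failure on the client. I would write `int exit_on_forward_failure; /* Exit if any -D/-L/-R forwarding cannot be set up */`. The readconf.c hunks in the same physical line follow the existing flag-option pattern and need no change.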
diff --git a/session.c b/session.c index 0a321be30..33be91545 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.207 2006/07/08 21:48:53 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.208 2006/07/11 18:50:48 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -338,7 +338,11 @@ do_authenticated1(Authctxt *authctxt) break; } debug("Received TCP/IP port forwarding request."); - channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports); + if (channel_input_port_forward_request(s->pw->pw_uid == 0, + options.gateway_ports) < 0) { + debug("Port forwarding failed."); + break; + } success = 1; break; diff --git a/ssh.1 b/ssh.1 index f44b6f29a..6e41bcd8b 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.262 2006/07/02 23:01:55 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.263 2006/07/11 18:50:48 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -449,6 +449,7 @@ For full details of the options listed below, and their possible values, see .It ControlPath .It DynamicForward .It EscapeChar +.It ExitOnForwardFailure .It ForwardAgent .It ForwardX11 .It ForwardX11Trusted diff --git a/ssh.c b/ssh.c index bd92206d4..2e0ef2f9f 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.282 2006/07/11 10:12:07 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.283 2006/07/11 18:50:48 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -817,6 +817,8 @@ ssh_init_forwarding(void) options.local_forwards[i].connect_port, options.gateway_ports); } + if (i > 0 && success != i && options.exit_on_forward_failure) + fatal("Could not request local forwarding."); if (i > 0 && success == 0) error("Could not request local forwarding."); 
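Review bot: The new `break` after a failed channel_input_port_forward_request relies on `success` already being 0 when this case is entered; its initialisation is outside the hunk, so confirm it is reset per request rather than carried over from an earlier successful one, otherwise the client would be told the forwarding succeeded. Reporting the failure only with debug() means a forwarding an authenticated client asked for and did not get leaves no trace at the default log level, unless channel_setup_local_fwd_listener logs it itself; `verbose("Port forwarding request failed.")` would keep it visible without being noisy. do_authenticated1 starts and ends outside the hunk.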
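Review bot: The fatal() added for local forwardings uses the same text as the error() on the line below it, so a user cannot tell from the log whether ssh exited because of ExitOnForwardFailure or only reported a partial failure, and which listener failed is visible only in the debug output from the loop. I would make the exit message distinct and quantified, e.g. `fatal("Could not set up all local forwardings (%d of %d succeeded).", success, i);`. This assumes `success` counts listeners that came up, which the loop body above the hunk determines; ssh_init_forwarding starts outside the hunk.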
@@ -829,11 +831,17 @@ ssh_init_forwarding(void) options.remote_forwards[i].listen_port, options.remote_forwards[i].connect_host, options.remote_forwards[i].connect_port); - channel_request_remote_forwarding( + if (channel_request_remote_forwarding( options.remote_forwards[i].listen_host, options.remote_forwards[i].listen_port, options.remote_forwards[i].connect_host, - options.remote_forwards[i].connect_port); + options.remote_forwards[i].connect_port) < 0) { + if (options.exit_on_forward_failure) + fatal("Could not request remote forwarding."); + else + logit("Warning: Could not request remote " + "forwarding."); + } } } @@ -1015,9 +1023,16 @@ client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt) options.remote_forwards[i].listen_port, options.remote_forwards[i].connect_host, options.remote_forwards[i].connect_port); - if (type == SSH2_MSG_REQUEST_FAILURE) - logit("Warning: remote port forwarding failed for listen " - "port %d", options.remote_forwards[i].listen_port); + if (type == SSH2_MSG_REQUEST_FAILURE) { + if (options.exit_on_forward_failure) + fatal("Error: remote port forwarding failed for " + "listen port %d", + options.remote_forwards[i].listen_port); + else + logit("Warning: remote port forwarding failed for " + "listen port %d", + options.remote_forwards[i].listen_port); + } } static void diff --git a/ssh_config.5 b/ssh_config.5 index 68ec311b2..55ca55303 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.95 2006/07/02 17:12:58 stevesk Exp $ +.\" $OpenBSD: ssh_config.5,v 1.96 2006/07/11 18:50:48 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
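Review bot: The remote-forwarding failure is now handled at two sites — synchronously after channel_request_remote_forwarding here and asynchronously in client_global_request_reply_fwd in the -1015 hunk — and neither says which protocol path it serves, so the next reader may take one of them for dead code. If the split is that protocol 1 reports refusal in the return value and protocol 2 answers later, a comment at this site such as `/* Protocol 1 reports refusal here; protocol 2 replies later via client_global_request_reply_fwd() */` would record it; the protocol-2 branch of channel_request_remote_forwarding is outside this diff, so please confirm. The fatal()/logit() messages also omit which forward failed while the call whose argument list opens the hunk (presumably a debug()) has the details; `fatal("Could not request remote forwarding for listen port %d.", options.remote_forwards[i].listen_port);` keeps that information at a level that is actually shown.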
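Review bot: The fatal() branch added in client_global_request_reply_fwd prefixes its message with "Error: " while the other fatal() calls in this commit ("Could not request remote forwarding.", "Could not request local forwarding.") carry no such prefix; `fatal("remote port forwarding failed for listen port %d", options.remote_forwards[i].listen_port);` would be consistent. The two branches also repeat the same format string and argument, which invites the texts drifting apart on the next edit; a short comment `/* same message at both levels; keep in sync */` or a shared message built into a local buffer would address that. The surrounding function starts outside the hunk.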
@@ -385,6 +385,17 @@ followed by a letter, or to disable the escape character entirely (making the connection transparent for binary data). +.It Cm ExitOnForwardFailure +Specifies whether +.Xr ssh 1 +should terminate the connection if it cannot set up all requested +dynamic, local, and remote port forwardings. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -- cgit v1.2.3 From 858bb7dc7c41816e0c779b1bda09324b9ea97ddf Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Aug 2006 11:34:51 +1000 Subject: - jmc@cvs.openbsd.org 2006/07/27 08:00:50 [ssh_config.5] avoid confusing wording in HashKnownHosts: originally spotted by alan amesbury; ok deraadt --- ChangeLog | 7 ++++++- ssh_config.5 | 7 ++++--- 2 files changed, 10 insertions(+), 4 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index b9a3ca2fb..54fa577b3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,11 @@ [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c] [sshconnect1.c sshd.c xmalloc.c] move #include out of includes.h + - jmc@cvs.openbsd.org 2006/07/27 08:00:50 + [ssh_config.5] + avoid confusing wording in HashKnownHosts: + originally spotted by alan amesbury; + ok deraadt 20060804 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent @@ -5095,4 +5100,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4446 2006/08/05 01:34:19 djm Exp $ +$Id: ChangeLog,v 1.4447 2006/08/05 01:34:51 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 55ca55303..20c58934a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.96 2006/07/11 18:50:48 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -497,8 +497,9 @@ but they do not reveal identifying information should the file's contents be disclosed. The default is .Dq no . -Note that hashing of names and addresses will not be retrospectively applied -to existing known hosts files, but these may be manually hashed using +Note that existing names and addresses in known hosts files +will not be converted automatically, +but may be manually hashed using .Xr ssh-keygen 1 . .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key -- cgit v1.2.3 From bf6b328f27ec0e99fbcd5a22f1eab139be0a1fc0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 19 Feb 2007 22:08:17 +1100 Subject: - jmc@cvs.openbsd.org 2007/01/10 13:23:22 [ssh_config.5] do not use a list for SYNOPSIS; this is actually part of a larger report sent by eric s. raymond and forwarded by brad, but i only read half of it. spotted by brad. --- ChangeLog | 10 +++++++++- ssh_config.5 | 8 +++----- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'ssh_config.5') diff --git a/ChangeLog b/ChangeLog index 481bcfddf..fa869b11f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20070219 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2007/01/10 13:23:22 + [ssh_config.5] + do not use a list for SYNOPSIS; + this is actually part of a larger report sent by eric s. raymond + and forwarded by brad, but i only read half of it. spotted by brad. + 20070128 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) when closing a tty session when a background process still holds tty 
@@ -2692,4 +2700,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4609 2007/01/28 23:16:28 djm Exp $ +$Id: ChangeLog,v 1.4610 2007/02/19 11:08:17 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 20c58934a..c1ad53dcf 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -42,10 +42,8 @@ .Nm ssh_config .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa ~/.ssh/config -.It Pa /etc/ssh/ssh_config -.El +.Nm ~/.ssh/config +.Nm /etc/ssh/ssh_config .Sh DESCRIPTION .Xr ssh 1 obtains configuration data from the following sources in -- cgit v1.2.3