From acaf34fd823235d549c633c0146ee03ac5956e82 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sun, 7 May 2017 23:12:57 +0000 Subject: upstream commit As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@ Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222 --- sshd.8 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index 7725a692c..05368f947 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.288 2017/01/30 23:27:39 dtucker Exp $ -.Dd $Mdocdate: January 30 2017 $ +.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ +.Dd $Mdocdate: May 7 2017 $ .Dt SSHD 8 .Os .Sh NAME @@ -260,7 +260,7 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160, +(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. -- cgit v1.2.3 From 6f8ca3b92540fa1a9b91670edc98d15448e3d765 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 24 Jun 2017 05:35:05 +0000 Subject: upstream commit use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd --- ssh_config.5 | 6 +++--- sshconnect.c | 6 ++++-- sshd.8 | 24 +++++++++++++++++++----- 3 files changed, 26 insertions(+), 10 deletions(-) (limited to 'sshd.8') diff --git a/ssh_config.5 b/ssh_config.5 index 4277f9eac..1cbfe0403 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.250 2017/05/30 19:38:17 jmc Exp $ -.Dd $Mdocdate: May 30 2017 $ +.\" $OpenBSD: ssh_config.5,v 1.251 2017/06/24 05:35:05 djm Exp $ +.Dd $Mdocdate: June 24 2017 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -809,7 +809,7 @@ The list of available key types may also be obtained using .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key -in the host key database files. +in the host key database files and when validating host certificates. This option is useful for tunneling SSH connections or for multiple servers running on a single host. .It Cm HostName diff --git a/sshconnect.c b/sshconnect.c index d4894b9f1..4100cdc8c 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.280 2017/05/30 14:13:40 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.281 2017/06/24 05:35:05 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -863,7 +863,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, host, type, want_cert ? "certificate" : "key"); debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); - if (want_cert && !check_host_cert(hostname, host_key)) + if (want_cert && + !check_host_cert(options.host_key_alias == NULL ? + hostname : options.host_key_alias, host_key)) goto fail; if (options.check_host_ip && ip_status == HOST_NEW) { if (readonly || want_cert) diff --git a/sshd.8 b/sshd.8 index 05368f947..1b18e45b3 100644 --- a/sshd.8 +++ b/sshd.8 
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $ -.Dd $Mdocdate: May 7 2017 $ +.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $ +.Dd $Mdocdate: June 24 2017 $ .Dt SSHD 8 .Os .Sh NAME @@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns and .Ql \&? act as -wildcards); each pattern in turn is matched against the canonical host -name (when authenticating a client) or against the user-supplied -name (when authenticating a server). +wildcards); each pattern in turn is matched against the host name. +When +.Nm sshd +is authenticating a client, such as when using +.Cm HostbasedAuthentication , +this will be the canonical client host name. +When +.Xr ssh 1 +is authenticating a server, this will be the either the host name +given by the user, the value of the +.Xr ssh 1 +.Cm HostkeyAlias +if it was specified, or the canonical server hostname if the +.Xr ssh 1 +.Cm CanonicalizeHostname +option was used. +.Pp A pattern may also be preceded by .Ql \&! to indicate negation: if the host name matches a negated -- cgit v1.2.3 From e2004d4bb7eb01c663dd3a3e7eb224f1ccdc9bba Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Sat, 24 Jun 2017 06:28:50 +0000 Subject: upstream commit word fix; Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5 --- sshd.8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sshd.8') diff --git a/sshd.8 b/sshd.8 index 1b18e45b3..a4201146b 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $ +.\" $OpenBSD: sshd.8,v 1.291 2017/06/24 06:28:50 jmc Exp $ .Dd $Mdocdate: June 24 2017 $ .Dt SSHD 8 .Os 
@@ -660,7 +660,7 @@ is authenticating a client, such as when using this will be the canonical client host name. When .Xr ssh 1 -is authenticating a server, this will be the either the host name +is authenticating a server, this will be the host name given by the user, the value of the .Xr ssh 1 .Cm HostkeyAlias -- cgit v1.2.3
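Review bot: the sshd.8 hunk at @@ -260 in commit acaf34fd removes hmac-ripemd160 from the documented MAC list, but the commit message only announces the removal of the Blowfish, RC4 and CAST ciphers; the message should also state that hmac-ripemd160 is dropped, since the cgit view here is limited to sshd.8 and the matching code change is not visible to confirm it. While this parenthetical is being edited, check that the remaining entries (hmac-md5, hmac-sha1, umac-64, umac-128, hmac-sha2-256, hmac-sha2-512) still match what the server actually offers, because the sentence presents the list as exhaustive.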
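Review bot: in the sshconnect.c hunk at @@ -863 of commit 6f8ca3b9, the selection `options.host_key_alias == NULL ? hostname : options.host_key_alias` is inlined into the check_host_cert() call without a comment, while a `host` variable that the surrounding debug() message already uses is in scope. If `host` holds the same alias-or-hostname string, reuse it; if it does not (for example because it carries a port suffix for the known_hosts lookup), add a one-line comment saying why the certificate principal check must see the bare alias or hostname rather than `host`. Note also that an alias configured as an empty string is not NULL and would be passed to check_host_cert() as the name to match against the certificate principals; decide whether that should fall back to `hostname`.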
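Review bot: in the sshd.8 hunk at @@ -652 of commit 6f8ca3b9, the added line `is authenticating a server, this will be the either the host name` contains a stray word ("the either the"), and `.Cm HostkeyAlias` spells the option differently from the `.Cm HostKeyAlias` used in the ssh_config.5 hunk of the same commit; both should be corrected before commit. The new paragraph also lists three possible values (the user-supplied name, the HostKeyAlias value, the canonical server hostname) without saying which one is used when HostKeyAlias and CanonicalizeHostname are both set; one sentence stating that precedence would remove the ambiguity for administrators writing principal patterns.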
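Review bot: the sshd.8 hunk at @@ -660 of commit e2004d4b fixes "the either the", but the unchanged context line `.Cm HostkeyAlias` directly below it still uses a lowercase k, unlike `.Cm HostKeyAlias` in ssh_config.5; since this pass already edits the paragraph, fold that spelling fix in so the option name matches the one documented in ssh_config.5 and can be found by searching the manual for it.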