path: root/readconf.c

Commit message | Author | Age | Files | Lines (-removed/+added)
* upstream: support VersionAddendum in the client, mirroring the option of the same name in the server; bz2745 ok dtucker@
  -- djm@openbsd.org, 2024-12-07, 1 file, -1/+27
  OpenBSD-Commit-ID: 6ff7905b3f9806649bde750515786553fb89cdf4

* upstream: fix argument of "Compression" directive in ssh -G config dump, which used to work but broke in 9.8
  -- djm@openbsd.org, 2024-11-27, 1 file, -1/+3
  OpenBSD-Commit-ID: c79936242d29c70d01941b28d2d07fd0b85fe46f

* upstream: fix previous change to ssh_config Match, which broke on negated Matches; spotted by phessler@ ok deraadt@
  -- djm@openbsd.org, 2024-09-27, 1 file, -7/+7
  OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7

* upstream: fix regression introduced when I switched the "Match" criteria tokeniser to a more shell-like one. Apparently the old tokeniser (accidentally?) allowed "Match criteria=argument" as well as the "Match criteria argument" syntax that we tested for. People were using this syntax so this adds back support for "Match criteria=argument". bz3739 ok dtucker
  -- djm@openbsd.org, 2024-09-25, 1 file, -5/+23
  OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a

* upstream: switch "Match" directive processing over to the argv string tokeniser, making it possible to use shell-like quoting in Match directives, particularly "Match exec". ok markus@
  -- djm@openbsd.org, 2024-09-15, 1 file, -21/+14
  OpenBSD-Commit-ID: 0877309650b76f624b2194c35dbacaf065e769a5

* upstream: allow the "Include" directive to expand the same set of %-tokens that "Match Exec" and environment variables. ok dtucker@
  -- djm@openbsd.org, 2024-09-03, 1 file, -44/+85
  OpenBSD-Commit-ID: 12ef521eaa966a9241e684258564f52f1f3c5d37

* upstream: As defined in the RFC, the SSH protocol has negotiable compression support (which is requested as the name "zlib"). Compression starts very early in the session. Relatively early in OpenSSH's lifetime, privsep was added to sshd, and this required a shared-memory hack so the two processes could see what was going on in the dataflow. This shared-memory hack was soon recognized as a tremendous complexity risk, because it put libz (which very much trusts its memory) in a dangerous place, and a new option ("zlib@openssh.com") was added that begins compression after authentication (aka delayed-compression). That change also permitted removal of the shared-memory hack. Despite removal from the server, the old "zlib" support remained in the client, to allow negotiation with non-OpenSSH daemons which lack the delayed-compression option. This commit deletes support for the older "zlib" option in the client. It reduces our featureset in a small way, and encourages other servers to move to a better design. The SSH protocol is different enough that compressed-key-material attacks like BEAST are unlikely, but who wants to take the chance? We encourage other ssh servers who care about optional compression support to add delayed-zlib support. (Some already do "zlib@openssh.com") ok djm markus
  -- deraadt@openbsd.org, 2024-08-27, 1 file, -2/+2
  OpenBSD-Commit-ID: 6df986f38e4ab389f795a6e39e7c6857a763ba72

* upstream: spelling; ok djm@
  -- jsg@openbsd.org, 2024-05-17, 1 file, -2/+2
  OpenBSD-Commit-ID: bdea29bb3ed2a5a7782999c4c663b219d2270483

* upstream: fix leak of CanonicalizePermittedCNAMEs on error path; spotted by Coverity (CID 438039)
  -- djm@openbsd.org, 2024-03-04, 1 file, -7/+19
  OpenBSD-Commit-ID: 208839699939721f452a4418afc028a9f9d3d8af

* upstream: Separate parsing of string array options from applying them to the active configuration. This fixes the config parser from erroneously rejecting cases like:
      AuthenticationMethods password
      Match User ivy
      AuthenticationMethods any
  bz3657 ok markus@
  -- djm@openbsd.org, 2024-03-04, 1 file, -61/+86
  OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491

* upstream: make DSA key support compile-time optional, defaulting to on. ok markus@
  -- djm@openbsd.org, 2024-01-11, 1 file, -1/+3
  OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d

* upstream: add %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used). bz3610, ok dtucker
  -- djm@openbsd.org, 2023-10-12, 1 file, -4/+8
  OpenBSD-Commit-ID: ce9983f7efe6a178db90dc5c1698df025df5e339

* upstream: add ChannelTimeout support to the client, mirroring the same option in the server. ok markus@
  -- djm@openbsd.org, 2023-10-12, 1 file, -2/+45
  OpenBSD-Commit-ID: 55630b26f390ac063980cfe7ad8c54b03284ef02

* upstream: Add keystroke timing obfuscation to the client.
  This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. feedback/ok markus@
  -- djm@openbsd.org, 2023-08-28, 1 file, -2/+62
  OpenBSD-Commit-ID: 02231ddd4f442212820976068c34a36e3c1b15be

* conditionalise match localnetwork on ifaddrs.h
  Fixes build breakage on platforms that lack getifaddrs()
  -- Damien Miller, 2023-07-18, 1 file, -0/+5

* upstream: missing match localnetwork negation check
  -- djm@openbsd.org, 2023-07-17, 1 file, -1/+3
  OpenBSD-Commit-ID: 9a08ed8dae27d3f38cf280f1b28d4e0ff41a737a

* avoid AF_LINK on platforms that don't define it
  -- Damien Miller, 2023-07-17, 1 file, -0/+2

* upstream: Add support for configuration tags to ssh(1).
  This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. ok markus
  -- djm@openbsd.org, 2023-07-17, 1 file, -2/+13
  OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3

* upstream: add a "match localnetwork" predicate.
  This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location (e.g. to use a ProxyJump when not on a particular network). ok markus@
  -- djm@openbsd.org, 2023-07-17, 1 file, -4/+73
  OpenBSD-Commit-ID: cffb6ff9a3803abfc52b5cad0aa190c5e424c139

* upstream: better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. part of bz3577; ok dtucker@
  -- djm@openbsd.org, 2023-06-21, 1 file, -3/+7
  OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912

* upstream: don't leak arg2 on parse_pubkey_algos error path; ok dtucker@
  -- djm@openbsd.org, 2023-03-31, 1 file, -1/+2
  OpenBSD-Commit-ID: 7d0270ad3dd102412ca76add2b3760518abdef75

* upstream: Remove no-op (int) > INT_MAX checks since they can never be true. From Coverity CID 405031, ok djm@
  -- dtucker@openbsd.org, 2023-03-10, 1 file, -5/+3
  OpenBSD-Commit-ID: 9df3783b181e056595e2bb9edf7ed41d61cf8e84

* upstream: modify parentheses in conditionals to make it clearer what is being assigned and what is being checked. ok djm dtucker
  -- jcs@openbsd.org, 2023-03-10, 1 file, -2/+2
  OpenBSD-Commit-ID: 19c10baa46ae559474409f75a5cb3d0eade7a9b8

* upstream: Remove unused compat.h includes.
  We've previously removed a lot of the really old compatibility code, and with it went the need to include compat.h in most of the files that have it.
  -- dtucker@openbsd.org, 2023-03-05, 1 file, -2/+1
  OpenBSD-Commit-ID: 5af8baa194be00a3092d17598e88a5b29f7ea2b4

* upstream: Add a "Host" line to the output of ssh -G showing the original host arg. Inspired by patch from vincent at bernat.ch via bz#3343, ok djm@
  -- dtucker@openbsd.org, 2023-01-13, 1 file, -1/+3
  OpenBSD-Commit-ID: 59c0f60a222113a44d0650cd394376e3beecc883

* upstream: fix bug in PermitRemoteOpen which caused it to ignore its first argument unless it was one of the special keywords "any" or "none". Reported by Georges Chaudy in bz3515; ok dtucker@
  -- djm@openbsd.org, 2023-01-03, 1 file, -29/+33
  OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5

* upstream: New EnableEscapeCommandline ssh_config(5) option
  This option (default "no") controls whether the ~C escape is available. Turning it off by default means we will soon be able to use a stricter default pledge(2) in the client. feedback deraadt@ dtucker@; tested in snaps for a while
  -- djm@openbsd.org, 2022-11-30, 1 file, -1/+11
  OpenBSD-Commit-ID: 7e277595d60acb8263118dcb66554472257b387a

* upstream: add a RequiredRSASize for checking RSA key length in ssh(1). User authentication keys that fall beneath this limit will be ignored. If a host presents a host key beneath this limit then the connection will be terminated (unfortunately there are no fallbacks in the protocol for host authentication). feedback deraadt, Dmitry Belyavskiy; ok markus@
  -- djm@openbsd.org, 2022-09-17, 1 file, -2/+11
  OpenBSD-Commit-ID: 430e339b2a79fa9ecc63f2837b06fdd88a7da13a

* upstream: Make SetEnv directives first-match-wins in both sshd_config and sshd_config; previously if the same name was reused then the last would win (which is the opposite to how the config is supposed to work). While there, make the ssh_config parsing more like sshd_config. bz3438, ok dtucker
  -- djm@openbsd.org, 2022-06-03, 1 file, -26/+15
  OpenBSD-Commit-ID: 797909c1e0262c0d00e09280459d7ab00f18273b

* upstream: Avoid an unnecessary xstrdup in rm_env() when matching patterns. Since match_pattern() doesn't modify its arguments (they are const), there is no need to make an extra copy of the strings in options->send_env. From Martin Vahlensieck
  -- millert@openbsd.org, 2022-04-27, 1 file, -7/+3
  OpenBSD-Commit-ID: 2c9db31e3f4d3403b49642c64ee048b2a0a39351

* Really move DSA to end of list.
  In commit ad16a84e syncing from OpenBSD, RSA was accidentally moved to the end of the list instead of DSA. Spotted by andrew at fyfe.gb.net.
  -- Darren Tucker, 2022-02-20, 1 file, -2/+2

* upstream: Switch hpdelim interface to accept only ":" as delimiter.
  Historically, hpdelim accepted ":" or "/" as a port delimiter between hosts (or addresses) and ports. These days most of the uses for "/" are no longer accepted, so there are several places where it checks the delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2 in the other cases. ok djm@
  -- dtucker@openbsd.org, 2022-02-10, 1 file, -5/+4
  OpenBSD-Commit-ID: 7e6420bd1be87590b6840973f5ad5305804e3102

* upstream: Since they are deprecated, move DSA to the end of the default list of public keys so that they will be tried last. From github PR#295 from "ProBackup-nl", ok djm@
  -- dtucker@openbsd.org, 2022-02-07, 1 file, -2/+2
  OpenBSD-Commit-ID: 7e5d575cf4971d4e2de92e0b6d6efaba53598bf0

* upstream: PubkeyAuthentication=yes|no|unbound|host-bound
  Allow control over which pubkey methods are used. Added out of concern that some hardware devices may have difficulty signing the longer pubkey authentication challenges. This provides a way for them to disable the extension. It's also handy for testing. feedback / ok markus@
  -- djm@openbsd.org, 2021-12-19, 1 file, -3/+15
  OpenBSD-Commit-ID: ee52580db95c355cf6d563ba89974c210e603b1a

* upstream: missing space character in ssh -G output broke the t-sshcfgparse regression test; spotted by anton@
  -- djm@openbsd.org, 2021-09-16, 1 file, -2/+2
  OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0

* upstream: allow CanonicalizePermittedCNAMEs=none in ssh_config; ok markus@
  -- djm@openbsd.org, 2021-09-16, 1 file, -11/+47
  OpenBSD-Commit-ID: 668a82ba8e56d731b26ffc5703213bfe071df623

* upstream: Add a ForkAfterAuthentication ssh_config(5) counterpart to the ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch. ok dtucker
  -- djm@openbsd.org, 2021-07-23, 1 file, -2/+11
  OpenBSD-Commit-ID: b18aeda12efdebe2093d55263c90fe4ea0bce0d3

* upstream: Add a StdinNull directive to ssh_config(5) that allows the config file to do the same thing as -n does on the ssh(1) commandline. Patch from Volker Diels-Grabsch via GHPR231; ok dtucker
  -- djm@openbsd.org, 2021-07-23, 1 file, -2/+11
  OpenBSD-Commit-ID: 66ddf3f15c76796d4dcd22ff464aed1edd62468e

* upstream: add a SessionType directive to ssh_config, allowing the configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks; feedback and ok dtucker@
  -- djm@openbsd.org, 2021-07-14, 1 file, -2/+21
  OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12

* upstream: Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
  -- dtucker@openbsd.org, 2021-07-02, 1 file, -13/+5
  OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e

* upstream: fix regression in r1.356: for ssh_config options that accepted multiple string arguments, ssh was only recording the first. Reported by Lucas via bugs@
  -- djm@openbsd.org, 2021-06-09, 1 file, -2/+3
  OpenBSD-Commit-ID: 7cbf182f7449bf1cb7c5b4452667dc2b41170d6d

* upstream: Switch ssh_config parsing to use argv_split()
  This fixes a couple of problems with the previous tokeniser, strdelim():
  1. strdelim() is permissive wrt accepting '=' characters. This is intended to allow it to tokenise "Option=value" but because it cannot keep state, it will incorrectly split "Opt=val=val2".
  2. strdelim() has rudimentary handling of quoted strings, but it is incomplete and inconsistent. E.g. it doesn't handle escaped quotes inside a quoted string.
  3. It has no support for stopping on a (unquoted) comment. Because of this readconf.c r1.343 added chopping of lines at '#', but this caused a regression because these characters may legitimately appear inside quoted strings.
  The new tokeniser is stricter in a number of cases, including #1 above but previously it was also possible for some directives to appear without arguments. AFAIK these were nonsensical in all cases, and the new tokeniser refuses to accept them. The new code handles quotes much better, permitting quoted space as well as escaped closing quotes. Finally, comment handling should be fixed - the tokeniser will terminate only on unquoted # characters. feedback & ok markus@ tested in snaps for the last five or so days - thanks Theo and those who caught bugs
  -- djm@openbsd.org, 2021-06-08, 1 file, -150/+266
  OpenBSD-Commit-ID: dc72fd12af9d5398f4d9e159d671f9269c5b14d5

* upstream: Check if IPQoS or TunnelDevice are already set before overriding. Prevents values in config files from overriding values supplied on the command line. bz#3319, ok markus.
  -- dtucker@openbsd.org, 2021-06-08, 1 file, -3/+3
  OpenBSD-Commit-ID: f3b08b898c324debb9195e6865d8999406938f74

* upstream: ssh: The client configuration keyword is "hostbasedacceptedalgorithms"
  This fixes a mistake that slipped in when "HostbasedKeyTypes" was renamed to "HostbasedAcceptedAlgorithms". Bug report by zack@philomathiclife.com
  -- naddy@openbsd.org, 2021-05-26, 1 file, -2/+2
  OpenBSD-Commit-ID: d745a7e8e50b2589fc56877f322ea204bc784f38

* upstream: highly polished whitespace, mostly fixing spaces-for-tab and bad indentation on continuation lines. Prompted by GHPR#185
  -- djm@openbsd.org, 2021-04-03, 1 file, -4/+4
  OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9

* upstream: Put obsolete aliases for hostbasedalgorithms and pubkeyacceptedalgorithms after their current names so that the config-dump mode finds and uses the current names. Spotted by Phil Pennock.
  -- dtucker@openbsd.org, 2021-02-24, 1 file, -3/+3
  OpenBSD-Commit-ID: 5dd10e93cccfaff3aaaa09060c917adff04a9b15

* upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS. ok djm@, dtucker@
  -- markus@openbsd.org, 2021-02-17, 1 file, -3/+60
  OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c

* upstream: Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more accurately reflects its effect. This matches a previous change to PubkeyAcceptedAlgorithms. The previous names are retained as aliases. ok djm@
  -- dtucker@openbsd.org, 2021-01-26, 1 file, -9/+10
  OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e

* upstream: Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
  -- dtucker@openbsd.org, 2021-01-22, 1 file, -13/+14
  OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5

* upstream: make CheckHostIP default to 'no'. It doesn't provide any perceptible value and makes it much harder for hosts to change host keys, particularly ones that use IP-based load-balancing. ok dtucker@
  -- djm@openbsd.org, 2021-01-08, 1 file, -2/+2
  OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0