path: root/usr.bin/ssh/readconf.c
Commit log. Each entry gives the date, author, number of files changed and lines removed/added, followed by the commit message.

...

2013-10-14  djm      1 file  -12/+215
    add a "Match" keyword to ssh_config that allows matching on hostname,
    user and result of arbitrary commands. "nice work" markus@

2013-08-20  djm      1 file  -2/+10
    Add a ssh_config ProxyUseFDPass option that supports the use of
    ProxyCommands that establish a connection and then pass a connected
    file descriptor back to ssh(1). This allows the ProxyCommand to exit
    rather than have to shuffle data back and forth and enables ssh to
    use getpeername, etc. to obtain address information just like it does
    with regular directly-connected sockets. ok markus@

2013-06-10  dtucker  1 file  -3/+1
    revert 1.203 while we investigate crashes reported by okan@

2013-06-05  dtucker  1 file  -1/+3
    plug another memleak. bz#1967, from Zhenbo Xu, detected by Melton,
    ok djm

2013-05-17  djm      1 file  -18/+12
    bye, bye xfree(); ok markus@

2013-05-16  dtucker  1 file  -3/+3
    remove now-unused variables

2013-05-16  dtucker  1 file  -28/+7
    switch RekeyLimit traffic volume parsing to scan_scaled. ok djm@

2013-05-16  djm      1 file  -9/+26
    add the ability to ignore specific unrecognised ssh_config options;
    bz#866; ok markus@

2013-05-16  dtucker  1 file  -31/+49
    Add an optional second argument to RekeyLimit in the client to allow
    rekeying based on elapsed time in addition to amount of traffic.
    with djm@ jmc@, ok djm

2013-03-06  djm      1 file  -3/+1
    g/c unused variable (-Wunused)

2013-02-22  dtucker  1 file  -6/+7
    Don't complain if IdentityFiles specified in system-wide configs are
    missing. ok djm, deraadt.

2013-02-17  dtucker  1 file  -26/+30
    Keep track of which IdentityFile options were manually supplied and
    which were default options, and don't warn if the latter are missing.
    ok markus@

2011-09-23  markus   1 file  -1/+2
    unbreak remote portforwarding with dynamically allocated listen ports:
    1) send the actual listen port in the open message (instead of 0).
       this allows multiple forwardings with a dynamic listen port
    2) update the matching permit-open entry, so we can identify where
       to connect to
    report: den at skbkontur.ru and P. Szczygielski
    feedback and ok djm@

2011-05-24  djm      1 file  -29/+40
    Remove undocumented legacy options UserKnownHostsFile2 and
    GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
    accept multiple paths per line and making their defaults include
    known_hosts2; ok markus

2011-05-06  djm      1 file  -2/+26
    Add a RequestTTY ssh_config option to allow configuration-based
    control over tty allocation (like -t/-T); ok markus@

2011-05-06  djm      1 file  -5/+21
    support negated Host matching, e.g.

        Host *.example.org !c.example.org
            User mekmitasdigoat

    Will match "a.example.org", "b.example.org", but not "c.example.org"
    ok markus@

2010-11-13  djm      1 file  -2/+28
    allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
    hardcoding lowdelay/throughput. bz#1733 patch from
    philipp AT redfish-solutions.com; ok markus@ deraadt@

2010-09-22  djm      1 file  -1/+17
    add a KexAlgorithms knob to the client and server configuration to
    allow selection of which key exchange methods are used by ssh(1) and
    sshd(8) and their order of preference. ok markus@

2010-08-31  djm      1 file  -1/+7
    Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
    and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
    offer better performance than plain DH and DSA at the same equivalent
    symmetric key length, as well as much shorter keys.

    Only the mandatory sections of RFC5656 are implemented, specifically
    the three REQUIRED curves nistp256, nistp384 and nistp521 and only
    ECDH and ECDSA. Point compression (optional in RFC5656) is NOT
    implemented.

    Certificate host and user keys using the new ECDSA key types are
    supported.

    Note that this code has not been tested for interoperability and may
    be subject to change.

    feedback and ok markus@

2010-07-19  djm      1 file  -2/+34
    add a "ControlPersist" option that automatically starts a background
    ssh(1) multiplex master when connecting. This connection can stay
    alive indefinitely, or can be set to automatically close after a
    user-specified duration of inactivity. bz#1330 - patch by
    dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com,
    apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself;
    "looks ok" markus@

2010-06-25  djm      1 file  -3/+11
    Add X11ForwardTimeout option to specify timeout for untrusted X11
    authentication cookies to avoid fallback in X11 code to fully-trusted
    implicit authentication using SO_PEERCRED described at:
    http://lists.x.org/archives/xorg-devel/2010-May/008636.html

    After the X11ForwardTimeout has expired the client will now refuse
    incoming X11 channel opens.

    based on patch from Tavis Ormandy; "nice" markus@

2010-06-25  djm      1 file  -6/+19
    bz#1327: remove hardcoded limit of 100 permitopen clauses and port
    forwards per direction; ok markus@ stevesk@

2010-05-16  markus   1 file  -1/+2
    mux support for remote forwarding with dynamic port allocation,
    use with
        LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
    feedback and ok djm@

2010-02-08  markus   1 file  -7/+9
    replace our obsolete smartcard code with PKCS#11.
    ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
    ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
    provider (shared library) while ssh-agent(1) delegates PKCS#11 to a
    forked ssh-pkcs11-helper process. PKCS#11 is currently a compile time
    option. feedback and ok djm@; inspired by patches from Alon Bar-Lev

2010-01-09  dtucker  1 file  -19/+3
    Remove RoutingDomain from ssh since it's now not needed. It can be
    replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
    also ensures that traffic such as DNS lookups stays within the
    specified routingdomain. For example (from reyk):
        # route -T 2 exec /usr/sbin/sshd
    or inherited from the parent process
        $ route -T 2 exec sh
        $ ssh 10.1.2.3
    ok deraadt@ markus@ stevesk@ reyk@

2009-12-29  stevesk  1 file  -2/+2
    Rename RDomain config option to RoutingDomain to be more clear and
    consistent with other options. NOTE: if you currently use RDomain in
    the ssh client or server config, or ssh/sshd -o, you must update to
    use RoutingDomain. ok markus@ djm@

2009-12-25  stevesk  1 file  -2/+2
    validate routing domain is in range 0-RT_TABLEID_MAX.
    'Looks right' deraadt@

2009-10-28  reyk     1 file  -3/+19
    Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
    ok markus@

2009-10-08  markus   1 file  -2/+2
    disable protocol 1 by default (after a transition period of about
    10 years) ok deraadt

2009-06-27  andreas  1 file  -2/+10
    Add client option UseRoaming. It doesn't do anything yet but will
    control whether the client tries to use roaming if enabled on the
    server. From Martin Forssen. ok markus@

2009-02-12  djm      1 file  -4/+9
    support remote port forwarding with a zero listen port (-R0:...) to
    dynamically allocate a listen port at runtime (this is actually
    specified in rfc4254); bz#1003 ok markus@

2009-01-22  djm      1 file  -3/+3
    make a2port() return -1 when it encounters an invalid port number
    rather than 0, which it will now treat as valid (needed for future
    work)
    adjust current consumers of a2port() to check its return value is
    <= 0, which in turn required some things to be converted from
    u_short => int
    make use of int vs. u_short consistent in some other places too
    feedback & ok markus@

2009-01-15  stevesk  1 file  -4/+4
    1) use obsolete instead of alias for consistency
    2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is so
       move the comment.
    3) reorder so like options are together
    ok djm@

2008-12-09  djm      1 file  -3/+7
    don't leave junk (free'd) pointers around in Forward *fwd argument on
    failure; avoids double-free in ~C -L handler when given an invalid
    forwarding specification; bz#1539 report from adejong AT debian.org
    via Colin Watson; ok markus@ dtucker@

2008-11-04  stevesk  1 file  -7/+5
    because parse_forward() is now used to parse all forward types (DLR),
    and it malloc's space for host variables, we don't need to malloc
    here. fixes small memory leaks. previously dynamic forwards were not
    parsed in parse_forward() and space was not malloc'd in that case.
    ok djm@

2008-11-04  djm      1 file  -2/+16
    Add support for an experimental zero-knowledge password authentication
    method using the J-PAKE protocol described in F. Hao, P. Ryan,
    "Password Authenticated Key Exchange by Juggling", 16th Workshop on
    Security Protocols, Cambridge, April 2008.

    This method allows password-based authentication without exposing the
    password to the server. Instead, the client and server exchange
    cryptographic proofs to demonstrate knowledge of the password while
    revealing nothing useful to an attacker or compromised endpoint.

    This is experimental, work-in-progress code and is presently
    compile-time disabled (turn on -DJPAKE in Makefile.inc).

    "just commit it. It isn't too intrusive." deraadt@

2008-11-03  stevesk  1 file  -2/+2
    fix comment

2008-11-03  stevesk  1 file  -2/+1
    remove valueless comment

2008-11-01  stevesk  1 file  -37/+45
    merge dynamic forward parsing into parse_forward(); 'i think this is
    OK' djm@

2008-06-26  grunk    1 file  -18/+11
    Move SSH Fingerprint Visualization away from sharing the config option
    CheckHostIP to an own config option named VisualHostKey.

    While there, fix the behaviour that ssh would draw a random art
    picture on every newly seen host even when the option was not enabled.

    prodded by deraadt@, discussions, help and ok markus@ djm@ dtucker@

2008-06-11  grunk    1 file  -2/+18
    Introduce SSH Fingerprint ASCII Visualization, a technique inspired by
    the graphical hash visualization schemes known as "random art", and by
    Dan Kaminsky's musings on the subject during a BlackOp talk at the
    23C3 in Berlin.

    Scientific publication (original paper):
    "Hash Visualization: a New Technique to improve Real-World Security",
    Perrig A. and Song D., 1999, International Workshop on Cryptographic
    Techniques and E-Commerce (CrypTEC '99)
    http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf

    The algorithm used here is a worm crawling over a discrete plane,
    leaving a trace (augmenting the field) everywhere it goes. Movement is
    taken from dgst_raw 2bit-wise. Bumping into walls makes the respective
    movement vector be ignored for this turn, thus switching to the other
    color of the chessboard. Graphs are not unambiguous for now, because
    circles in graphs can be walked in either direction.

    discussions with several people, help, corrections and ok markus@ djm@

2008-01-19  djm      1 file  -5/+4
    promote rekeylimit to an int64 so it can hold the maximum useful limit
    of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@

2007-12-31  dtucker  1 file  -4/+5
    Prevent strict-aliasing warnings on newer gcc versions. bz #1355,
    patch from Dmitry V. Levin, ok djm@

2007-10-22  markus   1 file  -2/+2
    make sure that both the local and remote port are correct when
    parsing -L; Jan Pechanec (bz #1378)

2007-03-20  tedu     1 file  -2/+2
    remove some bogus *p tests from charles longeau
    ok deraadt millert

2007-01-21  stevesk  1 file  -2/+2
    spaces

2007-01-17  dtucker  1 file  -2/+2
    Honour activep for times (eg ServerAliveInterval) while parsing
    ssh_config and ~/.ssh/config so they work properly with Host
    directives. From mario.lorenz@wincor-nixdorf.com via bz #1275.
    ok markus@

2006-08-03  deraadt  1 file  -4/+5
    almost entirely get rid of the culture of ".h files that include .h
    files" ok djm, sort of ok stevesk
    makes the pain stop in one easy step

2006-08-01  stevesk  1 file  -1/+2
    move #include <stdio.h> out of includes.h

2006-07-22  stevesk  1 file  -1/+2
    move #include <string.h> out of includes.h