Commit log for usr.bin/ssh/readconf.c (newest first). Each entry ends with [author, date, files changed, lines removed/added].
* Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using ssh -W (but still default to yes in that case). bz#2577, ok djm@. [dtucker, 2016-06-03, 1 file, -5/+15]
* Move the host and port used by ssh -W into the Options struct. This will make future changes a bit easier. ok djm@ [dtucker, 2016-06-03, 1 file, -1/+3]
* allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@ [markus, 2016-05-04, 1 file, -1/+2]
* IdentityAgent for specifying specific agent sockets; ok djm@ [markus, 2016-05-04, 1 file, -2/+9]
* Include directive for ssh_config(5); feedback & ok markus@ [djm, 2016-04-15, 1 file, -11/+101]
* don't record duplicate LocalForward and RemoteForward entries; fixes failure with ExitOnForwardFailure+hostname canonicalisation where the same forwards are added on the second pass through the configuration file. bz#2562; ok dtucker@ [djm, 2016-04-06, 1 file, -1/+13]
* don't attempt to percent_expand() already-canonicalised addresses, avoiding unnecessary failures when attempting to connect to scoped IPv6 addresses (that naturally contain '%' characters) [djm, 2016-02-08, 1 file, -3/+6]
* Allow RekeyLimits in excess of 4G up to 2**63 bits (limited by the return type of scan_scaled). Part of bz#2521, ok djm. [dtucker, 2016-01-29, 1 file, -8/+4]
* remove roaming support; ok djm@ [markus, 2016-01-14, 1 file, -9/+3]
* Disable experimental client-side roaming support. Server side was disabled/gutted for years already, but this aspect was surprisingly forgotten. Thanks for report from Qualys [deraadt, 2016-01-14, 1 file, -4/+3]
* Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). Initial version from Joachim Schipper many years ago. ok markus@ [jcs, 2015-11-15, 1 file, -2/+20]
* fix execv arguments in a way less likely to cause grief for -portable; ok dtucker@ [djm, 2015-10-27, 1 file, -2/+7]
* avoid de-const warning & shrink; ok dtucker@ [djm, 2015-10-27, 1 file, -7/+2]
* Do not prepend "exec" to the shell command run by "Match exec" in a config file. It's an unnecessary optimization from repurposed ProxyCommand code and prevents some things working with some shells. bz#2471, pointed out by res at qoxp.net. ok markus@ [dtucker, 2015-10-25, 1 file, -10/+3]
* include PubkeyAcceptedKeyTypes in ssh -G config dump [djm, 2015-10-07, 1 file, -1/+2]
* add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ [djm, 2015-09-24, 1 file, -1/+46]
* Fix printing (ssh -G ...) of HostKeyAlgorithms=+... Reported by Bryan Drewery [djm, 2015-08-21, 1 file, -2/+6]
* Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ [djm, 2015-07-30, 1 file, -12/+13]
* Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ [markus, 2015-07-10, 1 file, -17/+20]
* Fix \-escaping bug that caused forward path parsing to skip two characters and skip past the end of the string. Based on patch by Salvador Fandino; ok dtucker@ [djm, 2015-06-26, 1 file, -2/+3]
* Reorder EscapeChar option parsing to avoid a single-byte out-of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@ [djm, 2015-05-22, 1 file, -6/+6]
* Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@ [djm, 2015-05-04, 1 file, -9/+7]
* rename xrealloc() to xreallocarray() since it follows that form. ok djm [deraadt, 2015-04-24, 1 file, -3/+3]
* fix uninitialised memory read when parsing a config file consisting of a single nul byte. Found by hanno AT hboeck.de using AFL; ok dtucker [djm, 2015-03-30, 1 file, -2/+4]
* Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client. Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered. ok markus@ [djm, 2015-02-16, 1 file, -2/+4]
* turn UpdateHostkeys off by default until I figure out mlarkin@'s warning message; requested by deraadt@ [djm, 2015-02-02, 1 file, -2/+2]
* Add a ssh_config HostbasedKeyType option to control which host public key types are tried during hostbased authentication. This may be used to prevent too many keys being sent to the server, and blowing past its MaxAuthTries limit. bz#2211 based on patch by Iain Morgan; ok markus@ [djm, 2015-01-30, 1 file, -3/+22]
* Host key rotation support. Add a hostkeys@openssh.com protocol extension (global request) for a server to inform a client of all its available host key after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default on). ok markus@ [djm, 2015-01-26, 1 file, -2/+11]
* Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol) [deraadt, 2015-01-16, 1 file, -1/+2]
* sync ssh-keysign, ssh-keygen and some dependencies to the new buffer/key API; mostly mechanical, ok markus@ [djm, 2015-01-15, 1 file, -3/+2]
* add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@ [djm, 2015-01-13, 1 file, -2/+2]
* fix ssh_config FingerprintHash evaluation order; from Petr Lautrbach [djm, 2015-01-08, 1 file, -3/+4]
* Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@ [djm, 2014-12-21, 1 file, -1/+23]
* add RevokedHostKeys option for the client. Allow textfile or KRL-based revocation of hostkeys. [djm, 2014-12-04, 1 file, -2/+10]
* Remove unnecessary include: netinet/in_systm.h is not needed by these programs. ok deraadt@ millert@ [lteo, 2014-10-24, 1 file, -2/+1]
* Tweak config reparsing with host canonicalisation. Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T". Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus [djm, 2014-10-08, 1 file, -68/+380]
* Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@ [millert, 2014-07-15, 1 file, -38/+186]
* don't record duplicate IdentityFiles [djm, 2014-04-23, 1 file, -1/+12]
* reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g.
      CanonicalizeHostname yes
      CanonicalDomains int.example.org example.org
      CanonicalizeFallbackLocal no
      Host *.int.example.org
      Compression off
      Host *.example.org
      User djm
  ok markus@ [djm, 2014-02-23, 1 file, -3/+24]
* when processing Match blocks, skip 'exec' clauses if previous predicates failed to match; ok markus@ [djm, 2014-02-22, 1 file, -10/+21]
* remove experimental, never-enabled JPAKE code; ok markus@ [djm, 2014-01-29, 1 file, -15/+2]
* support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@ [markus, 2013-12-06, 1 file, -1/+3]
* unsigned casts for ctype macros where necessary. ok guenther millert markus [deraadt, 2013-11-20, 1 file, -2/+2]
* Disallow empty Match statements and add "Match all" which matches everything. ok djm, man page help jmc@ [dtucker, 2013-10-24, 1 file, -2/+20]
* comment [djm, 2013-10-23, 1 file, -1/+2]
* Hostname may have %h sequences that should be expanded prior to Match evaluation; spotted by Iain Morgan [djm, 2013-10-23, 1 file, -6/+14]
* rename "command" subclause of the recently-added "Match" keyword to "exec"; it's shorter, clearer in intent and we might want to add the ability to match against the command being executed at the remote end in the future. [djm, 2013-10-20, 1 file, -4/+4]
* s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@ [djm, 2013-10-16, 1 file, -25/+25]
* Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@ [djm, 2013-10-16, 1 file, -1/+112]
* refactor client config code a little: add multistate option parsing to readconf.c, similar to servconf.c's existing code; move checking of options that accept "none" as an argument to readconf.c; add a lowercase() function and use it instead of explicit tolower() in loops. part of a larger diff that was ok markus@ [djm, 2013-10-14, 1 file, -104/+95]