path: root/usr.bin/ssh/ssh.c
Commit message | Author | Age | Files | Lines
...
* make UID available as a %-expansion everywhere that the username is
  available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@
  [djm | 2018-06-01 | 1 file | -8/+22]
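The %-expansion mechanism that this commit and several below extend (%i, %U, %C, %T) is a small token substituter: each "%X" is looked up in a per-context table, "%%" yields a literal percent sign, and a token that is unknown or not yet available in the current context is an error rather than silently passed through. The following is an added, stand-alone illustration of that behaviour, not OpenSSH's percent_expand(); the token letters and the sample values in sample_vars are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* One expansion token: the letter after '%' and its value. A NULL value
 * marks a token that is not available in this context (constructed rule
 * for the example, e.g. %T before any tun device was allocated). */
struct pexp_var {
    char key;
    const char *value;
};

/*
 * Expand "%X" tokens in fmt into out. "%%" becomes a literal '%'.
 * Returns 0 on success, -1 on an unknown or unavailable token, a lone
 * trailing '%', or insufficient output space. out is NUL-terminated on
 * success.
 */
static int
percent_expand(const char *fmt, const struct pexp_var *vars, size_t nvars,
    char *out, size_t outlen)
{
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (const char *p = fmt; *p != '\0'; p++) {
        const char *rep = NULL;
        size_t rlen;

        if (*p != '%') {                /* ordinary character */
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p;
            continue;
        }
        p++;
        if (*p == '\0')
            return -1;                  /* "%" at end of string */
        if (*p == '%') {
            rep = "%";
        } else {
            for (size_t i = 0; i < nvars; i++) {
                if (vars[i].key == *p) {
                    rep = vars[i].value;
                    break;
                }
            }
            if (rep == NULL)
                return -1;              /* unknown or unavailable token */
        }
        rlen = strlen(rep);
        if (o + rlen >= outlen)
            return -1;
        memcpy(out + o, rep, rlen);
        o += rlen;
    }
    out[o] = '\0';
    return 0;
}

/* Constructed sample values standing in for one client connection. */
static const struct pexp_var sample_vars[] = {
    { 'u', "alice" },           /* local user name */
    { 'i', "1000" },            /* local uid, the %i this commit adds */
    { 'h', "example.org" },     /* remote host name */
    { 'p', "22" },              /* remote port */
    { 'T', NULL },              /* no tun/tap device allocated */
};
#define NSAMPLE (sizeof(sample_vars) / sizeof(sample_vars[0]))

/* 1 if fmt expands exactly to expect against sample_vars. */
static int
expand_is(const char *fmt, const char *expect)
{
    char buf[256];

    if (percent_expand(fmt, sample_vars, NSAMPLE, buf, sizeof(buf)) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* 1 if fmt is rejected against sample_vars. */
static int
expand_fails(const char *fmt)
{
    char buf[256];

    return percent_expand(fmt, sample_vars, NSAMPLE, buf, sizeof(buf)) != 0;
}

int
main(void)
{
    const char *fmts[] = { "%u@%h:%p uid=%i", "100%%", "%T", "%Z", "oops%" };
    char buf[256];

    for (size_t i = 0; i < sizeof(fmts) / sizeof(fmts[0]); i++) {
        if (percent_expand(fmts[i], sample_vars, NSAMPLE, buf, sizeof(buf)) == 0)
            printf("%-18s -> %s\n", fmts[i], buf);
        else
            printf("%-18s -> rejected\n", fmts[i]);
    }
    return 0;
}
```

Rejecting unknown tokens instead of copying them through is the safer choice for strings that end up in a LocalCommand or a ProxyCommand: a typo such as %Z never reaches a shell as literal text.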
* prefer argv0 to "ssh" when re-executing ssh for ProxyJump directive;
  bz2831, feedback and ok dtucker@
  [djm | 2018-06-01 | 1 file | -2/+11]
* don't free the %C expansion, it's used later for LocalCommand
  [djm | 2018-04-14 | 1 file | -2/+1]
* lots of typos in comments/docs. Patch from Karsten Weiss after checking
  with codespell tool (https://github.com/lucasdemarchi/codespell)
  [djm | 2018-04-10 | 1 file | -2/+2]
* Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
  The code is not compiled in by default (see WITH_XMSS in Makefile.inc). Joint work with stefan-lukas_gazdag at genua.eu. See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@
  [markus | 2018-02-23 | 1 file | -3/+12]
* Add BindInterface ssh_config directive and -B command-line argument
  to ssh(1) that directs it to bind its outgoing connection to the address of the specified network interface. BindInterface prefers to use addresses that aren't loopback or link-local, but will fall back to those if no other addresses of the required family are available on that interface. Based on patch by Mike Manning in bz#2820, ok dtucker@
  [djm | 2018-02-23 | 1 file | -9/+12]
* remove space before tab
  [djm | 2018-02-13 | 1 file | -18/+18]
* Don't reset signal handlers inside handlers.
  The signal handlers from the original ssh1 code on which OpenSSH is based assume unreliable signals and reinstall their handlers. Since OpenBSD (and pretty much every current system) has reliable signals this is not needed. In the unlikely event that -portable is still being used on such systems we will deal with it in the compat layer. ok deraadt@
  [dtucker | 2018-02-11 | 1 file | -3/+1]
* Drop compatibility hacks for some ancient SSH implementations, including
  ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The hacks in question aren't necessary for RFC-compliant SSH implementations. ok markus@
  [djm | 2018-01-23 | 1 file | -2/+2]
* don't attempt to force hostnames that are addresses to lowercase, but
  instead canonicalise them through getnameinfo/getaddrinfo to remove ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts; bz#2763, ok dtucker@
  [djm | 2018-01-23 | 1 file | -17/+71]
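The security point of this commit is that known_hosts matching is a string comparison, so two spellings of the same address (::0001 and ::1, or 2001:DB8:0:0:0:0:0:1 and 2001:db8::1) would otherwise be treated as different hosts and the second one would prompt for, and record, a fresh key. Parsing the literal with getaddrinfo(AI_NUMERICHOST) and re-rendering it with getnameinfo(NI_NUMERICHOST) yields one canonical spelling without any DNS traffic. The code below is an added, stand-alone illustration of that round trip, not the code from this commit; canon_host() and its lower-casing fallback for non-address names are constructed for the example.

```c
#define _GNU_SOURCE             /* expose getaddrinfo flags under strict -std modes */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF 1025            /* enough for any numeric address or hostname */

/*
 * If `in` is an IPv4 or IPv6 address literal, write its canonical textual
 * form to out and return 1. Otherwise treat it as a hostname, lower-case
 * it into out and return 0. Returns -1 if out is too small or the
 * address cannot be re-rendered. AI_NUMERICHOST guarantees no lookup.
 */
static int
canon_host(const char *in, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    size_t n, i;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;            /* accept v4 and v6 literals */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;        /* never consult DNS */

    if (getaddrinfo(in, NULL, &hints, &res) == 0) {
        int r = getnameinfo(res->ai_addr, res->ai_addrlen,
            out, (socklen_t)outlen, NULL, 0, NI_NUMERICHOST);
        freeaddrinfo(res);
        return r == 0 ? 1 : -1;
    }

    /* Not an address literal: normalise case as for any hostname. */
    n = strlen(in);
    if (n >= outlen)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return 0;
}

/* 1 if `in` canonicalises exactly to expect (address or hostname). */
static int
canon_is(const char *in, const char *expect)
{
    char buf[HOSTBUF];

    return canon_host(in, buf, sizeof(buf)) >= 0 && strcmp(buf, expect) == 0;
}

/* 1 if `in` was parsed as an address literal. */
static int
is_addr_literal(const char *in)
{
    char buf[HOSTBUF];

    return canon_host(in, buf, sizeof(buf)) == 1;
}

int
main(void)
{
    const char *inputs[] = {
        "::0001", "2001:DB8:0:0:0:0:0:1", "127.0.0.1", "Example.ORG",
    };
    char buf[HOSTBUF];

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int r = canon_host(inputs[i], buf, sizeof(buf));
        printf("%-24s -> %s (%s)\n", inputs[i], r < 0 ? "error" : buf,
            r == 1 ? "address" : "hostname");
    }
    return 0;
}
```

Note that the canonical form is whatever the platform's inet_ntop produces (lower-case hex, longest zero run compressed), so the same rule must be applied when a known_hosts entry is written, not only when it is looked up.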
* fix broken stdout in ControlPersist mode, introduced by me in r1.467
  and reported by Alf Schlichting
  [djm | 2017-11-01 | 1 file | -8/+10]
* whitespace at EOL
  [djm | 2017-10-27 | 1 file | -6/+6]
* transfer ownership of stdout to the session channel by dup2'ing
  /dev/null to fd 1. This allows propagation of remote stdout close to the local side; reported by David Newall, ok markus@
  [djm | 2017-10-25 | 1 file | -2/+16]
* Expose devices allocated for tun/tap forwarding.
  At the client, the device may be obtained from a new %T expansion for LocalCommand. At the server, the allocated devices will be listed in a SSH_TUNNEL variable exposed to the environment of any user sessions started after the tunnel forwarding was established. ok markus
  [djm | 2017-10-23 | 1 file | -54/+54]
* Add URI support to ssh, sftp and scp. For example ssh://user@host
  or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@
  [millert | 2017-10-21 | 1 file | -15/+41]
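The URI form accepted here is scheme://[user@]host[:port][/path], with a bracketed IPv6 literal as the host, and the draft's ";fingerprint=..." connection parameters deliberately unsupported. The parser below is an added example of handling exactly that grammar, not the parser from this commit: it splits the authority before looking for a path, keeps a bracketed host intact, validates the port range, and rejects a ';' in the authority outright so that an unsupported parameter can never be silently folded into the hostname. The struct name ssh_uri and the helper functions are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ssh_uri {
    char user[64];          /* "" when the URI carries no user */
    char host[256];         /* IPv6 literal without the brackets */
    int  port;              /* -1 when the URI carries no port */
    char path[1024];        /* without the leading '/', "" when absent */
};

/* Copy n bytes into dst with NUL; reject empty or oversized fields. */
static int
copy_field(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse ssh:// or sftp:// URIs. Returns 0 on success, -1 if malformed. */
static int
parse_ssh_uri(const char *uri, struct ssh_uri *u)
{
    const char *p, *end, *slash, *at;

    if (strncmp(uri, "ssh://", 6) == 0)
        p = uri + 6;
    else if (strncmp(uri, "sftp://", 7) == 0)
        p = uri + 7;
    else
        return -1;

    u->user[0] = u->host[0] = u->path[0] = '\0';
    u->port = -1;

    slash = strchr(p, '/');
    end = slash != NULL ? slash : p + strlen(p);    /* authority is [p, end) */

    /* Draft connection parameters (";fingerprint=...") are not supported. */
    if (memchr(p, ';', (size_t)(end - p)) != NULL)
        return -1;

    at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL) {
        if (copy_field(u->user, sizeof(u->user), p, (size_t)(at - p)) != 0)
            return -1;
        p = at + 1;
    }

    if (*p == '[') {                                /* [IPv6-literal] */
        const char *rb = memchr(p, ']', (size_t)(end - p));
        if (rb == NULL ||
            copy_field(u->host, sizeof(u->host), p + 1, (size_t)(rb - p - 1)) != 0)
            return -1;
        p = rb + 1;
    } else {                                        /* hostname or IPv4 */
        const char *colon = memchr(p, ':', (size_t)(end - p));
        const char *he = colon != NULL ? colon : end;
        if (copy_field(u->host, sizeof(u->host), p, (size_t)(he - p)) != 0)
            return -1;
        p = he;
    }

    if (p != end) {                                 /* :port */
        char *ep;
        long v;
        if (*p != ':' || !isdigit((unsigned char)p[1]))
            return -1;
        v = strtol(p + 1, &ep, 10);
        if (ep != end || v < 1 || v > 65535)
            return -1;
        u->port = (int)v;
    }

    if (slash != NULL) {
        if (strlen(slash + 1) >= sizeof(u->path))
            return -1;
        strcpy(u->path, slash + 1);
    }
    return 0;
}

/* 1 if uri parses and every component matches. */
static int
uri_is(const char *uri, const char *user, const char *host, int port,
    const char *path)
{
    struct ssh_uri u;

    return parse_ssh_uri(uri, &u) == 0 && strcmp(u.user, user) == 0 &&
        strcmp(u.host, host) == 0 && u.port == port && strcmp(u.path, path) == 0;
}

/* 1 if uri is rejected. */
static int
uri_rejected(const char *uri)
{
    struct ssh_uri u;

    return parse_ssh_uri(uri, &u) != 0;
}

int
main(void)
{
    struct ssh_uri u;
    const char *s = "sftp://bob@[2001:db8::1]:2222/srv/data";

    if (parse_ssh_uri(s, &u) == 0)
        printf("user=%s host=%s port=%d path=%s\n", u.user, u.host, u.port, u.path);
    return 0;
}
```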
* Add 'reverse' dynamic forwarding which combines dynamic forwarding
  (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH client's side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@
  [markus | 2017-09-21 | 1 file | -2/+3]
* refactor channels.c
  Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@
  [djm | 2017-09-12 | 1 file | -40/+48]
* make "--" before the hostname terminate command-line option processing
  completely; previous behaviour would not prevent further options appearing after the hostname (ssh has supported options after the hostname for >20 years, so that's too late to change). ok deraadt@
  [djm | 2017-08-12 | 1 file | -4/+7]
* Add RemoteCommand option to specify a command in the ssh config
  file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows tasks to be automated using ssh config. OK markus@
  [bluhm | 2017-05-30 | 1 file | -8/+32]
* switch from Key typedef with struct sshkey; ok djm@
  [markus | 2017-05-30 | 1 file | -5/+5]
* remove options -12 from usage();
  [jmc | 2017-05-02 | 1 file | -2/+2]
* obliterate ssh1.h and some dead code that used it
  ok markus@
  [djm | 2017-04-30 | 1 file | -2/+1]
* remove KEY_RSA1
  ok markus@
  [djm | 2017-04-30 | 1 file | -3/+2]
* remove SSHv1 ciphers; ok markus@
  [djm | 2017-04-30 | 1 file | -17/+4]
* remove compat20/compat13/compat15 variables
  ok markus@
  [djm | 2017-04-30 | 1 file | -172/+2]
* remove options.protocol and client Protocol configuration knob
  ok markus@
  [djm | 2017-04-30 | 1 file | -3/+3]
* unifdef WITH_SSH1
  ok markus@
  [djm | 2017-04-30 | 1 file | -9/+1]
* Add SyslogFacility option to ssh(1) matching the equivalent option in
  sshd(8). bz#2705, patch from erahn at arista.com, ok djm@
  [dtucker | 2017-04-28 | 1 file | -4/+7]
* fix regression in 7.4 server-sig-algs, where we were accidentally
  excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@
  [djm | 2017-03-10 | 1 file | -4/+4]
* quote [host]:port in generated ProxyJump commandline; the [ / ]
  characters can confuse some shells (e.g. zsh). Reported by Lauri Tirkkonen via bugs@
  [djm | 2017-03-08 | 1 file | -2/+2]
* For ProxyJump/-J, surround host name with brackets to allow
  literal IPv6 addresses. From Dick Visser; ok dtucker@
  [djm | 2017-02-17 | 1 file | -2/+2]
* make IdentityFile successfully load and use certificates that have no
  corresponding bare public key. E.g. just a private id_rsa and certificate id_rsa-cert.pub (and no id_rsa.pub). bz#2617 ok dtucker@
  [djm | 2016-12-06 | 1 file | -2/+3]
* ssh proxy mux mode (-O proxy; idea from Simon Tatham):
  - mux client speaks the ssh-packet protocol directly over unix-domain socket.
  - mux server acts as a proxy, translates channel IDs and relays to the server.
  - no filedescriptor passing necessary.
  - combined with unix-domain forwarding it's even possible to run mux client and server on different machines.
  feedback & ok djm@
  [markus | 2016-09-30 | 1 file | -9/+18]
* list all supported signature algorithms in the server-sig-algs
  Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick; ok markus@
  [djm | 2016-09-12 | 1 file | -4/+4]
* support UTF-8 characters in ssh(1) banners using schwarze@'s
  safe fmprintf printer; bz#2058 feedback schwarze@ ok dtucker@
  [djm | 2016-07-17 | 1 file | -1/+4]
* - add proxyjump to the options list
  - formatting fixes
  - update usage()
  ok djm
  [jmc | 2016-07-16 | 1 file | -5/+6]
* Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1)
  command-line flag to allow simplified indirection through an SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@
  [djm | 2016-07-15 | 1 file | -14/+63]
* Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when
  using ssh -W (but still default to yes in that case). bz#2577, ok djm@.
  [dtucker | 2016-06-03 | 1 file | -3/+1]
* Move the host and port used by ssh -W into the Options struct.
  This will make future changes a bit easier. ok djm@
  [dtucker | 2016-06-03 | 1 file | -13/+10]
* allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
  [markus | 2016-05-04 | 1 file | -2/+3]
* IdentityAgent for specifying specific agent sockets; ok djm@
  [markus | 2016-05-04 | 1 file | -1/+17]
* close ControlPersist background process stderr when not in
  debug mode or when logging to a file or syslog. bz#1988 ok dtucker
  [djm | 2016-04-29 | 1 file | -3/+5]
* refactor canohost.c: move functions that cache results closer to the
  places that use them (authn and session code). After this, no state is cached in canohost.c. feedback and ok markus@
  [djm | 2016-03-07 | 1 file | -2/+5]
* Add a function to enable security-related malloc_options. With and ok
  deraadt@, something similar has been in the snaps for a while.
  [dtucker | 2016-02-15 | 1 file | -1/+2]
* remove roaming support; ok djm@
  [markus | 2016-01-14 | 1 file | -2/+1]
* Disable experimental client-side roaming support. Server side was
  disabled/gutted for years already, but this aspect was surprisingly forgotten. Thanks for the report from Qualys
  [deraadt | 2016-01-14 | 1 file | -4/+1]
* eliminate fallback from untrusted X11 forwarding to trusted
  forwarding when the X server disables the SECURITY extension; Reported by Thomas Hoger; ok deraadt@
  [djm | 2016-01-13 | 1 file | -14/+9]
* don't try to load SSHv1 private key when compiled without SSHv1
  support. From Iain Morgan bz#2505
  [djm | 2015-12-11 | 1 file | -1/+3]
* Remove NULL-checks before free().
  ok dtucker@
  [mmcc | 2015-12-10 | 1 file | -3/+2]
* ban ConnectionAttempts=0, it makes no sense and would cause
  ssh_connect_direct() to print an uninitialised stack variable; bz#2500 reported by dvw AT phas.ubc.ca
  [djm | 2015-11-19 | 1 file | -1/+4]