path: root/usr.bin/ssh/ssh.c
Commit log. Each entry gives the commit message, then (author, date, files changed, lines removed/added).
...
* add -Q to usage; reminded by jmc@
  (djm, 2013-04-19, 1 file, -2/+2 lines)
* add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
  (djm, 2013-04-19, 1 file, -2/+18 lines)
* Add -E option to ssh and sshd to append debugging logs to a specified file instead of stderr or syslog. ok markus@, man page help jmc@
  (dtucker, 2013-04-07, 1 file, -8/+20 lines)
* allow "ssh -f none ..." ok markus@
  (djm, 2013-03-08, 1 file, -2/+3 lines)
* Allow IdentityFile=none; ok markus deraadt (and dtucker for an earlier version)
  (djm, 2013-02-22, 1 file, -2/+3 lines)
* Don't complain if IdentityFiles specified in system-wide configs are missing. ok djm, deraadt.
  (dtucker, 2013-02-22, 1 file, -4/+6 lines)
* Keep track of which IdentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. ok markus@
  (dtucker, 2013-02-17, 1 file, -7/+2 lines)
* move setting of tty_flag to after config parsing so RequestTTY options are correctly picked up. bz#1995 patch from przemoc AT gmail.com; ok dtucker@
  (djm, 2012-07-06, 1 file, -22/+21 lines)
* set interactive ToS for forwarded X11 sessions. ok djm@
  (dtucker, 2012-07-02, 1 file, -1/+5 lines)
* bz#1943: unbreak stdio forwarding when ControlPersist is in use - ssh was incorrectly requesting the forward in both the control master and slave. skip requesting it in the master to fix. ok markus@
  (djm, 2011-10-24, 1 file, -25/+27 lines)
* ssh(1): skip attempting to create ~/.ssh when -F is passed; ok markus@
  (djm, 2011-10-18, 1 file, -6/+9 lines)
* unbreak remote portforwarding with dynamic allocated listen ports:
  1) send the actual listen port in the open message (instead of 0). this allows multiple forwardings with a dynamic listen port
  2) update the matching permit-open entry, so we can identify where to connect to
  report: den at skbkontur.ru and P. Szczygielski
  feedback and ok djm@
  (markus, 2011-09-23, 1 file, -10/+19 lines)
* support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings; ok markus@
  (djm, 2011-09-09, 1 file, -1/+3 lines)
* typo in comment
  (djm, 2011-08-02, 1 file, -2/+2 lines)
* hook up a channel confirm callback to warn the user when requested X11 forwarding was refused by the server; ok markus@
  (djm, 2011-06-22, 1 file, -5/+7 lines)
* bz#1883 - setproctitle() to identify mux master; patch from Bert.Wesarg AT googlemail.com; ok dtucker@
  (djm, 2011-06-03, 1 file, -1/+2 lines)
* Remove undocumented legacy options UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus
  (djm, 2011-05-24, 1 file, -10/+18 lines)
* fix dropping from previous diff
  (djm, 2011-05-06, 1 file, -2/+1 lines)
* Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@
  (djm, 2011-05-06, 1 file, -19/+22 lines)
* add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@
  (djm, 2011-05-06, 1 file, -14/+14 lines)
* allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests; ok markus@
  (djm, 2011-04-17, 1 file, -1/+3 lines)
* unbreak %n expansion in LocalCommand; patch from bert.wesarg AT googlemail.com; ok markus@
  (djm, 2011-01-06, 1 file, -3/+5 lines)
* automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
  (djm, 2010-11-29, 1 file, -2/+2 lines)
* allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
  (djm, 2010-11-13, 1 file, -4/+3 lines)
* kill proxy command on fatal() (we already kill it on clean exit); ok markus@
  (djm, 2010-10-06, 1 file, -10/+3 lines)
* install a SIGCHLD handler to reap expired child process; ok markus@
  (djm, 2010-09-20, 1 file, -1/+20 lines)
* unbreak ControlPersist=yes for ControlMaster=yes; ok djm@
  (markus, 2010-09-02, 1 file, -1/+2 lines)
* reintroduce commit from tedu@, which I pulled out for release engineering: OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
  (djm, 2010-08-31, 1 file, -2/+2 lines)
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
  (djm, 2010-08-31, 1 file, -9/+18 lines)
* backout previous temporarily; discussed with deraadt@
  (djm, 2010-08-16, 1 file, -2/+2 lines)
* OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
  (tedu, 2010-08-12, 1 file, -2/+2 lines)
* close any extra file descriptors inherited from parent at start and reopen stdin/stdout to /dev/null when forking for ControlPersist. prevents tools that fork and run a captive ssh for communication from failing to exit when the ssh completes while they wait for these fds to close. The inherited fds may persist arbitrarily long if a background mux master has been started by ControlPersist. cvs and scp were affected by this. "please commit" markus@
  (djm, 2010-08-12, 1 file, -1/+18 lines)
* enable certificates for hostbased authentication, from Iain Morgan; "looks ok" markus@
  (djm, 2010-08-04, 1 file, -8/+16 lines)
* add a "ControlPersist" option that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com, apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
  (djm, 2010-07-19, 1 file, -22/+95 lines)
* expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames:
      Host *.*
          Hostname %h
      Host *
          Hostname %h.example.org
  "I like it" markus@
  (djm, 2010-07-12, 1 file, -7/+8 lines)
* Make ExitOnForwardFailure work with fork-after-authentication ("ssh -f") for protocol 2. ok markus@
  (djm, 2010-07-12, 1 file, -3/+8 lines)
* oops, forgot to #include <canohost.h>; spotted and patch from chl@
  (djm, 2010-06-26, 1 file, -1/+2 lines)
* Add X11ForwardTimeout option to specify timeout for untrusted X11 authentication cookies to avoid fallback in X11 code to fully-trusted implicit authentication using SO_PEERCRED described at: http://lists.x.org/archives/xorg-devel/2010-May/008636.html After the X11ForwardTimeout has expired the client will now refuse incoming X11 channel opens. based on patch from Tavis Ormandy; "nice" markus@
  (djm, 2010-06-25, 1 file, -3/+6 lines)
* log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts; "nice!" markus@
  (djm, 2010-06-25, 1 file, -1/+8 lines)
* mux support for remote forwarding with dynamic port allocation, use with LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` feedback and ok djm@
  (markus, 2010-05-16, 1 file, -3/+6 lines)
* Pause the mux channel while waiting for reply from async callbacks. Prevents misordering of replies if new requests arrive while waiting. Extend channel open confirm callback to allow signalling failure conditions as well as success. Use this to 1) fix a memory leak, 2) start using the above pause mechanism and 3) delay sending a success/failure message on mux slave session open until we receive a reply from the server. motivated by and with feedback from markus@
  (djm, 2010-05-14, 1 file, -2/+5 lines)
* bz#1746 - suppress spurious tty warning when using -O and stdin is not a tty; ok dtucker@ markus@
  (djm, 2010-04-10, 1 file, -2/+2 lines)
* Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
  (djm, 2010-02-26, 1 file, -19/+52 lines)
* tweak previous; ok markus
  (jmc, 2010-02-08, 1 file, -2/+3 lines)
* replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev
  (markus, 2010-02-08, 1 file, -12/+17 lines)
* rewrite ssh(1) multiplexing code to a more sensible protocol. The new multiplexing code uses channels for the listener and accepted control sockets to make the mux master non-blocking, so no stalls when processing messages from a slave. avoid use of fatal() in mux master protocol parsing so an errant slave process cannot take down a running master. implement requesting of port-forwards over multiplexed sessions. Any port forwards requested by the slave are added to those the master has established. add support for stdio forwarding ("ssh -W host:port ...") in mux slaves. document master/slave mux protocol so that other tools can use it to control a running ssh(1). Note: there are no guarantees that this protocol won't be incompatibly changed (though it is versioned). feedback Salvador Fandino, dtucker@ channel changes ok markus@
  (djm, 2010-01-26, 1 file, -3/+19 lines)
* Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz #1618, man page help from jmc@, ok markus@
  (dtucker, 2010-01-11, 1 file, -3/+54 lines)
* Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that traffic such as DNS lookups stays within the specified routingdomain. For example (from reyk):
      # route -T 2 exec /usr/sbin/sshd
  or inherited from the parent process
      $ route -T 2 exec sh
      $ ssh 10.1.2.3
  ok deraadt@ markus@ stevesk@ reyk@
  (dtucker, 2010-01-09, 1 file, -2/+1 lines)
* When passing user-controlled options with arguments to other programs, pass the option and option argument as separate argv entries and not smashed into one (e.g., as -l foo and not -lfoo). Also, always pass a "--" argument to stop option parsing, so that a positional argument that starts with a '-' isn't treated as an option. This fixes some error cases as well as the handling of hostnames and filenames that start with a '-'. Based on a diff by halex@ ok halex@ djm@ deraadt@
  (guenther, 2009-12-20, 1 file, -2/+2 lines)
* Allow setting the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
  (reyk, 2009-10-28, 1 file, -1/+2 lines)