path: root/usr.bin/ssh/ssh.c
Commit log, newest first. Each entry gives the date, author, and files changed with lines removed/added, followed by the commit message.
* 2015-10-15  djm  (1 file, -2/+2)
  fix some signed/unsigned integer type mismatches in format strings;
  reported by Nicholas Lemonias
* 2015-09-24  djm  (1 file, -7/+58)
  add ssh_config CertificateFile option to explicitly list a certificate;
  patch from Meghana Bhat on bz#2436; ok markus@
* 2015-09-11  jmc  (1 file, -6/+4)
  sync -Q in usage() to SYNOPSIS; since it's drastically shorter, I've
  reformatted the block to sync with the man (80 cols) and saved a line;
* 2015-09-11  dtucker  (1 file, -2/+2)
  Update usage to match man page.
* 2015-09-11  djm  (1 file, -3/+4)
  expand %i in ControlPath to UID; bz#2449
  patch from Christian Hesse w/ feedback from dtucker@
* 2015-09-04  dtucker  (1 file, -7/+8)
  Plug minor memory leaks when options are used more than once. bz#2182,
  patch from Tiago Cunha, ok deraadt djm
* 2015-09-04  djm  (1 file, -1/+2)
  add a debug2() right before DNS resolution; it's a place where ssh could
  previously silently hang for a while. bz#2433
* 2015-07-30  djm  (1 file, -17/+18)
  Allow ssh_config and sshd_config kex parameters options to be prefixed by
  a '+' to indicate that the specified items be appended to the default
  rather than replacing it. approach suggested by dtucker@, feedback dlg@,
  ok markus@
* 2015-07-20  millert  (1 file, -3/+3)
  Sync usage with SYNOPSIS
* 2015-05-04  djm  (1 file, -5/+3)
  Remove pattern length argument from match_pattern_list(), we only ever
  use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing out
  an out-of-bound read error caused by an incorrect pattern length found
  using AFL and his own tools. ok markus@
* 2015-04-17  djm  (1 file, -1/+5)
  debug log missing DISPLAY environment when X11 forwarding requested;
  bz#1682 ok dtucker@
* 2015-03-03  djm  (1 file, -1/+8)
  Allow "ssh -Q protocol-version" to list supported SSH protocol versions.
  Useful for detecting builds without SSH v.1 support; idea and ok markus@
* 2015-02-20  djm  (1 file, -1/+7)
  UpdateHostKeys fixes:

  I accidentally changed the format of the hostkeys@openssh.com messages
  last week without changing the extension name, and this has been causing
  connection failures for people who are running -current. First reported
  by sthen@

  s/hostkeys@openssh.com/hostkeys-00@openssh.com/

  Change the name of the proof message too, and reorder it a little.

  Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
  available to read the response) so disable UpdateHostKeys if it is in
  ask mode and ControlPersist is active (and document this)
* 2015-01-20  deraadt  (1 file, -4/+4)
  Reduce use of <sys/param.h> and transition to <limits.h> throughout.
  ok djm markus
* 2015-01-16  djm  (1 file, -5/+72)
  when hostname canonicalisation is enabled, try to parse hostnames as
  addresses before looking them up for canonicalisation. fixes bz#2074 and
  avoids needless DNS lookups in some cases; ok markus
* 2015-01-14  djm  (1 file, -2/+9)
  move authfd.c and its tentacles to the new buffer/key API; ok markus@
* 2015-01-08  djm  (1 file, -17/+17)
  reorder hostbased key attempts to better match the default hostkey
  algorithms order in myproposal.h; ok markus@
* 2014-11-18  krw  (1 file, -2/+1)
  Nuke more obvious #include duplications. ok deraadt@ millert@ tedu@
* 2014-10-09  jmc  (1 file, -2/+2)
  tweak previous;
* 2014-10-08  djm  (1 file, -19/+61)
  Tweak config reparsing with host canonicalisation

  Make the second pass through the config files always run when hostname
  canonicalisation is enabled.

  Add a "Match canonical" criterion that allows ssh_config Match blocks to
  trigger only in the second config pass.

  Add a -G option to ssh that causes it to parse its configuration and dump
  the result to stdout, similar to "sshd -T"

  Allow ssh_config Port options set in the second config parse phase to be
  applied (they were being ignored).

  bz#2267 bz#2286; ok markus
* 2014-07-17  djm  (1 file, -1/+9)
  reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
  previously we were always returning 0. bz#2255 reported by Brendan
  Germain; ok dtucker
* 2014-07-15  millert  (1 file, -25/+37)
  Add support for Unix domain socket forwarding. A remote TCP port may be
  forwarded to a local Unix domain socket and vice versa or both ends may
  be a Unix domain socket. This is a reimplementation of the streamlocal
  patches by William Ahern from:
  http://www.25thandclement.com/~william/projects/streamlocal.html
  OK djm@ markus@
* 2014-07-03  djm  (1 file, -8/+36)
  Add a %C escape sequence for LocalCommand and ControlPath that expands to
  a unique identifier based on a hash of the tuple of (local host, remote
  user, hostname, port). Helps avoid exceeding sockaddr_un's miserly
  pathname limits for mux control paths. bz#2220, based on patch from
  mancha1 AT zoho.com; ok markus@
* 2014-06-27  markus  (1 file, -2/+4)
  fix remote fwding with same listen port but different listen address
  with gerhard@, ok djm@
* 2014-06-24  djm  (1 file, -5/+9)
  don't fatal() when hostname canonicalisation fails with a ProxyCommand in
  use; continue and allow the ProxyCommand to connect anyway (e.g. to a
  host with a name outside the DNS behind a bastion)
* 2014-04-29  markus  (1 file, -3/+19)
  make compiling against OpenSSL optional (make OPENSSL=no); reduces
  algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore
  further options; with and ok djm
* 2014-02-26  djm  (1 file, -6/+24)
  bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
  ok dtucker@ markus@
* 2014-02-23  djm  (1 file, -56/+94)
  reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
  the hostname. This allows users to write configurations that always refer
  to canonical hostnames, e.g.

      CanonicalizeHostname yes
      CanonicalDomains int.example.org example.org
      CanonicalizeFallbackLocal no

      Host *.int.example.org
          Compression off

      Host *.example.org
          User djm

  ok markus@
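The canonicalisation config in the entry above combines with several other client options from this log: CertificateFile (2015-09-24), the '+' prefix for KexAlgorithms (2015-07-30), the UpdateHostKeys/ControlPersist interaction (2015-02-20), "Match canonical" and ssh -G (2014-10-08), the %C ControlPath escape (2014-07-03), and the rule that a ProxyCommand host is only canonicalised when the user forces it (2013-10-24). The following ~/.ssh/config is an added example written for this page; it is not code from the page or from OpenSSH, and every host, domain, user and key-file name in it is made up. It assumes the client can resolve names under int.example.org directly (e.g. over a VPN) and that oldswitch.example.org is a device that only offers the legacy 1024-bit group1 key exchange.

```sshconfig
# Added example (not from the page or from OpenSSH): a ~/.ssh/config that
# exercises options introduced in the log above. All host, domain, user
# and key-file names are constructed.

# Turn short names into fully-qualified ones via an explicit search path,
# so known_hosts entries and host certificates need only list FQDNs.
# CanonicalizeFallbackLocal no: a name that resolves under neither domain
# is an error rather than a silent fall back to the system resolver.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no

# First pass: matched against the name exactly as typed on the command line.
Host bastion
    HostName bastion.example.org
    User admin

# Second pass only: "Match canonical" is true after canonicalisation, so
# "ssh db1" lands here once the name has become db1.int.example.org.
Match canonical host *.int.example.org
    User djm
    IdentityFile ~/.ssh/id_ed25519
    # Name the user certificate explicitly instead of relying on the
    # <IdentityFile>-cert.pub naming convention.
    CertificateFile ~/.ssh/id_ed25519-cert.pub

# Hosts behind the bastion are reached with a stdio forward (ssh -W).
# With CanonicalizeHostname yes (not always) a host that has a ProxyCommand
# is not canonicalised, so the typed name must already be fully qualified.
Host *.dmz.example.net
    ProxyCommand ssh -W %h:%p bastion.example.org

# One legacy device that only speaks diffie-hellman-group1-sha1. The "+"
# appends to the default list rather than replacing it, and scoping it to
# a single Host block keeps the weak 1024-bit group out of every other
# connection.
Host oldswitch.example.org
    KexAlgorithms +diffie-hellman-group1-sha1

Host *
    # %C is a hash of the (local host, remote user, hostname, port) tuple:
    # unique per destination yet short enough for sun_path.
    ControlMaster auto
    ControlPath ~/.ssh/mux-%C
    ControlPersist 10m
    # UpdateHostKeys=ask cannot prompt under ControlPersist (no TTY), and
    # ssh disables it in that case; set yes or no explicitly instead.
    UpdateHostKeys yes
    Compression off
```

Verify the result of both parsing passes with `ssh -G db1`, which prints the effective configuration after canonicalisation (HostName, User and CertificateFile should all reflect the Match canonical block), and check algorithm spellings against `ssh -Q kex` before adding them to KexAlgorithms; the -Q query names are case-sensitive.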
* 2014-02-04  djm  (1 file, -2/+2)
  delay lowercasing of hostname until right before hostname
  canonicalisation to unbreak case-sensitive matching of ssh_config;
  reported by Ike Devolder; ok markus@
* 2014-01-31  tedu  (1 file, -6/+6)
  replace most bzero with explicit_bzero, except a few that can be memset
  ok djm dtucker
* 2013-12-29  djm  (1 file, -12/+16)
  don't forget to load Ed25519 certs too
* 2013-12-06  markus  (1 file, -4/+13)
  support ed25519 keys (hostkeys and user identities) using the public
  domain ed25519 reference code from SUPERCOP, see
  http://ed25519.cr.yp.to/software.html
  feedback, help & ok djm@
* 2013-11-26  jmc  (1 file, -5/+5)
  - put -Q in the right place
  - Ar was a poor choice for the arguments to -Q. I've chosen an admittedly
    equally poor Cm, at least consistent with the rest of the docs. also no
    need for multiple instances
  - zap a now redundant Nm
  - usage() sync
* 2013-11-25  deraadt  (1 file, -10/+10)
  improve -Q usage and such. One usage change is that the option is now
  case-sensitive
  ok dtucker markus djm
* 2013-11-21  djm  (1 file, -2/+4)
  Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
  that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
  to build an authenticated encryption mode.

  Inspired by and similar to Adam Langley's proposal for TLS:
  http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
  but differs in layout used for the MAC calculation and the use of a
  second ChaCha20 instance to separately encrypt packet lengths.
  Details are in the PROTOCOL.chacha20poly1305 file.

  Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
  ok markus@ naddy@
* 2013-11-07  dtucker  (1 file, -4/+4)
  Output the effective values of Ciphers, MACs and KexAlgorithms when the
  default has not been overridden. ok markus@
* 2013-10-25  djm  (1 file, -2/+4)
  fix crash when using ProxyCommand caused by previous commit - was calling
  freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
* 2013-10-24  djm  (1 file, -3/+5)
  fix bug introduced in hostname canonicalisation commit: don't try to
  resolve hostnames when a ProxyCommand is set unless the user has forced
  canonicalisation; spotted by Iain Morgan
* 2013-10-23  djm  (1 file, -1/+2)
  comment
* 2013-10-17  djm  (1 file, -2/+4)
  rearrange check to reduce diff against -portable
* 2013-10-16  djm  (1 file, -6/+6)
  one I missed in previous: s/isation/ization/
* 2013-10-16  djm  (1 file, -16/+16)
  s/canonicalise/canonicalize/ for consistency with existing spelling,
  e.g. authorized_keys; pointed out by naddy@
* 2013-10-16  djm  (1 file, -11/+162)
  Implement client-side hostname canonicalisation to allow an explicit
  search path of domain suffixes to use to convert unqualified host names
  to fully-qualified ones for host key matching. This is particularly
  useful for host certificates, which would otherwise need to list
  unqualified names alongside fully-qualified ones (and this causes a
  number of problems). "looks fine" markus@
* 2013-10-14  djm  (1 file, -4/+4)
  whitespace at EOL; pointed out by markus@
* 2013-10-14  djm  (1 file, -19/+9)
  refactor client config code a little:

  add multistate option parsing to readconf.c, similar to servconf.c's
  existing code.

  move checking of options that accept "none" as an argument to readconf.c

  add a lowercase() function and use it instead of explicit tolower() in
  loops

  part of a larger diff that was ok markus@
* 2013-10-14  djm  (1 file, -13/+10)
  add a "Match" keyword to ssh_config that allows matching on hostname,
  user and result of arbitrary commands. "nice work" markus@
* 2013-07-25  djm  (1 file, -1/+2)
  daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
  it is fully detached from its controlling terminal. based on debugging
  and patch from tedu@ ok dtucker@ "be careful" deraadt@
* 2013-07-20  djm  (1 file, -2/+2)
  More useful error message on missing current user in /etc/passwd
* 2013-07-12  djm  (1 file, -1/+6)
  set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
* 2013-05-17  djm  (1 file, -23/+21)
  bye, bye xfree(); ok markus@