path: root/usr.bin/ssh/ssh.c
Commit log: date, author, files changed and lines removed/added, followed by the commit message.
...
* 2017-04-30  djm  (1 file, -9/+1)
  unifdef WITH_SSH1
  ok markus@

* 2017-04-28  dtucker  (1 file, -4/+7)
  Add SyslogFacility option to ssh(1) matching the equivalent option in
  sshd(8). bz#2705, patch from erahn at arista.com, ok djm@

* 2017-03-10  djm  (1 file, -4/+4)
  fix regression in 7.4 server-sig-algs, where we were accidentally
  excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves;
  ok dtucker@

* 2017-03-08  djm  (1 file, -2/+2)
  quote [host]:port in generated ProxyJump commandline; the [ / ]
  characters can confuse some shells (e.g. zsh). Reported by Lauri Tirkkonen
  via bugs@

* 2017-02-17  djm  (1 file, -2/+2)
  For ProxyJump/-J, surround host name with brackets to allow
  literal IPv6 addresses. From Dick Visser; ok dtucker@

* 2016-12-06  djm  (1 file, -2/+3)
  make IdentityFile successfully load and use certificates that have no
  corresponding bare public key. E.g. just a private id_rsa and certificate
  id_rsa-cert.pub (and no id_rsa.pub). bz#2617 ok dtucker@

* 2016-09-30  markus  (1 file, -9/+18)
  ssh proxy mux mode (-O proxy; idea from Simon Tatham):
  - mux client speaks the ssh-packet protocol directly over unix-domain socket.
  - mux server acts as a proxy, translates channel IDs and relays to the server.
  - no filedescriptor passing necessary.
  - combined with unix-domain forwarding it's even possible to run mux client
    and server on different machines.
  feedback & ok djm@

* 2016-09-12  djm  (1 file, -4/+4)
  list all supported signature algorithms in the server-sig-algs
  Reported by mb AT smartftp.com in bz#2547 and (independently) Ron Frederick;
  ok markus@

* 2016-07-17  djm  (1 file, -1/+4)
  support UTF-8 characters in ssh(1) banners using schwarze@'s
  safe fmprintf printer; bz#2058 feedback schwarze@ ok dtucker@

* 2016-07-16  jmc  (1 file, -5/+6)
  - add proxyjump to the options list
  - formatting fixes
  - update usage()
  ok djm

* 2016-07-15  djm  (1 file, -14/+63)
  Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1)
  command-line flag to allow simplified indirection through a SSH bastion or
  "jump host". These options construct a proxy command that connects to the
  specified jump host(s) (more than one may be specified) and uses
  port-forwarding to establish a connection to the next destination. This
  codifies the safest way of indirecting connections through SSH servers and
  makes it easy to use. ok markus@

* 2016-06-03  dtucker  (1 file, -3/+1)
  Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when
  using ssh -W (but still default to yes in that case). bz#2577, ok djm@.

* 2016-06-03  dtucker  (1 file, -13/+10)
  Move the host and port used by ssh -W into the Options struct.
  This will make future changes a bit easier. ok djm@

* 2016-05-04  markus  (1 file, -2/+3)
  allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@

* 2016-05-04  markus  (1 file, -1/+17)
  IdentityAgent for specifying specific agent sockets; ok djm@

* 2016-04-29  djm  (1 file, -3/+5)
  close ControlPersist background process stderr when not in
  debug mode or when logging to a file or syslog. bz#1988 ok dtucker

* 2016-03-07  djm  (1 file, -2/+5)
  refactor canohost.c: move functions that cache results closer to the
  places that use them (authn and session code). After this, no state is
  cached in canohost.c. feedback and ok markus@

* 2016-02-15  dtucker  (1 file, -1/+2)
  Add a function to enable security-related malloc_options. With and ok
  deraadt@, something similar has been in the snaps for a while.

* 2016-01-14  markus  (1 file, -2/+1)
  remove roaming support; ok djm@

* 2016-01-14  deraadt  (1 file, -4/+1)
  Disable experimental client-side roaming support. Server side was
  disabled/gutted for years already, but this aspect was surprisingly
  forgotten. Thanks for report from Qualys

* 2016-01-13  djm  (1 file, -14/+9)
  eliminate fallback from untrusted X11 forwarding to trusted
  forwarding when the X server disables the SECURITY extension;
  Reported by Thomas Hoger; ok deraadt@

* 2015-12-11  djm  (1 file, -1/+3)
  don't try to load SSHv1 private key when compiled without SSHv1
  support. From Iain Morgan bz#2505

* 2015-12-10  mmcc  (1 file, -3/+2)
  Remove NULL-checks before free().
  ok dtucker@

* 2015-11-19  djm  (1 file, -1/+4)
  ban ConnectionAttempts=0, it makes no sense and would cause
  ssh_connect_direct() to print an uninitialised stack variable; bz#2500
  reported by dvw AT phas.ubc.ca

* 2015-10-25  dtucker  (1 file, -6/+7)
  Expand tildes in filenames passed to -i before checking whether or not the
  identity file exists. This means that if the shell doesn't do the expansion
  (eg because the option and filename were given as a single argument) then
  we'll still add the key. bz#2481, ok markus@

* 2015-10-16  djm  (1 file, -1/+14)
  better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname
  canonicalisation - treat them as already canonical and remove the trailing
  '.' before matching ssh_config; ok markus@

* 2015-10-15  djm  (1 file, -2/+2)
  fix some signed/unsigned integer type mismatches in format
  strings; reported by Nicholas Lemonias

* 2015-09-24  djm  (1 file, -7/+58)
  add ssh_config CertificateFile option to explicitly list
  a certificate; patch from Meghana Bhat on bz#2436; ok markus@

* 2015-09-11  jmc  (1 file, -6/+4)
  sync -Q in usage() to SYNOPSIS; since it's drastically shorter,
  I've reformatted the block to sync with the man (80 cols) and saved a line;

* 2015-09-11  dtucker  (1 file, -2/+2)
  Update usage to match man page.

* 2015-09-11  djm  (1 file, -3/+4)
  expand %i in ControlPath to UID; bz#2449
  patch from Christian Hesse w/ feedback from dtucker@

* 2015-09-04  dtucker  (1 file, -7/+8)
  Plug minor memory leaks when options are used more than once. bz#2182,
  patch from Tiago Cunha, ok deraadt djm

* 2015-09-04  djm  (1 file, -1/+2)
  add a debug2() right before DNS resolution; it's a place where
  ssh could previously silently hang for a while. bz#2433

* 2015-07-30  djm  (1 file, -17/+18)
  Allow ssh_config and sshd_config kex parameters options to be prefixed
  by a '+' to indicate that the specified items be appended to the default
  rather than replacing it. approach suggested by dtucker@, feedback dlg@,
  ok markus@

* 2015-07-20  millert  (1 file, -3/+3)
  Sync usage with SYNOPSIS

* 2015-05-04  djm  (1 file, -5/+3)
  Remove pattern length argument from match_pattern_list(),
  we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de
  pointing out an out-of-bound read error caused by an incorrect pattern
  length found using AFL and his own tools. ok markus@

* 2015-04-17  djm  (1 file, -1/+5)
  debug log missing DISPLAY environment when X11 forwarding
  requested; bz#1682 ok dtucker@

* 2015-03-03  djm  (1 file, -1/+8)
  Allow "ssh -Q protocol-version" to list supported SSH protocol
  versions. Useful for detecting builds without SSH v.1 support; idea and
  ok markus@

* 2015-02-20  djm  (1 file, -1/+7)
  UpdateHostKeys fixes:

  I accidentally changed the format of the hostkeys@openssh.com messages
  last week without changing the extension name, and this has been causing
  connection failures for people who are running -current. First reported
  by sthen@

  s/hostkeys@openssh.com/hostkeys-00@openssh.com/

  Change the name of the proof message too, and reorder it a little.

  Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
  available to read the response) so disable UpdateHostKeys if it is in
  ask mode and ControlPersist is active (and document this)

* 2015-01-20  deraadt  (1 file, -4/+4)
  Reduce use of <sys/param.h> and transition to <limits.h> throughout.
  ok djm markus

* 2015-01-16  djm  (1 file, -5/+72)
  when hostname canonicalisation is enabled, try to parse hostnames
  as addresses before looking them up for canonicalisation. fixes bz#2074
  and avoids needless DNS lookups in some cases; ok markus

* 2015-01-14  djm  (1 file, -2/+9)
  move authfd.c and its tentacles to the new buffer/key API;
  ok markus@

* 2015-01-08  djm  (1 file, -17/+17)
  reorder hostbased key attempts to better match the default
  hostkey algorithms order in myproposal.h; ok markus@

* 2014-11-18  krw  (1 file, -2/+1)
  Nuke more obvious #include duplications.
  ok deraadt@ millert@ tedu@

* 2014-10-09  jmc  (1 file, -2/+2)
  tweak previous;

* 2014-10-08  djm  (1 file, -19/+61)
  Tweak config reparsing with host canonicalisation

  Make the second pass through the config files always run when hostname
  canonicalisation is enabled.

  Add a "Match canonical" criteria that allows ssh_config Match blocks to
  trigger only in the second config pass.

  Add a -G option to ssh that causes it to parse its configuration and dump
  the result to stdout, similar to "sshd -T"

  Allow ssh_config Port options set in the second config parse phase to be
  applied (they were being ignored).

  bz#2267 bz#2286; ok markus

* 2014-07-17  djm  (1 file, -1/+9)
  reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
  previously we were always returning 0. bz#2255 reported by Brendan Germain;
  ok dtucker

* 2014-07-15  millert  (1 file, -25/+37)
  Add support for Unix domain socket forwarding. A remote TCP port
  may be forwarded to a local Unix domain socket and vice versa or both ends
  may be a Unix domain socket. This is a reimplementation of the streamlocal
  patches by William Ahern from:
  http://www.25thandclement.com/~william/projects/streamlocal.html
  OK djm@ markus@

* 2014-07-03  djm  (1 file, -8/+36)
  Add a %C escape sequence for LocalCommand and ControlPath that expands
  to a unique identifier based on a hash of the tuple of (local host, remote
  user, hostname, port). Helps avoid exceeding sockaddr_un's miserly pathname
  limits for mux control paths. bz#2220, based on patch from mancha1 AT
  zoho.com; ok markus@

* 2014-06-27  markus  (1 file, -2/+4)
  fix remote fwding with same listen port but different listen address
  with gerhard@, ok djm@