Commit Graph

344 Commits

Author SHA1 Message Date
dtucker@openbsd.org
ee9c0da803 upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.  Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading.  The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
2021-01-22 15:03:56 +11:00
rob@openbsd.org
a164862dfa upstream: Minor grammatical correction.
OK jmc@

OpenBSD-Commit-ID: de0fad0581e212b2750751e479b79c18ff8cac02
2021-01-18 18:43:43 +11:00
djm@openbsd.org
6cb52d5bf7 upstream: make CheckHostIP default to 'no'. It doesn't provide any
perceptible value and makes it much harder for hosts to change host keys,
particularly ones that use IP-based load-balancing.

ok dtucker@

OpenBSD-Commit-ID: 0db98413e82074f78c7d46784b1286d08aee78f0
2021-01-08 16:01:30 +11:00
jmc@openbsd.org
09d070ccc3 upstream: tweak the description of KnownHostsCommand in ssh_conf.5,
and add entries for it to the -O list in scp.1 and sftp.1;

ok djm

OpenBSD-Commit-ID: aba31ebea03f38f8d218857f7ce16a500c3e4aff
2020-12-29 12:02:51 +11:00
djm@openbsd.org
da4bf0db94 upstream: add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0
2020-12-22 15:43:59 +11:00
jmc@openbsd.org
616029a85a upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: bb81e2ed5a77832fe62ab30a915ae67cda57633e
2020-10-17 22:45:37 +11:00
djm@openbsd.org
793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org
3205eaa3f8 upstream: clarify conditions for UpdateHostkeys
OpenBSD-Commit-ID: 9cba714cf6aeed769f998ccbe8c483077a618e27
2020-10-08 12:28:06 +11:00
djm@openbsd.org
e79957e877 upstream: disable UpdateHostkeys by default if VerifyHostKeyDNS is
enabled; suggested by Mark D. Baushke

OpenBSD-Commit-ID: 85a1b88592c81bc85df7ee7787dbbe721a0542bf
2020-10-07 13:34:11 +11:00
djm@openbsd.org
1286981d08 upstream: enable UpdateHostkeys by default when the configuration
has not overridden UserKnownHostsFile; ok markus@ "The timing is perfect"
deraadt@

OpenBSD-Commit-ID: 62df71c9c5242da5763cb473c2a2deefbd0cef60
2020-10-03 18:31:49 +10:00
djm@openbsd.org
12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
djm@openbsd.org
d0a195c89e upstream: let ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-limited keys
will automatically be removed from ssh-agent after their expiry time has
passed; ok markus@

OpenBSD-Commit-ID: 792e71cacbbc25faab5424cf80bee4a006119f94
2020-08-27 11:27:01 +10:00
jmc@openbsd.org
69860769fa upstream: fix macro slip in previous;
OpenBSD-Commit-ID: 624e47ab209450ad9ad5c69f54fa69244de5ed9a
2020-07-17 18:03:28 +10:00
dtucker@openbsd.org
8df5774a42 upstream: Add a '%k' TOKEN that expands to the effective HostKey of
the destination.  This allows, eg, keeping host keys in individual files
using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654, ok djm@, jmc@
(man page bits)

OpenBSD-Commit-ID: 7084d723c9cc987a5c47194219efd099af5beadc
2020-07-17 13:52:46 +10:00
dtucker@openbsd.org
c4f239944a upstream: Add %-TOKEN, environment variable and tilde expansion to
UserKnownHostsFile, allowing the file to be automagically split up in the
configuration (eg bz#1654).  ok djm@, man page parts jmc@

OpenBSD-Commit-ID: 7e1b406caf147638bb51558836a72d6cc0bd1b18
2020-07-17 13:52:46 +10:00
jmc@openbsd.org
ec1d50b01c upstream: remove a stray .El;
OpenBSD-Commit-ID: 58ddfe6f8a15fe10209db6664ecbe7896f1d167c
2020-05-29 20:10:21 +10:00
djm@openbsd.org
188e332d1c upstream: mention that wildcards are processed in lexical order;
bz#3165

OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
2020-05-29 15:46:47 +10:00
dtucker@openbsd.org
4a1b46e6d0 upstream: Allow some keywords to expand shell-style ${ENV}
environment variables on the client side.  The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus
LocalForward and RemoteForward when used for Unix domain socket paths.  This
would for example allow forwarding of Unix domain socket paths that change at
runtime.  bz#3140, ok djm@

OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
2020-05-29 15:46:47 +10:00
jmc@openbsd.org
ca5403b085 upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: e579e4d95eef13059c30931ea1f09ed8296b819c
2020-04-17 14:03:16 +10:00
dtucker@openbsd.org
990687a033 upstream: Add TOKEN percent expansion to LocalFoward and RemoteForward
when used for Unix domain socket forwarding.  Factor out the code for the
config keywords that use the most common subset of TOKENS into its own
function. bz#3014, ok jmc@ (man page bits) djm@

OpenBSD-Commit-ID: bffc9f7e7b5cf420309a057408bef55171fd0b97
2020-04-10 11:47:19 +10:00
dtucker@openbsd.org
ed833da176 upstream: Make with config keywords support which
percent_expansions more consistent.  - %C is moved into its own function and
added to Match Exec.  - move the common (global) options into a macro.  This
is ugly but it's    the least-ugly way I could come up with.  - move
IdentityAgent and ForwardAgent percent expansion to before the    config dump
to make it regression-testable.  - document all of the above

ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest.

OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
2020-04-03 13:33:37 +11:00
dtucker@openbsd.org
d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
jmc@openbsd.org
ba261a1dd3 upstream: spelling fix;
OpenBSD-Commit-ID: 3c079523c4b161725a4b15dd06348186da912402
2020-02-01 10:15:27 +11:00
djm@openbsd.org
771891a044 upstream: document changed default for UpdateHostKeys
OpenBSD-Commit-ID: 25c390b21d142f78ac0106241d13441c4265fd2c
2020-01-31 09:27:10 +11:00
djm@openbsd.org
4594c76276 upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,
based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
2020-01-28 12:52:46 +11:00
djm@openbsd.org
469df611f7 upstream: clarify that BatchMode applies to all interactive prompts
(e.g. host key confirmation) and not just password prompts.

OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
2020-01-26 10:34:50 +11:00
tedu@openbsd.org
0b813436bb upstream: group14-sha1 is no longer a default algorithm
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25 18:20:01 +11:00
djm@openbsd.org
3432b6e05d upstream: reword HashKnownHosts description a little more; some
people found the wording confusing (bz#2560)

OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
2020-01-25 18:20:01 +11:00
djm@openbsd.org
f80d7d6aa9 upstream: weaken the language for what HashKnownHosts provides with
regards to known_hosts name privacy, it's not practical for this option to
offer any guarantee that hostnames cannot be recovered from a disclosed
known_hosts file (e.g. by brute force).

OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
2020-01-25 18:20:01 +11:00
naddy@openbsd.org
a78c66d5d2 upstream: document the default value of the ControlPersist option;
ok dtucker@ djm@

OpenBSD-Commit-ID: 0788e7f2b5a9d4e36d3d2ab378f73329320fef66
2020-01-22 09:41:41 +11:00
naddy@openbsd.org
141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
djm@openbsd.org
40be78f503 upstream: Allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in addition
to yes/no.

Patch by Eric Chiang, manpage by me; ok markus@

OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-21 13:22:07 +11:00
naddy@openbsd.org
ae024b22c4 upstream: Document that security key-hosted keys can act as host
keys.

Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5.  Copy the description of the SecurityKeyProvider
option to sshd_config.5.

ok jmc@

OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-20 14:25:08 +11:00
jmc@openbsd.org
483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
naddy@openbsd.org
2cf262c21f upstream: document '$' environment variable expansion for
SecurityKeyProvider; ok djm@

OpenBSD-Commit-ID: 76db507ebd336a573e1cd4146cc40019332c5799
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
f0edda81c5 upstream: more missing mentions of ed25519-sk; ok djm@
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20 09:27:29 +11:00
djm@openbsd.org
e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
djm@openbsd.org
6bff9521ab upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15 09:57:30 +11:00
naddy@openbsd.org
aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
djm@openbsd.org
7047d5afe3 upstream: clarify that IdentitiesOnly also applies to the default
~/.ssh/id_* keys; bz#3062

OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
2019-09-13 14:53:45 +10:00
djm@openbsd.org
fbe24b1429 upstream: allow %n to be expanded in ProxyCommand strings
From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
ok dtucker@

OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
2019-09-13 14:28:44 +10:00
djm@openbsd.org
2ce1d11600 upstream: clarify that ConnectTimeout applies both to the TCP
connection and to the protocol handshake/KEX. From Jean-Charles Longuet via
Github PR140

OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
2019-09-13 14:09:21 +10:00
naddy@openbsd.org
91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00
naddy@openbsd.org
4f9d75fbaf upstream: Call comma-separated lists as such to clarify semantics.
Options such as Ciphers take values that may be a list of ciphers; the
complete list, not indiviual elements, may be prefixed with a dash or plus
character to remove from or append to the default list, respectively.

Users might read the current text as if each elment took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting these semantics.

Fix instances missed in first commit.  ok jmc@ kn@

OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
2019-09-05 14:56:51 +10:00
kn@openbsd.org
dc2ca58814 upstream: Call comma-separated lists as such to clarify semantics
Options such as Ciphers take values that may be a list of ciphers;  the
complete list, not indiviual elements, may be prefixed with a dash or plus
character to remove from or append to the default list respectively.

Users might read the current text as if each elment took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting this semantics (those that provide a list of
available elements via "ssh -Q ...").

Input and OK jmc

OpenBSD-Commit-ID: 4fdd175b0e5f5cb10ab3f26ccc38a93bb6515d57
2019-08-29 19:21:42 +10:00
dtucker@openbsd.org
8fdbc7247f upstream: Change description of TCPKeepAlive from "inactive" to
"unresponsive" to clarify what it checks for.  Patch from jblaine at
kickflop.net via github pr#129, ok djm@.

OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9
2019-08-09 15:11:30 +10:00
djm@openbsd.org
6e76e69dc0 upstream: typo; from Christian Hesse
OpenBSD-Commit-ID: 82f6de7438ea7ee5a14f44fdf5058ed57688fdc3
2019-08-02 11:25:46 +10:00
jmc@openbsd.org
7349149da1 upstream: Hostname->HostName cleanup; from lauri tirkkonen ok
dtucker

OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
76af9c5738 upstream: deraadt noticed some inconsistency in the way we denote
the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent
(effectively reversing my commit of yesterday);

ok deraadt markus djm

OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667
2019-06-14 13:01:28 +10:00
jmc@openbsd.org
d1bbfdd932 upstream: consistent lettering for "HostName" keyword; from lauri
tirkkonen

OpenBSD-Commit-ID: 0c267a1257ed7482b13ef550837b6496e657d563
2019-06-14 13:01:27 +10:00