Commit Graph

315 Commits

Author SHA1 Message Date
djm@openbsd.org
68d2dfc464 upstream commit
Allow "ssh -Q protocol-version" to list supported SSH
 protocol versions. Useful for detecting builds without SSH v.1 support; idea
 and ok markus@
2015-03-04 04:54:11 +11:00
djm@openbsd.org
46347ed596 upstream commit
Add a ssh_config HostbasedKeyType option to control which
 host public key types are tried during hostbased authentication.

This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.

bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-30 22:47:01 +11:00
djm@openbsd.org
1d1092bff8 upstream commit
correct description of UpdateHostKeys in ssh_config.5 and
 add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-27 00:00:58 +11:00
jmc@openbsd.org
8abd80315d upstream commit
add fingerprinthash to the options list;
2015-01-09 00:13:35 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
jmc@openbsd.org
b1ba15f388 upstream commit
tweak previous;
2014-10-20 14:40:05 +11:00
djm@openbsd.org
957fbceb0f upstream commit
Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus
2014-10-13 11:41:48 +11:00
sobrado@openbsd.org
f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller
a8a0f65c57 - OpenBSD CVS Sync
- millert@cvs.openbsd.org 2014/07/24 22:57:10
     [ssh.1]
     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
2014-07-30 12:32:28 +10:00
Damien Miller
6d57656331 - jmc@cvs.openbsd.org 2014/07/16 14:48:57
[ssh.1]
     add the streamlocal* options to ssh's -o list; millert says they're
     irrelevant for scp/sftp;

     ok markus millert
2014-07-18 15:02:06 +10:00
Damien Miller
49d9bfe2b2 - djm@cvs.openbsd.org 2014/07/03 05:38:17
[ssh.1]
     document that -g will only work in the multiplexed case if applied to
     the mux master
2014-07-03 21:26:42 +10:00
Damien Miller
16f85cbc7e - tedu@cvs.openbsd.org 2014/04/19 18:42:19
[ssh.1]
     delete .xr to hosts.equiv. there's still an unfortunate amount of
     documentation referring to rhosts equivalency in here.
2014-04-20 13:29:28 +10:00
Damien Miller
eb1b7c514d - tedu@cvs.openbsd.org 2014/03/17 19:44:10
[ssh.1]
     old descriptions of des and blowfish are old. maybe ok deraadt
2014-04-20 13:02:26 +10:00
Damien Miller
8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller
bdb352a54f - jmc@cvs.openbsd.org 2013/11/26 12:14:54
[ssh.1 ssh.c]
     - put -Q in the right place
     - Ar was a poor choice for the arguments to -Q. i've chosen an
       admittedly equally poor Cm, at least consistent with the rest
       of the docs. also no need for multiple instances
     - zap a now redundant Nm
     - usage() sync
2013-12-05 10:20:52 +11:00
Damien Miller
d937dc084a - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
[ssh.1 ssh.c]
     improve -Q usage and such.  One usage change is that the option is now
     case-sensitive
     ok dtucker markus djm
2013-12-05 10:19:54 +11:00
Damien Miller
0fde8acdad - djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
     cipher "chacha20-poly1305@openssh.com" that combines Daniel
     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
     authenticated encryption mode.

     Inspired by and similar to Adam Langley's proposal for TLS:
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
     but differs in layout used for the MAC calculation and the use of a
     second ChaCha20 instance to separately encrypt packet lengths.
     Details are in the PROTOCOL.chacha20poly1305 file.

     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
     ok markus@ naddy@
2013-11-21 14:12:23 +11:00
Damien Miller
3850559be9 - djm@cvs.openbsd.org 2013/10/16 22:49:39
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
     s/canonicalise/canonicalize/ for consistency with existing spelling,
     e.g. authorized_keys; pointed out by naddy@
2013-10-17 11:48:13 +11:00
Damien Miller
0faf747e2f - djm@cvs.openbsd.org 2013/10/16 02:31:47
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
     [sshconnect.c sshconnect.h]
     Implement client-side hostname canonicalisation to allow an explicit
     search path of domain suffixes to use to convert unqualified host names
     to fully-qualified ones for host key matching.
     This is particularly useful for host certificates, which would otherwise
     need to list unqualified names alongside fully-qualified ones (and this
     causes a number of problems).
     "looks fine" markus@
2013-10-17 11:47:23 +11:00
Damien Miller
d77b81f856 - jmc@cvs.openbsd.org 2013/10/15 14:10:25
[ssh.1 ssh_config.5]
     tweak previous;
2013-10-17 11:39:00 +11:00
Damien Miller
f2f6c315a9 - jmc@cvs.openbsd.org 2013/08/20 06:56:07
[ssh.1 ssh_config.5]
     some proxyusefdpass tweaks;
2013-08-21 02:44:58 +10:00
Damien Miller
b7727df37e - jmc@cvs.openbsd.org 2013/08/14 08:39:27
[scp.1 ssh.1]
     some Bx/Ox conversion;
     From: Jan Stary
2013-08-21 02:43:49 +10:00
Damien Miller
d93340cbb6 - djm@cvs.openbsd.org 2013/07/18 01:12:26
[ssh.1]
     be more exact wrt perms for ~/.ssh/config; bz#2078
2013-07-18 16:14:34 +10:00
Damien Miller
fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller
ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller
03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Darren Tucker
427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Darren Tucker
628a3fdce2 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
[ssh.1]
     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
     references into a STANDARDS section;
2012-10-05 10:50:15 +10:00
Darren Tucker
83d0af6907 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
[ssh.1]
     missing letter in previous;
2012-09-07 11:21:03 +10:00
Darren Tucker
50a48d025f - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
[clientloop.c log.c ssh.1 log.h]
     Add ~v and ~V escape sequences to raise and lower the logging level
     respectively. Man page help from jmc, ok deraadt jmc
2012-09-06 21:25:37 +10:00
Damien Miller
36378c6413 - dtucker@cvs.openbsd.org 2012/06/18 12:17:18
[ssh.1]
     Clarify description of -W.  Noted by Steve.McClellan at radisys com, ok jmc
2012-06-20 21:53:25 +10:00
Damien Miller
b9902cf6f6 - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
     Remove mention of 'three' key files since there are now four.  From
     Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Damien Miller
70b2d5550b - jmc@cvs.openbsd.org 2012/04/20 16:26:22
[ssh.1]
     use "brackets" instead of "braces", for consistency;
2012-04-22 11:26:10 +10:00
Damien Miller
1bcbd0a9de - okan@cvs.openbsd.org 2011/09/11 06:59:05
[ssh.1]
     document new -O cancel command; ok djm@
2011-09-22 21:40:45 +10:00
Damien Miller
ff773644e6 - markus@cvs.openbsd.org 2011/09/10 22:26:34
[channels.c channels.h clientloop.c ssh.1]
     support cancellation of local/dynamic forwardings from ~C commandline;
     ok & feedback djm@
2011-09-22 21:39:48 +10:00
Damien Miller
efad727517 - djm@cvs.openbsd.org 2011/08/26 01:45:15
[ssh.1]
     Add some missing ssh_config(5) options that can be used in ssh(1)'s
     -o argument. Patch from duclare AT guu.fi
2011-09-22 21:33:53 +10:00
Damien Miller
20bd4535c0 - djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     Add new SHA256 and SHA512 based HMAC modes from
     http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
     Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
Damien Miller
f4b32aad05 - jmc@cvs.openbsd.org 2011/05/07 23:20:25
[ssh.1]
     +.It RequestTTY
2011-05-15 08:47:43 +10:00
Damien Miller
8cb1cda1e3 - djm@cvs.openbsd.org 2011/04/18 00:46:05
[ssh-keygen.c]
     certificate options are supposed to be packed in lexical order of
     option name (though we don't actually enforce this at present).
     Move one up that was out of sequence
2011-05-05 14:16:56 +10:00
Damien Miller
6c3eec7ab2 - djm@cvs.openbsd.org 2011/04/17 22:42:42
[PROTOCOL.mux clientloop.c clientloop.h mux.c ssh.1 ssh.c]
     allow graceful shutdown of multiplexing: request that a mux server
     removes its listener socket and refuse future multiplexing requests;
     ok markus@
2011-05-05 14:16:22 +10:00
Damien Miller
0a1847347d - jmc@cvs.openbsd.org 2010/11/18 15:01:00
[scp.1 sftp.1 ssh.1 sshd_config.5]
     add IPQoS to the various -o lists, and zap some trailing whitespace;
2010-11-20 15:21:03 +11:00
Damien Miller
55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller
7fe2b1fec3 - jmc@cvs.openbsd.org 2010/09/22 08:30:08
[ssh.1 ssh_config.5]
     ssh.1: add kexalgorithms to the -o list
     ssh_config.5: format the kexalgorithms in a more consistent
     (prettier!) way
     ok djm
2010-09-24 22:11:53 +10:00
Damien Miller
1ca9469318 - djm@cvs.openbsd.org 2010/09/11 21:44:20
[ssh.1]
     mention RFC 5656 for ECC stuff
2010-09-24 22:01:22 +10:00
Damien Miller
daa7b2254f - jmc@cvs.openbsd.org 2010/09/04 09:38:34
[ssh-add.1 ssh.1]
     two more EXIT STATUS sections;
2010-09-10 11:19:33 +10:00
Damien Miller
d442790292 - jmc@cvs.openbsd.org 2010/08/31 21:14:58
[ssh.1]
     small text tweak to accommodate previous;
2010-09-10 11:15:10 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
afdae61635 - jmc@cvs.openbsd.org 2010/08/08 19:36:30
[ssh-keysign.8 ssh.1 sshd.8]
     use the same template for all FILES sections; i.e. -compact/.Pp where we
     have multiple items, and .Pa for path names;
2010-08-31 22:31:14 +10:00
Damien Miller
7fa96602e5 - djm@cvs.openbsd.org 2010/08/04 05:37:01
[ssh.1 ssh_config.5 sshd.8]
     Remove mentions of weird "addr/port" alternate address format for IPv6
     addresses combinations. It hasn't worked for ages and we have supported
     the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-05 13:03:13 +10:00
Damien Miller
081f3c73d8 - dtucker@cvs.openbsd.org 2010/07/23 08:49:25
[ssh.1]
     Ciphers is documented in ssh_config(5) these days
2010-08-03 16:05:25 +10:00