Vendor import of OpenSSH 8.8p1

Ed Maste 2021-11-04 13:16:52 -04:00
parent 66719ee573
commit 4f19900354
53 changed files with 938 additions and 1054 deletions

.github/setup_ci.sh vendored

@ -11,6 +11,7 @@ TARGETS=$@
PACKAGES=""
INSTALL_FIDO_PPA="no"
export DEBIAN_FRONTEND=noninteractive
#echo "Setting up for '$TARGETS'"
@ -54,6 +55,7 @@ for TARGET in $TARGETS; do
openssl-*)
INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
case ${INSTALL_OPENSSL} in
1.1.1_stable) INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
1.*) INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
3.*) INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
esac
@ -78,8 +80,8 @@ done
if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
sudo apt update -qq
sudo apt install software-properties-common
sudo apt-add-repository ppa:yubico/stable
sudo apt install -qy software-properties-common
sudo apt-add-repository -y ppa:yubico/stable
fi
if [ "x" != "x$PACKAGES" ]; then


@ -31,7 +31,9 @@ jobs:
- { os: ubuntu-latest, configs: libressl-2.2.9 }
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- { os: ubuntu-latest, configs: libressl-3.2.5 }
- { os: ubuntu-latest, configs: libressl-3.2.6 }
- { os: ubuntu-latest, configs: libressl-3.3.4 }
- { os: ubuntu-latest, configs: libressl-3.4.0 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@ -40,6 +42,9 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.0h }
- { os: ubuntu-latest, configs: openssl-1.1.1 }
- { os: ubuntu-latest, configs: openssl-1.1.1k }
- { os: ubuntu-latest, configs: openssl-3.0.0 }
- { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
- { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- { os: ubuntu-18.04, configs: pam }
- { os: ubuntu-18.04, configs: kerberos5 }
- { os: ubuntu-18.04, configs: libedit }

ChangeLog


README

@ -1,4 +1,4 @@
See https://www.openssh.com/releasenotes.html#8.7p1 for the release notes.
See https://www.openssh.com/releasenotes.html#8.8p1 for the release notes.
Please read https://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or


@ -886,6 +886,7 @@ sshpam_query(void *ctx, char **name, char **info,
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
if (**prompts != NULL && strlen(**prompts) != 0) {
free(*info);
*info = **prompts;
**prompts = NULL;
*num = 0;
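Review bot: The new guard on the `if (**prompts != NULL && strlen(**prompts) != 0) {` line carries no comment saying why an empty PAM message is no longer promoted into `*info`, and the length test can be the cheaper first-byte check; `/* only hand a non-empty PAM message back as the info text */` above `if (**prompts != NULL && (**prompts)[0] != '\0') {` would make the intent explicit. What `*info` holds on the empty-message path is decided by code outside this hunk, and sshpam_query() continues past it.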


@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.407 2021/05/19 01:24:05 djm Exp $ */
/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -629,9 +629,11 @@ channel_free(struct ssh *ssh, Channel *c)
debug("channel %d: free: %s, nchannels %u", c->self,
c->remote_name ? c->remote_name : "???", n);
if (c->type == SSH_CHANNEL_MUX_CLIENT)
if (c->type == SSH_CHANNEL_MUX_CLIENT) {
mux_remove_remote_forwardings(ssh, c);
else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
free(c->mux_ctx);
c->mux_ctx = NULL;
} else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
free(c->mux_ctx);
c->mux_ctx = NULL;
}
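Review bot: Both branches of the rewritten `if (c->type == SSH_CHANNEL_MUX_CLIENT) {` / `} else if (c->type == SSH_CHANNEL_MUX_LISTENER) {` now end with the same `free(c->mux_ctx); c->mux_ctx = NULL;` pair, so the only type-specific step left is the `mux_remove_remote_forwardings()` call. Separating that call from the shared release reads more clearly and keeps the two cleanups from drifting apart again, which is how the leak this hunk fixes arose. The rest of channel_free() is outside the hunk.
```c
	if (c->type == SSH_CHANNEL_MUX_CLIENT)
		mux_remove_remote_forwardings(ssh, c);
	/* both mux channel types carry a mux_ctx that is released here */
	if (c->type == SSH_CHANNEL_MUX_CLIENT ||
	    c->type == SSH_CHANNEL_MUX_LISTENER) {
		free(c->mux_ctx);
		c->mux_ctx = NULL;
	}
```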


@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.369 2021/07/23 04:04:52 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1405,7 +1405,8 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* exit status to be returned. In that case, clear error code if the
* connection was deliberately terminated at this end.
*/
if (options.session_type == SESSION_TYPE_NONE && received_signal == SIGTERM) {
if (options.session_type == SESSION_TYPE_NONE &&
received_signal == SIGTERM) {
received_signal = 0;
exit_status = 0;
}


@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@ -69,7 +69,6 @@ compat_banner(struct ssh *ssh, const char *version)
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
"OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
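Review bot: Dropping `"OpenSSH_7.4*,"` from this `SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE` entry leaves no rule for 7.4 peers visible in this hunk. If a dedicated 7.4 entry is added elsewhere in the table (not shown here), a one-line comment on this entry, e.g. `/* OpenSSH_7.4 has its own entry; keep it out of this pattern */`, would stop a later edit from folding it back in; if there is none, 7.4 peers silently lose the sigtype workaround. compat_banner()'s table continues outside the hunk.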


@ -1061,6 +1061,9 @@
/* Define to 1 if you have the <priv.h> header file. */
#undef HAVE_PRIV_H
/* Define to 1 if you have the `procctl' function. */
#undef HAVE_PROCCTL
/* Define if you have /proc/$pid/fd */
#undef HAVE_PROC_PID
@ -1485,6 +1488,9 @@
/* Define to 1 if you have the <sys/prctl.h> header file. */
#undef HAVE_SYS_PRCTL_H
/* Define to 1 if you have the <sys/procctl.h> header file. */
#undef HAVE_SYS_PROCCTL_H
/* Define to 1 if you have the <sys/pstat.h> header file. */
#undef HAVE_SYS_PSTAT_H

configure vendored

@ -645,7 +645,6 @@ SSHDLIBS
SSH_PRIVSEP_USER
LIBFIDO2
SK_DUMMY_LIBRARY
COMMENT_OUT_ECC
TEST_SSH_ECC
PICFLAG
LIBEDIT
@ -7138,6 +7137,7 @@ for ac_header in \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
sys/procctl.h \
sys/pstat.h \
sys/ptrace.h \
sys/random.h \
@ -11515,6 +11515,7 @@ for ac_func in \
pledge \
poll \
prctl \
procctl \
pselect \
pstat \
raise \
@ -13470,7 +13471,8 @@ if ac_fn_c_try_run "$LINENO"; then :
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
300*) ;; # OpenSSL development branch.
300*) ;; # OpenSSL 3
301*) ;; # OpenSSL development branch.
*)
as_fn_error $? "Unknown/unsupported OpenSSL version (\"$ssl_library_ver\")" "$LINENO" 5
;;
@ -14171,7 +14173,6 @@ fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
@ -14199,7 +14200,6 @@ done
$as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp256 \
@ -14211,7 +14211,6 @@ $as_echo "#define OPENSSL_HAS_NISTP256 1" >>confdefs.h
$as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp384 \
@ -14223,7 +14222,6 @@ $as_echo "#define OPENSSL_HAS_NISTP384 1" >>confdefs.h
$as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdh-sha2-nistp521 \
@ -14232,7 +14230,6 @@ $as_echo "#define OPENSSL_HAS_NISTP521 1" >>confdefs.h
fi
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypt in -lcrypt" >&5
$as_echo_n "checking for crypt in -lcrypt... " >&6; }


@ -454,6 +454,7 @@ AC_CHECK_HEADERS([ \
sys/ndir.h \
sys/poll.h \
sys/prctl.h \
sys/procctl.h \
sys/pstat.h \
sys/ptrace.h \
sys/random.h \
@ -1868,6 +1869,7 @@ AC_CHECK_FUNCS([ \
pledge \
poll \
prctl \
procctl \
pselect \
pstat \
raise \
@ -2761,7 +2763,8 @@ if test "x$openssl" = "xyes" ; then
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
300*) ;; # OpenSSL development branch.
300*) ;; # OpenSSL 3
301*) ;; # OpenSSL development branch.
*)
AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
;;
@ -3100,7 +3103,6 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([no])
)
COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
@ -3115,7 +3117,6 @@ if test "x$openssl" = "xyes" ; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
[libcrypto has NID_X9_62_prime256v1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp256 \
@ -3125,7 +3126,6 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp384 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp384 \
@ -3135,7 +3135,6 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp521 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms \
ecdh-sha2-nistp521 \
@ -3144,7 +3143,6 @@ if test "x$openssl" = "xyes" ; then
fi
AC_SUBST([TEST_SSH_ECC])
AC_SUBST([COMMENT_OUT_ECC])
else
AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
AC_CHECK_FUNCS([crypt])
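Review bot: The new `300*) ;; # OpenSSL 3` and `301*) ;; # OpenSSL development branch.` arms only admit 3.0 and 3.1; if `ssl_library_ver` is the hex OPENSSL_VERSION_NUMBER without its 0x prefix, as the `101*` arm for 1.1.x suggests, the first 3.2 release (`302…`) will again land in the `AC_MSG_ERROR([Unknown/unsupported OpenSSL version …])` branch, repeating the breakage this change fixes for 3.0. A single series arm such as `3*) ;; # OpenSSL 3.x` (or `30[0-9]*)` if only early minors are meant) would avoid that. The same two arms appear in the generated `configure` in this commit, which is regenerated from this file.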


@ -1,4 +1,4 @@
%global ver 8.7p1
%global ver 8.8p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID


@ -1,155 +0,0 @@
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
my_success() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="done"
fi
case "`type -type success`" in
function)
success "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
my_failure() {
local msg
if [ $# -gt 1 ]; then
msg="$2"
else
msg="FAILED"
fi
case "`type -type failure`" in
function)
failure "$1"
;;
*)
echo -n "${msg}"
;;
esac
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n "Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
my_success "RSA key generation"
echo
else
my_failure "RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n "Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
my_success "DSA key generation"
echo
else
my_failure "DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check() {
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
my_failure "Configuration file or keys"
echo
fi
}
case "$1" in
start)
# Create keys if necessary
do_rsa_keygen;
do_dsa_keygen;
echo -n "Starting sshd: "
if [ ! -f $PID_FILE ] ; then
sshd $OPTIONS
RETVAL=$?
if [ "$RETVAL" = "0" ] ; then
my_success "sshd startup" "sshd"
touch /var/lock/subsys/sshd
else
my_failure "sshd startup" ""
fi
fi
echo
;;
stop)
echo -n "Shutting down sshd: "
if [ -f $PID_FILE ] ; then
killproc sshd
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
fi
echo
;;
restart)
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
$0 stop
$0 start
RETVAL=$?
fi
;;
status)
status sshd
RETVAL=$?
;;
*)
echo "Usage: sshd {start|stop|restart|status|condrestart}"
exit 1
;;
esac
exit $RETVAL


@ -1,8 +0,0 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so


@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 8.7p1
Version: 8.8p1
URL: https://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz

log.c

@ -1,4 +1,4 @@
/* $OpenBSD: log.c,v 1.59 2021/05/07 04:11:51 djm Exp $ */
/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -346,6 +346,7 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
int pri = LOG_INFO;
int saved_errno = errno;
log_handler_fn *tmp_handler;
const char *progname = argv0 != NULL ? argv0 : __progname;
if (!force && level > log_level)
return;
@ -403,16 +404,18 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
tmp_handler(level, force, fmtbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
(log_on_stderr > 1) ? progname : "",
(log_on_stderr > 1) ? ": " : "",
(int)sizeof msgbuf - 3, fmtbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
openlog_r(progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", fmtbuf);
closelog_r(&sdata);
#else
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
openlog(progname, LOG_PID, log_facility);
syslog(pri, "%.500s", fmtbuf);
closelog();
#endif
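Review bot: The `%.*s` precision on the `snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",` line is still `(int)sizeof msgbuf - 3`, which reserved room only for `\r\n` and the terminator; with the new `%s%s` prefix the output can exceed `sizeof msgbuf` whenever `log_on_stderr > 1`, and snprintf then cuts from the end, dropping the `\r\n` rather than the tail of `fmtbuf`. Subtract the prefix length from the precision, e.g. `(int)(sizeof msgbuf - 3 - (log_on_stderr > 1 ? strlen(progname) + 2 : 0)), fmtbuf);`, guarding against the prefix alone exceeding the buffer. Whether `fmtbuf` can actually be that long depends on its size, which is declared outside this hunk.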

misc.c

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@ -56,6 +56,7 @@
#ifdef HAVE_PATHS_H
# include <paths.h>
#include <pwd.h>
#include <grp.h>
#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
if (geteuid() == 0 &&
initgroups(pw->pw_name, pw->pw_gid) == -1) {
error("%s: initgroups(%s, %u): %s", tag,
pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
_exit(1);
}
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));
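Review bot: The new `#include <grp.h>` sits inside the `#ifdef HAVE_PATHS_H` block together with `<pwd.h>`, so on a platform without `<paths.h>` the `initgroups()` call added to subprocess() has no visible prototype unless another header happens to supply it; put the include after the `#endif` on its own line: `#include <grp.h>`. On the call itself, the `geteuid() == 0 &&` guard means a non-root caller keeps the parent's supplementary groups in the child, which looks intended but is worth a comment such as `/* initgroups(3) needs privilege; unprivileged callers keep their groups */`. subprocess() continues outside the hunk.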


@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -46,7 +46,6 @@
"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
"ssh-ed25519," \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
@ -54,8 +53,7 @@
"sk-ssh-ed25519@openssh.com," \
"sk-ecdsa-sha2-nistp256@openssh.com," \
"rsa-sha2-512," \
"rsa-sha2-256," \
"ssh-rsa"
"rsa-sha2-256"
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \


@ -188,7 +188,7 @@ pselect(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
if (unmasked) {
pselect_notify_setup();
pselect_notify_prepare(readfds);
nfds = MAX(nfds, notify_pipe[0]);
nfds = MAX(nfds, notify_pipe[0] + 1);
}
/* Unmask signals, call select then restore signal mask. */


@ -17,26 +17,6 @@ PIDFILE=$piddir/sshd.pid
PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
[ X$PidFile = X ] || PIDFILE=$PidFile
SSH_KEYGEN=$prefix/bin/ssh-keygen
HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
checkkeys() {
if [ ! -f $HOST_KEY_DSA ]; then
${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
fi
if [ ! -f $HOST_KEY_RSA ]; then
${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
fi
@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
@COMMENT_OUT_ECC@ fi
if [ ! -f $HOST_KEY_ED25519 ]; then
${SSH_KEYGEN} -t ed25519 -f ${HOST_KEY_ED25519} -N ""
fi
}
stop_service() {
if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
@ -54,7 +34,7 @@ start_service() {
# XXX we will opt out at this time. - Bal
# Check to see if we have keys that need to be made
checkkeys
${SSH_KEYGEN} -A
# Start SSHD
echo "starting $SSHD... \c" ; $SSHD


@ -17,6 +17,9 @@
#include "includes.h"
#include <sys/types.h>
#ifdef HAVE_SYS_PROCCTL_H
#include <sys/procctl.h>
#endif
#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif
@ -33,6 +36,13 @@
void
platform_disable_tracing(int strict)
{
#if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
fatal("unable to make the process untraceable");
#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
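Review bot: The new `if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)` relies on the implicit truthiness of the return value while the prctl() test directly below spells out `!= 0`; `if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) != 0 && strict)` keeps the two checks parallel. When `strict` is unset a failure is silent, so the process may stay traceable with nothing in the logs; a `debug("procctl PROC_TRACE_CTL: %s", strerror(errno));` on the non-strict path would make that observable (whether errno.h/strerror are in scope here is not visible in the hunk). The rest of platform_disable_tracing() is outside the hunk.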


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2011,11 +2011,23 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
case oCanonicalizePermittedCNAMEs:
value = options->num_permitted_cnames != 0;
i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
/* Either '*' for everything or 'list:list' */
if (strcmp(arg, "*") == 0)
/*
* Either 'none' (only in first position), '*' for
* everything or 'list:list'
*/
if (strcasecmp(arg, "none") == 0) {
if (i > 0 || ac > 0) {
error("%s line %d: keyword %s \"none\" "
"argument must appear alone.",
filename, linenum, keyword);
goto out;
}
arg2 = "";
} else if (strcmp(arg, "*") == 0) {
arg2 = arg;
else {
} else {
lowercase(arg);
if ((arg2 = strchr(arg, ':')) == NULL ||
arg2[1] == '\0') {
@ -2027,6 +2039,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
*arg2 = '\0';
arg2++;
}
i++;
if (!*activep || value)
continue;
if (options->num_permitted_cnames >=
@ -2280,6 +2293,20 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
/*
* Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
* Allowed to be called on non-final configuration.
*/
int
config_has_permitted_cnames(Options *options)
{
if (options->num_permitted_cnames == 1 &&
strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
strcmp(options->permitted_cnames[0].target_list, "") == 0)
return 0;
return options->num_permitted_cnames > 0;
}
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@ -2648,6 +2675,15 @@ fill_default_options(Options * options)
free(options->jump_host);
options->jump_host = NULL;
}
if (options->num_permitted_cnames == 1 &&
!config_has_permitted_cnames(options)) {
/* clean up CanonicalizePermittedCNAMEs=none */
free(options->permitted_cnames[0].source_list);
free(options->permitted_cnames[0].target_list);
memset(options->permitted_cnames, '\0',
sizeof(*options->permitted_cnames));
options->num_permitted_cnames = 0;
}
/* options->identity_agent distinguishes NULL from 'none' */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
@ -3363,14 +3399,14 @@ dump_client_config(Options *o, const char *host)
printf("\n");
/* oCanonicalizePermittedCNAMEs */
if ( o->num_permitted_cnames > 0) {
printf("canonicalizePermittedcnames");
for (i = 0; i < o->num_permitted_cnames; i++) {
printf(" %s:%s", o->permitted_cnames[i].source_list,
o->permitted_cnames[i].target_list);
}
printf("\n");
printf("canonicalizePermittedcnames");
if (o->num_permitted_cnames == 0)
printf(" none");
for (i = 0; i < o->num_permitted_cnames; i++) {
printf(" %s:%s", o->permitted_cnames[i].source_list,
o->permitted_cnames[i].target_list);
}
printf("\n");
/* oControlPersist */
if (o->control_persist == 0 || o->control_persist_timeout == 0)
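Review bot: The `none` setting is stored as a single permitted_cnames entry with source_list `"none"` and target_list `""`, and that encoding is now relied on in three places — the `arg2 = "";` branch of the parser, `config_has_permitted_cnames()`, and the cleanup block in fill_default_options() — without any of them naming it. A comment at the parser site, e.g. `/* "none" is kept as the sentinel entry {"none", ""} until fill_default_options() drops it; keep config_has_permitted_cnames() in sync */`, would keep the three from diverging. `config_has_permitted_cnames()` also dereferences `permitted_cnames[0]` when `num_permitted_cnames == 1`, which is fine as long as the parser always allocates the entry before incrementing the count; that allocation is outside the hunk.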


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -228,6 +228,7 @@ int parse_jump(const char *, Options *, int);
int parse_ssh_uri(const char *, char **, char **, int *);
int default_ssh_port(void);
int option_clear_or_none(const char *);
int config_has_permitted_cnames(Options *);
void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *);


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.116 2021/08/04 21:28:00 djm Exp $
# $OpenBSD: Makefile,v 1.117 2021/09/03 04:11:13 dtucker Exp $
tests: prep file-tests t-exec unit
@ -27,6 +27,7 @@ LTESTS= connect \
proto-version \
proto-mismatch \
exit-status \
exit-status-signal \
envpass \
transfer \
banner \


@ -1,4 +1,4 @@
# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
# $OpenBSD: agent-getpeereid.sh,v 1.13 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="disallow agent attach from other uid"
@ -10,19 +10,15 @@ SSH_AUTH_SOCK=/nonexistent
if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
:
else
echo "skipped (not supported on this platform)"
exit 0
skip "skipped (not supported on this platform)"
fi
case "x$SUDO" in
xsudo) sudo=1;;
xdoas|xdoas\ *) ;;
x)
echo "need SUDO to switch to uid $UNPRIV"
echo SKIPPED
exit 0 ;;
skip "need SUDO to switch to uid $UNPRIV" ;;
*)
echo "unsupported $SUDO - "doas" and "sudo" are allowed"
exit 0 ;;
skip "unsupported $SUDO - "doas" and "sudo" are allowed" ;;
esac
trace "start agent"
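Review bot: In the new `skip "unsupported $SUDO - "doas" and "sudo" are allowed" ;;` the inner double quotes close and reopen the string, so doas and sudo are passed unquoted and the printed message loses its quote marks; the line should read `skip "unsupported $SUDO - \"doas\" and \"sudo\" are allowed" ;;`. The defect was already in the echo this line replaces, but the rewrite is the natural place to fix it.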


@ -0,0 +1,24 @@
# This test performs validation that ssh client is not successive on being terminated
tid="exit status on signal"
# spawn client in background
rm -f $OBJ/remote_pid
${SSH} -F $OBJ/ssh_proxy somehost 'echo $$ >'$OBJ'/remote_pid; sleep 444' &
ssh_pid=$!
# wait for it to start
n=20
while [ ! -f $OBJ/remote_pid ] && [ $n -gt 0 ]; do
n=$(($n - 1))
sleep 1
done
kill $ssh_pid
wait $ssh_pid
exit_code=$?
if [ $exit_code -eq 0 ]; then
fail "ssh client should fail on signal"
fi
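Review bot: If `$OBJ/remote_pid` never appears, the `while [ ! -f $OBJ/remote_pid ] && [ $n -gt 0 ]` loop simply expires and the script still kills ssh and passes, since a client killed by SIGTERM presumably exits non-zero whether or not its session was ever established; add `[ -f $OBJ/remote_pid ] || fail "remote command did not start"` after the loop so the test exercises the intended path. The `sleep 444` started through the proxy is also never cleaned up although its pid is recorded; `kill $(cat $OBJ/remote_pid) 2>/dev/null` before the final check would avoid leaving it behind. The header comment `is not successive on being terminated` presumably means `does not report success when terminated by a signal`.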


@ -3,6 +3,25 @@
tid="hostkey rotate"
#
# GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will occasionally
# fail to find ssh host keys in the hostkey-rotate test. If we have those
# versions, use awk instead.
# See # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258616
#
case `grep --version 2>&1 | awk '/GNU grep/{print $4}'` in
2.19) fgrep=good ;;
1.*|2.?|2.?.?|2.1?) fgrep=bad ;; # stock GNU grep
2.5.1*) fgrep=bad ;; # FreeBSD and NetBSD
*) fgrep=good ;;
esac
if test "x$fgrep" = "xbad"; then
fgrep()
{
awk 'BEGIN{e=1} {if (index($0,"'$1'")>0){e=0;print}} END{exit e}' $2
}
fi
rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig $OBJ/ssh_proxy.orig
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig


@ -1,4 +1,4 @@
# $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
# $OpenBSD: keys-command.sh,v 1.7 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="authorized keys from command"
@ -77,5 +77,5 @@ if [ -x $KEY_COMMAND ]; then
fail "connect failed"
fi
else
echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
skip "$KEY_COMMAND not executable (/var/run mounted noexec?)"
fi


@ -1,4 +1,4 @@
# $OpenBSD: knownhosts-command.sh,v 1.2 2020/12/22 06:47:24 djm Exp $
# $OpenBSD: knownhosts-command.sh,v 1.3 2021/08/30 01:15:45 djm Exp $
# Placed in the Public Domain.
tid="known hosts command "
@ -39,7 +39,9 @@ chmod a+x $OBJ/knownhosts_command
${SSH} -F $OBJ/ssh_proxy x true && fail "ssh connect succeeded with bad exit"
for keytype in ${SSH_HOSTKEY_TYPES} ; do
algs=$keytype
test "x$keytype" = "xssh-dss" && continue
test "x$keytype" = "xssh-rsa" && algs=ssh-rsa,rsa-sha2-256,rsa-sha2-512
verbose "keytype $keytype"
cat > $OBJ/knownhosts_command << _EOF
#!/bin/sh
@ -48,6 +50,6 @@ test "x\$1" = "x$keytype" || die "wrong keytype \$1 (expected $keytype)"
test "x\$3" = "x$LOGNAME" || die "wrong username \$3 (expected $LOGNAME)"
grep -- "\$1.*\$2" $OBJ/known_hosts
_EOF
${SSH} -F $OBJ/ssh_proxy -oHostKeyAlgorithms=$keytype x true ||
${SSH} -F $OBJ/ssh_proxy -oHostKeyAlgorithms=$algs x true ||
fail "ssh connect failed for keytype $x"
done
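Review bot: The failure message right after the changed invocation, `fail "ssh connect failed for keytype $x"`, interpolates `$x`, which is never set in this loop, so a failure reports an empty keytype; it should be `fail "ssh connect failed for keytype $keytype ($algs)"` now that the algorithm list differs from the keytype for RSA. The line is pre-existing, but the change touches its only caller, so this is the cheap moment to fix it.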


@ -1,11 +1,17 @@
# $OpenBSD: putty-ciphers.sh,v 1.7 2020/01/23 03:35:07 dtucker Exp $
# $OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty ciphers"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions.
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
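Review bot: The PuTTY version probe starting at `oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"` is pasted verbatim into this file, putty-kex.sh and putty-transfer.sh; a helper in test-exec.sh (e.g. `putty_enable_rsa_if_old`) called from each would keep the three in step when the 0.76 threshold or the `HostKeyAlgorithms`/`PubkeyAcceptedKeyTypes` lines change. The awk test `$3<0.76` compares numerically only while the release field looks like a plain number; a suffix on that field turns it into a string comparison, so matching the major/minor digits explicitly would be more robust.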


@ -1,11 +1,17 @@
# $OpenBSD: putty-kex.sh,v 1.5 2020/01/23 03:24:38 dtucker Exp $
# $OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty KEX"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions.
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do


@ -1,11 +1,17 @@
# $OpenBSD: putty-transfer.sh,v 1.7 2020/01/23 11:19:12 dtucker Exp $
# $OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
# Placed in the Public Domain.
tid="putty transfer data"
if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
echo "putty interop tests not enabled"
exit 0
skip "putty interop tests not enabled"
fi
# Re-enable ssh-rsa on older PuTTY versions.
oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
if [ "x$oldver" = "xyes" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
if [ "`${SSH} -Q compression`" = "none" ]; then


@ -1,4 +1,4 @@
# $OpenBSD: sftp-chroot.sh,v 1.7 2018/11/22 08:48:32 dtucker Exp $
# $OpenBSD: sftp-chroot.sh,v 1.8 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
tid="sftp in chroot"
@ -9,14 +9,11 @@ PRIVDATA=${CHROOT}/${FILENAME}
trap "${SUDO} rm -f ${PRIVDATA}" 0
if [ -z "$SUDO" -a ! -w /var/run ]; then
echo "need SUDO to create file in /var/run, test won't work without"
echo SKIPPED
exit 0
skip "need SUDO to create file in /var/run, test won't work without"
fi
if ! $OBJ/check-perm -m chroot "$CHROOT" ; then
echo "skipped: $CHROOT is unsuitable as ChrootDirectory"
exit 0
skip "$CHROOT is unsuitable as ChrootDirectory"
fi
$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \


@ -1,4 +1,4 @@
# $OpenBSD: sshfp-connect.sh,v 1.2 2021/07/19 08:48:33 dtucker Exp $
# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
# This test requires external setup and thus is skipped unless
@ -24,9 +24,11 @@
tid="sshfp connect"
if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
$SSH -Q key-plain | grep ssh-rsa >/dev/null; then
if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
skip "RSA keys not supported."
elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
skip "TEST_SSH_SSHFP_DOMAIN not set."
else
# Set RSA host key to match fingerprints above.
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
@ -45,7 +47,7 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
trace "sshfp connect $n good fingerprint"
host="${n}.dtucker.net"
opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "
opts="$opts -o HostKeyAlgorithms=ssh-rsa"
opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"
host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
@ -61,6 +63,4 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
fail "sshfp-connect succeeded with bad SSHFP record"
fi
done
else
echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set.
fi


@ -1,4 +1,4 @@
# $OpenBSD: test-exec.sh,v 1.86 2021/08/08 08:27:28 dtucker Exp $
# $OpenBSD: test-exec.sh,v 1.87 2021/09/01 00:50:27 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@ -462,6 +462,14 @@ fatal ()
exit $RESULT
}
# Skip remaining tests in script.
skip ()
{
echo "SKIPPED: $@"
cleanup
exit $RESULT
}
RESULT=0
PIDFILE=$OBJ/pidfile
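Review bot: In the new `skip()` function `echo "SKIPPED: $@"` uses `$@` inside a double-quoted string with other text, which splits into several words when skip is given more than one argument; `$*` is the form that joins them into one message: `echo "SKIPPED: $*"`. The function also exits with `$RESULT`, so a skip after an earlier `fail` in the same script still reports failure, which looks intended; a comment such as `# exit status preserves any earlier failure` would say so.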

scp.0

@ -12,8 +12,7 @@ DESCRIPTION
scp copies files between hosts on a network.
It uses ssh(1) for data transfer, and uses the same authentication and
provides the same security as a login session. The scp protocol requires
execution of the remote user's shell to perform glob(3) pattern matching.
provides the same security as a login session.
scp will ask for passwords or passphrases if they are needed for
authentication.
@ -31,7 +30,7 @@ DESCRIPTION
-3 Copies between two remote hosts are transferred through the local
host. Without this option the data is copied directly between
the two remote hosts. Note that, when using the legacy SCP
the two remote hosts. Note that, when using the original SCP
protocol (the default), this option selects batch mode for the
second host as scp cannot ask for passwords or passphrases for
both hosts. This mode is the default.
@ -54,7 +53,7 @@ DESCRIPTION
option is directly passed to ssh(1).
-D sftp_server_path
When using the SFTP protocol support via -M, connect directly to
When using the SFTP protocol support via -s, connect directly to
a local SFTP server program rather than a remote one via ssh(1).
This option may be useful in debugging the client and server.
@ -78,11 +77,12 @@ DESCRIPTION
-l limit
Limits the used bandwidth, specified in Kbit/s.
-O Use the legacy SCP protocol for file transfers instead of the
-O Use the original SCP protocol for file transfers instead of the
SFTP protocol. Forcing the use of the SCP protocol may be
necessary for servers that do not implement SFTP or for
backwards-compatibility for particular filename wildcard
patterns. This mode is the default.
necessary for servers that do not implement SFTP, for backwards-
compatibility for particular filename wildcard patterns and for
expanding paths with a M-bM-^@M-^X~M-bM-^@M-^Y prefix for older SFTP servers. This
mode is the default.
-o ssh_option
Can be used to pass options to ssh in the format used in
@ -155,10 +155,10 @@ DESCRIPTION
-P port
Specifies the port to connect to on the remote host. Note that
this option is written with a capital M-bM-^@M-^XPM-bM-^@M-^Y, because -p is already
reserved for preserving the times and modes of the file.
reserved for preserving the times and mode bits of the file.
-p Preserves modification times, access times, and modes from the
original file.
-p Preserves modification times, access times, and file mode bits
from the source file.
-q Quiet mode: disables the progress meter as well as warning and
diagnostic messages from ssh(1).
@ -175,14 +175,8 @@ DESCRIPTION
Name of program to use for the encrypted connection. The program
must understand ssh(1) options.
-s Use the SFTP protocol for file transfers instead of the legacy
SCP protocol. Using SFTP avoids invoking a shell on the remote
side and provides more predictable filename handling, as the SCP
protocol relied on the remote shell for expanding glob(3)
wildcards.
A near-future release of OpenSSH will make the SFTP protocol the
default. This option will be deleted before the end of 2022.
-s Use the SFTP protocol for transfers rather than the original scp
protocol.
-T Disable strict filename checking. By default when copying files
from a remote host to a local directory scp checks that the
@ -213,4 +207,10 @@ AUTHORS
Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>
OpenBSD 6.9 August 11, 2021 OpenBSD 6.9
CAVEATS
The original SCP protocol (used by default) requires execution of the
remote user's shell to perform glob(3) pattern matching. This requires
careful quoting of any characters that have special meaning to the remote
shell, such as quote characters.
OpenBSD 6.9 September 20, 2021 OpenBSD 6.9

42
scp.1

@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
.\" $OpenBSD: scp.1,v 1.105 2021/09/20 06:53:56 djm Exp $
.\"
.Dd $Mdocdate: August 11 2021 $
.Dd $Mdocdate: September 20 2021 $
.Dt SCP 1
.Os
.Sh NAME
@ -37,9 +37,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
The scp protocol requires execution of the remote user's shell to perform
.Xr glob 3
pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@ -79,7 +76,7 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
Note that, when using the legacy SCP protocol (the default), this option
Note that, when using the original SCP protocol (the default), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@ -112,7 +109,7 @@ This option is directly passed to
.Xr ssh 1 .
.It Fl D Ar sftp_server_path
When using the SFTP protocol support via
.Fl M ,
.Fl s ,
connect directly to a local SFTP server program rather than a
remote one via
.Xr ssh 1 .
@ -144,10 +141,12 @@ This option is directly passed to
.It Fl l Ar limit
Limits the used bandwidth, specified in Kbit/s.
.It Fl O
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
Use the original SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
not implement SFTP or for backwards-compatibility for particular filename
wildcard patterns.
not implement SFTP, for backwards-compatibility for particular filename
wildcard patterns and for expanding paths with a
.Sq ~
prefix for older SFTP servers.
This mode is the default.
.It Fl o Ar ssh_option
Can be used to pass options to
@ -229,10 +228,10 @@ Note that this option is written with a capital
.Sq P ,
because
.Fl p
is already reserved for preserving the times and modes of the file.
is already reserved for preserving the times and mode bits of the file.
.It Fl p
Preserves modification times, access times, and modes from the
original file.
Preserves modification times, access times, and file mode bits from the
source file.
.It Fl q
Quiet mode: disables the progress meter as well as warning and diagnostic
messages from
@ -259,15 +258,7 @@ The program must understand
.Xr ssh 1
options.
.It Fl s
Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
Using SFTP avoids invoking a shell on the remote side and provides
more predictable filename handling, as the SCP protocol
relied on the remote shell for expanding
.Xr glob 3
wildcards.
.Pp
A near-future release of OpenSSH will make the SFTP protocol the default.
This option will be deleted before the end of 2022.
Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@ -307,3 +298,10 @@ source code from the Regents of the University of California.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
.Sh CAVEATS
The original SCP protocol (used by default) requires execution of the
remote user's shell to perform
.Xr glob 3
pattern matching.
This requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.

40
scp.c

@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -467,7 +467,7 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
memset(&args, '\0', sizeof(args));
memset(&remote_remote_args, '\0', sizeof(remote_remote_args));
@ -588,7 +588,7 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
/* Do this last because we want the user to be able to override it */
addargs(&args, "-oForwardAgent=no");
@ -652,7 +652,7 @@ main(int argc, char **argv)
* Finally check the exit status of the ssh process, if one was forked
* and no error has occurred yet
*/
if (do_cmd_pid != -1 && errs == 0) {
if (do_cmd_pid != -1 && (mode == MODE_SFTP || errs == 0)) {
if (remin != -1)
(void) close(remin);
if (remout != -1)
@ -1213,8 +1213,7 @@ tolocal(int argc, char **argv, enum scp_mode_e mode, char *sftp_direct)
conn = do_sftp_connect(host, suser, sport,
sftp_direct, &remin, &remout, &do_cmd_pid);
if (conn == NULL) {
error("Couldn't make sftp connection "
"to server");
error("sftp connection failed");
++errs;
continue;
}
@ -1261,7 +1260,8 @@ prepare_remote_path(struct sftp_conn *conn, const char *path)
if (can_expand_path(conn))
return do_expand_path(conn, path);
/* No protocol extension */
error("~user paths are not currently supported");
error("server expand-path extension is required "
"for ~user paths in SFTP mode");
return NULL;
}
@ -1296,11 +1296,14 @@ source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn)
if (local_is_dir(src) && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
fatal("failed to upload directory %s to %s",
error("failed to upload directory %s to %s",
src, abs_dst);
errs = 1;
}
} else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0)
fatal("failed to upload file %s to %s", src, abs_dst);
} else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
error("failed to upload file %s to %s", src, abs_dst);
errs = 1;
}
free(abs_dst);
free(target);
@ -1490,9 +1493,9 @@ sink_sftp(int argc, char *dst, const char *src, struct sftp_conn *conn)
debug3_f("copying remote %s to local %s", abs_src, dst);
if ((r = remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
error("Too many glob matches for \"%s\".", abs_src);
error("%s: too many glob matches", abs_src);
else
error("File \"%s\" not found.", abs_src);
error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
@ -1537,9 +1540,8 @@ sink_sftp(int argc, char *dst, const char *src, struct sftp_conn *conn)
free(abs_src);
free(tmp);
globfree(&g);
if (err == -1) {
fatal("Failed to download file '%s'", src);
}
if (err == -1)
errs = 1;
}
@ -1887,7 +1889,7 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
targetisdir = remote_is_dir(to, target);
if (!targetisdir && targetshouldbedirectory) {
error("Destination path \"%s\" is not a directory", target);
error("%s: destination is not a directory", target);
err = -1;
goto out;
}
@ -1895,9 +1897,9 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
debug3_f("copying remote %s to remote %s", abs_src, target);
if ((r = remote_glob(from, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
error("Too many glob matches for \"%s\".", abs_src);
error("%s: too many glob matches", abs_src);
else
error("File \"%s\" not found.", abs_src);
error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
@ -1938,7 +1940,7 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
free(tmp);
globfree(&g);
if (err == -1)
fatal("Failed to download file '%s'", src);
errs = 1;
}
int
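Review bot: In sink_sftp the new else branch `error("%s: %s", abs_src, strerror(ENOENT));` reports "No such file or directory" for every remote_glob() failure other than GLOB_NOSPACE; if remote_glob() can also return GLOB_ABORTED (as glob(3) does when a directory read fails), a permission or transport problem on the server would be misreported to the user as a missing file. The same mapping appears in the throughlocal_sftp hunk. Distinguishing the return code, or at least a comment next to the else such as `/* any other glob failure is reported as a missing path */`, would make the intent explicit. Separately, the new failure paths in source_sftp and sink_sftp set `errs = 1` while tolocal uses `++errs`; one convention for the counter would be tidier. sink_sftp and throughlocal_sftp both begin and end outside their hunks.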


@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
/* $OpenBSD: servconf.c,v 1.382 2021/09/06 00:36:01 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -490,9 +490,8 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosGetAFSToken, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sKerberosGetAFSToken, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.154 2021/08/09 23:47:44 djm Exp $ */
/* $OpenBSD: sftp-client.c,v 1.155 2021/09/03 05:12:25 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -2039,7 +2039,6 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
if (print_flag && print_flag != SFTP_PROGRESS_ONLY)
mprintf("Entering %s\n", src);
attrib_clear(&a);
stat_to_attrib(&sb, &a);
a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;
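Review bot: Dropping `attrib_clear(&a);` ahead of `stat_to_attrib(&sb, &a);` is only safe if stat_to_attrib() resets every field of a itself before populating it, which it appears to do in sftp-common.c, but nothing in the hunk records that dependency and a reader may assume the flags masked on the following lines start from an uninitialised value. A one-line comment, `/* stat_to_attrib() clears a before populating it */`, would make the contract explicit. upload_dir_internal begins and ends outside the hunk.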


@ -1,4 +1,4 @@
/* $OpenBSD: sftp-realpath.c,v 1.1 2019/07/05 04:55:40 djm Exp $ */
/* $OpenBSD: sftp-realpath.c,v 1.2 2021/09/02 21:03:54 deraadt Exp $ */
/*
* Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
*
@ -30,7 +30,6 @@
#include "includes.h"
#include <sys/types.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>

23
sftp.c

@ -1,4 +1,4 @@
/* $OpenBSD: sftp.c,v 1.211 2021/08/12 09:59:00 schwarze Exp $ */
/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -2204,28 +2204,31 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
interactive = !batchmode && isatty(STDIN_FILENO);
err = 0;
for (;;) {
struct sigaction sa;
interrupted = 0;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = interactive ? read_interrupt : killchild;
if (sigaction(SIGINT, &sa, NULL) == -1) {
debug3("sigaction(%s): %s", strsignal(SIGINT),
strerror(errno));
break;
}
if (el == NULL) {
if (interactive)
printf("sftp> ");
if (fgets(cmd, sizeof(cmd), infile) == NULL) {
if (interactive)
printf("\n");
if (interrupted)
continue;
break;
}
} else {
#ifdef USE_LIBEDIT
const char *line;
int count = 0;
struct sigaction sa;
interrupted = 0;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = read_interrupt;
if (sigaction(SIGINT, &sa, NULL) == -1) {
debug3("sigaction(%s): %s",
strsignal(SIGINT), strerror(errno));
break;
}
if ((line = el_gets(el, &count)) == NULL ||
count <= 0) {
printf("\n");
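Review bot: The SIGINT setup hoisted to the top of the loop relies on two things the hunk leaves undocumented: sa.sa_flags stays 0 after the memset(), so SA_RESTART is not set and the fgets() below returns NULL on SIGINT instead of being restarted, which is what makes the `if (interrupted) continue;` path reachable; and sigaction() is re-armed on every iteration, presumably because command dispatch later in the loop installs its own SIGINT handler. A comment above the memset, e.g. `/* re-arm each pass (commands install their own handler); no SA_RESTART so fgets() returns on SIGINT */`, would capture both. interactive_loop begins and ends outside the hunk.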


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2680,7 +2680,8 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,
time_t now;
*verify_timep = 0;
*print_pubkey = 0;
if (print_pubkey != NULL)
*print_pubkey = 0;
for (i = 0; i < nopts; i++) {
if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
if (parse_absolute_time(opts[i] + 12,
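Review bot: Guarding only the reset with `if (print_pubkey != NULL)` makes NULL a valid argument for print_pubkey, but `*verify_timep = 0;` just above stays unconditional and the option loop that follows (largely outside the hunk) presumably writes `*print_pubkey` when it sees the print-pubkey option; every such write needs the same guard, otherwise a caller passing NULL together with that option dereferences NULL. The new contract should be stated on the function, e.g. a comment above sig_process_opts: `/* print_pubkey may be NULL when the caller does not support print-pubkey */`. sig_process_opts begins and ends outside the hunk.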

32
ssh.0

@ -10,7 +10,7 @@ SYNOPSIS
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
[command]
[command [argument ...]]
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for
@ -24,8 +24,11 @@ DESCRIPTION
ssh://[user@]hostname[:port]. The user must prove their identity to the
remote machine using one of several methods (see below).
If a command is specified, it is executed on the remote host instead of a
login shell.
If a command is specified, it will be executed on the remote host instead
of a login shell. A complete command line may be specified as command,
or it may have additional arguments. If supplied, the arguments will be
appended to the command, separated by spaces, before it is sent to the
server to be executed.
The options are as follows:
@ -137,15 +140,18 @@ DESCRIPTION
-i identity_file
Selects a file from which the identity (private key) for public
key authentication is read. The default is ~/.ssh/id_dsa,
~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa. Identity files may also
be specified on a per-host basis in the configuration file. It
is possible to have multiple -i options (and multiple identities
specified in configuration files). If no certificates have been
explicitly specified by the CertificateFile directive, ssh will
also try to load certificate information from the filename
obtained by appending -cert.pub to identity filenames.
key authentication is read. You can also specify a public key
file to use the corresponding private key that is loaded in
ssh-agent(1) when the private key file is not present locally.
The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and
~/.ssh/id_rsa. Identity files may also be specified on a per-
host basis in the configuration file. It is possible to have
multiple -i options (and multiple identities specified in
configuration files). If no certificates have been explicitly
specified by the CertificateFile directive, ssh will also try to
load certificate information from the filename obtained by
appending -cert.pub to identity filenames.
-J destination
Connect to the target host by first making a ssh connection to
@ -1007,4 +1013,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 6.9 July 28, 2021 OpenBSD 6.9
OpenBSD 6.9 September 10, 2021 OpenBSD 6.9

17
ssh.1

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.425 2021/07/28 05:57:42 jmc Exp $
.Dd $Mdocdate: July 28 2021 $
.\" $OpenBSD: ssh.1,v 1.427 2021/09/10 10:26:02 dtucker Exp $
.Dd $Mdocdate: September 10 2021 $
.Dt SSH 1
.Os
.Sh NAME
@ -65,7 +65,7 @@
.Op Fl W Ar host : Ns Ar port
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
.Ar destination
.Op Ar command
.Op Ar command Op Ar argument ...
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
@ -94,7 +94,12 @@ their identity to the remote machine using one of several methods
If a
.Ar command
is specified,
it is executed on the remote host instead of a login shell.
it will be executed on the remote host instead of a login shell.
A complete command line may be specified as
.Ar command ,
or it may have additional arguments.
If supplied, the arguments will be appended to the command, separated by
spaces, before it is sent to the server to be executed.
.Pp
The options are as follows:
.Pp
@ -288,6 +293,10 @@ authentication.
.It Fl i Ar identity_file
Selects a file from which the identity (private key) for
public key authentication is read.
You can also specify a public key file to use the corresponding
private key that is loaded in
.Xr ssh-agent 1
when the private key file is not present locally.
The default is
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,

12
ssh.c

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.566 2021/08/08 08:49:09 dtucker Exp $ */
/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -185,7 +185,7 @@ usage(void)
" [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
" [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
" [-w local_tun[:remote_tun]] destination [command]\n"
" [-w local_tun[:remote_tun]] destination [command [argument ...]]\n"
);
exit(255);
}
@ -259,6 +259,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
port = default_ssh_port();
if (cname != NULL)
*cname = '\0';
debug3_f("lookup %s:%d", name, port);
snprintf(strport, sizeof strport, "%d", port);
memset(&hints, 0, sizeof(hints));
@ -382,7 +383,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
int i;
struct allowed_cname *rule;
if (*cname == '\0' || options.num_permitted_cnames == 0 ||
if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
strcmp(*namep, cname) == 0)
return 0;
if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
@ -1186,7 +1187,7 @@ main(int ac, char **av)
*/
direct = option_clear_or_none(options.proxy_command) &&
options.jump_host == NULL;
if (addrs == NULL && options.num_permitted_cnames != 0 && (direct ||
if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
if ((addrs = resolve_host(host, options.port,
direct, cname, sizeof(cname))) == NULL) {
@ -1792,7 +1793,8 @@ ssh_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
rfwd->allocated_port = (int)port;
logit("Allocated port %u for remote "
"forward to %s:%d",
rfwd->allocated_port, rfwd->connect_host,
rfwd->allocated_port, rfwd->connect_path ?
rfwd->connect_path : rfwd->connect_host,
rfwd->connect_port);
channel_update_permission(ssh,
rfwd->handle, rfwd->allocated_port);
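Review bot: The logit() in ssh_confirm_remote_forward now prints connect_path when it is set but keeps the `%s:%d` format and still passes connect_port, so a Unix-domain forward will be logged as the socket path followed by a colon and whatever sentinel connect_port carries for stream-local forwards (PORT_STREAMLOCAL is a negative value in channels.h, if I read it right). Selecting the format by connect_path keeps the message meaningful in both cases. ssh_confirm_remote_forward begins and ends outside the hunk.
```c
rfwd->allocated_port = (int)port;
if (rfwd->connect_path != NULL) {
	logit("Allocated port %u for remote forward to %s",
	    rfwd->allocated_port, rfwd->connect_path);
} else {
	logit("Allocated port %u for remote forward to %s:%d",
	    rfwd->allocated_port, rfwd->connect_host,
	    rfwd->connect_port);
}
/* … unchanged: channel_update_permission() call … */
```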


@ -173,6 +173,9 @@ DESCRIPTION
canonicalized to names in the "*.b.example.com" or
"*.c.example.com" domains.
A single argument of "none" causes no CNAMEs to be considered for
canonicalization. This is the default behaviour.
CASignatureAlgorithms
Specifies which algorithms are allowed for signing of
certificates by certificate authorities (CAs). The default is:
@ -494,12 +497,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
The -Q option of ssh(1) may be used to list supported signature
algorithms. This was formerly named HostbasedKeyTypes.
@ -529,12 +531,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
sk-ssh-ed25519@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
If hostkeys are known for the destination host then this default
is modified to prefer their algorithms.
@ -661,13 +662,13 @@ DESCRIPTION
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. If the specified list begins
with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will be appended
to the default set instead of replacing them. If the specified
list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified methods
(including wildcards) will be removed from the default set
instead of replacing them. If the specified list begins with a
M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the
head of the default set. The default is:
with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms will be
appended to the default set instead of replacing them. If the
specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
algorithms (including wildcards) will be removed from the default
set instead of replacing them. If the specified list begins with
a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will be placed at
the head of the default set. The default is:
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
@ -895,12 +896,11 @@ DESCRIPTION
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
The list of available signature algorithms may also be obtained
using "ssh -Q PubkeyAcceptedAlgorithms".
@ -1080,11 +1080,11 @@ DESCRIPTION
maintained or when connections to new hosts are frequently made.
This option forces the user to manually add all new hosts.
If this flag is set to M-bM-^@M-^\accept-newM-bM-^@M-^] then ssh will automatically
add new host keys to the user's known_hosts file, but will not
permit connections to hosts with changed host keys. If this flag
is set to M-bM-^@M-^\noM-bM-^@M-^] or M-bM-^@M-^\offM-bM-^@M-^], ssh will automatically add new host keys
to the user known hosts files and allow connections to hosts with
If this flag is set to accept-new then ssh will automatically add
new host keys to the user's known_hosts file, but will not permit
connections to hosts with changed host keys. If this flag is set
to no or off, ssh will automatically add new host keys to the
user known hosts files and allow connections to hosts with
changed hostkeys to proceed, subject to some restrictions. If
this flag is set to ask (the default), new host keys will be
added to the user known host files only after the user has
@ -1303,4 +1303,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
OpenBSD 6.9 August 12, 2021 OpenBSD 6.9
OpenBSD 6.9 September 25, 2021 OpenBSD 6.9


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
.Dd $Mdocdate: August 12 2021 $
.\" $OpenBSD: ssh_config.5,v 1.366 2021/09/25 09:40:33 kn Exp $
.Dd $Mdocdate: September 25 2021 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -372,6 +372,11 @@ to be canonicalized to names in the
or
.Qq *.c.example.com
domains.
.Pp
A single argument of
.Qq none
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
@ -874,12 +879,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The
@ -921,12 +925,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ecdsa-sha2-nistp256@openssh.com,
sk-ssh-ed25519@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@ -1150,15 +1153,15 @@ Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
character, then the specified methods will be appended to the default set
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
character, then the specified algorithms will be placed at the head of the
default set.
The default is:
.Bd -literal -offset indent
@ -1504,12 +1507,11 @@ sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256,ssh-rsa
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The list of available signature algorithms may also be obtained using
@ -1788,15 +1790,15 @@ This option forces the user to manually
add all new hosts.
.Pp
If this flag is set to
.Dq accept-new
.Cm accept-new
then ssh will automatically add new host keys to the user's
.Pa known_hosts
file, but will not permit connections to hosts with
changed host keys.
If this flag is set to
.Dq no
.Cm no
or
.Dq off ,
.Cm off ,
ssh will automatically add new host keys to the user known hosts files
and allow connections to hosts with changed hostkeys to proceed,
subject to some restrictions.

12
sshd.0

@ -157,10 +157,12 @@ AUTHENTICATION
connections, or forwarding the authentication agent connection over the
secure channel.
After this, the client either requests a shell or execution of a command.
The sides then enter session mode. In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or command
on the server side, and the user terminal in the client side.
After this, the client either requests an interactive shell or execution
or a non-interactive command, which sshd will execute via the user's
shell using its -c option. The sides then enter session mode. In this
mode, either side may send data at any time, and such data is forwarded
to/from the shell or command on the server side, and the user terminal in
the client side.
When the user program terminates and all forwarded X11 and other
connections have been closed, the server sends command exit status to the
@ -670,4 +672,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
OpenBSD 6.9 July 30, 2021 OpenBSD 6.9
OpenBSD 6.9 September 10, 2021 OpenBSD 6.9

11
sshd.8

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
.Dd $Mdocdate: July 30 2021 $
.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
.Dd $Mdocdate: September 10 2021 $
.Dt SSHD 8
.Os
.Sh NAME
@ -303,7 +303,12 @@ things like allocating a pseudo-tty, forwarding X11 connections,
forwarding TCP connections, or forwarding the authentication agent
connection over the secure channel.
.Pp
After this, the client either requests a shell or execution of a command.
After this, the client either requests an interactive shell or execution
or a non-interactive command, which
.Nm
will execute via the user's shell using its
.Fl c
option.
The sides then enter session mode.
In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or


@ -554,13 +554,14 @@ DESCRIPTION
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. Alternately if the specified
list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified methods will
be appended to the default set instead of replacing them. If the
specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the specified
methods (including wildcards) will be removed from the default
set instead of replacing them. If the specified list begins with
a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified methods will be placed at the
head of the default set. The supported algorithms are:
list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms
will be appended to the default set instead of replacing them.
If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
specified algorithms (including wildcards) will be removed from
the default set instead of replacing them. If the specified list
begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will
be placed at the head of the default set. The supported
algorithms are:
curve25519-sha256
curve25519-sha256@libssh.org
@ -1191,4 +1192,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
OpenBSD 6.9 August 12, 2021 OpenBSD 6.9
OpenBSD 6.9 September 3, 2021 OpenBSD 6.9


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
.Dd $Mdocdate: August 12 2021 $
.\" $OpenBSD: sshd_config.5,v 1.335 2021/09/03 05:25:50 dtucker Exp $
.Dd $Mdocdate: September 3 2021 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -920,15 +920,15 @@ Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
character, then the specified methods will be appended to the default set
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
character, then the specified algorithms will be placed at the head of the
default set.
The supported algorithms are:
.Pp


@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.91 2021/08/20 03:22:55 djm Exp $ */
/* $OpenBSD: version.h,v 1.92 2021/09/26 14:01:11 djm Exp $ */
#define SSH_VERSION "OpenSSH_8.7"
#define SSH_VERSION "OpenSSH_8.8"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE