Age | Commit message (Collapse) | Author |
|
the same name in the server; bz2745 ok dtucker@
|
|
commandline to be exactly two characters long. Avoids one byte OOB
read if ssh is invoked as "ssh -e^ ..."
Spotted by Maciej Domanski in GHPR368
|
|
ok markus@
|
|
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
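
An added example, not part of the commit or of OpenSSH's source: a sketch of the kind of check the message above describes, applied only to names that arrive on the commandline. The function names, the `name_source` enum and the exact metacharacter set are assumptions made for illustration; the commit message says only "most shell metacharacters".

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Where a user or host name came from (hypothetical enum). */
enum name_source { FROM_COMMANDLINE, FROM_CONFIG };

/* Assumed metacharacter set; the commit message does not list one. */
static const char SHELL_META[] = "'`\"$\\;&<>|(){}";

/* Return 1 if s is non-empty and free of shell metacharacters,
 * whitespace and control bytes; 0 otherwise. */
int
name_is_clean(const char *s)
{
	size_t i;

	if (s == NULL || *s == '\0')
		return 0;
	for (i = 0; s[i] != '\0'; i++) {
		unsigned char c = (unsigned char)s[i];

		if (strchr(SHELL_META, c) != NULL || isspace(c) || iscntrl(c))
			return 0;
	}
	return 1;
}

/* Strictness applies only to commandline names. Names set through
 * configuration directives are accepted as before, so unusual but
 * deliberate names keep working. */
int
accept_name(const char *s, enum name_source src)
{
	if (src == FROM_CONFIG)
		return s != NULL && *s != '\0';
	return name_is_clean(s);
}
```

A program that builds an ssh(1) command line from untrusted data can run the same kind of check itself before invoking ssh, rather than relying on the client to refuse the name.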
|
|
|
|
the empty string if this option is not being used).
bz3610, ok dtucker
|
|
|
|
in the server. ok markus@
|
|
requested a tty; enables keystroke timing obfuscation for most
ControlPersist sessions. Spotted by naddy@
|
|
cases (inc. ControlPersist). bz3589 bz3589
Based on patches by Peter Chubb; ok dtucker@
|
|
- sync the arg name to -J in usage() with that in ssh.1
- reformat usage() to match what "man ssh" does on 80width
|
|
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
ok markus
|
|
ok djm@ dtucker@
|
|
are valid for CA signing. Previous behaviour was to list all signing
algorithms, including certificate algorithms (OpenSSH certificates do
not support CA chains). part of bz3577; ok dtucker@
|
|
Previously ssh would incorrectly refuse to canonicalise the hostname
if ProxyJump was explicitly set to "none" when CanonicalizeHostname=yes
bz3567; ok dtucker
|
|
but if it returns on failure we immediately exit. Coverity CID 405050.
|
|
bz#3552, ok djm@
|
|
bz3532
|
|
This was missed when the fallthrough in the switch case above it
was removed. OK deraadt@
|
|
Inspired by patch from vincent at bernat.ch via bz#3343, ok djm@
|
|
This will forcibly close an open channel by simulating read/write errors,
draining the IO buffers and calling the detach function.
Previously the detach function was only ever called during channel garbage
collection, but there was no way to signal the user of a channel (e.g.
session.c) that its channel was being closed deliberately (vs. by the
usual state-machine logic). So this adds an extra "force" argument to the
channel cleanup callback to indicate this condition.
ok markus dtucker
|
|
|
|
|
|
don't follow CNAMEs with invalid characters when canonicalising
and never write a name with bad characters to a known_hosts file.
reported by David Leadbeater, ok deraadt@
|
|
ok djm@
|
|
(022); based on patch from Alex Henrie, ok dtucker@ deraadt@
|
|
User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then
the connection will be terminated (unfortunately there are no
fallbacks in the protocol for host authentication).
feedback deraadt, Dmitry Belyavskiy; ok markus@
|
|
which performs operations that could cause one; Reported by
Noam Lewis via bz3454, ok dtucker@
|
|
remaining available ones in a comment
|
|
Historically, hpdelim accepted ":" or "/" as a port delimiter between
hosts (or addresses) and ports. These days most of the uses for "/"
are no longer accepted, so there are several places where it checks the
delimiter to disallow it. Make hpdelim accept only ":" and use hpdelim2
in the other cases. ok djm@
|
|
ok markus@
|
|
|
|
unable to kill such a session. bz3360; ok dtucker@
|
|
gmail.com via github PR#272, ok deraadt@
|
|
|
|
Prompted by github PR#139 from EvanTheB, feedback & ok djm@ jmc@
|
|
goetze at dovetail.com, ok djm@ deraadt@
|
|
message and partial auth success messages (all at LogLevel=verbose)
ok dtucker@
|
|
ssh(1) -f flag. Last part of GHPR231 from Volker Diels-Grabsch.
ok dtucker
|
|
file to do the same thing as -n does on the ssh(1) commandline.
Patch from Volker Diels-Grabsch via GHPR231; ok dtucker
|
|
|
|
change; spotted by sthen@
|
|
file to offer equivalent control to the -N (no session) and -s
(subsystem) command-line flags.
Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
feedback and ok dtucker@
|
|
This fixes a couple of problems with the previous tokeniser,
strdelim()
1. strdelim() is permissive wrt accepting '=' characters. This is
intended to allow it to tokenise "Option=value" but because it
cannot keep state, it will incorrectly split "Opt=val=val2".
2. strdelim() has rudimentary handling of quoted strings, but it
is incomplete and inconsistent. E.g. it doesn't handle escaped
quotes inside a quoted string.
3. It has no support for stopping on a (unquoted) comment. Because
of this readconf.c r1.343 added chopping of lines at '#', but
this caused a regression because these characters may legitimately
appear inside quoted strings.
The new tokeniser is stricter in a number of cases, including #1 above
but previously it was also possible for some directives to appear
without arguments. AFAIK these were nonsensical in all cases, and the
new tokeniser refuses to accept them.
The new code handles quotes much better, permitting quoted space as
well as escaped closing quotes. Finally, comment handling should be
fixed - the tokeniser will terminate only on unquoted # characters.
feedback & ok markus@
tested in snaps for the last five or so days - thanks Theo and those who
caught bugs
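
An added example, not OpenSSH's tokeniser and not part of the commit: a small state-keeping line splitter showing the quote and comment behaviour the message above describes (quoted spaces, escaped closing quotes, termination only on an unquoted `#`). The function name, the limits and the restriction to double quotes are assumptions of this sketch.

```c
#include <stddef.h>

#define MAX_TOKENS 16
#define MAX_TOKEN_LEN 128

/*
 * Split one config line into tokens. Hypothetical helper written for this
 * example. Spaces and tabs separate tokens, "..." keeps spaces, \" inside
 * quotes is a literal quote, and a '#' outside quotes ends the line.
 * Returns the token count, or -1 on an unterminated quote or when a
 * limit is exceeded.
 */
int
tokenise(const char *line, char out[MAX_TOKENS][MAX_TOKEN_LEN])
{
	int n = 0, in_token = 0, quoted = 0;
	size_t len = 0;
	const char *p;

	for (p = line; ; p++) {
		char c = *p;
		int end = (c == '\0' || (!quoted && c == '#'));
		int sep = !quoted && (c == ' ' || c == '\t');

		if (end || sep) {
			if (in_token) {		/* close the current token */
				out[n++][len] = '\0';
				len = 0;
				in_token = 0;
			}
			if (end)
				return quoted ? -1 : n;
			continue;
		}
		if (!in_token && n >= MAX_TOKENS)
			return -1;
		in_token = 1;
		if (c == '"') {			/* open or close a quoted run */
			quoted = !quoted;
			continue;
		}
		if (quoted && c == '\\' && p[1] == '"')
			c = *++p;		/* escaped quote stays in the token */
		if (len + 1 >= MAX_TOKEN_LEN)
			return -1;
		out[n][len++] = c;
	}
}
```

Chopping the line at the first `#` before tokenising, the approach the message says caused a regression, would cut a quoted value such as `"id #2"` short; tracking the quote state while scanning avoids that.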
|
|
specially by the protocol. Useful in ~/.ssh/config to set TERM to
something generic (e.g. "xterm" instead of "xterm-256color") for
destinations that lack terminfo entries. feedback and ok dtucker@
|
|
ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.
> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable
This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.
This was reported as bz3280 and GHPR246; ok dtucker@
|
|
naddy@ and sthen@, ok sthen@
|
|
clobbered
|
|
when the -N (no shell) option was specified. bz3290 reported by
Richard Schwab; patch from markus@ ok me
|
|
providers get upset if C_Initialize is not matched with C_Finalize.
From Adithya Baglody via GHPR#234; ok markus
|