sync code with latest improvements from OpenBSD

This commit is contained in:
purplerain 2023-10-13 03:26:36 +00:00
parent e5a8beb33e
commit 2ec21d9c19
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
205 changed files with 4715 additions and 23023 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.398 2023/09/10 03:51:55 djm Exp $ */
/* $OpenBSD: clientloop.c,v 1.400 2023/10/12 02:12:53 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -672,7 +672,7 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
static void
client_wait_until_can_do_something(struct ssh *ssh, struct pollfd **pfdp,
u_int *npfd_allocp, u_int *npfd_activep, int channel_did_enqueue,
int *conn_in_readyp, int *conn_out_readyp)
sigset_t *sigsetp, int *conn_in_readyp, int *conn_out_readyp)
{
struct timespec timeout;
int ret, oready;
@ -719,7 +719,7 @@ client_wait_until_can_do_something(struct ssh *ssh, struct pollfd **pfdp,
ssh_packet_get_rekey_timeout(ssh));
}
ret = ppoll(*pfdp, *npfd_activep, ptimeout_get_tsp(&timeout), NULL);
ret = ppoll(*pfdp, *npfd_activep, ptimeout_get_tsp(&timeout), sigsetp);
if (ret == -1) {
/*
@ -1439,6 +1439,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
int channel_did_enqueue = 0, r, len;
u_int64_t ibytes, obytes;
int conn_in_ready, conn_out_ready;
sigset_t bsigset, osigset;
debug("Entering interactive session.");
session_ident = ssh2_chan_id;
@ -1524,6 +1525,13 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
schedule_server_alive_check();
if (sigemptyset(&bsigset) == -1 ||
sigaddset(&bsigset, SIGHUP) == -1 ||
sigaddset(&bsigset, SIGINT) == -1 ||
sigaddset(&bsigset, SIGQUIT) == -1 ||
sigaddset(&bsigset, SIGTERM) == -1)
error_f("bsigset setup: %s", strerror(errno));
/* Main loop of the client for the interactive session mode. */
while (!quit_pending) {
channel_did_enqueue = 0;
@ -1555,17 +1563,20 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
* message about it to the server if so.
*/
client_check_window_change(ssh);
if (quit_pending)
break;
}
/*
* Wait until we have something to do (something becomes
* available on one of the descriptors).
*/
if (sigprocmask(SIG_BLOCK, &bsigset, &osigset) == -1)
error_f("bsigset sigprocmask: %s", strerror(errno));
if (quit_pending)
break;
client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
&npfd_active, channel_did_enqueue,
&npfd_active, channel_did_enqueue, &osigset,
&conn_in_ready, &conn_out_ready);
if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
error_f("osigset sigprocmask: %s", strerror(errno));
if (quit_pending)
break;
@ -1792,7 +1803,7 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
c = channel_new(ssh, "x11",
c = channel_new(ssh, "x11-connection",
SSH_CHANNEL_X11_OPEN, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
c->force_drain = 1;
@ -1827,7 +1838,7 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
else
debug2_fr(r, "ssh_agent_bind_hostkey");
c = channel_new(ssh, "authentication agent connection",
c = channel_new(ssh, "agent-connection",
SSH_CHANNEL_OPEN, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
"authentication agent connection", 1);
@ -1855,7 +1866,7 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
c = channel_new(ssh, "tun-connection", SSH_CHANNEL_OPENING, fd, fd, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
c->datagram = 1;
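Review bot: The block / quit_pending check / ppoll / unblock sequence in client_loop has no comment saying why the quit signals are masked, and it only works if the `quit_pending` test stays after `SIG_BLOCK` and ppoll() is the call that atomically swaps `osigset` back in; a later reorder would silently reopen the lost-wakeup race the change closes. I would put above the `sigprocmask(SIG_BLOCK, ...)` line: `/* Mask SIGHUP/INT/QUIT/TERM so a signal landing between the quit_pending check and ppoll() cannot be lost; ppoll() restores osigset atomically while it sleeps. */`. The mask setup only logs on failure and the loop then runs with a possibly incomplete `bsigset`; sigemptyset/sigaddset can only fail on a bad signal number, so that is acceptable, but a one-line comment saying so would stop a reader from treating it as an unhandled error. client_loop and client_wait_until_can_do_something both start and end outside this section.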


@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.181 2023/08/28 03:28:43 djm Exp $ */
/* $OpenBSD: kex.c,v 1.182 2023/10/11 04:46:29 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@ -1293,7 +1293,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
sshbuf_reset(our_version);
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
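Review bot: Dropping the `%.100s` precision removes the only length bound in this sshbuf_putf, and RFC 4253 section 4.2 caps the identification line at 255 bytes including CRLF; SSH_VERSION is a compile-time constant so the change is harmless on its own, but `version_addendum` is administrator-supplied and was never bounded, so nothing in this function now caps the total. A cheap guard after the putf would make such a misconfiguration visible rather than silently producing a non-conformant banner: `if (sshbuf_len(our_version) > 255) error_f("version string exceeds 255 bytes");`. I have not checked whether the caller or the VersionAddendum parser already limits the addendum length. kex_exchange_identification starts and ends outside this hunk.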


@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.187 2023/08/28 03:31:16 djm Exp $ */
/* $OpenBSD: misc.c,v 1.189 2023/10/12 03:36:32 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@ -1197,7 +1197,7 @@ static char *
vdollar_percent_expand(int *parseerror, int dollar, int percent,
const char *string, va_list ap)
{
#define EXPAND_MAX_KEYS 16
#define EXPAND_MAX_KEYS 64
u_int num_keys = 0, i;
struct {
const char *key;
@ -2386,6 +2386,43 @@ format_absolute_time(uint64_t t, char *buf, size_t len)
strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm);
}
/*
* Parse a "pattern=interval" clause (e.g. a ChannelTimeout).
* Returns 0 on success or non-zero on failure.
* Caller must free *typep.
*/
int
parse_pattern_interval(const char *s, char **typep, int *secsp)
{
char *cp, *sdup;
int secs;
if (typep != NULL)
*typep = NULL;
if (secsp != NULL)
*secsp = 0;
if (s == NULL)
return -1;
sdup = xstrdup(s);
if ((cp = strchr(sdup, '=')) == NULL || cp == sdup) {
free(sdup);
return -1;
}
*cp++ = '\0';
if ((secs = convtime(cp)) < 0) {
free(sdup);
return -1;
}
/* success */
if (typep != NULL)
*typep = xstrdup(sdup);
if (secsp != NULL)
*secsp = secs;
free(sdup);
return 0;
}
/* check if path is absolute */
int
path_absolute(const char *path)
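Review bot: The header comment on parse_pattern_interval says it returns non-zero on failure while every failure path returns -1, and it does not record that `*typep`/`*secsp` are reset before any validation, which the readconf/servconf callers rely on when they pass NULL pointers just to validate. I would tighten it to: `Returns 0 on success or -1 on failure (NULL input, missing or empty pattern before '=', or an interval convtime() rejects). *typep and *secsp are reset on entry, so they are NULL/0 on failure; either may be NULL. Caller must free *typep.` The comment should also state that the pattern half is not validated here beyond being non-empty, so a misspelt channel type such as `sesion=5m` is accepted at parse time and presumably only fails to match later; that seems intended because wildcards are allowed, but it is worth saying explicitly.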


@ -1,4 +1,4 @@
/* $OpenBSD: misc.h,v 1.105 2023/08/28 03:31:16 djm Exp $ */
/* $OpenBSD: misc.h,v 1.106 2023/10/11 22:42:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -95,6 +95,7 @@ int valid_env_name(const char *);
const char *atoi_err(const char *, int *);
int parse_absolute_time(const char *, uint64_t *);
void format_absolute_time(uint64_t, char *, size_t);
int parse_pattern_interval(const char *, char **, int *);
int path_absolute(const char *);
int stdfd_devnull(int, int, int);
int lib_contains_symbol(const char *, const char *);


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.381 2023/08/28 03:31:16 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.383 2023/10/12 02:18:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -162,7 +162,7 @@ typedef enum {
oFingerprintHash, oUpdateHostkeys, oHostbasedAcceptedAlgorithms,
oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
oEnableEscapeCommandline, oObscureKeystrokeTiming,
oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@ -312,6 +312,7 @@ static struct {
{ "requiredrsasize", oRequiredRSASize },
{ "enableescapecommandline", oEnableEscapeCommandline },
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
{ NULL, oBadOption }
};
@ -335,7 +336,7 @@ kex_default_pk_alg(void)
char *
ssh_connection_hash(const char *thishost, const char *host, const char *portstr,
const char *user)
const char *user, const char *jumphost)
{
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
@ -345,6 +346,7 @@ ssh_connection_hash(const char *thishost, const char *host, const char *portstr,
ssh_digest_update(md, host, strlen(host)) < 0 ||
ssh_digest_update(md, portstr, strlen(portstr)) < 0 ||
ssh_digest_update(md, user, strlen(user)) < 0 ||
ssh_digest_update(md, jumphost, strlen(jumphost)) < 0 ||
ssh_digest_final(md, conn_hash, sizeof(conn_hash)) < 0)
fatal_f("mux digest failed");
ssh_digest_free(md);
@ -740,17 +742,19 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "exec") == 0) {
char *conn_hash_hex, *keyalias;
char *conn_hash_hex, *keyalias, *jmphost;
if (gethostname(thishost, sizeof(thishost)) == -1)
fatal("gethostname: %s", strerror(errno));
jmphost = option_clear_or_none(options->jump_host) ?
"" : options->jump_host;
strlcpy(shorthost, thishost, sizeof(shorthost));
shorthost[strcspn(thishost, ".")] = '\0';
snprintf(portstr, sizeof(portstr), "%d", port);
snprintf(uidstr, sizeof(uidstr), "%llu",
(unsigned long long)pw->pw_uid);
conn_hash_hex = ssh_connection_hash(thishost, host,
portstr, ruser);
portstr, ruser, jmphost);
keyalias = options->host_key_alias ?
options->host_key_alias : host;
@ -766,6 +770,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
"r", ruser,
"u", pw->pw_name,
"i", uidstr,
"j", jmphost,
(char *)NULL);
free(conn_hash_hex);
if (result != 1) {
@ -2300,6 +2305,31 @@ parse_pubkey_algos:
*intptr = value;
break;
case oChannelTimeout:
uvalue = options->num_channel_timeouts;
i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
/* Allow "none" only in first position */
if (strcasecmp(arg, "none") == 0) {
if (i > 0 || ac > 0) {
error("%s line %d: keyword %s \"none\" "
"argument must appear alone.",
filename, linenum, keyword);
goto out;
}
} else if (parse_pattern_interval(arg,
NULL, NULL) != 0) {
fatal("%s line %d: invalid channel timeout %s",
filename, linenum, arg);
}
if (!*activep || uvalue != 0)
continue;
opt_array_append(filename, linenum, keyword,
&options->channel_timeouts,
&options->num_channel_timeouts, arg);
}
break;
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@ -2552,6 +2582,8 @@ initialize_options(Options * options)
options->enable_escape_commandline = -1;
options->obscure_keystroke_timing_interval = -1;
options->tag = NULL;
options->channel_timeouts = NULL;
options->num_channel_timeouts = 0;
}
/*
@ -2785,6 +2817,16 @@ fill_default_options(Options * options)
v = NULL; \
} \
} while(0)
#define CLEAR_ON_NONE_ARRAY(v, nv, none) \
do { \
if (options->nv == 1 && \
strcasecmp(options->v[0], none) == 0) { \
free(options->v[0]); \
free(options->v); \
options->v = NULL; \
options->nv = 0; \
} \
} while (0)
CLEAR_ON_NONE(options->local_command);
CLEAR_ON_NONE(options->remote_command);
CLEAR_ON_NONE(options->proxy_command);
@ -2793,6 +2835,9 @@ fill_default_options(Options * options)
CLEAR_ON_NONE(options->pkcs11_provider);
CLEAR_ON_NONE(options->sk_provider);
CLEAR_ON_NONE(options->known_hosts_command);
CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
#undef CLEAR_ON_NONE
#undef CLEAR_ON_NONE_ARRAY
if (options->jump_host != NULL &&
strcmp(options->jump_host, "none") == 0 &&
options->jump_port == 0 && options->jump_user == NULL) {
@ -3497,6 +3542,8 @@ dump_client_config(Options *o, const char *host)
dump_cfg_strarray(oSetEnv, o->num_setenv, o->setenv);
dump_cfg_strarray_oneline(oLogVerbose,
o->num_log_verbose, o->log_verbose);
dump_cfg_strarray_oneline(oChannelTimeout,
o->num_channel_timeouts, o->channel_timeouts);
/* Special cases */
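Review bot: ssh_connection_hash feeds `jumphost` into the digest as a bare concatenation after `user`, with no delimiter between fields, so the new input is ambiguous at the boundary: user `uj` with no ProxyJump and user `u` with ProxyJump `j` digest to the same %C (the host/port boundary already had the same property). Since %C is what the default ControlPath is built from, a collision means two distinct destinations resolve to the same mux socket. Delimiting the fields, e.g. `ssh_digest_update(md, "\0", 1)` between each, fixes it but changes %C for every existing user, so if that is unacceptable the limitation should at least be recorded in a comment above the function. Separately, the oChannelTimeout case reports a misplaced `none` with `error(...); goto out;` but an invalid interval with `fatal(...)`; using the error/goto form for both would keep failure handling consistent within this case.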


@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.152 2023/08/28 03:31:16 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.154 2023/10/12 02:18:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -182,6 +182,9 @@ typedef struct {
int enable_escape_commandline; /* ~C commandline */
int obscure_keystroke_timing_interval;
char **channel_timeouts; /* inactivity timeout by channel type */
u_int num_channel_timeouts;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;
@ -230,7 +233,7 @@ typedef struct {
const char *kex_default_pk_alg(void);
char *ssh_connection_hash(const char *thishost, const char *host,
const char *portstr, const char *user);
const char *portstr, const char *user, const char *jump_host);
void initialize_options(Options *);
int fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);


@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.259 2023/09/10 23:12:32 djm Exp $ */
/* $OpenBSD: scp.c,v 1.260 2023/10/11 05:42:08 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@ -1752,8 +1752,16 @@ sink(int argc, char **argv, const char *src)
fnmatch(patterns[n], cp, 0) == 0)
break;
}
if (n >= npatterns)
if (n >= npatterns) {
debug2_f("incoming filename \"%s\" does not "
"match any of %zu expected patterns", cp,
npatterns);
for (n = 0; n < npatterns; n++) {
debug3_f("expected pattern %zu: \"%s\"",
n, patterns[n]);
}
SCREWUP("filename does not match request");
}
}
if (targisdir) {
static char *namebuf;


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.c,v 1.402 2023/09/08 06:34:24 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.403 2023/10/11 22:42:26 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -905,39 +905,6 @@ process_permitopen(struct ssh *ssh, ServerOptions *options)
options->num_permitted_listens);
}
/* Parse a ChannelTimeout clause "pattern=interval" */
static int
parse_timeout(const char *s, char **typep, int *secsp)
{
char *cp, *sdup;
int secs;
if (typep != NULL)
*typep = NULL;
if (secsp != NULL)
*secsp = 0;
if (s == NULL)
return -1;
sdup = xstrdup(s);
if ((cp = strchr(sdup, '=')) == NULL || cp == sdup) {
free(sdup);
return -1;
}
*cp++ = '\0';
if ((secs = convtime(cp)) < 0) {
free(sdup);
return -1;
}
/* success */
if (typep != NULL)
*typep = xstrdup(sdup);
if (secsp != NULL)
*secsp = secs;
free(sdup);
return 0;
}
void
process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
{
@ -948,7 +915,7 @@ process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
debug3_f("setting %u timeouts", options->num_channel_timeouts);
channel_clear_timeouts(ssh);
for (i = 0; i < options->num_channel_timeouts; i++) {
if (parse_timeout(options->channel_timeouts[i],
if (parse_pattern_interval(options->channel_timeouts[i],
&type, &secs) != 0) {
fatal_f("internal error: bad timeout %s",
options->channel_timeouts[i]);
@ -2488,7 +2455,8 @@ process_server_config_line_depth(ServerOptions *options, char *line,
filename, linenum, keyword);
goto out;
}
} else if (parse_timeout(arg, NULL, NULL) != 0) {
} else if (parse_pattern_interval(arg,
NULL, NULL) != 0) {
fatal("%s line %d: invalid channel timeout %s",
filename, linenum, arg);
}


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.437 2023/07/23 20:04:45 naddy Exp $
.Dd $Mdocdate: July 23 2023 $
.\" $OpenBSD: ssh.1,v 1.438 2023/10/11 23:14:33 djm Exp $
.Dd $Mdocdate: October 11 2023 $
.Dt SSH 1
.Os
.Sh NAME
@ -60,13 +60,14 @@
.Op Fl o Ar option
.Op Fl P Ar tag
.Op Fl p Ar port
.Op Fl Q Ar query_option
.Op Fl R Ar address
.Op Fl S Ar ctl_path
.Op Fl W Ar host : Ns Ar port
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
.Ar destination
.Op Ar command Op Ar argument ...
.Nm
.Op Fl Q Ar query_option
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for


@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.594 2023/09/03 23:59:32 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.598 2023/10/12 02:48:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -168,9 +168,10 @@ usage(void)
" [-c cipher_spec] [-D [bind_address:]port] [-E log_file]\n"
" [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]\n"
" [-J destination] [-L address] [-l login_name] [-m mac_spec]\n"
" [-O ctl_cmd] [-o option] [-P tag] [-p port] [-Q query_option]\n"
" [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
" [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]\n"
" [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]\n"
" destination [command [argument ...]]\n"
" ssh [-Q query_option]\n"
);
exit(255);
}
@ -605,6 +606,7 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
free(cinfo->remuser);
free(cinfo->homedir);
free(cinfo->locuser);
free(cinfo->jmphost);
free(cinfo);
}
@ -1366,13 +1368,15 @@ main(int ac, char **av)
(unsigned long long)pw->pw_uid);
cinfo->keyalias = xstrdup(options.host_key_alias ?
options.host_key_alias : options.host_arg);
cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, host,
cinfo->portstr, options.user);
cinfo->host_arg = xstrdup(options.host_arg);
cinfo->remhost = xstrdup(host);
cinfo->remuser = xstrdup(options.user);
cinfo->homedir = xstrdup(pw->pw_dir);
cinfo->locuser = xstrdup(pw->pw_name);
cinfo->jmphost = xstrdup(options.jump_host == NULL ?
"" : options.jump_host);
cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
/*
* Expand tokens in arguments. NB. LocalCommand is expanded later,
@ -1552,6 +1556,20 @@ main(int ac, char **av)
else
timeout_ms = options.connection_timeout * 1000;
/* Apply channels timeouts, if set */
channel_clear_timeouts(ssh);
for (j = 0; j < options.num_channel_timeouts; j++) {
debug3("applying channel timeout %s",
options.channel_timeouts[j]);
if (parse_pattern_interval(options.channel_timeouts[j],
&cp, &i) != 0) {
fatal_f("internal error: bad timeout %s",
options.channel_timeouts[j]);
}
channel_add_timeout(ssh, cp, i);
free(cp);
}
/* Open a connection to the remote host. */
if (ssh_connect(ssh, host, options.host_arg, addrs, &hostaddr,
options.port, options.connection_attempts,
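Review bot: `cinfo->jmphost` is built with `options.jump_host == NULL ? "" : options.jump_host`, whereas match_cfg_line in readconf.c derives the same %j/%C input with `option_clear_or_none(options->jump_host)`, so the two sites disagree whenever jump_host is still the literal `none` here; fill_default_options only clears `none` when no jump port/user is set, so that case looks reachable, if unusual. The effect would be a %C, and hence a default ControlPath, that differs between a Match exec evaluation and the final connection. I would use the same helper at this site: `cinfo->jmphost = xstrdup(option_clear_or_none(options.jump_host) ? "" : options.jump_host);`, assuming it is exported via readconf.h. main() starts and ends outside this section.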


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.388 2023/10/04 05:42:10 jmc Exp $
.Dd $Mdocdate: October 4 2023 $
.\" $OpenBSD: ssh_config.5,v 1.391 2023/10/12 02:18:18 djm Exp $
.Dd $Mdocdate: October 12 2023 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@ -455,6 +455,73 @@ Multiple
.Cm CertificateFile
directives will add to the list of certificates used for
authentication.
.It Cm ChannelTimeout
Specifies whether and how quickly
.Xr ssh 1
should close inactive channels.
Timeouts are specified as one or more
.Dq type=interval
pairs separated by whitespace, where the
.Dq type
must be a channel type name (as described in the table below), optionally
containing wildcard characters.
.Pp
The timeout value
.Dq interval
is specified in seconds or may use any of the units documented in the
.Sx TIME FORMATS
section.
For example,
.Dq session=5m
would cause the interactive session to terminate after five minutes of
inactivity.
Specifying a zero value disables the inactivity timeout.
.Pp
The available channel types include:
.Bl -tag -width Ds
.It Cm agent-connection
Open connections to
.Xr ssh-agent 1 .
.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
Open TCP or Unix socket (respectively) connections that have
been established from a
.Xr ssh 1
local forwarding, i.e.\&
.Cm LocalForward
or
.Cm DynamicForward .
.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
Open TCP or Unix socket (respectively) connections that have been
established to a
.Xr sshd 8
listening on behalf of a
.Xr ssh 1
remote forwarding, i.e.\&
.Cm RemoteForward .
.It Cm session
The interactive main session, including shell session, command execution,
.Xr scp 1 ,
.Xr sftp 1 ,
etc.
.It Cm tun-connection
Open
.Cm TunnelForward
connections.
.It Cm x11-connection
Open X11 forwarding sessions.
.El
.Pp
Note that in all the above cases, terminating an inactive session does not
guarantee to remove all resources associated with the session, e.g. shell
processes or X11 clients relating to the session may continue to execute.
.Pp
Moreover, terminating an inactive channel or session does not necessarily
close the SSH connection, nor does it prevent a client from
requesting another channel of the same type.
In particular, expiring an inactive forwarding session does not prevent
another identical forwarding from being subsequently created.
.Pp
The default is not to expire channels of any type for inactivity.
.It Cm CheckHostIP
If set to
.Cm yes ,
@ -1070,6 +1137,9 @@ may use the tilde syntax to refer to a user's home directory
or the tokens described in the
.Sx TOKENS
section.
Alternately an argument of
.Cm none
may be used to indicate no identity files should be loaded.
.Pp
It is possible to have
multiple identity files specified in configuration files; all these
@ -2123,7 +2193,7 @@ which are expanded at runtime:
A literal
.Sq % .
.It \&%C
Hash of %l%h%p%r.
Hash of %l%h%p%r%j.
.It %d
Local user's home directory.
.It %f
@ -2149,6 +2219,9 @@ when preparing the host key algorithm preference list to use for the
destination host.
.It %i
The local user ID.
.It %j
The contents of the ProxyJump option, or the empty string if this
option is unset.
.It %K
The base64 encoded host key.
.It %k
@ -2192,7 +2265,7 @@ The local username.
.Cm RevokedHostKeys ,
and
.Cm UserKnownHostsFile
accept the tokens %%, %C, %d, %h, %i, %k, %L, %l, %n, %p, %r, and %u.
accept the tokens %%, %C, %d, %h, %i, %j, %k, %L, %l, %n, %p, %r, and %u.
.Pp
.Cm KnownHostsCommand
additionally accepts the tokens %f, %H, %I, %K and %t.


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.h,v 1.46 2020/12/22 00:15:23 djm Exp $ */
/* $OpenBSD: sshconnect.h,v 1.47 2023/10/12 02:18:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -42,6 +42,7 @@ struct ssh_conn_info {
char *remuser;
char *homedir;
char *locuser;
char *jmphost;
};
struct addrinfo;
@ -61,7 +62,8 @@ struct ssh_conn_info;
"d", conn_info->homedir, \
"h", conn_info->remhost, \
"r", conn_info->remuser, \
"u", conn_info->locuser
"u", conn_info->locuser, \
"j", conn_info->jmphost
int ssh_connect(struct ssh *, const char *, const char *,
struct addrinfo *, struct sockaddr_storage *, u_short,


@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.367 2023/08/01 08:15:04 dtucker Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.368 2023/10/12 02:15:53 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@ -469,6 +469,14 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
pubkey_cleanup(ssh);
#ifdef GSSAPI
if (authctxt.gss_supported_mechs != NULL) {
u_int ms;
gss_release_oid_set(&ms, &authctxt.gss_supported_mechs);
authctxt.gss_supported_mechs = NULL;
}
#endif
ssh->authctxt = NULL;
ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
@ -813,9 +821,6 @@ userauth_gssapi_cleanup(struct ssh *ssh)
ssh_gssapi_delete_ctx(&gssctxt);
authctxt->methoddata = NULL;
free(authctxt->gss_supported_mechs);
authctxt->gss_supported_mechs = NULL;
}
static OM_uint32
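Review bot: The gss_release_oid_set() call discards its major status and supplies `ms` only because the API needs an out-pointer, so a failed release is silent; for cleanup that is tolerable, but a debug line keeps it diagnosable: `if (gss_release_oid_set(&ms, &authctxt.gss_supported_mechs) != GSS_S_COMPLETE) debug_f("gss_release_oid_set failed");`. Moving the release to the end of ssh_userauth2 presumes `authctxt.gss_supported_mechs` is zero-initialised earlier in that function, which is outside this hunk. userauth_gssapi_cleanup is also cut at the top of its hunk.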


@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.138 2023/08/21 04:36:46 djm Exp $ */
/* $OpenBSD: sshkey.c,v 1.139 2023/10/11 22:41:05 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -3367,6 +3367,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
struct sshkey *prv = NULL;
BIO *bio = NULL;
int r;
size_t len;
if (keyp != NULL)
*keyp = NULL;
@ -3442,6 +3443,39 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
#ifdef DEBUG_PK
if (prv != NULL && prv->ecdsa != NULL)
sshkey_dump_ec_key(prv->ecdsa);
#endif
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519 &&
(type == KEY_UNSPEC || type == KEY_ED25519)) {
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL ||
(prv->ed25519_sk = calloc(1, ED25519_SK_SZ)) == NULL ||
(prv->ed25519_pk = calloc(1, ED25519_PK_SZ)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
prv->type = KEY_ED25519;
len = ED25519_PK_SZ;
if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (len != ED25519_PK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
len = ED25519_SK_SZ - ED25519_PK_SZ;
if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (len != ED25519_SK_SZ - ED25519_PK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* Append the public key to our private key */
memcpy(prv->ed25519_sk + (ED25519_SK_SZ - ED25519_PK_SZ),
prv->ed25519_pk, ED25519_PK_SZ);
#ifdef DEBUG_PK
sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ, stderr);
#endif
} else {
r = SSH_ERR_INVALID_FORMAT;
@ -3472,7 +3506,6 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
*commentp = NULL;
switch (type) {
case KEY_ED25519:
case KEY_XMSS:
/* No fallback for new-format-only keys */
return sshkey_parse_private2(blob, type, passphrase,