Module Name: src
Committed By: christos
Date: Mon Sep 27 17:03:13 UTC 2021
Modified Files:
src/crypto/external/bsd/openssh/dist: channels.c clientloop.c compat.c
log.c misc.c myproposal.h readconf.c readconf.h scp.1 scp.c
servconf.c sftp-client.c sftp-realpath.c sftp.c ssh-keygen.c ssh.1
ssh.c ssh_config.5 sshd.8 sshd_config.5 version.h
Log Message:
Merge conflicts between OpenSSH 8.7 and 8.8
To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 src/crypto/external/bsd/openssh/dist/channels.c \
src/crypto/external/bsd/openssh/dist/ssh_config.5
cvs rdiff -u -r1.33 -r1.34 src/crypto/external/bsd/openssh/dist/clientloop.c \
src/crypto/external/bsd/openssh/dist/sftp.c
cvs rdiff -u -r1.23 -r1.24 src/crypto/external/bsd/openssh/dist/compat.c
cvs rdiff -u -r1.24 -r1.25 src/crypto/external/bsd/openssh/dist/log.c \
src/crypto/external/bsd/openssh/dist/scp.1
cvs rdiff -u -r1.27 -r1.28 src/crypto/external/bsd/openssh/dist/misc.c \
src/crypto/external/bsd/openssh/dist/readconf.h
cvs rdiff -u -r1.21 -r1.22 src/crypto/external/bsd/openssh/dist/myproposal.h
cvs rdiff -u -r1.36 -r1.37 src/crypto/external/bsd/openssh/dist/readconf.c
cvs rdiff -u -r1.32 -r1.33 src/crypto/external/bsd/openssh/dist/scp.c
cvs rdiff -u -r1.37 -r1.38 src/crypto/external/bsd/openssh/dist/servconf.c \
src/crypto/external/bsd/openssh/dist/ssh.c \
src/crypto/external/bsd/openssh/dist/version.h
cvs rdiff -u -r1.28 -r1.29 src/crypto/external/bsd/openssh/dist/sftp-client.c
cvs rdiff -u -r1.2 -r1.3 src/crypto/external/bsd/openssh/dist/sftp-realpath.c
cvs rdiff -u -r1.40 -r1.41 src/crypto/external/bsd/openssh/dist/ssh-keygen.c
cvs rdiff -u -r1.30 -r1.31 src/crypto/external/bsd/openssh/dist/ssh.1
cvs rdiff -u -r1.25 -r1.26 src/crypto/external/bsd/openssh/dist/sshd.8
cvs rdiff -u -r1.35 -r1.36 src/crypto/external/bsd/openssh/dist/sshd_config.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssh/dist/channels.c
diff -u src/crypto/external/bsd/openssh/dist/channels.c:1.31 src/crypto/external/bsd/openssh/dist/channels.c:1.32
--- src/crypto/external/bsd/openssh/dist/channels.c:1.31 Thu Sep 2 07:26:17 2021
+++ src/crypto/external/bsd/openssh/dist/channels.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: channels.c,v 1.31 2021/09/02 11:26:17 christos Exp $ */
-/* $OpenBSD: channels.c,v 1.407 2021/05/19 01:24:05 djm Exp $ */
+/* $NetBSD: channels.c,v 1.32 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -42,7 +42,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: channels.c,v 1.31 2021/09/02 11:26:17 christos Exp $");
+__RCSID("$NetBSD: channels.c,v 1.32 2021/09/27 17:03:13 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -632,9 +632,11 @@ channel_free(struct ssh *ssh, Channel *c
debug("channel %d: free: %s, nchannels %u", c->self,
c->remote_name ? c->remote_name : "???", n);
- if (c->type == SSH_CHANNEL_MUX_CLIENT)
+ if (c->type == SSH_CHANNEL_MUX_CLIENT) {
mux_remove_remote_forwardings(ssh, c);
- else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
+ free(c->mux_ctx);
+ c->mux_ctx = NULL;
+ } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
free(c->mux_ctx);
c->mux_ctx = NULL;
}
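Review bot: in channel_free() the SSH_CHANNEL_MUX_CLIENT and SSH_CHANNEL_MUX_LISTENER branches now end with the same two statements, free(c->mux_ctx); c->mux_ctx = NULL;. Consider hoisting that pair into a single test covering both channel types, placed after the mux_remove_remote_forwardings(ssh, c) call, so a future mux channel type cannot miss the cleanup. If the context must stay valid until the forwardings are removed, say so in a one-line comment.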
Index: src/crypto/external/bsd/openssh/dist/ssh_config.5
diff -u src/crypto/external/bsd/openssh/dist/ssh_config.5:1.31 src/crypto/external/bsd/openssh/dist/ssh_config.5:1.32
--- src/crypto/external/bsd/openssh/dist/ssh_config.5:1.31 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/ssh_config.5 Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: ssh_config.5,v 1.31 2021/09/02 11:26:18 christos Exp $
+.\" $NetBSD: ssh_config.5,v 1.32 2021/09/27 17:03:13 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <[email protected]>
@@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
-.Dd August 12 2021
+.\" $OpenBSD: ssh_config.5,v 1.366 2021/09/25 09:40:33 kn Exp $
+.Dd September 25 2021
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -374,6 +374,11 @@ to be canonicalized to names in the
or
.Qq *.c.example.com
domains.
+.Pp
+A single argument of
+.Qq none
+causes no CNAMEs to be considered for canonicalization.
+This is the default behaviour.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
@@ -876,12 +881,11 @@ [email protected],
[email protected],
[email protected],
[email protected],
[email protected],
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
[email protected],
[email protected],
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The
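Review bot: the default list in this literal block loses ssh-rsa with no accompanying sentence for users whose peers offer only that algorithm. Assuming this option accepts the same + prefix that this page describes for the KEX list, a short pointer to that form next to the list would tell readers how to re-enable the algorithm for a specific host instead of leaving them to discover the change from a failed connection.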
@@ -923,12 +927,11 @@ [email protected],
[email protected],
[email protected],
[email protected],
[email protected],
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
[email protected],
[email protected],
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
If hostkeys are known for the destination host then this default is modified
@@ -1153,15 +1156,15 @@ Specifies the available KEX (Key Exchang
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
default set.
The default is:
.Bd -literal -offset indent
@@ -1507,12 +1510,11 @@ [email protected],
[email protected],
[email protected],
[email protected],
[email protected],
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
[email protected],
[email protected],
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
+rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The list of available signature algorithms may also be obtained using
@@ -1791,15 +1793,15 @@ This option forces the user to manually
add all new hosts.
.Pp
If this flag is set to
-.Dq accept-new
+.Cm accept-new
then ssh will automatically add new host keys to the user's
.Pa known_hosts
file, but will not permit connections to hosts with
changed host keys.
If this flag is set to
-.Dq no
+.Cm no
or
-.Dq off ,
+.Cm off ,
ssh will automatically add new host keys to the user known hosts files
and allow connections to hosts with changed hostkeys to proceed,
subject to some restrictions.
Index: src/crypto/external/bsd/openssh/dist/clientloop.c
diff -u src/crypto/external/bsd/openssh/dist/clientloop.c:1.33 src/crypto/external/bsd/openssh/dist/clientloop.c:1.34
--- src/crypto/external/bsd/openssh/dist/clientloop.c:1.33 Thu Sep 2 07:26:17 2021
+++ src/crypto/external/bsd/openssh/dist/clientloop.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: clientloop.c,v 1.33 2021/09/02 11:26:17 christos Exp $ */
-/* $OpenBSD: clientloop.c,v 1.369 2021/07/23 04:04:52 djm Exp $ */
+/* $NetBSD: clientloop.c,v 1.34 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -62,7 +62,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: clientloop.c,v 1.33 2021/09/02 11:26:17 christos Exp $");
+__RCSID("$NetBSD: clientloop.c,v 1.34 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -1405,7 +1405,8 @@ client_loop(struct ssh *ssh, int have_pt
* exit status to be returned. In that case, clear error code if the
* connection was deliberately terminated at this end.
*/
- if (options.session_type == SESSION_TYPE_NONE && received_signal == SIGTERM) {
+ if (options.session_type == SESSION_TYPE_NONE &&
+ received_signal == SIGTERM) {
received_signal = 0;
exit_status = 0;
}
Index: src/crypto/external/bsd/openssh/dist/sftp.c
diff -u src/crypto/external/bsd/openssh/dist/sftp.c:1.33 src/crypto/external/bsd/openssh/dist/sftp.c:1.34
--- src/crypto/external/bsd/openssh/dist/sftp.c:1.33 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/sftp.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: sftp.c,v 1.33 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: sftp.c,v 1.211 2021/08/12 09:59:00 schwarze Exp $ */
+/* $NetBSD: sftp.c,v 1.34 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <[email protected]>
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: sftp.c,v 1.33 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: sftp.c,v 1.34 2021/09/27 17:03:13 christos Exp $");
#include <sys/param.h> /* MIN MAX */
#include <sys/types.h>
@@ -2214,29 +2214,29 @@ interactive_loop(struct sftp_conn *conn,
interactive = !batchmode && isatty(STDIN_FILENO);
err = 0;
for (;;) {
+ struct sigaction sa;
const char *line;
int count = 0;
+ interrupted = 0;
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_handler = interactive ? read_interrupt : killchild;
+ if (sigaction(SIGINT, &sa, NULL) == -1) {
+ debug3("sigaction(%s): %s", strsignal(SIGINT),
+ strerror(errno));
+ break;
+ }
if (el == NULL) {
- ssh_signal(SIGINT, SIG_IGN);
if (interactive)
printf("sftp> ");
if (fgets(cmd, sizeof(cmd), infile) == NULL) {
if (interactive)
printf("\n");
+ if (interrupted)
+ continue;
break;
}
} else {
- struct sigaction sa;
-
- interrupted = 0;
- memset(&sa, 0, sizeof(sa));
- sa.sa_handler = read_interrupt;
- if (sigaction(SIGINT, &sa, NULL) == -1) {
- debug3("sigaction(%s): %s",
- strsignal(SIGINT), strerror(errno));
- break;
- }
if ((line = el_gets(el, &count)) == NULL ||
count <= 0) {
printf("\n");
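Review bot: when sigaction(SIGINT, ...) fails at the top of the loop, the failure is reported only through debug3() before the break, and err was set to 0 just above the for (;;), so as far as these lines show a batch run can leave the loop without any visible error. Consider logging with error() and setting err before the break. The new "if (interrupted) continue;" after fgets() also relies on sa_flags being left at 0 by the memset (no SA_RESTART), which deserves a comment.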
Index: src/crypto/external/bsd/openssh/dist/compat.c
diff -u src/crypto/external/bsd/openssh/dist/compat.c:1.23 src/crypto/external/bsd/openssh/dist/compat.c:1.24
--- src/crypto/external/bsd/openssh/dist/compat.c:1.23 Thu Sep 2 07:26:17 2021
+++ src/crypto/external/bsd/openssh/dist/compat.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: compat.c,v 1.23 2021/09/02 11:26:17 christos Exp $ */
-/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
+/* $NetBSD: compat.c,v 1.24 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
@@ -26,7 +26,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: compat.c,v 1.23 2021/09/02 11:26:17 christos Exp $");
+__RCSID("$NetBSD: compat.c,v 1.24 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <stdlib.h>
@@ -71,7 +71,6 @@ compat_banner(struct ssh *ssh, const cha
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
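Review bot: dropping "OpenSSH_7.4*" from this pattern list leaves a gap between "OpenSSH_7.3*" and "OpenSSH_7.5*" that looks like an accidental deletion to the next reader. Add a comment above the list stating why 7.4 no longer gets SSH_BUG_SIGTYPE while its neighbours do.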
Index: src/crypto/external/bsd/openssh/dist/log.c
diff -u src/crypto/external/bsd/openssh/dist/log.c:1.24 src/crypto/external/bsd/openssh/dist/log.c:1.25
--- src/crypto/external/bsd/openssh/dist/log.c:1.24 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/log.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: log.c,v 1.24 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: log.c,v 1.59 2021/05/07 04:11:51 djm Exp $ */
+/* $NetBSD: log.c,v 1.25 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: log.c,v 1.24 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: log.c,v 1.25 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/uio.h>
@@ -319,6 +319,7 @@ do_log(LogLevel level, int force, const
int pri = LOG_INFO;
int saved_errno = errno;
log_handler_fn *tmp_handler;
+ const char *progname = argv0 != NULL ? argv0 : __progname;
if (!force && level > log_level)
return;
@@ -382,16 +383,18 @@ do_log(LogLevel level, int force, const
tmp_handler(level, force, visbuf, log_handler_ctx);
log_handler = tmp_handler;
} else if (log_on_stderr) {
- snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
- (int)sizeof msgbuf - 3, visbuf);
+ snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
+ (log_on_stderr > 1) ? progname : "",
+ (log_on_stderr > 1) ? ": " : "",
+ (int)sizeof msgbuf - 10, visbuf);
(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
} else {
#ifdef SYSLOG_DATA_INIT
- openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
+ openlog_r(progname, LOG_PID, log_facility, &sdata);
syslog_r(pri, &sdata, "%.500s", visbuf);
closelog_r(&sdata);
#else
- openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+ openlog(progname, LOG_PID, log_facility);
syslog(pri, "%.500s", visbuf);
closelog();
#endif
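Review bot: in the log_on_stderr branch the precision given for visbuf, (int)sizeof msgbuf - 10, does not depend on the length of progname. Once ": ", "\r\n" and the terminating NUL are counted, only a five-character program name fits alongside a maximum-length message; with a longer argv0 snprintf() still bounds the write but cuts off the trailing "\r\n". Derive the precision from strlen(progname) when log_on_stderr > 1, or write the prefix separately.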
Index: src/crypto/external/bsd/openssh/dist/scp.1
diff -u src/crypto/external/bsd/openssh/dist/scp.1:1.24 src/crypto/external/bsd/openssh/dist/scp.1:1.25
--- src/crypto/external/bsd/openssh/dist/scp.1:1.24 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/scp.1 Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: scp.1,v 1.24 2021/09/02 11:26:18 christos Exp $
+.\" $NetBSD: scp.1,v 1.25 2021/09/27 17:03:13 christos Exp $
.\" -*- nroff -*-
.\"
.\" scp.1
@@ -10,9 +10,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.105 2021/09/20 06:53:56 djm Exp $
.\"
-.Dd August 11 2021
+.Dd September 20 2021
.Dt SCP 1
.Os
.Sh NAME
@@ -39,9 +39,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -81,7 +78,7 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the original SCP protocol (the default), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -114,7 +111,7 @@ This option is directly passed to
.Xr ssh 1 .
.It Fl D Ar sftp_server_path
When using the SFTP protocol support via
-.Fl M ,
+.Fl s ,
connect directly to a local SFTP server program rather than a
remote one via
.Xr ssh 1 .
@@ -146,10 +143,12 @@ This option is directly passed to
.It Fl l Ar limit
Limits the used bandwidth, specified in Kbit/s.
.It Fl O
-Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+Use the original SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
This mode is the default.
.It Fl o Ar ssh_option
Can be used to pass options to
@@ -231,10 +230,10 @@ Note that this option is written with a
.Sq P ,
because
.Fl p
-is already reserved for preserving the times and modes of the file.
+is already reserved for preserving the times and mode bits of the file.
.It Fl p
-Preserves modification times, access times, and modes from the
-original file.
+Preserves modification times, access times, and file mode bits from the
+source file.
.It Fl q
Quiet mode: disables the progress meter as well as warning and diagnostic
messages from
@@ -261,15 +260,7 @@ The program must understand
.Xr ssh 1
options.
.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
+Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
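Review bot: the replacement text for -s writes "original scp protocol" in lower case while the other hunks in this file use "original SCP protocol"; pick one spelling. The shortened entry also drops the reason to prefer SFTP (no remote shell involved in filename handling), so a cross-reference from -s to the new CAVEATS section would keep that guidance reachable from the option a reader looks up.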
@@ -309,3 +300,10 @@ source code from the Regents of the Univ
.Sh AUTHORS
.An Timo Rinne Aq Mt [email protected]
.An Tatu Ylonen Aq Mt [email protected]
+.Sh CAVEATS
+The original SCP protocol (used by default) requires execution of the
+remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
Index: src/crypto/external/bsd/openssh/dist/misc.c
diff -u src/crypto/external/bsd/openssh/dist/misc.c:1.27 src/crypto/external/bsd/openssh/dist/misc.c:1.28
--- src/crypto/external/bsd/openssh/dist/misc.c:1.27 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/misc.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: misc.c,v 1.27 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $NetBSD: misc.c,v 1.28 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -20,7 +20,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: misc.c,v 1.27 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: misc.c,v 1.28 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -2634,6 +2634,12 @@ subprocess(const char *tag, const char *
#define setresuid(a, b, c) setuid(a)
#endif
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));
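Review bot: the initgroups() block added ahead of setresgid() in subprocess() has no comment explaining why it is needed or that its position matters. Add a comment that the supplementary group list has to be reset while the process still has euid 0, before the gid and uid are dropped, so a later cleanup does not reorder or remove the call. It would also help to state why the call is skipped when geteuid() != 0.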
Index: src/crypto/external/bsd/openssh/dist/readconf.h
diff -u src/crypto/external/bsd/openssh/dist/readconf.h:1.27 src/crypto/external/bsd/openssh/dist/readconf.h:1.28
--- src/crypto/external/bsd/openssh/dist/readconf.h:1.27 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/readconf.h Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: readconf.h,v 1.27 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
+/* $NetBSD: readconf.h,v 1.28 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -247,6 +247,7 @@ int parse_jump(const char *, Options *,
int parse_ssh_uri(const char *, char **, char **, int *);
int default_ssh_port(void);
int option_clear_or_none(const char *);
+int config_has_permitted_cnames(Options *);
void dump_client_config(Options *o, const char *host);
void add_local_forward(Options *, const struct Forward *);
Index: src/crypto/external/bsd/openssh/dist/myproposal.h
diff -u src/crypto/external/bsd/openssh/dist/myproposal.h:1.21 src/crypto/external/bsd/openssh/dist/myproposal.h:1.22
--- src/crypto/external/bsd/openssh/dist/myproposal.h:1.21 Fri Mar 5 12:47:16 2021
+++ src/crypto/external/bsd/openssh/dist/myproposal.h Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: myproposal.h,v 1.21 2021/03/05 17:47:16 christos Exp $ */
-/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
+/* $NetBSD: myproposal.h,v 1.22 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: myproposal.h,v 1.69 2021/08/29 23:53:10 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -47,7 +47,6 @@
"[email protected]," \
"[email protected]," \
"[email protected]," \
- "[email protected]," \
"ssh-ed25519," \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
@@ -55,8 +54,7 @@
"[email protected]," \
"[email protected]," \
"rsa-sha2-512," \
- "rsa-sha2-256," \
- "ssh-rsa"
+ "rsa-sha2-256"
#define KEX_SERVER_ENCRYPT \
"[email protected]," \
Index: src/crypto/external/bsd/openssh/dist/readconf.c
diff -u src/crypto/external/bsd/openssh/dist/readconf.c:1.36 src/crypto/external/bsd/openssh/dist/readconf.c:1.37
--- src/crypto/external/bsd/openssh/dist/readconf.c:1.36 Mon Sep 27 07:05:50 2021
+++ src/crypto/external/bsd/openssh/dist/readconf.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: readconf.c,v 1.36 2021/09/27 11:05:50 kim Exp $ */
-/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
+/* $NetBSD: readconf.c,v 1.37 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: readconf.c,v 1.36 2021/09/27 11:05:50 kim Exp $");
+__RCSID("$NetBSD: readconf.c,v 1.37 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -2101,11 +2101,24 @@ parse_pubkey_algos:
case oCanonicalizePermittedCNAMEs:
value = options->num_permitted_cnames != 0;
+ i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
- /* Either '*' for everything or 'list:list' */
- if (strcmp(arg, "*") == 0)
+ char empty[] = "";
+ /*
+ * Either 'none' (only in first position), '*' for
+ * everything or 'list:list'
+ */
+ if (strcasecmp(arg, "none") == 0) {
+ if (i > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"none\" "
+ "argument must appear alone.",
+ filename, linenum, keyword);
+ goto out;
+ }
+ arg2 = empty;
+ } else if (strcmp(arg, "*") == 0) {
arg2 = arg;
- else {
+ } else {
lowercase(arg);
if ((arg2 = strchr(arg, ':')) == NULL ||
arg2[1] == '\0') {
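Review bot: the new "none" branch matches with strcasecmp() but, unlike the list branch, never calls lowercase(arg), so the sentinel is apparently stored in whatever case the user typed and config_has_permitted_cnames() has to repeat the case-insensitive compare. Lowercasing arg in this branch too would give the stored entry one canonical form. Declaring char empty[] = ""; inside the loop only to obtain a non-const pointer for arg2 also merits a short comment.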
@@ -2117,6 +2130,7 @@ parse_pubkey_algos:
*arg2 = '\0';
arg2++;
}
+ i++;
if (!*activep || value)
continue;
if (options->num_permitted_cnames >=
@@ -2371,6 +2385,20 @@ option_clear_or_none(const char *o)
}
/*
+ * Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
+ * Allowed to be called on non-final configuration.
+ */
+int
+config_has_permitted_cnames(Options *options)
+{
+ if (options->num_permitted_cnames == 1 &&
+ strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
+ strcmp(options->permitted_cnames[0].target_list, "") == 0)
+ return 0;
+ return options->num_permitted_cnames > 0;
+}
+
+/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
* are processed in the following order: command line, user config file,
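Review bot: the comment on config_has_permitted_cnames() says it returns 1 if CanonicalizePermittedCNAMEs "have been specified", yet the body returns 0 for an explicit "none", which is also a specified value. Reword it to say the function returns 1 only when at least one real source:target rule is configured, and document that "none" is represented as a single entry with source_list "none" and an empty target_list, since the callers changed in this commit depend on that encoding.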
@@ -2784,6 +2812,15 @@ fill_default_options(Options * options)
free(options->jump_host);
options->jump_host = NULL;
}
+ if (options->num_permitted_cnames == 1 &&
+ !config_has_permitted_cnames(options)) {
+ /* clean up CanonicalizePermittedCNAMEs=none */
+ free(options->permitted_cnames[0].source_list);
+ free(options->permitted_cnames[0].target_list);
+ memset(options->permitted_cnames, '\0',
+ sizeof(*options->permitted_cnames));
+ options->num_permitted_cnames = 0;
+ }
/* options->identity_agent distinguishes NULL from 'none' */
/* options->user will be set in the main program if appropriate */
/* options->hostname will be set in the main program if appropriate */
@@ -3499,14 +3536,14 @@ dump_client_config(Options *o, const cha
printf("\n");
/* oCanonicalizePermittedCNAMEs */
- if ( o->num_permitted_cnames > 0) {
- printf("canonicalizePermittedcnames");
- for (i = 0; i < o->num_permitted_cnames; i++) {
- printf(" %s:%s", o->permitted_cnames[i].source_list,
- o->permitted_cnames[i].target_list);
- }
- printf("\n");
+ printf("canonicalizePermittedcnames");
+ if (o->num_permitted_cnames == 0)
+ printf(" none");
+ for (i = 0; i < o->num_permitted_cnames; i++) {
+ printf(" %s:%s", o->permitted_cnames[i].source_list,
+ o->permitted_cnames[i].target_list);
}
+ printf("\n");
/* oControlPersist */
if (o->control_persist == 0 || o->control_persist_timeout == 0)
Index: src/crypto/external/bsd/openssh/dist/scp.c
diff -u src/crypto/external/bsd/openssh/dist/scp.c:1.32 src/crypto/external/bsd/openssh/dist/scp.c:1.33
--- src/crypto/external/bsd/openssh/dist/scp.c:1.32 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/scp.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: scp.c,v 1.32 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
+/* $NetBSD: scp.c,v 1.33 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
@@ -74,7 +74,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: scp.c,v 1.32 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: scp.c,v 1.33 2021/09/27 17:03:13 christos Exp $");
#include <sys/param.h> /* roundup MAX */
#include <sys/types.h>
@@ -449,7 +449,7 @@ main(int argc, char **argv)
newargv[n] = xstrdup(argv[n]);
argv = newargv;
- log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+ log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
memset(&args, '\0', sizeof(args));
memset(&remote_remote_args, '\0', sizeof(remote_remote_args));
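Review bot: log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2) passes a bare 2 whose meaning (prefix stderr messages with the program name) is defined only by the log_on_stderr > 1 tests in the log.c hunk of this commit. A named constant, or at least a comment at this call and at the second log_init() call further down, would make the intent readable without opening log.c.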
@@ -567,7 +567,7 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
- log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+ log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
/* Do this last because we want the user to be able to override it */
addargs(&args, "-oForwardAgent=no");
@@ -633,7 +633,7 @@ main(int argc, char **argv)
* Finally check the exit status of the ssh process, if one was forked
* and no error has occurred yet
*/
- if (do_cmd_pid != -1 && errs == 0) {
+ if (do_cmd_pid != -1 && (mode == MODE_SFTP || errs == 0)) {
if (remin != -1)
(void) close(remin);
if (remout != -1)
@@ -1193,8 +1193,7 @@ tolocal(int argc, char **argv, enum scp_
conn = do_sftp_connect(host, suser, sport,
sftp_direct, &remin, &remout, &do_cmd_pid);
if (conn == NULL) {
- error("Couldn't make sftp connection "
- "to server");
+ error("sftp connection failed");
++errs;
continue;
}
@@ -1241,7 +1240,8 @@ prepare_remote_path(struct sftp_conn *co
if (can_expand_path(conn))
return do_expand_path(conn, path);
/* No protocol extension */
- error("~user paths are not currently supported");
+ error("server expand-path extension is required "
+ "for ~user paths in SFTP mode");
return NULL;
}
@@ -1276,11 +1276,14 @@ source_sftp(int argc, char *src, char *t
if (local_is_dir(src) && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
- fatal("failed to upload directory %s to %s",
+ error("failed to upload directory %s to %s",
src, abs_dst);
+ errs = 1;
}
- } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0)
- fatal("failed to upload file %s to %s", src, abs_dst);
+ } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
+ error("failed to upload file %s to %s", src, abs_dst);
+ errs = 1;
+ }
free(abs_dst);
free(target);
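Review bot: the new failure paths in source_sftp() set errs = 1, while the tolocal() context earlier in this diff records failures with ++errs. If errs is a running count, the assignment discards failures already recorded; use ++errs here as well, or document that errs is only ever tested against zero.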
@@ -1471,9 +1474,9 @@ sink_sftp(int argc, char *dst, const cha
debug3_f("copying remote %s to local %s", abs_src, dst);
if ((r = remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
- error("Too many glob matches for \"%s\".", abs_src);
+ error("%s: too many glob matches", abs_src);
else
- error("File \"%s\" not found.", abs_src);
+ error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
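Review bot: in sink_sftp() every non-zero remote_glob() return other than GLOB_NOSPACE is now reported as strerror(ENOENT), so any other kind of glob failure is shown to the user as a missing file. Distinguish the no-match result from the remaining return values, or keep a generic message for the latter.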
@@ -1518,9 +1521,8 @@ out:
free(abs_src);
free(tmp);
globfree(&g);
- if (err == -1) {
- fatal("Failed to download file '%s'", src);
- }
+ if (err == -1)
+ errs = 1;
}
@@ -1861,7 +1863,7 @@ throughlocal_sftp(struct sftp_conn *from
targetisdir = remote_is_dir(to, target);
if (!targetisdir && targetshouldbedirectory) {
- error("Destination path \"%s\" is not a directory", target);
+ error("%s: destination is not a directory", target);
err = -1;
goto out;
}
@@ -1869,9 +1871,9 @@ throughlocal_sftp(struct sftp_conn *from
debug3_f("copying remote %s to remote %s", abs_src, target);
if ((r = remote_glob(from, abs_src, GLOB_MARK, NULL, &g)) != 0) {
if (r == GLOB_NOSPACE)
- error("Too many glob matches for \"%s\".", abs_src);
+ error("%s: too many glob matches", abs_src);
else
- error("File \"%s\" not found.", abs_src);
+ error("%s: %s", abs_src, strerror(ENOENT));
err = -1;
goto out;
}
@@ -1912,7 +1914,7 @@ out:
free(tmp);
globfree(&g);
if (err == -1)
- fatal("Failed to download file '%s'", src);
+ errs = 1;
}
int
Index: src/crypto/external/bsd/openssh/dist/servconf.c
diff -u src/crypto/external/bsd/openssh/dist/servconf.c:1.37 src/crypto/external/bsd/openssh/dist/servconf.c:1.38
--- src/crypto/external/bsd/openssh/dist/servconf.c:1.37 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/servconf.c Mon Sep 27 13:03:13 2021
@@ -1,6 +1,6 @@
-/* $NetBSD: servconf.c,v 1.37 2021/09/02 11:26:18 christos Exp $ */
+/* $NetBSD: servconf.c,v 1.38 2021/09/27 17:03:13 christos Exp $ */
-/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.382 2021/09/06 00:36:01 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
* All rights reserved
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: servconf.c,v 1.37 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: servconf.c,v 1.38 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/queue.h>
@@ -603,8 +603,8 @@ typedef enum {
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosGetAFSToken,
sKerberosTgtPassing,
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
+ sPasswordAuthentication,
+ sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
Index: src/crypto/external/bsd/openssh/dist/ssh.c
diff -u src/crypto/external/bsd/openssh/dist/ssh.c:1.37 src/crypto/external/bsd/openssh/dist/ssh.c:1.38
--- src/crypto/external/bsd/openssh/dist/ssh.c:1.37 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/ssh.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: ssh.c,v 1.37 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: ssh.c,v 1.566 2021/08/08 08:49:09 dtucker Exp $ */
+/* $NetBSD: ssh.c,v 1.38 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -43,7 +43,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: ssh.c,v 1.37 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: ssh.c,v 1.38 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/ioctl.h>
@@ -176,7 +176,7 @@ usage(void)
" [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
" [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
-" [-w local_tun[:remote_tun]] destination [command]\n"
+" [-w local_tun[:remote_tun]] destination [command [argument ...]]\n"
);
exit(255);
}
@@ -250,6 +250,7 @@ resolve_host(const char *name, int port,
port = default_ssh_port();
if (cname != NULL)
*cname = '\0';
+ debug3_f("lookup %s:%d", name, port);
snprintf(strport, sizeof strport, "%d", port);
memset(&hints, 0, sizeof(hints));
@@ -373,7 +374,7 @@ check_follow_cname(int direct, char **na
int i;
struct allowed_cname *rule;
- if (*cname == '\0' || options.num_permitted_cnames == 0 ||
+ if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
strcmp(*namep, cname) == 0)
return 0;
if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
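Review bot: The first condition of check_follow_cname() now depends on config_has_permitted_cnames(&options), but nothing at this call site says what the helper counts as "no rules", whereas the old test (options.num_permitted_cnames == 0) was self-explanatory. This condition gates whether a CNAME is considered at all, so the helper's contract should be documented at its declaration. The same reading must hold for the identical substitution in main().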
@@ -1177,7 +1178,7 @@ main(int ac, char **av)
*/
direct = option_clear_or_none(options.proxy_command) &&
options.jump_host == NULL;
- if (addrs == NULL && options.num_permitted_cnames != 0 && (direct ||
+ if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
if ((addrs = resolve_host(host, options.port,
direct, cname, sizeof(cname))) == NULL) {
@@ -1783,7 +1784,8 @@ ssh_confirm_remote_forward(struct ssh *s
rfwd->allocated_port = (int)port;
logit("Allocated port %u for remote "
"forward to %s:%d",
- rfwd->allocated_port, rfwd->connect_host,
+ rfwd->allocated_port, rfwd->connect_path ?
+ rfwd->connect_path : rfwd->connect_host,
rfwd->connect_port);
channel_update_permission(ssh,
rfwd->handle, rfwd->allocated_port);
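Review bot: The format string in this logit() call is still "forward to %s:%d", so when rfwd->connect_path is selected the message prints the path followed by a colon and rfwd->connect_port, which is not a meaningful pair for a path target. Consider branching on rfwd->connect_path and logging only the path in that case, keeping the host:port form for the connect_host case.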
Index: src/crypto/external/bsd/openssh/dist/version.h
diff -u src/crypto/external/bsd/openssh/dist/version.h:1.37 src/crypto/external/bsd/openssh/dist/version.h:1.38
--- src/crypto/external/bsd/openssh/dist/version.h:1.37 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/version.h Mon Sep 27 13:03:13 2021
@@ -1,8 +1,8 @@
-/* $NetBSD: version.h,v 1.37 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: version.h,v 1.91 2021/08/20 03:22:55 djm Exp $ */
+/* $NetBSD: version.h,v 1.38 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: version.h,v 1.92 2021/09/26 14:01:11 djm Exp $ */
-#define __OPENSSH_VERSION "OpenSSH_8.7"
-#define __NETBSDSSH_VERSION "NetBSD_Secure_Shell-20210902"
+#define __OPENSSH_VERSION "OpenSSH_8.8"
+#define __NETBSDSSH_VERSION "NetBSD_Secure_Shell-20210927"
#define SSH_HPN "-hpn13v14"
#define SSH_LPK "-lpk"
/*
Index: src/crypto/external/bsd/openssh/dist/sftp-client.c
diff -u src/crypto/external/bsd/openssh/dist/sftp-client.c:1.28 src/crypto/external/bsd/openssh/dist/sftp-client.c:1.29
--- src/crypto/external/bsd/openssh/dist/sftp-client.c:1.28 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/sftp-client.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: sftp-client.c,v 1.28 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: sftp-client.c,v 1.154 2021/08/09 23:47:44 djm Exp $ */
+/* $NetBSD: sftp-client.c,v 1.29 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.155 2021/09/03 05:12:25 dtucker Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <[email protected]>
@@ -23,7 +23,7 @@
/* XXX: copy between two remote sites */
#include "includes.h"
-__RCSID("$NetBSD: sftp-client.c,v 1.28 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: sftp-client.c,v 1.29 2021/09/27 17:03:13 christos Exp $");
#include <sys/param.h> /* MIN MAX */
#include <sys/types.h>
@@ -2021,7 +2021,6 @@ upload_dir_internal(struct sftp_conn *co
if (print_flag && print_flag != SFTP_PROGRESS_ONLY)
mprintf("Entering %s\n", src);
- attrib_clear(&a);
stat_to_attrib(&sb, &a);
a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;
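Review bot: With attrib_clear(&a) removed, the two a.flags &= ~... statements that follow are read-modify-write operations on whatever stat_to_attrib(&sb, &a) left in a.flags, so the removal is safe only if stat_to_attrib() itself initialises every field of a. That dependency deserves a one-line comment at this call, so a later change to stat_to_attrib() cannot silently leave a.flags uninitialised here.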
Index: src/crypto/external/bsd/openssh/dist/sftp-realpath.c
diff -u src/crypto/external/bsd/openssh/dist/sftp-realpath.c:1.2 src/crypto/external/bsd/openssh/dist/sftp-realpath.c:1.3
--- src/crypto/external/bsd/openssh/dist/sftp-realpath.c:1.2 Wed Feb 26 19:24:40 2020
+++ src/crypto/external/bsd/openssh/dist/sftp-realpath.c Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-realpath.c,v 1.1 2019/07/05 04:55:40 djm Exp $ */
+/* $OpenBSD: sftp-realpath.c,v 1.2 2021/09/02 21:03:54 deraadt Exp $ */
/*
* Copyright (c) 2003 Constantin S. Svintsoff <[email protected]>
*
@@ -27,10 +27,9 @@
* SUCH DAMAGE.
*/
#include "includes.h"
-__RCSID("$NetBSD: sftp-realpath.c,v 1.2 2020/02/27 00:24:40 christos Exp $");
+__RCSID("$NetBSD: sftp-realpath.c,v 1.3 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
-#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
Index: src/crypto/external/bsd/openssh/dist/ssh-keygen.c
diff -u src/crypto/external/bsd/openssh/dist/ssh-keygen.c:1.40 src/crypto/external/bsd/openssh/dist/ssh-keygen.c:1.41
--- src/crypto/external/bsd/openssh/dist/ssh-keygen.c:1.40 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/ssh-keygen.c Mon Sep 27 13:03:13 2021
@@ -1,5 +1,5 @@
-/* $NetBSD: ssh-keygen.c,v 1.40 2021/09/02 11:26:18 christos Exp $ */
-/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
+/* $NetBSD: ssh-keygen.c,v 1.41 2021/09/27 17:03:13 christos Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
/*
* Author: Tatu Ylonen <[email protected]>
@@ -15,7 +15,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: ssh-keygen.c,v 1.40 2021/09/02 11:26:18 christos Exp $");
+__RCSID("$NetBSD: ssh-keygen.c,v 1.41 2021/09/27 17:03:13 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
@@ -2661,7 +2661,8 @@ sig_process_opts(char * const *opts, siz
time_t now;
*verify_timep = 0;
- *print_pubkey = 0;
+ if (print_pubkey != NULL)
+ *print_pubkey = 0;
for (i = 0; i < nopts; i++) {
if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
if (parse_absolute_time(opts[i] + 12,
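Review bot: Only print_pubkey gets a NULL guard in sig_process_opts(); *verify_timep = 0 on the line above is still dereferenced unconditionally, and the visible part of the option loop does not show whether a later assignment through print_pubkey is guarded as well. If callers may now pass NULL for print_pubkey, the function comment should state which out-parameters are optional, and any assignment further down the loop needs the same check or should reject the option when the pointer is NULL.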
Index: src/crypto/external/bsd/openssh/dist/ssh.1
diff -u src/crypto/external/bsd/openssh/dist/ssh.1:1.30 src/crypto/external/bsd/openssh/dist/ssh.1:1.31
--- src/crypto/external/bsd/openssh/dist/ssh.1:1.30 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/ssh.1 Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: ssh.1,v 1.30 2021/09/02 11:26:18 christos Exp $
+.\" $NetBSD: ssh.1,v 1.31 2021/09/27 17:03:13 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <[email protected]>
@@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.425 2021/07/28 05:57:42 jmc Exp $
-.Dd July 28 2021
+.\" $OpenBSD: ssh.1,v 1.427 2021/09/10 10:26:02 dtucker Exp $
+.Dd September 10 2021
.Dt SSH 1
.Os
.Sh NAME
@@ -67,7 +67,7 @@
.Op Fl W Ar host : Ns Ar port
.Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
.Ar destination
-.Op Ar command
+.Op Ar command Op Ar argument ...
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
@@ -96,7 +96,12 @@ their identity to the remote machine usi
If a
.Ar command
is specified,
-it is executed on the remote host instead of a login shell.
+it will be executed on the remote host instead of a login shell.
+A complete command line may be specified as
+.Ar command ,
+or it may have additional arguments.
+If supplied, the arguments will be appended to the command, separated by
+spaces, before it is sent to the server to be executed.
.Pp
The options are as follows:
.Pp
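Review bot: The added paragraph says the arguments are "appended to the command, separated by spaces" but stops short of the consequence: a single joined string is sent to the server, so the argument boundaries and quoting applied by the local shell are not preserved. One more sentence stating that arguments containing spaces or shell metacharacters must be quoted for the remote side would keep readers from assuming argv-style semantics.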
@@ -290,6 +295,10 @@ authentication.
.It Fl i Ar identity_file
Selects a file from which the identity (private key) for
public key authentication is read.
+You can also specify a public key file to use the corresponding
+private key that is loaded in
+.Xr ssh-agent 1
+when the private key file is not present locally.
The default is
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
Index: src/crypto/external/bsd/openssh/dist/sshd.8
diff -u src/crypto/external/bsd/openssh/dist/sshd.8:1.25 src/crypto/external/bsd/openssh/dist/sshd.8:1.26
--- src/crypto/external/bsd/openssh/dist/sshd.8:1.25 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/sshd.8 Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: sshd.8,v 1.25 2021/09/02 11:26:18 christos Exp $
+.\" $NetBSD: sshd.8,v 1.26 2021/09/27 17:03:13 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <[email protected]>
@@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
-.Dd July 30 2021
+.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
+.Dd September 10 2021
.Dt SSHD 8
.Os
.Sh NAME
@@ -278,7 +278,12 @@ things like allocating a pseudo-tty, for
forwarding TCP connections, or forwarding the authentication agent
connection over the secure channel.
.Pp
-After this, the client either requests a shell or execution of a command.
+After this, the client either requests an interactive shell or execution
+or a non-interactive command, which
+.Nm
+will execute via the user's shell using its
+.Fl c
+option.
The sides then enter session mode.
In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or
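Review bot: The new sentence reads "requests an interactive shell or execution or a non-interactive command"; the second "or" should be "of", otherwise the sentence lists three alternatives where only two are meant. The rest of the addition (execution via the user's shell using its -c option) is useful and matches the argument-joining text added to ssh.1 in this same commit.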
Index: src/crypto/external/bsd/openssh/dist/sshd_config.5
diff -u src/crypto/external/bsd/openssh/dist/sshd_config.5:1.35 src/crypto/external/bsd/openssh/dist/sshd_config.5:1.36
--- src/crypto/external/bsd/openssh/dist/sshd_config.5:1.35 Thu Sep 2 07:26:18 2021
+++ src/crypto/external/bsd/openssh/dist/sshd_config.5 Mon Sep 27 13:03:13 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: sshd_config.5,v 1.35 2021/09/02 11:26:18 christos Exp $
+.\" $NetBSD: sshd_config.5,v 1.36 2021/09/27 17:03:13 christos Exp $
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <[email protected]>
@@ -35,8 +35,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
-.Dd August 12 2021
+.\" $OpenBSD: sshd_config.5,v 1.335 2021/09/03 05:25:50 dtucker Exp $
+.Dd September 3 2021
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -923,15 +923,15 @@ Specifies the available KEX (Key Exchang
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
default set.
The supported algorithms are:
.Pp