From e41e10e3956bbdc62b15cc3991e218376689320b Mon Sep 17 00:00:00 2001
From: djm
Date: Mon, 17 Jul 2023 04:08:31 +0000
Subject: [PATCH] Add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name.
ok markus
---
 usr.bin/ssh/readconf.c | 15 +++++++++++++--
 usr.bin/ssh/readconf.h | 3 ++-
 usr.bin/ssh/ssh.1 | 15 +++++++++++++--
 usr.bin/ssh/ssh.c | 8 +++++---
 usr.bin/ssh/ssh_config.5 | 16 +++++++++++++++-
 5 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 9895524b585..21a552e7c5a 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.378 2023/07/17 04:04:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.379 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -128,7 +128,7 @@ static int process_config_line_depth(Options *options, struct passwd *pw,
 typedef enum {
 	oBadOption,
-	oHost, oMatch, oInclude,
+	oHost, oMatch, oInclude, oTag,
 	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 	oGatewayPorts, oExitOnForwardFailure,
 	oPasswordAuthentication,
@@ -241,6 +241,7 @@ static struct {
 	{ "user", oUser },
 	{ "host", oHost },
 	{ "match", oMatch },
+	{ "tag", oTag },
 	{ "escapechar", oEscapeChar },
 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
 	{ "userknownhostsfile", oUserKnownHostsFile },
@@ -729,6 +730,10 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 				goto out;
 			}
 			r = check_match_ifaddrs(arg) == 1;
+		} else if (strcasecmp(attrib, "tagged") == 0) {
+			criteria = xstrdup(options->tag == NULL ? "" :
+			    options->tag);
+			r = match_pattern_list(criteria, arg, 0) == 1;
 			if (r == (negate ? 1 : 0))
 				this_result = result = 0;
 		} else if (strcasecmp(attrib, "exec") == 0) {
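Review bot: In the new `tagged` branch an unset tag is compared as the empty string, so a wildcard criterion such as `Match tagged *` will, as far as I can tell from the glob handling in match_pattern_list, also select configuration for sessions that set no tag at all; if that is intended it deserves a comment, e.g. `/* no tag set: compare as "" so a wildcard still selects untagged sessions */`, otherwise the line should become `r = options->tag != NULL && match_pattern_list(criteria, arg, 0) == 1;`. The keyword matched here is `tagged`, while the commit message calls it "Match tag" and the criteria list added to ssh_config.5 spells it `.Cm Tag ,`; that man page line should read `.Cm tagged ,` to agree with the code and the other lowercase criteria (the new ssh_config.5 Tag entry also has the typo `configuation`). I am assuming the existing per-criterion `free(criteria)` at the end of the loop covers this branch as it does `host` and the others. match_cfg_line starts and ends outside the hunk.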
@@ -1349,6 +1354,10 @@ parse_char_array:
 		charptr = &options->hostname;
 		goto parse_string;
+	case oTag:
+		charptr = &options->tag;
+		goto parse_string;
+
 	case oHostKeyAlias:
 		charptr = &options->host_key_alias;
 		goto parse_string;
@@ -2496,6 +2505,7 @@ initialize_options(Options * options)
 	options->known_hosts_command = NULL;
 	options->required_rsa_size = -1;
 	options->enable_escape_commandline = -1;
+	options->tag = NULL;
 }
 /*
@@ -3408,6 +3418,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
 	dump_cfg_string(oXAuthLocation, o->xauth_location);
 	dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
+	dump_cfg_string(oTag, o->tag);
 	/* Forwards */
 	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 2ce1b4c332e..dfe5bab0a3c 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.150 2023/01/13 02:58:20 dtucker Exp $ */
+/* $OpenBSD: readconf.h,v 1.151 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen
@@ -70,6 +70,7 @@ typedef struct {
 	char *kex_algorithms; /* SSH2 kex methods in order of preference. */
 	char *ca_sign_algorithms; /* Allowed CA signature algorithms */
 	char *hostname; /* Real host to connect. */
+	char *tag; /* Configuration tag name. */
 	char *host_key_alias; /* hostname alias for .ssh/known_hosts */
 	char *proxy_command; /* Proxy command for connecting the host. */
 	char *user; /* User to log in as. */
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 3d89c7d7f35..4935a6ff53c 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
-.Dd $Mdocdate: June 21 2023 $
+.\" $OpenBSD: ssh.1,v 1.435 2023/07/17 04:08:31 djm Exp $
+.Dd $Mdocdate: July 17 2023 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Op Fl O Ar ctl_cmd
 .Op Fl o Ar option
 .Op Fl p Ar port
+.Op Fl P Ar tag
 .Op Fl Q Ar query_option
 .Op Fl R Ar address
 .Op Fl S Ar ctl_path
@@ -593,6 +594,16 @@ For full details of the options listed below, and their possible values, see
 .It XAuthLocation
 .El
 .Pp
+.It Fl P Ar tag
+Specify a tag name that may be used to select configuration in
+.Xr ssh_config 5 .
+Refer to the
+.Cm Tag
+and
+.Cm Match
+keywords in
+.Xr ssh_config 5
+for more information.
 .It Fl p Ar port
 Port to connect to on the remote host.
 This can be specified on a
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 3f90b6dd9a9..99866c86bf0 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.590 2023/07/04 03:59:21 dlg Exp $ */
+/* $OpenBSD: ssh.c,v 1.591 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -682,7 +682,7 @@ main(int ac, char **av)
  again:
 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
+	    "AB:CD:E:F:GI:J:KL:MNO:P:Q:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
 		switch (opt) {
 		case '1':
 			fatal("SSH protocol v.1 is no longer supported");
@@ -746,7 +746,9 @@ main(int ac, char **av)
 			else
 				fatal("Invalid multiplex command.");
 			break;
-		case 'P': /* deprecated */
+		case 'P':
+			if (options.tag == NULL)
+				options.tag = xstrdup(optarg);
 			break;
 		case 'Q':
 			cp = NULL;
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 65ba886ec42..dd97fc875f4 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
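Review bot: `-P` changes from a deprecated flag that took no argument to one that consumes the next word (`P:` in the getopt string), so an old invocation such as `ssh -P host` now silently takes the hostname as the tag; the case label should record the repurposing, e.g. `case 'P':	/* formerly a deprecated no-op; now the configuration tag */`. The value is copied verbatim into `options.tag` with no restriction on length or characters, which looks acceptable because it is only glob-compared in readconf.c and printed by the config dump, but a one-line comment saying so spares the next reader a search for validation. The usage() text in this file is not touched by the diff; if it enumerates the flags it should gain `[-P tag]` to match the SYNOPSIS line added to ssh.1. main() starts and ends outside the hunk.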
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.381 2023/07/17 04:04:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.382 2023/07/17 04:08:31 djm Exp $
 .Dd $Mdocdate: July 17 2023 $
 .Dt SSH_CONFIG 5
 .Os
@@ -144,6 +144,7 @@ The available criteria keywords are:
 .Cm localnetwork ,
 .Cm host ,
 .Cm originalhost ,
+.Cm Tag ,
 .Cm user ,
 and
 .Cm localuser .
@@ -223,6 +224,15 @@ The
 .Cm originalhost
 keyword matches against the hostname as it was specified on the command-line.
 The
+.Cm tagged
+keyword matches a tag name specified by a prior
+.Cm Tag
+directive or on the
+.Xr ssh 1
+command-line using the
+.Fl P
+flag.
+The
 .Cm user
 keyword matches against the target username on the remote host.
 The
@@ -1887,6 +1897,10 @@ To disable TCP keepalive messages, the value should be set to
 See also
 .Cm ServerAliveInterval
 for protocol-level keepalives.
+.It Cm Tag
+Specify a configuration tag name that may be later used by a
+.Cm Match
+directive to select a block of configuation.
 .It Cm Tunnel
 Request
 .Xr tun 4
--
2.20.1