upstream: add "Match version" support to ssh_config. Allows

matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*"

ok markus@

OpenBSD-Commit-ID: c0cb504d0b9e43ccf12e68a544a7cd625e89758d

diff --git a/readconf.c b/readconf.c
index 10adaaaa8c37617fe28ac63e1bb22ca0f52b8041..c7630f6e5ed09b3e05a39cf5c68cbbdd93a69c38 100644 (file)
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.396 2025/02/15 01:50:47 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.397 2025/02/15 01:52:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -70,6 +70,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 
 /* Format of the configuration file:
 
@@ -788,6 +789,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
                    strprefix(attrib, "user=", 1) != NULL ||
                    strprefix(attrib, "localuser=", 1) != NULL ||
                    strprefix(attrib, "localnetwork=", 1) != NULL ||
+                   strprefix(attrib, "version=", 1) != NULL ||
                    strprefix(attrib, "tagged=", 1) != NULL ||
                    strprefix(attrib, "command=", 1) != NULL ||
                    strprefix(attrib, "exec=", 1) != NULL) {
@@ -840,6 +842,11 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
                        r = check_match_ifaddrs(arg) == 1;
                        if (r == (negate ? 1 : 0))
                                this_result = result = 0;
+               } else if (strcasecmp(attrib, "version") == 0) {
+                       criteria = xstrdup(SSH_RELEASE);
+                       r = match_pattern_list(SSH_RELEASE, arg, 0) == 1;
+                       if (r == (negate ? 1 : 0))
+                               this_result = result = 0;
                } else if (strcasecmp(attrib, "tagged") == 0) {
                        criteria = xstrdup(options->tag == NULL ? "" :
                            options->tag);

diff --git a/servconf.c b/servconf.c
index 61f758b7a4f5e38f6096d5dde53970d4e50a77a1..c5c1713c295725a7eecfd022efe9eff2165a65ab 100644 (file)
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.423 2025/02/10 23:16:51 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.424 2025/02/15 01:52:07 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -68,6 +68,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 
 #if !defined(SSHD_PAM_SERVICE)
 # define SSHD_PAM_SERVICE              "sshd"
@@ -1094,7 +1095,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
                    strprefix(attrib, "address=", 1) != NULL ||
                    strprefix(attrib, "localaddress=", 1) != NULL ||
                    strprefix(attrib, "localport=", 1) != NULL ||
-                   strprefix(attrib, "rdomain=", 1) != NULL) {
+                   strprefix(attrib, "rdomain=", 1) != NULL ||
+                   strprefix(attrib, "version=", 1) != NULL) {
                        arg = strchr(attrib, '=');
                        *(arg++) = '\0';
                } else {
@@ -1224,8 +1226,16 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
                        if (match_pattern_list(ci->rdomain, arg, 0) != 1)
                                result = 0;
                        else
-                               debug("user %.100s matched 'RDomain %.100s' at "
-                                   "line %d", ci->rdomain, arg, line);
+                               debug("connection RDomain %.100s matched "
+                                   "'RDomain %.100s' at line %d",
+                                   ci->rdomain, arg, line);
+               } else if (strcasecmp(attrib, "version") == 0) {
+                       if (match_pattern_list(SSH_RELEASE, arg, 0) != 1)
+                               result = 0;
+                       else
+                               debug("version %.100s matched "
+                                   "'version %.100s' at line %d",
+                                   SSH_RELEASE, arg, line);
                } else {
                        error("Unsupported Match attribute %s", oattrib);
                        result = -1;

diff --git a/ssh_config.5 b/ssh_config.5
index 6fff9c74ad933c6d84a1e32f3b57e8c0e72fce3b..0c6504599b6b09c4565b6c3c8569b41e43c2b24e 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.409 2025/02/15 01:50:47 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.410 2025/02/15 01:52:07 djm Exp $
 .Dd $Mdocdate: February 15 2025 $
 .Dt SSH_CONFIG 5
 .Os
@@ -147,8 +147,9 @@ The available criteria keywords are:
 .Cm tagged ,
 .Cm command ,
 .Cm user ,
+.Cm localuser ,
 and
-.Cm localuser .
+.Cm version .
 The
 .Cm all
 criteria must appear alone or immediately after
@@ -244,6 +245,12 @@ for an SFTP session).
 The empty string will match the case where a command or tag has not been
 specified, i.e.
 .Sq Match tag \&"\&"
+The
+.Cm version
+keyword matches against the version string of
+.Xr ssh 1 ,
+for example
+.Dq OpenSSH_10.0 .
 .Pp
 The
 .Cm user

diff --git a/sshd_config.5 b/sshd_config.5
index c3d76bc624348428c77a5d918be9d52e7c166933..c07717375d90c2a01c2c2cebedac8cc272c3caa8 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.380 2024/12/06 16:24:27 djm Exp $
-.Dd $Mdocdate: December 6 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.381 2025/02/15 01:52:07 djm Exp $
+.Dd $Mdocdate: February 15 2025 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1245,6 +1245,7 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm Version ,
 .Cm RDomain ,
 and
 .Cm Address
@@ -1270,6 +1271,13 @@ it is an error to specify a mask length that is too long for the address
 or one with bits set in this host portion of the address.
 For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
 .Pp
+The
+.Cm Version
+keyword matches against the version string of
+.Xr sshd 8 ,
+for example
+.Dq OpenSSH_10.0 .
+.Pp
 Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.

diff --git a/version.h b/version.h
index 8c7e37e7da931f34f7dd6cbae4103e894d28f16c..718735c995cbadd1b26364d0d58ddde7e856ca5a 100644 (file)
--- a/version.h
+++ b/version.h
@@ -1,6 +1,7 @@
-/* $OpenBSD: version.h,v 1.103 2024/09/19 22:17:44 djm Exp $ */
+/* $OpenBSD: version.h,v 1.104 2025/02/15 01:52:07 djm Exp $ */
 
 #define SSH_VERSION    "OpenSSH_9.9"
+#define SSH_RELEASE    SSH_VERSION
 
 #define SSH_PORTABLE   "p1"
 #define SSH_RELEASE    SSH_VERSION SSH_PORTABLE