upstream: Add support for configuration tags to ssh(1).

This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.

ok markus

OpenBSD-Commit-ID: dc08358e70e702b59ac3e591827e5a96141b06a3

diff --git a/readconf.c b/readconf.c
index 28f6acce39bf3018f5ec3606786cc3e963b3231d..5418ace8b647c28612f698d03fe21527ed1dbe7f 100644 (file)
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.378 2023/07/17 04:04:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.379 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -144,7 +144,7 @@ static int process_config_line_depth(Options *options, struct passwd *pw,
 
 typedef enum {
        oBadOption,
-       oHost, oMatch, oInclude,
+       oHost, oMatch, oInclude, oTag,
        oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
        oGatewayPorts, oExitOnForwardFailure,
        oPasswordAuthentication,
@@ -257,6 +257,7 @@ static struct {
        { "user", oUser },
        { "host", oHost },
        { "match", oMatch },
+       { "tag", oTag },
        { "escapechar", oEscapeChar },
        { "globalknownhostsfile", oGlobalKnownHostsFile },
        { "userknownhostsfile", oUserKnownHostsFile },
@@ -745,6 +746,10 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
                                goto out;
                        }
                        r = check_match_ifaddrs(arg) == 1;
+               } else if (strcasecmp(attrib, "tagged") == 0) {
+                       criteria = xstrdup(options->tag == NULL ? "" :
+                           options->tag);
+                       r = match_pattern_list(criteria, arg, 0) == 1;
                        if (r == (negate ? 1 : 0))
                                this_result = result = 0;
                } else if (strcasecmp(attrib, "exec") == 0) {
@@ -1365,6 +1370,10 @@ parse_char_array:
                charptr = &options->hostname;
                goto parse_string;
 
+       case oTag:
+               charptr = &options->tag;
+               goto parse_string;
+
        case oHostKeyAlias:
                charptr = &options->host_key_alias;
                goto parse_string;
@@ -2512,6 +2521,7 @@ initialize_options(Options * options)
        options->known_hosts_command = NULL;
        options->required_rsa_size = -1;
        options->enable_escape_commandline = -1;
+       options->tag = NULL;
 }
 
 /*
@@ -3431,6 +3441,7 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
        dump_cfg_string(oXAuthLocation, o->xauth_location);
        dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
+       dump_cfg_string(oTag, o->tag);
 
        /* Forwards */
        dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);

diff --git a/readconf.h b/readconf.h
index 2ce1b4c332e505a5d52f181de251a37c5317fb23..dfe5bab0a3ca6a5e7104a62ec3e33f5499192566 100644 (file)
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.150 2023/01/13 02:58:20 dtucker Exp $ */
+/* $OpenBSD: readconf.h,v 1.151 2023/07/17 04:08:31 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -70,6 +70,7 @@ typedef struct {
        char   *kex_algorithms; /* SSH2 kex methods in order of preference. */
        char   *ca_sign_algorithms;     /* Allowed CA signature algorithms */
        char   *hostname;       /* Real host to connect. */
+       char   *tag;            /* Configuration tag name. */
        char   *host_key_alias; /* hostname alias for .ssh/known_hosts */
        char   *proxy_command;  /* Proxy command for connecting the host. */
        char   *user;           /* User to log in as. */

diff --git a/ssh.1 b/ssh.1
index 3d89c7d7f35c693875167fb10c601ec25db34933..4935a6ff53c8f132a3e695bfb6f95260f7ec5016 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
-.Dd $Mdocdate: June 21 2023 $
+.\" $OpenBSD: ssh.1,v 1.435 2023/07/17 04:08:31 djm Exp $
+.Dd $Mdocdate: July 17 2023 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Op Fl O Ar ctl_cmd
 .Op Fl o Ar option
 .Op Fl p Ar port
+.Op Fl P Ar tag
 .Op Fl Q Ar query_option
 .Op Fl R Ar address
 .Op Fl S Ar ctl_path
@@ -593,6 +594,16 @@ For full details of the options listed below, and their possible values, see
 .It XAuthLocation
 .El
 .Pp
+.It Fl P Ar tag
+Specify a tag name that may be used to select configuration in
+.Xr ssh_config 5 .
+Refer to the
+.Cm Tag
+and
+.Cm Match
+keywords in
+.Xr ssh_config 5
+for more information.
 .It Fl p Ar port
 Port to connect to on the remote host.
 This can be specified on a

diff --git a/ssh.c b/ssh.c
index 83c509ccf0a40c49d05c8586f0f6d7ee61c39162..d1182426385affbd7e80164dc468182672999dd4 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.590 2023/07/04 03:59:21 dlg Exp $ */
+/* $OpenBSD: ssh.c,v 1.591 2023/07/17 04:08:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -708,7 +708,7 @@ main(int ac, char **av)
 
  again:
        while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-           "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
+           "AB:CD:E:F:GI:J:KL:MNO:P:Q:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
                switch (opt) {
                case '1':
                        fatal("SSH protocol v.1 is no longer supported");
@@ -772,7 +772,9 @@ main(int ac, char **av)
                        else
                                fatal("Invalid multiplex command.");
                        break;
-               case 'P':       /* deprecated */
+               case 'P':
+                       if (options.tag == NULL)
+                               options.tag = xstrdup(optarg);
                        break;
                case 'Q':
                        cp = NULL;

diff --git a/ssh_config.5 b/ssh_config.5
index 3d18fb2a24c60fb454b015d97cee5eb3fbc3be8f..0c2327e0bead8be83494610e2bafa8ff2040a620 100644 (file)
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.381 2023/07/17 04:04:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.382 2023/07/17 04:08:31 djm Exp $
 .Dd $Mdocdate: July 17 2023 $
 .Dt SSH_CONFIG 5
 .Os
@@ -144,6 +144,7 @@ The available criteria keywords are:
 .Cm localnetwork ,
 .Cm host ,
 .Cm originalhost ,
+.Cm Tag ,
 .Cm user ,
 and
 .Cm localuser .
@@ -223,6 +224,15 @@ The
 .Cm originalhost
 keyword matches against the hostname as it was specified on the command-line.
 The
+.Cm tagged
+keyword matches a tag name specified by a prior
+.Cm Tag
+directive or on the
+.Xr ssh 1
+command-line using the
+.Fl P
+flag.
+The
 .Cm user
 keyword matches against the target username on the remote host.
 The
@@ -1886,6 +1896,10 @@ To disable TCP keepalive messages, the value should be set to
 See also
 .Cm ServerAliveInterval
 for protocol-level keepalives.
+.It Cm Tag
+Specify a configuration tag name that may be later used by a
+.Cm Match
+directive to select a block of configuation.
 .It Cm Tunnel
 Request
 .Xr tun 4