From: djm@openbsd.org
Date: Sat, 15 Feb 2025 01:52:07 +0000 (+0000)
Subject: upstream: add "Match version" support to ssh_config. Allows
X-Git-Tag: V_10_0_P1~76
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9131ac64b0ebe66dc1de9d44bf8d1bd64a24c350;p=thirdparty%2Fopenssh-portable.git
upstream: add "Match version" support to ssh_config. Allows matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*" ok markus@
OpenBSD-Commit-ID: c0cb504d0b9e43ccf12e68a544a7cd625e89758d
---
diff --git a/readconf.c b/readconf.c
index 10adaaaa8..c7630f6e5 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.396 2025/02/15 01:50:47 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.397 2025/02/15 01:52:07 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -70,6 +70,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 /* Format of the configuration file:
@@ -788,6 +789,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 strprefix(attrib, "user=", 1) != NULL ||
 strprefix(attrib, "localuser=", 1) != NULL ||
 strprefix(attrib, "localnetwork=", 1) != NULL ||
+ strprefix(attrib, "version=", 1) != NULL ||
 strprefix(attrib, "tagged=", 1) != NULL ||
 strprefix(attrib, "command=", 1) != NULL ||
 strprefix(attrib, "exec=", 1) != NULL) {
@@ -840,6 +842,11 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 r = check_match_ifaddrs(arg) == 1;
 if (r == (negate ? 1 : 0))
 this_result = result = 0;
+ } else if (strcasecmp(attrib, "version") == 0) {
+ criteria = xstrdup(SSH_RELEASE);
+ r = match_pattern_list(SSH_RELEASE, arg, 0) == 1;
+ if (r == (negate ? 1 : 0))
+ this_result = result = 0;
 } else if (strcasecmp(attrib, "tagged") == 0) {
 criteria = xstrdup(options->tag == NULL ? "" :
 options->tag);
diff --git a/servconf.c b/servconf.c
index 61f758b7a..c5c1713c2 100644
--- a/servconf.c
+++ b/servconf.c
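Review bot: In the `@@ -840,6 +842,11 @@` hunk of readconf.c the new `version` branch calls `match_pattern_list(SSH_RELEASE, arg, 0)`, so the pattern is compared with the complete release string, and nothing in the branch says so. version.h in this same commit still defines `SSH_RELEASE` as `SSH_VERSION SSH_PORTABLE`, which suggests a portable build presents a string carrying the `p1` suffix; a literal pattern such as the man page's `OpenSSH_10.0` example would then not match, and a Match block holding hardening options would be skipped silently. I would add `/* Compared against the full SSH_RELEASE string, including any portable suffix; patterns normally need a trailing wildcard. */` above the branch and use a wildcard form in the ssh_config.5 example. The same applies to the `version` branch added to servconf.c. The body of match_cfg_line starts and ends outside the hunk.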
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.423 2025/02/10 23:16:51 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.424 2025/02/15 01:52:07 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -68,6 +68,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "version.h"
 #if !defined(SSHD_PAM_SERVICE)
 # define SSHD_PAM_SERVICE "sshd"
@@ -1094,7 +1095,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 strprefix(attrib, "address=", 1) != NULL ||
 strprefix(attrib, "localaddress=", 1) != NULL ||
 strprefix(attrib, "localport=", 1) != NULL ||
- strprefix(attrib, "rdomain=", 1) != NULL) {
+ strprefix(attrib, "rdomain=", 1) != NULL ||
+ strprefix(attrib, "version=", 1) != NULL) {
 arg = strchr(attrib, '=');
 *(arg++) = '\0';
 } else {
@@ -1224,8 +1226,16 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 if (match_pattern_list(ci->rdomain, arg, 0) != 1)
 result = 0;
 else
- debug("user %.100s matched 'RDomain %.100s' at "
- "line %d", ci->rdomain, arg, line);
+ debug("connection RDomain %.100s matched "
+ "'RDomain %.100s' at line %d",
+ ci->rdomain, arg, line);
+ } else if (strcasecmp(attrib, "version") == 0) {
+ if (match_pattern_list(SSH_RELEASE, arg, 0) != 1)
+ result = 0;
+ else
+ debug("version %.100s matched "
+ "'version %.100s' at line %d",
+ SSH_RELEASE, arg, line);
 } else {
 error("Unsupported Match attribute %s", oattrib);
 result = -1;
diff --git a/ssh_config.5 b/ssh_config.5
index 6fff9c74a..0c6504599 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.409 2025/02/15 01:50:47 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.410 2025/02/15 01:52:07 djm Exp $
 .Dd $Mdocdate: February 15 2025 $
 .Dt SSH_CONFIG 5
 .Os
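Review bot: The `version` branch added in the `@@ -1224,8 +1226,16 @@` hunk of servconf.c never reads `ci`, unlike the `rdomain` branch just above it: it compares the pattern with `SSH_RELEASE`, a constant of the sshd binary, so its result is the same for every connection. A reader of the code can take it for a test of the peer's version, so I would add `/* Matches this binary's own SSH_RELEASE, not the client's version; independent of ci. */` above the branch. How the function treats a call without connection information is outside the hunk, so it is worth confirming that a Match block keyed only on `version` becomes active when intended, and only then. match_cfg_line starts and ends outside the hunk.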
@@ -147,8 +147,9 @@ The available criteria keywords are:
 .Cm tagged ,
 .Cm command ,
 .Cm user ,
+.Cm localuser ,
 and
-.Cm localuser .
+.Cm version .
 The
 .Cm all
 criteria must appear alone or immediately after
@@ -244,6 +245,12 @@ for an SFTP session).
 The empty string will match the case where a command or tag has not been specified, i.e.
 .Sq Match tag \&"\&"
+The
+.Cm version
+keyword matches against the version string of
+.Xr ssh 1 ,
+for example
+.Dq OpenSSH_10.0 .
 .Pp
 The
 .Cm user
diff --git a/sshd_config.5 b/sshd_config.5
index c3d76bc62..c07717375 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.380 2024/12/06 16:24:27 djm Exp $
-.Dd $Mdocdate: December 6 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.381 2025/02/15 01:52:07 djm Exp $
+.Dd $Mdocdate: February 15 2025 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1245,6 +1245,7 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm Version ,
 .Cm RDomain ,
 and
 .Cm Address
@@ -1270,6 +1271,13 @@ it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address.
 For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
 .Pp
+The
+.Cm Version
+keyword matches against the version string of
+.Xr sshd 8 ,
+for example
+.Dq OpenSSH_10.0 .
+.Pp
 Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
diff --git a/version.h b/version.h
index 8c7e37e7d..718735c99 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,7 @@
-/* $OpenBSD: version.h,v 1.103 2024/09/19 22:17:44 djm Exp $ */
+/* $OpenBSD: version.h,v 1.104 2025/02/15 01:52:07 djm Exp $ */
 #define SSH_VERSION "OpenSSH_9.9"
+#define SSH_RELEASE SSH_VERSION
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
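Review bot: The added `#define SSH_RELEASE SSH_VERSION` in version.h is followed two lines later by the existing `#define SSH_RELEASE SSH_VERSION SSH_PORTABLE`, so the macro is now defined twice with different replacement lists. C requires a diagnostic for such a redefinition, and a build that treats warnings as errors will fail; with compilers that only warn, the later definition is the one in force for the code that follows. Since readconf.c and servconf.c now match on `SSH_RELEASE`, its value should be unambiguous: I would drop the added line in this tree and keep the single definition `#define SSH_RELEASE SSH_VERSION SSH_PORTABLE`.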