From: djm@openbsd.org Date: Wed, 23 Jul 2025 05:07:19 +0000 (+0000) Subject: upstream: add a ssh_config RefuseConnection option that, when X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40fb2dc4ece76c8f0c624d90a17bc1bbf47f3729;p=thirdparty%2Fopenssh-portable.git upstream: add a ssh_config RefuseConnection option that, when encountered while processing an active section in a configuration file, terminates ssh(1) with an error message that contains the argument to the option. This may be useful for expressing reminders or warnings in config files, for example: Match host foo RefuseConnection "foo is deprecated, use splork instead" ok djg OpenBSD-Commit-ID: 5b0072fcd08ad3932ab21e27bbaa66b008d44237 --- diff --git a/readconf.c b/readconf.c index 97f34abff..b5a9f925f 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.400 2025/06/24 09:22:03 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.401 2025/07/23 05:07:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -180,7 +180,7 @@ typedef enum { oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize, oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout, - oVersionAddendum, + oVersionAddendum, oRefuseConnection, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -332,6 +332,7 @@ static struct { { "obscurekeystroketiming", oObscureKeystrokeTiming }, { "channeltimeout", oChannelTimeout }, { "versionaddendum", oVersionAddendum }, + { "refuseconnection", oRefuseConnection }, { NULL, oBadOption } }; 
@@ -2509,6 +2510,19 @@ parse_pubkey_algos: argv_consume(&ac); break; + case oRefuseConnection: + arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') { + error("%.200s line %d: Missing argument.", + filename, linenum); + goto out; + } + if (*activep) { + fatal("%.200s line %d: RefuseConnection: %s", + filename, linenum, arg); + } + break; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); diff --git a/ssh_config.5 b/ssh_config.5 index 894d73831..14115fff1 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.413 2025/03/03 06:53:09 dtucker Exp $ -.Dd $Mdocdate: March 3 2025 $ +.\" $OpenBSD: ssh_config.5,v 1.414 2025/07/23 05:07:19 djm Exp $ +.Dd $Mdocdate: July 23 2025 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1715,6 +1715,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol extension required for restricted .Xr ssh-agent 1 forwarding. +.It Cm RefuseConnection +Allows a connection to be refused by the configuration file. +If this option is specified, then +.Xr ssh 1 +will terminate immediately before attempting to connect to the remote +host, display an error message that contains the argument to this keyword +and return a non-zero exit status. +This option may be useful to express reminders or warnings to the user via +.Nm . .It Cm RekeyLimit Specifies the maximum amount of data that may be transmitted or received before the session key is renegotiated, optionally followed by a maximum
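Review bot: The `fatal()` in the new `oRefuseConnection` case fires while the configuration file is still being parsed, which is earlier than the man-page wording "terminate immediately before attempting to connect" suggests: nothing after that line in the file (including later lines of the same Match block) is ever read, and presumably any invocation that runs the parser without connecting, such as `ssh -G host`, exits with the same message. That is likely the intended behaviour, but it is worth a comment at the case so a later change does not try to defer the check to the connect path, e.g. `/* Fatal at parse time: later lines are never processed, and config-only runs (e.g. -G) exit too. */`. The missing-argument path uses `error()` plus `goto out` while the active path calls `fatal()` directly; as far as this hunk shows that matches the file's convention, but the two exit routes should be kept deliberately distinct (parse error vs. configured refusal). The enclosing function starts and ends outside the hunk.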