[openssh-commits] [openssh] 02/02: upstream: add a ssh_config RefuseConnection option that, when
Wed Jul 23 15:26:56 AEST 2025
djm pushed a commit to branch master
in repository openssh.
commit 40fb2dc4ece76c8f0c624d90a17bc1bbf47f3729
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Jul 23 05:07:19 2025 +0000
upstream: add a ssh_config RefuseConnection option that, when
encountered while processing an active section in a configuration file,
terminates ssh(1) with an error message that contains the argument to the
option.
This may be useful for expressing reminders or warnings in config
files, for example:
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
ok djg
OpenBSD-Commit-ID: 5b0072fcd08ad3932ab21e27bbaa66b008d44237
---
readconf.c | 18 ++++++++++++++++--
ssh_config.5 | 13 +++++++++++--
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
index 97f34abff..b5a9f925f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.400 2025/06/24 09:22:03 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.401 2025/07/23 05:07:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -180,7 +180,7 @@ typedef enum {
oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
- oVersionAddendum,
+ oVersionAddendum, oRefuseConnection,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -332,6 +332,7 @@ static struct {
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
{ "versionaddendum", oVersionAddendum },
+ { "refuseconnection", oRefuseConnection },
{ NULL, oBadOption }
};
@@ -2509,6 +2510,19 @@ parse_pubkey_algos:
argv_consume(&ac);
break;
+ case oRefuseConnection:
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') {
+ error("%.200s line %d: Missing argument.",
+ filename, linenum);
+ goto out;
+ }
+ if (*activep) {
+ fatal("%.200s line %d: RefuseConnection: %s",
+ filename, linenum, arg);
+ }
+ break;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
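Review bot: The message is read with a single `argv_next()` at the top of the new `oRefuseConnection` case, so an unquoted multi-word message such as `RefuseConnection foo is deprecated` reaches `fatal()` with only `foo`, and the remaining words are presumably rejected by the trailing-argument check that follows the switch outside this hunk. The ssh_config.5 entry added by this commit does not say the argument must be a single word or a quoted string; I would add a sentence like `The message must be given as a single argument, i.e. quoted if it contains whitespace.` to the man page and a comment above the `fatal()` call, `/* Only the first word is reported; multi-word messages must be quoted. */`. Note also that the check fires while the configuration is being parsed rather than when a connection is attempted, so an active `RefuseConnection` likely also aborts configuration-only invocations such as `ssh -G`; if that is intended it is worth stating in the man page. The enclosing function starts and ends outside this hunk.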
diff --git a/ssh_config.5 b/ssh_config.5
index 894d73831..14115fff1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.413 2025/03/03 06:53:09 dtucker Exp $
-.Dd $Mdocdate: March 3 2025 $
+.\" $OpenBSD: ssh_config.5,v 1.414 2025/07/23 05:07:19 djm Exp $
+.Dd $Mdocdate: July 23 2025 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1715,6 +1715,15 @@ disabling or enabling the OpenSSH host-bound authentication protocol
extension required for restricted
.Xr ssh-agent 1
forwarding.
+.It Cm RefuseConnection
+Allows a connection to be refused by the configuration file.
+If this option is specified, then
+.Xr ssh 1
+will terminate immediately before attempting to connect to the remote
+host, display an error message that contains the argument to this keyword
+and return a non-zero exit status.
+This option may be useful to express reminders or warnings to the user via
+.Nm .
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum
--