
From 6cc269153f8d5b37a704f4742ef5987c9ef60f08 Mon Sep 17 00:00:00 2001
From: Oliver Rauscher <oliver.rauscher@rnetx.com>
Date: Mon, 28 Apr 2025 16:49:07 +0200
Subject: Patched version

---
 pathnames.h  |  2 +-
 readconf.c   | 26 ++++++++++++++++++++++++++
 readconf.h   |  4 ++++
 scp.1        |  3 +++
 scp.c        |  2 +-
 sftp.1       |  3 +++
 sftp.c       |  2 +-
 ssh.1        | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 ssh.c        | 37 +++++++++++++++++++++++++++++++++++++
 ssh_config   |  3 +++
 ssh_config.5 | 16 ++++++++++++++++
 11 files changed, 139 insertions(+), 5 deletions(-)

diff --git a/pathnames.h b/pathnames.h
index 1158bec..5f2c244 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -95,7 +95,7 @@
  * volume where root is mapped to nobody, this may need to be world-readable.
  */
 #define _PATH_SSH_USER_CONFFILE		_PATH_SSH_USER_DIR "/config"
-
+#define _PATH_SSH_USER_CONFFILE_SUSSHI	_PATH_SSH_USER_DIR "/susshi_config"
 /*
  * File containing a list of those rsa keys that permit logging in as this
  * user.  This file need not be readable by anyone but the user him/herself,
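Review bot: The blank line that separated `_PATH_SSH_USER_CONFFILE` from the following comment block is replaced by the new `#define`, so the macro now butts directly against the `/* File containing a list of those rsa keys ... */` comment; add the define above the blank line instead so the separator survives. A one-line comment on the new macro would also help, since ssh.c in this patch reads the file unconditionally: `/* Per-user config read before _PATH_SSH_USER_CONFFILE; intended for suSSHi-specific hosts */`.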
diff --git a/readconf.c b/readconf.c
index 7cbe7d2..541c8bf 100644
--- a/readconf.c
+++ b/readconf.c
@@ -159,6 +159,7 @@ typedef enum {
 	oTCPKeepAlive, oNumberOfPasswordPrompts,
 	oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
 	oPubkeyAuthentication,
+	oSusshiGateway, oSusshiUser, oSusshiProxy,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
@@ -325,6 +326,9 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "susshigateway", oSusshiGateway },
+	{ "susshiproxy", oSusshiProxy },
+	{ "susshiuser", oSusshiUser },
 	{ "securitykeyprovider", oSecurityKeyProvider },
 	{ "knownhostscommand", oKnownHostsCommand },
 	{ "requiredrsasize", oRequiredRSASize },
@@ -2508,6 +2512,19 @@ parse_pubkey_algos:
 		argv_consume(&ac);
 		break;
 
+	/* suSSHi options */
+	case oSusshiGateway:
+		charptr = &options->susshi_gateway;
+		goto parse_string;
+
+	case oSusshiProxy:
+		charptr = &options->susshi_proxy;
+		goto parse_string;
+
+	case oSusshiUser:
+		charptr = &options->susshi_user;
+		goto parse_string;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -2765,6 +2782,10 @@ initialize_options(Options * options)
 	options->channel_timeouts = NULL;
 	options->num_channel_timeouts = 0;
 	options->version_addendum = NULL;
+	/* suSSHi options */
+	options->susshi_user = NULL;
+	options->susshi_gateway = NULL;
+	options->susshi_proxy = NULL;
 }
 
 /*
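Review bot: The three new string members are set to NULL here and later filled through `parse_string`, which, as far as I recall, stores an `xstrdup` of the argument, but the patch contains no hunk for the options cleanup routine, so the strings leak whenever options are released. If the file still has the `free_options(Options *o)` cleanup used upstream, add `free(o->susshi_gateway); free(o->susshi_user); free(o->susshi_proxy);` alongside the other string members there.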
@@ -3738,6 +3759,11 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_strarray_oneline(oChannelTimeout,
 	    o->num_channel_timeouts, o->channel_timeouts);
 
+	/* suSSHi options */
+	dump_cfg_string(oSusshiGateway, o->susshi_gateway);
+	dump_cfg_string(oSusshiProxy, o->susshi_proxy);
+	dump_cfg_string(oSusshiUser, o->susshi_user);
+
 	/* Special cases */
 
 	/* PermitRemoteOpen */
diff --git a/readconf.h b/readconf.h
index cd49139..223416c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -186,6 +186,10 @@ typedef struct {
 
 	char	*version_addendum;
 
+	char   *susshi_gateway;
+	char   *susshi_user;
+	char   *susshi_proxy;
+
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 }       Options;
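Review bot: The new members are aligned with spaces (`char   *susshi_gateway;`) while the surrounding declarations use a tab (`char	*version_addendum;`); match the file's tab layout. A short trailing comment per member, as `ignored_unknown` has, would make the struct self-describing, e.g. `char	*susshi_gateway;	/* SusshiGateway: host connected to instead of the target */`, `char	*susshi_user;	/* SusshiUser: gateway login, defaults to the local user */`, `char	*susshi_proxy;	/* SusshiProxy: proxy realm appended to the login name */`.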
 
diff --git a/scp.1 b/scp.1
index aa2e2d8..0b5514a 100644
--- a/scp.1
+++ b/scp.1
@@ -252,6 +252,9 @@ For full details of the options listed below, and their possible values, see
 .It StreamLocalBindUnlink
 .It StrictHostKeyChecking
 .It SyslogFacility
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It Tag
 .It Tunnel
diff --git a/scp.c b/scp.c
index 57c242f..472c750 100644
--- a/scp.c
+++ b/scp.c
@@ -644,7 +644,7 @@ main(int argc, char **argv)
 	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent=no");
+	/* addargs(&args, "-oForwardAgent=no"); */
 
 	if (iamremote)
 		mode = MODE_SCP;
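Review bot: Commenting out `addargs(&args, "-oForwardAgent=no");` leaves dead code under a lead-in comment (`Do this last because we want the user to be able to override it`) that now describes nothing, and it silently changes a hardening default: scp transfers now inherit whatever `ForwardAgent` the user's ssh_config sets instead of defaulting to off, which neither scp.1 nor the commit message mentions. Delete the line together with its comment and document the new behaviour in the man page; since the existing comment says a user-supplied `-o` already overrides this default, it is worth confirming the removal is needed at all rather than enabling forwarding only for the gateway case. The sftp.c hunk makes the same change and has the same issue.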
diff --git a/sftp.1 b/sftp.1
index 651baaf..0d1e805 100644
--- a/sftp.1
+++ b/sftp.1
@@ -314,6 +314,9 @@ For full details of the options listed below, and their possible values, see
 .It StreamLocalBindUnlink
 .It StrictHostKeyChecking
 .It SyslogFacility
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It Tag
 .It Tunnel
diff --git a/sftp.c b/sftp.c
index bdedd14..7c9c00a 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2598,7 +2598,7 @@ main(int argc, char **argv)
 	}
 
 	/* Do this last because we want the user to be able to override it */
-	addargs(&args, "-oForwardAgent no");
+	/* addargs(&args, "-oForwardAgent no"); */
 
 	if (!isatty(STDERR_FILENO))
 		showprogress = 0;
diff --git a/ssh.1 b/ssh.1
index 697f4e4..09f4f5f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -93,6 +93,43 @@ The user must prove
 their identity to the remote machine using one of several methods
 (see below).
 .Pp
+.Sh SUSSHI INTEGRATION
+.Nm
+may be used in conjunction with a suSSHi gateway. In this case the
+destination points to the name or IP of a suSSHi gateway and the actual
+ssh target is encoded into the login_name. The login_name is then
+specified in the form gateway_user@target_user@target,
+which results in two forms for the ssh syntax:
+.Pp
+   ssh -l gateway_user@target_user@target susshi-gateway
+.Pp
+or simply
+.Pp
+   ssh gateway_user@target_user@target@susshi-gateway
+.Pp
+If a suSSHi proxy is used, a proxy realm must be added to the target
+so that suSSHi knows which configured proxy can be used to connect:
+.Pp
+   ssh -l gateway_user@target_user@target@proxyrealm susshi-gateway
+.Pp
+or simply
+.Pp
+   ssh gateway_user@target_user@target@proxyrealm@susshi_gateway
+.Pp
+Please take a look at the SusshiGateway, SusshiUser and SusshiProxy
+options described in the
+.Xr ssh_config 5
+man page.
+.Pp
+Please note that other client software also uses the user configuration file
+.Pa ~/.ssh/config
+and may encounter syntax errors when adding the Susshi* options.
+Therefore, you can alternatively include all hosts/options with special Susshi* options in a newly introduced configuration file
+.Pa ~/.ssh/susshi_config
+which is loaded before the default user configuration file
+.Pa ~/.ssh/config .
+.Pp
+.Sh DESCRIPTION (cont.)
 If a
 .Ar command
 is specified,
@@ -239,8 +276,10 @@ If a configuration file is given on the command line,
 the system-wide configuration file
 .Pq Pa /etc/ssh/ssh_config
 will be ignored.
-The default for the per-user configuration file is
-.Pa ~/.ssh/config .
+The default for the per-user configuration files are
+.Pa ~/.ssh/config
+and alternatively
+.Pa ~/.ssh/susshi_config .
 If set to
 .Dq none ,
 no configuration files will be read.
@@ -595,6 +634,9 @@ For full details of the options listed below, and their possible values, see
 .It StreamLocalBindUnlink
 .It StrictHostKeyChecking
 .It SyslogFacility
+.It SusshiGateway
+.It SusshiProxy
+.It SusshiUser
 .It TCPKeepAlive
 .It Tag
 .It Tunnel
diff --git a/ssh.c b/ssh.c
index dc4886d..48439a5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -576,6 +576,15 @@ process_config_files(const char *host_name, struct passwd *pw,
 			fatal("Can't open user config file %.100s: "
 			    "%.100s", config, strerror(errno));
 	} else {
+		/* Alternate (suSSHi) config file */
+		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
+		             _PATH_SSH_USER_CONFFILE_SUSSHI);
+		if (r > 0 && (size_t)r < sizeof(buf))
+			(void)read_config_file(buf, pw, host, host_name, cmd,
+			                       &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
+			                                 (final_pass ? SSHCONF_FINAL : 0), want_final_pass);
+
+		/* Standard user config file */
 		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
 		    _PATH_SSH_USER_CONFFILE);
 		if (r > 0 && (size_t)r < sizeof(buf))
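Review bot: The new `read_config_file` call continues its arguments with space-aligned indentation, while the adjacent call uses the file's tab-plus-four-spaces continuation (`    _PATH_SSH_USER_CONFFILE);`); match the existing layout. Passing `SSHCONF_CHECKPERM` for the alternate file is right, since it is read before `~/.ssh/config` and, per the precedence order documented in the ssh_config.5 hunk, its values win, so it deserves the same ownership and permission check; say so in the comment: `/* Alternate (suSSHi) config file, read first so its values take precedence over ~/.ssh/config */`. process_config_files continues outside the hunk.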
@@ -1240,6 +1249,34 @@ main(int ac, char **av)
 	if ((was_addr = is_addr(host)) == 0)
 		lowercase(host);
 
+	/*
+	 * suSSHi Parameters
+	 */
+	if (options.susshi_gateway != NULL) {
+		char *user, *hostname;
+
+		if ((options.proxy_command) || (options.jump_host))
+			fatal("The SusshiGateway option cannot be used simultaneously with ProxyCommand or JumpHost.");
+
+		if (options.susshi_user == NULL)
+			options.susshi_user = xstrdup(pw->pw_name);
+
+		user = xstrdup(options.user == NULL ? pw->pw_name : options.user);
+		hostname = xstrdup(options.hostname == NULL ? host : options.hostname);
+
+		if (options.susshi_proxy)
+			options.user = percent_expand("%u@%r@%h@%p", "u", options.susshi_user,
+			                              "r", user, "h", hostname, "p", options.susshi_proxy, (char *)NULL);
+		else
+			options.user = percent_expand("%u@%r@%h", "u", options.susshi_user,
+			                              "r", user, "h", hostname, (char *)NULL);
+
+		host = options.susshi_gateway;
+		debug3("expanding (suSSHi) User: %s", options.user);
+		free(hostname);
+		free(user);
+	}
+
 	/*
 	 * Try to canonicalize if requested by configuration or the
 	 * hostname is an address.
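Review bot: After folding `options.hostname` into the login name, the block leaves `options.hostname` set and makes `host` alias the config-owned `options.susshi_gateway`; if the HostName/canonicalization handling that follows in main (outside this hunk) still rebuilds `host` from `options.hostname` and frees the old `host`, as it does upstream, a `HostName` directive would both redirect the connection away from the gateway and free a pointer that `options` still holds. Take ownership of the gateway name with `xstrdup` (freeing the previous `host`, assuming it is the heap copy main builds from argv), clear `options.hostname` once consumed, and free the old `options.user` before overwriting it. Separately, the `fatal` message names `JumpHost`, but the field checked is `options.jump_host`, i.e. `ProxyJump`: `fatal("The SusshiGateway option cannot be used simultaneously with ProxyCommand or ProxyJump.");`.
```c
		/* … unchanged: susshi_user default, user/hostname copies … */
		free(options.user);
		if (options.susshi_proxy)
			options.user = percent_expand("%u@%r@%h@%p", "u", options.susshi_user,
			    "r", user, "h", hostname, "p", options.susshi_proxy, (char *)NULL);
		else
			options.user = percent_expand("%u@%r@%h", "u", options.susshi_user,
			    "r", user, "h", hostname, (char *)NULL);

		/* The real target now lives in the login name; connect to the gateway. */
		free(host);
		host = xstrdup(options.susshi_gateway);
		free(options.hostname);
		options.hostname = NULL;
		debug3("expanding (suSSHi) User: %s", options.user);
		free(hostname);
		free(user);
	}
```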
diff --git a/ssh_config b/ssh_config
index cc56635..427de81 100644
--- a/ssh_config
+++ b/ssh_config
@@ -44,3 +44,6 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+#   SusshiGateway susshi.example.com
+#   SusshiProxy my-proxy.cloud.example.com
+#   SusshiUser automation
\ No newline at end of file
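Review bot: The new last line `#   SusshiUser automation` drops the file's trailing newline (`\ No newline at end of file`); add it back so tools that append to or diff the template behave. The example `SusshiProxy my-proxy.cloud.example.com` also reads as a host name, whereas ssh_config.5 in this patch describes the option as a proxy realm; an example value shaped like a realm would avoid confusion.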
diff --git a/ssh_config.5 b/ssh_config.5
index 894d738..572c202 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -49,6 +49,9 @@ the following order:
 .It
 command-line options
 .It
+user's alternative configuration file
+.Pq Pa ~/.ssh/susshi_config
+.It
 user's configuration file
 .Pq Pa ~/.ssh/config
 .It
@@ -2037,6 +2040,19 @@ has confirmed that is what they really want to do, and
 ssh will refuse to connect to hosts whose host key has changed.
 The host keys of
 known hosts will be verified automatically in all cases.
+.It Cm SusshiGateway
+Specifies the name or IP address of a suSSHi gateway. This option allows
+to continue using the normal ssh syntax for login_name (-l or <login_name>
+@destination) and destination ans still pass the name or IP address of a
+suSSHi gateway.
+.It Cm SusshiProxy
+Specifies a proxy realm used in conjunction with a suSSHi gateway. This
+option allows to continue using the normal ssh syntax for login_name
+(-l or <login_name>@destination) and destination and still pass a suSSHi proxy realm.
+.It Cm SusshiUser
+Specifies the name of a suSSHi gateway user. This option allows to continue
+using the normal ssh syntax for login_name (-l or <login_name>@destination)
+and destination and still pass a suSSHi login name.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr ssh 1 .
-- 
2.49.0
