Update default values to match current openssh-portable (previously based on OpenSSH 7.4p1 from 2016).
Breaking changes:
- Remove `Cipher` default (SSH protocol 1 only, deprecated in openssh-portable)
- Remove `ChallengeResponseAuthentication` default (alias for `KbdInteractiveAuthentication`)
- Remove `CompressionLevel` default (unsupported in openssh-portable)
- Remove `Protocol` default (silently ignored in openssh-portable)
- Remove `RhostsRSAAuthentication` default (SSH protocol 1 only, unsupported)
- Remove `RSAAuthentication` default (SSH protocol 1 only, unsupported)
- Remove `UsePrivilegedPort` default (deprecated in openssh-portable)
- Remove `IdentityFile` default of `~/.ssh/identity` (SSH protocol 1 only)
- Change `CheckHostIP` default from `"yes"` to `"no"`
- Change `UpdateHostKeys` default from `"no"` to `"yes"`
- Change `Ciphers` default to remove CBC ciphers
- Change `KexAlgorithms` default to add post-quantum algorithms and remove SHA1 variants
- Change `HostKeyAlgorithms` default to add sk-, webauthn-, rsa-sha2-* and remove ssh-rsa
- Change `HostbasedKeyTypes` default (same as `HostKeyAlgorithms`)
- Change `PubkeyAcceptedKeyTypes` default (same as `HostKeyAlgorithms`)
- Change `ForwardX11Timeout` default from `"20m"` to `"1200"` (same duration, now in seconds)
- Rename `defaultProtocol2Identities` to `defaultIdentityFiles`
- Remove `~/.ssh/id_dsa` from default identity files
- Remove `ForwardAgent` from strict yes/no validation (now also accepts a socket path)
- Remove `CompressionLevel` from uint validation
Other changes:
- Add `ControlPersist` default (`"no"`)
- Add `RequestTTY` default (`"auto"`)
- Add `SessionType` default (`"default"`)
- Add `CASignatureAlgorithms` default
- Add `HostbasedAcceptedAlgorithms` default (new name for `HostbasedKeyTypes`)
- Add `PubkeyAcceptedAlgorithms` default (new name for `PubkeyAcceptedKeyTypes`)
- Add `~/.ssh/id_ecdsa_sk` and `~/.ssh/id_ed25519_sk` to default identity files
- Support `~` as the user's home directory in `Include` directives, matching the behavior described in ssh_config(5). Thanks to Neil Williams for the report (#31).
- Strip surrounding double quotes from parsed values. OpenSSH allows values like `IdentityFile "/path/to/file"`, but `Get`/`GetAll` previously returned the quotes as literal characters. Quotes are now stripped from the returned value while preserving the original text for faithful roundtripping via `String()` and `MarshalText()`. Thanks to Furkan Türkal for the report (#61).
- Default to a space before `#` in end-of-line comments. When a Host or KV is created programmatically with an EOLComment, the output previously had no space before the `#` (e.g. `Host foo#comment`). A single space is now inserted by default. Thanks to Yonghui Cheng for the report (#50).
- Implement Match support. Most of the Match spec is implemented, including `Match host`, `Match originalhost`, `Match user`, `Match localuser`, and `Match all`. `Match exec` is not yet implemented.
- Add SECURITY.md
- Add Dependabot configuration
- Remove .gitattributes file (which was used to test different line endings, and caused issues in some build environments). Store tests/dos-lines as CRLF in git directly instead.
- Add go.mod file (although this project has no dependencies).
- config: add `UserSettings.ConfigFinder`
- Various updates to CI and build environment
- config: add `DecodeBytes` to directly read a byte array.
- Strip trailing whitespace from Host declarations and key/value pairs. Previously, if a Host declaration or a value had trailing whitespace, that whitespace would have been included as part of the value. This led to unexpected consequences. For example:

  ```
  Host example # A comment
    HostName example.com # Another comment
  ```

  Prior to version 1.2, the value for Host would have been "example " and the value for HostName would have been "example.com ". Both of these are unintuitive.

  Instead, we strip the trailing whitespace in the configuration, which leads to more intuitive behavior.
- Add fuzz tests.
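
The value normalization described in the entries above on surrounding double quotes and trailing whitespace, as an added Go example that is not the library's own code. `parseKV` and `legacyValue` are hypothetical helpers, the sample lines are constructed from the changelog's own examples, and the parser is a simplification that only understands double quotes and `#` end-of-line comments.

```go
package main

import (
	"fmt"
	"strings"
)

// legacyValue reproduces the old results described above (constructed, not the
// library's code): the comment is cut, but trailing whitespace and quotes stay.
func legacyValue(line string) string {
	line, _, _ = strings.Cut(line, "#")
	_, v, _ := strings.Cut(strings.TrimLeft(line, " \t"), " ")
	return v
}

// parseKV is a hypothetical, simplified parser: it cuts an end-of-line comment at
// the first '#' outside double quotes, trims whitespace around keyword and value,
// and strips one pair of surrounding double quotes from the value.
func parseKV(line string) (key, value, comment string) {
	inQuote := false
	for i, r := range line {
		if r == '"' {
			inQuote = !inQuote
		} else if r == '#' && !inQuote {
			comment, line = strings.TrimSpace(line[i+1:]), line[:i]
			break
		}
	}
	line = strings.TrimSpace(line)
	idx := strings.IndexAny(line, " \t=")
	if idx < 0 {
		return line, "", comment
	}
	key = line[:idx]
	value = strings.TrimLeft(line[idx:], " \t=")
	if n := len(value); n >= 2 && value[0] == '"' && value[n-1] == '"' {
		value = value[1 : n-1]
	}
	return key, value, comment
}

func main() {
	// Constructed sample lines, taken from the changelog's own examples.
	for _, l := range []string{"Host example # A comment", `IdentityFile "/path/to/file"`} {
		k, v, c := parseKV(l)
		fmt.Printf("%s: legacy=%q normalized=%q comment=%q\n", k, legacyValue(l), v, c)
	}
}
```

A value such as `"example "` does not compare equal to `"example"`, so code that compares the returned value against a hostname or opens the returned path only behaves as expected on the normalized form.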