in olde rcp/scp protocol mode, when rejecting a path from the server
as not matching the glob that the client sent, log (at debug level) the
received pathname as well as the list of possible expected paths expanded
from the glob. bz2966

rename remote_glob() -> sftp_glob() to match other API

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

add defence-in-depth checks for some unreachable integer overflows
reported by Yair Mizrahi @ JFrog; feedback/ok millert@

Explicitly ignore return from waitpid here too.

Explictly ignore return codes where we don't check them. From Dmitry
Belyavskiy via github PR#238, ok djm@

scp: when copying local->remote, check that source file exists before
opening SFTP connection to the server. Based on GHPR#370
ok dtucker, markus

Check return values of dup2. Spotted by Coverity, ok djm@

Switch scp from using pipes to a socketpair for communication with
it's ssh sub-processes. We no longer need to reserve two descriptors
to ensure that we don't end up using fd 0-2 unexpectedly, that is
handled by sanitise_stdfd() in main().
Based on an original diff from djm@. OK deraadt@ djm@

add -X to usage();

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

when scp(1) is using the SFTP protocol for transport (the default),
better match scp/rcp's handling of globs that don't match the globbed
characters but do match literally (e.g. trying to transfer "foo.[1]").

Previously scp(1) in SFTP mode would not match these pathnames but
legacy scp/rcp mode would.

Reported by Michael Yagliyan in bz3488; ok dtucker@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

don't leak argument list; bz3404, reported by Balu Gajjala
ok dtucker@

and we go back to testing sftp-scp after the 8.9 release...

revert for imminent OpenSSH release, which wil ship with scp in RCP mode.

> revision 1.106
> date: 2021/10/15 14:46:46; author: deraadt; state: Exp; lines: +13 -9; commitid: w5n9B2RE38tFfggl;
> openbsd 7.0 release shipped with the (hopefully last) scp that uses RCP
> protocol for copying. Let's get back to testing the SFTP protocol.

This will be put back once the OpenSSH release is done.

better match legacy scp behaviour: show un-expanded paths in error
messages. Spotted by and ok tb@

when transferring multiple files in SFTP mode, create the destination
directory if it doesn't already exist to match olde-scp(1) behaviour.
noticed by deraadt@ ok markus@

fix some corner-case bugs in scp sftp-mode handling of ~-prefixed
paths; spotted by jsg; feedback jsg & deraadt, ok jsg & markus

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

openbsd 7.0 release shipped with the (hopefully last) scp that uses RCP
protocol for copying. Let's get back to testing the SFTP protocol.

fix missing -s in SYNOPSYS and usage() as well as a capitalisation
mistake; spotted by jmc@

Switch scp back to use the old protocol by default, ahead of release.
We'll wait a little longer for people to pick up sftp-server(8) that
supports the extension that scp needs for ~user paths to continue
working in SFTP protocol mode. Discussed with deraadt@

better error message for ~user failures when the sftp-server
lacks the expand-path extension; ok deraadt@

make some more scp-in-SFTP mode better match Unix idioms

suggested by deraadt@

allow log_stderr==2 to prefix log messages with argv[0]

use this to make scp's SFTP mode error messages more scp-like

prompted by and ok deraadt@

when using SFTP protocol, continue transferring files after a
transfer error occurs. This matches original scp/rcp behaviour.
ok dtucker@

Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.

Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.

ok deraadt, after baking in snaps for a while without incident

scp: tweak man page and error message for -3 by default

Now that the -3 option is enabled by default, flip the documentation
and error message logic from "requires -3" to "blocked by -R".

ok djm@

scp: do not spawn ssh with two -s flags for remote-to-remote copies

Do not add another "-s" to the argument vector every time an SFTP
connection is initiated. Instead, introduce a subsystem flag to
do_cmd() and add "-s" when the flag is set.

ok djm@

Prepare for a future where scp(1) uses the SFTP protocol by default.
Replace recently added -M option to select the protocol with -O (olde)
and -s (SFTP) flags, and label the -s flag with a clear warning that it
will be removed in the near future (so no, don't use it in scripts!).

prompted by/feedback from deraadt@

make scp -3 the default for remote-to-remote copies. It provides a
much better and more intuitive user experience and doesn't require
exposing credentials to the source host.

thanks naddy@ for catching the missing argument in usage()

"Yes please!" - markus@
"makes a lot of sense" - deraadt@
"the right thing to do" - dtucker@

make scp in SFTP mode try to use relative paths as much as possible.
Previosuly, it would try to make relative and ~/-rooted paths absolute
before requesting transfers.

prompted by and much discussion deraadt@
ok markus@

SFTP protocol extension to allow the server to expand ~-prefixed
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.

prompted by and much discussion deraadt@
ok markus@

when scp is in SFTP mode, try to deal better with ~ prefixed
paths. ~user paths aren't supported, but ~/ paths will be accepted
and prefixed with the SFTP server starting directory (more to come)

prompted by and discussed with deraadt@
ok markus@

on fatal errors, make scp wait for ssh connection before exiting
avoids LogLevel=verbose (or greater) messages from ssh appearing
after scp has returned exited and control has returned to the
shell; ok markus@

(this was originally committed as r1.223 along with unrelated stuff that
I rolled back in r1.224)

rever r1.223 - I accidentally committed unrelated changes

on fatal errors, make scp wait for ssh connection before exiting
avoids LogLevel=verbose (or greater) messages from ssh appearing
after scp has returned exited and control has returned to the
shell; ok markus@

Fix prototype mismatch for do_cmd. ok djm@

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

make scp(1) in SFTP mode output better match original scp(1) by
suppressing "Retrieving [path]" lines that were emitted to support
the interactive sftp(1) client. ok markus@

use sftp_client crossloading to implement scp -3

feedback/ok markus@

prepare for scp -3 implemented via sftp

Allow for different (but POSIX compliant) behaviour of basename(3) and
prevent a use-after-free in that case in the new sftp-compat code.

POSIX allows basename(3) to either return a pointer to static storage
or modify the passed string and return a pointer to that. OpenBSD does
the former and works as is, but on other platforms "filename" points
into "tmp" which was just freed. This makes the freeing of tmp
consistent with the other variable in the loop.

Pinpointed by the -portable Valgrind regress test. ok djm@ deraadt@

support for using the SFTP protocol for file transfers in scp, via a
new "-M sftp" option. Marked as experimental for now.

Some corner-cases exist, in particular there is no attempt to
provide bug-compatibility with scp's weird "double shell" quoting
rules.

Mostly by Jakub Jelen in GHPR#194 with some tweaks by me. ok markus@
Thanks jmc@ for improving the scp.1 bits.

allow spaces to appear in usernames for local to remote, and scp -3
remote to remote copies. with & ok dtucker bz#1164

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

allow -A to explicitly enable agent forwarding in scp and sftp. The
default remains to not forward an agent, even when ssh_config enables
it. ok jmc dtucker markus

Fix error message on close(2) and add printf format attributes.
From Christos Zoulas, OK markus@

another case where a utimes() failure could make scp send a
desynchronising error; reminded by Aymeric Vincent
ok deraadt markus

when receving a file in sink(), be careful to send at most a single
error response after the file has been opened. Otherwise the source()
and sink() can become desyncronised. Reported by Daniel Goujot,
Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.

ok deraadt@ markus@

run the 2nd ssh with BatchMode for scp -3

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

Fix potential truncation warning. ok deraadt.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

when checking that filenames sent by the server side match what the
client requested, be prepared to handle shell-style brace alternations,
e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@

add -T to usage();

check in scp client that filenames sent during remote->local directory
copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.

For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@

Have progressmeter force an update at the beginning and end of each
transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@

Sanitize scp filenames via snmprintf. To do this we move the
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@

Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)
to match ssh(1)'s interface.

ok djm

disallow empty incoming filename or ones that refer to the current
directory; based on report/patch from Harry Sintonen

Apply umask to all incoming files and directories not just files.
This makes sure it gets applied to directories too, and prevents
a race where files get chmodded after creation. bz#2839, ok djm@

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)

Disable RemoteCommand and RequestTTY in the ssh session started by
scp. sftp is already doing this. From Camden Narzt via github;
ok dtucker

Add helper function for uri handing in scp where a missing path
simply means ".". Also fix exit code and add warnings when an
invalid uri is encountered. OK otto@

Add URI support to ssh, sftp and scp. For example ssh://user@host
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

remove options -12 from usage();

exterminate the -1 flag from scp

ok markus@

Avoid relying on implementation-specific behavior when detecting
whether the timestamp or file size overflowed. If time_t and
off_t are not either 32-bit or 64-bit scp will exit with an error.
OK djm@

Avoid potential signed int overflow when parsing the file size.
Use strtoul() instead of parsing manually. OK djm@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

Improve accuracy of reported transfer speeds by waiting for the ack from
the other end. Pointed out by mmcc@, ok deraadt@ markus@

pledge "stdio rpath wpath cpath fattr tty proc exec" except for the
-p option (which sadly has insane semantics...)
ok semarie dtucker

0 -> NULL when comparing with a char*.

ok dtucker@, djm@.

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

when copying local->remote fails during read, don't send uninitialised
heap to the remote end. Reported by Jann Horn

unsigned casts for ctype macros where neccessary
ok guenther millert markus

improved time_t overflow check suggested by guenther@

make this -Wsign-compare clean after time_t conversion

Handle time_t values as long long's when formatting them and when
parsing them from remote servers.
Improve error checking in parsing of 'T' lines.

ok dtucker@ deraadt@

use MAXPATHLEN for buffer size instead of fixed value. ok markus

Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.

bye, bye xfree(); ok markus@

Fix some "unused result" warnings found via clang and -portable. ok markus@

suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus

scp.1: grammer fix
scp.c: add -3 to usage()

add a new -3 option to scp: Copies between two remote hosts are
transferred through the local host. Without this option the data
is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)

Pass through ssh command-line flags and options when doing remote-remote
transfers, e.g. to enable agent forwarding which is particularly useful
in this case; bz#1837 ok dtucker@

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

Fix a longstanding problem where if you suspend scp at the
password/passphrase prompt the terminal mode is not restored.
OK djm@

When passing user-controlled options with arguments to other programs,
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.

Based on a diff by halex@
ok halex@ djm@ deraadt@

spelling in comment; ok djm@

Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@

If scp -p encounters a pre-epoch timestamp, use the epoch which is
as close as we can get given that it's used unsigned. Add a little
debugging while there. bz #828, ok djm@

factor out network read/write into an atomicio()-like function, and use it
to handle short reads, apply bandwidth limits and update counters.
make network IO non-blocking, so a small trickle of reads/writes has a
chance of updating the progress meter; bz #799
ok dtucker@

the ellipsis is not an optional argument; while here, sync the usage
and synopsis of commands

lots of good ideas by jmc@

ok jmc@

don't ftruncate() non-regular files; bz#1236 reported by wood AT xmission.com;
ok dtucker@

Encode filename with strnvis if the name contains a newline (which can't
be represented in the scp protocol), from bz #891. ok markus@

make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@

fix detection of whether we should show progress meter or not: scp
tested isatty(stderr) but wrote the progress meter to stdout. This patch
makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
of dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <sys/time.h> out of includes.h

move #include <string.h> out of includes.h

move #include <time.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

duplicate argv at the start of main() because it gets modified later;
pointed out by deraadt@ ok markus@

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

fix leak; coverity via Kylene Jo Hall

xasprintification; ok deraadt@

minimal lint cleanup (unused crud, and some size_t); ok djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@

RCSID() can die

Try to display errormessage even if remout == -1

ok djm@, markus@

branches: 1.135.2;
move #include <ctype.h> out of includes.h; ok djm@

move #include <sys/stat.h> out of includes.h; ok markus@

move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

move #include <dirent.h> out of includes.h; ok markus@

"scp a b c" shouldn't clobber "c" when it is not a directory, report and
fix from biorn@; ok markus@

fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

avoid close(-1), as in rcp; ok cloder

ensure that stdio fds are attached; ok deraadt@

branches: 1.125.2;
Silence bogus -Wuninitialized warnings; ok djm@

make this -Wsign-compare clean; ok avsm@ markus@

If copying multiple files to a target file (which normally fails, as it
must be a target directory), kill the spawned ssh child before exiting.
This stops it trying to authenticate and spewing lots of output.
deraadt@ ok

Switch atomicio to use a simpler interface; it now returns a size_t
(containing number of bytes read/written), and indicates error by
returning 0. EOF is signalled by errno==EPIPE.
Typical use now becomes:

if (atomicio(read, ..., len) != len)
err(1,"read");

ok deraadt@, cloder@, djm@

since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror build

copy argv[] element instead of smashing the one that ps will see; ok otto

branches: 1.119.2;
Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@

scratch that do { } while (0) wrapper in this case

branches: 1.117.2;
use atomicio instead of homegrown equivalents or read/write.
markus@ ok

Prevent scp from skipping the file following a double-error.
bz #863, ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

limit trust between local and remote rcp/scp process,
noticed by lcamtuf; ok deraadt@, djm@

branches: 1.113.2;
from portable: rename clashing variable limit-> limit_rate; ok markus@

unexpand and delete whitespace at EOL; ok markus@

When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@

scp and sftp: add options list and sort options. options list requested
by deraadt@
sshd: use same format as ssh
ssh: remove wrong option from list
sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)

ok deraadt@ markus@

error handling for remote-remote copy; #638; report Harald Koenig;
ok millert, fgs, henning, deraadt

branches: 1.108.2;
userid is unsigned, but well, force it anyways; andrushock@korovino.net

deal with typing of write vs read in atomicio

Typo.

Ok markus@.

kill ssh process upon receipt of signal, bz #241.
based on patch from esb AT hawaii.edu; ok markus@

ansify; ok markus@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

branches: 1.102.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@

call okname() only when using system(3) for remote-remote copy;
fixes bugs #483, #472; ok deraadt@, mouring@

scp -12; Sam Smith and others; ok provos@, deraadt@

bandwidth limitation patch (scp -l) from niels@; ok todd@, deraadt@

Don't ftruncate after write error, creating sparse files of incorrect length
mindrot bug #403, reported by rusr@cup.hp.com; ok markus@

sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

1) include stalling time in total time
2) truncate filenames to 45 instead of 20 characters
3) print rate instead of progress bar, no more stars
4) scale output to tty width
based on a patch from Niels; ok fries@ lebel@ fgs@ millert@

use roundup() similar to rcp/util.c and avoid problems with strange
filesystem block sizes, noted by tjr@freebsd.org; ok djm@

allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@

Remove unnecessary fflush(stderr) calls, stderr is unbuffered by default.
ok markus@

check exit status from ssh, and exit(1) if ssh fails; bug#369; binder@arago.de

branches: 1.91.2;
KNF done automatically while reading....

make usage like man page

remove FallBackToRsh

branches: 1.88.2;
Fixes potental double // within path.
http://bugzilla.mindrot.org/show_bug.cgi?id=76

stretch banners

make it compile with more strict prototype checking

branches: 1.85.2;
skip filenames containing \n; report jdamery@chiark.greenend.org.uk
and matthew@debian.org

add ClearAllForwardings ssh option and set it in scp and sftp; ok markus@

add -Fssh_config option; ok markus@

don't forward agent for non third-party copies; ok markus@

clear the malloc'd buffer, otherwise source() will leak malloc'd memory; ok theo@

don't need main prototype (also sync with rcp); ok markus@

use alarm vs. setitimer for portable; ok markus@

shorten lines

Missing -o in scp usage()

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

slightly better care

no stdio or exit() in signal handlers.

you cannot vfprintf(fp, fmt, ap) twice, from portable, via drahn@

pass -v to ssh; from slade@shore.net

ftruncate() instead of open()+O_TRUNC like rcp.c does
allows scp /path/to/file localhost:/path/to/file

Use addargs() in sftp plus some clean up of addargs(). OK Markus

Move colon() and cleanhost() to misc.c where I should I have put it in
the first place

branches: 1.68.2;
scp > 2GB; niles@scyld.com; ok deraadt@, djm@

IPv6 support for sftp (which I bungled in my last patch) which is
borrowed from scp.c. Thanks to Markus@ for pointing it out.

'T' handling rcp/scp sync; ok markus@

remove trailing / from source paths; fixes pr#1756

usage more like rcp and add missing -B to usage; ok markus@

start to sync scp closer to rcp; ok markus@

alpha fixes, from simonb@wasabisystems.com

use %lld in printf, ok millert@/deraadt@; report from ssh@client.fi

make copyright lines the same format

np is changed by recursion; vinschen@redhat.com

fix memory leak; ok markus@

revert a small change to allow -r option to work again; ok deraadt@

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

memory leak fix, and snprintf throughout

unsigned long long -> %llu, not %qu. markus ok

alpha happiness

unexpand and remove end-of-line whitespace; ok markus@

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

move ssh1 definitions to ssh1.h, pathnames to pathnames.h

getopt() returns -1 not EOF; stevesk@pobox.com

use shared fatal(); from stevesk@pobox.com

replace 'unsigned bla' with 'u_bla' everywhere. also, replace 'char unsigned'
with u_char.

allow + in usernames; request from Florian.Weimer@RUS.Uni-Stuttgart.DE

unused; from stevesk@pobox.com

when copying 0-sized files, do not re-print ETA time at completion

branches: 1.43.2;
replace atomicio(read,...) with read(); ok deraadt@

remove spaces from arguments; from djm@mindrot.org

support 'scp -o' with help from mouring@pconline.com

utime() to utimes(); mouring@pconline.com

typo

cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.

cleanup and fix -S support; stevesk@sweden.hp.com

off_t in sink, to fix files > 2GB, i think, test is still running ;-)

knf

-S prog support; tv@debian.org

close can fail on AFS, report error; from Greg Hudson <ghudson@mit.edu>

OpenBSD tag

typo

branches: 1.30.2;
more atomicio

fix very rare EAGAIN/EINTR issues; based on work by djm

after completion, replace the progress bar ETA counter with a final elapsed time; my idea, aaron wrote the patch

whitespace cleanup

-pedantic: signed vs. unsigned, void*-arithm, etc

allow '.' in usernames; from jedgar@fxp.org

document -4, -6, and 'ssh -L 2022/::1/22'

ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features:
sshd allows multiple ListenAddress and Port options. note that libwrap is
not IPv6-ready. (based on patches from <kick@kyoto.wide.ad.jp> and
fujiwara@rcac.tdi.co.jp)

move atomicio into it's own file. wrap all socket write()s which were doing
write(sock, buf, len) != len, with atomicio() calls.

progress meter overflow fix from damien@ibs.com.au

KNF, final part 3

much more KNF

KNF part 1

syslog changes:
* Unified Logmessage for all auth-types, for success and for failed
* Standard connections get only ONE line in the LOG when level==LOG:
Auth-attempts are logged only, if authentication is:
a) successfull or
b) with passwd or
c) we had more than AUTH_FAIL_LOG failues
* many log() became verbose()
* old behaviour with level=VERBOSE

foregroundproc() in scp

fix overflow reported by damien@ibs.com.au: off_t totalsize, ok niels,aaron

Calculation fix in progressmeter() for ETA > 1hr; pasto on my part.

Print out the progress meter for 0 length files, too; deraadt@

- Fix the progress meter for receiving files, too.
- Add a check for totalbytes <= 0 in progressmeter(), so we don't / 0.
- Reset statbytes when we issue progressmeter(1), just to be safe.

Show filenames in the progress meter while transferring.

it is incredible what some people try to do in signal handlers

errno trashing considered harmfull

Wall

isatty() fixes for the progress meter; markus.friedl@informatik.uni-erlangen.de

- Add -q option to shutup the progressmeter; markus friedl
- Describe -q in man page (needs conversion to mdoc still).
- Cleanup usage string.
- Correct a typo; espie@

do not bother with dinosaur pacification

Put our ftp(1) progress meter into scp(1).

we have setsid

update krb4/AFS support to ssh-1.2.27-afs-kerberos-pl1 level, clean up unused variables, update manpages

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

rename remote_glob() -> sftp_glob() to match other API

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

add defence-in-depth checks for some unreachable integer overflows
reported by Yair Mizrahi @ JFrog; feedback/ok millert@

Explicitly ignore return from waitpid here too.

Explictly ignore return codes where we don't check them. From Dmitry
Belyavskiy via github PR#238, ok djm@

scp: when copying local->remote, check that source file exists before
opening SFTP connection to the server. Based on GHPR#370
ok dtucker, markus

Check return values of dup2. Spotted by Coverity, ok djm@

Switch scp from using pipes to a socketpair for communication with
it's ssh sub-processes. We no longer need to reserve two descriptors
to ensure that we don't end up using fd 0-2 unexpectedly, that is
handled by sanitise_stdfd() in main().
Based on an original diff from djm@. OK deraadt@ djm@

add -X to usage();

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

when scp(1) is using the SFTP protocol for transport (the default),
better match scp/rcp's handling of globs that don't match the globbed
characters but do match literally (e.g. trying to transfer "foo.[1]").

Previously scp(1) in SFTP mode would not match these pathnames but
legacy scp/rcp mode would.

Reported by Michael Yagliyan in bz3488; ok dtucker@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

don't leak argument list; bz3404, reported by Balu Gajjala
ok dtucker@

and we go back to testing sftp-scp after the 8.9 release...

revert for imminent OpenSSH release, which wil ship with scp in RCP mode.

> revision 1.106
> date: 2021/10/15 14:46:46; author: deraadt; state: Exp; lines: +13 -9; commitid: w5n9B2RE38tFfggl;
> openbsd 7.0 release shipped with the (hopefully last) scp that uses RCP
> protocol for copying. Let's get back to testing the SFTP protocol.

This will be put back once the OpenSSH release is done.

better match legacy scp behaviour: show un-expanded paths in error
messages. Spotted by and ok tb@

when transferring multiple files in SFTP mode, create the destination
directory if it doesn't already exist to match olde-scp(1) behaviour.
noticed by deraadt@ ok markus@

fix some corner-case bugs in scp sftp-mode handling of ~-prefixed
paths; spotted by jsg; feedback jsg & deraadt, ok jsg & markus

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

openbsd 7.0 release shipped with the (hopefully last) scp that uses RCP
protocol for copying. Let's get back to testing the SFTP protocol.

fix missing -s in SYNOPSYS and usage() as well as a capitalisation
mistake; spotted by jmc@

Switch scp back to use the old protocol by default, ahead of release.
We'll wait a little longer for people to pick up sftp-server(8) that
supports the extension that scp needs for ~user paths to continue
working in SFTP protocol mode. Discussed with deraadt@

better error message for ~user failures when the sftp-server
lacks the expand-path extension; ok deraadt@

make some more scp-in-SFTP mode better match Unix idioms

suggested by deraadt@

allow log_stderr==2 to prefix log messages with argv[0]

use this to make scp's SFTP mode error messages more scp-like

prompted by and ok deraadt@

when using SFTP protocol, continue transferring files after a
transfer error occurs. This matches original scp/rcp behaviour.
ok dtucker@

Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.

Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.

ok deraadt, after baking in snaps for a while without incident

scp: tweak man page and error message for -3 by default

Now that the -3 option is enabled by default, flip the documentation
and error message logic from "requires -3" to "blocked by -R".

ok djm@

scp: do not spawn ssh with two -s flags for remote-to-remote copies

Do not add another "-s" to the argument vector every time an SFTP
connection is initiated. Instead, introduce a subsystem flag to
do_cmd() and add "-s" when the flag is set.

ok djm@

Prepare for a future where scp(1) uses the SFTP protocol by default.
Replace recently added -M option to select the protocol with -O (olde)
and -s (SFTP) flags, and label the -s flag with a clear warning that it
will be removed in the near future (so no, don't use it in scripts!).

prompted by/feedback from deraadt@

make scp -3 the default for remote-to-remote copies. It provides a
much better and more intuitive user experience and doesn't require
exposing credentials to the source host.

thanks naddy@ for catching the missing argument in usage()

"Yes please!" - markus@
"makes a lot of sense" - deraadt@
"the right thing to do" - dtucker@

make scp in SFTP mode try to use relative paths as much as possible.
Previosuly, it would try to make relative and ~/-rooted paths absolute
before requesting transfers.

prompted by and much discussion deraadt@
ok markus@

SFTP protocol extension to allow the server to expand ~-prefixed
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.

prompted by and much discussion deraadt@
ok markus@

when scp is in SFTP mode, try to deal better with ~ prefixed
paths. ~user paths aren't supported, but ~/ paths will be accepted
and prefixed with the SFTP server starting directory (more to come)

prompted by and discussed with deraadt@
ok markus@

on fatal errors, make scp wait for ssh connection before exiting
avoids LogLevel=verbose (or greater) messages from ssh appearing
after scp has returned exited and control has returned to the
shell; ok markus@

(this was originally committed as r1.223 along with unrelated stuff that
I rolled back in r1.224)

rever r1.223 - I accidentally committed unrelated changes

on fatal errors, make scp wait for ssh connection before exiting
avoids LogLevel=verbose (or greater) messages from ssh appearing
after scp has returned exited and control has returned to the
shell; ok markus@

Fix prototype mismatch for do_cmd. ok djm@

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

make scp(1) in SFTP mode output better match original scp(1) by
suppressing "Retrieving [path]" lines that were emitted to support
the interactive sftp(1) client. ok markus@

use sftp_client crossloading to implement scp -3

feedback/ok markus@

prepare for scp -3 implemented via sftp

Allow for different (but POSIX compliant) behaviour of basename(3) and
prevent a use-after-free in that case in the new sftp-compat code.

POSIX allows basename(3) to either return a pointer to static storage
or modify the passed string and return a pointer to that. OpenBSD does
the former and works as is, but on other platforms "filename" points
into "tmp" which was just freed. This makes the freeing of tmp
consistent with the other variable in the loop.

Pinpointed by the -portable Valgrind regress test. ok djm@ deraadt@

support for using the SFTP protocol for file transfers in scp, via a
new "-M sftp" option. Marked as experimental for now.

Some corner-cases exist, in particular there is no attempt to
provide bug-compatibility with scp's weird "double shell" quoting
rules.

Mostly by Jakub Jelen in GHPR#194 with some tweaks by me. ok markus@
Thanks jmc@ for improving the scp.1 bits.

allow spaces to appear in usernames for local to remote, and scp -3
remote to remote copies. with & ok dtucker bz#1164

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

allow -A to explicitly enable agent forwarding in scp and sftp. The
default remains to not forward an agent, even when ssh_config enables
it. ok jmc dtucker markus

Fix error message on close(2) and add printf format attributes.
From Christos Zoulas, OK markus@

another case where a utimes() failure could make scp send a
desynchronising error; reminded by Aymeric Vincent
ok deraadt markus

when receving a file in sink(), be careful to send at most a single
error response after the file has been opened. Otherwise the source()
and sink() can become desyncronised. Reported by Daniel Goujot,
Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.

ok deraadt@ markus@

run the 2nd ssh with BatchMode for scp -3

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

Fix potential truncation warning. ok deraadt.

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

when checking that filenames sent by the server side match what the
client requested, be prepared to handle shell-style brace alternations,
e.g. "{foo,bar}".

"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@

add -T to usage();

check in scp client that filenames sent during remote->local directory
copies satisfy the wildcard specified by the user.

This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.

For this reason, this also adds a new -T flag to disable the check.

reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@

Have progressmeter force an update at the beginning and end of each
transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@

Sanitize scp filenames via snmprintf. To do this we move the
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@

Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)
to match ssh(1)'s interface.

ok djm

disallow empty incoming filename or ones that refer to the current
directory; based on report/patch from Harry Sintonen

Apply umask to all incoming files and directories not just files.
This makes sure it gets applied to directories too, and prevents
a race where files get chmodded after creation. bz#2839, ok djm@

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)

Disable RemoteCommand and RequestTTY in the ssh session started by
scp. sftp is already doing this. From Camden Narzt via github;
ok dtucker

Add helper function for uri handing in scp where a missing path
simply means ".". Also fix exit code and add warnings when an
invalid uri is encountered. OK otto@

Add URI support to ssh, sftp and scp. For example ssh://user@host
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus

remove options -12 from usage();

exterminate the -1 flag from scp

ok markus@

Avoid relying on implementation-specific behavior when detecting
whether the timestamp or file size overflowed. If time_t and
off_t are not either 32-bit or 64-bit scp will exit with an error.
OK djm@

Avoid potential signed int overflow when parsing the file size.
Use strtoul() instead of parsing manually. OK djm@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

Improve accuracy of reported transfer speeds by waiting for the ack from
the other end. Pointed out by mmcc@, ok deraadt@ markus@

pledge "stdio rpath wpath cpath fattr tty proc exec" except for the
-p option (which sadly has insane semantics...)
ok semarie dtucker

0 -> NULL when comparing with a char*.

ok dtucker@, djm@.

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

when copying local->remote fails during read, don't send uninitialised
heap to the remote end. Reported by Jann Horn

unsigned casts for ctype macros where neccessary
ok guenther millert markus

improved time_t overflow check suggested by guenther@

make this -Wsign-compare clean after time_t conversion

Handle time_t values as long long's when formatting them and when
parsing them from remote servers.
Improve error checking in parsing of 'T' lines.

ok dtucker@ deraadt@

use MAXPATHLEN for buffer size instead of fixed value. ok markus

Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.

bye, bye xfree(); ok markus@

Fix some "unused result" warnings found via clang and -portable. ok markus@

suppress adding '--' to remote commandlines when the first argument
does not start with '-'. saves breakage on some difficult-to-upgrade
embedded/router platforms; feedback & ok dtucker ok markus

scp.1: grammer fix
scp.c: add -3 to usage()

add a new -3 option to scp: Copies between two remote hosts are
transferred through the local host. Without this option the data
is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)

Pass through ssh command-line flags and options when doing remote-remote
transfers, e.g. to enable agent forwarding which is particularly useful
in this case; bz#1837 ok dtucker@

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

Fix a longstanding problem where if you suspend scp at the
password/passphrase prompt the terminal mode is not restored.
OK djm@

When passing user-controlled options with arguments to other programs,
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.

Based on a diff by halex@
ok halex@ djm@ deraadt@

spelling in comment; ok djm@

Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@

If scp -p encounters a pre-epoch timestamp, use the epoch which is
as close as we can get given that it's used unsigned. Add a little
debugging while there. bz #828, ok djm@

factor out network read/write into an atomicio()-like function, and use it
to handle short reads, apply bandwidth limits and update counters.
make network IO non-blocking, so a small trickle of reads/writes has a
chance of updating the progress meter; bz #799
ok dtucker@

the ellipsis is not an optional argument; while here, sync the usage
and synopsis of commands

lots of good ideas by jmc@

ok jmc@

don't ftruncate() non-regular files; bz#1236 reported by wood AT xmission.com;
ok dtucker@

Encode filename with strnvis if the name contains a newline (which can't
be represented in the scp protocol), from bz #891. ok markus@

make scp try to skip FIFOs rather than blocking when nothing is listening.
depends on the platform supporting sane O_NONBLOCK semantics for open
on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
bz #856; report by cjwatson AT debian.org; ok markus@

fix detection of whether we should show progress meter or not: scp
tested isatty(stderr) but wrote the progress meter to stdout. This patch
makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
of dtucker@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <sys/time.h> out of includes.h

move #include <string.h> out of includes.h

move #include <time.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

duplicate argv at the start of main() because it gets modified later;
pointed out by deraadt@ ok markus@

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

fix leak; coverity via Kylene Jo Hall

xasprintification; ok deraadt@

minimal lint cleanup (unused crud, and some size_t); ok djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@

RCSID() can die

Try to display errormessage even if remout == -1

ok djm@, markus@

branches: 1.135.2;
move #include <ctype.h> out of includes.h; ok djm@

move #include <sys/stat.h> out of includes.h; ok markus@

move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

move #include <dirent.h> out of includes.h; ok markus@

"scp a b c" shouldn't clobber "c" when it is not a directory, report and
fix from biorn@; ok markus@

fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

avoid close(-1), as in rcp; ok cloder

ensure that stdio fds are attached; ok deraadt@

branches: 1.125.2;
Silence bogus -Wuninitialized warnings; ok djm@

make this -Wsign-compare clean; ok avsm@ markus@

If copying multiple files to a target file (which normally fails, as it
must be a target directory), kill the spawned ssh child before exiting.
This stops it trying to authenticate and spewing lots of output.
deraadt@ ok

Switch atomicio to use a simpler interface; it now returns a size_t
(containing number of bytes read/written), and indicates error by
returning 0. EOF is signalled by errno==EPIPE.
Typical use now becomes:

if (atomicio(read, ..., len) != len)
err(1,"read");

ok deraadt@, cloder@, djm@

since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror build

copy argv[] element instead of smashing the one that ps will see; ok otto

branches: 1.119.2;
Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@

scratch that do { } while (0) wrapper in this case

branches: 1.117.2;
use atomicio instead of homegrown equivalents or read/write.
markus@ ok

Prevent scp from skipping the file following a double-error.
bz #863, ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

limit trust between local and remote rcp/scp process,
noticed by lcamtuf; ok deraadt@, djm@

branches: 1.113.2;
from portable: rename clashing variable limit-> limit_rate; ok markus@

unexpand and delete whitespace at EOL; ok markus@

When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@

scp and sftp: add options list and sort options. options list requested
by deraadt@
sshd: use same format as ssh
ssh: remove wrong option from list
sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)

ok deraadt@ markus@

error handling for remote-remote copy; #638; report Harald Koenig;
ok millert, fgs, henning, deraadt

branches: 1.108.2;
userid is unsigned, but well, force it anyways; andrushock@korovino.net

deal with typing of write vs read in atomicio

Typo.

Ok markus@.

kill ssh process upon receipt of signal, bz #241.
based on patch from esb AT hawaii.edu; ok markus@

ansify; ok markus@

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

branches: 1.102.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@

call okname() only when using system(3) for remote-remote copy;
fixes bugs #483, #472; ok deraadt@, mouring@

scp -12; Sam Smith and others; ok provos@, deraadt@

bandwidth limitation patch (scp -l) from niels@; ok todd@, deraadt@

Don't ftruncate after write error, creating sparse files of incorrect length
mindrot bug #403, reported by rusr@cup.hp.com; ok markus@

sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

1) include stalling time in total time
2) truncate filenames to 45 instead of 20 characters
3) print rate instead of progress bar, no more stars
4) scale output to tty width
based on a patch from Niels; ok fries@ lebel@ fgs@ millert@

use roundup() similar to rcp/util.c and avoid problems with strange
filesystem block sizes, noted by tjr@freebsd.org; ok djm@

allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@

Remove unnecessary fflush(stderr) calls, stderr is unbuffered by default.
ok markus@

check exit status from ssh, and exit(1) if ssh fails; bug#369; binder@arago.de

branches: 1.91.2;
KNF done automatically while reading....

make usage like man page

remove FallBackToRsh

branches: 1.88.2;
Fixes potental double // within path.
http://bugzilla.mindrot.org/show_bug.cgi?id=76

stretch banners

make it compile with more strict prototype checking

branches: 1.85.2;
skip filenames containing \n; report jdamery@chiark.greenend.org.uk
and matthew@debian.org

add ClearAllForwardings ssh option and set it in scp and sftp; ok markus@

add -Fssh_config option; ok markus@

don't forward agent for non third-party copies; ok markus@

clear the malloc'd buffer, otherwise source() will leak malloc'd memory; ok theo@

don't need main prototype (also sync with rcp); ok markus@

use alarm vs. setitimer for portable; ok markus@

shorten lines

Missing -o in scp usage()

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

slightly better care

no stdio or exit() in signal handlers.

you cannot vfprintf(fp, fmt, ap) twice, from portable, via drahn@

pass -v to ssh; from slade@shore.net

ftruncate() instead of open()+O_TRUNC like rcp.c does
allows scp /path/to/file localhost:/path/to/file

Use addargs() in sftp plus some clean up of addargs(). OK Markus

Move colon() and cleanhost() to misc.c where I should I have put it in
the first place

branches: 1.68.2;
scp > 2GB; niles@scyld.com; ok deraadt@, djm@

IPv6 support for sftp (which I bungled in my last patch) which is
borrowed from scp.c. Thanks to Markus@ for pointing it out.

'T' handling rcp/scp sync; ok markus@