Commit Graph

114 Commits

Author SHA1 Message Date
Darren Tucker 1477ea162c - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
[sshd_config.5]
     Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
2009-10-07 08:36:05 +11:00
Damien Miller 9c7bf8dfc8 downgrade mention of login.conf to be an example and mention PAM as
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
2009-08-28 10:27:08 +10:00
Darren Tucker 51dbe503bf - stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
     clarify we cd to user's home after chroot; ok markus@ on
     earlier version; tweaks and ok jmc@
2009-06-21 17:56:51 +10:00
Darren Tucker f92077f05c - jmc@cvs.openbsd.org 2009/04/18 18:39:10
[sshd_config.5]
     tweak previous; ok stevesk
2009-06-21 17:56:25 +10:00
Darren Tucker 00fcd719a5 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17
[sshd_config.5]
     clarify that even internal-sftp needs /dev/log for logging to work; ok
     markus@
2009-06-21 17:56:00 +10:00
Darren Tucker af501cfce4 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44
[sshd_config.5]
     fix possessive; ok djm@
2009-06-21 17:53:04 +10:00
Damien Miller 0296ae85ec - djm@cvs.openbsd.org 2009/02/22 23:59:25
[sshd_config.5]
     missing period
2009-02-23 11:00:24 +11:00
Damien Miller 1991384764 - djm@cvs.openbsd.org 2009/02/22 23:50:57
[ssh_config.5 sshd_config.5]
     don't advertise experimental options
2009-02-23 10:53:58 +11:00
Damien Miller 9aa72ba57a - naddy@cvs.openbsd.org 2009/01/24 17:10:22
[ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
2009-01-28 16:34:00 +11:00
Damien Miller 17819015f0 - okan@cvs.openbsd.org 2008/12/30 00:46:56
[sshd_config.5]
     add AllowAgentForwarding to available Match keywords list
     ok djm
2009-01-28 16:20:17 +11:00
Damien Miller 01ed2272a1 - djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@
2008-11-05 16:20:46 +11:00
Damien Miller 51bde6000a - djm@cvs.openbsd.org 2008/10/09 03:50:54
[servconf.c sshd_config.5]
     support setting PermitEmptyPasswords in a Match block
     requested in PR3891; ok dtucker@
2008-11-03 19:23:10 +11:00
Darren Tucker 7499b0cca0 - djm@cvs.openbsd.org 2008/07/02 02:24:18
[sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
2008-07-02 22:35:43 +10:00
Damien Miller 307c1d10a7 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40
[servconf.c sshd_config.5]
     Allow MaxAuthTries within a Match block.  ok djm@
2008-06-16 07:56:20 +10:00
Damien Miller c62a5af29a - dtucker@cvs.openbsd.org 2008/06/15 16:55:38
[sshd_config.5]
     MaxSessions is allowed in a Match block too
2008-06-16 07:55:46 +10:00
Darren Tucker 6a2a400f7a - jmc@cvs.openbsd.org 2008/06/10 07:12:00
[sshd_config.5]
     tweak previous;
2008-06-10 23:03:04 +10:00
Darren Tucker b06cc4abf8 - djm@cvs.openbsd.org 2008/06/10 04:17:46
[sshd_config.5]
     better reference for pattern-list
2008-06-10 22:59:53 +10:00
Darren Tucker 7a3935de2f - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
     [servconf.c match.h sshd_config.5]
     support CIDR address matching in sshd_config "Match address" blocks, with
     full support for negation and fall-back to classic wildcard matching.
     For example:
     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes
     addrmatch.c code mostly lifted from flowd's addr.c
     feedback and ok dtucker@
2008-06-10 22:59:10 +10:00
Damien Miller 7207f64a23 - djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
2008-05-19 15:34:50 +10:00
Damien Miller e989019303 - jmc@cvs.openbsd.org 2008/05/07 08:00:14
[sshd_config.5]
     sort;
2008-05-19 14:59:02 +10:00
Damien Miller 4f755cdc05 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@
2008-05-19 14:57:41 +10:00
Damien Miller 25434de460 - djm@cvs.openbsd.org 2008/04/05 02:46:02
[sshd_config.5]
     HostbasedAuthentication is supported under Match too
2008-05-19 14:29:08 +10:00
Damien Miller 56f41ddc54 - djm@cvs.openbsd.org 2008/04/04 06:44:26
[sshd_config.5]
     oops, some unrelated stuff crept into that commit - backout.
     spotted by jmc@
2008-05-19 14:28:19 +10:00
Damien Miller 797e3d117f - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/04 05:14:38
     [sshd_config.5]
     ChrootDirectory is supported in Match blocks (in fact, it is most useful
     there). Spotted by Minstrel AT minstrel.org.uk
2008-05-19 14:27:42 +10:00
Damien Miller a1b48ccf2d - djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
     from dtucker@ ok deraadt@ djm@
2008-03-27 11:02:02 +11:00
Damien Miller 5447eb2454 - jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
     bump Mdocdate for pages committed in "febuary", necessary because
     of a typo in rcs.c;
2008-03-27 10:50:21 +11:00
Damien Miller cdb6e65175 - djm@cvs.openbsd.org 2008/02/10 09:55:37
[sshd_config.5]
     mantion that "internal-sftp" is useful with ForceCommand too
2008-02-10 22:47:24 +11:00
Damien Miller 70433b5d73 - jmc@cvs.openbsd.org 2008/02/09 08:04:31
[sshd_config.5]
     missing `)';
2008-02-10 22:45:13 +11:00
Damien Miller d8cb1f184f - djm@cvs.openbsd.org 2008/02/08 23:24:07
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
     [sshd_config.5]
     add sshd_config ChrootDirectory option to chroot(2) users to a directory
     and tweak internal sftp server to work with it (no special files in
     chroot required). ok markus@
2008-02-10 22:40:12 +11:00
Darren Tucker 15f94271be - dtucker@cvs.openbsd.org 2008/01/01 09:27:33
[sshd_config.5 servconf.c]
     Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
     only from the local network.  ok markus@, man page bit ok jmc@
2008-01-01 20:36:56 +11:00
Damien Miller 4890e53977 - djm@cvs.openbsd.org 2007/08/23 03:22:16
[auth2-none.c sshd_config sshd_config.5]
     Support "Banner=none" to disable displaying of the pre-login banner;
     ok dtucker@ deraadt@
2007-09-17 11:57:38 +10:00
Damien Miller 22b7b49331 - jmc@cvs.openbsd.org 2007/06/08 07:48:09
[sshd_config.5]
     oops, here too: put the MAC list into a display, like we do for
     ciphers, since groff has trouble with wide lines;
2007-06-11 14:07:12 +10:00
Damien Miller e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00
Darren Tucker aa4d5eda10 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
     convert to new .Dd format;
     (We will need to teach mdoc2man.awk to understand this too.)
2007-06-05 18:27:13 +10:00
Damien Miller 5737e363c5 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
     [sshd_config.5]
     sort the `match' keywords;
2007-03-06 21:21:18 +11:00
Darren Tucker 1d75f22c5d - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
[auth2.c sshd_config.5 servconf.c]
     Remove ChallengeResponseAuthentication support inside a Match
     block as its interaction with KbdInteractive makes it difficult to
     support.  Also, relocate the CR/kbdint option special-case code into
     servconf.  "please commit" djm@, ok markus@ for the relocation.
2007-03-01 21:31:28 +11:00
Darren Tucker 1629c07c07 - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
     Teach Match how handle config directives that are used before
     authentication.  This allows configurations such as permitting password
     authentication from the local net only while requiring pubkey from
     offsite.  ok djm@, man page bits ok jmc@
2007-02-19 22:25:37 +11:00
Damien Miller d94fc72bcd - jmc@cvs.openbsd.org 2007/01/02 09:57:25
[sshd_config.5]
     do not use lists for SYNOPSIS;
     from eric s. raymond via brad
2007-01-05 16:29:30 +11:00
Damien Miller b594f38bae - (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
     [sshd_config.5]
     Document HostbasedUsesNameFromPacketOnly.  Corrections from jmc@,
     ok jmc@ djm@
2006-08-30 11:06:34 +10:00
Damien Miller 565ca3f600 - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
     Add ability to match groups to Match keyword in sshd_config.  Feedback
     djm@, stevesk@, ok stevesk@.
2006-08-19 00:23:15 +10:00
Damien Miller a765cf4b66 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
[channels.c channels.h servconf.c servconf.h sshd_config.5]
     Make PermitOpen take a list of permitted ports and act more like most
     other keywords (ie the first match is the effective setting). This
     also makes it easier to override a previously set PermitOpen. ok djm@
2006-07-24 14:08:13 +10:00
Damien Miller e275443f66 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
     Add ForceCommand keyword to sshd_config, equivalent to the "command="
     key option, man page entry and example in sshd_config.
     Feedback & ok djm@, man page corrections & ok jmc@
2006-07-24 14:06:47 +10:00
Damien Miller d1de9950e5 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
[servconf.c sshd_config.5]
     Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
     Match.  ok djm@
2006-07-24 14:05:48 +10:00
Damien Miller 8c23403b51 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
[sshd_config.5]
     Clarify description of Match, with minor correction from jmc@
2006-07-24 14:05:08 +10:00
Damien Miller 393821ad72 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
[ssh-agent.1 sshd_config.5]
     mark up angle brackets;
2006-07-24 14:04:53 +10:00
Damien Miller 65bc2c4028 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
[sshd_config.5]
     tweak; ok dtucker
2006-07-24 14:04:16 +10:00
Damien Miller 9b439df18a - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option.  Allows server admin to allow TCP port
     forwarding only two specific host/port pairs.  Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.
2006-07-24 14:04:00 +10:00
Damien Miller d04f357ac2 - jmc@cvs.openbsd.org 2006/07/12 13:39:55
[sshd_config.5]
      - new sentence, new line
      - s/The the/The/
      - kill a bad comma
2006-07-24 13:46:50 +10:00
Darren Tucker 4515047e47 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
     Add support for conditional directives to sshd_config via a "Match"
     keyword, which works similarly to the "Host" directive in ssh_config.
     Lines after a Match line override the default set in the main section
     if the condition on the Match line is true, eg
     AllowTcpForwarding yes
     Match User anoncvs
             AllowTcpForwarding no
     will allow port forwarding by all users except "anoncvs".
     Currently only a very small subset of directives are supported.
     ok djm@
2006-07-12 22:34:17 +10:00
Damien Miller 917f9b6b6e - djm@cvs.openbsd.org 2006/07/06 10:47:05
[servconf.c servconf.h session.c sshd_config.5]
     support arguments to Subsystem commands; ok markus@
2006-07-10 20:36:47 +10:00