Commit Graph

256 Commits

Author SHA1 Message Date
Damien Miller
1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller
15f5b560b1 - jmc@cvs.openbsd.org 2010/02/26 22:09:28
[ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
2010-03-03 10:25:21 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller
d400da5ba8 - jmc@cvs.openbsd.org 2010/02/11 13:23:29
[ssh.1]
     libarary -> library;
2010-02-12 09:26:23 +11:00
Damien Miller
a761844455 - markus@cvs.openbsd.org 2010/02/10 23:20:38
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
     pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00
Damien Miller
048dc93617 - jmc@cvs.openbsd.org 2010/02/08 22:03:05
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
     tweak previous; ok markus
2010-02-12 09:22:04 +11:00
Damien Miller
7ea845e48d - markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
2010-02-12 09:21:02 +11:00
Darren Tucker
7ad8dd21da - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
[ssh_config channels.c ssh.1 channels.h ssh.c]
     Add a 'netcat mode' (ssh -W).  This connects stdio on the client to a
     single port forward on the server.  This allows, for example, using ssh as
     a ProxyCommand to route connections via intermediate servers.
     bz #1618, man page help from jmc@, ok markus@
2010-01-12 19:40:27 +11:00
Darren Tucker
7bd98e7f74 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 10:31:12 +11:00
Darren Tucker
535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker
34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker
98c9aec30e - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
[ssh-agent.1 ssh-add.1 ssh.1]
     write UNIX-domain in a more consistent way; while here, replace a
     few remaining ".Tn UNIX" macros with ".Ux" ones.
     pointed out by ratchov@, thanks!
     ok jmc@
2009-10-24 11:42:44 +11:00
Darren Tucker
ae69e1d010 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
[ssh.1 ssh-agent.1 ssh-add.1]
     use the UNIX-related macros (.At and .Ux) where appropriate.
     ok jmc@
2009-10-24 11:41:34 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
3a6a51f387 - jmc@cvs.openbsd.org 2009/03/19 15:15:09
[ssh.1]
     for "Ciphers", just point the reader to the keyword in ssh_config(5), just
     as we do for "MACs": this stops us getting out of sync when the lists
     change;
     fixes documentation/6102, submitted by Peter J. Philipp
     alternative fix proposed by djm
     ok markus
2009-06-21 17:48:52 +10:00
Damien Miller
65fa4cab4c - djm@cvs.openbsd.org 2009/02/12 03:44:25
[ssh.1]
     consistency: Dq => Ql
2009-02-14 16:34:05 +11:00
Damien Miller
e2f4cc5016 - djm@cvs.openbsd.org 2009/02/12 03:42:09
[ssh.1]
     document -R0:... usage
2009-02-14 16:33:49 +11:00
Darren Tucker
63917bd0da - tobias@cvs.openbsd.org 2008/11/09 12:34:47
[session.c ssh.1]
     typo fixed (overriden -> overridden)
     ok espie, jmc
2008-11-11 16:33:48 +11:00
Damien Miller
0164cb8a87 - stevesk@cvs.openbsd.org 2008/11/05 03:23:09
[clientloop.c ssh.1]
     add dynamic forward escape command line; ok djm@
2008-11-05 16:30:31 +11:00
Damien Miller
e272a5bb29 - djm@cvs.openbsd.org 2008/10/08 23:34:03
[ssh.1 ssh.c]
     Add -y option to force logging via syslog rather than stderr.
     Useful for daemonised ssh connection (ssh -f). Patch originally from
     and ok'd by markus@
2008-11-03 19:22:37 +11:00
Darren Tucker
9a2a60986b - djm@cvs.openbsd.org 2008/07/02 13:47:39
[ssh.1 ssh.c]
     When forking after authentication ("ssh -f") with ExitOnForwardFailure
     enabled, delay the fork until after replies for any -R forwards have
     been seen. Allows for robust detection of -R forward failure when
     using -f (similar to bz#92); ok dtucker@
2008-07-04 12:53:50 +10:00
Damien Miller
8639920a9b - jmc@cvs.openbsd.org 2008/06/26 21:11:46
[ssh.1]
     add VisualHostKey to the list of options listed in -o;
2008-06-30 00:04:31 +10:00
Damien Miller
1028824e5c - grunk@cvs.openbsd.org 2008/06/26 11:46:31
[readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c]
     Move SSH Fingerprint Visualization away from sharing the config option
     CheckHostIP to an own config option named VisualHostKey.
     While there, fix the behaviour that ssh would draw a random art picture
     on every newly seen host even when the option was not enabled.
     prodded by deraadt@, discussions,
     help and ok markus@ djm@ dtucker@
2008-06-30 00:04:03 +10:00
Darren Tucker
f6bffb1391 - grunk@cvs.openbsd.org 2008/06/13 20:13:26
[ssh.1]
     Explain the use of SSH fpr visualization using random art, and cite the
     original scientific paper inspiring that technique.
     Much help with English and nroff by jmc@, thanks.
2008-06-14 09:04:26 +10:00
Damien Miller
5447eb2454 - jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
     bump Mdocdate for pages committed in "febuary", necessary because
     of a typo in rcs.c;
2008-03-27 10:50:21 +11:00
Damien Miller
520e61552a - mcbride@cvs.openbsd.org 2008/02/09 12:15:43
[ssh.1 sshd.8]
     Document the correct permissions for the ~/.ssh/ directory.
     ok jmc
2008-02-10 22:46:22 +11:00
Damien Miller
eb602474fc - djm@cvs.openbsd.org 2008/01/19 19:13:28
[ssh.1]
     satisfy the pedants: -q does not suppress all diagnostic messages (e.g.
     some commandline parsing warnings go unconditionally to stdout).
2008-02-10 22:21:28 +11:00
Darren Tucker
0409e15078 - jmc@cvs.openbsd.org 2007/06/12 13:43:55
[ssh.1]
     add -K to SYNOPSIS;
2007-06-13 00:00:58 +10:00
Darren Tucker
415bddc1bd - djm@cvs.openbsd.org 2007/06/12 11:15:17
[ssh.c ssh.1]
     Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
     GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
     and is useful for hosts with /home on Kerberised NFS; bz #1312
     patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
2007-06-12 23:43:16 +10:00
Damien Miller
e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00
Darren Tucker
aa4d5eda10 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
     convert to new .Dd format;
     (We will need to teach mdoc2man.awk to understand this too.)
2007-06-05 18:27:13 +10:00
Damien Miller
c0367fb0d2 - markus@cvs.openbsd.org 2006/12/11 21:25:46
[ssh-keygen.1 ssh.1]
     add rfc 4716 (public key format); ok jmc
2007-01-05 16:25:46 +11:00
Damien Miller
3975ee2c3c - (djm) OpenBSD CVS Sync
- otto@cvs.openbsd.org 2006/10/28 18:08:10
     [ssh.1]
     correct/expand example of usage of -w; ok jmc@ stevesk@
2006-11-05 05:31:33 +11:00
Darren Tucker
ffe88e15af - ray@cvs.openbsd.org 2006/09/25 04:55:38
[ssh-keyscan.1 ssh.1]
     Change "a SSH" to "an SSH".  Hurray, I'm not the only one who
     pronounces "SSH" as "ess-ess-aich".
     OK jmc@ and stevesk@.
2006-10-18 07:53:06 +10:00
Darren Tucker
e7d4b19f75 - markus@cvs.openbsd.org 2006/07/11 18:50:48
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
     channels.h readconf.c]
     add ExitOnForwardFailure: terminate the connection if ssh(1)
     cannot set up all requested dynamic, local, and remote port
     forwardings. ok djm, dtucker, stevesk, jmc
2006-07-12 22:17:10 +10:00
Damien Miller
57e8ad3f5e - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
[clientloop.c ssh.1]
     use -KR[bind_address:]port here; ok djm@
2006-07-10 20:20:52 +10:00
Damien Miller
991dba43e1 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
     more details and clarity for tun(4) device forwarding; ok and help
     jmc@
2006-07-10 20:16:27 +10:00
Damien Miller
fbc94c857a - jmc@cvs.openbsd.org 2006/05/29 16:13:23
[ssh.1]
     add GSSAPI to the list of authentication methods supported;
2006-06-13 13:03:16 +10:00
Damien Miller
a1b3d636ab - jakob@cvs.openbsd.org 2006/03/22 21:16:24
[ssh.1]
     simplify SSHFP example; ok jmc@
2006-03-26 00:07:02 +11:00
Damien Miller
3e96d74274 - djm@cvs.openbsd.org 2006/03/16 04:24:42
[ssh.1]
     Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
     that OpenSSH supports
2006-03-25 23:39:29 +11:00
Damien Miller
208f1ed6f1 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     more consistency fixes;
2006-03-15 11:56:03 +11:00
Damien Miller
39a93a3305 - jmc@cvs.openbsd.org 2006/02/15 16:53:20
[ssh.1]
     remove the IETF draft references and replace them with some updated RFCs;
2006-03-15 11:34:45 +11:00
Damien Miller
e93eaaa0d1 - jmc@cvs.openbsd.org 2006/02/06 21:44:47
[ssh.1]
     make this a little less ambiguous...
2006-03-15 11:05:59 +11:00
Damien Miller
9f67a21de6 - msf@cvs.openbsd.org 2006/02/06 15:54:07
[ssh.1]
     - typo fix
     ok jmc@
2006-03-15 11:05:35 +11:00
Damien Miller
b5dd55cccc - jmc@cvs.openbsd.org 2006/01/30 13:37:49
[ssh.1]
     remove an incorrect sentence;
     reported by roumen petrov;
     ok djm markus
2006-01-31 21:47:58 +11:00
Damien Miller
bbc59094b9 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
[ssh.1]
     add a section on verifying host keys in dns;
     written with a lot of help from jakob;
     feedback dtucker/markus;
     ok markus
2006-01-31 21:46:51 +11:00
Darren Tucker
62388b2b63 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
[scp.1 ssh.1 ssh_config.5 sftp.1]
     Document RekeyLimit.  Based on patch from jan.iven at cern.ch from mindrot
     #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
2006-01-20 11:31:47 +11:00
Darren Tucker
248dd13c46 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
[ssh.1]
     add a section on ssh-based vpn, based on reyk's README.tun;
2006-01-20 11:30:58 +11:00
Darren Tucker
94299ec251 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
[ssh.1]
     correction from deraadt
2006-01-20 11:30:14 +11:00
Damien Miller
4a8dc9e297 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
[ssh.1]
     back out a sentence - AUTHENTICATION already documents this;
2006-01-14 10:10:31 +11:00