Commit Graph

274 Commits

Author SHA1 Message Date
djm@openbsd.org
734f2f83f5 upstream: mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25 17:04:14 +11:00
naddy@openbsd.org
141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
dtucker@openbsd.org
bc2dc091e0 upstream: "Forward security" -> "Forward secrecy" since that's the
correct term. Add "MAC" since we use that acronym in other man pages.  ok
naddy@

OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
2019-12-20 14:25:08 +11:00
naddy@openbsd.org
e905f7260d upstream: cut obsolete lists of crypto algorithms from outline of
how SSH works ok markus@ jmc@

OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
2019-12-20 14:25:08 +11:00
jmc@openbsd.org
483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
djm@openbsd.org
2e71263b80 upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org
e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
naddy@openbsd.org
aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
dtucker@openbsd.org
01c98d9661 upstream: Switch authorized_keys example from ssh-dss to ssh-rsa
since the former is no longer enabled by default.  Pointed out by Daniel A.
Maierhofer, ok jmc

OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7
2018-07-26 13:54:30 +10:00
jmc@openbsd.org
f535ff922a upstream: spelling;
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-26 08:30:43 +10:00
djm@openbsd.org
87ddd676da upstream: allow bare port numbers to appear in PermitListen directives,
e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-19 13:00:50 +10:00
jmc@openbsd.org
6ff6fda705 upstream: tweak previous;
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-09 13:10:59 +10:00
djm@openbsd.org
803d896ef3 upstream: man bits for permitlisten authorized_keys option
OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
2018-06-07 04:27:21 +10:00
Damien Miller
10479cc2a4 Many typo fixes from Karsten Weiss
Spotted using https://github.com/lucasdemarchi/codespell
2018-04-10 10:19:02 +10:00
jmc@openbsd.org
037fdc1dc2 upstream: sort expiry-time;
OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
2018-03-14 18:55:33 +11:00
djm@openbsd.org
abc0fa38c9 upstream: rename recently-added "valid-before" key restriction to
"expiry-time" as the former is confusing wrt similar terminology in X.509;
pointed out by jsing@

OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
2018-03-14 18:55:33 +11:00
djm@openbsd.org
bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
dtucker@openbsd.org
055e09e221 upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18
bumped the minimum from 768 to 1024, update man page accordingly.

OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
2018-03-04 12:48:08 +11:00
djm@openbsd.org
88c50a5ae2 upstream: stop loading DSA keys by default, remove sshd_config
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-16 13:35:28 +11:00
djm@openbsd.org
2b428f90ea upstream commit
I accidentially a word

OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a
2018-02-07 07:50:46 +11:00
dtucker@openbsd.org@openbsd.org
0208a48517 upstream commit
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.  ok djm@, man page help jmc@

OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
2017-11-03 16:20:41 +11:00
djm@openbsd.org
68af80e6fd upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25 12:26:21 +11:00
jmc@openbsd.org
e2004d4bb7 upstream commit
word fix;

Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5
2017-06-24 16:49:46 +10:00
djm@openbsd.org
6f8ca3b925 upstream commit
use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@

Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
2017-06-24 16:48:39 +10:00
djm@openbsd.org
acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
dtucker@openbsd.org
6ba9f89383 upstream commit
Small correction to the known_hosts section on when it is
updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
sdf.org

Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
2017-02-03 14:23:24 +11:00
djm@openbsd.org
fd6dcef203 upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30 19:44:01 +11:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org
ffe6549c2f upstream commit
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples.  ok jmc@

Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-23 13:28:30 +10:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org
deae7d52d5 upstream commit
mention internal DH-GEX fallback groups; bz#2302

Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
2016-02-08 21:58:29 +11:00
djm@openbsd.org
383f10fb84 upstream commit
Add a new authorized_keys option "restrict" that
 includes all current and future key restrictions (no-*-forwarding, etc). Also
 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
 This simplifies the task of setting up restricted keys and ensures they are
 maximally-restricted, regardless of any permissions we might implement in the
 future.

Example:

restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...

Idea from Jann Horn; ok markus@

Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
2015-11-16 11:31:41 +11:00
djm@openbsd.org
2bca8a43e7 upstream commit
more clarity on what AuthorizedKeysFile=none does; based
 on diff by Thiebaud Weksteen

Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-09-11 13:28:01 +10:00
djm@openbsd.org
933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
djm@openbsd.org
8d4d1bfddb upstream commit
mention that the user's shell from /etc/passwd is used
 for commands too; bz#1459 ok dtucker@
2015-05-10 11:35:07 +10:00
bentley@openbsd.org
da8af83d3f upstream commit
Reduce instances of `` '' in manuals.

troff displays these as typographic quotes, but nroff implementations
almost always print them literally, which rarely has the intended effect
with modern fonts, even in stock xterm.

These uses of `` '' can be replaced either with more semantic alternatives
or with Dq, which prints typographic quotes in a UTF-8 locale (but will
automatically fall back to `` '' in an ASCII locale).

improvements and ok schwarze@
2014-11-17 11:19:33 +11:00
sobrado@openbsd.org
f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller
72e6b5c9ed - djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@
2014-07-04 09:00:04 +10:00
Damien Miller
69cb24b735 - tedu@cvs.openbsd.org 2014/04/19 18:15:16
[sshd.8]
     remove some really old rsh references
2014-04-20 13:29:06 +10:00
Damien Miller
f2719b7c2b - tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
2014-04-20 13:22:18 +10:00
Damien Miller
8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller
a7827c11b3 - jmc@cvs.openbsd.org 2013/12/06 15:29:07
[sshd.8]
     missing comma;
2013-12-07 11:24:30 +11:00
Damien Miller
5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller
6901032b05 - dtucker@cvs.openbsd.org 2013/04/07 09:40:27
[sshd.8]
     clarify -e text. suggested by & ok jmc@
2013-04-23 15:21:24 +10:00
Damien Miller
03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Darren Tucker
427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Damien Miller
b9902cf6f6 - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
     Remove mention of 'three' key files since there are now four.  From
     Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Darren Tucker
fbcf827559 - (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
     [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
     to match.  Feedback and ok djm@ markus@.
2012-05-19 19:37:01 +10:00
Darren Tucker
1338b9e067 - dtucker@cvs.openbsd.org 2011/09/23 00:22:04
[channels.c auth-options.c servconf.c channels.h sshd.8]
     Add wildcard support to PermitOpen, allowing things like "PermitOpen
     localhost:*".  bz #1857, ok djm markus.
2011-10-02 18:57:35 +11:00