Commit Graph

120 Commits

Author SHA1 Message Date
Damien Miller
393821ad72 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
[ssh-agent.1 sshd_config.5]
     mark up angle brackets;
2006-07-24 14:04:53 +10:00
Damien Miller
65bc2c4028 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
[sshd_config.5]
     tweak; ok dtucker
2006-07-24 14:04:16 +10:00
Damien Miller
9b439df18a - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option.  Allows server admin to allow TCP port
     forwarding only two specific host/port pairs.  Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.
2006-07-24 14:04:00 +10:00
Damien Miller
d04f357ac2 - jmc@cvs.openbsd.org 2006/07/12 13:39:55
[sshd_config.5]
      - new sentence, new line
      - s/The the/The/
      - kill a bad comma
2006-07-24 13:46:50 +10:00
Darren Tucker
4515047e47 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
     Add support for conditional directives to sshd_config via a "Match"
     keyword, which works similarly to the "Host" directive in ssh_config.
     Lines after a Match line override the default set in the main section
     if the condition on the Match line is true, eg
     AllowTcpForwarding yes
     Match User anoncvs
             AllowTcpForwarding no
     will allow port forwarding by all users except "anoncvs".
     Currently only a very small subset of directives are supported.
     ok djm@
2006-07-12 22:34:17 +10:00
Damien Miller
917f9b6b6e - djm@cvs.openbsd.org 2006/07/06 10:47:05
[servconf.c servconf.h session.c sshd_config.5]
     support arguments to Subsystem commands; ok markus@
2006-07-10 20:36:47 +10:00
Damien Miller
991dba43e1 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
     more details and clarity for tun(4) device forwarding; ok and help
     jmc@
2006-07-10 20:16:27 +10:00
Damien Miller
cc3e8ba3c2 - markus@cvs.openbsd.org 2006/03/14 16:32:48
[ssh_config.5 sshd_config.5]
     *AliveCountMax applies to protcol v2 only; ok dtucker, djm
2006-03-15 12:06:55 +11:00
Damien Miller
306d118f72 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
[misc.c ssh_config.5 sshd_config.5]
     Allow config directives to contain whitespace by surrounding them by double
     quotes.  mindrot #482, man page help from jmc@, ok djm@
2006-03-15 12:05:59 +11:00
Damien Miller
e3beba231a - jmc@cvs.openbsd.org 2006/02/26 18:01:13
[sshd_config.5]
     subsection is pointless here;
2006-03-15 11:59:25 +11:00
Damien Miller
ac73e51390 - jmc@cvs.openbsd.org 2006/02/25 12:28:34
[sshd_config.5]
     document the order in which allow/deny directives are processed;
     help/ok dtucker
2006-03-15 11:58:49 +11:00
Damien Miller
f4f22b54c0 - jmc@cvs.openbsd.org 2006/02/24 23:51:17
[sshd_config.5]
     oops - bits i missed;
2006-03-15 11:57:25 +11:00
Damien Miller
5b0d63f894 - jmc@cvs.openbsd.org 2006/02/24 23:43:57
[sshd_config.5]
     some grammar/wording fixes;
2006-03-15 11:56:56 +11:00
Damien Miller
208f1ed6f1 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     more consistency fixes;
2006-03-15 11:56:03 +11:00
Damien Miller
1faa713323 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
[ssh-keysign.8 ssh_config.5 sshd_config.5]
     some consistency fixes;
2006-03-15 11:55:31 +11:00
Damien Miller
0c2079d81f - jmc@cvs.openbsd.org 2006/02/24 10:33:54
[sshd_config.5]
     signpost to PATTERNS;
2006-03-15 11:54:21 +11:00
Darren Tucker
a4904f7bf1 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
reality.  Pointed out by tryponraj at gmail.com.
2006-02-23 21:35:30 +11:00
Damien Miller
b797770da2 - (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2006/01/02 17:09:49
     [ssh_config.5 sshd_config.5]
     some corrections from michael knudsen;
2006-01-03 18:47:31 +11:00
Damien Miller
7b58e80036 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
     [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
     two changes to the new ssh tunnel support. this breaks compatibility
     with the initial commit but is required for a portable approach.
     - make the tunnel id u_int and platform friendly, use predefined types.
     - support configuration of layer 2 (ethernet) or layer 3
     (point-to-point, default) modes. configuration is done using the
     Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
     restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
     in sshd_config(5).
     ok djm@, man page bits by jmc@
2005-12-13 19:33:19 +11:00
Damien Miller
d27b947178 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
     [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
     [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
     [sshconnect.h sshd.8 sshd_config sshd_config.5]
     Add support for tun(4) forwarding over OpenSSH, based on an idea and
     initial channel code bits by markus@. This is a simple and easy way to
     use OpenSSH for ad hoc virtual private network connections, e.g.
     administrative tunnels or secure wireless access. It's based on a new
     ssh channel and works similar to the existing TCP forwarding support,
     except that it depends on the tun(4) network interface on both ends of
     the connection for layer 2 or layer 3 tunneling. This diff also adds
     support for LocalCommand in the ssh(1) client.

     ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-12-13 19:29:02 +11:00
Darren Tucker
e2dd2d5baa - djm@cvs.openbsd.org 2005/09/21 23:36:54
[sshd_config.5]
     aquire -> acquire, from stevesk@
2005-10-03 18:19:06 +10:00
Damien Miller
9786e6e2a0 - markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
     [sshconnect2.c sshd.c sshd_config sshd_config.5]
     add a new compression method that delays compression until the user
     has been authenticated successfully and set compression to 'delayed'
     for sshd.
     this breaks older openssh clients (< 3.5) if they insist on
     compression, so you have to re-enable compression in sshd_config.
     ok djm@
2005-07-26 21:54:56 +10:00
Damien Miller
3710f278ae - djm@cvs.openbsd.org 2005/05/23 23:32:46
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
     add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
     ok markus@
2005-05-26 12:19:17 +10:00
Damien Miller
1594ad5a78 - djm@cvs.openbsd.org 2005/05/19 02:39:55
[sshd_config.5]
     sort config options, from grunk AT pestilenz.org; ok jmc@
2005-05-26 12:12:19 +10:00
Damien Miller
167ea5d026 - djm@cvs.openbsd.org 2005/04/21 06:17:50
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
     [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
     variable, so don't say that we do (bz #623); ok deraadt@
2005-05-26 12:04:02 +10:00
Darren Tucker
83d5a9866d - jmc@cvs.openbsd.org 2005/03/18 17:05:00
[sshd_config.5]
     typo;
2005-03-31 21:33:50 +10:00
Damien Miller
f91ee4c3de - djm@cvs.openbsd.org 2005/03/01 10:09:52
[auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
     [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
     [sshd_config.5]
     bz#413: allow optional specification of bind address for port forwardings.
     Patch originally by Dan Astorian, but worked on by several people
     Adds GatewayPorts=clientspecified option on server to allow remote
     forwards to bind to client-specified ports.
2005-03-01 21:24:33 +11:00
Darren Tucker
9dca099aec - (dtucker) [sshd_config.5] Bug #701: remove warning about
keyboard-interactive since this is no longer the case.
2005-02-01 19:16:45 +11:00
Darren Tucker
b3509014ce - jmc@cvs.openbsd.org 2005/01/08 00:41:19
[sshd_config.5]
     `login'(n) -> `log in'(v);
2005-01-20 11:01:46 +11:00
Darren Tucker
0f38323222 - djm@cvs.openbsd.org 2004/12/23 23:11:00
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
     bz #898: support AddressFamily in sshd_config. from
     peak@argo.troja.mff.cuni.cz; ok deraadt@
2005-01-20 10:57:56 +11:00
Darren Tucker
7cc5c23817 - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
[sshd_config.5]
     mention PrintLastLog only prints last login time for interactive
     sessions, like PrintMotd mentions.
     From Michael Knudsen, with wording changed slightly to match the
     PrintMotd description.
     ok djm
2004-11-05 20:06:59 +11:00
Damien Miller
26213e556b - jmc@cvs.openbsd.org 2004/06/26 09:14:40
[sshd_config.5]
     new sentence, new line;
2004-06-30 22:39:34 +10:00
Damien Miller
05202ffe21 - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
[ssh.1 ssh_config.5 sshd_config.5]
     List supported ciphers in man pages, tidy up ssh -c;
     "looks fine" jmc@, ok markus@
2004-06-15 10:30:39 +10:00
Darren Tucker
89413dbafa - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
2004-05-24 10:36:23 +10:00
Darren Tucker
1dcff9a3a8 - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
UsePAM section.  Parts from djm@ and jmc@.
2004-05-13 16:51:40 +10:00
Darren Tucker
b2a601cc99 - jmc@cvs.openbsd.org 2004/04/28 07:02:56
[sshd_config.5]
     remove unnecessary .Pp;
2004-05-02 22:13:20 +10:00
Darren Tucker
1e0c9bf9fb - djm@cvs.openbsd.org 2004/04/28 05:17:10
[ssh_config.5 sshd_config.5]
     manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
2004-05-02 22:12:48 +10:00
Darren Tucker
46bc075474 - djm@cvs.openbsd.org 2004/04/27 09:46:37
[readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
     ssh_config.5 sshd_config.5]
     bz #815: implement ability to pass specified environment variables from
     the client to the server; ok markus@
2004-05-02 22:11:30 +10:00
Darren Tucker
96cc26b614 - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
from bug #701 (text from jfh at cise.ufl.edu).
2004-04-14 13:04:35 +10:00
Damien Miller
8448e66770 - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
[sshd_config.5]
     Document KerberosGetAFSToken;  ok markus@
2004-03-08 23:13:15 +11:00
Damien Miller
05a75b6e5b - jmc@cvs.openbsd.org 2004/02/17 19:35:21
[sshd_config.5]
     remove cruft left over from RhostsAuthentication removal;
     ok markus@
2004-02-18 14:31:23 +11:00
Damien Miller
12c150e7e0 - markus@cvs.openbsd.org 2003/12/09 21:53:37
[readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
     [ssh_config.5 sshconnect.c sshd.c sshd_config.5]
     rename keepalive to tcpkeepalive; the old name causes too much
     confusion; ok djm, dtucker; with help from jmc@
2003-12-17 16:31:10 +11:00
Damien Miller
a8e06cef35 - djm@cvs.openbsd.org 2003/11/21 11:57:03
[everything]
     unexpand and delete whitespace at EOL; ok markus@
     (done locally and RCS IDs synced)
2003-11-21 23:48:55 +11:00
Darren Tucker
6c0c0705e3 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ 2003-10-09 14:13:53 +10:00
Damien Miller
9b7b03b270 - markus@cvs.openbsd.org 2003/09/01 09:50:04
[sshd_config.5]
     gss kex is not supported; sxw@inf.ed.ac.uk
2003-09-02 22:57:05 +10:00
Damien Miller
1a0c0b9621 - markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
     [sshconnect1.c sshd.c sshd_config sshd_config.5]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-09-02 22:51:17 +10:00
Darren Tucker
0efd155c3c - markus@cvs.openbsd.org 2003/08/22 10:56:09
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
     support GSS API user authentication; patches from Simon Wilkinson,
     stripped down and tested by Jakob and myself.
2003-08-26 11:49:55 +10:00
Darren Tucker
ec960f2c93 - markus@cvs.openbsd.org 2003/08/13 08:46:31
[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
     fgsch@, miod@, henning@, jakob@ and others
2003-08-13 20:37:05 +10:00
Darren Tucker
6aaa58c470 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22
     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
     test+ok henning@
 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.

I hope I got this right....
2003-08-02 22:24:49 +10:00
Darren Tucker
91cf261bd5 20030622
- (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/06/20 05:47:58
     [sshd_config.5]
     sync description of protocol 2 cipher proposal; ok markus
2003-06-22 20:46:53 +10:00
Damien Miller
f1ce505daf - jmc@cvs.openbsd.org 2003/06/10 09:12:11
[scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
     [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
     - section reorder
     - COMPATIBILITY merge
     - macro cleanup
     - kill whitespace at EOL
     - new sentence, new line
     ssh pages ok markus@
2003-06-11 22:04:39 +10:00
Damien Miller
3a961dc0d3 - (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too
2003-06-03 10:25:48 +10:00
Damien Miller
fbf486b4a6 - jmc@cvs.openbsd.org 2003/05/20 12:09:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
     new sentence, new line
2003-05-23 18:44:23 +10:00
Damien Miller
2e193e29f0 Put in alphabetical order 2003-05-14 15:13:03 +10:00
Damien Miller
4e448a31ae - (djm) Add new UsePAM configuration directive to allow runtime control
over usage of PAM. This allows non-root use of sshd when built with
   --with-pam
2003-05-14 15:11:48 +10:00
Damien Miller
049245d260 - mouring@cvs.openbsd.org 2003/04/30 01:16:20
[sshd.8 sshd_config.5]
     Escape ?, * and ! in .Ql for nroff compatibility.  OpenSSH Portable
     Bug #550 and * escaping suggested by jmc@.
2003-05-14 13:44:42 +10:00
Damien Miller
495dca3518 - (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
     [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
     [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
     - killed whitespace
     - new sentence new line
     - .Bk for arguments
     ok markus@
2003-04-01 21:42:14 +10:00
Damien Miller
5a93add673 - (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/01/23 08:58:47
     [sshd_config.5]
     typos; ok millert@
2003-01-24 11:34:52 +11:00
Damien Miller
101c4a7bc9 - stevesk@cvs.openbsd.org 2002/09/16 20:12:11
[sshd_config.5]
     more details on X11Forwarding security issues and threats; ok markus@
2002-09-19 11:51:21 +10:00
Damien Miller
c13486300d - (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2002/09/04 18:52:42
     [servconf.c sshd.8 sshd_config.5]
     default LoginGraceTime to 2m; 1m may be too short for slow systems.
     ok markus@
2002-09-05 14:35:14 +10:00
Damien Miller
05913badf3 - stevesk@cvs.openbsd.org 2002/08/29 22:54:10
[ssh_config.5 sshd_config.5]
     state XAuthLocation is a full pathname
2002-09-04 16:51:03 +10:00
Damien Miller
f771ab75f0 - stevesk@cvs.openbsd.org 2002/08/21 19:38:06
[servconf.c sshd.8 sshd_config sshd_config.5]
     change LoginGraceTime default to 1 minute; ok mouring@ markus@
2002-09-04 16:25:52 +10:00
Ben Lindstrom
bd9bf38b00 - stevesk@cvs.openbsd.org 2002/08/12 17:30:35
[ssh.1 sshd.8 sshd_config.5]
     more PermitUserEnvironment; ok markus@
2002-08-20 18:54:20 +00:00
Ben Lindstrom
15b6120e63 - stevesk@cvs.openbsd.org 2002/08/09 17:41:12
[sshd_config.5]
     proxy vs. fake display
2002-08-20 18:44:24 +00:00
Ben Lindstrom
1f8cf4f4fb - stevesk@cvs.openbsd.org 2002/08/09 17:21:42
[sshd_config.5]
     use Op for mdoc conformance; from esr@golux.thyrsus.com
     ok aaron@
2002-08-20 18:43:27 +00:00
Ben Lindstrom
5d860f02ca - markus@cvs.openbsd.org 2002/07/30 17:03:55
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
     add PermitUserEnvironment (off by default!); from dot@dotat.at;
     ok provos, deraadt
2002-08-01 01:28:38 +00:00
Ben Lindstrom
9c44554a41 - stevesk@cvs.openbsd.org 2002/07/09 17:46:25
[sshd_config.5]
     clarify no preference ordering in protocol list; ok markus@
2002-07-11 03:59:18 +00:00
Damien Miller
136d4418e3 - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
<nalin@redhat.com>
2002-06-26 23:05:16 +10:00
Ben Lindstrom
959de99aa0 - stevesk@cvs.openbsd.org 2002/06/22 16:45:29
[ssh-agent.1 sshd.8 sshd_config.5]
     use process ID vs. pid/PID/process identifier
2002-06-23 00:35:25 +00:00
Ben Lindstrom
9f04903c50 - stevesk@cvs.openbsd.org 2002/06/20 19:56:07
[ssh.1 sshd.8]
     move configuration file options from ssh.1/sshd.8 to
     ssh_config.5/sshd_config.5; ok deraadt@ millert@
2002-06-21 00:59:05 +00:00