Commit Graph

126 Commits

Author SHA1 Message Date
Darren Tucker
7bd98e7f74 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 10:31:12 +11:00
Darren Tucker
98e5d9a0d3 - jmc@cvs.openbsd.org 2009/12/29 18:03:32
[sshd_config.5 ssh_config.5]
     sort previous;
2010-01-08 18:57:39 +11:00
Darren Tucker
535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker
78be8c54d6 - djm@cvs.openbsd.org 2009/11/10 02:56:22
[ssh_config.5]
     explain the constraints on LocalCommand some more so people don't
     try to abuse it.
2010-01-08 17:05:59 +11:00
Darren Tucker
34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
bad5076bb5 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
     disable protocol 1 by default (after a transition period of about 10 years)
     ok deraadt
2009-10-11 21:51:08 +11:00
Damien Miller
1991384764 - djm@cvs.openbsd.org 2009/02/22 23:50:57
[ssh_config.5 sshd_config.5]
     don't advertise experimental options
2009-02-23 10:53:58 +11:00
Damien Miller
e379e10837 - jmc@cvs.openbsd.org 2009/02/12 07:34:20
[ssh_config.5]
     kill trailing whitespace;
2009-02-14 16:34:39 +11:00
Damien Miller
85c6d8a991 - djm@cvs.openbsd.org 2009/02/12 03:46:17
[ssh_config.5]
     document RemoteForward usage with 0 listen port
2009-02-14 16:34:21 +11:00
Damien Miller
9aa72ba57a - naddy@cvs.openbsd.org 2009/01/24 17:10:22
[ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
2009-01-28 16:34:00 +11:00
Damien Miller
01ed2272a1 - djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@
2008-11-05 16:20:46 +11:00
Damien Miller
a414cd3b19 - stevesk@cvs.openbsd.org 2008/10/17 18:36:24
[ssh_config.5]
     correct and clarify VisualHostKey; ok jmc@
2008-11-03 19:25:21 +11:00
Damien Miller
de7532e1d4 - stevesk@cvs.openbsd.org 2008/10/10 16:43:27
[ssh_config.5]
     use 'Privileged ports can be forwarded only when logging in as root on
     the remote machine.' for RemoteForward just like ssh.1 -R.
     ok djm@ jmc@
2008-11-03 19:24:45 +11:00
Damien Miller
fa51b1626c - krw@cvs.openbsd.org 2008/08/02 04:29:51
[ssh_config.5]
     whitepsace -> whitespace. From Matthew Clarke via bugs@.
2008-11-03 19:17:33 +11:00
Damien Miller
1028824e5c - grunk@cvs.openbsd.org 2008/06/26 11:46:31
[readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c]
     Move SSH Fingerprint Visualization away from sharing the config option
     CheckHostIP to an own config option named VisualHostKey.
     While there, fix the behaviour that ssh would draw a random art picture
     on every newly seen host even when the option was not enabled.
     prodded by deraadt@, discussions,
     help and ok markus@ djm@ dtucker@
2008-06-30 00:04:03 +10:00
Darren Tucker
f09e825329 - jmc@cvs.openbsd.org 2008/06/12 19:10:09
[ssh_config.5 ssh-keygen.1]
     tweak the ascii art text; ok grunk
2008-06-13 05:18:03 +10:00
Darren Tucker
f6b01b758f - dtucker@cvs.openbsd.org 2008/06/12 16:35:31
[ssh_config.5 ssh.c]
     keyword expansion for localcommand.  ok djm@
2008-06-13 04:56:37 +10:00
Darren Tucker
dcc1ab5483 - grunk@cvs.openbsd.org 2008/06/11 23:03:56
[ssh_config.5]
     CheckHostIP set to ``fingerprint'' will display both hex and random art
     spotted by naddy@
2008-06-13 04:44:25 +10:00
Darren Tucker
9c16ac9263 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
      sshconnect.c]
     Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
     graphical hash visualization schemes known as "random art", and by
     Dan Kaminsky's musings on the subject during a BlackOp talk at the
     23C3 in Berlin.
     Scientific publication (original paper):
     "Hash Visualization: a New Technique to improve Real-World Security",
     Perrig A. and Song D., 1999, International Workshop on Cryptographic
     Techniques and E-Commerce (CrypTEC '99)
     http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
     The algorithm used here is a worm crawling over a discrete plane,
     leaving a trace (augmenting the field) everywhere it goes.
     Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
     makes the respective movement vector be ignored for this turn,
     thus switching to the other color of the chessboard.
     Graphs are not unambiguous for now, because circles in graphs can be
     walked in either direction.
     discussions with several people,
     help, corrections and ok markus@ djm@
2008-06-13 04:40:35 +10:00
Darren Tucker
c9807e825a - dtucker@cvs.openbsd.org 2008/06/10 18:21:24
[ssh_config.5]
     clarify that Host patterns are space-separated.  ok deraadt
2008-06-11 09:33:01 +10:00
Darren Tucker
63b31cb943 - jmc@cvs.openbsd.org 2007/10/29 07:48:19
[ssh_config.5]
     clean up after previous macro removal;
2007-12-02 23:09:30 +11:00
Darren Tucker
a93cadd3d4 - dtucker@cvs.openbsd.org 2007/10/29 06:51:59
[ssh_config.5]
     ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@
2007-12-02 23:05:09 +11:00
Damien Miller
cfb606cd5f - djm@cvs.openbsd.org 2007/09/21 03:05:23
[ssh_config.5]
     document KbdInteractiveAuthentication in ssh_config.5;
     patch from dkg AT fifthhorseman.net
2007-10-26 14:24:48 +10:00
Darren Tucker
fc5d188b34 - stevesk@cvs.openbsd.org 2007/08/15 12:13:41
[ssh_config.5]
     tun device forwarding now honours ExitOnForwardFailure; ok markus@
2007-08-15 22:20:22 +10:00
Damien Miller
5e7c30bdf1 - jmc@cvs.openbsd.org 2007/06/08 07:43:46
[ssh_config.5]
     put the MAC list into a display, like we do for ciphers,
     since groff has trouble handling wide lines;
2007-06-11 14:06:32 +10:00
Damien Miller
e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00
Darren Tucker
aa4d5eda10 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
     convert to new .Dd format;
     (We will need to teach mdoc2man.awk to understand this too.)
2007-06-05 18:27:13 +10:00
Darren Tucker
bf6b328f27 - jmc@cvs.openbsd.org 2007/01/10 13:23:22
[ssh_config.5]
     do not use a list for SYNOPSIS;
     this is actually part of a larger report sent by eric s. raymond
     and forwarded by brad, but i only read half of it. spotted by brad.
2007-02-19 22:08:17 +11:00
Damien Miller
858bb7dc7c - jmc@cvs.openbsd.org 2006/07/27 08:00:50
[ssh_config.5]
     avoid confusing wording in HashKnownHosts:
     originally spotted by alan amesbury;
     ok deraadt
2006-08-05 11:34:51 +10:00
Darren Tucker
e7d4b19f75 - markus@cvs.openbsd.org 2006/07/11 18:50:48
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
     channels.h readconf.c]
     add ExitOnForwardFailure: terminate the connection if ssh(1)
     cannot set up all requested dynamic, local, and remote port
     forwardings. ok djm, dtucker, stevesk, jmc
2006-07-12 22:17:10 +10:00
Damien Miller
991dba43e1 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
     more details and clarity for tun(4) device forwarding; ok and help
     jmc@
2006-07-10 20:16:27 +10:00
Damien Miller
3c6ed7bbd5 - jmc@cvs.openbsd.org 2006/05/29 16:10:03
[ssh_config.5]
     oops - previous was too long; split the list of auths up
2006-06-13 13:01:41 +10:00
Damien Miller
658f945538 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
[ssh_config.5]
     Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
2006-06-13 13:00:55 +10:00
Damien Miller
dfc6183f13 - djm@cvs.openbsd.org 2006/03/31 09:13:56
[ssh_config.5]
     remote user escape is %r not %h; spotted by jmc@
2006-03-31 23:14:57 +11:00
Damien Miller
c6437cf00a - jmc@cvs.openbsd.org 2006/03/31 09:09:30
[ssh_config.5]
     kill trailing whitespace;
2006-03-31 23:14:41 +11:00
Damien Miller
6b1d53c2b0 - djm@cvs.openbsd.org 2006/03/30 10:41:25
[ssh.c ssh_config.5]
     add percent escape chars to the IdentityFile option, bz #1159 based
     on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
2006-03-31 23:13:21 +11:00
Damien Miller
cc3e8ba3c2 - markus@cvs.openbsd.org 2006/03/14 16:32:48
[ssh_config.5 sshd_config.5]
     *AliveCountMax applies to protcol v2 only; ok dtucker, djm
2006-03-15 12:06:55 +11:00
Damien Miller
306d118f72 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
[misc.c ssh_config.5 sshd_config.5]
     Allow config directives to contain whitespace by surrounding them by double
     quotes.  mindrot #482, man page help from jmc@, ok djm@
2006-03-15 12:05:59 +11:00
Damien Miller
4aea974a1d - jmc@cvs.openbsd.org 2006/02/26 18:03:10
[ssh_config.5]
     comma;
2006-03-15 11:59:39 +11:00
Damien Miller
b5282c2f06 - jmc@cvs.openbsd.org 2006/02/26 17:17:18
[ssh_config.5]
     move PATTERNS to the end of the main body; requested by dtucker
2006-03-15 11:59:08 +11:00
Damien Miller
9cfbaecb64 - jmc@cvs.openbsd.org 2006/02/25 12:26:17
[ssh_config.5]
     document the possible values for KbdInteractiveDevices;
2006-03-15 11:57:55 +11:00
Damien Miller
45ee2b91e6 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
[ssh_config.5]
     some grammar/wording fixes;
2006-03-15 11:56:18 +11:00
Damien Miller
208f1ed6f1 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     more consistency fixes;
2006-03-15 11:56:03 +11:00
Damien Miller
1faa713323 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
[ssh-keysign.8 ssh_config.5 sshd_config.5]
     some consistency fixes;
2006-03-15 11:55:31 +11:00
Damien Miller
f54a4b9da5 - jmc@cvs.openbsd.org 2006/02/24 10:37:07
[ssh_config.5]
     tidy up the refs to PATTERNS;
2006-03-15 11:54:36 +11:00
Damien Miller
6def55171f - jmc@cvs.openbsd.org 2006/02/24 10:25:14
[ssh_config.5]
     add section on patterns;
     from dtucker + myself
2006-03-15 11:54:05 +11:00
Damien Miller
5c853b531f - jmc@cvs.openbsd.org 2006/02/19 20:12:25
[ssh_config.5]
     add some vertical space;
2006-03-15 11:37:02 +11:00
Damien Miller
20c2ec48c3 - jmc@cvs.openbsd.org 2006/02/12 10:49:44
[ssh_config.5]
     slight rewording; ok djm
2006-03-15 11:31:01 +11:00
Damien Miller
3ec54c7e58 - djm@cvs.openbsd.org 2006/02/12 06:45:34
[ssh.c ssh_config.5]
     add a %l expansion code to the ControlPath, which is filled in with the
     local hostname at runtime. Requested by henning@ to avoid some problems
     with /home on NFS; ok dtucker@
2006-03-15 11:30:13 +11:00