Commit Graph

256 Commits

Author SHA1 Message Date
djm@openbsd.org
f17ee61cad upstream commit
correct env var name

Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
2017-06-24 17:28:48 +10:00
jmc@openbsd.org
40962198e3 upstream commit
spelling;

Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
2017-06-24 17:28:48 +10:00
djm@openbsd.org
8f57495927 upstream commit
refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2017-06-24 16:56:11 +10:00
djm@openbsd.org
54cd41a466 upstream commit
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717

Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
2017-05-17 11:25:22 +10:00
djm@openbsd.org
acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
djm@openbsd.org
66705948c0 upstream commit
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
2017-03-15 11:09:18 +11:00
djm@openbsd.org
68bc8cfa76 upstream commit
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@

Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-02-04 10:08:15 +11:00
jmc@openbsd.org
a1187bd3ef upstream commit
keep the tokens list sorted;

Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
2017-01-30 11:05:18 +11:00
dtucker@openbsd.org
0999533014 upstream commit
Re-add '%k' token for AuthorizedKeysCommand which was
lost during the re-org in rev 1.235.  bz#2656, from jboning at gmail.com.

Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
2017-01-30 11:05:18 +11:00
djm@openbsd.org
7844f357cd upstream commit
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30 19:44:01 +11:00
markus@openbsd.org
f0ddedee46 upstream commit
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm

Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-11-24 16:07:26 +11:00
jmc@openbsd.org
aae4dbd4c0 upstream commit
tidy up the formatting in this file. more specifically,
replace .Dq, which looks appalling, with .Cm, where appropriate;

Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
2016-10-10 14:27:12 +11:00
djm@openbsd.org
4577adead6 upstream commit
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-29 06:54:50 +10:00
jmc@openbsd.org
de6a175a99 upstream commit
organise the token stuff into a separate section; ok
markus for an earlier version of the diff ok/tweaks djm

Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
2016-09-24 05:39:37 +10:00
djm@openbsd.org
16277fc45f upstream commit
mention curve25519-sha256 KEX

Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
2016-09-24 05:39:37 +10:00
djm@openbsd.org
bfa9d969ab upstream commit
add a way for principals command to get see key ID and serial
too

Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
2016-09-21 11:41:22 +10:00
djm@openbsd.org
e7907c1cb9 upstream commit
add %-escapes to AuthorizedPrincipalsCommand to match those
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key; 'looks ok' dtucker@

Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
2016-09-14 15:43:23 +10:00
jmc@openbsd.org
f219fc8f03 upstream commit
sort; from matthew martin

Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
2016-09-12 13:39:30 +10:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org
ffe6549c2f upstream commit
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples.  ok jmc@

Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-23 13:28:30 +10:00
jca@openbsd.org
42d47adc5a upstream commit
Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.

This makes the IPv6 example consistent with IPv4, and removes a dubious
mention of a 6bone subnet.

ok sthen@ millert@

Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
2016-08-14 11:19:14 +10:00
jmc@openbsd.org
32d921c323 upstream commit
tweak previous;

Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
2016-07-22 13:36:40 +10:00
dtucker@openbsd.org
d7eabc86fa upstream commit
Allow wildcard for PermitOpen hosts as well as ports.
bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com.  ok
markus@

Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
2016-07-22 13:36:40 +10:00
jmc@openbsd.org
ad23a75509 upstream commit
grammar fix;

Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
2016-06-24 13:35:28 +10:00
djm@openbsd.org
b64faeb5ed upstream commit
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication

bz#2398 from Jakub Jelen; ok dtucker@

Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
2016-06-24 13:35:28 +10:00
markus@openbsd.org
1a75d14daf upstream commit
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@

Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-05-19 17:48:35 +10:00
jmc@openbsd.org
ee1e0a16ff upstream commit
cidr permitted for {allow,deny}users; from lars nooden ok djm

Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
2016-04-28 19:55:28 +10:00
djm@openbsd.org
0235a5fa67 upstream commit
UseDNS affects ssh hostname processing in authorized_keys,
 not known_hosts; bz#2554 reported by jjelen AT redhat.com

Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
2016-03-18 04:53:50 +11:00
djm@openbsd.org
3a13cb543d upstream commit
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
 in *KeyTypes options yet. Remove them from the lists of algorithms for now.
 committing on behalf of markus@ ok djm@

Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
2016-02-18 09:24:41 +11:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org
e7901efa9b upstream commit
Replace list of ciphers and MACs adjacent to -1/-2 flag
 descriptions in ssh(1) with a strong recommendation not to use protocol 1.
 Add a similar warning to the Protocol option descriptions in ssh_config(5)
 and sshd_config(5);

prompted by and ok mmcc@

Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-17 16:37:55 +11:00
djm@openbsd.org
e4c918a6c7 upstream commit
sync crypto algorithm lists in ssh_config(5) and
 sshd_config(5) with current reality. bz#2527

Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
2016-02-11 13:58:57 +11:00
djm@openbsd.org
cac3b6665f upstream commit
better description for MaxSessions; bz#2531

Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
2016-02-08 21:58:28 +11:00
djm@openbsd.org
9fd04681a1 upstream commit
Support "none" as an argument for sshd_config
 ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
 global default. bz#2486 ok dtucker@

Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-11-16 11:31:37 +11:00
djm@openbsd.org
b6b9108f5b upstream commit
list a couple more options usable in Match blocks;
 bz#2489

Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
2015-11-16 11:31:36 +11:00
sobrado@openbsd.org
bdcb73fb76 upstream commit
UsePrivilegeSeparation defaults to sandbox now.

ok djm@

Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
2015-10-08 04:01:05 +11:00
djm@openbsd.org
2bca8a43e7 upstream commit
more clarity on what AuthorizedKeysFile=none does; based
 on diff by Thiebaud Weksteen

Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-09-11 13:28:01 +10:00
jmc@openbsd.org
1f8d3d629c upstream commit
match myproposal.h order; from brian conway (i snuck in a
 tweak while here)

ok dtucker

Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
2015-08-19 10:47:16 +10:00
deraadt@openbsd.org
1dc8d93ce6 upstream commit
add prohibit-password as a synonymn for without-password,
 since the without-password is causing too many questions.  Harden it to ban
 all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
 djm, ok markus

Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-11 18:57:29 +10:00
deraadt@openbsd.org
f4373ed1e8 upstream commit
change default: PermitRootLogin without-password matching
 install script changes coming as well ok djm markus

Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-08-02 19:59:25 +10:00
djm@openbsd.org
f9eca249d4 upstream commit
Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-30 12:32:16 +10:00
djm@openbsd.org
c63c9a691d upstream commit
mention that the default of UseDNS=no implies that
 hostnames cannot be used for host matching in sshd_config and
 authorized_keys; bz#2045, ok dtucker@

Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
2015-07-20 10:32:25 +10:00
markus@openbsd.org
3a1638dda1 upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
 server and PubkeyAcceptedKeyTypes to the client side, so it still can be
 tested or turned back on; feedback and ok djm@

Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 15:38:02 +10:00
djm@openbsd.org
933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
djm@openbsd.org
732d61f417 upstream commit
typo: accidental repetition; bz#2386

Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
2015-06-05 15:18:02 +10:00
djm@openbsd.org
d7c31da4d4 upstream commit
add knob to relax GSSAPI host credential check for
 multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
 (kerberos/GSSAPI is not compiled by default on OpenBSD)

Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-22 20:02:17 +10:00
djm@openbsd.org
bcc50d8161 upstream commit
add AuthorizedPrincipalsCommand that allows getting
 authorized_principals from a subprocess rather than a file, which is quite
 useful in deployments with large userbases

feedback and ok markus@

Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21 16:45:46 +10:00
djm@openbsd.org
24232a3e5a upstream commit
support arguments to AuthorizedKeysCommand

bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@

Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-05-21 16:44:56 +10:00
dtucker@openbsd.org
531a57a389 upstream commit
Allow ListenAddress, Port and AddressFamily in any
 order.  bz#68, ok djm@, jmc@ (for the man page bit).
2015-04-29 18:20:32 +10:00
jmc@openbsd.org
c1d5bcf1aa upstream commit
enviroment -> environment: apologies to darren for not
 spotting that first time round...
2015-04-29 18:20:14 +10:00