Commit Graph

275 Commits

Author SHA1 Message Date
djm@openbsd.org
801c9f095e upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
2020-08-27 11:28:36 +10:00
djm@openbsd.org
734f2f83f5 upstream: mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25 17:04:14 +11:00
naddy@openbsd.org
141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
dtucker@openbsd.org
bc2dc091e0 upstream: "Forward security" -> "Forward secrecy" since that's the
correct term. Add "MAC" since we use that acronym in other man pages.  ok
naddy@

OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
2019-12-20 14:25:08 +11:00
naddy@openbsd.org
e905f7260d upstream: cut obsolete lists of crypto algorithms from outline of
how SSH works ok markus@ jmc@

OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
2019-12-20 14:25:08 +11:00
jmc@openbsd.org
483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
djm@openbsd.org
2e71263b80 upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org
e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
naddy@openbsd.org
aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
dtucker@openbsd.org
01c98d9661 upstream: Switch authorized_keys example from ssh-dss to ssh-rsa
since the former is no longer enabled by default.  Pointed out by Daniel A.
Maierhofer, ok jmc

OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7
2018-07-26 13:54:30 +10:00
jmc@openbsd.org
f535ff922a upstream: spelling;
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-26 08:30:43 +10:00
djm@openbsd.org
87ddd676da upstream: allow bare port numbers to appear in PermitListen directives,
e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-19 13:00:50 +10:00
jmc@openbsd.org
6ff6fda705 upstream: tweak previous;
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-09 13:10:59 +10:00
djm@openbsd.org
803d896ef3 upstream: man bits for permitlisten authorized_keys option
OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
2018-06-07 04:27:21 +10:00
Damien Miller
10479cc2a4 Many typo fixes from Karsten Weiss
Spotted using https://github.com/lucasdemarchi/codespell
2018-04-10 10:19:02 +10:00
jmc@openbsd.org
037fdc1dc2 upstream: sort expiry-time;
OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
2018-03-14 18:55:33 +11:00
djm@openbsd.org
abc0fa38c9 upstream: rename recently-added "valid-before" key restriction to
"expiry-time" as the former is confusing wrt similar terminology in X.509;
pointed out by jsing@

OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
2018-03-14 18:55:33 +11:00
djm@openbsd.org
bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
dtucker@openbsd.org
055e09e221 upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18
bumped the minimum from 768 to 1024, update man page accordingly.

OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
2018-03-04 12:48:08 +11:00
djm@openbsd.org
88c50a5ae2 upstream: stop loading DSA keys by default, remove sshd_config
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-16 13:35:28 +11:00
djm@openbsd.org
2b428f90ea upstream commit
I accidentially a word

OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a
2018-02-07 07:50:46 +11:00
dtucker@openbsd.org@openbsd.org
0208a48517 upstream commit
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.  ok djm@, man page help jmc@

OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
2017-11-03 16:20:41 +11:00
djm@openbsd.org
68af80e6fd upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25 12:26:21 +11:00
jmc@openbsd.org
e2004d4bb7 upstream commit
word fix;

Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5
2017-06-24 16:49:46 +10:00
djm@openbsd.org
6f8ca3b925 upstream commit
use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@

Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
2017-06-24 16:48:39 +10:00
djm@openbsd.org
acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
dtucker@openbsd.org
6ba9f89383 upstream commit
Small correction to the known_hosts section on when it is
updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
sdf.org

Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
2017-02-03 14:23:24 +11:00
djm@openbsd.org
fd6dcef203 upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30 19:44:01 +11:00
djm@openbsd.org
83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org
ffe6549c2f upstream commit
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples.  ok jmc@

Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-23 13:28:30 +10:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org
deae7d52d5 upstream commit
mention internal DH-GEX fallback groups; bz#2302

Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
2016-02-08 21:58:29 +11:00
djm@openbsd.org
383f10fb84 upstream commit
Add a new authorized_keys option "restrict" that
 includes all current and future key restrictions (no-*-forwarding, etc). Also
 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
 This simplifies the task of setting up restricted keys and ensures they are
 maximally-restricted, regardless of any permissions we might implement in the
 future.

Example:

restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...

Idea from Jann Horn; ok markus@

Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
2015-11-16 11:31:41 +11:00
djm@openbsd.org
2bca8a43e7 upstream commit
more clarity on what AuthorizedKeysFile=none does; based
 on diff by Thiebaud Weksteen

Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-09-11 13:28:01 +10:00
djm@openbsd.org
933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
djm@openbsd.org
8d4d1bfddb upstream commit
mention that the user's shell from /etc/passwd is used
 for commands too; bz#1459 ok dtucker@
2015-05-10 11:35:07 +10:00
bentley@openbsd.org
da8af83d3f upstream commit
Reduce instances of `` '' in manuals.

troff displays these as typographic quotes, but nroff implementations
almost always print them literally, which rarely has the intended effect
with modern fonts, even in stock xterm.

These uses of `` '' can be replaced either with more semantic alternatives
or with Dq, which prints typographic quotes in a UTF-8 locale (but will
automatically fall back to `` '' in an ASCII locale).

improvements and ok schwarze@
2014-11-17 11:19:33 +11:00
sobrado@openbsd.org
f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller
72e6b5c9ed - djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@
2014-07-04 09:00:04 +10:00
Damien Miller
69cb24b735 - tedu@cvs.openbsd.org 2014/04/19 18:15:16
[sshd.8]
     remove some really old rsh references
2014-04-20 13:29:06 +10:00
Damien Miller
f2719b7c2b - tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c]
     remove libwrap support. ok deraadt djm mfriedl
2014-04-20 13:22:18 +10:00
Damien Miller
8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller
a7827c11b3 - jmc@cvs.openbsd.org 2013/12/06 15:29:07
[sshd.8]
     missing comma;
2013-12-07 11:24:30 +11:00
Damien Miller
5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller
6901032b05 - dtucker@cvs.openbsd.org 2013/04/07 09:40:27
[sshd.8]
     clarify -e text. suggested by & ok jmc@
2013-04-23 15:21:24 +10:00
Damien Miller
03d4d7e60b - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
[log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
     Add -E option to ssh and sshd to append debugging logs to a specified file
     instead of stderr or syslog.  ok markus@, man page help jmc@
2013-04-23 15:21:06 +10:00
Darren Tucker
427e409e99 - markus@cvs.openbsd.org 2012/10/04 13:21:50
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
     add umac128 variant; ok djm@ at n2k12
     (note: further Makefile work is required)
2012-10-05 11:02:39 +10:00
Damien Miller
b9902cf6f6 - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
[ssh.1 sshd.8]
     Remove mention of 'three' key files since there are now four.  From
     Steve.McClellan at radisys com.
2012-06-20 21:52:58 +10:00
Darren Tucker
fbcf827559 - (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32
     [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
     to match.  Feedback and ok djm@ markus@.
2012-05-19 19:37:01 +10:00