Commit Graph

82 Commits

Author SHA1 Message Date
Darren Tucker
7499b0cca0 - djm@cvs.openbsd.org 2008/07/02 02:24:18
[sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
2008-07-02 22:35:43 +10:00
Damien Miller
7207f64a23 - djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
2008-05-19 15:34:50 +10:00
Damien Miller
ba3a6599a2 - pyr@cvs.openbsd.org 2008/05/07 06:43:35
[sshd_config]
     push the sshd_config bits in, spotted by ajacoutot@
2008-05-19 14:58:22 +10:00
Damien Miller
d8cb1f184f - djm@cvs.openbsd.org 2008/02/08 23:24:07
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
     [sshd_config.5]
     add sshd_config ChrootDirectory option to chroot(2) users to a directory
     and tweak internal sftp server to work with it (no special files in
     chroot required). ok markus@
2008-02-10 22:40:12 +11:00
Damien Miller
4890e53977 - djm@cvs.openbsd.org 2007/08/23 03:22:16
[auth2-none.c sshd_config sshd_config.5]
     Support "Banner=none" to disable displaying of the pre-login banner;
     ok dtucker@ deraadt@
2007-09-17 11:57:38 +10:00
Darren Tucker
506ed88cef - djm@cvs.openbsd.org 2007/03/19 01:01:29
[sshd_config]
     Disable the legacy SSH protocol 1 for new installations via
     a configuration override. In the future, we will change the
     server's default itself so users who need the legacy protocol
     will need to turn it on explicitly
2007-03-21 20:42:24 +11:00
Damien Miller
e275443f66 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
     Add ForceCommand keyword to sshd_config, equivalent to the "command="
     key option, man page entry and example in sshd_config.
     Feedback & ok djm@, man page corrections & ok jmc@
2006-07-24 14:06:47 +10:00
Darren Tucker
a4904f7bf1 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
reality.  Pointed out by tryponraj at gmail.com.
2006-02-23 21:35:30 +11:00
Damien Miller
d27b947178 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
     [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
     [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
     [sshconnect.h sshd.8 sshd_config sshd_config.5]
     Add support for tun(4) forwarding over OpenSSH, based on an idea and
     initial channel code bits by markus@. This is a simple and easy way to
     use OpenSSH for ad hoc virtual private network connections, e.g.
     administrative tunnels or secure wireless access. It's based on a new
     ssh channel and works similar to the existing TCP forwarding support,
     except that it depends on the tun(4) network interface on both ends of
     the connection for layer 2 or layer 3 tunneling. This diff also adds
     support for LocalCommand in the ssh(1) client.

     ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-12-13 19:29:02 +11:00
Damien Miller
9786e6e2a0 - markus@cvs.openbsd.org 2005/07/25 11:59:40
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
     [sshconnect2.c sshd.c sshd_config sshd_config.5]
     add a new compression method that delays compression until the user
     has been authenticated successfully and set compression to 'delayed'
     for sshd.
     this breaks older openssh clients (< 3.5) if they insist on
     compression, so you have to re-enable compression in sshd_config.
     ok djm@
2005-07-26 21:54:56 +10:00
Damien Miller
06b75ad56b - djm@cvs.openbsd.org 2005/05/19 02:40:52
[sshd_config]
     whitespace nit, from grunk AT pestilenz.org
2005-05-26 12:12:37 +10:00
Darren Tucker
0f38323222 - djm@cvs.openbsd.org 2004/12/23 23:11:00
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
     bz #898: support AddressFamily in sshd_config. from
     peak@argo.troja.mff.cuni.cz; ok deraadt@
2005-01-20 10:57:56 +11:00
Darren Tucker
89413dbafa - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
     Add MaxAuthTries sshd config option; ok markus@
2004-05-24 10:36:23 +10:00
Damien Miller
701d0514ee - (djm) Explain consequences of UsePAM=yes a little better in sshd_config;
ok dtucker@
2004-05-23 11:47:58 +10:00
Darren Tucker
0b3b97512f - millert@cvs.openbsd.org 2003/12/29 16:39:50
[sshd_config]
     KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
2003-12-31 11:38:32 +11:00
Darren Tucker
22ef508754 - jakob@cvs.openbsd.org 2003/12/23 16:12:10
[servconf.c servconf.h session.c sshd_config]
     implement KerberosGetAFSToken server option. ok markus@, beck@
2003-12-31 11:37:34 +11:00
Damien Miller
418a386f2b - (djm) Clarify UsePAM consequences a little more 2003-11-06 20:27:51 +11:00
Darren Tucker
a49d36e7b9 - markus@cvs.openbsd.org 2003/09/29 20:19:57
[servconf.c sshd_config]
     GSSAPICleanupCreds -> GSSAPICleanupCredentials
2003-10-02 16:20:54 +10:00
Tim Rice
d4d1815cae [sshd_config] UsePAM defaults to no. 2003-09-25 19:04:34 -07:00
Damien Miller
1a0c0b9621 - markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
     [sshconnect1.c sshd.c sshd_config sshd_config.5]
     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-09-02 22:51:17 +10:00
Darren Tucker
0efd155c3c - markus@cvs.openbsd.org 2003/08/22 10:56:09
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
     support GSS API user authentication; patches from Simon Wilkinson,
     stripped down and tested by Jakob and myself.
2003-08-26 11:49:55 +10:00
Darren Tucker
ec960f2c93 - markus@cvs.openbsd.org 2003/08/13 08:46:31
[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
     fgsch@, miod@, henning@, jakob@ and others
2003-08-13 20:37:05 +10:00
Darren Tucker
c20c60bc99 - markus@cvs.openbsd.org 2003/07/23 07:42:43
[sshd_config]
     remove AFS; itojun@
2003-08-02 22:31:45 +10:00
Darren Tucker
b8dae8ece0 20030622
- (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/06/20 05:48:21
     [sshd_config]
     sync some implemented options; ok markus@
2003-06-22 20:48:45 +10:00
Damien Miller
3a961dc0d3 - (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
     [sshd_config.5]
     deprecate VerifyReverseMapping since it's dangerous if combined
     with IP based access control as noted by Mike Harding; replace with
     a UseDNS option, UseDNS is on by default and includes the
     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
     ok deraadt@, djm@
 - (djm) Fix portable-specific uses of verify_reverse_mapping too
2003-06-03 10:25:48 +10:00
Damien Miller
e3e71247c3 clarify 2003-05-16 12:00:44 +10:00
Damien Miller
2aa0ab463f - jakob@cvs.openbsd.org 2003/05/15 01:48:10
[readconf.c readconf.h servconf.c servconf.h]
     always parse kerberos options. ok djm@ markus@
 - (djm) Always parse UsePAM
2003-05-15 12:05:28 +10:00
Damien Miller
d681d2602c - (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/09/25 11:17:16
     [sshd_config]
     sync LoginGraceTime with default
2002-09-27 13:21:57 +10:00
Damien Miller
f771ab75f0 - stevesk@cvs.openbsd.org 2002/08/21 19:38:06
[servconf.c sshd.8 sshd_config sshd_config.5]
     change LoginGraceTime default to 1 minute; ok mouring@ markus@
2002-09-04 16:25:52 +10:00
Ben Lindstrom
5d860f02ca - markus@cvs.openbsd.org 2002/07/30 17:03:55
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
     add PermitUserEnvironment (off by default!); from dot@dotat.at;
     ok provos, deraadt
2002-08-01 01:28:38 +00:00
Kevin Steves
bdf3e89f1a 20020628
- (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
   options should contain default value.  from solar.
2002-06-27 16:59:50 +00:00
Ben Lindstrom
1b8d730b7d - markus@cvs.openbsd.org 2002/06/20 23:37:12
[sshd_config]
     add Compression
2002-06-21 01:11:36 +00:00
Ben Lindstrom
9721e92ba8 - stevesk@cvs.openbsd.org 2002/06/20 20:03:34
[ssh_config sshd_config]
     refer to config file man page
2002-06-21 01:06:03 +00:00
Ben Lindstrom
fb62a69488 - markus@cvs.openbsd.org 2002/05/15 21:56:38
[servconf.c sshd.8 sshd_config]
     re-enable privsep and disable setuid for post-3.2.2
2002-06-06 19:47:11 +00:00
Ben Lindstrom
c5c15dde32 - markus@cvs.openbsd.org 2002/05/15 21:02:53
[servconf.c sshd.8 sshd_config]
     disable privsep and enable setuid for the 3.2.2 release
2002-05-15 21:37:34 +00:00
Ben Lindstrom
bb2ce36d4d - deraadt@cvs.openbsd.org 2002/05/04 02:39:35
[servconf.c sshd.8 sshd_config]
     enable privsep by default; provos ok
(historical)
2002-05-15 21:35:43 +00:00
Damien Miller
d7de14b6ad - markus@cvs.openbsd.org 2002/04/22 16:16:53
[servconf.c sshd.8 sshd_config]
     do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@
2002-04-23 21:04:51 +10:00
Damien Miller
7a8558d3ea - stevesk@cvs.openbsd.org 2002/04/21 16:19:27
[sshd.8 sshd_config]
     document default AFSTokenPassing no; ok deraadt@
2002-04-23 20:51:15 +10:00
Ben Lindstrom
fa1336ff47 - markus@cvs.openbsd.org 2002/03/21 20:51:12
[sshd_config]
     add privsep (off)
2002-03-22 03:40:58 +00:00
Ben Lindstrom
351e919690 - (bal) Update sshd_config CVSID 2002-02-26 17:49:55 +00:00
Damien Miller
95ca7e9f1f - deraadt@cvs.openbsd.org 2002/02/19 02:50:59
[sshd_config]
     stategy is not an english word
2002-02-19 15:29:02 +11:00
Damien Miller
05eda437a6 - (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2002/02/09 17:37:34
     [pathnames.h session.c ssh.1 sshd.8 sshd_config ssh-keyscan.1]
     move ssh config files to /etc/ssh
 - (djm) Adjust portable Makefile.in tnd ssh-rand-helper.c o match
2002-02-10 18:32:28 +11:00
Damien Miller
c5d8635d6a - markus@cvs.openbsd.org 2002/01/29 14:32:03
[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c servconf.c servconf.h session.c sshd.8 sshd_config]
     s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
2002-02-05 12:13:41 +11:00
Damien Miller
95c249ff47 - stevesk@cvs.openbsd.org 2002/01/27 14:57:46
[channels.c servconf.c servconf.h session.c sshd.8 sshd_config]
     add X11UseLocalhost; ok markus@
2002-02-05 12:11:34 +11:00
Tim Rice
1e2c600892 [configure.ac] fix logic on when ssh-rand-helper is installed.
[sshd_config] put back in line that tells what PATH was compiled into sshd.
2002-01-30 22:14:03 -08:00
Damien Miller
2bec5c1543 - stevesk@cvs.openbsd.org 2002/01/16 17:40:23
[sshd_config]
     The stategy now used for options in the default sshd_config shipped
     with OpenSSH is to specify options with their default value where
     possible, but leave them commented.  Uncommented options change a
     default value.  Subsystem is currently the only default option
     changed.  ok markus@
2002-01-22 23:32:07 +11:00
Damien Miller
9f0f5c64bc - deraadt@cvs.openbsd.org 2001/12/19 07:18:56
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
     [auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
     [cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
     [match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
     [servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
     [sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
     [ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
     basic KNF done while i was looking for something else
2001-12-21 14:45:46 +11:00
Ben Lindstrom
15da033b34 - mouring@cvs.openbsd.org 2001/09/20 20:57:51
[sshd_config]
     CheckMail removed.  OKed stevesk@
2001-09-20 23:15:44 +00:00
Ben Lindstrom
f96704d4ef - markus@cvs.openbsd.org 2001/06/22 21:55:49
[auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config
      ssh-keygen.1]
     merge authorized_keys2 into authorized_keys.
     authorized_keys2 is used for backward compat.
     (just append authorized_keys2 to authorized_keys).
2001-06-25 04:17:12 +00:00
Ben Lindstrom
c4b7225b8d - markus@cvs.openbsd.org 2001/05/31 13:08:04
[sshd_config]
     group options and add some more comments
2001-06-09 01:09:51 +00:00