Commit Graph

116 Commits

Author SHA1 Message Date
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
bad5076bb5 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
     disable protocol 1 by default (after a transition period of about 10 years)
     ok deraadt
2009-10-11 21:51:08 +11:00
Darren Tucker
1477ea162c - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
[sshd_config.5]
     Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
2009-10-07 08:36:05 +11:00
Damien Miller
9c7bf8dfc8 downgrade mention of login.conf to be an example and mention PAM as
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
2009-08-28 10:27:08 +10:00
Darren Tucker
51dbe503bf - stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
     clarify we cd to user's home after chroot; ok markus@ on
     earlier version; tweaks and ok jmc@
2009-06-21 17:56:51 +10:00
Darren Tucker
f92077f05c - jmc@cvs.openbsd.org 2009/04/18 18:39:10
[sshd_config.5]
     tweak previous; ok stevesk
2009-06-21 17:56:25 +10:00
Darren Tucker
00fcd719a5 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17
[sshd_config.5]
     clarify that even internal-sftp needs /dev/log for logging to work; ok
     markus@
2009-06-21 17:56:00 +10:00
Darren Tucker
af501cfce4 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44
[sshd_config.5]
     fix possessive; ok djm@
2009-06-21 17:53:04 +10:00
Damien Miller
0296ae85ec - djm@cvs.openbsd.org 2009/02/22 23:59:25
[sshd_config.5]
     missing period
2009-02-23 11:00:24 +11:00
Damien Miller
1991384764 - djm@cvs.openbsd.org 2009/02/22 23:50:57
[ssh_config.5 sshd_config.5]
     don't advertise experimental options
2009-02-23 10:53:58 +11:00
Damien Miller
9aa72ba57a - naddy@cvs.openbsd.org 2009/01/24 17:10:22
[ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
2009-01-28 16:34:00 +11:00
Damien Miller
17819015f0 - okan@cvs.openbsd.org 2008/12/30 00:46:56
[sshd_config.5]
     add AllowAgentForwarding to available Match keywords list
     ok djm
2009-01-28 16:20:17 +11:00
Damien Miller
01ed2272a1 - djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@
2008-11-05 16:20:46 +11:00
Damien Miller
51bde6000a - djm@cvs.openbsd.org 2008/10/09 03:50:54
[servconf.c sshd_config.5]
     support setting PermitEmptyPasswords in a Match block
     requested in PR3891; ok dtucker@
2008-11-03 19:23:10 +11:00
Darren Tucker
7499b0cca0 - djm@cvs.openbsd.org 2008/07/02 02:24:18
[sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
2008-07-02 22:35:43 +10:00
Damien Miller
307c1d10a7 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40
[servconf.c sshd_config.5]
     Allow MaxAuthTries within a Match block.  ok djm@
2008-06-16 07:56:20 +10:00
Damien Miller
c62a5af29a - dtucker@cvs.openbsd.org 2008/06/15 16:55:38
[sshd_config.5]
     MaxSessions is allowed in a Match block too
2008-06-16 07:55:46 +10:00
Darren Tucker
6a2a400f7a - jmc@cvs.openbsd.org 2008/06/10 07:12:00
[sshd_config.5]
     tweak previous;
2008-06-10 23:03:04 +10:00
Darren Tucker
b06cc4abf8 - djm@cvs.openbsd.org 2008/06/10 04:17:46
[sshd_config.5]
     better reference for pattern-list
2008-06-10 22:59:53 +10:00
Darren Tucker
7a3935de2f - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
     [servconf.c match.h sshd_config.5]
     support CIDR address matching in sshd_config "Match address" blocks, with
     full support for negation and fall-back to classic wildcard matching.
     For example:
     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes
     addrmatch.c code mostly lifted from flowd's addr.c
     feedback and ok dtucker@
2008-06-10 22:59:10 +10:00
Damien Miller
7207f64a23 - djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
2008-05-19 15:34:50 +10:00
Damien Miller
e989019303 - jmc@cvs.openbsd.org 2008/05/07 08:00:14
[sshd_config.5]
     sort;
2008-05-19 14:59:02 +10:00
Damien Miller
4f755cdc05 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@
2008-05-19 14:57:41 +10:00
Damien Miller
25434de460 - djm@cvs.openbsd.org 2008/04/05 02:46:02
[sshd_config.5]
     HostbasedAuthentication is supported under Match too
2008-05-19 14:29:08 +10:00
Damien Miller
56f41ddc54 - djm@cvs.openbsd.org 2008/04/04 06:44:26
[sshd_config.5]
     oops, some unrelated stuff crept into that commit - backout.
     spotted by jmc@
2008-05-19 14:28:19 +10:00
Damien Miller
797e3d117f - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/04 05:14:38
     [sshd_config.5]
     ChrootDirectory is supported in Match blocks (in fact, it is most useful
     there). Spotted by Minstrel AT minstrel.org.uk
2008-05-19 14:27:42 +10:00
Damien Miller
a1b48ccf2d - djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
     from dtucker@ ok deraadt@ djm@
2008-03-27 11:02:02 +11:00
Damien Miller
5447eb2454 - jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
     bump Mdocdate for pages committed in "febuary", necessary because
     of a typo in rcs.c;
2008-03-27 10:50:21 +11:00
Damien Miller
cdb6e65175 - djm@cvs.openbsd.org 2008/02/10 09:55:37
[sshd_config.5]
     mantion that "internal-sftp" is useful with ForceCommand too
2008-02-10 22:47:24 +11:00
Damien Miller
70433b5d73 - jmc@cvs.openbsd.org 2008/02/09 08:04:31
[sshd_config.5]
     missing `)';
2008-02-10 22:45:13 +11:00
Damien Miller
d8cb1f184f - djm@cvs.openbsd.org 2008/02/08 23:24:07
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
     [sshd_config.5]
     add sshd_config ChrootDirectory option to chroot(2) users to a directory
     and tweak internal sftp server to work with it (no special files in
     chroot required). ok markus@
2008-02-10 22:40:12 +11:00
Darren Tucker
15f94271be - dtucker@cvs.openbsd.org 2008/01/01 09:27:33
[sshd_config.5 servconf.c]
     Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
     only from the local network.  ok markus@, man page bit ok jmc@
2008-01-01 20:36:56 +11:00
Damien Miller
4890e53977 - djm@cvs.openbsd.org 2007/08/23 03:22:16
[auth2-none.c sshd_config sshd_config.5]
     Support "Banner=none" to disable displaying of the pre-login banner;
     ok dtucker@ deraadt@
2007-09-17 11:57:38 +10:00
Damien Miller
22b7b49331 - jmc@cvs.openbsd.org 2007/06/08 07:48:09
[sshd_config.5]
     oops, here too: put the MAC list into a display, like we do for
     ciphers, since groff has trouble with wide lines;
2007-06-11 14:07:12 +10:00
Damien Miller
e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00
Darren Tucker
aa4d5eda10 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
     convert to new .Dd format;
     (We will need to teach mdoc2man.awk to understand this too.)
2007-06-05 18:27:13 +10:00
Damien Miller
5737e363c5 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
     [sshd_config.5]
     sort the `match' keywords;
2007-03-06 21:21:18 +11:00
Darren Tucker
1d75f22c5d - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
[auth2.c sshd_config.5 servconf.c]
     Remove ChallengeResponseAuthentication support inside a Match
     block as its interaction with KbdInteractive makes it difficult to
     support.  Also, relocate the CR/kbdint option special-case code into
     servconf.  "please commit" djm@, ok markus@ for the relocation.
2007-03-01 21:31:28 +11:00
Darren Tucker
1629c07c07 - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
     Teach Match how handle config directives that are used before
     authentication.  This allows configurations such as permitting password
     authentication from the local net only while requiring pubkey from
     offsite.  ok djm@, man page bits ok jmc@
2007-02-19 22:25:37 +11:00
Damien Miller
d94fc72bcd - jmc@cvs.openbsd.org 2007/01/02 09:57:25
[sshd_config.5]
     do not use lists for SYNOPSIS;
     from eric s. raymond via brad
2007-01-05 16:29:30 +11:00
Damien Miller
b594f38bae - (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
     [sshd_config.5]
     Document HostbasedUsesNameFromPacketOnly.  Corrections from jmc@,
     ok jmc@ djm@
2006-08-30 11:06:34 +10:00
Damien Miller
565ca3f600 - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
     Add ability to match groups to Match keyword in sshd_config.  Feedback
     djm@, stevesk@, ok stevesk@.
2006-08-19 00:23:15 +10:00
Damien Miller
a765cf4b66 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
[channels.c channels.h servconf.c servconf.h sshd_config.5]
     Make PermitOpen take a list of permitted ports and act more like most
     other keywords (ie the first match is the effective setting). This
     also makes it easier to override a previously set PermitOpen. ok djm@
2006-07-24 14:08:13 +10:00
Damien Miller
e275443f66 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
     Add ForceCommand keyword to sshd_config, equivalent to the "command="
     key option, man page entry and example in sshd_config.
     Feedback & ok djm@, man page corrections & ok jmc@
2006-07-24 14:06:47 +10:00
Damien Miller
d1de9950e5 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
[servconf.c sshd_config.5]
     Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
     Match.  ok djm@
2006-07-24 14:05:48 +10:00
Damien Miller
8c23403b51 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
[sshd_config.5]
     Clarify description of Match, with minor correction from jmc@
2006-07-24 14:05:08 +10:00
Damien Miller
393821ad72 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
[ssh-agent.1 sshd_config.5]
     mark up angle brackets;
2006-07-24 14:04:53 +10:00
Damien Miller
65bc2c4028 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
[sshd_config.5]
     tweak; ok dtucker
2006-07-24 14:04:16 +10:00
Damien Miller
9b439df18a - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option.  Allows server admin to allow TCP port
     forwarding only two specific host/port pairs.  Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.
2006-07-24 14:04:00 +10:00
Damien Miller
d04f357ac2 - jmc@cvs.openbsd.org 2006/07/12 13:39:55
[sshd_config.5]
      - new sentence, new line
      - s/The the/The/
      - kill a bad comma
2006-07-24 13:46:50 +10:00