Commit Graph

220 Commits

Author SHA1 Message Date
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
afdae61635 - jmc@cvs.openbsd.org 2010/08/08 19:36:30
[ssh-keysign.8 ssh.1 sshd.8]
     use the same template for all FILES sections; i.e. -compact/.Pp where we
     have multiple items, and .Pa for path names;
2010-08-31 22:31:14 +10:00
Damien Miller
7fa96602e5 - djm@cvs.openbsd.org 2010/08/04 05:37:01
[ssh.1 ssh_config.5 sshd.8]
     Remove mentions of weird "addr/port" alternate address format for IPv6
     addresses combinations. It hasn't worked for ages and we have supported
     the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-05 13:03:13 +10:00
Damien Miller
30da3447d2 - djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.

     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.

     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.

     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.

     These options are useful for role accounts, disjoint account namespaces
     and "user@realm"-style naming policies in certificates.

     feedback and ok markus@
2010-05-10 11:58:03 +10:00
Damien Miller
98339054f9 - jmc@cvs.openbsd.org 2010/03/05 06:50:35
[ssh.1 sshd.8]
     tweak previous;
2010-03-05 21:30:35 +11:00
Damien Miller
a7dab8bfe5 - djm@cvs.openbsd.org 2010/03/04 23:19:29
[ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
2010-03-05 10:42:05 +11:00
Damien Miller
cd38c9c555 - djm@cvs.openbsd.org 2010/03/03 22:49:50
[sshd.8]
     the authorized_keys option for CA keys is "cert-authority", not
     "from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 21:51:37 +11:00
Damien Miller
15f5b560b1 - jmc@cvs.openbsd.org 2010/02/26 22:09:28
[ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
2010-03-03 10:25:21 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller
74d9825c0f - djm@cvs.openbsd.org 2010/01/30 21:08:33
[sshd.8]
     debug output goes to stderr, not "the system log"; ok markus dtucker
2010-02-02 17:01:46 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
5837b51aec - sobrado@cvs.openbsd.org 2009/03/26 08:38:39
[sftp-server.8 sshd.8 ssh-agent.1]
     fix a few typographical errors found by spell(1).
     ok dtucker@, jmc@
2009-06-21 17:52:27 +10:00
Damien Miller
49b78d4fbc - jmc@cvs.openbsd.org 2008/10/03 13:08:12
[sshd.8]
     do not give an example of how to chmod files: we can presume the user
     knows that. removes an ambiguity in the permission of authorized_keys;
     ok deraadt
2008-11-03 19:21:21 +11:00
Darren Tucker
7499b0cca0 - djm@cvs.openbsd.org 2008/07/02 02:24:18
[sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
2008-07-02 22:35:43 +10:00
Darren Tucker
1199673393 - jmc@cvs.openbsd.org 2008/06/11 07:30:37
[sshd.8]
     kill trailing whitespace;
2008-06-13 04:32:00 +10:00
Darren Tucker
896ad5a4e4 - djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
     support CIDR address matching in .ssh/authorized_keys from="..." stanzas
     ok and extensive testing dtucker@
2008-06-11 09:34:46 +10:00
Darren Tucker
e7f3f75651 - jmc@cvs.openbsd.org 2008/06/10 08:17:40
[sshd.8 sshd.c]
     - update usage()
     - fix SYNOPSIS, and sort options
     - some minor additional fixes
2008-06-10 23:06:01 +10:00
Darren Tucker
e7140f20cb - dtucker@cvs.openbsd.org 2008/06/10 04:50:25
[sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
     Add extended test mode (-T) and connection parameters for test mode (-C).
     -T causes sshd to write its effective configuration to stdout and exit.
     -C causes any relevant Match rules to be applied before output.  The
     combination allows tesing of the parser and config files.  ok deraadt djm
2008-06-10 23:01:51 +10:00
Damien Miller
13ba9c2439 - jmc@cvs.openbsd.org 2008/03/27 22:37:57
[sshd.8]
     remove trailing whitespace;
2008-04-03 20:52:51 +11:00
Damien Miller
95e80955f2 - djm@cvs.openbsd.org 2008/03/26 21:28:14
[auth-options.c auth-options.h session.c sshd.8]
     add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
2008-03-27 11:03:05 +11:00
Damien Miller
5447eb2454 - jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
     bump Mdocdate for pages committed in "febuary", necessary because
     of a typo in rcs.c;
2008-03-27 10:50:21 +11:00
Damien Miller
520e61552a - mcbride@cvs.openbsd.org 2008/02/09 12:15:43
[ssh.1 sshd.8]
     Document the correct permissions for the ~/.ssh/ directory.
     ok jmc
2008-02-10 22:46:22 +11:00
Darren Tucker
1a9176bf22 - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
accounts and that's what the code looks for, so make man page and code
   agree.  Pointed out by Roumen Petrov.
2007-08-17 09:42:32 +10:00
Damien Miller
e45796f7b4 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
     must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
     compared to hmac-md5. Represents a different approach to message
     authentication to that of HMAC that may be beneficial if HMAC based on
     one of its underlying hash algorithms is found to be vulnerable to a
     new attack.  http://www.ietf.org/rfc/rfc4418.txt
     in conjunction with and OK djm@
2007-06-11 14:01:42 +10:00
Darren Tucker
aa4d5eda10 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
     convert to new .Dd format;
     (We will need to teach mdoc2man.awk to understand this too.)
2007-06-05 18:27:13 +10:00
Darren Tucker
04354b97dc - jmc@cvs.openbsd.org 2007/03/20 15:57:15
[sshd.8]
     - let synopsis and description agree for -f
     - sort FILES
     - +.Xr ssh-keyscan 1 ,
     from Igor Sobrado
2007-03-21 20:46:54 +11:00
Damien Miller
5d43d49014 - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
[sshd.8]
     Add more detail about what permissions are and aren't accepted for
     authorized_keys files.  Corrections jmc@, ok djm@, "looks good" jmc@
2006-08-30 11:07:00 +10:00
Damien Miller
e275443f66 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
     Add ForceCommand keyword to sshd_config, equivalent to the "command="
     key option, man page entry and example in sshd_config.
     Feedback & ok djm@, man page corrections & ok jmc@
2006-07-24 14:06:47 +10:00
Darren Tucker
1131847684 - jmc@cvs.openbsd.org 2006/07/10 16:04:21
[sshd.8]
     s/and and/and/
2006-07-12 22:07:59 +10:00
Darren Tucker
da34553561 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
[misc.c misc.h sshd.8 sshconnect.c]
     Add port identifier to known_hosts for non-default ports, based originally
     on a patch from Devin Nate in bz#910.
     For any connection using the default port or using a HostKeyAlias the
     format is unchanged, otherwise the host name or address is enclosed
     within square brackets in the same format as sshd's ListenAddress.
     Tested by many, ok markus@.
2006-07-10 23:04:19 +10:00
Damien Miller
208f1ed6f1 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     more consistency fixes;
2006-03-15 11:56:03 +11:00
Damien Miller
c7d5b5e466 - jmc@cvs.openbsd.org 2006/02/24 10:39:52
[sshd.8]
     signpost to PATTERNS section;
2006-03-15 11:55:08 +11:00
Damien Miller
edd0375d82 - jmc@cvs.openbsd.org 2006/02/19 20:05:00
[sshd.8]
     grammar;
2006-03-15 11:36:45 +11:00
Damien Miller
445121fe8d - jmc@cvs.openbsd.org 2006/02/19 20:02:17
[sshd.8]
     sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
2006-03-15 11:36:18 +11:00
Damien Miller
fd725cf585 - jmc@cvs.openbsd.org 2006/02/19 19:52:10
[sshd.8]
     move the sshrc stuff out of FILES, and into its own section:
     FILES is not a good place to document how stuff works;
2006-03-15 11:35:54 +11:00
Damien Miller
adc35b9583 - jmc@cvs.openbsd.org 2006/02/16 09:05:34
[sshd.8]
     sync some of the FILES entries w/ ssh.1;
2006-03-15 11:35:27 +11:00
Damien Miller
bc1936ad87 - jmc@cvs.openbsd.org 2006/02/15 16:55:33
[sshd.8]
     remove ietf draft references; RFC list now maintained in ssh.1;
2006-03-15 11:35:05 +11:00
Damien Miller
d8702e865d - jmc@cvs.openbsd.org 2006/02/13 11:27:25
[sshd.8]
     sort FILES and use a -compact list;
2006-03-15 11:33:56 +11:00
Damien Miller
c8f61cf199 - jmc@cvs.openbsd.org 2006/02/13 11:08:43
[sshd.8]
     - avoid nasty line split
     - `*' does not need to be escaped
2006-03-15 11:33:25 +11:00
Damien Miller
cc00f5e259 - jmc@cvs.openbsd.org 2006/02/13 11:02:26
[sshd.8]
     turn this into an example ssh_known_hosts file; ok djm
2006-03-15 11:33:00 +11:00
Damien Miller
9a7f201d45 - jmc@cvs.openbsd.org 2006/02/13 10:21:25
[sshd.8]
     small tweaks for the ssh_known_hosts section;
2006-03-15 11:32:42 +11:00
Damien Miller
7d2ef02f1c - jmc@cvs.openbsd.org 2006/02/13 10:16:39
[sshd.8]
     no need to subsection the authorized_keys examples - instead, convert
     this to look like an actual file. also use proto 2 keys, and use IETF
     example addresses;
2006-03-15 11:32:06 +11:00
Damien Miller
31bdc52325 - jmc@cvs.openbsd.org 2006/02/12 17:57:19
[sshd.8]
     sort the list of options permissable w/ authorized_keys;
     ok djm dtucker
2006-03-15 11:31:44 +11:00
Damien Miller
dcfea27f1b - jmc@cvs.openbsd.org 2006/02/12 10:52:41
[sshd.8]
     rework the description of authorized_keys a little;
2006-03-15 11:31:22 +11:00
Damien Miller
c47d7e9e19 - jmc@cvs.openbsd.org 2006/02/09 10:10:47
[sshd.8]
     - move some text into a CAVEATS section
     - merge the COMMAND EXECUTION... section into AUTHENTICATION
2006-03-15 11:27:20 +11:00
Damien Miller
2ac05779f7 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
[sshd.8]
     small tweak;
2006-02-01 22:05:42 +11:00
Damien Miller
8bbdf90f33 - (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2006/02/01 09:06:50
     [sshd.8]
     - merge sections on protocols 1 and 2 into a single section
     - remove configuration file section
     ok markus
2006-02-01 22:05:25 +11:00
Damien Miller
7602cba59d - jmc@cvs.openbsd.org 2006/01/25 09:07:22
[sshd.8]
     move subsections to full sections;
2006-01-31 21:46:20 +11:00
Damien Miller
99cc4a8f1e - jmc@cvs.openbsd.org 2006/01/25 09:04:34
[sshd.8]
     move the options description up the page, and a few additional tweaks
     whilst in here;
     ok markus
2006-01-31 21:45:53 +11:00
Damien Miller
7c24b81699 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
[sshd.8]
     refer to TCP forwarding, rather than TCP/IP forwarding;
2006-01-14 10:09:56 +11:00