- djm@cvs.openbsd.org 2008/04/04 06:44:26

[sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@
author: Damien Miller <djm@mindrot.org> 2008-05-19 14:28:19 +1000
committer: Damien Miller <djm@mindrot.org> 2008-05-19 14:28:19 +1000
commit: 56f41ddc5472ef04f20c59ec94a74825b8439898 (patch)
tree: 185e28de74dae3d74aad899ebda0a9a4089fe108
parent: 797e3d117f8b4cfed5f066ef88f28826eb8f8b41 (diff)
2 files changed, 7 insertions, 36 deletions
diff --git a/ChangeLog b/ChangeLog
index dd8602954..f0ecbe21a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,10 @@
     [sshd_config.5]
     ChrootDirectory is supported in Match blocks (in fact, it is most useful
     there). Spotted by Minstrel AT minstrel.org.uk
+   - djm@cvs.openbsd.org 2008/04/04 06:44:26
+     [sshd_config.5]
+     oops, some unrelated stuff crept into that commit - backout.
+     spotted by jmc@
 20080403
 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@@ -3864,4 +3868,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $
+$Id: ChangeLog,v 1.4907 2008/05/19 04:28:19 djm Exp $
diff --git a/sshd_config.5 b/sshd_config.5
index be3869713..601b56402 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $
-.Dd $Mdocdate: April 4 2008 $
+.Dd $Mdocdate: May 19 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -210,29 +210,6 @@ in-process sftp server is used (see
 .Cm Subsystem
 for details).
 .Pp
-Please note that there are many ways to misconfigure a chroot environment
-in ways that compromise security.
-These include:
-.Pp
-.Bl -dash -offset indent -compact
-.It
-Making unsafe setuid binaries available;
-.It
-Having missing or incorrect configuration files in the chroot's
-.Pa /etc
-directory;
-.It
-Hard-linking files between the chroot and outside;
-.It
-Leaving unnecessary
-.Pa /dev
-nodes accessible inside the chroot (especially those for physical drives);
-.It
-Executing scripts or binaries inside the chroot from outside, either
-directly or through facilities such as
-.Xr cron 8 .
-.El
-.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
@@ -363,11 +340,6 @@ Specifying a command of
 will force the use of an in-process sftp server that requires no support
 files when used with
 .Cm ChrootDirectory .
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
@@ -830,11 +802,6 @@ server.
 This may simplify configurations using
 .Cm ChrootDirectory
 to force a different filesystem root on clients.
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
 .Pp
 By default no subsystems are defined.
 Note that this option applies to protocol version 2 only.
author	Damien Miller <djm@mindrot.org>	2008-05-19 14:28:19 +1000
committer	Damien Miller <djm@mindrot.org>	2008-05-19 14:28:19 +1000
commit	56f41ddc5472ef04f20c59ec94a74825b8439898 (patch)
tree	185e28de74dae3d74aad899ebda0a9a4089fe108
parent	797e3d117f8b4cfed5f066ef88f28826eb8f8b41 (diff)

diff --git a/ChangeLog b/ChangeLog index dd8602954..f0ecbe21a 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -4,6 +4,10 @@
4	[sshd_config.5]	4	[sshd_config.5]
5	ChrootDirectory is supported in Match blocks (in fact, it is most useful	5	ChrootDirectory is supported in Match blocks (in fact, it is most useful
6	there). Spotted by Minstrel AT minstrel.org.uk	6	there). Spotted by Minstrel AT minstrel.org.uk
		7	- djm@cvs.openbsd.org 2008/04/04 06:44:26
		8	[sshd_config.5]
		9	oops, some unrelated stuff crept into that commit - backout.
		10	spotted by jmc@
7		11
8	20080403	12	20080403
9	- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-	13	- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
@@ -3864,4 +3868,4 @@
3864	OpenServer 6 and add osr5bigcrypt support so when someone migrates	3868	OpenServer 6 and add osr5bigcrypt support so when someone migrates
3865	passwords between UnixWare and OpenServer they will still work. OK dtucker@	3869	passwords between UnixWare and OpenServer they will still work. OK dtucker@
3866		3870
3867	$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $	3871	$Id: ChangeLog,v 1.4907 2008/05/19 04:28:19 djm Exp $


diff --git a/sshd_config.5 b/sshd_config.5 index be3869713..601b56402 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $
38	.Dd $Mdocdate: April 4 2008 $	38	.Dd $Mdocdate: May 19 2008 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -210,29 +210,6 @@ in-process sftp server is used (see
210	.Cm Subsystem	210	.Cm Subsystem
211	for details).	211	for details).
212	.Pp	212	.Pp
213	Please note that there are many ways to misconfigure a chroot environment
214	in ways that compromise security.
215	These include:
216	.Pp
217	.Bl -dash -offset indent -compact
218	.It
219	Making unsafe setuid binaries available;
220	.It
221	Having missing or incorrect configuration files in the chroot's
222	.Pa /etc
223	directory;
224	.It
225	Hard-linking files between the chroot and outside;
226	.It
227	Leaving unnecessary
228	.Pa /dev
229	nodes accessible inside the chroot (especially those for physical drives);
230	.It
231	Executing scripts or binaries inside the chroot from outside, either
232	directly or through facilities such as
233	.Xr cron 8 .
234	.El
235	.Pp
236	The default is not to	213	The default is not to
237	.Xr chroot 2 .	214	.Xr chroot 2 .
238	.It Cm Ciphers	215	.It Cm Ciphers
@@ -363,11 +340,6 @@ Specifying a command of
363	will force the use of an in-process sftp server that requires no support	340	will force the use of an in-process sftp server that requires no support
364	files when used with	341	files when used with
365	.Cm ChrootDirectory .	342	.Cm ChrootDirectory .
366	Note that
367	.Dq internal-sftp
368	is only supported when
369	.Cm UsePrivilegeSeparation
370	is enabled.
371	.It Cm GatewayPorts	343	.It Cm GatewayPorts
372	Specifies whether remote hosts are allowed to connect to ports	344	Specifies whether remote hosts are allowed to connect to ports
373	forwarded for the client.	345	forwarded for the client.
@@ -830,11 +802,6 @@ server.
830	This may simplify configurations using	802	This may simplify configurations using
831	.Cm ChrootDirectory	803	.Cm ChrootDirectory
832	to force a different filesystem root on clients.	804	to force a different filesystem root on clients.
833	Note that
834	.Dq internal-sftp
835	is only supported when
836	.Cm UsePrivilegeSeparation
837	is enabled.
838	.Pp	805	.Pp
839	By default no subsystems are defined.	806	By default no subsystems are defined.
840	Note that this option applies to protocol version 2 only.	807	Note that this option applies to protocol version 2 only.