| | | |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2014-10-07 13:33:15 +0100 |
| committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:27:30 +0100 |
| commit | f0b009aea83e9ff3a50be30f51012099a5143c16 (patch) | |
| tree | 3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /ssh_config.0 | |
| parent | 47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff) | |
| parent | 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff) | |
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7):
- sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default. The full set of algorithms remains available if
configured explicitly via the Ciphers and MACs sshd_config options.
- ssh(1), sshd(8): Add support for Unix domain socket forwarding. A
remote TCP port may be forwarded to a local Unix domain socket and
vice versa or both ends may be a Unix domain socket (closes: #236718).
- ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
key types.
- sftp(1): Allow resumption of interrupted uploads.
- ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
the same as the one sent during initial key exchange.
- sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
when GatewayPorts=no; allows client to choose address family.
- sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option.
- ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
expands to a unique identifier based on a hash of the tuple of (local
host, remote user, hostname, port). Helps avoid exceeding miserly
pathname limits for Unix domain sockets in multiplexing control paths.
- sshd(8): Make the "Too many authentication failures" message include
the user, source address, port and protocol in a format similar to the
authentication success / failure messages.
- Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly (closes:
#734553).
- Use prctl() to prevent sftp-server from accessing
/proc/self/{mem,maps}.
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
dropping this reduces preauth attack surface in sshd. On the other
hand, this support seems to be quite widely used, and abruptly dropping
it (from the perspective of users who don't read openssh-unix-dev) could
easily cause more serious problems in practice. It's not entirely clear
what the right long-term answer for Debian is, but it at least probably
doesn't involve dropping this feature shortly before a freeze.
* Replace patch to disable OpenSSL version check with an updated version
of Kurt Roeckx's patch from #732940 to just avoid checking the status
field.
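The commit message above notes that 6.7 dropped CBC and arcfour from the sshd(8) default while the ssh_config(5) client default in this diff still lists them. The following POSIX sh script is an added example, not part of the commit or of OpenSSH: it takes the client defaults exactly as this commit's ssh_config.0 documents them, filters out the legacy entries (CBC and arcfour ciphers, MD5/SHA-1/RIPEMD-160 MACs, SHA-1 key exchange), and emits an explicit `Host *` stanza so the client no longer relies on the permissive default. The regular expressions, the `cm-%C` ControlPath and the `Host *` layout are the example's own choices.

```shell
#!/bin/sh
# Added example: build explicit Ciphers/MACs/KexAlgorithms lines for ssh_config
# from the OpenSSH 6.7 client defaults, dropping legacy algorithms.

# Client defaults copied from the ssh_config.0 text in this commit.
DEFAULT_CIPHERS='aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'
DEFAULT_MACS='umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'
DEFAULT_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

# Patterns chosen for this example (assumption): what counts as "legacy".
WEAK_CIPHER_RE='(-cbc$|^arcfour)'       # CBC modes and RC4 variants
WEAK_MAC_RE='(md5|sha1|ripemd160)'      # MD5, SHA-1 and RIPEMD-160 based MACs
WEAK_KEX_RE='sha1$'                     # SHA-1 based key exchange methods

# filter_list LIST ERE: drop comma-separated entries matching ERE, keep order.
filter_list() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Ev "$2" \
        | awk 'NR>1{printf ","} {printf "%s",$0} END{print ""}'
}

# has_weak LIST ERE: succeed (exit 0) if LIST still contains a matching entry.
has_weak() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Eq "$2"
}

# hardened_config: print a Host * stanza with explicit algorithm lists.
# ControlPath uses the %C escape introduced in 6.7 (path name is an assumption).
hardened_config() {
    printf 'Host *\n'
    printf '    Ciphers %s\n'       "$(filter_list "$DEFAULT_CIPHERS" "$WEAK_CIPHER_RE")"
    printf '    MACs %s\n'          "$(filter_list "$DEFAULT_MACS" "$WEAK_MAC_RE")"
    printf '    KexAlgorithms %s\n' "$(filter_list "$DEFAULT_KEX" "$WEAK_KEX_RE")"
    printf '    ControlPath ~/.ssh/cm-%%C\n'
}

# Sanity check: the filtered lists must contain none of the legacy entries.
hardened_is_clean() {
    ! has_weak "$(filter_list "$DEFAULT_CIPHERS" "$WEAK_CIPHER_RE")" "$WEAK_CIPHER_RE" \
    && ! has_weak "$(filter_list "$DEFAULT_MACS" "$WEAK_MAC_RE")" "$WEAK_MAC_RE" \
    && ! has_weak "$(filter_list "$DEFAULT_KEX" "$WEAK_KEX_RE")" "$WEAK_KEX_RE"
}

hardened_config
```

Paste the output into `~/.ssh/config` and confirm each name is accepted by the installed client with `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`, as the manual page text in this diff describes. Note that `WEAK_KEX_RE` also removes diffie-hellman-group14-sha1, which older servers may be the only method they share with the client; relax the pattern to `(group1-sha1|group-exchange-sha1)$` if that compatibility is needed.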
Diffstat (limited to 'ssh_config.0')
-rw-r--r-- | ssh_config.0 | 117 |
1 files changed, 79 insertions, 38 deletions
diff --git a/ssh_config.0 b/ssh_config.0 index 6fbd10d61..c40ce5f08 100644 --- a/ssh_config.0 +++ b/ssh_config.0 | |||
@@ -1,4 +1,4 @@ | |||
1 | SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) | 1 | SSH_CONFIG(5) File Formats Manual SSH_CONFIG(5) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | ssh_config - OpenSSH SSH client configuration files | 4 | ssh_config - OpenSSH SSH client configuration files |
@@ -176,19 +176,30 @@ DESCRIPTION | |||
176 | preference. Multiple ciphers must be comma-separated. The | 176 | preference. Multiple ciphers must be comma-separated. The |
177 | supported ciphers are: | 177 | supported ciphers are: |
178 | 178 | ||
179 | ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', | 179 | 3des-cbc |
180 | ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', | 180 | aes128-cbc |
181 | ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', | 181 | aes192-cbc |
182 | ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', | 182 | aes256-cbc |
183 | ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''. | 183 | aes128-ctr |
184 | aes192-ctr | ||
185 | aes256-ctr | ||
186 | aes128-gcm@openssh.com | ||
187 | aes256-gcm@openssh.com | ||
188 | arcfour | ||
189 | arcfour128 | ||
190 | arcfour256 | ||
191 | blowfish-cbc | ||
192 | cast128-cbc | ||
193 | chacha20-poly1305@openssh.com | ||
184 | 194 | ||
185 | The default is: | 195 | The default is: |
186 | 196 | ||
187 | aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, | 197 | aes128-ctr,aes192-ctr,aes256-ctr, |
188 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, | 198 | aes128-gcm@openssh.com,aes256-gcm@openssh.com, |
189 | chacha20-poly1305@openssh.com, | 199 | chacha20-poly1305@openssh.com, |
190 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, | 200 | arcfour256,arcfour128, |
191 | aes256-cbc,arcfour | 201 | aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, |
202 | aes192-cbc,aes256-cbc,arcfour | ||
192 | 203 | ||
193 | The list of available ciphers may also be obtained using the -Q | 204 | The list of available ciphers may also be obtained using the -Q |
194 | option of ssh(1). | 205 | option of ssh(1). |
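Review bot: the reordered client default at lines 197-202 still ends with arcfour256,arcfour128, the CBC ciphers and arcfour, whereas the commit message says the 6.7 sshd(8) default dropped CBC and arcfour; the prose at lines 176-177 and 195 should say plainly that this is the client-side default and that removing those algorithms on the client still requires an explicit Ciphers line, so readers of ssh_config(5) do not assume the server-side hardening applies to both ends.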
@@ -261,10 +272,12 @@ DESCRIPTION | |||
261 | any domain name), `%h' will be substituted by the target host | 272 | any domain name), `%h' will be substituted by the target host |
262 | name, `%n' will be substituted by the original target host name | 273 | name, `%n' will be substituted by the original target host name |
263 | specified on the command line, `%p' the destination port, `%r' by | 274 | specified on the command line, `%p' the destination port, `%r' by |
264 | the remote login username, and `%u' by the username of the user | 275 | the remote login username, `%u' by the username of the user |
265 | running ssh(1). It is recommended that any ControlPath used for | 276 | running ssh(1), and `%C' by a hash of the concatenation: |
266 | opportunistic connection sharing include at least %h, %p, and %r. | 277 | %l%h%p%r. It is recommended that any ControlPath used for |
267 | This ensures that shared connections are uniquely identified. | 278 | opportunistic connection sharing include at least %h, %p, and %r |
279 | (or alternatively %C). This ensures that shared connections are | ||
280 | uniquely identified. | ||
268 | 281 | ||
269 | ControlPersist | 282 | ControlPersist |
270 | When used in conjunction with ControlMaster, specifies that the | 283 | When used in conjunction with ControlMaster, specifies that the |
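Review bot: lines 276-277 document `%C' as "a hash of the concatenation: %l%h%p%r" without naming the digest or its output length, and the fixed length is exactly the property that makes %C useful against the Unix-domain socket path limit the commit message mentions; suggest stating both. The concatenation also omits %u, so two local accounts that share a ControlPath directory would produce the same %C for the same destination; the recommendation at lines 278-279 could add that the path should include %u or live under a per-user directory.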
@@ -437,10 +450,13 @@ DESCRIPTION | |||
437 | specify nicknames or abbreviations for hosts. If the hostname | 450 | specify nicknames or abbreviations for hosts. If the hostname |
438 | contains the character sequence `%h', then this will be replaced | 451 | contains the character sequence `%h', then this will be replaced |
439 | with the host name specified on the command line (this is useful | 452 | with the host name specified on the command line (this is useful |
440 | for manipulating unqualified names). The default is the name | 453 | for manipulating unqualified names). The character sequence `%%' |
441 | given on the command line. Numeric IP addresses are also | 454 | will be replaced by a single `%' character, which may be used |
442 | permitted (both on the command line and in HostName | 455 | when specifying IPv6 link-local addresses. |
443 | specifications). | 456 | |
457 | The default is the name given on the command line. Numeric IP | ||
458 | addresses are also permitted (both on the command line and in | ||
459 | HostName specifications). | ||
444 | 460 | ||
445 | IdentitiesOnly | 461 | IdentitiesOnly |
446 | Specifies that ssh(1) should only use the authentication identity | 462 | Specifies that ssh(1) should only use the authentication identity |
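Review bot: lines 453-455 introduce `%%' as the way to write a literal `%' "when specifying IPv6 link-local addresses" but give no example, and a reader who has never written a zone index will not know where the `%' goes; one illustrative HostName line would fix that. The paragraph also leaves open what a bare `%' followed by a character other than `h' or `%' does in a HostName, which is worth one clause since the new escape changes how such values are parsed.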
@@ -517,8 +533,8 @@ DESCRIPTION | |||
517 | curve25519-sha256@libssh.org, | 533 | curve25519-sha256@libssh.org, |
518 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, | 534 | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, |
519 | diffie-hellman-group-exchange-sha256, | 535 | diffie-hellman-group-exchange-sha256, |
520 | diffie-hellman-group-exchange-sha1, | ||
521 | diffie-hellman-group14-sha1, | 536 | diffie-hellman-group14-sha1, |
537 | diffie-hellman-group-exchange-sha1, | ||
522 | diffie-hellman-group1-sha1 | 538 | diffie-hellman-group1-sha1 |
523 | 539 | ||
524 | LocalCommand | 540 | LocalCommand |
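Review bot: the swap at lines 536-537 moves diffie-hellman-group14-sha1 ahead of diffie-hellman-group-exchange-sha1 in the documented KexAlgorithms default; since ssh_config.0 is the preformatted copy of ssh_config.5, confirm that the source manual page and the compiled client default agree on this order, otherwise the method actually negotiated will differ from what the manual promises.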
@@ -529,7 +545,8 @@ DESCRIPTION | |||
529 | performed: `%d' (local user's home directory), `%h' (remote host | 545 | performed: `%d' (local user's home directory), `%h' (remote host |
530 | name), `%l' (local host name), `%n' (host name as provided on the | 546 | name), `%l' (local host name), `%n' (host name as provided on the |
531 | command line), `%p' (remote port), `%r' (remote user name) or | 547 | command line), `%p' (remote port), `%r' (remote user name) or |
532 | `%u' (local user name). | 548 | `%u' (local user name) or `%C' by a hash of the concatenation: |
549 | %l%h%p%r. | ||
533 | 550 | ||
534 | The command is run synchronously and does not have access to the | 551 | The command is run synchronously and does not have access to the |
535 | session of the ssh(1) that spawned it. It should not be used for | 552 | session of the ssh(1) that spawned it. It should not be used for |
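Review bot: the new wording at lines 547-549, "`%r' (remote user name) or `%u' (local user name) or `%C' by a hash of the concatenation: %l%h%p%r", doubles the "or" and switches from the parenthetical style used for the other escapes to a "by" clause; suggest "`%r' (remote user name), `%u' (local user name), or `%C' (a hash of the concatenation %l%h%p%r)" so the list reads uniformly.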
@@ -568,13 +585,14 @@ DESCRIPTION | |||
568 | calculate the MAC after encryption (encrypt-then-mac). These are | 585 | calculate the MAC after encryption (encrypt-then-mac). These are |
569 | considered safer and their use recommended. The default is: | 586 | considered safer and their use recommended. The default is: |
570 | 587 | ||
571 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, | ||
572 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, | 588 | umac-64-etm@openssh.com,umac-128-etm@openssh.com, |
573 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, | 589 | hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, |
574 | hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, | 590 | umac-64@openssh.com,umac-128@openssh.com, |
575 | hmac-md5-96-etm@openssh.com, | 591 | hmac-sha2-256,hmac-sha2-512, |
576 | hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, | 592 | hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com, |
577 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, | 593 | hmac-ripemd160-etm@openssh.com, |
594 | hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com, | ||
595 | hmac-md5,hmac-sha1,hmac-ripemd160, | ||
578 | hmac-sha1-96,hmac-md5-96 | 596 | hmac-sha1-96,hmac-md5-96 |
579 | 597 | ||
580 | NoHostAuthenticationForLocalhost | 598 | NoHostAuthenticationForLocalhost |
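Review bot: the new MACs default at lines 588-596 orders by underlying algorithm before -etm status, so plain hmac-sha2-256 now precedes hmac-md5-etm@openssh.com, while the sentence at lines 585-586 still says only that the -etm variants "are considered safer and their use recommended"; add a sentence explaining that a stronger MAC without etm is preferred over a weaker MAC with it, so the prose and the list no longer appear to contradict each other. The tail of the list still carries hmac-md5, hmac-sha1-96 and hmac-md5-96, so readers who want those gone need an explicit MACs line.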
@@ -628,17 +646,19 @@ DESCRIPTION | |||
628 | ProxyCommand | 646 | ProxyCommand |
629 | Specifies the command to use to connect to the server. The | 647 | Specifies the command to use to connect to the server. The |
630 | command string extends to the end of the line, and is executed | 648 | command string extends to the end of the line, and is executed |
631 | with the user's shell. In the command string, any occurrence of | 649 | using the user's shell `exec' directive to avoid a lingering |
632 | `%h' will be substituted by the host name to connect, `%p' by the | 650 | shell process. |
633 | port, and `%r' by the remote user name. The command can be | 651 | |
634 | basically anything, and should read from its standard input and | 652 | In the command string, any occurrence of `%h' will be substituted |
635 | write to its standard output. It should eventually connect an | 653 | by the host name to connect, `%p' by the port, and `%r' by the |
636 | sshd(8) server running on some machine, or execute sshd -i | 654 | remote user name. The command can be basically anything, and |
637 | somewhere. Host key management will be done using the HostName | 655 | should read from its standard input and write to its standard |
638 | of the host being connected (defaulting to the name typed by the | 656 | output. It should eventually connect an sshd(8) server running |
639 | user). Setting the command to ``none'' disables this option | 657 | on some machine, or execute sshd -i somewhere. Host key |
640 | entirely. Note that CheckHostIP is not available for connects | 658 | management will be done using the HostName of the host being |
641 | with a proxy command. | 659 | connected (defaulting to the name typed by the user). Setting |
660 | the command to ``none'' disables this option entirely. Note that | ||
661 | CheckHostIP is not available for connects with a proxy command. | ||
642 | 662 | ||
643 | This directive is useful in conjunction with nc(1) and its proxy | 663 | This directive is useful in conjunction with nc(1) and its proxy |
644 | support. For example, the following directive would connect via | 664 | support. For example, the following directive would connect via |
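Review bot: lines 649-650 replace "executed with the user's shell" by "executed using the user's shell `exec' directive to avoid a lingering shell process"; that describes the resulting process layout, but the important fact for readers is that the string is still parsed by the shell after `%h', `%p' and `%r' have been substituted (lines 652-654). Suggest keeping the original sentence and adding the exec detail as a second clause, so the shell-interpretation point is not lost.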
@@ -751,6 +771,27 @@ DESCRIPTION | |||
751 | default is 0, indicating that these messages will not be sent to | 771 | default is 0, indicating that these messages will not be sent to |
752 | the server. This option applies to protocol version 2 only. | 772 | the server. This option applies to protocol version 2 only. |
753 | 773 | ||
774 | StreamLocalBindMask | ||
775 | Sets the octal file creation mode mask (umask) used when creating | ||
776 | a Unix-domain socket file for local or remote port forwarding. | ||
777 | This option is only used for port forwarding to a Unix-domain | ||
778 | socket file. | ||
779 | |||
780 | The default value is 0177, which creates a Unix-domain socket | ||
781 | file that is readable and writable only by the owner. Note that | ||
782 | not all operating systems honor the file mode on Unix-domain | ||
783 | socket files. | ||
784 | |||
785 | StreamLocalBindUnlink | ||
786 | Specifies whether to remove an existing Unix-domain socket file | ||
787 | for local or remote port forwarding before creating a new one. | ||
788 | If the socket file already exists and StreamLocalBindUnlink is | ||
789 | not enabled, ssh will be unable to forward the port to the Unix- | ||
790 | domain socket file. This option is only used for port forwarding | ||
791 | to a Unix-domain socket file. | ||
792 | |||
793 | The argument must be ``yes'' or ``no''. The default is ``no''. | ||
794 | |||
754 | StrictHostKeyChecking | 795 | StrictHostKeyChecking |
755 | If this flag is set to ``yes'', ssh(1) will never automatically | 796 | If this flag is set to ``yes'', ssh(1) will never automatically |
756 | add host keys to the ~/.ssh/known_hosts file, and refuses to | 797 | add host keys to the ~/.ssh/known_hosts file, and refuses to |
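Review bot: for StreamLocalBindMask, lines 781-783 concede that not all operating systems honor the mode on Unix-domain socket files, so the 0177 default is not a reliable access control on its own; suggest adding that the permissions of the socket's parent directory are the portable control. For StreamLocalBindUnlink, lines 786-787 say an "existing Unix-domain socket file" is removed before binding but do not say what happens when the path holds something other than a socket; state whether the removal is unconditional so users know to point such forwardings only at paths they own.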
@@ -886,4 +927,4 @@ AUTHORS | |||
886 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 927 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
887 | versions 1.5 and 2.0. | 928 | versions 1.5 and 2.0. |
888 | 929 | ||
889 | OpenBSD 5.5 February 23, 2014 OpenBSD 5.5 | 930 | OpenBSD 5.6 July 15, 2014 OpenBSD 5.6 |