path: root/ssh_config.5
authorColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
committerColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
commitdf03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree1aab079441dff9615274769b19f2d734ddf508dd /ssh_config.5
parent6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
  for a while, but there's no GSSAPI patch available for it yet.
  - Change the default cipher order to prefer the AES CTR modes and the
    revised "arcfour256" mode to CBC mode ciphers that are susceptible to
    CPNI-957037 "Plaintext Recovery Attack Against SSH".
  - Add countermeasures to mitigate CPNI-957037-style attacks against the
    SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
    packet length or Message Authentication Code, ssh/sshd will continue
    reading up to the maximum supported packet length rather than
    immediately terminating the connection. This eliminates most of the
    known differences in behaviour that leaked information about the
    plaintext of injected data which formed the basis of this attack
    (closes: #506115, LP: #379329).
  - ForceCommand directive now accepts commandline arguments for the
    internal-sftp server (closes: #524423, LP: #362511).
  - Add AllowAgentForwarding to available Match keywords list
    (closes: #540623).
  - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS
    and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public
    channel' error messages on sshd(8) in openssh-5.1.
  - Avoid printing 'Non-public channel' warnings in sshd(8), since ssh(1)
    has sent incorrect channel numbers since ~2004 (this reverts a
    behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
  including cascading credentials support (LP: #416958).
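The cipher-order change in the commit message above, as an added example that is not part of this commit or of OpenSSH: a small Python audit that splits a `Ciphers` value the way ssh_config does, reports whether every CTR cipher outranks every CBC cipher, and lists the CBC ciphers that stay negotiable. The two default lists are copied from the ssh_config.5 hunk on this page; the function names `audit_ciphers` and `same_cipher_set` are chosen here. Note that this checks only the client's preference order: in the SSH transport the negotiated cipher is the first entry on the client's list that the server also offers, so a CBC-only server still gets a CBC cipher under the new default.

```python
"""Audit an OpenSSH ``Ciphers`` list for CTR-before-CBC preference.

Added example for this commit page; not code from OpenSSH or the Debian
package.  The two defaults below are copied from the ssh_config.5 hunk.
"""

# Constructed inputs: old and new default cipher lists from the diff.
OLD_DEFAULT = (
    "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,"
    "arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,"
    "aes192-ctr,aes256-ctr"
)
NEW_DEFAULT = (
    "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,"
    "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,"
    "aes256-cbc,arcfour"
)


def parse_cipher_list(value):
    """Split a comma-separated Ciphers value, dropping blanks and whitespace."""
    return [c.strip() for c in value.split(",") if c.strip()]


def mode_of(cipher):
    """Classify a cipher by the mode suffix OpenSSH uses in its names."""
    if cipher.endswith("-cbc"):
        return "cbc"
    if cipher.endswith("-ctr"):
        return "ctr"
    return "stream"  # arcfour, arcfour128, arcfour256 carry no suffix


def audit_ciphers(value):
    """Return preference facts about a Ciphers list.

    ``ctr_before_cbc`` is True only when at least one CTR cipher is present
    and every CTR entry precedes every CBC entry; ``cbc_enabled`` lists the
    CBC ciphers that remain negotiable regardless of their position.
    """
    ciphers = parse_cipher_list(value)
    modes = [mode_of(c) for c in ciphers]
    cbc_positions = [i for i, m in enumerate(modes) if m == "cbc"]
    ctr_positions = [i for i, m in enumerate(modes) if m == "ctr"]
    ctr_first = bool(ctr_positions) and (
        not cbc_positions or max(ctr_positions) < min(cbc_positions)
    )
    return {
        "ciphers": ciphers,
        "ctr_before_cbc": ctr_first,
        "cbc_enabled": [ciphers[i] for i in cbc_positions],
        "first_choice": ciphers[0] if ciphers else None,
    }


def same_cipher_set(a, b):
    """True when two lists enable the same ciphers, ignoring order."""
    return set(parse_cipher_list(a)) == set(parse_cipher_list(b))


if __name__ == "__main__":
    for label, value in (("old default", OLD_DEFAULT),
                         ("new default", NEW_DEFAULT)):
        report = audit_ciphers(value)
        print(f"{label}: first choice {report['first_choice']}, "
              f"CTR preferred over CBC: {report['ctr_before_cbc']}, "
              f"CBC still enabled: {', '.join(report['cbc_enabled'])}")
    print("same set of ciphers:", same_cipher_set(OLD_DEFAULT, NEW_DEFAULT))
```

Running it against the two defaults shows the point the diff makes implicitly: the new list puts aes128-ctr first and all three CTR modes ahead of every CBC mode, but the set of twelve ciphers is unchanged, so the six CBC ciphers are still enabled and an explicit `Ciphers` line is needed to exclude them.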
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- ssh_config.5 | 48
1 files changed, 34 insertions, 14 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 1b8b8da5d..76e451079 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh_config.5,v 1.111 2008/06/26 11:46:31 grunk Exp $ 37.\" $OpenBSD: ssh_config.5,v 1.119 2009/02/22 23:50:57 djm Exp $
38.Dd $Mdocdate: June 26 2008 $ 38.Dd $Mdocdate: February 22 2009 $
39.Dt SSH_CONFIG 5 39.Dt SSH_CONFIG 5
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -119,7 +119,7 @@ Restricts the following declarations (up to the next
119.Cm Host 119.Cm Host
120keyword) to be only for those hosts that match one of the patterns 120keyword) to be only for those hosts that match one of the patterns
121given after the keyword. 121given after the keyword.
122If more than one pattern is provided, they should be separated by whitepsace. 122If more than one pattern is provided, they should be separated by whitespace.
123A single 123A single
124.Ql * 124.Ql *
125as a pattern can be used to provide global 125as a pattern can be used to provide global
@@ -224,9 +224,9 @@ and
224.Dq cast128-cbc . 224.Dq cast128-cbc .
225The default is: 225The default is:
226.Bd -literal -offset 3n 226.Bd -literal -offset 3n
227aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, 227aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
228arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, 228aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
229aes192-ctr,aes256-ctr 229aes256-cbc,arcfour
230.Ed 230.Ed
231.It Cm ClearAllForwardings 231.It Cm ClearAllForwardings
232Specifies that all local, remote, and dynamic port forwardings 232Specifies that all local, remote, and dynamic port forwardings
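Review bot: the new default on new lines 227-229 only reorders the list; all six CBC ciphers (aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc) remain enabled, so a server that offers only CBC modes will still negotiate one and stays exposed to the CPNI-957037 attack the commit message cites. Since this man page is what an administrator reads when deciding what to set, consider adding a sentence after the `.Ed` stating that CBC modes are retained for compatibility and that excluding them requires an explicit Ciphers line, for example `Ciphers aes128-ctr,aes192-ctr,aes256-ctr`. I compared the two lists entry by entry: the same twelve names appear in both, so the change is purely one of preference order, which the surrounding text ("The default is:") does not make clear on its own.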
@@ -505,18 +505,28 @@ GSSAPI key exchange the server need not have a host key.
505The default is 505The default is
506.Dq no . 506.Dq no .
507Note that this option applies to protocol version 2 only. 507Note that this option applies to protocol version 2 only.
508.It Cm GSSAPIClientIdentity
509If set, specifies the GSSAPI client identity that ssh should use when
510connecting to the server. The default is unset, which means that the default
511identity will be used.
508.It Cm GSSAPIDelegateCredentials 512.It Cm GSSAPIDelegateCredentials
509Forward (delegate) credentials to the server. 513Forward (delegate) credentials to the server.
510The default is 514The default is
511.Dq no . 515.Dq no .
512Note that this option applies to protocol version 2 only. 516Note that this option applies to protocol version 2 connections using GSSAPI.
517.It Cm GSSAPIRenewalForcesRekey
518If set to
519.Dq yes
520then renewal of the client's GSSAPI credentials will force the rekeying of the
521ssh connection. With a compatible server, this can delegate the renewed
522credentials to a session on the server.
523The default is
524.Dq no .
513.It Cm GSSAPITrustDns 525.It Cm GSSAPITrustDns
514Set to 526Set to
515.Dq yes 527.Dq yes to indicate that the DNS is trusted to securely canonicalize
516to indicate that the DNS is trusted to securely canonicalize
517the name of the host being connected to. If 528the name of the host being connected to. If
518.Dq no , 529.Dq no, the hostname entered on the
519the hostname entered on the
520command line will be passed untouched to the GSSAPI library. 530command line will be passed untouched to the GSSAPI library.
521The default is 531The default is
522.Dq no . 532.Dq no .
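Review bot: the reflow of the GSSAPITrustDns text on new lines 527 and 529 changes the rendered output, because `.Dq` quotes every argument on its line: `.Dq yes to indicate that the DNS is trusted to securely canonicalize` renders the whole clause inside double quotes, and `.Dq no, the hostname entered on the` does the same (with the comma attached as `no,` it is no longer a separate punctuation token that mdoc leaves outside the quotes). Keep the upstream layout from old lines 515-519, with `.Dq yes` and `.Dq no ,` on their own lines and the prose on the following line. Two smaller points in the same hunk: GSSAPIClientIdentity (new lines 508-511) lacks the "applies to protocol version 2" note its neighbouring GSSAPI options carry, and the GSSAPIRenewalForcesRekey text (new lines 520-522) should say what makes a server "compatible" for the credential delegation, since without that a reader cannot tell when the rekey actually achieves anything beyond a new session key.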
@@ -852,7 +862,15 @@ and
852.Ar host Ns / Ns Ar hostport . 862.Ar host Ns / Ns Ar hostport .
853Multiple forwardings may be specified, and additional 863Multiple forwardings may be specified, and additional
854forwardings can be given on the command line. 864forwardings can be given on the command line.
855Only the superuser can forward privileged ports. 865Privileged ports can be forwarded only when
866logging in as root on the remote machine.
867.Pp
868If the
869.Ar port
870argument is
871.Ql 0 ,
872the listen port will be dynamically allocated on the server and reported
873to the client at run time.
856.Pp 874.Pp
857If the 875If the
858.Ar bind_address 876.Ar bind_address
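Review bot: "reported to the client at run time" on new lines 872-873 does not tell the reader where the allocated port appears; name the mechanism (the message ssh prints, or the log level at which it is reported) so an administrator relying on a port of 0 knows what to look for. The reworded privileged-port sentence on new lines 865-866 is an improvement: the `host/hostport` context at line 862 places this in the remote-forwarding entry, where the restriction is indeed decided by the login identity on the remote machine rather than by the local user, and the old "Only the superuser" wording left that ambiguous.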
@@ -1138,10 +1156,12 @@ in
1138If this flag is set to 1156If this flag is set to
1139.Dq yes , 1157.Dq yes ,
1140an ASCII art representation of the remote host key fingerprint is 1158an ASCII art representation of the remote host key fingerprint is
1141printed additionally to the hex fingerprint string. 1159printed in addition to the hex fingerprint string at login and
1160for unknown host keys.
1142If this flag is set to 1161If this flag is set to
1143.Dq no , 1162.Dq no ,
1144only the hex fingerprint string will be printed. 1163no fingerprint strings are printed at login and
1164only the hex fingerprint string will be printed for unknown host keys.
1145The default is 1165The default is
1146.Dq no . 1166.Dq no .
1147.It Cm XAuthLocation 1167.It Cm XAuthLocation