diff options
author | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
commit | c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch) | |
tree | b72c0867348e7e7914d64af6fc5e25c728922e03 /sshd.8 | |
parent | 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff) | |
parent | 70847d299887abb96f8703ca99db6d817b78960e (diff) |
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 39 |
1 files changed, 22 insertions, 17 deletions
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd $Mdocdate: August 16 2007 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -58,8 +58,11 @@ | |||
58 | .Nm | 58 | .Nm |
59 | (OpenSSH Daemon) is the daemon program for | 59 | (OpenSSH Daemon) is the daemon program for |
60 | .Xr ssh 1 . | 60 | .Xr ssh 1 . |
61 | Together these programs replace rlogin and rsh, and | 61 | Together these programs replace |
62 | provide secure encrypted communications between two untrusted hosts | 62 | .Xr rlogin 1 |
63 | and | ||
64 | .Xr rsh 1 , | ||
65 | and provide secure encrypted communications between two untrusted hosts | ||
63 | over an insecure network. | 66 | over an insecure network. |
64 | .Pp | 67 | .Pp |
65 | .Nm | 68 | .Nm |
@@ -117,7 +120,7 @@ Maximum is 3. | |||
117 | When this option is specified, | 120 | When this option is specified, |
118 | .Nm | 121 | .Nm |
119 | will send the output to the standard error instead of the system log. | 122 | will send the output to the standard error instead of the system log. |
120 | .It Fl f Ar configuration_file | 123 | .It Fl f Ar config_file |
121 | Specifies the name of the configuration file. | 124 | Specifies the name of the configuration file. |
122 | The default is | 125 | The default is |
123 | .Pa /etc/ssh/sshd_config . | 126 | .Pa /etc/ssh/sshd_config . |
@@ -276,7 +279,7 @@ The client selects the encryption algorithm | |||
276 | to use from those offered by the server. | 279 | to use from those offered by the server. |
277 | Additionally, session integrity is provided | 280 | Additionally, session integrity is provided |
278 | through a cryptographic message authentication code | 281 | through a cryptographic message authentication code |
279 | (hmac-sha1 or hmac-md5). | 282 | (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). |
280 | .Pp | 283 | .Pp |
281 | Finally, the server and the client enter an authentication dialog. | 284 | Finally, the server and the client enter an authentication dialog. |
282 | The client tries to authenticate itself using | 285 | The client tries to authenticate itself using |
@@ -302,8 +305,9 @@ on Tru64, | |||
302 | a leading | 305 | a leading |
303 | .Ql \&*LOCKED\&* | 306 | .Ql \&*LOCKED\&* |
304 | on FreeBSD and a leading | 307 | on FreeBSD and a leading |
305 | .Ql \&!! | 308 | .Ql \&! |
306 | on Linux). If there is a requirement to disable password authentication | 309 | on most Linuxes). |
310 | If there is a requirement to disable password authentication | ||
307 | for the account while allowing still public-key, then the passwd field | 311 | for the account while allowing still public-key, then the passwd field |
308 | should be set to something other than these values (eg | 312 | should be set to something other than these values (eg |
309 | .Ql NP | 313 | .Ql NP |
@@ -761,15 +765,6 @@ This file is used in exactly the same way as | |||
761 | but allows host-based authentication without permitting login with | 765 | but allows host-based authentication without permitting login with |
762 | rlogin/rsh. | 766 | rlogin/rsh. |
763 | .Pp | 767 | .Pp |
764 | .It /etc/ssh/ssh_known_hosts | ||
765 | Systemwide list of known host keys. | ||
766 | This file should be prepared by the | ||
767 | system administrator to contain the public host keys of all machines in the | ||
768 | organization. | ||
769 | The format of this file is described above. | ||
770 | This file should be writable only by root/the owner and | ||
771 | should be world-readable. | ||
772 | .Pp | ||
773 | .It /etc/ssh/ssh_host_key | 768 | .It /etc/ssh/ssh_host_key |
774 | .It /etc/ssh/ssh_host_dsa_key | 769 | .It /etc/ssh/ssh_host_dsa_key |
775 | .It /etc/ssh/ssh_host_rsa_key | 770 | .It /etc/ssh/ssh_host_rsa_key |
@@ -793,6 +788,15 @@ the user so their contents can be copied to known hosts files. | |||
793 | These files are created using | 788 | These files are created using |
794 | .Xr ssh-keygen 1 . | 789 | .Xr ssh-keygen 1 . |
795 | .Pp | 790 | .Pp |
791 | .It /etc/ssh/ssh_known_hosts | ||
792 | Systemwide list of known host keys. | ||
793 | This file should be prepared by the | ||
794 | system administrator to contain the public host keys of all machines in the | ||
795 | organization. | ||
796 | The format of this file is described above. | ||
797 | This file should be writable only by root/the owner and | ||
798 | should be world-readable. | ||
799 | .Pp | ||
796 | .It /etc/ssh/sshd_config | 800 | .It /etc/ssh/sshd_config |
797 | Contains configuration data for | 801 | Contains configuration data for |
798 | .Nm sshd . | 802 | .Nm sshd . |
@@ -829,6 +833,7 @@ The content of this file is not sensitive; it can be world-readable. | |||
829 | .Xr ssh-add 1 , | 833 | .Xr ssh-add 1 , |
830 | .Xr ssh-agent 1 , | 834 | .Xr ssh-agent 1 , |
831 | .Xr ssh-keygen 1 , | 835 | .Xr ssh-keygen 1 , |
836 | .Xr ssh-keyscan 1 , | ||
832 | .Xr chroot 2 , | 837 | .Xr chroot 2 , |
833 | .Xr hosts_access 5 , | 838 | .Xr hosts_access 5 , |
834 | .Xr login.conf 5 , | 839 | .Xr login.conf 5 , |