| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
| commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
| tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /sshd_config.0 | |
| parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
| parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) | |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
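The server-side directives introduced by this release, combined into one sshd_config fragment as an added example (it is not taken from the page, the upstream man page or the Debian package). The file paths and the sftponly group are assumptions; ForceCommand and internal-sftp are pre-existing keywords not touched by this diff.

```conf
# Added example sshd_config fragment (not from the page or the Debian
# package). Paths and the group name are assumptions; the directives
# are the ones documented in the man page diff below.

# Protocol 1 is now off by default. Pin the default explicitly so a
# later edit cannot re-enable the legacy protocol unnoticed.
Protocol 2

# Host key plus its certificate. The certificate's public key must match
# a HostKey that has already been specified, so keep the HostKey line
# ahead of the HostCertificate line.
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

# CA public keys trusted to sign user certificates, one per line, blank
# lines and '#' comments allowed. Certificates without a principals list
# are refused, so every issued certificate must carry one.
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys

# Revoked public keys. If sshd cannot read this file, public key
# authentication is refused for ALL users (fail closed), so the file
# must exist and be readable by root even when it is empty.
RevokedKeys /etc/ssh/revoked_keys

# PubkeyAuthentication may now be set inside a Match block.
# ChrootDirectory ownership and permissions are checked regardless of
# StrictModes: every component of the expanded path must be a root-owned
# directory that is not writable by any other user or group, so %u must
# expand to a root-owned directory, not the user's own home.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PubkeyAuthentication yes
    PasswordAuthentication no
```

Order matters only for the HostKey/HostCertificate pair; the other global keywords may appear anywhere before the first Match block.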
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 51 |
1 files changed, 38 insertions, 13 deletions
diff --git a/sshd_config.0 b/sshd_config.0 index 9e73c5906..a9162f18d 100644 --- a/sshd_config.0 +++ b/sshd_config.0 | |||
@@ -93,14 +93,14 @@ DESCRIPTION | |||
93 | login.conf(5)) The default is ``yes''. | 93 | login.conf(5)) The default is ``yes''. |
94 | 94 | ||
95 | ChrootDirectory | 95 | ChrootDirectory |
96 | Specifies a path to chroot(2) to after authentication. This | 96 | Specifies the pathname of a directory to chroot(2) to after au- |
97 | path, and all its components, must be root-owned directories that | 97 | thentication. All components of the pathname must be root-owned |
98 | are not writable by any other user or group. After the chroot, | 98 | directories that are not writable by any other user or group. |
99 | sshd(8) changes the working directory to the user's home directo- | 99 | After the chroot, sshd(8) changes the working directory to the |
100 | ry. | 100 | user's home directory. |
101 | 101 | ||
102 | The path may contain the following tokens that are expanded at | 102 | The pathname may contain the following tokens that are expanded |
103 | runtime once the connecting user has been authenticated: %% is | 103 | at runtime once the connecting user has been authenticated: %% is |
104 | replaced by a literal '%', %h is replaced by the home directory | 104 | replaced by a literal '%', %h is replaced by the home directory |
105 | of the user being authenticated, and %u is replaced by the user- | 105 | of the user being authenticated, and %u is replaced by the user- |
106 | name of that user. | 106 | name of that user. |
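Review bot: the reworded ChrootDirectory paragraph keeps the root-ownership and non-writability requirement for every path component but still does not say what sshd does when a component fails the check (whether the session is refused and what is logged). Since %h and %u are expanded at runtime, a path such as %h will fail whenever the home directory is user-owned, which is the common case; one sentence stating the failure behaviour, e.g. "If any component fails this check the login is refused and the reason is logged", would save administrators a debugging round-trip.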
@@ -235,6 +235,12 @@ DESCRIPTION | |||
235 | resolve the name from the TCP connection itself. The default is | 235 | resolve the name from the TCP connection itself. The default is |
236 | ``no''. | 236 | ``no''. |
237 | 237 | ||
238 | HostCertificate | ||
239 | Specifies a file containing a public host certificate. The cer- | ||
240 | tificate's public key must match a private host key already spec- | ||
241 | ified by HostKey. The default behaviour of sshd(8) is not to | ||
242 | load any certificates. | ||
243 | |||
238 | HostKey | 244 | HostKey |
239 | Specifies a file containing a private host key used by SSH. The | 245 | Specifies a file containing a private host key used by SSH. The |
240 | default is /etc/ssh/ssh_host_key for protocol version 1, and | 246 | default is /etc/ssh/ssh_host_key for protocol version 1, and |
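Review bot: "must match a private host key already specified by HostKey" implies an ordering constraint (the matching HostKey line has to precede the HostCertificate line in the file) but only hints at it; spell it out, e.g. "The corresponding HostKey must appear earlier in the configuration file." It would also help to state whether a HostCertificate whose public key matches no loaded HostKey is a fatal configuration error or is ignored, since the paragraph currently gives only the default behaviour.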
@@ -346,8 +352,8 @@ DESCRIPTION | |||
346 | KbdInteractiveAuthentication, KerberosAuthentication, | 352 | KbdInteractiveAuthentication, KerberosAuthentication, |
347 | MaxAuthTries, MaxSessions, PasswordAuthentication, | 353 | MaxAuthTries, MaxSessions, PasswordAuthentication, |
348 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, | 354 | PermitEmptyPasswords, PermitOpen, PermitRootLogin, |
349 | RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, | 355 | PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication, |
350 | X11Forwarding and X11UseLocalHost. | 356 | X11DisplayOffset, X11Forwarding and X11UseLocalHost. |
351 | 357 | ||
352 | MaxAuthTries | 358 | MaxAuthTries |
353 | Specifies the maximum number of authentication attempts permitted | 359 | Specifies the maximum number of authentication attempts permitted |
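Review bot: PubkeyAuthentication is added to the list of keywords permitted under Match, but the two other new authentication-related keywords introduced by this same change, RevokedKeys and TrustedUserCAKeys, are absent. If they are deliberately global-only, a note saying so (here or under the keywords themselves) would stop administrators from trying to scope a revocation list or CA trust to a Match block and having the configuration rejected at startup.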
@@ -445,7 +451,7 @@ DESCRIPTION | |||
445 | Protocol | 451 | Protocol |
446 | Specifies the protocol versions sshd(8) supports. The possible | 452 | Specifies the protocol versions sshd(8) supports. The possible |
447 | values are `1' and `2'. Multiple versions must be comma-separat- | 453 | values are `1' and `2'. Multiple versions must be comma-separat- |
448 | ed. The default is ``2,1''. Note that the order of the protocol | 454 | ed. The default is `2'. Note that the order of the protocol |
449 | list does not indicate preference, because the client selects | 455 | list does not indicate preference, because the client selects |
450 | among multiple protocol versions offered by the server. Specify- | 456 | among multiple protocol versions offered by the server. Specify- |
451 | ing ``2,1'' is identical to ``1,2''. | 457 | ing ``2,1'' is identical to ``1,2''. |
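Review bot: the new default is written `2' while the examples in the same paragraph keep the double-quote style (``2,1'', ``1,2''); use one quoting style. More importantly, now that protocol 1 is no longer in the default set, the paragraph should say explicitly that protocol 1 is only offered if it is listed here (the commit message states this, the man page text does not), since the remaining sentences about list order read as if both versions were still on by default.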
@@ -455,6 +461,12 @@ DESCRIPTION | |||
455 | fault is ``yes''. Note that this option applies to protocol ver- | 461 | fault is ``yes''. Note that this option applies to protocol ver- |
456 | sion 2 only. | 462 | sion 2 only. |
457 | 463 | ||
464 | RevokedKeys | ||
465 | Specifies a list of revoked public keys. Keys listed in this | ||
466 | file will be refused for public key authentication. Note that if | ||
467 | this file is not readable, then public key authentication will be | ||
468 | refused for all users. | ||
469 | |||
458 | RhostsRSAAuthentication | 470 | RhostsRSAAuthentication |
459 | Specifies whether rhosts or /etc/hosts.equiv authentication to- | 471 | Specifies whether rhosts or /etc/hosts.equiv authentication to- |
460 | gether with successful RSA host authentication is allowed. The | 472 | gether with successful RSA host authentication is allowed. The |
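Review bot: the RevokedKeys paragraph does not describe the file format, whereas the TrustedUserCAKeys paragraph added in the same patch does ("Keys are listed one per line; empty lines and comments starting with `#' are allowed"); either state the same format here or say how it differs. The fail-closed behaviour for an unreadable file is the right choice and it is good that it is documented; consider also stating what sshd logs in that case, because "public key authentication will be refused for all users" is the kind of outage that otherwise gets misdiagnosed as a bad key.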
@@ -475,7 +487,8 @@ DESCRIPTION | |||
475 | of the user's files and home directory before accepting login. | 487 | of the user's files and home directory before accepting login. |
476 | This is normally desirable because novices sometimes accidentally | 488 | This is normally desirable because novices sometimes accidentally |
477 | leave their directory or files world-writable. The default is | 489 | leave their directory or files world-writable. The default is |
478 | ``yes''. | 490 | ``yes''. Note that this does not apply to ChrootDirectory, whose |
491 | permissions and ownership are checked unconditionally. | ||
479 | 492 | ||
480 | Subsystem | 493 | Subsystem |
481 | Configures an external subsystem (e.g. file transfer daemon). | 494 | Configures an external subsystem (e.g. file transfer daemon). |
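Review bot: the cross-reference is welcome but one-directional: the ChrootDirectory paragraph changed earlier in this diff still says only that components "must be root-owned directories" without mentioning that the check is independent of StrictModes. Mirror the sentence there ("These checks are performed regardless of StrictModes") so an administrator who set StrictModes no and is surprised by a refused chroot finds the answer under the keyword they are actually looking at.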
@@ -515,6 +528,18 @@ DESCRIPTION | |||
515 | To disable TCP keepalive messages, the value should be set to | 528 | To disable TCP keepalive messages, the value should be set to |
516 | ``no''. | 529 | ``no''. |
517 | 530 | ||
531 | TrustedUserCAKeys | ||
532 | Specifies a file containing public keys of certificate authori- | ||
533 | ties that are trusted to sign user certificates for authentica- | ||
534 | tion. Keys are listed one per line; empty lines and comments | ||
535 | starting with `#' are allowed. If a certificate is presented for | ||
536 | authentication and has its signing CA key listed in this file, | ||
537 | then it may be used for authentication for any user listed in the | ||
538 | certificate's principals list. Note that certificates that lack | ||
539 | a list of principals will not be permitted for authentication us- | ||
540 | ing TrustedUserCAKeys. For more details on certificates, see the | ||
541 | CERTIFICATES section in ssh-keygen(1). | ||
542 | |||
518 | UseDNS Specifies whether sshd(8) should look up the remote host name and | 543 | UseDNS Specifies whether sshd(8) should look up the remote host name and |
519 | check that the resolved host name for the remote IP address maps | 544 | check that the resolved host name for the remote IP address maps |
520 | back to the very same IP address. The default is ``yes''. | 545 | back to the very same IP address. The default is ``yes''. |
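Review bot: "may be used for authentication for any user listed in the certificate's principals list" should be made precise: the login name requested by the client must be one of the principals in the certificate. Unlike RevokedKeys, this paragraph does not say what happens when the TrustedUserCAKeys file cannot be read; leaving it unstated invites the assumption that it fails open, so say explicitly whether certificate authentication is then unavailable. The format sentence ("one per line; empty lines and comments starting with `#'") is good and should be reused verbatim for RevokedKeys.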
@@ -631,4 +656,4 @@ AUTHORS | |||
631 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 656 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
632 | for privilege separation. | 657 | for privilege separation. |
633 | 658 | ||
634 | OpenBSD 4.6 April 21, 2009 10 | 659 | OpenBSD 4.6 March 4, 2010 10 |