author | Colin Watson <cjwatson@debian.org> | 2012-09-07 00:20:47 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2012-09-07 00:20:47 +0100 |
commit | eab78da6a54225de06271d9c8da650f04a55ed88 (patch) | |
tree | aa258ca77515939f6d89317ff67fbcb0bca08b24 /sshd_config.0 | |
parent | a26f5de49df59322fde07f7be91b3e3969c9c238 (diff) | |
parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) |
* New upstream release (http://www.openssh.com/txt/release-6.1).
- Enable pre-auth sandboxing by default for new installs.
- Allow "PermitOpen none" to refuse all port-forwarding requests
(closes: #543683).
Diffstat (limited to 'sshd_config.0')
-rw-r--r-- | sshd_config.0 | 51 |
1 files changed, 29 insertions, 22 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 9022f8760..d9c87b7a0 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -102,14 +102,14 @@ DESCRIPTION | |||
102 | AuthorizedPrincipalsFile is taken to be an absolute path or one | 102 | AuthorizedPrincipalsFile is taken to be an absolute path or one |
103 | relative to the user's home directory. | 103 | relative to the user's home directory. |
104 | 104 | ||
105 | The default is not to use a principals file - in this case, the | 105 | The default is ``none'', i.e. not to use a principals file - in |
106 | username of the user must appear in a certificate's principals | 106 | this case, the username of the user must appear in a |
107 | list for it to be accepted. Note that AuthorizedPrincipalsFile | 107 | certificate's principals list for it to be accepted. Note that |
108 | is only used when authentication proceeds using a CA listed in | 108 | AuthorizedPrincipalsFile is only used when authentication |
109 | TrustedUserCAKeys and is not consulted for certification | 109 | proceeds using a CA listed in TrustedUserCAKeys and is not |
110 | authorities trusted via ~/.ssh/authorized_keys, though the | 110 | consulted for certification authorities trusted via |
111 | principals= key option offers a similar facility (see sshd(8) for | 111 | ~/.ssh/authorized_keys, though the principals= key option offers |
112 | details). | 112 | a similar facility (see sshd(8) for details). |
113 | 113 | ||
114 | Banner The contents of the specified file are sent to the remote user | 114 | Banner The contents of the specified file are sent to the remote user |
115 | before authentication is allowed. If the argument is ``none'' | 115 | before authentication is allowed. If the argument is ``none'' |
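Review bot: the new wording documents ``none'' as the default for AuthorizedPrincipalsFile but does not say whether ``none'' is also accepted as an explicit argument. Since AuthorizedPrincipalsFile is one of the keywords permitted under Match (see the Match keyword list later in this patch), a reader needs to know whether `AuthorizedPrincipalsFile none` inside a Match block disables a file configured at top level. Suggest adding a sentence such as "The argument ``none'' may also be given explicitly to disable the use of a principals file", if that is the intended behaviour.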
@@ -376,9 +376,8 @@ DESCRIPTION | |||
376 | separated. The default is: | 376 | separated. The default is: |
377 | 377 | ||
378 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 378 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
379 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96, | 379 | hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, |
380 | hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, | 380 | hmac-sha1-96,hmac-md5-96 |
381 | hmac-sha2-512-96 | ||
382 | 381 | ||
383 | Match Introduces a conditional block. If all of the criteria on the | 382 | Match Introduces a conditional block. If all of the criteria on the |
384 | Match line are satisfied, the keywords on the following lines | 383 | Match line are satisfied, the keywords on the following lines |
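Review bot: the rewritten default list drops hmac-sha256-96 and hmac-sha2-512-96 but keeps the other truncated MACs (hmac-sha1-96, hmac-md5-96), and still places hmac-md5 and hmac-sha1 ahead of hmac-sha2-256 and hmac-sha2-512. If the removal is deliberate (the old hmac-sha256-96 spelling did not even follow the hmac-sha2-* naming of its neighbours), a one-line note that these names are no longer accepted would help administrators carrying them in an explicit MACs line know to remove them. The text should also say whether this list is in server preference order, because as written the weakest MACs come first and a reader cannot tell whether that matters.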
@@ -386,10 +385,11 @@ DESCRIPTION | |||
386 | until either another Match line or the end of the file. | 385 | until either another Match line or the end of the file. |
387 | 386 | ||
388 | The arguments to Match are one or more criteria-pattern pairs. | 387 | The arguments to Match are one or more criteria-pattern pairs. |
389 | The available criteria are User, Group, Host, and Address. The | 388 | The available criteria are User, Group, Host, LocalAddress, |
390 | match patterns may consist of single entries or comma-separated | 389 | LocalPort, and Address. The match patterns may consist of single |
391 | lists and may use the wildcard and negation operators described | 390 | entries or comma-separated lists and may use the wildcard and |
392 | in the PATTERNS section of ssh_config(5). | 391 | negation operators described in the PATTERNS section of |
392 | ssh_config(5). | ||
393 | 393 | ||
394 | The patterns in an Address criteria may additionally contain | 394 | The patterns in an Address criteria may additionally contain |
395 | addresses to match in CIDR address/masklen format, e.g. | 395 | addresses to match in CIDR address/masklen format, e.g. |
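Review bot: LocalAddress and LocalPort are added to the list of Match criteria, but the paragraph that follows still says only that patterns in an Address criteria may contain CIDR address/masklen forms. The entry should state whether LocalAddress accepts the same CIDR syntax, and whether LocalPort takes a single port or a comma-separated list like the other criteria. Suggest: "The patterns in an Address or LocalAddress criteria may additionally contain addresses to match in CIDR address/masklen format".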
@@ -400,10 +400,11 @@ DESCRIPTION | |||
400 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. | 400 | example, ``192.0.2.0/33'' and ``192.0.2.0/8'' respectively. |
401 | 401 | ||
402 | Only a subset of keywords may be used on the lines following a | 402 | Only a subset of keywords may be used on the lines following a |
403 | Match keyword. Available keywords are AllowAgentForwarding, | 403 | Match keyword. Available keywords are AcceptEnv, |
404 | AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile, | 404 | AllowAgentForwarding, AllowGroups, AllowTcpForwarding, |
405 | Banner, ChrootDirectory, ForceCommand, GatewayPorts, | 405 | AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner, |
406 | GSSAPIAuthentication, HostbasedAuthentication, | 406 | ChrootDirectory, DenyGroups, DenyUsers, ForceCommand, |
407 | GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, | ||
407 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, | 408 | HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, |
408 | KerberosAuthentication, MaxAuthTries, MaxSessions, | 409 | KerberosAuthentication, MaxAuthTries, MaxSessions, |
409 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, | 410 | PasswordAuthentication, PermitEmptyPasswords, PermitOpen, |
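Review bot: AllowUsers, AllowGroups, DenyUsers and DenyGroups become usable under Match, but the hunk does not say how a list inside a Match block combines with one set at top level (whether it replaces it, appends to it, or is evaluated only after the global list has already admitted the user). Because these keywords are access-control decisions, the semantics belong here or in each keyword's own entry. The same question applies to AcceptEnv: a Match-scoped list that adds to the global one behaves very differently from one that replaces it, and the text should say which.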
@@ -454,8 +455,9 @@ DESCRIPTION | |||
454 | 455 | ||
455 | Multiple forwards may be specified by separating them with | 456 | Multiple forwards may be specified by separating them with |
456 | whitespace. An argument of ``any'' can be used to remove all | 457 | whitespace. An argument of ``any'' can be used to remove all |
457 | restrictions and permit any forwarding requests. By default all | 458 | restrictions and permit any forwarding requests. An argument of |
458 | port forwarding requests are permitted. | 459 | ``none'' can be used to prohibit all forwarding requests. By |
460 | default all port forwarding requests are permitted. | ||
459 | 461 | ||
460 | PermitRootLogin | 462 | PermitRootLogin |
461 | Specifies whether root can log in using ssh(1). The argument | 463 | Specifies whether root can log in using ssh(1). The argument |
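Review bot: the new ``none'' value is introduced directly after the sentence allowing multiple whitespace-separated forwards, so it is unclear what `PermitOpen none host:port` means. The text should say that ``none'' (like ``any'') stands alone and cannot be combined with host:port entries, or define which wins when both appear. It would also help to state how `PermitOpen none` relates to `AllowTcpForwarding no`, since both refuse forwarding requests and both may now appear under Match.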
@@ -632,6 +634,11 @@ DESCRIPTION | |||
632 | ``sandbox'' then the pre-authentication unprivileged process is | 634 | ``sandbox'' then the pre-authentication unprivileged process is |
633 | subject to additional restrictions. | 635 | subject to additional restrictions. |
634 | 636 | ||
637 | VersionAddendum | ||
638 | Optionally specifies additional text to append to the SSH | ||
639 | protocol banner sent by the server upon connection. The default | ||
640 | is ``none''. | ||
641 | |||
635 | X11DisplayOffset | 642 | X11DisplayOffset |
636 | Specifies the first display number available for sshd(8)'s X11 | 643 | Specifies the first display number available for sshd(8)'s X11 |
637 | forwarding. This prevents sshd from interfering with real X11 | 644 | forwarding. This prevents sshd from interfering with real X11 |
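Review bot: the VersionAddendum entry does not say where the text lands or who sees it. The protocol banner is sent to every client on connection, before any authentication, so the addendum is readable by anyone who can reach the port; the entry should warn that it must not carry information an operator would not publish (internal hostnames, patch levels, ticket numbers). It also omits the permitted characters and length, and a short example of the resulting identification string would make the effect concrete.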
@@ -715,4 +722,4 @@ AUTHORS | |||
715 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 722 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
716 | for privilege separation. | 723 | for privilege separation. |
717 | 724 | ||
718 | OpenBSD 5.0 September 9, 2011 OpenBSD 5.0 | 725 | OpenBSD 5.2 June 29, 2012 OpenBSD 5.2 |