| Field | Value | Date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
| committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
| commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
| tree | 89400a44e42d84937deba7864e4964d6c7734da5 /sshd_config.5 | |
| parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
| parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) | |
* New upstream release (http://www.openssh.org/txt/release-5.9).
  - Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
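A small checker for the three sshd_config(5) changes this release note touches (multiple AuthorizedKeysFile paths, the SHA-2 MACs, and the sandbox privsep mode), added here as an example; it is not part of this commit or of OpenSSH. The sample configuration, the user `alice` and the home directory are constructed. The `%h`, `%u` and `%%` tokens are the AuthorizedKeysFile tokens documented in sshd_config(5), and the fallback MACs list is the default shown in the diff on this page. Only the global section is parsed; keywords inside a `Match` block are skipped, which is a simplification for this example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample sshd_config for this example, not a real host's file.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
UsePrivilegeSeparation yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/keys/%u
MACs hmac-md5,hmac-sha2-256,hmac-sha1-96,hmac-sha2-512
"""

# Default MACs list as printed in the sshd_config.5 diff for this release.
DEFAULT_MACS = ("hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
                "hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha256-96,"
                "hmac-sha2-512,hmac-sha2-512-96")

# keyword, then whitespace or a single '=', then the argument
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its first value.

    sshd_config(5) keywords are case-insensitive and the first occurrence
    of a keyword wins. Parsing stops at the first Match line, so only the
    global section is examined (a simplification for this example).
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        config.setdefault(keyword, value)
    return config


def expand_tokens(value, user, home):
    """Expand the %h (home), %u (user) and %% tokens of AuthorizedKeysFile."""
    return re.sub(r"%([hu%])",
                  lambda m: {"h": home, "u": user, "%": "%"}[m.group(1)],
                  value)


def authorized_keys_paths(config, user, home):
    """Return every key file sshd would consult for `user`, as absolute paths.

    Each whitespace-separated entry is expanded and then taken as absolute
    or relative to the home directory. An audit of who may log in has to
    read all of them, including the deprecated authorized_keys2 default.
    """
    value = config.get("authorizedkeysfile",
                       ".ssh/authorized_keys .ssh/authorized_keys2")
    paths = []
    for entry in value.split():
        path = PurePosixPath(expand_tokens(entry, user, home))
        if not path.is_absolute():
            path = PurePosixPath(home) / path
        paths.append(str(path))
    return paths


def weak_macs(config):
    """Return MACs in force that are MD5-based or truncated to 96 bits.

    With no MACs line the default list applies, and it still contains both
    kinds alongside the new hmac-sha2-256 / hmac-sha2-512 entries.
    """
    value = config.get("macs", DEFAULT_MACS)
    return [m for m in value.split(",")
            if m.startswith("hmac-md5") or m.endswith("-96")]


def uses_sandbox(config):
    """True when the pre-auth privsep child is configured to run sandboxed."""
    return config.get("useprivilegeseparation", "yes").lower() == "sandbox"


def review(text, user, home):
    """Summarise the three settings for one user on one configuration."""
    cfg = parse_sshd_config(text)
    return {
        "authorized_keys": authorized_keys_paths(cfg, user, home),
        "weak_macs": weak_macs(cfg),
        "sandbox": uses_sandbox(cfg),
    }


if __name__ == "__main__":
    for key, val in review(SAMPLE_CONFIG, "alice", "/home/alice").items():
        print(f"{key}: {val}")
```

Run against a real file with `review(open("/etc/ssh/sshd_config").read(), user, home)`; the `weak_macs` result for an absent `MACs` line shows why an explicit list restricted to the full-length SHA-2 MACs is worth setting even after this release.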
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index e7a5f0a08..e73624154 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.131 2010/12/08 04:02:47 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $ |
37 | .Dd $Mdocdate: December 8 2010 $ | 37 | .Dd $Mdocdate: August 2 2011 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -195,8 +195,9 @@ After expansion, | |||
195 | .Cm AuthorizedKeysFile | 195 | .Cm AuthorizedKeysFile |
196 | is taken to be an absolute path or one relative to the user's home | 196 | is taken to be an absolute path or one relative to the user's home |
197 | directory. | 197 | directory. |
198 | Multiple files may be listed, separated by whitespace. | ||
198 | The default is | 199 | The default is |
199 | .Dq .ssh/authorized_keys . | 200 | .Dq .ssh/authorized_keys .ssh/authorized_keys2 . |
200 | .It Cm AuthorizedPrincipalsFile | 201 | .It Cm AuthorizedPrincipalsFile |
201 | Specifies a file that lists principal names that are accepted for | 202 | Specifies a file that lists principal names that are accepted for |
202 | certificate authentication. | 203 | certificate authentication. |
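Review bot: the new default on line 200 adds `.ssh/authorized_keys2` as a second key file, but nothing in the hunk says that file is a deprecated fallback, which the commit message promises to document; add a sentence after line 198 such as `The file .ssh/authorized_keys2 is a deprecated fallback that may be removed from the default in a future release.` so administrators auditing who can log in know to read every listed file, since each one grants access.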
@@ -713,7 +714,9 @@ Multiple algorithms must be comma-separated. | |||
713 | The default is: | 714 | The default is: |
714 | .Bd -literal -offset indent | 715 | .Bd -literal -offset indent |
715 | hmac-md5,hmac-sha1,umac-64@openssh.com, | 716 | hmac-md5,hmac-sha1,umac-64@openssh.com, |
716 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96 | 717 | hmac-ripemd160,hmac-sha1-96,hmac-md5-96, |
718 | hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, | ||
719 | hmac-sha2-512-96 | ||
717 | .Ed | 720 | .Ed |
718 | .It Cm Match | 721 | .It Cm Match |
719 | Introduces a conditional block. | 722 | Introduces a conditional block. |
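Review bot: line 718 names the truncated SHA-256 MAC `hmac-sha256-96`, which breaks the `hmac-sha2-256` / `hmac-sha2-512-96` naming pattern of the entries around it; confirm the string matches the algorithm name the server advertises, because an administrator who copies this default list into a MACs directive will have the whole directive rejected if the name is unknown. While here, a short note that the `-96` and `hmac-md5` entries remain in the default only for interoperability would help readers deciding whether to restrict the list.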
@@ -1146,6 +1149,12 @@ The goal of privilege separation is to prevent privilege | |||
1146 | escalation by containing any corruption within the unprivileged processes. | 1149 | escalation by containing any corruption within the unprivileged processes. |
1147 | The default is | 1150 | The default is |
1148 | .Dq yes . | 1151 | .Dq yes . |
1152 | If | ||
1153 | .Cm UsePrivilegeSeparation | ||
1154 | is set to | ||
1155 | .Dq sandbox | ||
1156 | then the pre-authentication unprivileged process is subject to additional | ||
1157 | restrictions. | ||
1149 | .It Cm X11DisplayOffset | 1158 | .It Cm X11DisplayOffset |
1150 | Specifies the first display number available for | 1159 | Specifies the first display number available for |
1151 | .Xr sshd 8 Ns 's | 1160 | .Xr sshd 8 Ns 's |
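Review bot: lines 1152-1157 introduce a third accepted value, `sandbox`, but describe it only as `additional restrictions`, and the option's list of accepted values above this hunk is not updated to include it. Suggest saying what is restricted, for example `then the pre-authentication unprivileged process is subject to mandatory restrictions on the system calls it may perform.` (as the commit message states), adding `sandbox` to the accepted values, and stating whether the mode is available on every platform.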