* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
author: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
commit: df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree: 1aab079441dff9615274769b19f2d734ddf508dd /sshd_config.5
parent: 6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent: 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
1 files changed, 14 insertions, 7 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index d5f19ea3d..15bd8d988 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.102 2009/02/22 23:59:25 djm Exp $
-.Dd $Mdocdate: July 2 2008 $
+.Dd $Mdocdate: February 22 2009 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -267,9 +267,9 @@ and
 .Dq cast128-cbc .
 The default is:
 .Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes192-ctr,aes256-ctr
+aes256-cbc,arcfour
 .Ed
 .It Cm ClientAliveCountMax
 Sets the number of client alive messages (see below) which may be
@@ -402,7 +402,7 @@ The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
 .It Cm GSSAPIKeyExchange
-Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange 
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 doesn't rely on ssh keys to verify host identity.
 The default is
 .Dq no .
@@ -430,6 +430,11 @@ Note that this option applies only to protocol version 2 GSSAPI connections,
 and setting it to 
 .Dq no
 may only work with recent Kerberos GSSAPI libraries.
+.It Cm GSSAPIStoreCredentialsOnRekey
+Controls whether the user's GSSAPI credentials should be updated following a 
+successful connection rekeying. This option can be used to accepted renewed 
+or updated credentials from a compatible client. The default is
+.Dq no .
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -643,6 +648,7 @@ Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
 Available keywords are
+.Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
@@ -655,12 +661,13 @@ Available keywords are
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
+.Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
-.Cm X11Forwarding ,
+.Cm X11Forwarding
 and
 .Cm X11UseLocalHost .
 .It Cm MaxAuthTries
author	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
commit	df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree	1aab079441dff9615274769b19f2d734ddf508dd /sshd_config.5
parent	6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent	99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index d5f19ea3d..15bd8d988 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,8 +34,8 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.102 2009/02/22 23:59:25 djm Exp $
38	.Dd $Mdocdate: July 2 2008 $	38	.Dd $Mdocdate: February 22 2009 $
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -267,9 +267,9 @@ and
267	.Dq cast128-cbc .	267	.Dq cast128-cbc .
268	The default is:	268	The default is:
269	.Bd -literal -offset 3n	269	.Bd -literal -offset 3n
270	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,	270	aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
271	arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,	271	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
272	aes192-ctr,aes256-ctr	272	aes256-cbc,arcfour
273	.Ed	273	.Ed
274	.It Cm ClientAliveCountMax	274	.It Cm ClientAliveCountMax
275	Sets the number of client alive messages (see below) which may be	275	Sets the number of client alive messages (see below) which may be
@@ -402,7 +402,7 @@ The default is
402	.Dq no .	402	.Dq no .
403	Note that this option applies to protocol version 2 only.	403	Note that this option applies to protocol version 2 only.
404	.It Cm GSSAPIKeyExchange	404	.It Cm GSSAPIKeyExchange
405	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange	405	Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
406	doesn't rely on ssh keys to verify host identity.	406	doesn't rely on ssh keys to verify host identity.
407	The default is	407	The default is
408	.Dq no .	408	.Dq no .
@@ -430,6 +430,11 @@ Note that this option applies only to protocol version 2 GSSAPI connections,
430	and setting it to	430	and setting it to
431	.Dq no	431	.Dq no
432	may only work with recent Kerberos GSSAPI libraries.	432	may only work with recent Kerberos GSSAPI libraries.
		433	.It Cm GSSAPIStoreCredentialsOnRekey
		434	Controls whether the user's GSSAPI credentials should be updated following a
		435	successful connection rekeying. This option can be used to accepted renewed
		436	or updated credentials from a compatible client. The default is
		437	.Dq no .
433	.It Cm HostbasedAuthentication	438	.It Cm HostbasedAuthentication
434	Specifies whether rhosts or /etc/hosts.equiv authentication together	439	Specifies whether rhosts or /etc/hosts.equiv authentication together
435	with successful public key client host authentication is allowed	440	with successful public key client host authentication is allowed
@@ -643,6 +648,7 @@ Only a subset of keywords may be used on the lines following a
643	.Cm Match	648	.Cm Match
644	keyword.	649	keyword.
645	Available keywords are	650	Available keywords are
		651	.Cm AllowAgentForwarding ,
646	.Cm AllowTcpForwarding ,	652	.Cm AllowTcpForwarding ,
647	.Cm Banner ,	653	.Cm Banner ,
648	.Cm ChrootDirectory ,	654	.Cm ChrootDirectory ,
@@ -655,12 +661,13 @@ Available keywords are
655	.Cm MaxAuthTries ,	661	.Cm MaxAuthTries ,
656	.Cm MaxSessions ,	662	.Cm MaxSessions ,
657	.Cm PasswordAuthentication ,	663	.Cm PasswordAuthentication ,
		664	.Cm PermitEmptyPasswords ,
658	.Cm PermitOpen ,	665	.Cm PermitOpen ,
659	.Cm PermitRootLogin ,	666	.Cm PermitRootLogin ,
660	.Cm RhostsRSAAuthentication ,	667	.Cm RhostsRSAAuthentication ,
661	.Cm RSAAuthentication ,	668	.Cm RSAAuthentication ,
662	.Cm X11DisplayOffset ,	669	.Cm X11DisplayOffset ,
663	.Cm X11Forwarding ,	670	.Cm X11Forwarding
664	and	671	and
665	.Cm X11UseLocalHost .	672	.Cm X11UseLocalHost .
666	.It Cm MaxAuthTries	673	.It Cm MaxAuthTries