author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /sshd_config.5 | |
parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) command line to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 45 |
1 files changed, 39 insertions, 6 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 522ac103f..39ef781ff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.106 2009/04/21 15:13:17 stevesk Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $ |
38 | .Dd $Mdocdate: April 21 2009 $ | 38 | .Dd $Mdocdate: March 4 2010 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -208,16 +208,16 @@ PAM). | |||
208 | The default is | 208 | The default is |
209 | .Dq yes . | 209 | .Dq yes . |
210 | .It Cm ChrootDirectory | 210 | .It Cm ChrootDirectory |
211 | Specifies a path to | 211 | Specifies the pathname of a directory to |
212 | .Xr chroot 2 | 212 | .Xr chroot 2 |
213 | to after authentication. | 213 | to after authentication. |
214 | This path, and all its components, must be root-owned directories that are | 214 | All components of the pathname must be root-owned directories that are |
215 | not writable by any other user or group. | 215 | not writable by any other user or group. |
216 | After the chroot, | 216 | After the chroot, |
217 | .Xr sshd 8 | 217 | .Xr sshd 8 |
218 | changes the working directory to the user's home directory. | 218 | changes the working directory to the user's home directory. |
219 | .Pp | 219 | .Pp |
220 | The path may contain the following tokens that are expanded at runtime once | 220 | The pathname may contain the following tokens that are expanded at runtime once |
221 | the connecting user has been authenticated: %% is replaced by a literal '%', | 221 | the connecting user has been authenticated: %% is replaced by a literal '%', |
222 | %h is replaced by the home directory of the user being authenticated, and | 222 | %h is replaced by the home directory of the user being authenticated, and |
223 | %u is replaced by the username of that user. | 223 | %u is replaced by the username of that user. |
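Review bot: The rewording at lines 211 and 214 keeps the requirement that every path component be a root-owned directory not writable by anyone else, but the token list at lines 220-223 still presents %h (the user's home directory) as an expansion without saying that the expanded result is subject to that same check; a home directory is normally user-owned, so a plain `ChrootDirectory %h` will fail it. Suggest one sentence after line 223 stating that the path after token expansion must satisfy the ownership and permission rules given above.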
@@ -470,6 +470,14 @@ uses the name supplied by the client rather than | |||
470 | attempting to resolve the name from the TCP connection itself. | 470 | attempting to resolve the name from the TCP connection itself. |
471 | The default is | 471 | The default is |
472 | .Dq no . | 472 | .Dq no . |
473 | .It Cm HostCertificate | ||
474 | Specifies a file containing a public host certificate. | ||
475 | The certificate's public key must match a private host key already specified | ||
476 | by | ||
477 | .Cm HostKey . | ||
478 | The default behaviour of | ||
479 | .Xr sshd 8 | ||
480 | is not to load any certificates. | ||
473 | .It Cm HostKey | 481 | .It Cm HostKey |
474 | Specifies a file containing a private host key | 482 | Specifies a file containing a private host key |
475 | used by SSH. | 483 | used by SSH. |
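Review bot: Lines 475-477 say the certificate's public key must match a private host key "already specified by HostKey", which reads as if HostKey must appear before HostCertificate in the file; if ordering is significant, say so explicitly, and if it is not, drop "already". It would also help to say what sshd does when no matching HostKey is found (whether the certificate is ignored or the configuration is rejected), since a silently ignored host certificate is easy to miss until clients start warning about an unexpected host key.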
@@ -673,6 +681,7 @@ Available keywords are | |||
673 | .Cm PermitEmptyPasswords , | 681 | .Cm PermitEmptyPasswords , |
674 | .Cm PermitOpen , | 682 | .Cm PermitOpen , |
675 | .Cm PermitRootLogin , | 683 | .Cm PermitRootLogin , |
684 | .Cm PubkeyAuthentication , | ||
676 | .Cm RhostsRSAAuthentication , | 685 | .Cm RhostsRSAAuthentication , |
677 | .Cm RSAAuthentication , | 686 | .Cm RSAAuthentication , |
678 | .Cm X11DisplayOffset , | 687 | .Cm X11DisplayOffset , |
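Review bot: PubkeyAuthentication at line 684 is inserted in the correct alphabetical position for the Match keyword list. With it now settable per Match block, readers may expect the related new keywords RevokedKeys and TrustedUserCAKeys (added later in this same patch) to be listed here as well; if they are intentionally not permitted under Match, a short sentence saying so would avoid that confusion.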
@@ -865,7 +874,7 @@ and | |||
865 | .Sq 2 . | 874 | .Sq 2 . |
866 | Multiple versions must be comma-separated. | 875 | Multiple versions must be comma-separated. |
867 | The default is | 876 | The default is |
868 | .Dq 2,1 . | 877 | .Sq 2 . |
869 | Note that the order of the protocol list does not indicate preference, | 878 | Note that the order of the protocol list does not indicate preference, |
870 | because the client selects among multiple protocol versions offered | 879 | because the client selects among multiple protocol versions offered |
871 | by the server. | 880 | by the server. |
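Review bot: With the default at line 877 reduced to a single version, the remark at lines 878-880 about list order only matters when an administrator explicitly lists both versions; consider adding that existing configurations which already set `Protocol 2,1` will keep offering protocol 1 and must be edited to benefit from the new default, since the commit message presents disabling protocol 1 as the headline change of this release.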
@@ -878,6 +887,11 @@ Specifies whether public key authentication is allowed. | |||
878 | The default is | 887 | The default is |
879 | .Dq yes . | 888 | .Dq yes . |
880 | Note that this option applies to protocol version 2 only. | 889 | Note that this option applies to protocol version 2 only. |
890 | .It Cm RevokedKeys | ||
891 | Specifies a list of revoked public keys. | ||
892 | Keys listed in this file will be refused for public key authentication. | ||
893 | Note that if this file is not readable, then public key authentication will | ||
894 | be refused for all users. | ||
881 | .It Cm RhostsRSAAuthentication | 895 | .It Cm RhostsRSAAuthentication |
882 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 896 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
883 | with successful RSA host authentication is allowed. | 897 | with successful RSA host authentication is allowed. |
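Review bot: Lines 891-892 do not say what format the RevokedKeys file has (one public key per line, whether comments and blank lines are allowed), while the TrustedUserCAKeys entry added later in this patch spells this out; suggest mirroring that wording here. The fail-closed behaviour at lines 893-894, where an unreadable file refuses public key authentication for every user, is the safe choice, but it is surprising enough that the text should say how the condition is reported (for example, whether sshd logs it), otherwise an operator with a simple permissions mistake sees only unexplained authentication failures.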
@@ -901,6 +915,9 @@ This is normally desirable because novices sometimes accidentally leave their | |||
901 | directory or files world-writable. | 915 | directory or files world-writable. |
902 | The default is | 916 | The default is |
903 | .Dq yes . | 917 | .Dq yes . |
918 | Note that this does not apply to | ||
919 | .Cm ChrootDirectory , | ||
920 | whose permissions and ownership are checked unconditionally. | ||
904 | .It Cm Subsystem | 921 | .It Cm Subsystem |
905 | Configures an external subsystem (e.g. file transfer daemon). | 922 | Configures an external subsystem (e.g. file transfer daemon). |
906 | Arguments should be a subsystem name and a command (with optional arguments) | 923 | Arguments should be a subsystem name and a command (with optional arguments) |
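Review bot: The note at lines 918-920 is a useful cross-reference; to make the relationship visible from both sides, the ChrootDirectory entry (lines 214-215 earlier in this patch) could state that its ownership and permission check is performed regardless of the StrictModes setting.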
@@ -953,6 +970,22 @@ To disable TCP keepalive messages, the value should be set to | |||
953 | .Pp | 970 | .Pp |
954 | This option was formerly called | 971 | This option was formerly called |
955 | .Cm KeepAlive . | 972 | .Cm KeepAlive . |
973 | .It Cm TrustedUserCAKeys | ||
974 | Specifies a file containing public keys of certificate authorities that are | ||
975 | trusted to sign user certificates for authentication. | ||
976 | Keys are listed one per line; empty lines and comments starting with | ||
977 | .Ql # | ||
978 | are allowed. | ||
979 | If a certificate is presented for authentication and has its signing CA key | ||
980 | listed in this file, then it may be used for authentication for any user | ||
981 | listed in the certificate's principals list. | ||
982 | Note that certificates that lack a list of principals will not be permitted | ||
983 | for authentication using | ||
984 | .Cm TrustedUserCAKeys . | ||
985 | For more details on certificates, see the | ||
986 | .Sx CERTIFICATES | ||
987 | section in | ||
988 | .Xr ssh-keygen 1 . | ||
956 | .It Cm UseDNS | 989 | .It Cm UseDNS |
957 | Specifies whether | 990 | Specifies whether |
958 | .Xr sshd 8 | 991 | .Xr sshd 8 |
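Review bot: Lines 979-981 establish that any CA key in this file can authenticate as every user named in a certificate's principals list, but the entry does not say what happens when the file is unreadable (RevokedKeys at lines 893-894 documents its fail-closed behaviour, and parity would help) or that the file should be writable only by root, since anyone who can append a key to it can issue certificates for any account on the host. One sentence on the scope of trust being granted would let readers judge how carefully to protect the file.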