-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | monitor.c | 6 | ||||
-rw-r--r-- | packet.c | 4 | ||||
-rw-r--r-- | servconf.c | 75 | ||||
-rw-r--r-- | servconf.h | 5 | ||||
-rw-r--r-- | serverloop.c | 14 | ||||
-rw-r--r-- | sshd.c | 6 | ||||
-rw-r--r-- | sshd_config | 5 | ||||
-rw-r--r-- | sshd_config.5 | 32 |
9 files changed, 135 insertions, 17 deletions
@@ -28,6 +28,11 @@ | |||
28 | Add an optional second argument to RekeyLimit in the client to allow | 28 | Add an optional second argument to RekeyLimit in the client to allow |
29 | rekeying based on elapsed time in addition to amount of traffic. | 29 | rekeying based on elapsed time in addition to amount of traffic. |
30 | with djm@ jmc@, ok djm | 30 | with djm@ jmc@, ok djm |
31 | - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 | ||
32 | [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config | ||
33 | sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing | ||
34 | rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man | ||
35 | page. | ||
31 | 36 | ||
32 | 20130510 | 37 | 20130510 |
33 | - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler | 38 | - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.122 2013/03/07 19:27:25 markus Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.123 2013/05/16 04:09:13 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -1810,6 +1810,10 @@ monitor_apply_keystate(struct monitor *pmonitor) | |||
1810 | if (options.compression) | 1810 | if (options.compression) |
1811 | mm_init_compression(pmonitor->m_zlib); | 1811 | mm_init_compression(pmonitor->m_zlib); |
1812 | 1812 | ||
1813 | if (options.rekey_limit || options.rekey_interval) | ||
1814 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | ||
1815 | (time_t)options.rekey_interval); | ||
1816 | |||
1813 | /* Network I/O buffers */ | 1817 | /* Network I/O buffers */ |
1814 | /* XXX inefficient for large buffers, need: buffer_init_from_string */ | 1818 | /* XXX inefficient for large buffers, need: buffer_init_from_string */ |
1815 | buffer_clear(packet_get_input()); | 1819 | buffer_clear(packet_get_input()); |
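Review bot: The rekey block added to monitor_apply_keystate is duplicated verbatim in do_ssh2_kex in sshd.c, including the `(u_int32_t)` and `(time_t)` narrowing casts, so if the types of rekey_limit or rekey_interval change later one copy will drift. Hoisting the four lines into one helper called from both places, or at least a one-line comment here saying that the post-privsep child must re-apply the same limits do_ssh2_kex set, would make the relationship explicit. monitor_apply_keystate starts and ends outside the hunk.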
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.184 2013/05/16 02:00:34 dtucker Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.185 2013/05/16 04:09:13 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1966,7 +1966,7 @@ packet_get_rekey_timeout(void) | |||
1966 | 1966 | ||
1967 | seconds = active_state->rekey_time + active_state->rekey_interval - | 1967 | seconds = active_state->rekey_time + active_state->rekey_interval - |
1968 | time(NULL); | 1968 | time(NULL); |
1969 | return (seconds < 0 ? 0 : seconds); | 1969 | return (seconds <= 0 ? 1 : seconds); |
1970 | } | 1970 | } |
1971 | 1971 | ||
1972 | void | 1972 | void |
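Review bot: The changed return in packet_get_rekey_timeout maps an elapsed or overdue interval to 1 rather than 0, and nothing on the line says why, so a reader will take it for an off-by-one. From serverloop.c the caller multiplies the result by 1000 and hands it to wait_until_can_do_something, where the previously hard-coded 0 appears to mean "no timeout", so a 0 here would presumably disable the wake-up instead of triggering it; worth confirming against wait_until_can_do_something's body, which is not in this commit. A comment on the return would settle it: `/* never return 0: the caller treats a 0 timeout as "wait forever" */`. `seconds` is declared above the hunk and the function starts outside it.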
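--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.235 2013/05/16 04:09:14 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -20,6 +20,7 @@
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 
+#include <ctype.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <stdio.h>
@@ -110,6 +111,8 @@ initialize_server_options(ServerOptions *options)
 options->permit_user_env = -1;
 options->use_login = -1;
 options->compression = -1;
+options->rekey_limit = -1;
+options->rekey_interval = -1;
 options->allow_tcp_forwarding = -1;
 options->allow_agent_forwarding = -1;
 options->num_allow_users = 0;
@@ -249,6 +252,10 @@ fill_default_server_options(ServerOptions *options)
 options->use_login = 0;
 if (options->compression == -1)
 options->compression = COMP_DELAYED;
+if (options->rekey_limit == -1)
+options->rekey_limit = 0;
+if (options->rekey_interval == -1)
+options->rekey_interval = 0;
 if (options->allow_tcp_forwarding == -1)
 options->allow_tcp_forwarding = FORWARD_ALLOW;
 if (options->allow_agent_forwarding == -1)
@@ -320,7 +327,7 @@ typedef enum {
 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
-sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -422,6 +429,7 @@ static struct {
 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
 { "compression", sCompression, SSHCFG_GLOBAL },
+{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -800,14 +808,14 @@ process_server_config_line(ServerOptions *options, char *line,
 const char *filename, int linenum, int *activep,
 struct connection_info *connectinfo)
 {
-char *cp, **charptr, *arg, *p;
-int cmdline = 0, *intptr, value, value2, n;
+char *cp, **charptr, *arg, *p, *endofnumber;
+int cmdline = 0, *intptr, value, value2, n, port, scale;
 SyslogFacility *log_facility_ptr;
 LogLevel *log_level_ptr;
 ServerOpCodes opcode;
-int port;
 u_int i, flags = 0;
 size_t len;
+long long orig, val64;
 const struct multistate *multistate_ptr;
 
 cp = line;
@@ -1118,6 +1126,59 @@ process_server_config_line(ServerOptions *options, char *line,
 multistate_ptr = multistate_compression;
 goto parse_multistate;
 
+case sRekeyLimit:
+arg = strdelim(&cp);
+if (!arg || *arg == '\0')
+fatal("%.200s line %d: Missing argument.", filename,
+linenum);
+if (strcmp(arg, "default") == 0) {
+val64 = 0;
+} else {
+if (arg[0] < '0' || arg[0] > '9')
+fatal("%.200s line %d: Bad number.", filename,
+linenum);
+orig = val64 = strtoll(arg, &endofnumber, 10);
+if (arg == endofnumber)
+fatal("%.200s line %d: Bad number.", filename,
+linenum);
+switch (toupper(*endofnumber)) {
+case '\0':
+scale = 1;
+break;
+case 'K':
+scale = 1<<10;
+break;
+case 'M':
+scale = 1<<20;
+break;
+case 'G':
+scale = 1<<30;
+break;
+default:
+fatal("%.200s line %d: Invalid RekeyLimit "
+"suffix", filename, linenum);
+}
+val64 *= scale;
+/* detect integer wrap and too-large limits */
+if ((val64 / scale) != orig || val64 > UINT_MAX)
+fatal("%.200s line %d: RekeyLimit too large",
+filename, linenum);
+if (val64 != 0 && val64 < 16)
+fatal("%.200s line %d: RekeyLimit too small",
+filename, linenum);
+}
+if (*activep && options->rekey_limit == -1)
+options->rekey_limit = (u_int32_t)val64;
+if (cp != NULL) { /* optional rekey interval present */
+if (strcmp(cp, "none") == 0) {
+(void)strdelim(&cp); /* discard */
+break;
+}
+intptr = &options->rekey_interval;
+goto parse_time;
+}
+break;
+
 case sGatewayPorts:
 intptr = &options->gateway_ports;
 multistate_ptr = multistate_gatewayports;
@@ -1718,6 +1779,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(max_authtries);
 M_CP_INTOPT(ip_qos_interactive);
 M_CP_INTOPT(ip_qos_bulk);
+M_CP_INTOPT(rekey_limit);
+M_CP_INTOPT(rekey_interval);
 
 /* See comment in servconf.h */
 COPY_MATCH_STRING_OPTS();
@@ -2006,5 +2069,7 @@ dump_config(ServerOptions *o)
 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
 printf("%s\n", iptos2str(o->ip_qos_bulk));
 
+printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
+
 channel_print_adm_permitted_opens();
 }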
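Review bot: In the new sRekeyLimit case, `val64 *= scale;` can overflow a signed long long before the wrap check on the next line runs (for example a value near LLONG_MAX returned by strtoll combined with a `G` suffix), and signed overflow is undefined behaviour, so the `(val64 / scale) != orig` test is not guaranteed to execute as written. Since the result must fit in u_int32_t anyway, checking before multiplying avoids both problems: `if (orig > UINT_MAX / scale) fatal("%.200s line %d: RekeyLimit too large", filename, linenum); val64 = orig * scale;`. Also, `toupper(*endofnumber)` passes a plain char; `toupper((unsigned char)*endofnumber)` keeps the <ctype.h> call defined for high-bit bytes, and strtoll's ERANGE is not examined, though the UINT_MAX bound does catch a saturated result. The `%lld` added to dump_config formats an int64_t, which is `long` rather than `long long` on some 64-bit platforms; a `(long long)o->rekey_limit` cast keeps -Wformat clean. process_server_config_line begins and ends outside its hunks.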
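--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.107 2013/01/03 05:49:36 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.108 2013/05/16 04:09:14 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -176,6 +176,9 @@ typedef struct {
 char *authorized_keys_command;
 char *authorized_keys_command_user;
 
+int64_t rekey_limit;
+int rekey_interval;
+
 char *version_addendum; /* Appended to SSH banner */
 
 u_int num_auth_methods;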
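Review bot: The two new ServerOptions fields carry no comment, unlike the neighbouring `version_addendum`, and their sentinel values are only discoverable by reading servconf.c. Suggest `int64_t rekey_limit; /* bytes before rekey; 0 = cipher default, -1 = unset */` and `int rekey_interval; /* seconds between rekeys; 0 = none, -1 = unset */`, which matches the -1 initialisation in initialize_server_options and the 0 defaults applied in fill_default_server_options. The enclosing struct starts and ends outside the hunk.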
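--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.165 2013/05/16 04:09:14 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -277,7 +277,7 @@ client_alive_check(void)
  */
 static void
 wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
-u_int *nallocp, u_int max_time_milliseconds)
+u_int *nallocp, u_int64_t max_time_milliseconds)
 {
 struct timeval tv, *tvp;
 int ret;
@@ -563,7 +563,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
 int wait_status; /* Status returned by wait(). */
 pid_t wait_pid; /* pid returned by wait(). */
 int waiting_termination = 0; /* Have displayed waiting close message. */
-u_int max_time_milliseconds;
+u_int64_t max_time_milliseconds;
 u_int previous_stdout_buffer_bytes;
 u_int stdout_buffer_bytes;
 int type;
@@ -826,6 +826,7 @@ server_loop2(Authctxt *authctxt)
 {
 fd_set *readset = NULL, *writeset = NULL;
 int rekeying = 0, max_fd, nalloc = 0;
+u_int64_t rekey_timeout_ms = 0;
 
 debug("Entering interactive session for SSH2.");
 
@@ -854,8 +855,13 @@ server_loop2(Authctxt *authctxt)
 
 if (!rekeying && packet_not_very_much_data_to_write())
 channel_output_poll();
+if (options.rekey_interval > 0 && compat20 && !rekeying)
+rekey_timeout_ms = packet_get_rekey_timeout() * 1000;
+else
+rekey_timeout_ms = 0;
+
 wait_until_can_do_something(&readset, &writeset, &max_fd,
-&nalloc, 0);
+&nalloc, rekey_timeout_ms);
 
 if (received_sigterm) {
 logit("Exiting on signal %d", (int)received_sigterm);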
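Review bot: `rekey_timeout_ms = packet_get_rekey_timeout() * 1000;` widens to u_int64_t only after the multiplication, so if packet_get_rekey_timeout() returns an int or time_t (its return type is not visible in this commit) the product is computed in that type and can overflow for large values of rekey_interval, which is an int filled in through the parse_time path in servconf.c. Casting first, `rekey_timeout_ms = (u_int64_t)packet_get_rekey_timeout() * 1000;`, makes the widened parameter of wait_until_can_do_something actually useful. The body that consumes max_time_milliseconds is outside the hunk, so whether its timeval arithmetic also copes with the wider type cannot be checked here; server_loop2 and wait_until_can_do_something both start and end outside their hunks.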
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.399 2013/04/07 02:10:33 dtucker Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.400 2013/05/16 04:09:14 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -2364,6 +2364,10 @@ do_ssh2_kex(void) | |||
2364 | if (options.kex_algorithms != NULL) | 2364 | if (options.kex_algorithms != NULL) |
2365 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2365 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2366 | 2366 | ||
2367 | if (options.rekey_limit || options.rekey_interval) | ||
2368 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | ||
2369 | (time_t)options.rekey_interval); | ||
2370 | |||
2367 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2371 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2368 | 2372 | ||
2369 | /* start key exchange */ | 2373 | /* start key exchange */ |
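--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.90 2013/05/16 04:09:14 dtucker Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -29,6 +29,9 @@
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
 
+# Ciphers and keying
+#RekeyLimit default none
+
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH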
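--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $
-.Dd $Mdocdate: April 19 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.159 2013/05/16 04:09:14 dtucker Exp $
+.Dd $Mdocdate: May 16 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -814,6 +814,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
+.Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
@@ -1008,6 +1009,33 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm RekeyLimit
+Specifies the maximum amount of data that may be transmitted before the
+session key is renegotiated, optionally followed a maximum amount of
+time that may pass before the session key is renegotiated.
+The first argument is specified in bytes and may have a suffix of
+.Sq K ,
+.Sq M ,
+or
+.Sq G
+to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
+The default is between
+.Sq 1G
+and
+.Sq 4G ,
+depending on the cipher.
+The optional second value is specified in seconds and may use any of the
+units documented in the
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5 .
+The default value for
+.Cm RekeyLimit
+is
+.Dq default none ,
+which means that rekeying is performed after the cipher's default amount
+of data has been sent or received and no time based rekeying is done.
+This option applies to protocol version 2 only.
 .It Cm RevokedKeys
 Specifies revoked public keys.
 Keys listed in this file will be refused for public key authentication.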