-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | kex.c | 10 | ||||
-rw-r--r-- | kex.h | 6 | ||||
-rw-r--r-- | myproposal.h | 4 | ||||
-rw-r--r-- | packet.c | 56 | ||||
-rw-r--r-- | packet.h | 4 | ||||
-rw-r--r-- | servconf.c | 22 | ||||
-rw-r--r-- | session.c | 5 | ||||
-rw-r--r-- | sshconnect2.c | 6 | ||||
-rw-r--r-- | sshd.c | 15 | ||||
-rw-r--r-- | sshd_config | 4 | ||||
-rw-r--r-- | sshd_config.5 | 10 |
12 files changed, 126 insertions, 27 deletions
@@ -6,6 +6,15 @@ | |||
6 | [auth-passwd.c] | 6 | [auth-passwd.c] |
7 | auth_usercheck(3) can return NULL, so check for that. Report from | 7 | auth_usercheck(3) can return NULL, so check for that. Report from |
8 | mpech@. ok markus@ | 8 | mpech@. ok markus@ |
9 | - markus@cvs.openbsd.org 2005/07/25 11:59:40 | ||
10 | [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] | ||
11 | [sshconnect2.c sshd.c sshd_config sshd_config.5] | ||
12 | add a new compression method that delays compression until the user | ||
13 | has been authenticated successfully and set compression to 'delayed' | ||
14 | for sshd. | ||
15 | this breaks older openssh clients (< 3.5) if they insist on | ||
16 | compression, so you have to re-enable compression in sshd_config. | ||
17 | ok djm@ | ||
9 | 18 | ||
10 | 20050725 | 19 | 20050725 |
11 | - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096. | 20 | - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096. |
@@ -2870,4 +2879,4 @@ | |||
2870 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 2879 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
2871 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 2880 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
2872 | 2881 | ||
2873 | $Id: ChangeLog,v 1.3856 2005/07/26 11:54:11 djm Exp $ | 2882 | $Id: ChangeLog,v 1.3857 2005/07/26 11:54:56 djm Exp $ |
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: kex.c,v 1.63 2005/07/17 07:17:55 djm Exp $"); | 26 | RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $"); |
27 | 27 | ||
28 | #include <openssl/crypto.h> | 28 | #include <openssl/crypto.h> |
29 | 29 | ||
@@ -275,10 +275,12 @@ choose_comp(Comp *comp, char *client, char *server) | |||
275 | char *name = match_list(client, server, NULL); | 275 | char *name = match_list(client, server, NULL); |
276 | if (name == NULL) | 276 | if (name == NULL) |
277 | fatal("no matching comp found: client %s server %s", client, server); | 277 | fatal("no matching comp found: client %s server %s", client, server); |
278 | if (strcmp(name, "zlib") == 0) { | 278 | if (strcmp(name, "zlib@openssh.com") == 0) { |
279 | comp->type = 1; | 279 | comp->type = COMP_DELAYED; |
280 | } else if (strcmp(name, "zlib") == 0) { | ||
281 | comp->type = COMP_ZLIB; | ||
280 | } else if (strcmp(name, "none") == 0) { | 282 | } else if (strcmp(name, "none") == 0) { |
281 | comp->type = 0; | 283 | comp->type = COMP_NONE; |
282 | } else { | 284 | } else { |
283 | fatal("unsupported comp %s", name); | 285 | fatal("unsupported comp %s", name); |
284 | } | 286 | } |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.h,v 1.36 2005/06/17 02:44:32 djm Exp $ */ | 1 | /* $OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
@@ -35,6 +35,10 @@ | |||
35 | #define KEX_DH14 "diffie-hellman-group14-sha1" | 35 | #define KEX_DH14 "diffie-hellman-group14-sha1" |
36 | #define KEX_DHGEX "diffie-hellman-group-exchange-sha1" | 36 | #define KEX_DHGEX "diffie-hellman-group-exchange-sha1" |
37 | 37 | ||
38 | #define COMP_NONE 0 | ||
39 | #define COMP_ZLIB 1 | ||
40 | #define COMP_DELAYED 2 | ||
41 | |||
38 | enum kex_init_proposals { | 42 | enum kex_init_proposals { |
39 | PROPOSAL_KEX_ALGS, | 43 | PROPOSAL_KEX_ALGS, |
40 | PROPOSAL_SERVER_HOST_KEY_ALGS, | 44 | PROPOSAL_SERVER_HOST_KEY_ALGS, |
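Review bot: The new `COMP_NONE`/`COMP_ZLIB`/`COMP_DELAYED` defines in kex.h have no comment, although this commit stores the same values in two places: `comp->type` in kex.c and `options->compression` in servconf.c. A one-line comment such as `/* Compression types; also used as the values of the sshd Compression option */` would make that coupling visible to the next reader. Because `COMP_DELAYED` is non-zero, any server-side test left as a plain truthiness check on the option would treat "delayed" the same as "yes"; this commit converts the checks in session.c and sshd.c, but whether others remain cannot be seen from these hunks.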
diff --git a/myproposal.h b/myproposal.h index 2edbe1624..d8cba1caf 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.17 2005/05/23 23:32:46 djm Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.18 2005/07/25 11:59:39 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -36,7 +36,7 @@ | |||
36 | "hmac-md5,hmac-sha1,hmac-ripemd160," \ | 36 | "hmac-md5,hmac-sha1,hmac-ripemd160," \ |
37 | "hmac-ripemd160@openssh.com," \ | 37 | "hmac-ripemd160@openssh.com," \ |
38 | "hmac-sha1-96,hmac-md5-96" | 38 | "hmac-sha1-96,hmac-md5-96" |
39 | #define KEX_DEFAULT_COMP "none,zlib" | 39 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" |
40 | #define KEX_DEFAULT_LANG "" | 40 | #define KEX_DEFAULT_LANG "" |
41 | 41 | ||
42 | 42 | ||
@@ -37,7 +37,7 @@ | |||
37 | */ | 37 | */ |
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | RCSID("$OpenBSD: packet.c,v 1.117 2005/06/17 02:44:32 djm Exp $"); | 40 | RCSID("$OpenBSD: packet.c,v 1.118 2005/07/25 11:59:39 markus Exp $"); |
41 | 41 | ||
42 | #include "openbsd-compat/sys-queue.h" | 42 | #include "openbsd-compat/sys-queue.h" |
43 | 43 | ||
@@ -116,6 +116,12 @@ static int initialized = 0; | |||
116 | /* Set to true if the connection is interactive. */ | 116 | /* Set to true if the connection is interactive. */ |
117 | static int interactive_mode = 0; | 117 | static int interactive_mode = 0; |
118 | 118 | ||
119 | /* Set to true if we are the server side. */ | ||
120 | static int server_side = 0; | ||
121 | |||
122 | /* Set to true if we are authenticated. */ | ||
123 | static int after_authentication = 0; | ||
124 | |||
119 | /* Session key information for Encryption and MAC */ | 125 | /* Session key information for Encryption and MAC */ |
120 | Newkeys *newkeys[MODE_MAX]; | 126 | Newkeys *newkeys[MODE_MAX]; |
121 | static struct packet_state { | 127 | static struct packet_state { |
@@ -624,7 +630,9 @@ set_newkeys(int mode) | |||
624 | /* Deleting the keys does not gain extra security */ | 630 | /* Deleting the keys does not gain extra security */ |
625 | /* memset(enc->iv, 0, enc->block_size); | 631 | /* memset(enc->iv, 0, enc->block_size); |
626 | memset(enc->key, 0, enc->key_len); */ | 632 | memset(enc->key, 0, enc->key_len); */ |
627 | if (comp->type != 0 && comp->enabled == 0) { | 633 | if ((comp->type == COMP_ZLIB || |
634 | (comp->type == COMP_DELAYED && after_authentication)) && | ||
635 | comp->enabled == 0) { | ||
628 | packet_init_compression(); | 636 | packet_init_compression(); |
629 | if (mode == MODE_OUT) | 637 | if (mode == MODE_OUT) |
630 | buffer_compress_init_send(6); | 638 | buffer_compress_init_send(6); |
@@ -645,6 +653,34 @@ set_newkeys(int mode) | |||
645 | } | 653 | } |
646 | 654 | ||
647 | /* | 655 | /* |
656 | * Delayed compression for SSH2 is enabled after authentication: | ||
657 | * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent, | ||
658 | * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received. | ||
659 | */ | ||
660 | static void | ||
661 | packet_enable_delayed_compress(void) | ||
662 | { | ||
663 | Comp *comp = NULL; | ||
664 | int mode; | ||
665 | |||
666 | /* | ||
667 | * Remember that we are past the authentication step, so rekeying | ||
668 | * with COMP_DELAYED will turn on compression immediately. | ||
669 | */ | ||
670 | after_authentication = 1; | ||
671 | for (mode = 0; mode < MODE_MAX; mode++) { | ||
672 | comp = &newkeys[mode]->comp; | ||
673 | if (comp && !comp->enabled && comp->type == COMP_DELAYED) { | ||
674 | if (mode == MODE_OUT) | ||
675 | buffer_compress_init_send(6); | ||
676 | else | ||
677 | buffer_compress_init_recv(); | ||
678 | comp->enabled = 1; | ||
679 | } | ||
680 | } | ||
681 | } | ||
682 | |||
683 | /* | ||
648 | * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) | 684 | * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue) |
649 | */ | 685 | */ |
650 | static void | 686 | static void |
@@ -757,6 +793,8 @@ packet_send2_wrapped(void) | |||
757 | 793 | ||
758 | if (type == SSH2_MSG_NEWKEYS) | 794 | if (type == SSH2_MSG_NEWKEYS) |
759 | set_newkeys(MODE_OUT); | 795 | set_newkeys(MODE_OUT); |
796 | else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side) | ||
797 | packet_enable_delayed_compress(); | ||
760 | } | 798 | } |
761 | 799 | ||
762 | static void | 800 | static void |
@@ -1099,6 +1137,8 @@ packet_read_poll2(u_int32_t *seqnr_p) | |||
1099 | packet_disconnect("Invalid ssh2 packet type: %d", type); | 1137 | packet_disconnect("Invalid ssh2 packet type: %d", type); |
1100 | if (type == SSH2_MSG_NEWKEYS) | 1138 | if (type == SSH2_MSG_NEWKEYS) |
1101 | set_newkeys(MODE_IN); | 1139 | set_newkeys(MODE_IN); |
1140 | else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side) | ||
1141 | packet_enable_delayed_compress(); | ||
1102 | #ifdef PACKET_DEBUG | 1142 | #ifdef PACKET_DEBUG |
1103 | fprintf(stderr, "read/plain[%d]:\r\n", type); | 1143 | fprintf(stderr, "read/plain[%d]:\r\n", type); |
1104 | buffer_dump(&incoming_packet); | 1144 | buffer_dump(&incoming_packet); |
@@ -1524,3 +1564,15 @@ packet_set_rekey_limit(u_int32_t bytes) | |||
1524 | { | 1564 | { |
1525 | rekey_limit = bytes; | 1565 | rekey_limit = bytes; |
1526 | } | 1566 | } |
1567 | |||
1568 | void | ||
1569 | packet_set_server(void) | ||
1570 | { | ||
1571 | server_side = 1; | ||
1572 | } | ||
1573 | |||
1574 | void | ||
1575 | packet_set_authenticated(void) | ||
1576 | { | ||
1577 | after_authentication = 1; | ||
1578 | } | ||
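Review bot: In `packet_enable_delayed_compress()` the guard `if (comp && ...)` cannot detect a missing key state, because `comp` is computed as `&newkeys[mode]->comp` before the test and is non-NULL whenever the member has a non-zero offset. `packet_read_poll2()` calls this function as soon as a `SSH2_MSG_USERAUTH_SUCCESS` type is read, so if that message can arrive while `newkeys[mode]` is still NULL the loop dereferences an invalid pointer. Adding `if (newkeys[mode] == NULL) continue;` ahead of the assignment closes that. The function also calls `buffer_compress_init_send(6)` / `buffer_compress_init_recv()` without the `packet_init_compression();` call that `set_newkeys()` makes first, which looks like an omission unless that initialization is guaranteed elsewhere.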
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.h,v 1.42 2005/06/17 02:44:33 djm Exp $ */ | 1 | /* $OpenBSD: packet.h,v 1.43 2005/07/25 11:59:40 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -30,6 +30,8 @@ u_int packet_get_protocol_flags(void); | |||
30 | void packet_start_compression(int); | 30 | void packet_start_compression(int); |
31 | void packet_set_interactive(int); | 31 | void packet_set_interactive(int); |
32 | int packet_is_interactive(void); | 32 | int packet_is_interactive(void); |
33 | void packet_set_server(void); | ||
34 | void packet_set_authenticated(void); | ||
33 | 35 | ||
34 | void packet_start(u_char); | 36 | void packet_start(u_char); |
35 | void packet_put_char(int ch); | 37 | void packet_put_char(int ch); |
diff --git a/servconf.c b/servconf.c index deec167be..7ef7b234e 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -10,7 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: servconf.c,v 1.142 2005/06/17 02:44:33 djm Exp $"); | 13 | RCSID("$OpenBSD: servconf.c,v 1.143 2005/07/25 11:59:40 markus Exp $"); |
14 | 14 | ||
15 | #include "ssh.h" | 15 | #include "ssh.h" |
16 | #include "log.h" | 16 | #include "log.h" |
@@ -201,7 +201,7 @@ fill_default_server_options(ServerOptions *options) | |||
201 | if (options->use_login == -1) | 201 | if (options->use_login == -1) |
202 | options->use_login = 0; | 202 | options->use_login = 0; |
203 | if (options->compression == -1) | 203 | if (options->compression == -1) |
204 | options->compression = 1; | 204 | options->compression = COMP_DELAYED; |
205 | if (options->allow_tcp_forwarding == -1) | 205 | if (options->allow_tcp_forwarding == -1) |
206 | options->allow_tcp_forwarding = 1; | 206 | options->allow_tcp_forwarding = 1; |
207 | if (options->gateway_ports == -1) | 207 | if (options->gateway_ports == -1) |
@@ -725,7 +725,23 @@ parse_flag: | |||
725 | 725 | ||
726 | case sCompression: | 726 | case sCompression: |
727 | intptr = &options->compression; | 727 | intptr = &options->compression; |
728 | goto parse_flag; | 728 | arg = strdelim(&cp); |
729 | if (!arg || *arg == '\0') | ||
730 | fatal("%s line %d: missing yes/no/delayed " | ||
731 | "argument.", filename, linenum); | ||
732 | value = 0; /* silence compiler */ | ||
733 | if (strcmp(arg, "delayed") == 0) | ||
734 | value = COMP_DELAYED; | ||
735 | else if (strcmp(arg, "yes") == 0) | ||
736 | value = COMP_ZLIB; | ||
737 | else if (strcmp(arg, "no") == 0) | ||
738 | value = COMP_NONE; | ||
739 | else | ||
740 | fatal("%s line %d: Bad yes/no/delayed " | ||
741 | "argument: %s", filename, linenum, arg); | ||
742 | if (*intptr == -1) | ||
743 | *intptr = value; | ||
744 | break; | ||
729 | 745 | ||
730 | case sGatewayPorts: | 746 | case sGatewayPorts: |
731 | intptr = &options->gateway_ports; | 747 | intptr = &options->gateway_ports; |
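Review bot: The `sCompression` case maps "yes" to `COMP_ZLIB` without saying that this value turns compression on before authentication, unlike "delayed". The `set_newkeys()` change in packet.c enables `COMP_ZLIB` at the first key exchange and only gates `COMP_DELAYED` on `after_authentication`, so an administrator who re-enables "yes" for old clients exposes the zlib code path to unauthenticated peers again. A comment on that branch, for example `/* "yes" keeps zlib available before authentication; prefer "delayed" */`, would record the trade-off next to the parser. The `value = 0; /* silence compiler */` assignment is redundant, since every branch either sets `value` or calls `fatal()`, but it is harmless.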
@@ -33,7 +33,7 @@ | |||
33 | */ | 33 | */ |
34 | 34 | ||
35 | #include "includes.h" | 35 | #include "includes.h" |
36 | RCSID("$OpenBSD: session.c,v 1.185 2005/07/17 07:17:55 djm Exp $"); | 36 | RCSID("$OpenBSD: session.c,v 1.186 2005/07/25 11:59:40 markus Exp $"); |
37 | 37 | ||
38 | #include "ssh.h" | 38 | #include "ssh.h" |
39 | #include "ssh1.h" | 39 | #include "ssh1.h" |
@@ -56,6 +56,7 @@ RCSID("$OpenBSD: session.c,v 1.185 2005/07/17 07:17:55 djm Exp $"); | |||
56 | #include "serverloop.h" | 56 | #include "serverloop.h" |
57 | #include "canohost.h" | 57 | #include "canohost.h" |
58 | #include "session.h" | 58 | #include "session.h" |
59 | #include "kex.h" | ||
59 | #include "monitor_wrap.h" | 60 | #include "monitor_wrap.h" |
60 | 61 | ||
61 | #if defined(KRB5) && defined(USE_AFS) | 62 | #if defined(KRB5) && defined(USE_AFS) |
@@ -272,7 +273,7 @@ do_authenticated1(Authctxt *authctxt) | |||
272 | compression_level); | 273 | compression_level); |
273 | break; | 274 | break; |
274 | } | 275 | } |
275 | if (!options.compression) { | 276 | if (options.compression == COMP_NONE) { |
276 | debug2("compression disabled"); | 277 | debug2("compression disabled"); |
277 | break; | 278 | break; |
278 | } | 279 | } |
diff --git a/sshconnect2.c b/sshconnect2.c index 012ce2b42..baee664ea 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: sshconnect2.c,v 1.140 2005/07/17 07:17:55 djm Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $"); |
27 | 27 | ||
28 | #include "openbsd-compat/sys-queue.h" | 28 | #include "openbsd-compat/sys-queue.h" |
29 | 29 | ||
@@ -101,10 +101,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
101 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 101 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); |
102 | if (options.compression) { | 102 | if (options.compression) { |
103 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 103 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
104 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; | 104 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
105 | } else { | 105 | } else { |
106 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 106 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
107 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib"; | 107 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
108 | } | 108 | } |
109 | if (options.macs != NULL) { | 109 | if (options.macs != NULL) { |
110 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 110 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
@@ -42,7 +42,7 @@ | |||
42 | */ | 42 | */ |
43 | 43 | ||
44 | #include "includes.h" | 44 | #include "includes.h" |
45 | RCSID("$OpenBSD: sshd.c,v 1.311 2005/06/17 02:44:33 djm Exp $"); | 45 | RCSID("$OpenBSD: sshd.c,v 1.312 2005/07/25 11:59:40 markus Exp $"); |
46 | 46 | ||
47 | #include <openssl/dh.h> | 47 | #include <openssl/dh.h> |
48 | #include <openssl/bn.h> | 48 | #include <openssl/bn.h> |
@@ -671,6 +671,12 @@ privsep_postauth(Authctxt *authctxt) | |||
671 | 671 | ||
672 | /* It is safe now to apply the key state */ | 672 | /* It is safe now to apply the key state */ |
673 | monitor_apply_keystate(pmonitor); | 673 | monitor_apply_keystate(pmonitor); |
674 | |||
675 | /* | ||
676 | * Tell the packet layer that authentication was successful, since | ||
677 | * this information is not part of the key state. | ||
678 | */ | ||
679 | packet_set_authenticated(); | ||
674 | } | 680 | } |
675 | 681 | ||
676 | static char * | 682 | static char * |
@@ -1621,6 +1627,7 @@ main(int ac, char **av) | |||
1621 | * not have a key. | 1627 | * not have a key. |
1622 | */ | 1628 | */ |
1623 | packet_set_connection(sock_in, sock_out); | 1629 | packet_set_connection(sock_in, sock_out); |
1630 | packet_set_server(); | ||
1624 | 1631 | ||
1625 | /* Set SO_KEEPALIVE if requested. */ | 1632 | /* Set SO_KEEPALIVE if requested. */ |
1626 | if (options.tcp_keep_alive && packet_connection_is_on_socket() && | 1633 | if (options.tcp_keep_alive && packet_connection_is_on_socket() && |
@@ -1988,10 +1995,14 @@ do_ssh2_kex(void) | |||
1988 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 1995 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
1989 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; | 1996 | myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; |
1990 | } | 1997 | } |
1991 | if (!options.compression) { | 1998 | if (options.compression == COMP_NONE) { |
1992 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 1999 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
1993 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; | 2000 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; |
2001 | } else if (options.compression == COMP_DELAYED) { | ||
2002 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | ||
2003 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com"; | ||
1994 | } | 2004 | } |
2005 | |||
1995 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2006 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
1996 | 2007 | ||
1997 | /* start key exchange */ | 2008 | /* start key exchange */ |
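Review bot: The comment added in `privsep_postauth()` explains why `packet_set_authenticated()` is called, but not what the call leaves undone. In packet.c the function only sets `after_authentication = 1`; it does not walk `newkeys[]` the way `packet_enable_delayed_compress()` does. Compression for the keys already in use therefore has to arrive through `monitor_apply_keystate()`, and whether the key state carries `comp->enabled` and the zlib stream state is not visible in this diff. I would extend the comment to say so, e.g. `/* only affects later rekeys; the current compression state comes from the key state above */`, once that has been confirmed. `privsep_postauth()` starts outside the hunk.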
diff --git a/sshd_config b/sshd_config index 2c3afb920..1440c05ff 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.71 2005/05/19 02:40:52 djm Exp $ | 1 | # $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $ |
2 | 2 | ||
3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
@@ -90,7 +90,7 @@ | |||
90 | #UseLogin no | 90 | #UseLogin no |
91 | #UsePrivilegeSeparation yes | 91 | #UsePrivilegeSeparation yes |
92 | #PermitUserEnvironment no | 92 | #PermitUserEnvironment no |
93 | #Compression yes | 93 | #Compression delayed |
94 | #ClientAliveInterval 0 | 94 | #ClientAliveInterval 0 |
95 | #ClientAliveCountMax 3 | 95 | #ClientAliveCountMax 3 |
96 | #UseDNS yes | 96 | #UseDNS yes |
diff --git a/sshd_config.5 b/sshd_config.5 index cec2a2382..048e8924e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.43 2005/05/23 23:32:46 djm Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.44 2005/07/25 11:59:40 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -217,13 +217,15 @@ The default | |||
217 | is 0, indicating that these messages will not be sent to the client. | 217 | is 0, indicating that these messages will not be sent to the client. |
218 | This option applies to protocol version 2 only. | 218 | This option applies to protocol version 2 only. |
219 | .It Cm Compression | 219 | .It Cm Compression |
220 | Specifies whether compression is allowed. | 220 | Specifies whether compression is allowed, or delayed until |
221 | the user has authenticated successfully. | ||
221 | The argument must be | 222 | The argument must be |
222 | .Dq yes | 223 | .Dq yes , |
224 | .Dq delayed , | ||
223 | or | 225 | or |
224 | .Dq no . | 226 | .Dq no . |
225 | The default is | 227 | The default is |
226 | .Dq yes . | 228 | .Dq delayed . |
227 | .It Cm DenyGroups | 229 | .It Cm DenyGroups |
228 | This keyword can be followed by a list of group name patterns, separated | 230 | This keyword can be followed by a list of group name patterns, separated |
229 | by spaces. | 231 | by spaces. |