summaryrefslogtreecommitdiff
path: root/servconf.c
AgeCommit message (Collapse)Author
2012-07-31 - djm@cvs.openbsd.org 2012/07/10 02:19:15Damien Miller
[servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.
2012-06-20 - markus@cvs.openbsd.org 2012/06/19 18:25:28Damien Miller
[servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March)
2012-05-19- (dtucker) OpenBSD CVS SyncDarren Tucker
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
2012-04-22 - djm@cvs.openbsd.org 2012/04/12 02:42:32Damien Miller
[servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
2012-04-22 - dtucker@cvs.openbsd.org 2012/03/29 23:54:36Damien Miller
[channels.c channels.h servconf.c] Add PermitOpen none option based on patch from Loganaden Velvindron (bz #1949). ok djm@
2011-10-02 - dtucker@cvs.openbsd.org 2011/09/23 00:22:04Darren Tucker
[channels.c auth-options.c servconf.c channels.h sshd.8] Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857, ok djm markus.
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
2011-06-23 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/06/22 21:47:28 [servconf.c] reuse the multistate option arrays to pretty-print options for "sshd -T"
2011-06-20 - djm@cvs.openbsd.org 2011/06/17 21:47:35Damien Miller
[servconf.c] factor out multi-choice option parsing into a parse_multistate label and some support structures; ok dtucker@
2011-05-29OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
2011-05-20 - djm@cvs.openbsd.org 2011/05/20 03:25:45Damien Miller
[monitor.c monitor_wrap.c servconf.c servconf.h] use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@
2011-05-20 - dtucker@cvs.openbsd.org 2011/05/20 02:00:19Damien Miller
[servconf.c] Add comment documenting what should be after the preauth check. ok djm
2011-05-20 - djm@cvs.openbsd.org 2011/05/20 00:55:02Damien Miller
[servconf.c] the options TrustedUserCAKeys, RevokedKeysFile, AuthorizedKeysFile and AuthorizedPrincipalsFile were not being correctly applied in Match blocks, despite being overridable there; ok dtucker@
2011-05-20 - (djm) [servconf.c] remove leftover droppings of AuthorizedKeysFile2Damien Miller
2011-05-15 - djm@cvs.openbsd.org 2011/05/11 04:47:06Damien Miller
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
2011-05-05 - stevesk@cvs.openbsd.org 2011/03/29 18:54:17Damien Miller
[misc.c misc.h servconf.c] print ipqos friendly string for sshd -T; ok markus # sshd -Tf sshd_config|grep ipqos ipqos lowdelay throughput
2010-11-20 - djm@cvs.openbsd.org 2010/11/13 23:27:51Damien Miller
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-11 - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys onDamien Miller
platforms that don't support ECC. Fixes some spurious warnings reported by tim@
2010-10-07 - djm@cvs.openbsd.org 2010/09/30 11:04:51Damien Miller
[servconf.c] prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block; patch from rein AT basefarm.no
2010-09-24 - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
2010-09-10 - naddy@cvs.openbsd.org 2010/09/01 15:21:35Damien Miller
[servconf.c] pick up ECDSA host key by default; ok djm@
2010-06-26 - djm@cvs.openbsd.org 2010/06/22 04:22:59Damien Miller
[servconf.c sshd_config.5] expose some more sshd_config options inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-05-10 - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
2010-03-26 - djm@cvs.openbsd.org 2010/03/25 23:38:28Damien Miller
[servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@
2010-03-22 - markus@cvs.openbsd.org 2010/03/12 11:37:40Damien Miller
[servconf.c] do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths free() (not xfree()) the buffer returned by getcwd()
2010-03-22 - djm@cvs.openbsd.org 2010/03/12 01:06:25Damien Miller
[servconf.c] unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-01-13 - djm@cvs.openbsd.org 2010/01/13 03:48:13Darren Tucker
[servconf.c servconf.h sshd.c] avoid run-time failures when specifying hostkeys via a relative path by prepending the cwd in these cases; bz#1290; ok dtucker@
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/10 03:51:17Darren Tucker
[servconf.c] Add ChrootDirectory to sshd.c test-mode output
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]Darren Tucker
Remove hacks add for RoutingDomain in preparation for its removal.
2010-01-08 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] MakeDarren Tucker
RoutingDomain an unsupported option on platforms that don't have it.
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41Darren Tucker
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/25 19:40:21Darren Tucker
[readconf.c servconf.c misc.h ssh-keyscan.c misc.c] validate routing domain is in range 0-RT_TABLEID_MAX. 'Looks right' deraadt@
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2009-06-21 - (dtucker) [servconf.c sshd.c] More whitespace sync.Darren Tucker
2009-06-21 - jj@cvs.openbsd.org 2009/04/14 21:10:54Darren Tucker
[servconf.c] Fixed a few the-the misspellings in comments. Skipped a bunch in binutils,gcc and so on. ok jmc@
2009-01-28 - djm@cvs.openbsd.org 2009/01/22 10:02:34Damien Miller
[clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] [serverloop.c ssh-keyscan.c ssh.c sshd.c] make a2port() return -1 when it encounters an invalid port number rather than 0, which it will now treat as valid (needed for future work) adjust current consumers of a2port() to check its return value is <= 0, which in turn required some things to be converted from u_short => int make use of int vs. u_short consistent in some other places too feedback & ok markus@
2009-01-28 - stevesk@cvs.openbsd.org 2008/12/09 03:20:42Damien Miller
[channels.c servconf.c] channel_print_adm_permitted_opens() should deal with all the printing for that config option. suggested by markus@; ok markus@ djm@ dtucker@
2008-11-11 - stevesk@cvs.openbsd.org 2008/11/11 02:58:09Darren Tucker
[servconf.c] USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing kerberosgetafstoken. ok dtucker@ (Id sync only, we still want the ifdef in portable)
2008-11-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- jmc@cvs.openbsd.org 2008/11/05 11:22:54 [servconf.c] passord -> password; fixes user/5975 from Rene Maroufi
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-11-05 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2008/11/03 08:59:41 [servconf.c] include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov
2008-11-03 - djm@cvs.openbsd.org 2008/10/09 03:50:54Damien Miller
[servconf.c sshd_config.5] support setting PermitEmptyPasswords in a Match block requested in PR3891; ok dtucker@
2008-07-23 - (djm) [servconf.c] Print UsePAM option in config test mode (when itDamien Miller
has been compiled in); report from nix-corp AT esperi.org.uk ok dtucker@
2008-07-23 - djm@cvs.openbsd.org 2008/07/23 07:36:55Damien Miller
[servconf.c] do not try to print options that have been compile-time disabled in config test mode (sshd -T); report from nix-corp AT esperi.org.uk ok dtucker@
2008-07-04 - djm@cvs.openbsd.org 2008/07/04 03:44:59Darren Tucker
[servconf.c groupaccess.h groupaccess.c] support negation of groups in "Match group" block (bz#1315); ok dtucker@
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 02:24:18Darren Tucker
[sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@