summaryrefslogtreecommitdiff
path: root/servconf.h
AgeCommit message (Collapse)Author
2018-09-20upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
2018-07-10upstream: sshd: switch loginmsg to sshbuf API; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42
2018-07-03upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org
pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-06-09upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org
administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-07upstream: permitlisten option for authorized_keys; ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
2018-06-07upstream: Add a PermitListen directive to control which server-sidedjm@openbsd.org
addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
2018-04-13upstream: Defend against user enumeration timing attacks. Thisdtucker@openbsd.org
establishes a minimum time for each failed authentication attempt (5ms) and adds a per-user constant derived from a host secret (0-4ms). Based on work by joona.kannisto at tut.fi, ok markus@ djm@. OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca
2017-10-25upstream commitdjm@openbsd.org
add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which rdomain(4) a connection was recevied on. ok markus@ Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25upstream commitdjm@openbsd.org
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25upstream commitdjm@openbsd.org
Add optional rdomain qualifier to sshd_config's ListenAddress option to allow listening on a different rdomain(4), e.g. ListenAddress 0.0.0.0 rdomain 4 Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
2017-10-20upstream commitDamien Miller
Apply missing commit 1.127 to servconf.h Upstream-ID: f14c4bac74a2b7cf1e3cff6bea5c447f192a7d15
2017-10-03upstream commitdjm@openbsd.org
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@ Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
2017-09-12upstream commitdjm@openbsd.org
refactor channels.c Move static state to a "struct ssh_channels" that is allocated at runtime and tracked as a member of struct ssh. Explicitly pass "struct ssh" to all channels functions. Replace use of the legacy packet APIs in channels.c. Rework sshd_config PermitOpen handling: previously the configuration parser would call directly into the channels layer. After the refactor this is not possible, as the channels structures are allocated at connection time and aren't available when the configuration is parsed. The server config parser now tracks PermitOpen itself and explicitly configures the channels code later. ok markus@ Upstream-ID: 11828f161656b965cc306576422613614bea2d8f
2017-06-24upstream commitdjm@openbsd.org
refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
2016-11-30upstream commitdjm@openbsd.org
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-08-23upstream commitdjm@openbsd.org
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23upstream commitnaddy@openbsd.org
Remove more SSH1 server code: * Drop sshd's -k option. * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword. * Remove some related vestiges of protocol 1 support. ok markus@ Upstream-ID: 9402f82886de917779db12f8ee3f03d4decc244d
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-05-22upstream commitdjm@openbsd.org
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-21upstream commitdjm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases feedback and ok markus@ Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-04-29upstream commitdtucker@openbsd.org
Allow ListenAddress, Port and AddressFamily in any order. bz#68, ok djm@, jmc@ (for the man page bit).
2015-01-13upstream commitdjm@openbsd.org
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
2014-12-22upstream commitdjm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-07-18 - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-04 - djm@cvs.openbsd.org 2014/07/03 22:40:43Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config.5] Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160; ok markus@
2014-02-04 - djm@cvs.openbsd.org 2014/01/29 06:18:35Damien Miller
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] remove experimental, never-enabled JPAKE code; ok markus@
2013-12-05 - djm@cvs.openbsd.org 2013/12/05 01:16:41Damien Miller
[servconf.c servconf.h] bz#2161 - fix AuthorizedKeysCommand inside a Match block and rearrange things so the same error is harder to make next time; with and ok dtucker@
2013-10-30 - djm@cvs.openbsd.org 2013/10/29 09:48:02Damien Miller
[servconf.c servconf.h session.c sshd_config sshd_config.5] shd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
2013-07-20 - markus@cvs.openbsd.org 2013/07/19 07:37:48Damien Miller
[auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] [servconf.h session.c sshd.c sshd_config.5] add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
2013-05-16 - dtucker@cvs.openbsd.org 2013/05/16 04:09:14Darren Tucker
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 05:49:36Damien Miller
[servconf.h] add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:46:11Damien Miller
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@
2012-11-04 - djm@cvs.openbsd.org 2012/11/04 11:09:15Damien Miller
[auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
2012-10-31 - djm@cvs.openbsd.org 2012/10/30 21:29:55Damien Miller
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
2012-07-31 - djm@cvs.openbsd.org 2012/07/10 02:19:15Damien Miller
[servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.
2012-06-20 - markus@cvs.openbsd.org 2012/06/19 18:25:28Damien Miller
[servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March)
2012-05-19- (dtucker) OpenBSD CVS SyncDarren Tucker
- dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
2012-04-22 - djm@cvs.openbsd.org 2012/04/12 02:42:32Damien Miller
[servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
2011-05-29OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
2011-05-20 - djm@cvs.openbsd.org 2011/05/20 03:25:45Damien Miller
[monitor.c monitor_wrap.c servconf.c servconf.h] use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@
2011-05-15 - djm@cvs.openbsd.org 2011/05/11 04:47:06Damien Miller
[auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
2010-11-20 - djm@cvs.openbsd.org 2010/11/13 23:27:51Damien Miller
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-09-24 - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
2010-05-10 - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-01-13 - djm@cvs.openbsd.org 2010/01/13 03:48:13Darren Tucker
[servconf.c servconf.h sshd.c] avoid run-time failures when specifying hostkeys via a relative path by prepending the cwd in these cases; bz#1290; ok dtucker@
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@