summaryrefslogtreecommitdiff
path: root/ssh.1
AgeCommit message (Collapse)Author
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 10:28:21Damien Miller
[ssh-add.1 ssh.1 ssh_config.5] mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 08:31:20Damien Miller
[ssh.1] document certificate authentication; help/ok djm
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 06:50:35Damien Miller
[ssh.1 sshd.8] tweak previous;
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:19:29Damien Miller
[ssh.1 sshd.8] move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 12:51:25Damien Miller
[ssh.1 sshd_config.5] tweak previous;
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-03-03 - jmc@cvs.openbsd.org 2010/02/26 22:09:28Damien Miller
[ssh-keygen.1 ssh.1 sshd.8] tweak previous;
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-12 - jmc@cvs.openbsd.org 2010/02/11 13:23:29Damien Miller
[ssh.1] libarary -> library;
2010-02-12 - markus@cvs.openbsd.org 2010/02/10 23:20:38Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 - jmc@cvs.openbsd.org 2010/02/08 22:03:05Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] tweak previous; ok markus
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-01-12 - dtucker@cvs.openbsd.org 2010/01/11 01:39:46Darren Tucker
[ssh_config channels.c ssh.1 channels.h ssh.c] Add a 'netcat mode' (ssh -W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz #1618, man page help from jmc@, ok markus@
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41Darren Tucker
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2009-10-24 - sobrado@cvs.openbsd.org 2009/10/22 15:02:12Darren Tucker
[ssh-agent.1 ssh-add.1 ssh.1] write UNIX-domain in a more consistent way; while here, replace a few remaining ".Tn UNIX" macros with ".Ux" ones. pointed out by ratchov@, thanks! ok jmc@
2009-10-24 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53Darren Tucker
[ssh.1 ssh-agent.1 ssh-add.1] use the UNIX-related macros (.At and .Ux) where appropriate. ok jmc@
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12Darren Tucker
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-06-21 - jmc@cvs.openbsd.org 2009/03/19 15:15:09Darren Tucker
[ssh.1] for "Ciphers", just point the reader to the keyword in ssh_config(5), just as we do for "MACs": this stops us getting out of sync when the lists change; fixes documentation/6102, submitted by Peter J. Philipp alternative fix proposed by djm ok markus
2009-02-14 - djm@cvs.openbsd.org 2009/02/12 03:44:25Damien Miller
[ssh.1] consistency: Dq => Ql
2009-02-14 - djm@cvs.openbsd.org 2009/02/12 03:42:09Damien Miller
[ssh.1] document -R0:... usage
2008-11-11 - tobias@cvs.openbsd.org 2008/11/09 12:34:47Darren Tucker
[session.c ssh.1] typo fixed (overriden -> overridden) ok espie, jmc
2008-11-05 - stevesk@cvs.openbsd.org 2008/11/05 03:23:09Damien Miller
[clientloop.c ssh.1] add dynamic forward escape command line; ok djm@
2008-11-03 - djm@cvs.openbsd.org 2008/10/08 23:34:03Damien Miller
[ssh.1 ssh.c] Add -y option to force logging via syslog rather than stderr. Useful for daemonised ssh connection (ssh -f). Patch originally from and ok'd by markus@
2008-07-04 - djm@cvs.openbsd.org 2008/07/02 13:47:39Darren Tucker
[ssh.1 ssh.c] When forking after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f (similar to bz#92); ok dtucker@
2008-06-30 - jmc@cvs.openbsd.org 2008/06/26 21:11:46Damien Miller
[ssh.1] add VisualHostKey to the list of options listed in -o;
2008-06-30 - grunk@cvs.openbsd.org 2008/06/26 11:46:31Damien Miller
[readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] Move SSH Fingerprint Visualization away from sharing the config option CheckHostIP to an own config option named VisualHostKey. While there, fix the behaviour that ssh would draw a random art picture on every newly seen host even when the option was not enabled. prodded by deraadt@, discussions, help and ok markus@ djm@ dtucker@
2008-06-14 - grunk@cvs.openbsd.org 2008/06/13 20:13:26Darren Tucker
[ssh.1] Explain the use of SSH fpr visualization using random art, and cite the original scientific paper inspiring that technique. Much help with English and nroff by jmc@, thanks.
2008-03-27 - jmc@cvs.openbsd.org 2008/02/11 07:58:28Damien Miller
[ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c;
2008-02-10 - mcbride@cvs.openbsd.org 2008/02/09 12:15:43Damien Miller
[ssh.1 sshd.8] Document the correct permissions for the ~/.ssh/ directory. ok jmc
2008-02-10 - djm@cvs.openbsd.org 2008/01/19 19:13:28Damien Miller
[ssh.1] satisfy the pedants: -q does not suppress all diagnostic messages (e.g. some commandline parsing warnings go unconditionally to stdout).
2007-06-13 - jmc@cvs.openbsd.org 2007/06/12 13:43:55Darren Tucker
[ssh.1] add -K to SYNOPSIS;
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 11:15:17Darren Tucker
[ssh.c ssh.1] Add "-K" flag for ssh to set GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) and is useful for hosts with /home on Kerberised NFS; bz #1312 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-01-05 - markus@cvs.openbsd.org 2006/12/11 21:25:46Damien Miller
[ssh-keygen.1 ssh.1] add rfc 4716 (public key format); ok jmc
2006-11-05 - (djm) OpenBSD CVS SyncDamien Miller
- otto@cvs.openbsd.org 2006/10/28 18:08:10 [ssh.1] correct/expand example of usage of -w; ok jmc@ stevesk@
2006-10-18 - ray@cvs.openbsd.org 2006/09/25 04:55:38Darren Tucker
[ssh-keyscan.1 ssh.1] Change "a SSH" to "an SSH". Hurray, I'm not the only one who pronounces "SSH" as "ess-ess-aich". OK jmc@ and stevesk@.
2006-07-12 - markus@cvs.openbsd.org 2006/07/11 18:50:48Darren Tucker
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c channels.h readconf.c] add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/02 23:01:55Damien Miller
[clientloop.c ssh.1] use -KR[bind_address:]port here; ok djm@
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58Damien Miller
[ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@
2006-06-13 - jmc@cvs.openbsd.org 2006/05/29 16:13:23Damien Miller
[ssh.1] add GSSAPI to the list of authentication methods supported;
2006-03-26 - jakob@cvs.openbsd.org 2006/03/22 21:16:24Damien Miller
[ssh.1] simplify SSHFP example; ok jmc@
2006-03-25 - djm@cvs.openbsd.org 2006/03/16 04:24:42Damien Miller
[ssh.1] Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs that OpenSSH supports
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 20:31:31Damien Miller
[ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/15 16:53:20Damien Miller
[ssh.1] remove the IETF draft references and replace them with some updated RFCs;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/06 21:44:47Damien Miller
[ssh.1] make this a little less ambiguous...
2006-03-15 - msf@cvs.openbsd.org 2006/02/06 15:54:07Damien Miller
[ssh.1] - typo fix ok jmc@
2006-01-31 - jmc@cvs.openbsd.org 2006/01/30 13:37:49Damien Miller
[ssh.1] remove an incorrect sentence; reported by roumen petrov; ok djm markus