summaryrefslogtreecommitdiff
path: root/ssh.1
AgeCommit message (Collapse)Author
2017-10-04ssh(1): Refer to ssh-argv0(1)Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2017-10-04Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2017-10-04Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2017-10-04 Patch-Name: user-group-modes.patch
2017-09-22upstream commitmarkus@openbsd.org
Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH clients side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@ Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-06-10upstream commitdjm@openbsd.org
in description of public key authentication, mention that the server will send debug messages to the client for some error conditions after authentication has completed. bz#2709 ok dtucker Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
2017-05-31upstream commitbluhm@openbsd.org
Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-08upstream commitnaddy@openbsd.org
remove superfluous protocol 2 mentions; ok jmc@ Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08upstream commitnaddy@openbsd.org
restore mistakenly deleted description of the ConnectionAttempts option ok markus@ Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
2017-05-08upstream commitjmc@openbsd.org
more protocol 1 stuff to go; ok djm Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08upstream commitjmc@openbsd.org
remove now obsolete protocol1 options from the -o lists; Upstream-ID: 828e478a440bc5f9947672c392420510a362b3dd
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2016-07-17upstream commitjmc@openbsd.org
- add proxyjump to the options list - formatting fixes - update usage() ok djm Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-15upstream commitdjm@openbsd.org
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-07-08upstream commitjmc@openbsd.org
sort the -o list; Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
2016-06-08upstream commitjmc@openbsd.org
tweak previous; Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
2016-06-08upstream commitdtucker@openbsd.org
Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using ssh -W (but still default to yes in that case). bz#2577, ok djm@. Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
2016-05-05upstream commitmarkus@openbsd.org
IdentityAgent for specifying specific agent sockets; ok djm@ Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-04-15upstream commitdjm@openbsd.org
Include directive for ssh_config(5); feedback & ok markus@ Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-02-18upstream commitjmc@openbsd.org
since these pages now clearly tell folks to avoid v1, normalise the docs from a v2 perspective (i.e. stop pointing out which bits are v2 only); ok/tweaks djm ok markus Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-17upstream commitjmc@openbsd.org
no need to state that protocol 2 is the default twice; Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
2016-02-17upstream commitdjm@openbsd.org
Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in ssh(1) with a strong recommendation not to use protocol 1. Add a similar warning to the Protocol option descriptions in ssh_config(5) and sshd_config(5); prompted by and ok mmcc@ Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2015-11-16upstream commitjcs@openbsd.org
Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). Initial version from Joachim Schipper many years ago. ok markus@ Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
2015-11-09upstream commitmmcc@openbsd.org
1. rlogin and rsh are long gone 2. protocol version isn't of core relevance here, and v1 is going away ok markus@, deraadt@ Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
2015-10-06upstream commitjmc@openbsd.org
some certificatefile tweaks; ok djm Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
2015-10-06upstream commitdjm@openbsd.org
add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
2015-09-16upstream commitdjm@openbsd.org
mention -Q key-plain and -Q key-cert; bz#2455 pointed out by Jakub Jelen Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
2015-07-21upstream commitmillert@openbsd.org
Move .Pp before .Bl, not after to quiet mandoc -Tlint. Noticed by jmc@ Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
2015-07-21upstream commitmillert@openbsd.org
Better desciption of Unix domain socket forwarding. bz#2423; ok jmc@ Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-05-22upstream commitdjm@openbsd.org
mention ssh-keygen -E for comparing legacy MD5 fingerprints; bz#2332 Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
2015-05-08upstream commitdtucker@openbsd.org
Clarify pseudo-terminal request behaviour and use "pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
2015-03-04upstream commitdjm@openbsd.org
Allow "ssh -Q protocol-version" to list supported SSH protocol versions. Useful for detecting builds without SSH v.1 support; idea and ok markus@
2015-01-30upstream commitdjm@openbsd.org
Add a ssh_config HostbasedKeyType option to control which host public key types are tried during hostbased authentication. This may be used to prevent too many keys being sent to the server, and blowing past its MaxAuthTries limit. bz#2211 based on patch by Iain Morgan; ok markus@
2015-01-27upstream commitdjm@openbsd.org
correct description of UpdateHostKeys in ssh_config.5 and add it to -o lists for ssh, scp and sftp; pointed out by jmc@
2015-01-09upstream commitjmc@openbsd.org
add fingerprinthash to the options list;
2014-12-22upstream commitdjm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-10-20upstream commitjmc@openbsd.org
tweak previous;
2014-10-13upstream commitdjm@openbsd.org
Tweak config reparsing with host canonicalisation Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T" Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus
2014-10-13upstream commitsobrado@openbsd.org
improve capitalization for the Ed25519 public-key signature system. ok djm@
2014-07-30 - OpenBSD CVS SyncDamien Miller
- millert@cvs.openbsd.org 2014/07/24 22:57:10 [ssh.1] Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
2014-07-18 - jmc@cvs.openbsd.org 2014/07/16 14:48:57Damien Miller
[ssh.1] add the streamlocal* options to ssh's -o list; millert says they're irrelevant for scp/sftp; ok markus millert
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 05:38:17Damien Miller
[ssh.1] document that -g will only work in the multiplexed case if applied to the mux master
2014-04-20 - tedu@cvs.openbsd.org 2014/04/19 18:42:19Damien Miller
[ssh.1] delete .xr to hosts.equiv. there's still an unfortunate amount of documentation referring to rhosts equivalency in here.
2014-04-20 - tedu@cvs.openbsd.org 2014/03/17 19:44:10Damien Miller
[ssh.1] old descriptions of des and blowfish are old. maybe ok deraadt
2013-12-18 - naddy@cvs.openbsd.org 2013/12/07 11:58:46Damien Miller
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] [ssh_config.5 sshd.8 sshd_config.5] add missing mentions of ed25519; ok djm@
2013-12-05 - jmc@cvs.openbsd.org 2013/11/26 12:14:54Damien Miller
[ssh.1 ssh.c] - put -Q in the right place - Ar was a poor choice for the arguments to -Q. i've chosen an admittedly equally poor Cm, at least consistent with the rest of the docs. also no need for multiple instances - zap a now redundant Nm - usage() sync
2013-12-05 - deraadt@cvs.openbsd.org 2013/11/25 18:04:21Damien Miller
[ssh.1 ssh.c] improve -Q usage and such. One usage change is that the option is now case-sensitive ok dtucker markus djm
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 00:45:44Damien Miller
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:49:39Damien Miller
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 02:31:47Damien Miller
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@