Age | Commit message (Collapse) | Author |
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|
|
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: openbsd-docs.patch
|
|
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2017-10-04
Patch-Name: user-group-modes.patch
|
|
Add 'reverse' dynamic forwarding which combines dynamic
forwarding (-D) with remote forwarding (-R) where the remote-forwarded port
expects SOCKS-requests.
The SSH server code is unchanged and the parsing happens at the SSH
clients side. Thus the full SOCKS-request is sent over the forwarded
channel and the client parses c->output. Parsing happens in
channel_before_prepare_select(), _before_ the select bitmask is
computed in the pre[] handlers, but after network input processing
in the post[] handlers.
help and ok djm@
Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
|
|
in description of public key authentication, mention that
the server will send debug messages to the client for some error conditions
after authentication has completed. bz#2709 ok dtucker
Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
|
|
Add RemoteCommand option to specify a command in the
ssh config file instead of giving it on the client's command line. This
command will be executed on the remote host. The feature allows to automate
tasks using ssh config. OK markus@
Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
|
|
remove superfluous protocol 2 mentions; ok jmc@
Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
|
|
restore mistakenly deleted description of the
ConnectionAttempts option ok markus@
Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
|
|
more protocol 1 stuff to go; ok djm
Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
|
|
remove now obsolete protocol1 options from the -o
lists;
Upstream-ID: 828e478a440bc5f9947672c392420510a362b3dd
|
|
remove SSHv1 configuration options and man pages bits
ok markus@
Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
|
|
- add proxyjump to the options list - formatting fixes -
update usage()
ok djm
Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
|
|
Add a ProxyJump ssh_config(5) option and corresponding -J
ssh(1) command-line flag to allow simplified indirection through a SSH
bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
|
|
sort the -o list;
Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
|
|
tweak previous;
Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
|
|
Allow ExitOnForwardFailure and ClearAllForwardings to be
overridden when using ssh -W (but still default to yes in that case).
bz#2577, ok djm@.
Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
|
|
IdentityAgent for specifying specific agent sockets; ok
djm@
Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
|
|
Include directive for ssh_config(5); feedback & ok markus@
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
|
|
since these pages now clearly tell folks to avoid v1,
normalise the docs from a v2 perspective (i.e. stop pointing out which bits
are v2 only);
ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
|
|
no need to state that protocol 2 is the default twice;
Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
|
|
Replace list of ciphers and MACs adjacent to -1/-2 flag
descriptions in ssh(1) with a strong recommendation not to use protocol 1.
Add a similar warning to the Protocol option descriptions in ssh_config(5)
and sshd_config(5);
prompted by and ok mmcc@
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
|
|
Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a
private key that is used during authentication will be added to ssh-agent if
it is running (with confirmation enabled if set to 'confirm').
Initial version from Joachim Schipper many years ago.
ok markus@
Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4
|
|
1. rlogin and rsh are long gone 2. protocol version isn't
of core relevance here, and v1 is going away
ok markus@, deraadt@
Upstream-ID: 8b46bc94cf1ca7c8c1a75b1c958b2bb38d7579c8
|
|
some certificatefile tweaks; ok djm
Upstream-ID: 0e5a7852c28c05fc193419cc7e50e64c1c535af0
|
|
add ssh_config CertificateFile option to explicitly list
a certificate; patch from Meghana Bhat on bz#2436; ok markus@
Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
|
|
mention -Q key-plain and -Q key-cert; bz#2455 pointed out
by Jakub Jelen
Upstream-ID: c8f1f8169332e4fa73ac96b0043e3b84e01d4896
|
|
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
Noticed by jmc@
Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
|
|
Better desciption of Unix domain socket forwarding.
bz#2423; ok jmc@
Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
mention ssh-keygen -E for comparing legacy MD5
fingerprints; bz#2332
Upstream-ID: 079a3669549041dbf10dbc072d9563f0dc3b2859
|
|
Clarify pseudo-terminal request behaviour and use
"pseudo-terminal" consistently. bz#1716, ok jmc@ "I like it" deraadt@.
|
|
Allow "ssh -Q protocol-version" to list supported SSH
protocol versions. Useful for detecting builds without SSH v.1 support; idea
and ok markus@
|
|
Add a ssh_config HostbasedKeyType option to control which
host public key types are tried during hostbased authentication.
This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.
bz#2211 based on patch by Iain Morgan; ok markus@
|
|
correct description of UpdateHostKeys in ssh_config.5 and
add it to -o lists for ssh, scp and sftp; pointed out by jmc@
|
|
add fingerprinthash to the options list;
|
|
Add FingerprintHash option to control algorithm used for
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
base64.
Feedback and ok naddy@ markus@
|
|
tweak previous;
|
|
Tweak config reparsing with host canonicalisation
Make the second pass through the config files always run when
hostname canonicalisation is enabled.
Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.
Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"
Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).
bz#2267 bz#2286; ok markus
|
|
improve capitalization for the Ed25519 public-key
signature system.
ok djm@
|
|
- millert@cvs.openbsd.org 2014/07/24 22:57:10
[ssh.1]
Mention UNIX-domain socket forwarding too. OK jmc@ deraadt@
|
|
[ssh.1]
add the streamlocal* options to ssh's -o list; millert says they're
irrelevant for scp/sftp;
ok markus millert
|
|
[ssh.1]
document that -g will only work in the multiplexed case if applied to
the mux master
|
|
[ssh.1]
delete .xr to hosts.equiv. there's still an unfortunate amount of
documentation referring to rhosts equivalency in here.
|
|
[ssh.1]
old descriptions of des and blowfish are old. maybe ok deraadt
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
add missing mentions of ed25519; ok djm@
|
|
[ssh.1 ssh.c]
- put -Q in the right place
- Ar was a poor choice for the arguments to -Q. i've chosen an
admittedly equally poor Cm, at least consistent with the rest
of the docs. also no need for multiple instances
- zap a now redundant Nm
- usage() sync
|
|
[ssh.1 ssh.c]
improve -Q usage and such. One usage change is that the option is now
case-sensitive
ok dtucker markus djm
|
|
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
|
|
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
s/canonicalise/canonicalize/ for consistency with existing spelling,
e.g. authorized_keys; pointed out by naddy@
|
|
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
[sshconnect.c sshconnect.h]
Implement client-side hostname canonicalisation to allow an explicit
search path of domain suffixes to use to convert unqualified host names
to fully-qualified ones for host key matching.
This is particularly useful for host certificates, which would otherwise
need to list unqualified names alongside fully-qualified ones (and this
causes a number of problems).
"looks fine" markus@
|