path: root/ssh.1
2007-12-24  Colin Watson
* New upstream release (closes: #453367).
  - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738).
  - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged.
  - The SSH channel window size has been increased, and both ssh(1) and sshd(8) now send window updates more aggressively. This improves performance on high-BDP (Bandwidth Delay Product) networks.
  - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5.
  - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5.
  - Failure to establish an ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set.
  - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status.
  - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work.
  - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
  - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error".
  - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated.
  - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms.
  - Improve documentation for ssh-add(1)'s -d option.
  - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client.
  - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established.
  - In scp(1), do not truncate non-regular files.
  - Improve exit message from ControlMaster clients.
  - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541).
  - pam_end() was not being called if authentication failed (closes: #405041).
  - Manual page datestamps updated (closes: #433181).
2007-06-13  Colin Watson
* Clarify that 'ssh -q -q' still prints errors caused by bad arguments (i.e. before the logging system is initialised).
2007-06-12  Colin Watson
* New upstream release (closes: #395507, #397961, #420035). Important changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-13  Darren Tucker
- jmc@cvs.openbsd.org 2007/06/12 13:43:55
  [ssh.1] add -K to SYNOPSIS;
2007-06-12  Darren Tucker
- djm@cvs.openbsd.org 2007/06/12 11:15:17
  [ssh.c ssh.1] Add "-K" flag for ssh to set GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) and is useful for hosts with /home on Kerberised NFS; bz #1312 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
2007-06-11  Damien Miller
- pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
  [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05  Darren Tucker
- jmc@cvs.openbsd.org 2007/05/31 19:20:16
  [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-01-05  Damien Miller
- markus@cvs.openbsd.org 2006/12/11 21:25:46
  [ssh-keygen.1 ssh.1] add rfc 4716 (public key format); ok jmc
2006-12-06  Colin Watson
* Add ssh -K option, the converse of -k, to enable GSSAPI credential delegation (closes: #401483).
2006-11-05  Damien Miller
- (djm) OpenBSD CVS Sync
  - otto@cvs.openbsd.org 2006/10/28 18:08:10
    [ssh.1] correct/expand example of usage of -w; ok jmc@ stevesk@
2006-10-18  Darren Tucker
- ray@cvs.openbsd.org 2006/09/25 04:55:38
  [ssh-keyscan.1 ssh.1] Change "a SSH" to "an SSH". Hurray, I'm not the only one who pronounces "SSH" as "ess-ess-aich". OK jmc@ and stevesk@.
2006-07-12  Darren Tucker
- markus@cvs.openbsd.org 2006/07/11 18:50:48
  [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c channels.h readconf.c] add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc
2006-07-10  Damien Miller
- stevesk@cvs.openbsd.org 2006/07/02 23:01:55
  [clientloop.c ssh.1] use -KR[bind_address:]port here; ok djm@
2006-07-10  Damien Miller
- stevesk@cvs.openbsd.org 2006/07/02 17:12:58
  [ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@
2006-06-13  Damien Miller
- jmc@cvs.openbsd.org 2006/05/29 16:13:23
  [ssh.1] add GSSAPI to the list of authentication methods supported;
2006-05-12  Colin Watson
Merge 4.3p2 to the trunk.
2006-03-26  Damien Miller
- jakob@cvs.openbsd.org 2006/03/22 21:16:24
  [ssh.1] simplify SSHFP example; ok jmc@
2006-03-25  Damien Miller
- djm@cvs.openbsd.org 2006/03/16 04:24:42
  [ssh.1] Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs that OpenSSH supports
2006-03-15  Damien Miller
- jmc@cvs.openbsd.org 2006/02/24 20:31:31
  [ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes;
2006-03-15  Damien Miller
- jmc@cvs.openbsd.org 2006/02/15 16:53:20
  [ssh.1] remove the IETF draft references and replace them with some updated RFCs;
2006-03-15  Damien Miller
- jmc@cvs.openbsd.org 2006/02/06 21:44:47
  [ssh.1] make this a little less ambiguous...
2006-03-15  Damien Miller
- msf@cvs.openbsd.org 2006/02/06 15:54:07
  [ssh.1] - typo fix ok jmc@
2006-01-31  Damien Miller
- jmc@cvs.openbsd.org 2006/01/30 13:37:49
  [ssh.1] remove an incorrect sentence; reported by roumen petrov; ok djm markus
2006-01-31  Damien Miller
- jmc@cvs.openbsd.org 2006/01/26 08:47:56
  [ssh.1] add a section on verifying host keys in dns; written with a lot of help from jakob; feedback dtucker/markus; ok markus
2006-01-20  Darren Tucker
- dtucker@cvs.openbsd.org 2006/01/20 00:14:55
  [scp.1 ssh.1 ssh_config.5 sftp.1] Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
2006-01-20  Darren Tucker
- jmc@cvs.openbsd.org 2006/01/18 10:53:29
  [ssh.1] add a section on ssh-based vpn, based on reyk's README.tun;
2006-01-20  Darren Tucker
- jmc@cvs.openbsd.org 2006/01/15 17:37:05
  [ssh.1] correction from deraadt
2006-01-14  Damien Miller
- jmc@cvs.openbsd.org 2006/01/12 22:34:12
  [ssh.1] back out a sentence - AUTHENTICATION already documents this;
2006-01-14  Damien Miller
- jmc@cvs.openbsd.org 2006/01/12 18:48:48
  [ssh.1] refer to `TCP' rather than `TCP/IP' in the context of connection forwarding; ok markus
2006-01-14  Damien Miller
- jmc@cvs.openbsd.org 2006/01/12 14:44:12
  [ssh.1] split sections on tcp and x11 forwarding into two sections. add an example in the tcp section, based on sth i wrote for ssh faq; help + ok: djm markus dtucker
2006-01-14  Damien Miller
- jmc@cvs.openbsd.org 2006/01/06 13:29:10
  [ssh.1] final round of whacking FILES for duplicate info, and some consistency fixes; ok djm
2006-01-14  Damien Miller
- (djm) OpenBSD CVS Sync
  - jmc@cvs.openbsd.org 2006/01/06 13:27:32
    [ssh.1] weed out some duplicate info in the known_hosts FILES entries; ok djm
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/04 19:50:09
  [ssh.1] -.Xr gzip 1 ,
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/04 19:40:24
  [ssh.1] +.Xr ssh-keyscan 1 ,
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/04 18:45:01
  [ssh.1] remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/04 18:42:46
  [ssh.1] chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES entries; ok markus
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/03 16:55:18
  [ssh.1] tweak the description of ~/.ssh/environment
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/03 16:52:36
  [ssh.1] put FILES in some sort of order: sort by pathname
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/03 16:35:30
  [ssh.1] use a larger width for the ENVIRONMENT list;
2006-01-06  Damien Miller
- jmc@cvs.openbsd.org 2006/01/03 16:31:10
  [ssh.1] move FILES to a -compact list, and make each file an item in that list. this avoids nasty line wrap when we have long pathnames, and treats each file as a separate item; remove the .Pa too, since it is useless.
2006-01-02  Damien Miller
- jmc@cvs.openbsd.org 2006/01/02 12:31:06
  [ssh.1] start to cut some duplicate info from FILES; help/ok djm
2006-01-02  Damien Miller
- jmc@cvs.openbsd.org 2005/12/31 13:45:19
  [ssh.1] .Nm does not require an argument;
2006-01-02  Damien Miller
- jmc@cvs.openbsd.org 2005/12/31 13:44:04
  [ssh.1] clean up ENVIRONMENT a little;
2006-01-02  Damien Miller
- (djm) OpenBSD CVS Sync
  - jmc@cvs.openbsd.org 2005/12/31 10:46:17
    [ssh.1] merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER AUTHENTICATION" sections into "AUTHENTICATION"; some rewording done to make the text read better, plus some improvements from djm; ok djm
2005-12-31  Damien Miller
- stevesk@cvs.openbsd.org 2005/12/31 01:38:45
  [ssh.1] document -MM; ok djm@
2005-12-24  Damien Miller
- jmc@cvs.openbsd.org 2005/12/23 23:46:23
  [ssh.1] less mark up for -c;
2005-12-24  Damien Miller
- jmc@cvs.openbsd.org 2005/12/23 14:55:53
  [ssh.1]
  - sync the description of -e w/ synopsis
  - simplify the description of -I
  - note that -I is only available if support compiled in, and that it isn't by default
  feedback/ok djm@
2005-12-24  Damien Miller
- jmc@cvs.openbsd.org 2005/12/22 11:23:42
  [ssh.1] expand the description of -w somewhat; help/ok reyk
2005-12-24  Damien Miller
- stevesk@cvs.openbsd.org 2005/12/21 22:44:26
  [sshd.8] clarify precedence of -p, Port, ListenAddress; ok and help jmc@
2005-12-24  Damien Miller
- jmc@cvs.openbsd.org 2005/12/21 11:57:25
  [ssh.1] options now described `above', rather than `later';