path: root/ssh.1
Age | Commit message | Author
2020-02-21 | Various Debian-specific configuration changes | Colin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-19
Patch-Name: debian-config.patch
2020-02-21 | ssh(1): Refer to ssh-argv0(1) | Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
2020-02-21 | Adjust various OpenBSD-specific references in manual pages | Colin Watson
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: openbsd-docs.patch
2020-02-21 | Allow harmless group-writability | Colin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09
Patch-Name: user-group-modes.patch
2020-02-21 | GSSAPI key exchange support | Simon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."
However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2020-02-21
Patch-Name: gssapi.patch
2020-02-07 | upstream: Add ssh -Q key-sig for all key and signature types. | dtucker@openbsd.org
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the corresponding query. Man page help jmc@, ok djm@.
OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2019-12-30 | upstream: Replace the term "security key" with "(FIDO) | naddy@openbsd.org
authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@
OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-11 | upstream: tweak the Nd lines for a bit of consistency; ok markus | jmc@openbsd.org
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-11-29 | upstream: improve the text for -A a little; input from naddy and | jmc@openbsd.org
djm
OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-20 | upstream: more missing mentions of ed25519-sk; ok djm@ | naddy@openbsd.org
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-15 | upstream: directly support U2F/FIDO2 security keys in OpenSSH by | djm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-08 | upstream: Fill in missing man page bits for U2F security key support: | naddy@openbsd.org
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@
OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-06-14 | upstream: Hostname->HostName cleanup; from lauri tirkkonen ok | jmc@openbsd.org
dtucker
OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-03-26 | upstream: benno helped me clean up the tcp forwarding section; | jmc@openbsd.org
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
2019-03-08 | upstream: PKCS#11 support is no longer limited to RSA; ok benno@ | naddy@openbsd.org
kn@
OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-01-22 | upstream: Mention that configuration for the destination host is | djm@openbsd.org
not applied to any ProxyJump/-J hosts. This has confused a few people...
OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
2018-09-21 | upstream: reorder CASignatureAlgorithms, and add them to the | jmc@openbsd.org
various -o lists; ok djm
OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-12 | upstream: Add "ssh -Q sig" to allow listing supported signature | djm@openbsd.org
algorithms ok markus@
OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b
2018-09-09 | upstream: ssh -MM requires confirmation for all operations that | djm@openbsd.org
change the multiplexing state, not just new sessions. mention that confirmation is checked via ssh-askpass
OpenBSD-Commit-ID: 0f1b45551ebb9cc5c9a4fe54ad3b23ce90f1f5c2
2018-07-19 | upstream: Deprecate UsePrivilegedPort now that support for running | dtucker@openbsd.org
ssh(1) setuid has been removed, remove supporting code and clean up references to it in the man pages. We have not shipped ssh(1) with the setuid bit since 2002. If anyone really needs to make connections from a low port number this can be implemented via a small setuid ProxyCommand. ok markus@ jmc@ djm@
OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-06-11 | upstream: sort previous; | jmc@openbsd.org
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-09 | upstream: add a SetEnv directive to ssh_config that allows setting | djm@openbsd.org
environment variables for the remote session (subject to the server accepting them). refactor SendEnv to remove the arbitrary limit of variable names. ok markus@
OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-05-22 | upstream: Emphasise that -w implicitly sets Tunnel=point-to-point | djm@openbsd.org
and that users should specify an explicit Tunnel directive if they don't want this. bz#2365.
OpenBSD-Commit-ID: 1a8d9c67ae213ead180481900dbbb3e04864560d
2018-04-06 | upstream: ssh does not accept -oInclude=... on the commandline, the | djm@openbsd.org
Include keyword is for configuration files only. bz#2840, patch from Jakub Jelen
OpenBSD-Commit-ID: 32d052b4a7a7f22df35fe3f71c368c02b02cacb0
2018-02-26 | upstream: some cleanup for BindInterface and ssh-keyscan; | jmc@openbsd.org
OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
2018-02-23 | upstream: Add BindInterface ssh_config directive and -B | djm@openbsd.org
command-line argument to ssh(1) that directs it to bind its outgoing connection to the address of the specified network interface. BindInterface prefers to use addresses that aren't loopback or link-local, but will fall back to those if no other addresses of the required family are available on that interface. Based on patch by Mike Manning in bz#2820, ok dtucker@
OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
2017-11-03 | upstream commit | djm@openbsd.org@openbsd.org
Private keys in PEM format have been encrypted by AES-128 for a while (not 3DES). bz#2788 reported by Calum Mackay
OpenBSD-Commit-ID: bd33da7acbbb3c882f0a0ee56007a35ce0d8a11a
2017-10-31 | upstream commit | jmc@openbsd.org@openbsd.org
tweak the uri text, specifically removing some markup to make it a bit more readable; issue reported by - and diff ok - millert
OpenBSD-Commit-ID: 8b56a20208040b2d0633536fd926e992de37ef3f
2017-10-23 | upstream commit | djm@openbsd.org
Expose devices allocated for tun/tap forwarding. At the client, the device may be obtained from a new %T expansion for LocalCommand. At the server, the allocated devices will be listed in a SSH_TUNNEL variable exposed to the environment of any user sessions started after the tunnel forwarding was established. ok markus
Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
2017-10-23 | upstream commit | millert@openbsd.org
Add URI support to ssh, sftp and scp. For example ssh://user@host or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@
Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
2017-10-20 | upstream commit | djm@openbsd.org
mention SSH_USER_AUTH in the list of environment variables
Upstream-ID: 1083397c3ee54b4933121ab058c70a0fc6383691
2017-09-22 | upstream commit | markus@openbsd.org
Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH client's side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@
Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-06-10 | upstream commit | djm@openbsd.org
in description of public key authentication, mention that the server will send debug messages to the client for some error conditions after authentication has completed. bz#2709 ok dtucker
Upstream-ID: 750127dbd58c5a2672c2d28bc35fe221fcc8d1dd
2017-05-31 | upstream commit | bluhm@openbsd.org
Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows automating tasks using ssh config. OK markus@
Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
2017-05-08 | upstream commit | naddy@openbsd.org
remove superfluous protocol 2 mentions; ok jmc@
Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08 | upstream commit | naddy@openbsd.org
restore mistakenly deleted description of the ConnectionAttempts option ok markus@
Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
2017-05-08 | upstream commit | jmc@openbsd.org
more protocol 1 stuff to go; ok djm
Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08 | upstream commit | jmc@openbsd.org
remove now obsolete protocol1 options from the -o lists;
Upstream-ID: 828e478a440bc5f9947672c392420510a362b3dd
2017-05-01 | upstream commit | djm@openbsd.org
remove SSHv1 configuration options and man pages bits ok markus@
Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
2016-07-17 | upstream commit | jmc@openbsd.org
- add proxyjump to the options list
- formatting fixes
- update usage()
ok djm
Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-15 | upstream commit | djm@openbsd.org
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-07-08 | upstream commit | jmc@openbsd.org
sort the -o list;
Upstream-ID: 1a97465ede8790b4d47cb618269978e07f41f8ac
2016-06-08 | upstream commit | jmc@openbsd.org
tweak previous;
Upstream-ID: 92979f1a0b63e041a0e5b08c9ed0ba9b683a3698
2016-06-08 | upstream commit | dtucker@openbsd.org
Allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using ssh -W (but still default to yes in that case). bz#2577, ok djm@.
Upstream-ID: 4b20c419e93ca11a861c81c284090cfabc8c54d4
2016-05-05 | upstream commit | markus@openbsd.org
IdentityAgent for specifying specific agent sockets; ok djm@
Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1
2016-04-15 | upstream commit | djm@openbsd.org
Include directive for ssh_config(5); feedback & ok markus@
Upstream-ID: ae3b76e2e343322b9f74acde6f1e1c5f027d5fff
2016-02-18 | upstream commit | jmc@openbsd.org
since these pages now clearly tell folks to avoid v1, normalise the docs from a v2 perspective (i.e. stop pointing out which bits are v2 only); ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-17 | upstream commit | jmc@openbsd.org
no need to state that protocol 2 is the default twice;
Upstream-ID: b1e4c36b0c2e12e338e5b66e2978f2ac953b95eb
2016-02-17 | upstream commit | djm@openbsd.org
Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in ssh(1) with a strong recommendation not to use protocol 1. Add a similar warning to the Protocol option descriptions in ssh_config(5) and sshd_config(5); prompted by and ok mmcc@
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2015-11-16 | upstream commit | jcs@openbsd.org
Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). Initial version from Joachim Schipper many years ago. ok markus@
Upstream-ID: a680db2248e8064ec55f8be72d539458c987d5f4