summaryrefslogtreecommitdiff
path: root/ssh_config.5
AgeCommit message (Collapse)Author
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:37:01Damien Miller
[ssh.1 ssh_config.5 sshd.8] Remove mentions of weird "addr/port" alternate address format for IPv6 addresses combinations. It hasn't worked for ages and we have supported the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-03 - djm@cvs.openbsd.org 2010/07/19 09:15:12Damien Miller
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5] add a "ControlPersist" option that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com, apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
2010-07-16 - djm@cvs.openbsd.org 2010/07/12 22:41:13Damien Miller
[ssh.c ssh_config.5] expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames: Host *.* Hostname %h Host * Hostname %h.example.org "I like it" markus@
2010-07-02 - jmc@cvs.openbsd.org 2010/06/26 00:57:07Damien Miller
[ssh_config.5] tweak previous;
2010-06-26 - djm@cvs.openbsd.org 2010/06/25 23:10:30Damien Miller
[ssh.c] log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts; "nice!" markus@
2010-04-18 - OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2010/04/16 06:45:01 [ssh_config.5] tweak previous; ok djm
2010-04-16 - djm@cvs.openbsd.org 2010/04/14 22:27:42Damien Miller
[ssh_config.5 sshconnect.c] expand %r => remote username in ssh_config:ProxyCommand; ok deraadt markus
2010-04-16 - jmc@cvs.openbsd.org 2010/03/27 14:26:55Damien Miller
[ssh_config.5] tweak previous; ok dtucker
2010-03-26 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13Darren Tucker
[ssh_config.5] Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not. ok djm@
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 10:28:21Damien Miller
[ssh-add.1 ssh.1 ssh_config.5] mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@
2010-02-12 - markus@cvs.openbsd.org 2010/02/10 23:20:38Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-08 - jmc@cvs.openbsd.org 2009/12/29 18:03:32Darren Tucker
[sshd_config.5 ssh_config.5] sort previous;
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41Darren Tucker
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@
2010-01-08 - djm@cvs.openbsd.org 2009/11/10 02:56:22Darren Tucker
[ssh_config.5] explain the constraints on LocalCommand some more so people don't try to abuse it.
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12Darren Tucker
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:50:57Damien Miller
[ssh_config.5 sshd_config.5] don't advertise experimental options
2009-02-14 - jmc@cvs.openbsd.org 2009/02/12 07:34:20Damien Miller
[ssh_config.5] kill trailing whitespace;
2009-02-14 - djm@cvs.openbsd.org 2009/02/12 03:46:17Damien Miller
[ssh_config.5] document RemoteForward usage with 0 listen port
2009-01-28 - naddy@cvs.openbsd.org 2009/01/24 17:10:22Damien Miller
[ssh_config.5 sshd_config.5] sync list of preferred ciphers; ok djm@
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-11-03 - stevesk@cvs.openbsd.org 2008/10/17 18:36:24Damien Miller
[ssh_config.5] correct and clarify VisualHostKey; ok jmc@
2008-11-03 - stevesk@cvs.openbsd.org 2008/10/10 16:43:27Damien Miller
[ssh_config.5] use 'Privileged ports can be forwarded only when logging in as root on the remote machine.' for RemoteForward just like ssh.1 -R. ok djm@ jmc@
2008-11-03 - krw@cvs.openbsd.org 2008/08/02 04:29:51Damien Miller
[ssh_config.5] whitepsace -> whitespace. From Matthew Clarke via bugs@.
2008-06-30 - grunk@cvs.openbsd.org 2008/06/26 11:46:31Damien Miller
[readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] Move SSH Fingerprint Visualization away from sharing the config option CheckHostIP to an own config option named VisualHostKey. While there, fix the behaviour that ssh would draw a random art picture on every newly seen host even when the option was not enabled. prodded by deraadt@, discussions, help and ok markus@ djm@ dtucker@
2008-06-13 - jmc@cvs.openbsd.org 2008/06/12 19:10:09Darren Tucker
[ssh_config.5 ssh-keygen.1] tweak the ascii art text; ok grunk
2008-06-13 - dtucker@cvs.openbsd.org 2008/06/12 16:35:31Darren Tucker
[ssh_config.5 ssh.c] keyword expansion for localcommand. ok djm@
2008-06-13 - grunk@cvs.openbsd.org 2008/06/11 23:03:56Darren Tucker
[ssh_config.5] CheckHostIP set to ``fingerprint'' will display both hex and random art spotted by naddy@
2008-06-13 - grunk@cvs.openbsd.org 2008/06/11 21:01:35Darren Tucker
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c sshconnect.c] Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@
2008-06-11 - dtucker@cvs.openbsd.org 2008/06/10 18:21:24Darren Tucker
[ssh_config.5] clarify that Host patterns are space-separated. ok deraadt
2007-12-02 - jmc@cvs.openbsd.org 2007/10/29 07:48:19Darren Tucker
[ssh_config.5] clean up after previous macro removal;
2007-12-02 - dtucker@cvs.openbsd.org 2007/10/29 06:51:59Darren Tucker
[ssh_config.5] ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@
2007-10-26 - djm@cvs.openbsd.org 2007/09/21 03:05:23Damien Miller
[ssh_config.5] document KbdInteractiveAuthentication in ssh_config.5; patch from dkg AT fifthhorseman.net
2007-08-15 - stevesk@cvs.openbsd.org 2007/08/15 12:13:41Darren Tucker
[ssh_config.5] tun device forwarding now honours ExitOnForwardFailure; ok markus@
2007-06-11 - jmc@cvs.openbsd.org 2007/06/08 07:43:46Damien Miller
[ssh_config.5] put the MAC list into a display, like we do for ciphers, since groff has trouble handling wide lines;
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-02-19 - jmc@cvs.openbsd.org 2007/01/10 13:23:22Darren Tucker
[ssh_config.5] do not use a list for SYNOPSIS; this is actually part of a larger report sent by eric s. raymond and forwarded by brad, but i only read half of it. spotted by brad.
2006-08-05 - jmc@cvs.openbsd.org 2006/07/27 08:00:50Damien Miller
[ssh_config.5] avoid confusing wording in HashKnownHosts: originally spotted by alan amesbury; ok deraadt
2006-07-12 - markus@cvs.openbsd.org 2006/07/11 18:50:48Darren Tucker
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c channels.h readconf.c] add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58Damien Miller
[ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@
2006-06-13 - jmc@cvs.openbsd.org 2006/05/29 16:10:03Damien Miller
[ssh_config.5] oops - previous was too long; split the list of auths up
2006-06-13 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08Damien Miller
[ssh_config.5] Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
2006-03-31 - djm@cvs.openbsd.org 2006/03/31 09:13:56Damien Miller
[ssh_config.5] remote user escape is %r not %h; spotted by jmc@
2006-03-31 - jmc@cvs.openbsd.org 2006/03/31 09:09:30Damien Miller
[ssh_config.5] kill trailing whitespace;
2006-03-31 - djm@cvs.openbsd.org 2006/03/30 10:41:25Damien Miller
[ssh.c ssh_config.5] add percent escape chars to the IdentityFile option, bz #1159 based on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
2006-03-15 - markus@cvs.openbsd.org 2006/03/14 16:32:48Damien Miller
[ssh_config.5 sshd_config.5] *AliveCountMax applies to protcol v2 only; ok dtucker, djm