summaryrefslogtreecommitdiff
path: root/ssh_config.5
AgeCommit message (Collapse)Author
2007-12-24* Document the non-default options we set as standard in ssh_config(5) andColin Watson
sshd_config(5) (closes: #327886, #345628).
2007-12-24* New upstream release (closes: #453367).Colin Watson
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
2007-08-15 - stevesk@cvs.openbsd.org 2007/08/15 12:13:41Darren Tucker
[ssh_config.5] tun device forwarding now honours ExitOnForwardFailure; ok markus@
2007-06-29* Document that HashKnownHosts may break tab-completion (closes: #430154).Colin Watson
2007-06-13* Document the SILENT loglevel in sftp-server(8), ssh_config(5), andColin Watson
sshd_config(5).
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-11 - jmc@cvs.openbsd.org 2007/06/08 07:43:46Damien Miller
[ssh_config.5] put the MAC list into a display, like we do for ciphers, since groff has trouble handling wide lines;
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-02-19 - jmc@cvs.openbsd.org 2007/01/10 13:23:22Darren Tucker
[ssh_config.5] do not use a list for SYNOPSIS; this is actually part of a larger report sent by eric s. raymond and forwarded by brad, but i only read half of it. spotted by brad.
2006-08-05 - jmc@cvs.openbsd.org 2006/07/27 08:00:50Damien Miller
[ssh_config.5] avoid confusing wording in HashKnownHosts: originally spotted by alan amesbury; ok deraadt
2006-07-12 - markus@cvs.openbsd.org 2006/07/11 18:50:48Darren Tucker
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c channels.h readconf.c] add ExitOnForwardFailure: terminate the connection if ssh(1) cannot set up all requested dynamic, local, and remote port forwardings. ok djm, dtucker, stevesk, jmc
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58Damien Miller
[ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@
2006-06-13 - jmc@cvs.openbsd.org 2006/05/29 16:10:03Damien Miller
[ssh_config.5] oops - previous was too long; split the list of auths up
2006-06-13 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08Damien Miller
[ssh_config.5] Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
2006-05-12* Update to current GSSAPI patch fromColin Watson
http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch (closes: #352042).
2006-05-12Merge 4.3p2 to the trunk.Colin Watson
2006-03-31 - djm@cvs.openbsd.org 2006/03/31 09:13:56Damien Miller
[ssh_config.5] remote user escape is %r not %h; spotted by jmc@
2006-03-31 - jmc@cvs.openbsd.org 2006/03/31 09:09:30Damien Miller
[ssh_config.5] kill trailing whitespace;
2006-03-31 - djm@cvs.openbsd.org 2006/03/30 10:41:25Damien Miller
[ssh.c ssh_config.5] add percent escape chars to the IdentityFile option, bz #1159 based on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
2006-03-15 - markus@cvs.openbsd.org 2006/03/14 16:32:48Damien Miller
[ssh_config.5 sshd_config.5] *AliveCountMax applies to protcol v2 only; ok dtucker, djm
2006-03-15 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29Damien Miller
[misc.c ssh_config.5 sshd_config.5] Allow config directives to contain whitespace by surrounding them by double quotes. mindrot #482, man page help from jmc@, ok djm@
2006-03-15 - jmc@cvs.openbsd.org 2006/02/26 18:03:10Damien Miller
[ssh_config.5] comma;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/26 17:17:18Damien Miller
[ssh_config.5] move PATTERNS to the end of the main body; requested by dtucker
2006-03-15 - jmc@cvs.openbsd.org 2006/02/25 12:26:17Damien Miller
[ssh_config.5] document the possible values for KbdInteractiveDevices;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 23:20:07Damien Miller
[ssh_config.5] some grammar/wording fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 20:31:31Damien Miller
[ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 20:22:16Damien Miller
[ssh-keysign.8 ssh_config.5 sshd_config.5] some consistency fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 10:37:07Damien Miller
[ssh_config.5] tidy up the refs to PATTERNS;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 10:25:14Damien Miller
[ssh_config.5] add section on patterns; from dtucker + myself
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 20:12:25Damien Miller
[ssh_config.5] add some vertical space;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/12 10:49:44Damien Miller
[ssh_config.5] slight rewording; ok djm
2006-03-15 - djm@cvs.openbsd.org 2006/02/12 06:45:34Damien Miller
[ssh.c ssh_config.5] add a %l expansion code to the ControlPath, which is filled in with the local hostname at runtime. Requested by henning@ to avoid some problems with /home on NFS; ok dtucker@
2006-01-31 - jmc@cvs.openbsd.org 2006/01/20 11:21:45Damien Miller
[ssh_config.5] - word change, agreed w/ markus - consistency fixes
2006-01-20 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55Darren Tucker
[scp.1 ssh.1 ssh_config.5 sftp.1] Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
2006-01-14 - jmc@cvs.openbsd.org 2006/01/12 22:26:02Damien Miller
[ssh_config.5] refer to TCP forwarding, rather than TCP/IP forwarding;
2006-01-03 - (djm) OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2006/01/02 17:09:49 [ssh_config.5 sshd_config.5] some corrections from michael knudsen;
2005-12-24 - jmc@cvs.openbsd.org 2005/12/22 10:31:40Damien Miller
[ssh_config.5] put the description of "UsePrivilegedPort" in the correct place;
2005-12-20 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42Darren Tucker
[ssh_config.5] spelling: intented -> intended
2005-12-20 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05Darren Tucker
[ssh_config.5 session.c] spelling: fowarding, fowarded
2005-12-13 - jmc@cvs.openbsd.org 2005/12/08 21:37:50Damien Miller
[ssh_config.5] new sentence, new line;
2005-12-13 - reyk@cvs.openbsd.org 2005/12/08 18:34:11Damien Miller
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c] [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] two changes to the new ssh tunnel support. this breaks compatibility with the initial commit but is required for a portable approach. - make the tunnel id u_int and platform friendly, use predefined types. - support configuration of layer 2 (ethernet) or layer 3 (point-to-point, default) modes. configuration is done using the Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option in sshd_config(5). ok djm@, man page bits by jmc@
2005-12-13 - jmc@cvs.openbsd.org 2005/12/08 15:06:29Damien Miller
[ssh_config.5] keep options in order;
2005-12-13 - jmc@cvs.openbsd.org 2005/12/08 14:59:44Damien Miller
[ssh.1 ssh_config.5] make `!command' a little clearer; ok reyk
2005-12-13 - reyk@cvs.openbsd.org 2005/12/06 22:38:28Damien Miller
[auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-11-05 - jmc@cvs.openbsd.org 2005/10/30 08:43:47Damien Miller
[ssh_config.5] remove trailing whitespace;
2005-11-05 - djm@cvs.openbsd.org 2005/10/30 01:23:19Damien Miller
[ssh_config.5] mention control socket fallback behaviour, reported by tryponraj AT gmail.com
2005-10-03 - djm@cvs.openbsd.org 2005/09/19 11:37:34Darren Tucker
[ssh_config.5 ssh.1] mention ability to specify bind_address for DynamicForward and -D options; bz#1077 spotted by Haruyama Seigo
2005-09-14Merge 4.2p1 to the trunk.Colin Watson
2005-07-14 - jmc@cvs.openbsd.org 2005/07/08 12:53:10Darren Tucker
[ssh_config.5] new sentence, new line;