summaryrefslogtreecommitdiff
path: root/ssh_config.5
AgeCommit message (Collapse)Author
2020-02-07upstream: Add ssh -Q key-sig for all key and signature types.dtucker@openbsd.org
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the corresponding query. Man page help jmc@, ok djm@. OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-01upstream: spelling fix;jmc@openbsd.org
OpenBSD-Commit-ID: 3c079523c4b161725a4b15dd06348186da912402
2020-01-31upstream: document changed default for UpdateHostKeysdjm@openbsd.org
OpenBSD-Commit-ID: 25c390b21d142f78ac0106241d13441c4265fd2c
2020-01-28upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,djm@openbsd.org
based on patch by veegish AT cyberstorm.mu OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
2020-01-26upstream: clarify that BatchMode applies to all interactive promptsdjm@openbsd.org
(e.g. host key confirmation) and not just password prompts. OpenBSD-Commit-ID: 97b001883d89d3fb1620d2e6b747c14a26aa9818
2020-01-25upstream: group14-sha1 is no longer a default algorithmtedu@openbsd.org
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25upstream: reword HashKnownHosts description a little more; somedjm@openbsd.org
people found the wording confusing (bz#2560) OpenBSD-Commit-ID: ac30896598694f07d498828690aecd424c496988
2020-01-25upstream: weaken the language for what HashKnownHosts provides withdjm@openbsd.org
regards to known_hosts name privacy, it's not practical for this option to offer any guarantee that hostnames cannot be recovered from a disclosed known_hosts file (e.g. by brute force). OpenBSD-Commit-ID: 13f1e3285f8acf7244e9770074296bcf446c6972
2020-01-22upstream: document the default value of the ControlPersist option;naddy@openbsd.org
ok dtucker@ djm@ OpenBSD-Commit-ID: 0788e7f2b5a9d4e36d3d2ab378f73329320fef66
2019-12-30upstream: Replace the term "security key" with "(FIDO)naddy@openbsd.org
authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@ OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-21upstream: Allow forwarding a different agent socket to the pathdjm@openbsd.org
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. Patch by Eric Chiang, manpage by me; ok markus@ OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
2019-12-20upstream: Document that security key-hosted keys can act as hostnaddy@openbsd.org
keys. Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5. ok jmc@ OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-11upstream: tweak the Nd lines for a bit of consistency; ok markusjmc@openbsd.org
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-11-20upstream: document '$' environment variable expansion fornaddy@openbsd.org
SecurityKeyProvider; ok djm@ OpenBSD-Commit-ID: 76db507ebd336a573e1cd4146cc40019332c5799
2019-11-20upstream: more missing mentions of ed25519-sk; ok djm@naddy@openbsd.org
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-18upstream: mention ed25519-sk key/cert types here too; prompted bydjm@openbsd.org
jmc@ OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-08upstream: Fill in missing man page bits for U2F security key support:naddy@openbsd.org
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-09-13upstream: clarify that IdentitiesOnly also applies to the defaultdjm@openbsd.org
~/.ssh/id_* keys; bz#3062 OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
2019-09-13upstream: allow %n to be expanded in ProxyCommand stringsdjm@openbsd.org
From Zachary Harmany via github.com/openssh/openssh-portable/pull/118 ok dtucker@ OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
2019-09-13upstream: clarify that ConnectTimeout applies both to the TCPdjm@openbsd.org
connection and to the protocol handshake/KEX. From Jean-Charles Longuet via Github PR140 OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
2019-09-08upstream: Allow prepending a list of algorithms to the default setnaddy@openbsd.org
by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-05upstream: Call comma-separated lists as such to clarify semantics.naddy@openbsd.org
Options such as Ciphers take values that may be a list of ciphers; the complete list, not indiviual elements, may be prefixed with a dash or plus character to remove from or append to the default list, respectively. Users might read the current text as if each elment took an optional prefix, so tweak the wording from "values" to "list" to prevent such ambiguity for all options supporting these semantics. Fix instances missed in first commit. ok jmc@ kn@ OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
2019-08-29upstream: Call comma-separated lists as such to clarify semanticskn@openbsd.org
Options such as Ciphers take values that may be a list of ciphers; the complete list, not indiviual elements, may be prefixed with a dash or plus character to remove from or append to the default list respectively. Users might read the current text as if each elment took an optional prefix, so tweak the wording from "values" to "list" to prevent such ambiguity for all options supporting this semantics (those that provide a list of available elements via "ssh -Q ..."). Input and OK jmc OpenBSD-Commit-ID: 4fdd175b0e5f5cb10ab3f26ccc38a93bb6515d57
2019-08-09upstream: Change description of TCPKeepAlive from "inactive" todtucker@openbsd.org
"unresponsive" to clarify what it checks for. Patch from jblaine at kickflop.net via github pr#129, ok djm@. OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9
2019-08-02upstream: typo; from Christian Hessedjm@openbsd.org
OpenBSD-Commit-ID: 82f6de7438ea7ee5a14f44fdf5058ed57688fdc3
2019-06-14upstream: Hostname->HostName cleanup; from lauri tirkkonen okjmc@openbsd.org
dtucker OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
2019-06-14upstream: deraadt noticed some inconsistency in the way we denotejmc@openbsd.org
the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent (effectively reversing my commit of yesterday); ok deraadt markus djm OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667
2019-06-14upstream: consistent lettering for "HostName" keyword; from laurijmc@openbsd.org
tirkkonen OpenBSD-Commit-ID: 0c267a1257ed7482b13ef550837b6496e657d563
2019-05-17upstream: Delete some .Sx macros that were used in a wrong way.schwarze@openbsd.org
Part of a patch from Stephen Gregoratto <dev at sgregoratto dot me>. OpenBSD-Commit-ID: 15501ed13c595f135e7610b1a5d8345ccdb513b7
2019-03-01upstream: mention PKCS11Provide=none, reword a little and removedjm@openbsd.org
mention of RSA keys only (since we support ECDSA now and might support others in the future). Inspired by Jakub Jelen via bz#2974 OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5
2019-02-24upstream: openssh-7.9 accidentally reused the server's algorithm listsdjm@openbsd.org
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT vault24.org via bz#2697; ok dtucker OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
2019-02-22upstream: sync the description of ~/.ssh/config with djm's updatedjmc@openbsd.org
description in ssh.1; issue pointed out by andreas kahari ok dtucker djm OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c
2019-01-22upstream: Mention that configuration for the destination host isdjm@openbsd.org
not applied to any ProxyJump/-J hosts. This has confused a few people... OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
2018-12-07upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f
2018-11-23upstream: add a ssh_config "Match final" predicatedjm@openbsd.org
Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 ok markus OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
2018-10-03upstream: Allow ssh_config IdentityAgent directive to acceptdjm@openbsd.org
environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-09-21upstream: Allow ssh_config ForwardX11Timeout=0 to disable thedjm@openbsd.org
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
2018-09-21upstream: Treat connections with ProxyJump specified the same as onesdjm@openbsd.org
with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). Patch from Sven Wegener via bz#2896 OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
2018-09-21upstream: reorder CASignatureAlgorithms, and add them to thejmc@openbsd.org
various -o lists; ok djm OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-20upstream: add CASignatureAlgorithms option for the client, allowingdjm@openbsd.org
it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-26upstream: Point to glob in section 7 for the actual list of specialkn@openbsd.org
characters instead the C API in section 3. OK millert jmc nicm, "the right idea" deraadt OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6
2018-07-19upstream: Deprecate UsePrivilegedPort now that support for runningdtucker@openbsd.org
ssh(1) setuid has been removed, remove supporting code and clean up references to it in the man pages We have not shipped ssh(1) the setuid bit since 2002. If ayone really needs to make connections from a low port number this can be implemented via a small setuid ProxyCommand. ok markus@ jmc@ djm@ OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-06-11upstream: sort previous;jmc@openbsd.org
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-09upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-04upstream: add missing punctuation after %i in ssh_config.5, andjmc@openbsd.org
make the grammatical format in sshd_config.5 match that in ssh_config.5; OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
2018-06-01upstream: make UID available as a %-expansion everywhere that thedjm@openbsd.org
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95