summaryrefslogtreecommitdiff
path: root/ssh_config.5
AgeCommit message (Collapse)Author
2011-01-24* New upstream release (http://www.openssh.org/txt/release-5.7):Colin Watson
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
2011-01-24merge 5.7p1Colin Watson
2011-01-24import openssh-5.6p1-gsskex-all-20110101.patchColin Watson
2010-12-26 - djm@cvs.openbsd.org 2010/12/08 04:02:47Damien Miller
[ssh_config.5 sshd_config.5] explain that IPQoS arguments are separated by whitespace; iirc requested by jmc@ a while back
2010-12-01 - djm@cvs.openbsd.org 2010/11/29 23:45:51Damien Miller
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c] [sshconnect.h sshconnect2.c] automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys that are preferred by default; with markus@
2010-11-20 - jmc@cvs.openbsd.org 2010/11/15 07:40:14Damien Miller
[ssh_config.5] libary -> library;
2010-11-20 - djm@cvs.openbsd.org 2010/11/13 23:27:51Damien Miller
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-05 - jmc@cvs.openbsd.org 2010/10/28 18:33:28Damien Miller
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] knock out some "-*- nroff -*-" lines;
2010-09-24 - jmc@cvs.openbsd.org 2010/09/22 08:30:08Damien Miller
[ssh.1 ssh_config.5] ssh.1: add kexalgorithms to the -o list ssh_config.5: format the kexalgorithms in a more consistent (prettier!) way ok djm
2010-09-24 - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
2010-08-23* New upstream release (http://www.openssh.com/txt/release-5.6):Colin Watson
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
2010-08-23merge 5.6p1Colin Watson
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:37:01Damien Miller
[ssh.1 ssh_config.5 sshd.8] Remove mentions of weird "addr/port" alternate address format for IPv6 addresses combinations. It hasn't worked for ages and we have supported the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-03 - djm@cvs.openbsd.org 2010/07/19 09:15:12Damien Miller
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5] add a "ControlPersist" option that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but further hacked on by wmertens AT cisco.com, apb AT cequrux.com, martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
2010-07-16 - djm@cvs.openbsd.org 2010/07/12 22:41:13Damien Miller
[ssh.c ssh_config.5] expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames: Host *.* Hostname %h Host * Hostname %h.example.org "I like it" markus@
2010-07-02 - jmc@cvs.openbsd.org 2010/06/26 00:57:07Damien Miller
[ssh_config.5] tweak previous;
2010-06-26 - djm@cvs.openbsd.org 2010/06/25 23:10:30Damien Miller
[ssh.c] log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts; "nice!" markus@
2010-04-18 - OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2010/04/16 06:45:01 [ssh_config.5] tweak previous; ok djm
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-16merge 5.5p1Colin Watson
2010-04-16 - djm@cvs.openbsd.org 2010/04/14 22:27:42Damien Miller
[ssh_config.5 sshconnect.c] expand %r => remote username in ssh_config:ProxyCommand; ok deraadt markus
2010-04-16 - jmc@cvs.openbsd.org 2010/03/27 14:26:55Damien Miller
[ssh_config.5] tweak previous; ok dtucker
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-31merge 5.4p1Colin Watson
2010-03-26 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13Darren Tucker
[ssh_config.5] Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not. ok djm@
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 10:28:21Damien Miller
[ssh-add.1 ssh.1 ssh_config.5] mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@
2010-02-12 - markus@cvs.openbsd.org 2010/02/10 23:20:38Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-08 - jmc@cvs.openbsd.org 2009/12/29 18:03:32Darren Tucker
[sshd_config.5 ssh_config.5] sort previous;
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41Darren Tucker
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@
2010-01-08 - djm@cvs.openbsd.org 2009/11/10 02:56:22Darren Tucker
[ssh_config.5] explain the constraints on LocalCommand some more so people don't try to abuse it.
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2010-01-01* New upstream release (closes: #536182). Yes, I know 5.3p1 has been outColin Watson
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
2010-01-01import openssh-5.2p1-gsskex-all-20090726.patchColin Watson
2009-12-29import openssh-5.1p1-gsskex-cjwatson-20080722.patchColin Watson
2009-12-29import openssh-4.7p1-gsskex-20070927.patchColin Watson
2009-12-29import openssh-4.6p1-gsskex-20070312.patchColin Watson
2009-12-29import openssh-4.3p2-gsskex-20060223.patchColin Watson
2009-12-29import openssh-4.2p1-gsskex-20050926-2.patchColin Watson
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12Darren Tucker
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:50:57Damien Miller
[ssh_config.5 sshd_config.5] don't advertise experimental options
2009-02-14 - jmc@cvs.openbsd.org 2009/02/12 07:34:20Damien Miller
[ssh_config.5] kill trailing whitespace;
2009-02-14 - djm@cvs.openbsd.org 2009/02/12 03:46:17Damien Miller
[ssh_config.5] document RemoteForward usage with 0 listen port
2009-01-28 - naddy@cvs.openbsd.org 2009/01/24 17:10:22Damien Miller
[ssh_config.5 sshd_config.5] sync list of preferred ciphers; ok djm@
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-11-03 - stevesk@cvs.openbsd.org 2008/10/17 18:36:24Damien Miller
[ssh_config.5] correct and clarify VisualHostKey; ok jmc@