summaryrefslogtreecommitdiff
path: root/ssh_config.5
AgeCommit message (Collapse)Author
2014-12-05upstream commitdjm@openbsd.org
add RevokedHostKeys option for the client Allow textfile or KRL-based revocation of hostkeys.
2014-11-11upstream commitdjm@openbsd.org
mux-related manual tweaks mention ControlPersist=0 is the same as ControlPersist=yes recommend that ControlPath sockets be placed in a og-w directory
2014-10-20upstream commitjmc@openbsd.org
tweak previous;
2014-10-13upstream commitdjm@openbsd.org
Tweak config reparsing with host canonicalisation Make the second pass through the config files always run when hostname canonicalisation is enabled. Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass. Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T" Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2267 bz#2286; ok markus
2014-10-13upstream commitsobrado@openbsd.org
improve capitalization for the Ed25519 public-key signature system. ok djm@
2014-07-18 - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-09 - djm@cvs.openbsd.org 2014/07/07 08:19:12Damien Miller
[ssh_config.5] mention that ProxyCommand is executed using shell "exec" to avoid a lingering process; bz#1977
2014-07-03 - jmc@cvs.openbsd.org 2014/07/03 07:45:27Damien Miller
[ssh_config.5] escape %C since groff thinks it part of an Rs/Re block;
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 06:39:19Damien Miller
[ssh.c ssh_config.5] Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a has of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding sockaddr_un's miserly pathname limits for mux control paths. bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 05:32:36Damien Miller
[ssh_config.5] mention '%%' escape sequence in HostName directives and how it may be used to specify IPv6 link-local addresses
2014-04-20 - naddy@cvs.openbsd.org 2014/03/28 05:17:11Damien Miller
[ssh_config.5 sshd_config.5] sync available and default algorithms, improve algorithm list formatting help from jmc@ and schwarze@, ok deraadt@
2014-02-24 - djm@cvs.openbsd.org 2014/02/23 20:11:36Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5] reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes the hostname. This allows users to write configurations that always refer to canonical hostnames, e.g. CanonicalizeHostname yes CanonicalDomains int.example.org example.org CanonicalizeFallbackLocal no Host *.int.example.org Compression off Host *.example.org User djm ok markus@
2014-01-19 - djm@cvs.openbsd.org 2014/01/19 04:48:08Darren Tucker
[ssh_config.5] fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
2013-12-18 - naddy@cvs.openbsd.org 2013/12/07 11:58:46Damien Miller
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1] [ssh_config.5 sshd.8 sshd_config.5] add missing mentions of ed25519; ok djm@
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
2013-12-05 - jmc@cvs.openbsd.org 2013/11/21 08:05:09Damien Miller
[ssh_config.5 sshd_config.5] no need for .Pp before displays;
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 00:45:44Damien Miller
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-11-04 - markus@cvs.openbsd.org 2013/11/02 22:39:19Damien Miller
[ssh_config.5 sshd_config.5] the default kex is now curve25519-sha256@libssh.org
2013-10-24 - dtucker@cvs.openbsd.org 2013/10/24 00:51:48Damien Miller
[readconf.c servconf.c ssh_config.5 sshd_config.5] Disallow empty Match statements and add "Match all" which matches everything. ok djm, man page help jmc@
2013-10-23 - jmc@cvs.openbsd.org 2013/10/20 18:00:13Damien Miller
[ssh_config.5] tweak the "exec" description, as worded by djm;
2013-10-23 - djm@cvs.openbsd.org 2013/10/20 06:19:28Damien Miller
[readconf.c ssh_config.5] rename "command" subclause of the recently-added "Match" keyword to "exec"; it's shorter, clearer in intent and we might want to add the ability to match against the command being executed at the remote end in the future.
2013-10-23 - djm@cvs.openbsd.org 2013/10/20 04:39:28Damien Miller
[ssh_config.5] document % expansions performed by "Match command ..."
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:58:01Damien Miller
[ssh.c ssh_config.5] one I missed in previous: s/isation/ization/
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 22:49:39Damien Miller
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5] s/canonicalise/canonicalize/ for consistency with existing spelling, e.g. authorized_keys; pointed out by naddy@
2013-10-17 - jmc@cvs.openbsd.org 2013/10/16 06:42:25Damien Miller
[ssh_config.5] tweak previous;
2013-10-17 - djm@cvs.openbsd.org 2013/10/16 02:31:47Damien Miller
[readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5] [sshconnect.c sshconnect.h] Implement client-side hostname canonicalisation to allow an explicit search path of domain suffixes to use to convert unqualified host names to fully-qualified ones for host key matching. This is particularly useful for host certificates, which would otherwise need to list unqualified names alongside fully-qualified ones (and this causes a number of problems). "looks fine" markus@
2013-10-17 - jmc@cvs.openbsd.org 2013/10/15 14:10:25Damien Miller
[ssh.1 ssh_config.5] tweak previous;
2013-10-15 - djm@cvs.openbsd.org 2013/10/14 22:22:05Damien Miller
[readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5] add a "Match" keyword to ssh_config that allows matching on hostname, user and result of arbitrary commands. "nice work" markus@
2013-08-21 - jmc@cvs.openbsd.org 2013/08/20 06:56:07Damien Miller
[ssh.1 ssh_config.5] some proxyusefdpass tweaks;
2013-08-21 - djm@cvs.openbsd.org 2013/08/20 00:11:38Damien Miller
[readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@
2013-07-18 - jmc@cvs.openbsd.org 2013/06/27 14:05:37Damien Miller
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] do not use Sx for sections outwith the man page - ingo informs me that stuff like html will render with broken links; issue reported by Eric S. Raymond, via djm
2013-07-18 - djm@cvs.openbsd.org 2013/06/21 00:37:49Damien Miller
[ssh_config.5] explicitly mention that IdentitiesOnly can be used with IdentityFile to control which keys are offered from an agent.
2013-05-16 - jmc@cvs.openbsd.org 2013/05/16 06:28:45Darren Tucker
[ssh_config.5] put IgnoreUnknown in the right place;
2013-05-16 - djm@cvs.openbsd.org 2013/05/16 04:27:50Darren Tucker
[ssh_config.5 readconf.h readconf.c] add the ability to ignore specific unrecognised ssh_config options; bz#866; ok markus@
2013-05-16 - dtucker@cvs.openbsd.org 2013/05/16 02:00:34Darren Tucker
[ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c ssh_config.5 packet.h] Add an optional second argument to RekeyLimit in the client to allow rekeying based on elapsed time in addition to amount of traffic. with djm@ jmc@, ok djm
2013-01-09 - markus@cvs.openbsd.org 2013/01/08 18:49:04Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:31:18Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@
2012-12-03 - djm@cvs.openbsd.org 2012/12/02 20:26:11Damien Miller
[ssh_config.5 sshconnect2.c] Make IdentitiesOnly apply to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. ok markus@
2012-10-05 - markus@cvs.openbsd.org 2012/10/04 13:21:50Darren Tucker
[myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c] add umac128 variant; ok djm@ at n2k12 (note: further Makefile work is required)
2012-07-02 - naddy@cvs.openbsd.org 2012/06/29 13:57:25Darren Tucker
[ssh_config.5 sshd_config.5] match the documented MAC order of preference to the actual one; ok dtucker@
2012-06-30 - dtucker@cvs.openbsd.org 2012/06/28 05:07:45Damien Miller
[mac.c myproposal.h ssh_config.5 sshd_config.5] Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed from draft6 of the spec and will not be in the RFC when published. Patch from mdb at juniper net via bz#2023, ok markus.
2012-06-20 - dtucker@cvs.openbsd.org 2012/06/18 11:49:58Damien Miller
[ssh_config.5] RSA instead of DSA twice. From Steve.McClellan at radisys com
2011-09-22 - djm@cvs.openbsd.org 2011/09/09 00:43:00Damien Miller
[ssh_config.5 sshd_config.5] fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-08-06 - djm@cvs.openbsd.org 2011/08/02 01:22:11Damien Miller
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] Add new SHA256 and SHA512 based HMAC modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt Patch from mdb AT juniper.net; feedback and ok markus@
2011-06-20 - djm@cvs.openbsd.org 2011/06/04 00:10:26Damien Miller
[ssh_config.5] explain IdentifyFile's semantics a little better, prompted by bz#1898 ok dtucker jmc
2011-05-29 - djm@cvs.openbsd.org 2011/05/24 07:15:47Damien Miller
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c] Remove undocumented legacy options UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus
2011-05-15 - jmc@cvs.openbsd.org 2011/05/07 23:19:39Damien Miller
[ssh_config.5] - tweak previous - come consistency fixes ok djm
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:34:32Damien Miller
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5] Add a RequestTTY ssh_config option to allow configuration-based control over tty allocation (like -t/-T); ok markus@
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:31:38Damien Miller
[readconf.c ssh_config.5] support negated Host matching, e.g. Host *.example.org !c.example.org User mekmitasdigoat Will match "a.example.org", "b.example.org", but not "c.example.org" ok markus@
2011-05-15 - djm@cvs.openbsd.org 2011/05/06 21:18:02Damien Miller
[ssh.c ssh_config.5] add a %L expansion (short-form of the local host name) for ControlPath; sync some more expansions with LocalCommand; ok markus@