Age | Commit message (Collapse) | Author |
|
[ssh-keygen.1 ssh.1 sshd.8]
tweak previous;
|
|
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
|
[sshd.8]
debug output goes to stderr, not "the system log"; ok markus dtucker
|
|
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
some tweaks now that protocol 1 is not offered by default; ok markus
|
|
[sftp-server.8 sshd.8 ssh-agent.1]
fix a few typographical errors found by spell(1).
ok dtucker@, jmc@
|
|
[sshd.8]
do not give an example of how to chmod files: we can presume the user
knows that. removes an ambiguity in the permission of authorized_keys;
ok deraadt
|
|
[sshd_config sshd_config.5 sshd.8 servconf.c]
increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@
|
|
[sshd.8]
kill trailing whitespace;
|
|
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
|
|
[sshd.8 sshd.c]
- update usage()
- fix SYNOPSIS, and sort options
- some minor additional fixes
|
|
[sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
Add extended test mode (-T) and connection parameters for test mode (-C).
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm
|
|
[sshd.8]
remove trailing whitespace;
|
|
[auth-options.c auth-options.h session.c sshd.8]
add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
|
|
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
of a typo in rcs.c;
|
|
[ssh.1 sshd.8]
Document the correct permissions for the ~/.ssh/ directory.
ok jmc
|
|
accounts and that's what the code looks for, so make man page and code
agree. Pointed out by Roumen Petrov.
|
|
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
|
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
|
|
[sshd.8]
- let synopsis and description agree for -f
- sort FILES
- +.Xr ssh-keyscan 1 ,
from Igor Sobrado
|
|
[sshd.8]
Add more detail about what permissions are and aren't accepted for
authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
|
|
[sshd.8]
s/and and/and/
|
|
[misc.c misc.h sshd.8 sshconnect.c]
Add port identifier to known_hosts for non-default ports, based originally
on a patch from Devin Nate in bz#910.
For any connection using the default port or using a HostKeyAlias the
format is unchanged, otherwise the host name or address is enclosed
within square brackets in the same format as sshd's ListenAddress.
Tested by many, ok markus@.
|
|
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
more consistency fixes;
|
|
[sshd.8]
signpost to PATTERNS section;
|
|
[sshd.8]
grammar;
|
|
[sshd.8]
sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
|
|
[sshd.8]
move the sshrc stuff out of FILES, and into its own section:
FILES is not a good place to document how stuff works;
|
|
[sshd.8]
sync some of the FILES entries w/ ssh.1;
|
|
[sshd.8]
remove ietf draft references; RFC list now maintained in ssh.1;
|
|
[sshd.8]
sort FILES and use a -compact list;
|
|
[sshd.8]
- avoid nasty line split
- `*' does not need to be escaped
|
|
[sshd.8]
turn this into an example ssh_known_hosts file; ok djm
|
|
[sshd.8]
small tweaks for the ssh_known_hosts section;
|
|
[sshd.8]
no need to subsection the authorized_keys examples - instead, convert
this to look like an actual file. also use proto 2 keys, and use IETF
example addresses;
|
|
[sshd.8]
sort the list of options permissable w/ authorized_keys;
ok djm dtucker
|
|
[sshd.8]
rework the description of authorized_keys a little;
|
|
[sshd.8]
- move some text into a CAVEATS section
- merge the COMMAND EXECUTION... section into AUTHENTICATION
|
|
[sshd.8]
small tweak;
|
|
- jmc@cvs.openbsd.org 2006/02/01 09:06:50
[sshd.8]
- merge sections on protocols 1 and 2 into a single section
- remove configuration file section
ok markus
|
|
[sshd.8]
move subsections to full sections;
|
|
[sshd.8]
move the options description up the page, and a few additional tweaks
whilst in here;
ok markus
|
|
[sshd.8]
refer to TCP forwarding, rather than TCP/IP forwarding;
|
|
[sshd.8]
clarify precedence of -p, Port, ListenAddress; ok and help jmc@
|
|
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
[misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
[serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
[sshconnect.h sshd.8 sshd_config sshd_config.5]
Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.
ok djm@, markus@, jmc@ (manpages), tested and discussed with others
|
|
for UnixWare.
|
|
"*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
senthilkumar_sen at hotpop.com.
|
|
[ssh-keygen.1 ssh-keygen.c sshd.8]
increase default rsa/dsa key length from 1024 to 2048 bits;
ok markus@ deraadt@
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
[sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
variable, so don't say that we do (bz #623); ok deraadt@
|
|
[sshd.8]
new sentence, new line;
whitespace;
|