summaryrefslogtreecommitdiff
path: root/sshd.8
AgeCommit message (Collapse)Author
2007-12-24* New upstream release (closes: #453367).Colin Watson
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
2007-12-23Import OpenSSH 4.7p1.Colin Watson
2007-08-17 - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote lockedDarren Tucker
accounts and that's what the code looks for, so make man page and code agree. Pointed out by Roumen Petrov.
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-03-21 - jmc@cvs.openbsd.org 2007/03/20 15:57:15Darren Tucker
[sshd.8] - let synopsis and description agree for -f - sort FILES - +.Xr ssh-keyscan 1 , from Igor Sobrado
2006-08-30 - dtucker@cvs.openbsd.org 2006/08/21 08:15:57Damien Miller
[sshd.8] Add more detail about what permissions are and aren't accepted for authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
2006-07-12 - jmc@cvs.openbsd.org 2006/07/10 16:04:21Darren Tucker
[sshd.8] s/and and/and/
2006-07-10 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51Darren Tucker
[misc.c misc.h sshd.8 sshconnect.c] Add port identifier to known_hosts for non-default ports, based originally on a patch from Devin Nate in bz#910. For any connection using the default port or using a HostKeyAlias the format is unchanged, otherwise the host name or address is enclosed within square brackets in the same format as sshd's ListenAddress. Tested by many, ok markus@.
2006-05-12Merge 4.3p2 to the trunk.Colin Watson
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 20:31:31Damien Miller
[ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 10:39:52Damien Miller
[sshd.8] signpost to PATTERNS section;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 20:05:00Damien Miller
[sshd.8] grammar;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 20:02:17Damien Miller
[sshd.8] sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 19:52:10Damien Miller
[sshd.8] move the sshrc stuff out of FILES, and into its own section: FILES is not a good place to document how stuff works;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/16 09:05:34Damien Miller
[sshd.8] sync some of the FILES entries w/ ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/15 16:55:33Damien Miller
[sshd.8] remove ietf draft references; RFC list now maintained in ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:27:25Damien Miller
[sshd.8] sort FILES and use a -compact list;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:08:43Damien Miller
[sshd.8] - avoid nasty line split - `*' does not need to be escaped
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:02:26Damien Miller
[sshd.8] turn this into an example ssh_known_hosts file; ok djm
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 10:21:25Damien Miller
[sshd.8] small tweaks for the ssh_known_hosts section;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 10:16:39Damien Miller
[sshd.8] no need to subsection the authorized_keys examples - instead, convert this to look like an actual file. also use proto 2 keys, and use IETF example addresses;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/12 17:57:19Damien Miller
[sshd.8] sort the list of options permissable w/ authorized_keys; ok djm dtucker
2006-03-15 - jmc@cvs.openbsd.org 2006/02/12 10:52:41Damien Miller
[sshd.8] rework the description of authorized_keys a little;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/09 10:10:47Damien Miller
[sshd.8] - move some text into a CAVEATS section - merge the COMMAND EXECUTION... section into AUTHENTICATION
2006-02-01 - jmc@cvs.openbsd.org 2006/02/01 09:11:41Damien Miller
[sshd.8] small tweak;
2006-02-01 - (djm) OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2006/02/01 09:06:50 [sshd.8] - merge sections on protocols 1 and 2 into a single section - remove configuration file section ok markus
2006-01-31 - jmc@cvs.openbsd.org 2006/01/25 09:07:22Damien Miller
[sshd.8] move subsections to full sections;
2006-01-31 - jmc@cvs.openbsd.org 2006/01/25 09:04:34Damien Miller
[sshd.8] move the options description up the page, and a few additional tweaks whilst in here; ok markus
2006-01-14 - jmc@cvs.openbsd.org 2006/01/12 22:20:00Damien Miller
[sshd.8] refer to TCP forwarding, rather than TCP/IP forwarding;
2005-12-24 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26Damien Miller
[sshd.8] clarify precedence of -p, Port, ListenAddress; ok and help jmc@
2005-12-13 - reyk@cvs.openbsd.org 2005/12/06 22:38:28Damien Miller
[auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-11-28 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)Tim Rice
for UnixWare.
2005-10-05 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prependedDarren Tucker
"*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and senthilkumar_sen at hotpop.com.
2005-09-14Merge 4.2p1 to the trunk.Colin Watson
2005-06-16 - djm@cvs.openbsd.org 2005/06/08 03:50:00Damien Miller
[ssh-keygen.1 ssh-keygen.c sshd.8] increase default rsa/dsa key length from 1024 to 2048 bits; ok markus@ deraadt@
2005-05-26 - djm@cvs.openbsd.org 2005/04/21 06:17:50Damien Miller
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@
2005-05-25Merge 4.0p1 to the trunk.Colin Watson
2005-03-02 - jmc@cvs.openbsd.org 2005/03/01 14:59:49Damien Miller
[sshd.8] new sentence, new line; whitespace;
2005-03-01 - djm@cvs.openbsd.org 2005/03/01 10:40:27Damien Miller
[hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5] [sshconnect.c sshd.8] add support for hashing host names and addresses added to known_hosts files, to improve privacy of which hosts user have been visiting; ok markus@ deraadt@
2005-03-01 - jmc@cvs.openbsd.org 2005/02/25 10:55:13Damien Miller
[sshd.8] add /etc/motd and $HOME/.hushlogin to FILES; from michael knudsen;
2005-01-04Merge 3.9p1 to the trunk.Colin Watson
2004-12-06 - dtucker@cvs.openbsd.org 2004/12/06 11:41:03Darren Tucker
[auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8] Discard over-length authorized_keys entries rather than complaining when they don't decode. bz #884, with & ok djm@
2004-08-29 - markus@cvs.openbsd.org 2004/08/26 16:00:55Darren Tucker
[ssh.1 sshd.8] get rid of references to rhosts authentication; with jmc@
2004-05-02 - dtucker@cvs.openbsd.org 2004/05/02 11:54:31Darren Tucker
[sshd.8] Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk via Debian; ok djm@
2004-05-01Fix grammar in sshd(8) (closes: #238753).Colin Watson
2004-03-01Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested itColin Watson
extensively yet. ProtocolKeepAlives is now just a compatibility alias for ServerAliveInterval.
2003-10-15 - jmc@cvs.openbsd.org 2003/10/08 08:27:36Darren Tucker
[scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8] scp and sftp: add options list and sort options. options list requested by deraadt@ sshd: use same format as ssh ssh: remove wrong option from list sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) ok deraadt@ markus@