path: root/sshd.8
Age - Commit message (Author)
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:19:29 (Author: Damien Miller)
[ssh.1 sshd.8] move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 22:49:50 (Author: Damien Miller)
[sshd.8] the authorized_keys option for CA keys is "cert-authority", not "from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-03 - jmc@cvs.openbsd.org 2010/02/26 22:09:28 (Author: Damien Miller)
[ssh-keygen.1 ssh.1 sshd.8] tweak previous;
2010-02-27 - OpenBSD CVS Sync (Author: Damien Miller)
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-02 - djm@cvs.openbsd.org 2010/01/30 21:08:33 (Author: Damien Miller)
[sshd.8] debug output goes to stderr, not "the system log"; ok markus dtucker
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12 (Author: Darren Tucker)
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-06-21 - sobrado@cvs.openbsd.org 2009/03/26 08:38:39 (Author: Darren Tucker)
[sftp-server.8 sshd.8 ssh-agent.1] fix a few typographical errors found by spell(1). ok dtucker@, jmc@
2008-11-03 - jmc@cvs.openbsd.org 2008/10/03 13:08:12 (Author: Damien Miller)
[sshd.8] do not give an example of how to chmod files: we can presume the user knows that. removes an ambiguity in the permission of authorized_keys; ok deraadt
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 02:24:18 (Author: Darren Tucker)
[sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
2008-06-13 - jmc@cvs.openbsd.org 2008/06/11 07:30:37 (Author: Darren Tucker)
[sshd.8] kill trailing whitespace;
2008-06-11 - djm@cvs.openbsd.org 2008/06/10 23:06:19 (Author: Darren Tucker)
[auth-options.c match.c servconf.c addrmatch.c sshd.8] support CIDR address matching in .ssh/authorized_keys from="..." stanzas ok and extensive testing dtucker@
2008-06-10 - jmc@cvs.openbsd.org 2008/06/10 08:17:40 (Author: Darren Tucker)
[sshd.8 sshd.c] - update usage() - fix SYNOPSIS, and sort options - some minor additional fixes
2008-06-10 - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 (Author: Darren Tucker)
[sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] Add extended test mode (-T) and connection parameters for test mode (-C). -T causes sshd to write its effective configuration to stdout and exit. -C causes any relevant Match rules to be applied before output. The combination allows testing of the parser and config files. ok deraadt djm
2008-04-03 - jmc@cvs.openbsd.org 2008/03/27 22:37:57 (Author: Damien Miller)
[sshd.8] remove trailing whitespace;
2008-03-27 - djm@cvs.openbsd.org 2008/03/26 21:28:14 (Author: Damien Miller)
[auth-options.c auth-options.h session.c sshd.8] add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
2008-03-27 - jmc@cvs.openbsd.org 2008/02/11 07:58:28 (Author: Damien Miller)
[ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c;
2008-02-10 - mcbride@cvs.openbsd.org 2008/02/09 12:15:43 (Author: Damien Miller)
[ssh.1 sshd.8] Document the correct permissions for the ~/.ssh/ directory. ok jmc
2007-08-17 - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked accounts and that's what the code looks for, so make man page and code agree. Pointed out by Roumen Petrov. (Author: Darren Tucker)
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34 (Author: Damien Miller)
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16 (Author: Darren Tucker)
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-03-21 - jmc@cvs.openbsd.org 2007/03/20 15:57:15 (Author: Darren Tucker)
[sshd.8] - let synopsis and description agree for -f - sort FILES - +.Xr ssh-keyscan 1 , from Igor Sobrado
2006-08-30 - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 (Author: Damien Miller)
[sshd.8] Add more detail about what permissions are and aren't accepted for authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 (Author: Damien Miller)
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
2006-07-12 - jmc@cvs.openbsd.org 2006/07/10 16:04:21 (Author: Darren Tucker)
[sshd.8] s/and and/and/
2006-07-10 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51 (Author: Darren Tucker)
[misc.c misc.h sshd.8 sshconnect.c] Add port identifier to known_hosts for non-default ports, based originally on a patch from Devin Nate in bz#910. For any connection using the default port or using a HostKeyAlias the format is unchanged, otherwise the host name or address is enclosed within square brackets in the same format as sshd's ListenAddress. Tested by many, ok markus@.
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 20:31:31 (Author: Damien Miller)
[ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/24 10:39:52 (Author: Damien Miller)
[sshd.8] signpost to PATTERNS section;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 20:05:00 (Author: Damien Miller)
[sshd.8] grammar;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 20:02:17 (Author: Damien Miller)
[sshd.8] sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/19 19:52:10 (Author: Damien Miller)
[sshd.8] move the sshrc stuff out of FILES, and into its own section: FILES is not a good place to document how stuff works;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/16 09:05:34 (Author: Damien Miller)
[sshd.8] sync some of the FILES entries w/ ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/15 16:55:33 (Author: Damien Miller)
[sshd.8] remove ietf draft references; RFC list now maintained in ssh.1;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:27:25 (Author: Damien Miller)
[sshd.8] sort FILES and use a -compact list;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:08:43 (Author: Damien Miller)
[sshd.8] - avoid nasty line split - `*' does not need to be escaped
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 11:02:26 (Author: Damien Miller)
[sshd.8] turn this into an example ssh_known_hosts file; ok djm
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 10:21:25 (Author: Damien Miller)
[sshd.8] small tweaks for the ssh_known_hosts section;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/13 10:16:39 (Author: Damien Miller)
[sshd.8] no need to subsection the authorized_keys examples - instead, convert this to look like an actual file. also use proto 2 keys, and use IETF example addresses;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/12 17:57:19 (Author: Damien Miller)
[sshd.8] sort the list of options permissible w/ authorized_keys; ok djm dtucker
2006-03-15 - jmc@cvs.openbsd.org 2006/02/12 10:52:41 (Author: Damien Miller)
[sshd.8] rework the description of authorized_keys a little;
2006-03-15 - jmc@cvs.openbsd.org 2006/02/09 10:10:47 (Author: Damien Miller)
[sshd.8] - move some text into a CAVEATS section - merge the COMMAND EXECUTION... section into AUTHENTICATION
2006-02-01 - jmc@cvs.openbsd.org 2006/02/01 09:11:41 (Author: Damien Miller)
[sshd.8] small tweak;
2006-02-01 - (djm) OpenBSD CVS Sync (Author: Damien Miller)
- jmc@cvs.openbsd.org 2006/02/01 09:06:50 [sshd.8] - merge sections on protocols 1 and 2 into a single section - remove configuration file section ok markus
2006-01-31 - jmc@cvs.openbsd.org 2006/01/25 09:07:22 (Author: Damien Miller)
[sshd.8] move subsections to full sections;
2006-01-31 - jmc@cvs.openbsd.org 2006/01/25 09:04:34 (Author: Damien Miller)
[sshd.8] move the options description up the page, and a few additional tweaks whilst in here; ok markus
2006-01-14 - jmc@cvs.openbsd.org 2006/01/12 22:20:00 (Author: Damien Miller)
[sshd.8] refer to TCP forwarding, rather than TCP/IP forwarding;
2005-12-24 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 (Author: Damien Miller)
[sshd.8] clarify precedence of -p, Port, ListenAddress; ok and help jmc@
2005-12-13 - reyk@cvs.openbsd.org 2005/12/06 22:38:28 (Author: Damien Miller)
[auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-11-28 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) for UnixWare. (Author: Tim Rice)
2005-10-05 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and senthilkumar_sen at hotpop.com. (Author: Darren Tucker)
2005-06-16 - djm@cvs.openbsd.org 2005/06/08 03:50:00 (Author: Damien Miller)
[ssh-keygen.1 ssh-keygen.c sshd.8] increase default rsa/dsa key length from 1024 to 2048 bits; ok markus@ deraadt@