summaryrefslogtreecommitdiff
path: root/sshd_config.5
AgeCommit message (Collapse)Author
2011-06-23 - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller
[servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
2011-05-29 - jmc@cvs.openbsd.org 2011/05/23 07:10:21Damien Miller
[sshd.8 sshd_config.5] tweak previous; ok djm
2011-05-29OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
2010-12-26 - djm@cvs.openbsd.org 2010/12/08 04:02:47Damien Miller
[ssh_config.5 sshd_config.5] explain that IPQoS arguments are separated by whitespace; iirc requested by jmc@ a while back
2010-11-20 - jmc@cvs.openbsd.org 2010/11/18 15:01:00Damien Miller
[scp.1 sftp.1 ssh.1 sshd_config.5] add IPQoS to the various -o lists, and zap some trailing whitespace;
2010-11-20 - djm@cvs.openbsd.org 2010/11/13 23:27:51Damien Miller
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-05 - jmc@cvs.openbsd.org 2010/10/28 18:33:28Damien Miller
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5] knock out some "-*- nroff -*-" lines;
2010-09-24 - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
2010-07-02 - jmc@cvs.openbsd.org 2010/06/30 07:28:34Damien Miller
[sshd_config.5] tweak previous;
2010-07-02 - djm@cvs.openbsd.org 2010/06/29 23:16:46Damien Miller
[auth2-pubkey.c sshd_config.5] allow key options (command="..." and friends) in AuthorizedPrincipals; ok markus@
2010-06-26 - djm@cvs.openbsd.org 2010/06/22 04:22:59Damien Miller
[servconf.c sshd_config.5] expose some more sshd_config options inside Match blocks: AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-05-10 - jmc@cvs.openbsd.org 2010/05/07 12:49:17Damien Miller
[sshd_config.5] tweak previous;
2010-05-10 - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:17:25Damien Miller
[sshd_config.5] missing word; spotted by jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 12:51:25Damien Miller
[ssh.1 sshd_config.5] tweak previous;
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-01-10 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
2010-01-08 - jmc@cvs.openbsd.org 2009/12/29 18:03:32Darren Tucker
[sshd_config.5 ssh_config.5] sort previous;
2010-01-08 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41Darren Tucker
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] Rename RDomain config option to RoutingDomain to be more clear and consistent with other options. NOTE: if you currently use RDomain in the ssh client or server config, or ssh/sshd -o, you must update to use RoutingDomain. ok markus@ djm@
2010-01-08 - guenther@cvs.openbsd.org 2009/12/20 07:28:36Darren Tucker
[ssh.c sftp.c scp.c] When passing user-controlled options with arguments to other programs, pass the option and option argument as separate argv entries and not smashed into one (e.g., as -l foo and not -lfoo). Also, always pass a "--" argument to stop option parsing, so that a positional argument that starts with a '-' isn't treated as an option. This fixes some error cases as well as the handling of hostnames and filenames that start with a '-'. Based on a diff by halex@ ok halex@ djm@ deraadt@
2010-01-08 - djm@cvs.openbsd.org 2009/11/10 02:58:56Darren Tucker
[sshd_config.5] clarify that StrictModes does not apply to ChrootDirectory. Permissions and ownership are always checked when chrooting. bz#1532
2010-01-08 - jmc@cvs.openbsd.org 2009/10/28 21:45:08Darren Tucker
[sshd_config.5 sftp.1] tweak previous;
2010-01-08 - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
2009-10-11 - jmc@cvs.openbsd.org 2009/10/08 20:42:12Darren Tucker
[sshd_config.5 ssh_config.5 sshd.8 ssh.1] some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2009-10-07 - dtucker@cvs.openbsd.org 2009/08/16 23:29:26Darren Tucker
[sshd_config.5] Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
2009-08-28downgrade mention of login.conf to be an example and mention PAM asDamien Miller
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/21 15:13:17Darren Tucker
[sshd_config.5] clarify we cd to user's home after chroot; ok markus@ on earlier version; tweaks and ok jmc@
2009-06-21 - jmc@cvs.openbsd.org 2009/04/18 18:39:10Darren Tucker
[sshd_config.5] tweak previous; ok stevesk
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17Darren Tucker
[sshd_config.5] clarify that even internal-sftp needs /dev/log for logging to work; ok markus@
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44Darren Tucker
[sshd_config.5] fix possessive; ok djm@
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:59:25Damien Miller
[sshd_config.5] missing period
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:50:57Damien Miller
[ssh_config.5 sshd_config.5] don't advertise experimental options
2009-01-28 - naddy@cvs.openbsd.org 2009/01/24 17:10:22Damien Miller
[ssh_config.5 sshd_config.5] sync list of preferred ciphers; ok djm@
2009-01-28 - okan@cvs.openbsd.org 2008/12/30 00:46:56Damien Miller
[sshd_config.5] add AllowAgentForwarding to available Match keywords list ok djm
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-11-03 - djm@cvs.openbsd.org 2008/10/09 03:50:54Damien Miller
[servconf.c sshd_config.5] support setting PermitEmptyPasswords in a Match block requested in PR3891; ok dtucker@
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 02:24:18Darren Tucker
[sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
2008-06-16 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40Damien Miller
[servconf.c sshd_config.5] Allow MaxAuthTries within a Match block. ok djm@
2008-06-16 - dtucker@cvs.openbsd.org 2008/06/15 16:55:38Damien Miller
[sshd_config.5] MaxSessions is allowed in a Match block too
2008-06-10 - jmc@cvs.openbsd.org 2008/06/10 07:12:00Darren Tucker
[sshd_config.5] tweak previous;
2008-06-10 - djm@cvs.openbsd.org 2008/06/10 04:17:46Darren Tucker
[sshd_config.5] better reference for pattern-list
2008-06-10 - (dtucker) OpenBSD CVS SyncDarren Tucker
- djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
2008-05-19 - jmc@cvs.openbsd.org 2008/05/07 08:00:14Damien Miller
[sshd_config.5] sort;
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 05:49:37Damien Miller
[servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/05 02:46:02Damien Miller
[sshd_config.5] HostbasedAuthentication is supported under Match too
2008-05-19 - djm@cvs.openbsd.org 2008/04/04 06:44:26Damien Miller
[sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@