Age | Commit message (Collapse) | Author |
|
[sshd_config.5]
mantion that "internal-sftp" is useful with ForceCommand too
|
|
[sshd_config.5]
missing `)';
|
|
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
|
|
[sshd_config.5 servconf.c]
Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@
|
|
[auth2-none.c sshd_config sshd_config.5]
Support "Banner=none" to disable displaying of the pre-login banner;
ok dtucker@ deraadt@
|
|
[sshd_config.5]
oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;
|
|
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
|
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
|
|
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
[sshd_config.5]
sort the `match' keywords;
|
|
[auth2.c sshd_config.5 servconf.c]
Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.
|
|
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
|
|
[sshd_config.5]
do not use lists for SYNOPSIS;
from eric s. raymond via brad
|
|
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
[sshd_config.5]
Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
ok jmc@ djm@
|
|
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
|
|
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
|
|
[servconf.c sshd_config.5]
Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@
|
|
[sshd_config.5]
Clarify description of Match, with minor correction from jmc@
|
|
[ssh-agent.1 sshd_config.5]
mark up angle brackets;
|
|
[sshd_config.5]
tweak; ok dtucker
|
|
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only two specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so to be those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
|
|
[sshd_config.5]
- new sentence, new line
- s/The the/The/
- kill a bad comma
|
|
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
|
[servconf.c servconf.h session.c sshd_config.5]
support arguments to Subsystem commands; ok markus@
|
|
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
more details and clarity for tun(4) device forwarding; ok and help
jmc@
|
|
[ssh_config.5 sshd_config.5]
*AliveCountMax applies to protcol v2 only; ok dtucker, djm
|
|
[misc.c ssh_config.5 sshd_config.5]
Allow config directives to contain whitespace by surrounding them by double
quotes. mindrot #482, man page help from jmc@, ok djm@
|
|
[sshd_config.5]
subsection is pointless here;
|
|
[sshd_config.5]
document the order in which allow/deny directives are processed;
help/ok dtucker
|
|
[sshd_config.5]
oops - bits i missed;
|
|
[sshd_config.5]
some grammar/wording fixes;
|
|
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
more consistency fixes;
|
|
[ssh-keysign.8 ssh_config.5 sshd_config.5]
some consistency fixes;
|
|
[sshd_config.5]
signpost to PATTERNS;
|
|
reality. Pointed out by tryponraj at gmail.com.
|
|
- jmc@cvs.openbsd.org 2006/01/02 17:09:49
[ssh_config.5 sshd_config.5]
some corrections from michael knudsen;
|
|
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
[serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).
ok djm@, man page bits by jmc@
|
|
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
[misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
[serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
[sshconnect.h sshd.8 sshd_config sshd_config.5]
Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.
ok djm@, markus@, jmc@ (manpages), tested and discussed with others
|
|
[sshd_config.5]
aquire -> acquire, from stevesk@
|
|
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@
|
|
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@
|
|
[sshd_config.5]
sort config options, from grunk AT pestilenz.org; ok jmc@
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
[sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
variable, so don't say that we do (bz #623); ok deraadt@
|
|
[sshd_config.5]
typo;
|
|
[auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
[misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
[sshd_config.5]
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote
forwards to bind to client-specified ports.
|
|
keyboard-interactive since this is no longer the case.
|
|
[sshd_config.5]
`login'(n) -> `log in'(v);
|
|
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
bz #898: support AddressFamily in sshd_config. from
peak@argo.troja.mff.cuni.cz; ok deraadt@
|
|
[sshd_config.5]
mention PrintLastLog only prints last login time for interactive
sessions, like PrintMotd mentions.
From Michael Knudsen, with wording changed slightly to match the
PrintMotd description.
ok djm
|
|
[sshd_config.5]
new sentence, new line;
|