Age | Commit message (Collapse) | Author |
|
[auth2.c sshd_config.5 servconf.c]
Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.
|
|
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
|
|
[sshd_config.5]
do not use lists for SYNOPSIS;
from eric s. raymond via brad
|
|
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
[sshd_config.5]
Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
ok jmc@ djm@
|
|
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
|
|
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
|
|
[servconf.c sshd_config.5]
Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@
|
|
[sshd_config.5]
Clarify description of Match, with minor correction from jmc@
|
|
[ssh-agent.1 sshd_config.5]
mark up angle brackets;
|
|
[sshd_config.5]
tweak; ok dtucker
|
|
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only two specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so to be those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
|
|
[sshd_config.5]
- new sentence, new line
- s/The the/The/
- kill a bad comma
|
|
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|
|
[servconf.c servconf.h session.c sshd_config.5]
support arguments to Subsystem commands; ok markus@
|
|
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
more details and clarity for tun(4) device forwarding; ok and help
jmc@
|
|
[ssh_config.5 sshd_config.5]
*AliveCountMax applies to protcol v2 only; ok dtucker, djm
|
|
[misc.c ssh_config.5 sshd_config.5]
Allow config directives to contain whitespace by surrounding them by double
quotes. mindrot #482, man page help from jmc@, ok djm@
|
|
[sshd_config.5]
subsection is pointless here;
|
|
[sshd_config.5]
document the order in which allow/deny directives are processed;
help/ok dtucker
|
|
[sshd_config.5]
oops - bits i missed;
|
|
[sshd_config.5]
some grammar/wording fixes;
|
|
[ssh.1 ssh_config.5 sshd.8 sshd_config.5]
more consistency fixes;
|
|
[ssh-keysign.8 ssh_config.5 sshd_config.5]
some consistency fixes;
|
|
[sshd_config.5]
signpost to PATTERNS;
|
|
reality. Pointed out by tryponraj at gmail.com.
|
|
- jmc@cvs.openbsd.org 2006/01/02 17:09:49
[ssh_config.5 sshd_config.5]
some corrections from michael knudsen;
|
|
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
[serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).
ok djm@, man page bits by jmc@
|
|
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
[misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
[serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
[sshconnect.h sshd.8 sshd_config sshd_config.5]
Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.
ok djm@, markus@, jmc@ (manpages), tested and discussed with others
|
|
[sshd_config.5]
aquire -> acquire, from stevesk@
|
|
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@
|
|
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@
|
|
[sshd_config.5]
sort config options, from grunk AT pestilenz.org; ok jmc@
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
[sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
variable, so don't say that we do (bz #623); ok deraadt@
|
|
[sshd_config.5]
typo;
|
|
[auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
[misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
[sshd_config.5]
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote
forwards to bind to client-specified ports.
|
|
keyboard-interactive since this is no longer the case.
|
|
[sshd_config.5]
`login'(n) -> `log in'(v);
|
|
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
bz #898: support AddressFamily in sshd_config. from
peak@argo.troja.mff.cuni.cz; ok deraadt@
|
|
[sshd_config.5]
mention PrintLastLog only prints last login time for interactive
sessions, like PrintMotd mentions.
From Michael Knudsen, with wording changed slightly to match the
PrintMotd description.
ok djm
|
|
[sshd_config.5]
new sentence, new line;
|
|
[ssh.1 ssh_config.5 sshd_config.5]
List supported ciphers in man pages, tidy up ssh -c;
"looks fine" jmc@, ok markus@
|
|
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5]
Add MaxAuthTries sshd config option; ok markus@
|
|
UsePAM section. Parts from djm@ and jmc@.
|
|
[sshd_config.5]
remove unnecessary .Pp;
|
|
[ssh_config.5 sshd_config.5]
manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
|
|
[readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
ssh_config.5 sshd_config.5]
bz #815: implement ability to pass specified environment variables from
the client to the server; ok markus@
|
|
from bug #701 (text from jfh at cise.ufl.edu).
|
|
[sshd_config.5]
Document KerberosGetAFSToken; ok markus@
|
|
[sshd_config.5]
remove cruft left over from RhostsAuthentication removal;
ok markus@
|