path: root/sshd_config.5
Age | Commit message | Author
2017-03-29 | Remove ssh_host_dsa_key from HostKey default | Colin Watson
The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
2017-03-29 | Various Debian-specific configuration changes | Colin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
2017-03-29 | Adjust various OpenBSD-specific references in manual pages | Colin Watson
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: openbsd-docs.patch
2017-03-29 | Add DebianBanner server configuration option | Kees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-11-29
Patch-Name: debian-banner.patch
2017-03-29 | Various keepalive extensions | Richard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2016-12-26
Patch-Name: keepalive-extensions.patch
2017-03-29 | GSSAPI key exchange support | Simon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources."
However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2017-01-16
Patch-Name: gssapi.patch
2017-03-15 | upstream commit | djm@openbsd.org
Mark the sshd_config UsePrivilegeSeparation option as deprecated, effectively making privsep mandatory in sandboxing mode. ok markus@ deraadt@ (note: this doesn't remove the !privsep code paths, though that will happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
2017-02-04 | upstream commit | djm@openbsd.org
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671. "I like it" markus@
Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
2017-01-30 | upstream commit | jmc@openbsd.org
keep the tokens list sorted;
Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
2017-01-30 | upstream commit | dtucker@openbsd.org
Re-add '%k' token for AuthorizedKeysCommand which was lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
2016-11-30 | upstream commit | djm@openbsd.org
Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-24 | upstream commit | markus@openbsd.org
allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
2016-10-10 | upstream commit | jmc@openbsd.org
tidy up the formatting in this file. more specifically, replace .Dq, which looks appalling, with .Cm, where appropriate;
Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
2016-09-29 | upstream commit | djm@openbsd.org
restore pre-auth compression support in the client -- the previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped.
adjust wording of Compression directive in sshd_config(5).
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
2016-09-24 | upstream commit | jmc@openbsd.org
organise the token stuff into a separate section; ok markus for an earlier version of the diff. ok/tweaks djm
Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
2016-09-24 | upstream commit | djm@openbsd.org
mention curve25519-sha256 KEX
Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
2016-09-21 | upstream commit | djm@openbsd.org
add a way for principals command to see key ID and serial too
Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
2016-09-14 | upstream commit | djm@openbsd.org
add %-escapes to AuthorizedPrincipalsCommand to match those supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a few more to provide access to the certificate's CA key; 'looks ok' dtucker@
Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
2016-09-12 | upstream commit | jmc@openbsd.org
sort; from matthew martin
Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
2016-08-23 | upstream commit | djm@openbsd.org
remove UseLogin option and support for having /bin/login manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 | upstream commit | naddy@openbsd.org
Catch up with the SSH1 code removal and delete all mention of protocol 1 particularities, key files and formats, command line options, and configuration keywords from the server documentation and examples. ok jmc@
Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-14 | upstream commit | jca@openbsd.org
Use 2001:db8::/32, the official IPv6 subnet for configuration examples. This makes the IPv6 example consistent with IPv4, and removes a dubious mention of a 6bone subnet. ok sthen@ millert@
Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
2016-07-22 | upstream commit | jmc@openbsd.org
tweak previous;
Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
2016-07-22 | upstream commit | dtucker@openbsd.org
Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@
Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
2016-06-24 | upstream commit | jmc@openbsd.org
grammar fix;
Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
2016-06-24 | upstream commit | djm@openbsd.org
ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398 from Jakub Jelen; ok dtucker@
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
2016-05-19 | upstream commit | markus@openbsd.org
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
2016-04-28 | upstream commit | jmc@openbsd.org
cidr permitted for {allow,deny}users; from lars nooden. ok djm
Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
2016-03-18 | upstream commit | djm@openbsd.org
UseDNS affects ssh hostname processing in authorized_keys, not known_hosts; bz#2554 reported by jjelen AT redhat.com
Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
2016-02-18 | upstream commit | djm@openbsd.org
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly in *KeyTypes options yet. Remove them from the lists of algorithms for now. committing on behalf of markus@ ok djm@
Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
2016-02-18 | upstream commit | jmc@openbsd.org
since these pages now clearly tell folks to avoid v1, normalise the docs from a v2 perspective (i.e. stop pointing out which bits are v2 only); ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-17 | upstream commit | djm@openbsd.org
Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in ssh(1) with a strong recommendation not to use protocol 1. Add a similar warning to the Protocol option descriptions in ssh_config(5) and sshd_config(5); prompted by and ok mmcc@
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-11 | upstream commit | djm@openbsd.org
sync crypto algorithm lists in ssh_config(5) and sshd_config(5) with current reality. bz#2527
Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
2016-02-08 | upstream commit | djm@openbsd.org
better description for MaxSessions; bz#2531
Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
2015-11-16 | upstream commit | djm@openbsd.org
Support "none" as an argument for sshd_config ForceCommand and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 ok dtucker@
Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-11-16 | upstream commit | djm@openbsd.org
list a couple more options usable in Match blocks; bz#2489
Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
2015-10-08 | upstream commit | sobrado@openbsd.org
UsePrivilegeSeparation defaults to sandbox now. ok djm@
Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
2015-09-11 | upstream commit | djm@openbsd.org
more clarity on what AuthorizedKeysFile=none does; based on diff by Thiebaud Weksteen
Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-08-19 | upstream commit | jmc@openbsd.org
match myproposal.h order; from brian conway (i snuck in a tweak while here). ok dtucker
Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
2015-08-11 | upstream commit | deraadt@openbsd.org
add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled). from djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-02 | upstream commit | deraadt@openbsd.org
change default: PermitRootLogin without-password. matching install script changes coming as well. ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-07-30 | upstream commit | djm@openbsd.org
Allow ssh_config and sshd_config kex parameter options to be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-20 | upstream commit | djm@openbsd.org
mention that the default of UseDNS=no implies that hostnames cannot be used for host matching in sshd_config and authorized_keys; bz#2045, ok dtucker@
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
2015-07-15 | upstream commit | markus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15 | upstream commit | djm@openbsd.org
refuse to generate or accept RSA keys smaller than 1024 bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-06-05 | upstream commit | djm@openbsd.org
typo: accidental repetition; bz#2386
Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
2015-05-22 | upstream commit | djm@openbsd.org
add knob to relax GSSAPI host credential check for multihomed hosts. bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-21 | upstream commit | djm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases. feedback and ok markus@
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21 | upstream commit | djm@openbsd.org
support arguments to AuthorizedKeysCommand. bz#2081, loosely based on patch by Sami Hartikainen. feedback and ok markus@
Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-04-29 | upstream commit | dtucker@openbsd.org
Allow ListenAddress, Port and AddressFamily in any order. bz#68, ok djm@, jmc@ (for the man page bit).