summaryrefslogtreecommitdiff
path: root/sshd_config.5
AgeCommit message (Collapse)Author
2016-04-28upstream commitjmc@openbsd.org
cidr permitted for {allow,deny}users; from lars nooden ok djm Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
2016-03-18upstream commitdjm@openbsd.org
UseDNS affects ssh hostname processing in authorized_keys, not known_hosts; bz#2554 reported by jjelen AT redhat.com Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
2016-02-18upstream commitdjm@openbsd.org
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly in *KeyTypes options yet. Remove them from the lists of algorithms for now. committing on behalf of markus@ ok djm@ Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
2016-02-18upstream commitjmc@openbsd.org
since these pages now clearly tell folks to avoid v1, normalise the docs from a v2 perspective (i.e. stop pointing out which bits are v2 only); ok/tweaks djm ok markus Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-17upstream commitdjm@openbsd.org
Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in ssh(1) with a strong recommendation not to use protocol 1. Add a similar warning to the Protocol option descriptions in ssh_config(5) and sshd_config(5); prompted by and ok mmcc@ Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
2016-02-11upstream commitdjm@openbsd.org
sync crypto algorithm lists in ssh_config(5) and sshd_config(5) with current reality. bz#2527 Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
2016-02-08upstream commitdjm@openbsd.org
better description for MaxSessions; bz#2531 Upstream-ID: e2c0d74ee185cd1a3e9d4ca1f1b939b745b354da
2015-11-16upstream commitdjm@openbsd.org
Support "none" as an argument for sshd_config ForceCommand and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 ok dtucker@ Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
2015-11-16upstream commitdjm@openbsd.org
list a couple more options usable in Match blocks; bz#2489 Upstream-ID: e4d03f39d254db4c0cc54101921bb89fbda19879
2015-10-08upstream commitsobrado@openbsd.org
UsePrivilegeSeparation defaults to sandbox now. ok djm@ Upstream-ID: bff136c38bcae89df82e044d2f42de21e1ad914f
2015-09-11upstream commitdjm@openbsd.org
more clarity on what AuthorizedKeysFile=none does; based on diff by Thiebaud Weksteen Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-08-19upstream commitjmc@openbsd.org
match myproposal.h order; from brian conway (i snuck in a tweak while here) ok dtucker Upstream-ID: 35174a19b5237ea36aa3798f042bf5933b772c67
2015-08-11upstream commitderaadt@openbsd.org
add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
2015-08-02upstream commitderaadt@openbsd.org
change default: PermitRootLogin without-password matching install script changes coming as well ok djm markus Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
2015-07-30upstream commitdjm@openbsd.org
Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
2015-07-20upstream commitdjm@openbsd.org
mention that the default of UseDNS=no implies that hostnames cannot be used for host matching in sshd_config and authorized_keys; bz#2045, ok dtucker@ Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
2015-07-15upstream commitmarkus@openbsd.org
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
2015-07-15upstream commitdjm@openbsd.org
refuse to generate or accept RSA keys smaller than 1024 bits; feedback and ok dtucker@ Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-06-05upstream commitdjm@openbsd.org
typo: accidental repetition; bz#2386 Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
2015-05-22upstream commitdjm@openbsd.org
add knob to relax GSSAPI host credential check for multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD) Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
2015-05-21upstream commitdjm@openbsd.org
add AuthorizedPrincipalsCommand that allows getting authorized_principals from a subprocess rather than a file, which is quite useful in deployments with large userbases feedback and ok markus@ Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
2015-05-21upstream commitdjm@openbsd.org
support arguments to AuthorizedKeysCommand bz#2081 loosely based on patch by Sami Hartikainen feedback and ok markus@ Upstream-ID: b080387a14aa67dddd8ece67c00f268d626541f7
2015-04-29upstream commitdtucker@openbsd.org
Allow ListenAddress, Port and AddressFamily in any order. bz#68, ok djm@, jmc@ (for the man page bit).
2015-04-29upstream commitjmc@openbsd.org
enviroment -> environment: apologies to darren for not spotting that first time round...
2015-04-29upstream commitdtucker@openbsd.org
Fix typo in previous
2015-04-29upstream commitdtucker@openbsd.org
Document that the TERM environment variable is not subject to SendEnv and AcceptEnv. bz#2386, based loosely on a patch from jjelen at redhat, help and ok jmc@
2015-04-29upstream commitdjm@openbsd.org
Make sshd default to PermitRootLogin=no; ok deraadt@ rpe@
2015-04-29upstream commitdtucker@openbsd.org
Document "none" for PidFile XAuthLocation TrustedUserCAKeys and RevokedKeys. bz#2382, feedback from jmc@, ok djm@
2015-02-22upstream commitdjm@openbsd.org
sort options useable under Match case-insensitively; prodded jmc@
2015-02-21upstream commitdjm@openbsd.org
more options that are available under Match; bz#2353 reported by calestyo AT scientia.net
2015-02-03upstream commitderaadt@openbsd.org
increasing encounters with difficult DNS setups in darknets has convinced me UseDNS off by default is better ok djm
2015-01-26upstream commitjmc@openbsd.org
heirarchy -> hierarchy;
2015-01-26upstream commitderaadt@openbsd.org
Provide a warning about chroot misuses (which sadly, seem to have become quite popular because shiny). sshd cannot detect/manage/do anything about these cases, best we can do is warn in the right spot in the man page. ok markus
2015-01-13upstream commitdjm@openbsd.org
add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
2014-12-22upstream commitdjm@openbsd.org
mention ssh -Q feature to list supported { MAC, cipher, KEX, key } algorithms in more places and include the query string used to list the relevant information; bz#2288
2014-12-22upstream commitjmc@openbsd.org
tweak previous;
2014-12-22upstream commitdjm@openbsd.org
correct description of what will happen when a AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser is not (sshd will refuse to start)
2014-12-22upstream commitdjm@openbsd.org
remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys. ok markus@
2014-12-22upstream commitjmc@openbsd.org
tweak previous;
2014-12-22upstream commitdjm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-12-18upstream commitdjm@openbsd.org
revert chunk I didn't mean to commit yet; via jmc@
2014-12-11upstream commitdjm@openbsd.org
mention AuthorizedKeysCommandUser must be set for AuthorizedKeysCommand to be run; bz#2287
2014-11-24upstream commitjmc@openbsd.org
restore word zapped in previous, and remove some useless "No" macros;
2014-11-24upstream commitderaadt@openbsd.org
/dev/random has created the same effect as /dev/arandom (and /dev/urandom) for quite some time. Mop up the last few, by using /dev/random where we actually want it, or not even mentioning arandom where it is irrelevant.
2014-10-13upstream commitdjm@openbsd.org
mention permissions on tun(4) devices in PermitTunnel documentation; bz#2273
2014-10-13upstream commitsobrado@openbsd.org
typo.
2014-10-03 - (djm) [sshd_config.5] typo; from Iain MorganDamien Miller
2014-07-30 - schwarze@cvs.openbsd.org 2014/07/28 15:40:08Damien Miller
[sftp-server.8 sshd_config.5] some systems no longer need /dev/log; issue noticed by jirib; ok deraadt
2014-07-18 - millert@cvs.openbsd.org 2014/07/15 15:54:14Damien Miller
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
2014-07-04 - djm@cvs.openbsd.org 2014/07/03 22:40:43Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config.5] Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160; ok markus@