summaryrefslogtreecommitdiff
path: root/sshd_config.5
AgeCommit message (Collapse)Author
2019-10-09Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2019-10-09Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: debian-banner.patch
2019-10-09Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2018-10-19 Patch-Name: keepalive-extensions.patch
2019-10-09GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2019-10-09 Patch-Name: gssapi.patch
2019-09-08upstream: Allow prepending a list of algorithms to the default setnaddy@openbsd.org
by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-05upstream: Call comma-separated lists as such to clarify semantics.naddy@openbsd.org
Options such as Ciphers take values that may be a list of ciphers; the complete list, not indiviual elements, may be prefixed with a dash or plus character to remove from or append to the default list, respectively. Users might read the current text as if each elment took an optional prefix, so tweak the wording from "values" to "list" to prevent such ambiguity for all options supporting these semantics. Fix instances missed in first commit. ok jmc@ kn@ OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
2019-08-09upstream: Change description of TCPKeepAlive from "inactive" todtucker@openbsd.org
"unresponsive" to clarify what it checks for. Patch from jblaine at kickflop.net via github pr#129, ok djm@. OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9
2019-07-30upstream: Fix typo in CASignatureAlgorithms wherein what should bedtucker@openbsd.org
a comma is a dot. Patch from hnj2 via github pr#141. OpenBSD-Commit-ID: 01f5a460438ff1af09aab483c0a70065309445f0
2019-06-14upstream: deraadt noticed some inconsistency in the way we denotejmc@openbsd.org
the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent (effectively reversing my commit of yesterday); ok deraadt markus djm OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667
2019-05-17upstream: Delete some .Sx macros that were used in a wrong way.schwarze@openbsd.org
Part of a patch from Stephen Gregoratto <dev at sgregoratto dot me>. OpenBSD-Commit-ID: 15501ed13c595f135e7610b1a5d8345ccdb513b7
2019-03-26upstream: full stop in the wrong place;jmc@openbsd.org
OpenBSD-Commit-ID: 478a0567c83553a2aebf95d0f1bd67ac1b1253e4
2019-01-24upstream: Remove duplicate word. bz#2958, patch from jjelen atdtucker@openbsd.org
redhat.com OpenBSD-Commit-ID: cca3965a8333f2b6aae48b79ec1d72f7a830dd2c
2018-09-20upstream: Add sshd_config CASignatureAlgorithms option to allowdjm@openbsd.org
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-20upstream: slightly-clearer description for AuthenticationMethods - thedjm@openbsd.org
lists have comma-separated elements; bz#2663 from Hans Meier OpenBSD-Commit-ID: 931c983d0fde4764d0942fb2c2b5017635993b5a
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSAdjm@openbsd.org
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03upstream: allow sshd_config PermitUserEnvironment to accept adjm@openbsd.org
pattern-list of whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@ OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
2018-06-26upstream: spelling;jmc@openbsd.org
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-19upstream: allow bare port numbers to appear in PermitListen directives,djm@openbsd.org
e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-11upstream: slightly better wording re handing of $TERM, from Jakubdjm@openbsd.org
Jelen via bz2386 OpenBSD-Commit-ID: 14bea3f069a93c8be66a7b97794255a91fece964
2018-06-09upstream: add a SetEnv directive for sshd_config to allow andjm@openbsd.org
administrator to explicitly specify environment variables set in sessions started by sshd. These override the default environment and any variables set by user configuration (PermitUserEnvironment, etc), but not the SSH_* variables set by sshd itself. ok markus@ OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
2018-06-09upstream: add a SetEnv directive to ssh_config that allows settingdjm@openbsd.org
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-09upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-07upstream: man bits for PermitListendjm@openbsd.org
OpenBSD-Commit-ID: 35b200cba4e46a16a4db6a80ef11838ab0fad67c
2018-06-04upstream: add missing punctuation after %i in ssh_config.5, andjmc@openbsd.org
make the grammatical format in sshd_config.5 match that in ssh_config.5; OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
2018-06-04upstream: oops - further adjustment to text neccessary;jmc@openbsd.org
OpenBSD-Commit-ID: 23585576c807743112ab956be0fb3c786bdef025
2018-06-04upstream: %U needs to be escaped; tweak text;jmc@openbsd.org
OpenBSD-Commit-ID: 30887b73ece257273fb619ab6f4e86dc92ddc15e
2018-06-01upstream: make UID available as a %-expansion everywhere that thedjm@openbsd.org
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-05-22upstream: correct keyowrd name (permitemptypasswords); from brendanjmc@openbsd.org
macdonell OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3
2018-04-10upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
2018-04-06upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 forjob@openbsd.org
interactive and CS1 for bulk AF21 was selected as this is the highest priority within the low-latency service class (and it is higher than what we have today). SSH is elastic and time-sensitive data, where a user is waiting for a response via the network in order to continue with a task at hand. As such, these flows should be considered foreground traffic, with delays or drops to such traffic directly impacting user-productivity. For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable networks implementing a scavanger/lower-than-best effort class to discriminate scp(1) below normal activities, such as web surfing. In general this type of bulk SSH traffic is a background activity. An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH is that they are recognisable values on all common platforms (IANA https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and for AF21 specifically a definition of the intended behavior exists https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662 The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate", or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e, MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK"). OK deraadt@, "no objection" djm@ OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-02-16upstream: Mention recent DH KEX methods:djm@openbsd.org
diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 From Jakub Jelen via bz#2826 OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
2018-02-16upstream: stop loading DSA keys by default, remove sshd_configdjm@openbsd.org
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@ OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-10upstream commitdjm@openbsd.org
clarify IgnoreUserKnownHosts; based on github PR from Christoph Anton Mitterer. OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3
2017-10-31upstream commitjmc@openbsd.org@openbsd.org
mark up the rdomain keyword; OpenBSD-Commit-ID: 1b597d0ad0ad20e94dbd61ca066057e6f6313b8a
2017-10-31upstream commitjmc@openbsd.org@openbsd.org
simplify macros in previous, and some minor tweaks; OpenBSD-Commit-ID: 6efeca3d8b095b76e21b484607d9cc67ac9a11ca
2017-10-25upstream commitdjm@openbsd.org
add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which rdomain(4) a connection was recevied on. ok markus@ Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25upstream commitdjm@openbsd.org
add sshd_config RDomain keyword to place sshd and the subsequent user session (including the shell and any TCP/IP forwardings) into the specified rdomain(4) ok markus@ Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
2017-10-25upstream commitdjm@openbsd.org
Add optional rdomain qualifier to sshd_config's ListenAddress option to allow listening on a different rdomain(4), e.g. ListenAddress 0.0.0.0 rdomain 4 Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
2017-10-20upstream commitjmc@openbsd.org
trim permitrootlogin description somewhat, to avoid ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and myself ok sthen schwarze deraadt Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
2017-10-20upstream commitbenno@openbsd.org
clarify the order in which config statements are used. ok jmc@ djm@ Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed
2017-10-01upstream commitjmc@openbsd.org
tweak EposeAuthinfo; diff from lars nooden tweaked by sthen; ok djm dtucker Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
2017-09-04upstream commitjmc@openbsd.org
remove blank line; Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
2017-09-04upstream commitdjm@openbsd.org
document available AuthenticationMethods; bz#2453 ok dtucker@ Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
2017-07-24upstream commitdjm@openbsd.org
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@ Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
2017-07-21upstream commitjmc@openbsd.org
man pages with pseudo synopses which list filenames end up creating very ugly output in man -k; after some discussion with ingo, we feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly helpful at page top, is contained already in FILES, and there are sufficiently few that just zapping them is simple; ok schwarze, who also helpfully ran things through a build to check output; Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
2017-06-24upstream commitdjm@openbsd.org
correct env var name Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
2017-06-24upstream commitjmc@openbsd.org
spelling; Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
2017-06-24upstream commitdjm@openbsd.org
refactor authentication logging optionally record successful auth methods and public credentials used in a file accessible to user sessions feedback and ok markus@ Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb