Age | Commit message (Collapse) | Author |
|
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@
OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
|
|
macdonell
OpenBSD-Commit-ID: ef1bdbc936b2ea693ee37a4c20a94d4d43f5fda3
|
|
OpenBSD-Commit-ID: 2b9c23022ea7b9dddb62864de4e906000f9d7474
|
|
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
|
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
From Jakub Jelen via bz#2826
OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
|
|
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
|
|
clarify IgnoreUserKnownHosts; based on github PR from
Christoph Anton Mitterer.
OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3
|
|
mark up the rdomain keyword;
OpenBSD-Commit-ID: 1b597d0ad0ad20e94dbd61ca066057e6f6313b8a
|
|
simplify macros in previous, and some minor tweaks;
OpenBSD-Commit-ID: 6efeca3d8b095b76e21b484607d9cc67ac9a11ca
|
|
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@
Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
|
|
add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)
ok markus@
Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
|
|
Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.
ListenAddress 0.0.0.0 rdomain 4
Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
|
|
trim permitrootlogin description somewhat, to avoid
ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and
myself
ok sthen schwarze deraadt
Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
|
|
clarify the order in which config statements are used. ok
jmc@ djm@
Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed
|
|
tweak EposeAuthinfo; diff from lars nooden
tweaked by sthen; ok djm dtucker
Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
|
|
remove blank line;
Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
|
|
document available AuthenticationMethods; bz#2453 ok
dtucker@
Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
|
|
Allow IPQoS=none in ssh/sshd to not set an explicit
ToS/DSCP value and just use the operating system default; ok dtucker@
Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
|
|
man pages with pseudo synopses which list filenames end
up creating very ugly output in man -k; after some discussion with ingo, we
feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly
helpful at page top, is contained already in FILES, and there are
sufficiently few that just zapping them is simple;
ok schwarze, who also helpfully ran things through a build to check
output;
Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
|
|
correct env var name
Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313
|
|
spelling;
Upstream-ID: 606f933c8e2d0be902ea663946bc15e3eee40b25
|
|
refactor authentication logging
optionally record successful auth methods and public credentials
used in a file accessible to user sessions
feedback and ok markus@
Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb
|
|
allow LogLevel in sshd_config Match blocks; ok dtucker
bz#2717
Upstream-ID: 662e303be63148f47db1aa78ab81c5c2e732baa8
|
|
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
|
|
Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
|
|
support =- for removing methods from algorithms lists,
e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
it" markus@
Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
|
|
keep the tokens list sorted;
Upstream-ID: b96239dae4fb3aa94146bb381afabcc7740a1638
|
|
Re-add '%k' token for AuthorizedKeysCommand which was
lost during the re-org in rev 1.235. bz#2656, from jboning at gmail.com.
Upstream-ID: 2884e203c02764d7b3fe7472710d9c24bdc73e38
|
|
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
|
|
tidy up the formatting in this file. more specifically,
replace .Dq, which looks appalling, with .Cm, where appropriate;
Upstream-ID: ff8e90aa0343d9bb56f40a535e148607973cc738
|
|
restore pre-auth compression support in the client -- the
previous commit was intended to remove it from the server only.
remove a few server-side pre-auth compression bits that escaped
adjust wording of Compression directive in sshd_config(5)
pointed out by naddy@ ok markus@
Upstream-ID: d23696ed72a228dacd4839dd9f2dec424ba2016b
|
|
organise the token stuff into a separate section; ok
markus for an earlier version of the diff ok/tweaks djm
Upstream-ID: 81a6daa506a4a5af985fce7cf9e59699156527c8
|
|
mention curve25519-sha256 KEX
Upstream-ID: 33ae1f433ce4795ffa6203761fbdf86e0d7ffbaf
|
|
add a way for principals command to get see key ID and serial
too
Upstream-ID: 0d30978bdcf7e8eaeee4eea1b030eb2eb1823fcb
|
|
add %-escapes to AuthorizedPrincipalsCommand to match those
supported for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key; 'looks ok' dtucker@
Upstream-ID: 6b00fd446dbebe67f4e4e146d2e492d650ae04eb
|
|
sort; from matthew martin
Upstream-ID: 73cec7f7ecc82d37a4adffad7745e4684de67ce7
|
|
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
|
|
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples. ok jmc@
Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
|
|
Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.
This makes the IPv6 example consistent with IPv4, and removes a dubious
mention of a 6bone subnet.
ok sthen@ millert@
Upstream-ID: b027f3d0e0073419a132fd1bf002e8089b233634
|
|
tweak previous;
Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
|
|
Allow wildcard for PermitOpen hosts as well as ports.
bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok
markus@
Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
|
|
grammar fix;
Upstream-ID: 5d5b21c80f1e81db367333ce0bb3e5874fb3e463
|
|
ban AuthenticationMethods="" and accept
AuthenticationMethods=any for the default behaviour of not requiring multiple
authentication
bz#2398 from Jakub Jelen; ok dtucker@
Upstream-ID: fabd7f44d59e4518d241d0d01e226435cc23cf27
|
|
allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@
Upstream-ID: 20c508480d8db3eef18942c0fc39b1fcf25652ac
|
|
cidr permitted for {allow,deny}users; from lars nooden ok djm
Upstream-ID: 13e7327fe85f6c63f3f7f069e0fdc8c351515d11
|
|
UseDNS affects ssh hostname processing in authorized_keys,
not known_hosts; bz#2554 reported by jjelen AT redhat.com
Upstream-ID: c1c1bb895dde46095fc6d81d8653703928437591
|
|
rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly
in *KeyTypes options yet. Remove them from the lists of algorithms for now.
committing on behalf of markus@ ok djm@
Upstream-ID: c6e8820eb8e610ac21551832c0c89684a9a51bb7
|
|
since these pages now clearly tell folks to avoid v1,
normalise the docs from a v2 perspective (i.e. stop pointing out which bits
are v2 only);
ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
|
|
Replace list of ciphers and MACs adjacent to -1/-2 flag
descriptions in ssh(1) with a strong recommendation not to use protocol 1.
Add a similar warning to the Protocol option descriptions in ssh_config(5)
and sshd_config(5);
prompted by and ok mmcc@
Upstream-ID: 961f99e5437d50e636feca023978950a232ead5e
|