summaryrefslogtreecommitdiff
path: root/sshd_config.5
AgeCommit message (Collapse)Author
2009-08-28downgrade mention of login.conf to be an example and mention PAM asDamien Miller
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/21 15:13:17Darren Tucker
[sshd_config.5] clarify we cd to user's home after chroot; ok markus@ on earlier version; tweaks and ok jmc@
2009-06-21 - jmc@cvs.openbsd.org 2009/04/18 18:39:10Darren Tucker
[sshd_config.5] tweak previous; ok stevesk
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17Darren Tucker
[sshd_config.5] clarify that even internal-sftp needs /dev/log for logging to work; ok markus@
2009-06-21 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44Darren Tucker
[sshd_config.5] fix possessive; ok djm@
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:59:25Damien Miller
[sshd_config.5] missing period
2009-02-23 - djm@cvs.openbsd.org 2009/02/22 23:50:57Damien Miller
[ssh_config.5 sshd_config.5] don't advertise experimental options
2009-01-28 - naddy@cvs.openbsd.org 2009/01/24 17:10:22Damien Miller
[ssh_config.5 sshd_config.5] sync list of preferred ciphers; ok djm@
2009-01-28 - okan@cvs.openbsd.org 2008/12/30 00:46:56Damien Miller
[sshd_config.5] add AllowAgentForwarding to available Match keywords list ok djm
2008-11-05 - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
2008-11-03 - djm@cvs.openbsd.org 2008/10/09 03:50:54Damien Miller
[servconf.c sshd_config.5] support setting PermitEmptyPasswords in a Match block requested in PR3891; ok dtucker@
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 02:24:18Darren Tucker
[sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
2008-06-16 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40Damien Miller
[servconf.c sshd_config.5] Allow MaxAuthTries within a Match block. ok djm@
2008-06-16 - dtucker@cvs.openbsd.org 2008/06/15 16:55:38Damien Miller
[sshd_config.5] MaxSessions is allowed in a Match block too
2008-06-10 - jmc@cvs.openbsd.org 2008/06/10 07:12:00Darren Tucker
[sshd_config.5] tweak previous;
2008-06-10 - djm@cvs.openbsd.org 2008/06/10 04:17:46Darren Tucker
[sshd_config.5] better reference for pattern-list
2008-06-10 - (dtucker) OpenBSD CVS SyncDarren Tucker
- djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
2008-05-19 - jmc@cvs.openbsd.org 2008/05/07 08:00:14Damien Miller
[sshd_config.5] sort;
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 05:49:37Damien Miller
[servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
2008-05-19 - djm@cvs.openbsd.org 2008/04/05 02:46:02Damien Miller
[sshd_config.5] HostbasedAuthentication is supported under Match too
2008-05-19 - djm@cvs.openbsd.org 2008/04/04 06:44:26Damien Miller
[sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@
2008-05-19 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2008/04/04 05:14:38 [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk
2008-03-27 - djm@cvs.openbsd.org 2008/03/25 11:58:02Damien Miller
[session.c sshd_config.5] ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; from dtucker@ ok deraadt@ djm@
2008-03-27 - jmc@cvs.openbsd.org 2008/02/11 07:58:28Damien Miller
[ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c;
2008-02-10 - djm@cvs.openbsd.org 2008/02/10 09:55:37Damien Miller
[sshd_config.5] mantion that "internal-sftp" is useful with ForceCommand too
2008-02-10 - jmc@cvs.openbsd.org 2008/02/09 08:04:31Damien Miller
[sshd_config.5] missing `)';
2008-02-10 - djm@cvs.openbsd.org 2008/02/08 23:24:07Damien Miller
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
2008-01-01 - dtucker@cvs.openbsd.org 2008/01/01 09:27:33Darren Tucker
[sshd_config.5 servconf.c] Allow PermitRootLogin in a Match block. Allows for, eg, permitting root only from the local network. ok markus@, man page bit ok jmc@
2007-09-17 - djm@cvs.openbsd.org 2007/08/23 03:22:16Damien Miller
[auth2-none.c sshd_config sshd_config.5] Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@
2007-06-11 - jmc@cvs.openbsd.org 2007/06/08 07:48:09Damien Miller
[sshd_config.5] oops, here too: put the MAC list into a display, like we do for ciphers, since groff has trouble with wide lines;
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-05 - jmc@cvs.openbsd.org 2007/05/31 19:20:16Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-03-06 - OpenBSD CVS SyncDamien Miller
- jmc@cvs.openbsd.org 2007/03/01 16:19:33 [sshd_config.5] sort the `match' keywords;
2007-03-01 - dtucker@cvs.openbsd.org 2007/03/01 10:28:02Darren Tucker
[auth2.c sshd_config.5 servconf.c] Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation.
2007-02-19 - dtucker@cvs.openbsd.org 2007/02/19 10:45:58Darren Tucker
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] Teach Match how handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
2007-01-05 - jmc@cvs.openbsd.org 2007/01/02 09:57:25Damien Miller
[sshd_config.5] do not use lists for SYNOPSIS; from eric s. raymond via brad
2006-08-30 - (djm) OpenBSD CVS SyncDamien Miller
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01 [sshd_config.5] Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, ok jmc@ djm@
2006-08-19 - dtucker@cvs.openbsd.org 2006/08/14 12:40:25Damien Miller
[servconf.c servconf.h sshd_config.5] Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@.
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36Damien Miller
[channels.c channels.h servconf.c servconf.h sshd_config.5] Make PermitOpen take a list of permitted ports and act more like most other keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41Damien Miller
[servconf.c sshd_config.5] Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to Match. ok djm@
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23Damien Miller
[sshd_config.5] Clarify description of Match, with minor correction from jmc@
2006-07-24 - jmc@cvs.openbsd.org 2006/07/18 08:03:09Damien Miller
[ssh-agent.1 sshd_config.5] mark up angle brackets;
2006-07-24 - jmc@cvs.openbsd.org 2006/07/18 07:50:40Damien Miller
[sshd_config.5] tweak; ok dtucker
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/17 12:06:00Damien Miller
[channels.c channels.h servconf.c sshd_config.5] Add PermitOpen directive to sshd_config which is equivalent to the "permitopen" key option. Allows server admin to allow TCP port forwarding only two specific host/port pairs. Useful when combined with Match. If permitopen is used in both sshd_config and a key option, both must allow a given connection before it will be permitted. Note that users can still use external forwarders such as netcat, so to be those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@.
2006-07-24 - jmc@cvs.openbsd.org 2006/07/12 13:39:55Damien Miller
[sshd_config.5] - new sentence, new line - s/The the/The/ - kill a bad comma
2006-07-12 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58Darren Tucker
[sshd.c servconf.h servconf.c sshd_config.5 auth.c] Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@
2006-07-10 - djm@cvs.openbsd.org 2006/07/06 10:47:05Damien Miller
[servconf.c servconf.h session.c sshd_config.5] support arguments to Subsystem commands; ok markus@
2006-07-10 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58Damien Miller
[ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@