Age | Commit message (Collapse) | Author |
|
- markus@cvs.openbsd.org 2009/10/08 14:03:41
[sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt
|
|
[sshd_config.5]
Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
|
|
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
|
|
[sshd_config.5]
clarify we cd to user's home after chroot; ok markus@ on
earlier version; tweaks and ok jmc@
|
|
[sshd_config.5]
tweak previous; ok stevesk
|
|
[sshd_config.5]
clarify that even internal-sftp needs /dev/log for logging to work; ok
markus@
|
|
[sshd_config.5]
fix possessive; ok djm@
|
|
[sshd_config.5]
missing period
|
|
[ssh_config.5 sshd_config.5]
don't advertise experimental options
|
|
[ssh_config.5 sshd_config.5]
sync list of preferred ciphers; ok djm@
|
|
[sshd_config.5]
add AllowAgentForwarding to available Match keywords list
ok djm
|
|
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
[readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
[sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
[Makefile.in]
Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.
This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
"just commit it. It isn't too intrusive." deraadt@
|
|
[servconf.c sshd_config.5]
support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@
|
|
[sshd_config sshd_config.5 sshd.8 servconf.c]
increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@
|
|
[servconf.c sshd_config.5]
Allow MaxAuthTries within a Match block. ok djm@
|
|
[sshd_config.5]
MaxSessions is allowed in a Match block too
|
|
[sshd_config.5]
tweak previous;
|
|
[sshd_config.5]
better reference for pattern-list
|
|
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes
addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@
|
|
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
|
|
[sshd_config.5]
sort;
|
|
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
|
|
[sshd_config.5]
HostbasedAuthentication is supported under Match too
|
|
[sshd_config.5]
oops, some unrelated stuff crept into that commit - backout.
spotted by jmc@
|
|
- djm@cvs.openbsd.org 2008/04/04 05:14:38
[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
|
|
[session.c sshd_config.5]
ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
from dtucker@ ok deraadt@ djm@
|
|
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
of a typo in rcs.c;
|
|
[sshd_config.5]
mantion that "internal-sftp" is useful with ForceCommand too
|
|
[sshd_config.5]
missing `)';
|
|
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
|
|
[sshd_config.5 servconf.c]
Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@
|
|
[auth2-none.c sshd_config sshd_config.5]
Support "Banner=none" to disable displaying of the pre-login banner;
ok dtucker@ deraadt@
|
|
[sshd_config.5]
oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;
|
|
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on
one of its underlying hash algorithms is found to be vulnerable to a
new attack. http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
|
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
|
|
- jmc@cvs.openbsd.org 2007/03/01 16:19:33
[sshd_config.5]
sort the `match' keywords;
|
|
[auth2.c sshd_config.5 servconf.c]
Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support. Also, relocate the CR/kbdint option special-case code into
servconf. "please commit" djm@, ok markus@ for the relocation.
|
|
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
|
|
[sshd_config.5]
do not use lists for SYNOPSIS;
from eric s. raymond via brad
|
|
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
[sshd_config.5]
Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
ok jmc@ djm@
|
|
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
|
|
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
|
|
[servconf.c sshd_config.5]
Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
Match. ok djm@
|
|
[sshd_config.5]
Clarify description of Match, with minor correction from jmc@
|
|
[ssh-agent.1 sshd_config.5]
mark up angle brackets;
|
|
[sshd_config.5]
tweak; ok dtucker
|
|
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only two specific host/port pairs. Useful when combined
with Match.
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so to be those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
|
|
[sshd_config.5]
- new sentence, new line
- s/The the/The/
- kill a bad comma
|
|
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
AllowTcpForwarding yes
Match User anoncvs
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
ok djm@
|