summaryrefslogtreecommitdiff
path: root/sshd_config
AgeCommit message (Collapse)Author
2011-05-29OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
2011-05-15 - dtucker@cvs.openbsd.org 2011/05/06 01:03:35Damien Miller
[sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny
2010-09-10 - naddy@cvs.openbsd.org 2010/09/06 17:10:19Damien Miller
[sshd_config] add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@
2009-10-11 - (dtucker) OpenBSD CVS SyncDarren Tucker
- markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
2008-07-02 - djm@cvs.openbsd.org 2008/07/02 02:24:18Darren Tucker
[sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
2008-05-19 - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
2008-05-19 - pyr@cvs.openbsd.org 2008/05/07 06:43:35Damien Miller
[sshd_config] push the sshd_config bits in, spotted by ajacoutot@
2008-02-10 - djm@cvs.openbsd.org 2008/02/08 23:24:07Damien Miller
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
2007-09-17 - djm@cvs.openbsd.org 2007/08/23 03:22:16Damien Miller
[auth2-none.c sshd_config sshd_config.5] Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@
2007-03-21 - djm@cvs.openbsd.org 2007/03/19 01:01:29Darren Tucker
[sshd_config] Disable the legacy SSH protocol 1 for new installations via a configuration override. In the future, we will change the server's default itself so users who need the legacy protocol will need to turn it on explicitly
2006-07-24 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10Damien Miller
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
2006-02-23 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect currentDarren Tucker
reality. Pointed out by tryponraj at gmail.com.
2005-12-13 - reyk@cvs.openbsd.org 2005/12/06 22:38:28Damien Miller
[auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2005-07-26 - markus@cvs.openbsd.org 2005/07/25 11:59:40Damien Miller
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] [sshconnect2.c sshd.c sshd_config sshd_config.5] add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
2005-05-26 - djm@cvs.openbsd.org 2005/05/19 02:40:52Damien Miller
[sshd_config] whitespace nit, from grunk AT pestilenz.org
2005-01-20 - djm@cvs.openbsd.org 2004/12/23 23:11:00Darren Tucker
[servconf.c servconf.h sshd.c sshd_config sshd_config.5] bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz; ok deraadt@
2004-05-24 - dtucker@cvs.openbsd.org 2004/05/23 23:59:53Darren Tucker
[auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
2004-05-23 - (djm) Explain consequences of UsePAM=yes a little better in sshd_config;Damien Miller
ok dtucker@
2003-12-31 - millert@cvs.openbsd.org 2003/12/29 16:39:50Darren Tucker
[sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
2003-12-31 - jakob@cvs.openbsd.org 2003/12/23 16:12:10Darren Tucker
[servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@
2003-11-06 - (djm) Clarify UsePAM consequences a little moreDamien Miller
2003-10-02 - markus@cvs.openbsd.org 2003/09/29 20:19:57Darren Tucker
[servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials
2003-09-25[sshd_config] UsePAM defaults to no.Tim Rice
2003-09-02 - markus@cvs.openbsd.org 2003/08/28 12:54:34Damien Miller
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
2003-08-26 - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
2003-08-13 - markus@cvs.openbsd.org 2003/08/13 08:46:31Darren Tucker
[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others
2003-08-02 - markus@cvs.openbsd.org 2003/07/23 07:42:43Darren Tucker
[sshd_config] remove AFS; itojun@
2003-06-2220030622Darren Tucker
- (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/06/20 05:48:21 [sshd_config] sync some implemented options; ok markus@
2003-06-03 - (djm) OpenBSD CVS SyncDamien Miller
- markus@cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ - (djm) Fix portable-specific uses of verify_reverse_mapping too
2003-05-16clarifyDamien Miller
2003-05-15 - jakob@cvs.openbsd.org 2003/05/15 01:48:10Damien Miller
[readconf.c readconf.h servconf.c servconf.h] always parse kerberos options. ok djm@ markus@ - (djm) Always parse UsePAM
2002-09-27 - (djm) OpenBSD CVS SyncDamien Miller
- markus@cvs.openbsd.org 2002/09/25 11:17:16 [sshd_config] sync LoginGraceTime with default
2002-09-04 - stevesk@cvs.openbsd.org 2002/08/21 19:38:06Damien Miller
[servconf.c sshd.8 sshd_config sshd_config.5] change LoginGraceTime default to 1 minute; ok mouring@ markus@
2002-08-01 - markus@cvs.openbsd.org 2002/07/30 17:03:55Ben Lindstrom
[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5] add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt
2002-06-2720020628Kevin Steves
- (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented options should contain default value. from solar.
2002-06-21 - markus@cvs.openbsd.org 2002/06/20 23:37:12Ben Lindstrom
[sshd_config] add Compression
2002-06-21 - stevesk@cvs.openbsd.org 2002/06/20 20:03:34Ben Lindstrom
[ssh_config sshd_config] refer to config file man page
2002-06-06 - markus@cvs.openbsd.org 2002/05/15 21:56:38Ben Lindstrom
[servconf.c sshd.8 sshd_config] re-enable privsep and disable setuid for post-3.2.2
2002-05-15 - markus@cvs.openbsd.org 2002/05/15 21:02:53Ben Lindstrom
[servconf.c sshd.8 sshd_config] disable privsep and enable setuid for the 3.2.2 release
2002-05-15 - deraadt@cvs.openbsd.org 2002/05/04 02:39:35Ben Lindstrom
[servconf.c sshd.8 sshd_config] enable privsep by default; provos ok (historical)
2002-04-23 - markus@cvs.openbsd.org 2002/04/22 16:16:53Damien Miller
[servconf.c sshd.8 sshd_config] do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@
2002-04-23 - stevesk@cvs.openbsd.org 2002/04/21 16:19:27Damien Miller
[sshd.8 sshd_config] document default AFSTokenPassing no; ok deraadt@
2002-03-22 - markus@cvs.openbsd.org 2002/03/21 20:51:12Ben Lindstrom
[sshd_config] add privsep (off)
2002-02-26 - (bal) Update sshd_config CVSIDBen Lindstrom
2002-02-19 - deraadt@cvs.openbsd.org 2002/02/19 02:50:59Damien Miller
[sshd_config] stategy is not an english word
2002-02-10 - (djm) OpenBSD CVS SyncDamien Miller
- deraadt@cvs.openbsd.org 2002/02/09 17:37:34 [pathnames.h session.c ssh.1 sshd.8 sshd_config ssh-keyscan.1] move ssh config files to /etc/ssh - (djm) Adjust portable Makefile.in tnd ssh-rand-helper.c o match
2002-02-05 - markus@cvs.openbsd.org 2002/01/29 14:32:03Damien Miller
[auth2.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c canohost.c servconf.c servconf.h session.c sshd.8 sshd_config] s/ReverseMappingCheck/VerifyReverseMapping/ and avoid confusion; ok stevesk@
2002-02-05 - stevesk@cvs.openbsd.org 2002/01/27 14:57:46Damien Miller
[channels.c servconf.c servconf.h session.c sshd.8 sshd_config] add X11UseLocalhost; ok markus@
2002-01-30[configure.ac] fix logic on when ssh-rand-helper is installed.Tim Rice
[sshd_config] put back in line that tells what PATH was compiled into sshd.
2002-01-22 - stevesk@cvs.openbsd.org 2002/01/16 17:40:23Damien Miller
[sshd_config] The stategy now used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value. Subsystem is currently the only default option changed. ok markus@