From 46bc075474211c711b102f6278783bb68d7530a8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 May 2004 22:11:30 +1000 Subject: - djm@cvs.openbsd.org 2004/04/27 09:46:37 [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c ssh_config.5 sshd_config.5] bz #815: implement ability to pass specified environment variables from the client to the server; ok markus@ --- sshd_config.5 | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index e15a225f2..b702e5ad4 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.30 2004/04/27 09:46:37 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,6 +61,29 @@ The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds +.It Cm AcceptEnv +Specifies what environment variables sent by the client will be copied into +the session's +.Xr environ 7 . +See +.Cm SendEnv +in +.Xr ssh_config 5 +for how to configure the client. +Note that environment passingis only supported for protocol 2. +Variables are specified by name, which may contain the wildcard characters +.Ql \&* +and +.Ql \&? . +Multiple environment variables may be seperated by whitespace or spread +across multiple +.Cm AcceptEnv +directives. +Be warned that some enviornment variables could be used to bypass restricted +user environments. +For this reason, care should be taken in the use of this directive. +The default is not to accept any environment variables. +.Pp .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. -- cgit v1.2.3 
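Review bot: The new AcceptEnv text in the sshd_config.5 hunk has three spelling errors that will ship in the rendered man page: "environment passingis" (missing space), "seperated" and "enviornment". Fix them in this commit rather than in a follow-up.

Review bot: The warning "some environment variables could be used to bypass restricted user environments" in the sshd_config.5 hunk would be more useful if it tied the risk to the wildcard syntax introduced just above it: since names may contain "*" and "?", a pattern such as "AcceptEnv *" accepts every variable the client chooses to send, so recommend listing variables explicitly and naming the specific ones that are needed.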
From 1e0c9bf9fb22054f8815c6e6f6e6bc9aec94758b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 May 2004 22:12:48 +1000 Subject: - djm@cvs.openbsd.org 2004/04/28 05:17:10 [ssh_config.5 sshd_config.5] manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu) --- ChangeLog | 5 ++++- ssh_config.5 | 8 ++++---- sshd_config.5 | 8 ++++---- 3 files changed, 12 insertions(+), 9 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 52c9eabdd..f8430f083 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ ssh_config.5 sshd_config.5] bz #815: implement ability to pass specified environment variables from the client to the server; ok markus@ + - djm@cvs.openbsd.org 2004/04/28 05:17:10 + [ssh_config.5 sshd_config.5] + manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu) 20040423 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno @@ -1050,4 +1053,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3334 2004/05/02 12:11:30 dtucker Exp $ +$Id: ChangeLog,v 1.3335 2004/05/02 12:12:48 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index fbe8c657d..5915c98d0 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.32 2004/04/27 09:46:37 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.33 2004/04/28 05:17:10 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -575,8 +575,8 @@ Specifies what variables from the local .Xr environ 7 should be sent to the server. Note that environment passing is only supported for protocol 2, the -server must also support it and must be configured to accept these -enviornment variables. +server must also support it, and the server must be configured to +accept these environment variables. Refer to .Cm AcceptEnv in @@ -586,7 +586,7 @@ Variables are specified by name, which may contain the wildcard characters .Ql \&* and .Ql \&? . -Multiple environment variables may be seperated by whitespace or spread +Multiple environment variables may be separated by whitespace or spread across multiple .Cm SendEnv directives. diff --git a/sshd_config.5 b/sshd_config.5 index b702e5ad4..2ac0a5ff3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.30 2004/04/27 09:46:37 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.31 2004/04/28 05:17:10 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -70,16 +70,16 @@ See in .Xr ssh_config 5 for how to configure the client. -Note that environment passingis only supported for protocol 2. +Note that environment passing is only supported for protocol 2. Variables are specified by name, which may contain the wildcard characters .Ql \&* and .Ql \&? . -Multiple environment variables may be seperated by whitespace or spread +Multiple environment variables may be separated by whitespace or spread across multiple .Cm AcceptEnv directives. -Be warned that some enviornment variables could be used to bypass restricted +Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables. -- cgit v1.2.3 
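Review bot: The ssh_config.5 hunk still leaves a comma splice: "environment passing is only supported for protocol 2, the server must also support it, and the server must be configured to accept these environment variables." Split it into two sentences on separate lines ("Note that environment passing is only supported for protocol 2." / "The server must also support it and be configured to accept these environment variables."), which also follows the new-sentence, new-line convention used elsewhere in the page.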
From b2a601cc99f26f26f6854f542d87915537a60a35 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 2 May 2004 22:13:20 +1000 Subject: - jmc@cvs.openbsd.org 2004/04/28 07:02:56 [sshd_config.5] remove unnecessary .Pp; --- ChangeLog | 5 ++++- sshd_config.5 | 9 +-------- 2 files changed, 5 insertions(+), 9 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index f8430f083..c8e416ca2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - djm@cvs.openbsd.org 2004/04/28 05:17:10 [ssh_config.5 sshd_config.5] manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu) + - jmc@cvs.openbsd.org 2004/04/28 07:02:56 + [sshd_config.5] + remove unnecessary .Pp; 20040423 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno @@ -1053,4 +1056,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3335 2004/05/02 12:12:48 dtucker Exp $ +$Id: ChangeLog,v 1.3336 2004/05/02 12:13:20 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 2ac0a5ff3..f8aa0f2f3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.31 2004/04/28 05:17:10 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -83,7 +83,6 @@ Be warned that some environment variables could be used to bypass restricted user environments. For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables. -.Pp .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. 
@@ -96,7 +95,6 @@ can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -.Pp .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is @@ -104,7 +102,6 @@ The default is Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. -.Pp .It Cm AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. @@ -120,7 +117,6 @@ By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. -.Pp .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. @@ -143,7 +139,6 @@ The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. -.Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. All authentication styles from @@ -155,7 +150,6 @@ The default is Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The default is -.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' @@ -216,7 +210,6 @@ can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. -.Pp .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. -- cgit v1.2.3 From 1dcff9a3a8891db8d7fce77e43e675ce60e0fe44 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 13 May 2004 16:51:40 +1000 Subject: - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to UsePAM section. Parts from djm@ and jmc@. --- ChangeLog | 4 +++- sshd_config.5 | 25 +++++++++++++++++++------ 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 7ccb6f241..7defe636c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,8 @@ - dtucker@cvs.openbsd.org 2004/05/13 02:47:50 [ssh-agent.1] Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@ + - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to + UsePAM section. Parts from djm@ and jmc@. 20040502 - (dtucker) OpenBSD CVS Sync @@ -1110,4 +1112,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3351 2004/05/13 06:45:46 dtucker Exp $ +$Id: ChangeLog,v 1.3352 2004/05/13 06:51:40 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index f8aa0f2f3..05558c569 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -624,12 +624,25 @@ If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. .It Cm UsePAM -Enables PAM authentication (via challenge-response) and session set up. -If you enable this, you should probably disable -.Cm PasswordAuthentication . -If you enable -.CM UsePAM -then you will not be able to run sshd as a non-root user. The default is +Enables the Pluggable Authentication Module interface. +If set to +.Dq yes +this will enable PAM authentication using +.Cm ChallengeResponseAuthentication +and PAM account and session module processing for all authentication types. +.Pp +Because PAM challenge-response authentication usually serves an equivalent +role to password authentication, you should disable either +.Cm PasswordAuthentication +or +.Cm ChallengeResponseAuthentication. +.Pp +If +.Cm UsePAM +is enabled, you will not be able to run +.Xr sshd 8 +as a non-root user. +The default is .Dq no . .It Cm UsePrivilegeSeparation Specifies whether -- cgit v1.2.3 From 89413dbafa5a5f237ba1040b74e6437b8b1ff1e0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 24 May 2004 10:36:23 +1000 Subject: - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@ --- ChangeLog | 5 ++++- auth.c | 4 ++-- auth.h | 4 +--- auth1.c | 4 ++-- auth2.c | 4 ++-- servconf.c | 13 +++++++++++-- servconf.h | 4 +++- sshd_config | 3 ++- sshd_config.5 | 6 +++++- 9 files changed, 32 insertions(+), 15 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index ff05bc462..9ce0adb09 100644 --- a/ChangeLog +++ b/ChangeLog 
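Review bot: The ChangeLog hunk records the change as "[sshd.8]", but the only file modified by this commit is sshd_config.5; correct the entry to "[sshd_config.5]" so the log matches the diff.

Review bot: In the sshd_config.5 UsePAM hunk the line ".Cm ChallengeResponseAuthentication." attaches the full stop to the macro argument, so mdoc will treat it as part of the keyword rather than as trailing punctuation. Write it as ".Cm ChallengeResponseAuthentication ." (punctuation as a separate argument), matching ".Dq no ." a few lines below. While here, the paragraph tells the reader to disable either PasswordAuthentication or ChallengeResponseAuthentication without saying which one is normally the right choice; since the bug being fixed (#843) is about PasswordAuthentication, state that preference explicitly.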
@@ -21,6 +21,9 @@ - jmc@cvs.openbsd.org 2004/05/22 16:01:05 [ssh.1] kill whitespace at eol; + - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 + [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] + Add MaxAuthTries sshd config option; ok markus@ 20040523 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in @@ -1150,4 +1153,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3364 2004/05/24 00:35:14 dtucker Exp $ +$Id: ChangeLog,v 1.3365 2004/05/24 00:36:23 dtucker Exp $ diff --git a/auth.c b/auth.c index 4f93ce5ae..ef3cdba3c 100644 --- a/auth.c +++ b/auth.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.53 2004/05/11 19:01:43 deraadt Exp $"); +RCSID("$OpenBSD: auth.c,v 1.54 2004/05/23 23:59:53 dtucker Exp $"); #ifdef HAVE_LOGIN_H #include @@ -242,7 +242,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) /* Raise logging level */ if (authenticated == 1 || !authctxt->valid || - authctxt->failures >= AUTH_FAIL_LOG || + authctxt->failures >= options.max_authtries / 2 || strcmp(method, "password") == 0) authlog = logit; diff --git a/auth.h b/auth.h index 3a7d222ef..2f094403d 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -181,8 +181,6 @@ void auth_debug_reset(void); struct passwd *fakepw(void); -#define AUTH_FAIL_MAX 6 -#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #define SKEY_PROMPT "\nS/Key Password: " diff --git a/auth1.c b/auth1.c index 376007a05..471f27172 100644 --- a/auth1.c +++ b/auth1.c 
@@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.56 2004/05/09 01:19:27 djm Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.57 2004/05/23 23:59:53 dtucker Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -261,7 +261,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > options.max_authtries) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); packet_start(SSH_SMSG_FAILURE); diff --git a/auth2.c b/auth2.c index 1177efa73..e4a3cded9 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -243,7 +243,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > options.max_authtries) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); diff --git a/servconf.c b/servconf.c index 467ad64e8..ef8651651 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.133 2004/05/23 23:59:53 dtucker Exp $"); #include "ssh.h" #include "log.h" @@ -94,6 +94,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_begin = -1; options->max_startups_rate = -1; options->max_startups = -1; + options->max_authtries = -1; options->banner = NULL; options->use_dns = -1; options->client_alive_interval = -1; 
@@ -212,6 +213,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_rate = 100; /* 100% */ if (options->max_startups_begin == -1) options->max_startups_begin = options->max_startups; + if (options->max_authtries == -1) + options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->use_dns == -1) options->use_dns = 1; if (options->client_alive_interval == -1) @@ -262,7 +265,8 @@ typedef enum { sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, - sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -357,6 +361,7 @@ static struct { { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, + { "maxauthtries", sMaxAuthTries }, { "banner", sBanner }, { "usedns", sUseDNS }, { "verifyreversemapping", sDeprecated }, @@ -869,6 +874,10 @@ parse_flag: options->max_startups = options->max_startups_begin; break; + case sMaxAuthTries: + intptr = &options->max_authtries; + goto parse_int; + case sBanner: charptr = &options->banner; goto parse_filename; diff --git a/servconf.h b/servconf.h index 1c6296acc..36d2e5ca6 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.68 2004/04/27 09:46:37 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.69 2004/05/23 23:59:53 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -33,6 +33,7 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ typedef struct { u_int num_ports; 
@@ -114,6 +115,7 @@ typedef struct { int max_startups_begin; int max_startups_rate; int max_startups; + int max_authtries; char *banner; /* SSH-2 banner message */ int use_dns; int client_alive_interval; /* diff --git a/sshd_config b/sshd_config index 2b8d9f695..65e6f1c32 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ +# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -35,6 +35,7 @@ #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes +#MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 index 05558c569..8edaf030c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.32 2004/04/28 07:02:56 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -402,6 +402,10 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm MaxAuthTries +Specifies the maximum number of authentication attempts permitted per +connection. Once the number of failures reaches half this value, additional +failures are logged. The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm sshd -- cgit v1.2.3 From 05202ffe214115afa24bf6e7a6d8c8457e6759bb Mon Sep 17 00:00:00 2001 
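Review bot: The auth1.c and auth2.c hunks keep the post-increment comparison "authctxt->failures++ > options.max_authtries", which compares the value before the increment. With the default of 6 that tolerates seven failed attempts and disconnects on the eighth, while the new sshd_config.5 text describes MaxAuthTries as "the maximum number of authentication attempts permitted per connection" with "The default is 6". Either change both sites to "++authctxt->failures >= options.max_authtries" so the limit means what the page says, or document the real behaviour; the mismatch was latent with the old AUTH_FAIL_MAX constant but is now user-visible.

Review bot: The servconf.c "case sMaxAuthTries" hunk jumps to parse_int with no range check. Unless parse_int rejects non-positive values (not visible in this diff), "MaxAuthTries 0" or a negative value makes "failures++ > options.max_authtries" true on the first failure, and the auth.c logging threshold "options.max_authtries / 2" becomes 0 or negative; reject values below 1 with a configuration error at parse time.

Review bot: The sshd_config.5 hunk puts three sentences on a single input line ("connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6."); the rest of this page uses one sentence per line, so break them up. It would also help to say that "half this value" is rounded down, since auth.c computes it with integer division.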
From: Damien Miller Date: Tue, 15 Jun 2004 10:30:39 +1000 Subject: - dtucker@cvs.openbsd.org 2004/06/13 14:01:42 [ssh.1 ssh_config.5 sshd_config.5] List supported ciphers in man pages, tidy up ssh -c; "looks fine" jmc@, ok markus@ --- ChangeLog | 6 +++++- ssh.1 | 51 +++++++++++++++++++++++++++++++++++++-------------- ssh_config.5 | 14 +++++++++++++- sshd_config.5 | 14 +++++++++++++- 4 files changed, 68 insertions(+), 17 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 1d2563ba8..3edf2d19b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ [ssh-keyscan.c sshconnect2.c sshd.c] implement diffie-hellman-group14-sha1 kex method (trivial extension to existing diffie-hellman-group1-sha1); ok markus@ + - dtucker@cvs.openbsd.org 2004/06/13 14:01:42 + [ssh.1 ssh_config.5 sshd_config.5] + List supported ciphers in man pages, tidy up ssh -c; + "looks fine" jmc@, ok markus@ 20040603 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions. @@ -1204,4 +1208,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3380 2004/06/15 00:30:09 djm Exp $ +$Id: ChangeLog,v 1.3381 2004/06/15 00:30:39 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 203e8f288..6cef0851d 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.188 2004/05/22 16:01:05 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.189 2004/06/13 14:01:42 dtucker Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -241,8 +241,8 @@ Additionally, supports hostbased or challenge response authentication. .Pp Protocol 2 provides additional mechanisms for confidentiality -(the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) -and integrity (hmac-md5, hmac-sha1). +(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) +and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Ss Login session and remote execution @@ -449,13 +449,18 @@ The default value can be set on a host-by-host basis in the configuration files; see the .Cm Compression option. -.It Fl c Ar blowfish | 3des | des -Selects the cipher to use for encrypting the session. -.Ar 3des -is used by default. -It is believed to be secure. +.It Fl c Ar cipher_spec +Selects the cipher specification for encrypting the session. +.Pp +Protocol version 1 allows specification of a single cipher. +The suported values are +.Dq 3des , +.Dq blowfish +and +.Dq des . .Ar 3des (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. +It is believed to be secure. .Ar blowfish is a fast block cipher; it appears very secure and is much faster than .Ar 3des . 
@@ -467,12 +472,30 @@ that do not support the .Ar 3des cipher. Its use is strongly discouraged due to cryptographic weaknesses. -.It Fl c Ar cipher_spec -Additionally, for protocol version 2 a comma-separated list of ciphers can -be specified in order of preference. -See -.Cm Ciphers -for more information. +The default is +.Dq 3des . +.Pp +For protocol version 2 +.Ar cipher_spec +is a comma-separated list of ciphers +listed in order of preference. +The supported ciphers are +.Dq 3des-cbc , +.Dq aes128-cbc , +.Dq aes192-cbc , +.Dq aes256-cbc , +.Dq aes128-ctr , +.Dq aes192-ctr , +.Dq aes256-ctr , +.Dq arcfour , +.Dq blowfish-cbc , +and +.Dq cast128-cbc . +The default is +.Bd -literal + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' +.Ed .It Fl D Ar port Specifies a local .Dq dynamic diff --git a/ssh_config.5 b/ssh_config.5 index 97fcdd80e..46d3012c8 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.34 2004/05/06 11:24:23 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.35 2004/06/13 14:01:42 dtucker Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -185,6 +185,18 @@ The default is Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. +The supported ciphers are +.Dq 3des-cbc , +.Dq aes128-cbc , +.Dq aes192-cbc , +.Dq aes256-cbc , +.Dq aes128-ctr , +.Dq aes192-ctr , +.Dq aes256-ctr , +.Dq arcfour , +.Dq blowfish-cbc , +and +.Dq cast128-cbc . The default is .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, diff --git a/sshd_config.5 b/sshd_config.5 index 8edaf030c..3a377ca74 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.33 2004/05/23 23:59:53 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.34 2004/06/13 14:01:42 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -149,6 +149,18 @@ The default is .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. +The supported ciphers are +.Dq 3des-cbc , +.Dq aes128-cbc , +.Dq aes192-cbc , +.Dq aes256-cbc , +.Dq aes128-ctr , +.Dq aes192-ctr , +.Dq aes256-ctr , +.Dq arcfour , +.Dq blowfish-cbc , +and +.Dq cast128-cbc . The default is .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, -- cgit v1.2.3 From 26213e556b517bd01d4a1912afb7ef1f48f136f6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 30 Jun 2004 22:39:34 +1000 Subject: - jmc@cvs.openbsd.org 2004/06/26 09:14:40 [sshd_config.5] new sentence, new line; --- ChangeLog | 5 ++++- sshd_config.5 | 8 +++++--- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 41b5891d8..0333ba30d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ - jmc@cvs.openbsd.org 2004/06/26 09:11:14 [ssh_config.5] punctuation and grammar fixes. also, keep the options in order. + - jmc@cvs.openbsd.org 2004/06/26 09:14:40 + [sshd_config.5] + new sentence, new line; 20040627 - (tim) update README files. @@ -1456,4 +1459,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3460 2004/06/30 12:38:52 djm Exp $ +$Id: ChangeLog,v 1.3461 2004/06/30 12:39:34 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 3a377ca74..09532fb8d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
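Review bot: The ssh.1 hunk introduces a typo, "The suported values are"; change to "supported". The same hunk mixes ".Dq 3des" in the list of accepted values with ".Ar 3des" in the sentences that follow; pick one macro for the cipher names so they render consistently.

Review bot: The protocol 2 default given in the ssh.1 hunk, "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc", omits aes128-ctr, aes192-ctr and aes256-ctr, which the sshd_config.5 default list shown earlier in this series ("...aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr") includes. Check the defaults in the source and make ssh.1, ssh_config.5 and sshd_config.5 agree; users reading ssh -c will otherwise conclude the CTR modes are not negotiated by default.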
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.34 2004/06/13 14:01:42 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.35 2004/06/26 09:14:40 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -416,8 +416,10 @@ The default is .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per -connection. Once the number of failures reaches half this value, additional -failures are logged. The default is 6. +connection. +Once the number of failures reaches half this value, +additional failures are logged. +The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the .Nm sshd -- cgit v1.2.3
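Review bot: The sshd_config.5 hunk fixes the line breaks but leaves "half this value" unqualified; auth.c computes the logging threshold as options.max_authtries / 2 with integer division, so say "half this value (rounded down)" to match the code.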