OpenBSD CVS

CVS log for src/usr.bin/ssh/sshd_config.5




Default branch: MAIN


Revision 1.355 / (download) - annotate - [select for diffs], Wed Feb 21 06:17:29 2024 UTC (2 months, 3 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.354: +9 -1 lines
Diff to previous 1.354 (colored)

explain arguments of internal-sftp
GHPR#454 from Niklas Hambüchen

Revision 1.354 / (download) - annotate - [select for diffs], Wed Feb 21 06:06:43 2024 UTC (2 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.353: +3 -3 lines
Diff to previous 1.353 (colored)

clarify permissions requirements for ChrootDirectory
Part of GHPR#454 from Niklas Hambüchen

Revision 1.353 / (download) - annotate - [select for diffs], Wed Feb 21 06:05:06 2024 UTC (2 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.352: +4 -3 lines
Diff to previous 1.352 (colored)

.Cm for a keyword. Part of GHPR#454 from Niklas Hambüchen

Revision 1.352 / (download) - annotate - [select for diffs], Wed Jan 10 06:33:13 2024 UTC (4 months ago) by jmc
Branch: MAIN
Changes since 1.351: +3 -3 lines
Diff to previous 1.351 (colored)

fix incorrect capitalisation;

Revision 1.351 / (download) - annotate - [select for diffs], Tue Jan 9 22:19:00 2024 UTC (4 months ago) by djm
Branch: MAIN
Changes since 1.350: +26 -18 lines
Diff to previous 1.350 (colored)

add a "global" ChannelTimeout type to ssh(1) and sshd(8) that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in addition
to the existing per-channel timeouts added a few releases ago.

This supports use-cases like having a session + x11 forwarding channel
open where one may be idle for an extended period but the other is
actively used. The global timeout would allow closing both channels when
both have been idle for too long.

ok dtucker@

Revision 1.350 / (download) - annotate - [select for diffs], Fri Jul 28 05:42:36 2023 UTC (9 months, 2 weeks ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.349: +3 -3 lines
Diff to previous 1.349 (colored)

%C is a callable macro in mdoc(7) so, as we do for %D, escape it;

Revision 1.349 / (download) - annotate - [select for diffs], Thu Jul 27 22:25:17 2023 UTC (9 months, 2 weeks ago) by djm
Branch: MAIN
Changes since 1.348: +8 -4 lines
Diff to previous 1.348 (colored)

make sshd_config AuthorizedPrincipalsCommand and AuthorizedKeysCommand
accept the %D (routing domain) and a new %C (connection address/port
4-tuple) as expansion sequences; ok markus

Revision 1.348 / (download) - annotate - [select for diffs], Fri Mar 3 04:36:20 2023 UTC (14 months, 2 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.347: +15 -3 lines
Diff to previous 1.347 (colored)

some options are not first-match-wins. Mention that there are
exceptions at the start of the manpage and label some of them in
the option description.

Revision 1.347 / (download) - annotate - [select for diffs], Wed Jan 18 06:55:32 2023 UTC (15 months, 4 weeks ago) by jmc
Branch: MAIN
Changes since 1.346: +4 -4 lines
Diff to previous 1.346 (colored)

tweak previous; ok djm

Revision 1.346 / (download) - annotate - [select for diffs], Tue Jan 17 09:44:48 2023 UTC (15 months, 4 weeks ago) by djm
Branch: MAIN
Changes since 1.345: +33 -1 lines
Diff to previous 1.345 (colored)

Add a sshd_config UnusedConnectionTimeout option to terminate
client connections that have no open channels for some length
of time. This complements the recently-added ChannelTimeout
option that terminates inactive channels after a timeout.

ok markus@

Revision 1.345 / (download) - annotate - [select for diffs], Fri Jan 6 08:44:11 2023 UTC (16 months, 1 week ago) by jmc
Branch: MAIN
Changes since 1.344: +11 -10 lines
Diff to previous 1.344 (colored)

tweak previous; ok djm

Revision 1.344 / (download) - annotate - [select for diffs], Fri Jan 6 02:47:19 2023 UTC (16 months, 1 week ago) by djm
Branch: MAIN
Changes since 1.343: +67 -2 lines
Diff to previous 1.343 (colored)

Implement channel inactivity timeouts

This adds a sshd_config ChannelTimeouts directive that allows channels that
have not seen traffic in a configurable interval to be automatically closed.
Different timeouts may be applied to session, X11, agent and TCP forwarding
channels.

Note: this only affects channels over an opened SSH connection and not
the connection itself. Most clients close the connection when their channels
go away, with a notable exception being ssh(1) in multiplexing mode.

ok markus dtucker

Revision 1.343 / (download) - annotate - [select for diffs], Sat Sep 17 10:34:29 2022 UTC (19 months, 4 weeks ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.342: +12 -2 lines
Diff to previous 1.342 (colored)

Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@

Revision 1.342 / (download) - annotate - [select for diffs], Fri Jun 24 04:27:14 2022 UTC (22 months, 3 weeks ago) by djm
Branch: MAIN
Changes since 1.341: +5 -5 lines
Diff to previous 1.341 (colored)

make it clear that RekeyLimit applies to both transmitted and
received data. GHPR#328 from Jan Pazdziora

Revision 1.341 / (download) - annotate - [select for diffs], Tue Apr 12 05:09:49 2022 UTC (2 years, 1 month ago) by dtucker
Branch: MAIN
Changes since 1.340: +3 -3 lines
Diff to previous 1.340 (colored)

Correct path for system known hosts file in description of
IgnoreUserKnownHosts.  Patch from Martin Vahlensieck via tech@

Revision 1.340 / (download) - annotate - [select for diffs], Thu Mar 31 17:58:44 2022 UTC (2 years, 1 month ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.339: +3 -3 lines
Diff to previous 1.339 (colored)

ssh: document sntrup761x25519-sha512@openssh.com as default KEX

Revision 1.339 / (download) - annotate - [select for diffs], Sat Dec 4 00:05:39 2021 UTC (2 years, 5 months ago) by naddy
Branch: MAIN
Changes since 1.338: +4 -7 lines
Diff to previous 1.338 (colored)

RSA/SHA-1 is not used by default anymore on the server

Revision 1.338 / (download) - annotate - [select for diffs], Thu Dec 2 22:35:05 2021 UTC (2 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.337: +3 -3 lines
Diff to previous 1.337 (colored)

ssh-rsa is no longer in the default for PubkeyAcceptedAlgorithms.

Revision 1.337 / (download) - annotate - [select for diffs], Wed Nov 10 06:29:25 2021 UTC (2 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.336: +3 -2 lines
Diff to previous 1.336 (colored)

add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 +
Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms
list (after the ECDH methods but before the prime-group DH ones).

ok markus@

Revision 1.336 / (download) - annotate - [select for diffs], Sat Oct 9 10:52:42 2021 UTC (2 years, 7 months ago) by dtucker
Branch: MAIN
Changes since 1.335: +5 -2 lines
Diff to previous 1.335 (colored)

Document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions
can be used in a Match block.  Patch from eehakkin via github PR#277.

Revision 1.335 / (download) - annotate - [select for diffs], Fri Sep 3 05:25:50 2021 UTC (2 years, 8 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.334: +5 -5 lines
Diff to previous 1.334 (colored)

Refer to KEX "algorithms" instead of "methods" to match other references
and improve consistency.  Patch from scop via github PR#241, ok djm@

Revision 1.334 / (download) - annotate - [select for diffs], Thu Aug 12 23:59:25 2021 UTC (2 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.333: +15 -4 lines
Diff to previous 1.333 (colored)

mention that CASignatureAlgorithms accepts +/- similarly to the
other algorithm list directives; ok jmc bz#3335

Revision 1.333 / (download) - annotate - [select for diffs], Tue Jul 27 14:28:46 2021 UTC (2 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.332: +3 -3 lines
Diff to previous 1.332 (colored)

word fix; reported by debian at helgefjell de

Revision 1.332 / (download) - annotate - [select for diffs], Fri Jul 2 05:11:21 2021 UTC (2 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.331: +8 -13 lines
Diff to previous 1.331 (colored)

Remove references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication.  The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat
but not entirely equivalent.  We retain the old name as deprecated alias
so config files continue to work and a reference in the man page for
people looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match.  Man page help & ok jmc@, with & ok djm@

Revision 1.331 / (download) - annotate - [select for diffs], Sun Apr 4 11:36:56 2021 UTC (3 years, 1 month ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.330: +3 -3 lines
Diff to previous 1.330 (colored)

remove stray inserts; from matthias schmidt

Revision 1.330 / (download) - annotate - [select for diffs], Sat Apr 3 06:55:52 2021 UTC (3 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.329: +5 -4 lines
Diff to previous 1.329 (colored)

sync CASignatureAlgorithms lists with reality. GHPR#174 from
Matt Hazinski

Revision 1.329 / (download) - annotate - [select for diffs], Fri Mar 12 04:08:19 2021 UTC (3 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.328: +12 -2 lines
Diff to previous 1.328 (colored)

Add ModuliFile keyword to sshd_config to specify the location of the
"moduli" file containing the groups for DH-GEX.  This will allow us to
run tests against arbitrary moduli files without having to install them.
ok djm@

Revision 1.328 / (download) - annotate - [select for diffs], Sat Feb 27 23:42:37 2021 UTC (3 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.327: +8 -8 lines
Diff to previous 1.327 (colored)

fix alphabetic ordering of options; spotted by Iain Morgan

Revision 1.327 / (download) - annotate - [select for diffs], Tue Feb 23 21:55:08 2021 UTC (3 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.326: +13 -13 lines
Diff to previous 1.326 (colored)

lots more s/key types/signature algorithms/ mostly in
HostbasedAcceptedAlgorithms and HostKeyAlgorithms;
prompted by Jakub Jelen

Revision 1.326 / (download) - annotate - [select for diffs], Tue Feb 23 21:50:18 2021 UTC (3 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.325: +3 -3 lines
Diff to previous 1.325 (colored)

Correct reference to signature algorithms as keys; from Jakub Jelen

Revision 1.325 / (download) - annotate - [select for diffs], Tue Jan 26 05:32:22 2021 UTC (3 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.324: +6 -5 lines
Diff to previous 1.324 (colored)

Rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to
HostbasedAcceptedAlgorithms, which more accurately reflects its effect.
This matches a previous change to PubkeyAcceptedAlgorithms.  The previous
names are retained as aliases.  ok djm@

Revision 1.324 / (download) - annotate - [select for diffs], Fri Jan 22 02:44:58 2021 UTC (3 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.323: +10 -10 lines
Diff to previous 1.323 (colored)

Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted.  Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading.  The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

Revision 1.323 / (download) - annotate - [select for diffs], Thu Jan 14 19:45:06 2021 UTC (3 years, 4 months ago) by rob
Branch: MAIN
Changes since 1.322: +2 -2 lines
Diff to previous 1.322 (colored)

Minor grammatical correction.

OK jmc@

Revision 1.322 / (download) - annotate - [select for diffs], Sat Jan 9 12:51:12 2021 UTC (3 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.321: +3 -3 lines
Diff to previous 1.321 (colored)

add a comma to previous;

Revision 1.321 / (download) - annotate - [select for diffs], Sat Jan 9 12:10:02 2021 UTC (3 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.320: +19 -2 lines
Diff to previous 1.320 (colored)

Add PerSourceMaxStartups and PerSourceNetBlockSize options which provide
more fine grained MaxStartups limits.  Man page help jmc@, feedback &
ok djm@

Revision 1.320 / (download) - annotate - [select for diffs], Fri Jan 8 02:19:24 2021 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.319: +3 -2 lines
Diff to previous 1.319 (colored)

mention that DisableForwarding is valid in a sshd_config Match block
reported by Fredrik Eriksson in bz3239

Revision 1.319 / (download) - annotate - [select for diffs], Tue Dec 29 00:59:15 2020 UTC (3 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.318: +2 -2 lines
Diff to previous 1.318 (colored)

Update/replace the experimental post-quantum hybrid key exchange
method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementation, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks to Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note that both the updated method and the one that it replaced are
disabled by default)

Revision 1.318 / (download) - annotate - [select for diffs], Fri Oct 16 14:34:33 2020 UTC (3 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.317: +3 -3 lines
Diff to previous 1.317 (colored)

add space between macro arg and punctuation;

Revision 1.317 / (download) - annotate - [select for diffs], Fri Oct 16 13:26:13 2020 UTC (3 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.316: +19 -2 lines
Diff to previous 1.316 (colored)

LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

Revision 1.316 / (download) - annotate - [select for diffs], Sat Oct 3 04:15:06 2020 UTC (3 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.315: +15 -12 lines
Diff to previous 1.315 (colored)

prefer ed25519 signature algorithm variants to ECDSA; ok markus@

Revision 1.315 / (download) - annotate - [select for diffs], Thu Aug 27 12:34:00 2020 UTC (3 years, 8 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.314: +2 -2 lines
Diff to previous 1.314 (colored)

sentence fix; from pedro martelletto

Revision 1.314 / (download) - annotate - [select for diffs], Thu Aug 27 06:15:22 2020 UTC (3 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.313: +5 -5 lines
Diff to previous 1.313 (colored)

tweak previous;

Revision 1.313 / (download) - annotate - [select for diffs], Thu Aug 27 01:07:10 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.312: +17 -6 lines
Diff to previous 1.312 (colored)

support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

Revision 1.312 / (download) - annotate - [select for diffs], Fri May 29 05:37:03 2020 UTC (3 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.311: +2 -2 lines
Diff to previous 1.311 (colored)

mention that wildcards are processed in lexical order; bz#3165

Revision 1.311 / (download) - annotate - [select for diffs], Fri Apr 17 06:12:41 2020 UTC (4 years, 1 month ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.310: +2 -2 lines
Diff to previous 1.310 (colored)

add space between macro arg and punctuation;

Revision 1.310 / (download) - annotate - [select for diffs], Fri Apr 17 04:27:03 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.309: +3 -5 lines
Diff to previous 1.309 (colored)

auth2-pubkey r1.89 changed the order of operations to checking
AuthorizedKeysFile first and falling back to AuthorizedKeysCommand
if no key was found in a file. Document this order here; bz3134

Revision 1.309 / (download) - annotate - [select for diffs], Fri Apr 17 03:30:05 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.308: +21 -8 lines
Diff to previous 1.308 (colored)

make IgnoreRhosts a tri-state option: "yes" ignore rhosts/shosts,
"no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts
files but not .rhosts. ok dtucker@

Revision 1.308 / (download) - annotate - [select for diffs], Fri Apr 17 03:23:13 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.307: +3 -2 lines
Diff to previous 1.307 (colored)

allow the IgnoreRhosts directive to appear anywhere in a sshd_config,
not just before any Match blocks; bz3148, ok dtucker@

Revision 1.307 / (download) - annotate - [select for diffs], Fri Feb 7 03:54:44 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.306: +6 -6 lines
Diff to previous 1.306 (colored)

Add ssh -Q key-sig for all key and signature types.  Teach ssh -Q to accept
ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the
corresponding query.  Man page help jmc@, ok djm@.

Revision 1.306 / (download) - annotate - [select for diffs], Thu Feb 6 22:34:58 2020 UTC (4 years, 3 months ago) by naddy
Branch: MAIN
Changes since 1.305: +3 -2 lines
Diff to previous 1.305 (colored)

Add Include to the list of permitted keywords after a Match keyword.
ok markus@

Revision 1.305 / (download) - annotate - [select for diffs], Sat Feb 1 06:53:12 2020 UTC (4 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.304: +4 -4 lines
Diff to previous 1.304 (colored)

tweak previous;

Revision 1.304 / (download) - annotate - [select for diffs], Fri Jan 31 22:42:45 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.303: +16 -3 lines
Diff to previous 1.303 (colored)

Add a sshd_config "Include" directive to allow inclusion of files.
This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub
Jelen in bz2468; feedback and ok markus@

Revision 1.303 / (download) - annotate - [select for diffs], Tue Jan 28 01:49:36 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.302: +2 -1 lines
Diff to previous 1.302 (colored)

make IPTOS_DSCP_LE available via IPQoS directive; bz2986, based on
patch by veegish AT cyberstorm.mu

Revision 1.302 / (download) - annotate - [select for diffs], Sat Jan 25 22:41:01 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.301: +4 -1 lines
Diff to previous 1.301 (colored)

make sshd_config:ClientAliveCountMax=0 disable the connection killing
behaviour, rather than killing the connection after sending the first
liveness test probe (regardless of whether the client was responsive)
bz2627; ok markus

Revision 1.301 / (download) - annotate - [select for diffs], Sat Jan 25 22:36:22 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.300: +7 -19 lines
Diff to previous 1.300 (colored)

clarify order of AllowUsers/DenyUsers vs AllowGroups/DenyGroups;
bz1690, ok markus@

Revision 1.300 / (download) - annotate - [select for diffs], Sat Jan 25 07:09:14 2020 UTC (4 years, 3 months ago) by tedu
Branch: MAIN
Changes since 1.299: +3 -3 lines
Diff to previous 1.299 (colored)

group14-sha1 is no longer a default algorithm

Revision 1.299 / (download) - annotate - [select for diffs], Sat Jan 25 06:03:11 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.298: +5 -3 lines
Diff to previous 1.298 (colored)

mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

Revision 1.298 / (download) - annotate - [select for diffs], Tue Jan 21 06:09:56 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.297: +4 -2 lines
Diff to previous 1.297 (colored)

Document sntrup4591761x25519-sha512@tinyssh.org.  Patch from
jtesta@positronsecurity.com via github PR#151.

Revision 1.297 / (download) - annotate - [select for diffs], Sat Dec 21 20:22:34 2019 UTC (4 years, 4 months ago) by naddy
Branch: MAIN
Changes since 1.296: +9 -9 lines
Diff to previous 1.296 (colored)

Replace the term "security key" with "(FIDO) authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

Revision 1.296 / (download) - annotate - [select for diffs], Thu Dec 19 15:09:30 2019 UTC (4 years, 4 months ago) by naddy
Branch: MAIN
Changes since 1.295: +21 -9 lines
Diff to previous 1.295 (colored)

Document that security key-hosted keys can act as host keys.

Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5.  Copy the description of the SecurityKeyProvider
option to sshd_config.5.

ok jmc@

Revision 1.295 / (download) - annotate - [select for diffs], Sat Nov 30 07:07:59 2019 UTC (4 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.294: +3 -3 lines
Diff to previous 1.294 (colored)

tweak the Nd lines for a bit of consistency;
ok markus

Revision 1.294 / (download) - annotate - [select for diffs], Tue Nov 26 22:42:26 2019 UTC (4 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.293: +6 -5 lines
Diff to previous 1.293 (colored)

tweak previous;

Revision 1.293 / (download) - annotate - [select for diffs], Mon Nov 25 00:52:46 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.292: +25 -2 lines
Diff to previous 1.292 (colored)

Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

Revision 1.292 / (download) - annotate - [select for diffs], Mon Nov 18 04:55:02 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.291: +4 -2 lines
Diff to previous 1.291 (colored)

mention ed25519-sk key/cert types here too; prompted by jmc@

Revision 1.291 / (download) - annotate - [select for diffs], Thu Nov 7 08:38:38 2019 UTC (4 years, 6 months ago) by naddy
Branch: MAIN
Changes since 1.290: +10 -5 lines
Diff to previous 1.290 (colored)

Fill in missing man page bits for U2F security key support:

Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

Revision 1.290 / (download) - annotate - [select for diffs], Fri Sep 6 14:45:34 2019 UTC (4 years, 8 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.289: +22 -2 lines
Diff to previous 1.289 (colored)

Allow prepending a list of algorithms to the default set by starting
the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

Revision 1.289 / (download) - annotate - [select for diffs], Wed Sep 4 20:31:15 2019 UTC (4 years, 8 months ago) by naddy
Branch: MAIN
Changes since 1.288: +12 -12 lines
Diff to previous 1.288 (colored)

Call comma-separated lists as such to clarify semantics.

Options such as Ciphers take values that may be a list of ciphers; the
complete list, not individual elements, may be prefixed with a dash or plus
character to remove from or append to the default list, respectively.

Users might read the current text as if each element took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting these semantics.

Fix instances missed in first commit.  ok jmc@ kn@

Revision 1.288 / (download) - annotate - [select for diffs], Fri Aug 9 04:24:03 2019 UTC (4 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.287: +3 -3 lines
Diff to previous 1.287 (colored)

Change description of TCPKeepAlive from "inactive" to "unresponsive"
to clarify what it checks for.  Patch from jblaine at kickflop.net via
github pr#129, ok djm@.

Revision 1.287 / (download) - annotate - [select for diffs], Tue Jul 23 23:06:57 2019 UTC (4 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.286: +3 -3 lines
Diff to previous 1.286 (colored)

Fix typo in CASignatureAlgorithms wherein what should be a comma is a dot.
Patch from hnj2 via github pr#141.

Revision 1.286 / (download) - annotate - [select for diffs], Wed Jun 12 05:53:21 2019 UTC (4 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.285: +3 -3 lines
Diff to previous 1.285 (colored)

deraadt noticed some inconsistency in the way we denote the "Hostname" and
"X11UseLocalhost" keywords; this makes things consistent (effectively reversing
my commit of yesterday);

ok deraadt markus djm

Revision 1.285 / (download) - annotate - [select for diffs], Tue May 14 12:47:17 2019 UTC (5 years ago) by schwarze
Branch: MAIN
Changes since 1.284: +3 -5 lines
Diff to previous 1.284 (colored)

Delete some .Sx macros that were used in a wrong way.
Part of a patch from Stephen Gregoratto <dev at sgregoratto dot me>.

Revision 1.284 / (download) - annotate - [select for diffs], Fri Mar 22 20:58:34 2019 UTC (5 years, 1 month ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.283: +3 -3 lines
Diff to previous 1.283 (colored)

full stop in the wrong place;

Revision 1.283 / (download) - annotate - [select for diffs], Wed Jan 23 20:48:52 2019 UTC (5 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.282: +3 -3 lines
Diff to previous 1.282 (colored)

Remove duplicate word.  bz#2958, patch from jjelen at redhat.com

Revision 1.282 / (download) - annotate - [select for diffs], Thu Sep 20 03:28:06 2018 UTC (5 years, 7 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.281: +13 -2 lines
Diff to previous 1.281 (colored)

Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@

Revision 1.281 / (download) - annotate - [select for diffs], Fri Jul 20 05:01:10 2018 UTC (5 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.280: +3 -3 lines
Diff to previous 1.280 (colored)

slightly-clearer description for AuthenticationMethods - the lists
have comma-separated elements; bz#2663 from Hans Meier

Revision 1.280 / (download) - annotate - [select for diffs], Wed Jul 4 13:49:31 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.279: +3 -3 lines
Diff to previous 1.279 (colored)

repair PubkeyAcceptedKeyTypes (and friends) after RSA signature work -
returns ability to add/remove/specify algorithms by wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

Revision 1.279 / (download) - annotate - [select for diffs], Tue Jul 3 11:39:54 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.278: +8 -5 lines
Diff to previous 1.278 (colored)

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

Revision 1.278 / (download) - annotate - [select for diffs], Tue Jul 3 10:59:35 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.277: +7 -1 lines
Diff to previous 1.277 (colored)

allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

Revision 1.277 / (download) - annotate - [select for diffs], Tue Jun 19 05:36:57 2018 UTC (5 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.276: +3 -3 lines
Diff to previous 1.276 (colored)

spelling;

Revision 1.276 / (download) - annotate - [select for diffs], Tue Jun 19 02:59:41 2018 UTC (5 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.275: +12 -8 lines
Diff to previous 1.275 (colored)

allow bare port numbers to appear in PermitListen directives, e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

Revision 1.275 / (download) - annotate - [select for diffs], Sat Jun 9 03:18:11 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.274: +2 -2 lines
Diff to previous 1.274 (colored)

slightly better wording re handling of $TERM, from Jakub Jelen
via bz2386

Revision 1.274 / (download) - annotate - [select for diffs], Sat Jun 9 03:03:10 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.273: +18 -2 lines
Diff to previous 1.273 (colored)

add a SetEnv directive for sshd_config to allow an administrator to
explicitly specify environment variables set in sessions started by
sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@

Revision 1.273 / (download) - annotate - [select for diffs], Sat Jun 9 03:01:12 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.272: +4 -2 lines
Diff to previous 1.272 (colored)

add a SetEnv directive to ssh_config that allows setting environment
variables for the remote session (subject to the server accepting them)

refactor SendEnv to remove the arbitrary limit of variable names.

ok markus@

Revision 1.272 / (download) - annotate - [select for diffs], Thu Jun 7 11:26:14 2018 UTC (5 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.271: +3 -3 lines
Diff to previous 1.271 (colored)

tweak previous;

Revision 1.271 / (download) - annotate - [select for diffs], Wed Jun 6 18:24:00 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.270: +40 -1 lines
Diff to previous 1.270 (colored)

man bits for PermitListen

Revision 1.270 / (download) - annotate - [select for diffs], Fri Jun 1 06:23:10 2018 UTC (5 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.269: +6 -6 lines
Diff to previous 1.269 (colored)

add missing punctuation after %i in ssh_config.5, and make the grammatical
format in sshd_config.5 match that in ssh_config.5;

Revision 1.269 / (download) - annotate - [select for diffs], Fri Jun 1 05:52:26 2018 UTC (5 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.268: +3 -3 lines
Diff to previous 1.268 (colored)

oops - further adjustment to text necessary;

Revision 1.268 / (download) - annotate - [select for diffs], Fri Jun 1 05:50:18 2018 UTC (5 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.267: +4 -4 lines
Diff to previous 1.267 (colored)

%U needs to be escaped; tweak text;

Revision 1.267 / (download) - annotate - [select for diffs], Fri Jun 1 03:33:53 2018 UTC (5 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.266: +9 -7 lines
Diff to previous 1.266 (colored)

make UID available as a %-expansion everywhere that the username is
available currently. In the client this is via %i, in the server %U
(since %i was already used in the client in some places for this, but
used for something different in the server);
bz#2870, ok dtucker@

Revision 1.266 / (download) - annotate - [select for diffs], Tue May 15 05:40:11 2018 UTC (6 years ago) by jmc
Branch: MAIN
Changes since 1.265: +3 -3 lines
Diff to previous 1.265 (colored)

correct keyword name (permitemptypasswords); from brendan macdonell

Revision 1.265 / (download) - annotate - [select for diffs], Sun Apr 8 07:36:02 2018 UTC (6 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.264: +4 -4 lines
Diff to previous 1.264 (colored)

tweak previous;

Revision 1.264 / (download) - annotate - [select for diffs], Wed Apr 4 15:12:17 2018 UTC (6 years, 1 month ago) by job
Branch: MAIN
Changes since 1.263: +5 -3 lines
Diff to previous 1.263 (colored)

Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for interactive and CS1 for bulk

AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.

For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.

An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662

The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").

OK deraadt@, "no objection" djm@

Revision 1.263 / (download) - annotate - [select for diffs], Fri Feb 16 02:40:45 2018 UTC (6 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.262: +10 -3 lines
Diff to previous 1.262 (colored)

Mention recent DH KEX methods:

diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

From Jakub Jelen via bz#2826

Revision 1.262 / (download) - annotate - [select for diffs], Fri Feb 16 02:32:40 2018 UTC (6 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.261: +2 -3 lines
Diff to previous 1.261 (colored)

stop loading DSA keys by default, remove sshd_config stanza and manpage
bits; from Colin Watson via bz#2662, ok dtucker@

Revision 1.261 / (download) - annotate - [select for diffs], Sat Feb 10 06:54:38 2018 UTC (6 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.260: +5 -3 lines
Diff to previous 1.260 (colored)

clarify IgnoreUserKnownHosts; based on github PR from
Christoph Anton Mitterer.

Revision 1.260 / (download) - annotate - [select for diffs], Thu Oct 26 06:44:01 2017 UTC (6 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.259: +5 -5 lines
Diff to previous 1.259 (colored)

mark up the rdomain keyword;

Revision 1.259 / (download) - annotate - [select for diffs], Wed Oct 25 06:18:06 2017 UTC (6 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.258: +13 -14 lines
Diff to previous 1.258 (colored)

simplify macros in previous, and some minor tweaks;

Revision 1.258 / (download) - annotate - [select for diffs], Wed Oct 25 00:19:47 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.257: +9 -2 lines
Diff to previous 1.257 (colored)

add a "rdomain" criteria for the sshd_config Match keyword to allow
conditional configuration that depends on which rdomain(4) a connection
was received on. ok markus@

Revision 1.257 / (download) - annotate - [select for diffs], Wed Oct 25 00:17:08 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.256: +17 -2 lines
Diff to previous 1.256 (colored)

add sshd_config RDomain keyword to place sshd and the subsequent
user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Revision 1.256 / (download) - annotate - [select for diffs], Wed Oct 25 00:15:35 2017 UTC (6 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.255: +23 -6 lines
Diff to previous 1.255 (colored)

Add optional rdomain qualifier to sshd_config's ListenAddress option
to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Revision 1.255 / (download) - annotate - [select for diffs], Fri Oct 13 16:50:45 2017 UTC (6 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.254: +4 -5 lines
Diff to previous 1.254 (colored)

trim permitrootlogin description somewhat, to avoid ambiguity;
original diff from walter alejandro iglesias, tweaked by sthen and myself

ok sthen schwarze deraadt

Revision 1.254 / (download) - annotate - [select for diffs], Mon Oct 9 20:12:51 2017 UTC (6 years, 7 months ago) by benno
Branch: MAIN
Changes since 1.253: +3 -2 lines
Diff to previous 1.253 (colored)

clarify the order in which config statements are used.
ok jmc@ djm@

Revision 1.253 / (download) - annotate - [select for diffs], Wed Sep 27 06:45:53 2017 UTC (6 years, 7 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.252: +4 -2 lines
Diff to previous 1.252 (colored)

tweak ExposeAuthInfo;
diff from lars nooden

tweaked by sthen; ok djm dtucker

Revision 1.252 / (download) - annotate - [select for diffs], Fri Sep 1 15:41:26 2017 UTC (6 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.251: +2 -3 lines
Diff to previous 1.251 (colored)

remove blank line;

Revision 1.251 / (download) - annotate - [select for diffs], Fri Sep 1 05:50:48 2017 UTC (6 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.250: +15 -2 lines
Diff to previous 1.250 (colored)

document available AuthenticationMethods; bz#2453 ok dtucker@

Revision 1.250 / (download) - annotate - [select for diffs], Sun Jul 23 23:37:02 2017 UTC (6 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.249: +5 -3 lines
Diff to previous 1.249 (colored)

Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value
and just use the operating system default; ok dtucker@

Revision 1.249 / (download) - annotate - [select for diffs], Thu Jul 13 19:16:33 2017 UTC (6 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.248: +1 -3 lines
Diff to previous 1.248 (colored)

man pages with pseudo synopses which list filenames end up creating
very ugly output in man -k; after some discussion with ingo, we feel
the simplest fix is to remove such SYNOPSIS sections: the info is hardly
helpful at page top, is contained already in FILES, and there are
sufficiently few that just zapping them is simple;

ok schwarze, who also helpfully ran things through a build to check
output;

Revision 1.248 / (download) - annotate - [select for diffs], Sat Jun 24 07:08:57 2017 UTC (6 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.247: +2 -2 lines
Diff to previous 1.247 (colored)

correct env var name

Revision 1.247 / (download) - annotate - [select for diffs], Sat Jun 24 06:57:04 2017 UTC (6 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.246: +4 -4 lines
Diff to previous 1.246 (colored)

spelling;

Revision 1.246 / (download) - annotate - [select for diffs], Sat Jun 24 06:34:38 2017 UTC (6 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.245: +8 -2 lines
Diff to previous 1.245 (colored)

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Revision 1.245 / (download) - annotate - [select for diffs], Wed May 17 01:24:17 2017 UTC (7 years ago) by djm
Branch: MAIN
Changes since 1.244: +3 -2 lines
Diff to previous 1.244 (colored)

allow LogLevel in sshd_config Match blocks; ok dtucker bz#2717

Revision 1.244 / (download) - annotate - [select for diffs], Sun May 7 23:12:57 2017 UTC (7 years ago) by djm
Branch: MAIN
Changes since 1.243: +2 -16 lines
Diff to previous 1.243 (colored)

As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Revision 1.243 / (download) - annotate - [select for diffs], Tue Mar 14 07:19:07 2017 UTC (7 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.242: +2 -24 lines
Diff to previous 1.242 (colored)

Mark the sshd_config UsePrivilegeSeparation option as deprecated,
effectively making privsep mandatory in sandboxing mode.
ok markus@ deraadt@

(note: this doesn't remove the !privsep code paths, though that will
happen eventually).

Revision 1.242 / (download) - annotate - [select for diffs], Fri Feb 3 23:01:19 2017 UTC (7 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.241: +21 -1 lines
Diff to previous 1.241 (colored)

support =- for removing methods from algorithms lists, e.g.
Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671
"I like it" markus@

Revision 1.241 / (download) - annotate - [select for diffs], Fri Jan 6 16:28:12 2017 UTC (7 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.240: +4 -4 lines
Diff to previous 1.240 (colored)

keep the tokens list sorted;

Revision 1.240 / (download) - annotate - [select for diffs], Fri Jan 6 02:34:54 2017 UTC (7 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.239: +3 -3 lines
Diff to previous 1.239 (colored)

Re-add '%k' token for AuthorizedKeysCommand which was lost during the
re-org in rev 1.235.  bz#2656, from jboning at gmail.com.

Revision 1.239 / (download) - annotate - [select for diffs], Wed Nov 30 03:00:05 2016 UTC (7 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.238: +8 -2 lines
Diff to previous 1.238 (colored)

Add a sshd_config DisableForwarding option that disables X11, agent,
TCP, tunnel and Unix domain socket forwarding, as well as anything
else we might implement in the future.

This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@

Revision 1.238 / (download) - annotate - [select for diffs], Wed Nov 23 23:14:15 2016 UTC (7 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.237: +4 -2 lines
Diff to previous 1.237 (colored)

allow ClientAlive{Interval,CountMax} in Match; ok dtucker, djm

Revision 1.237 / (download) - annotate - [select for diffs], Fri Oct 7 14:41:52 2016 UTC (7 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.236: +210 -253 lines
Diff to previous 1.236 (colored)

tidy up the formatting in this file. more specifically, replace
.Dq, which looks appalling, with .Cm, where appropriate;

Revision 1.236 / (download) - annotate - [select for diffs], Wed Sep 28 20:32:42 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.235: +6 -4 lines
Diff to previous 1.235 (colored)

restore pre-auth compression support in the client -- the previous
commit was intended to remove it from the server only.

remove a few server-side pre-auth compression bits that escaped

adjust wording of Compression directive in sshd_config(5)

pointed out by naddy@ ok markus@

Revision 1.235 / (download) - annotate - [select for diffs], Thu Sep 22 19:19:01 2016 UTC (7 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.234: +86 -54 lines
Diff to previous 1.234 (colored)

organise the token stuff into a separate section;
ok markus for an earlier version of the diff
ok/tweaks djm

Revision 1.234 / (download) - annotate - [select for diffs], Thu Sep 22 17:55:13 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.233: +5 -3 lines
Diff to previous 1.233 (colored)

mention curve25519-sha256 KEX

Revision 1.233 / (download) - annotate - [select for diffs], Wed Sep 21 01:34:45 2016 UTC (7 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.232: +10 -8 lines
Diff to previous 1.232 (colored)

add a way for principals command to see key ID and serial too

Revision 1.232 / (download) - annotate - [select for diffs], Wed Sep 14 05:42:25 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.231: +14 -5 lines
Diff to previous 1.231 (colored)

add %-escapes to AuthorizedPrincipalsCommand to match those supported
for AuthorizedKeysCommand (key, key type, fingerprint, etc) and a
few more to provide access to the certificate's CA key;
'looks ok' dtucker@

Revision 1.231 / (download) - annotate - [select for diffs], Wed Sep 7 18:39:24 2016 UTC (7 years, 8 months ago) by jmc
Branch: MAIN
Changes since 1.230: +18 -18 lines
Diff to previous 1.230 (colored)

sort; from matthew martin

Revision 1.230 / (download) - annotate - [select for diffs], Fri Aug 19 03:18:07 2016 UTC (7 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.229: +2 -24 lines
Diff to previous 1.229 (colored)

remove UseLogin option and support for having /bin/login manage
login sessions; ok deraadt markus dtucker

Revision 1.229 / (download) - annotate - [select for diffs], Mon Aug 15 12:32:04 2016 UTC (7 years, 9 months ago) by naddy
Branch: MAIN
Changes since 1.228: +4 -68 lines
Diff to previous 1.228 (colored)

Catch up with the SSH1 code removal and delete all mention of
protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation
and examples.  ok jmc@

Revision 1.228 / (download) - annotate - [select for diffs], Fri Aug 12 19:19:04 2016 UTC (7 years, 9 months ago) by jca
Branch: MAIN
Changes since 1.227: +2 -2 lines
Diff to previous 1.227 (colored)

Use 2001:db8::/32, the official IPv6 subnet for configuration examples.

This makes the IPv6 example consistent with IPv4, and removes a dubious
mention of a 6bone subnet.

ok sthen@ millert@

Revision 1.227 / (download) - annotate - [select for diffs], Tue Jul 19 12:59:16 2016 UTC (7 years, 9 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.226: +4 -4 lines
Diff to previous 1.226 (colored)

tweak previous;

Revision 1.226 / (download) - annotate - [select for diffs], Tue Jul 19 11:38:53 2016 UTC (7 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.225: +4 -1 lines
Diff to previous 1.225 (colored)

Allow wildcard for PermitOpen hosts as well as ports.  bz#2582, patch from
openssh at mzpqnxow.com and jjelen at redhat.com.  ok markus@

Revision 1.225 / (download) - annotate - [select for diffs], Fri Jun 17 06:33:30 2016 UTC (7 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.224: +3 -3 lines
Diff to previous 1.224 (colored)

grammar fix;

Revision 1.224 / (download) - annotate - [select for diffs], Fri Jun 17 05:03:40 2016 UTC (7 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.223: +11 -6 lines
Diff to previous 1.223 (colored)

ban AuthenticationMethods="" and accept AuthenticationMethods=any
for the default behaviour of not requiring multiple authentication

bz#2398 from Jakub Jelen; ok dtucker@

Revision 1.223 / (download) - annotate - [select for diffs], Wed May 4 14:29:58 2016 UTC (8 years ago) by markus
Branch: MAIN
Changes since 1.222: +3 -3 lines
Diff to previous 1.222 (colored)

allow setting IdentityAgent to SSH_AUTH_SOCK; ok djm@

Revision 1.222 / (download) - annotate - [select for diffs], Wed Apr 27 13:53:48 2016 UTC (8 years ago) by jmc
Branch: MAIN
Changes since 1.221: +6 -2 lines
Diff to previous 1.221 (colored)

cidr permitted for {allow,deny}users; from lars nooden
ok djm

Revision 1.221 / (download) - annotate - [select for diffs], Thu Mar 17 17:19:43 2016 UTC (8 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.220: +2 -2 lines
Diff to previous 1.220 (colored)

UseDNS affects ssh hostname processing in authorized_keys, not
known_hosts; bz#2554 reported by jjelen AT redhat.com

Revision 1.220 / (download) - annotate - [select for diffs], Wed Feb 17 08:57:34 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.219: +5 -5 lines
Diff to previous 1.219 (colored)

rsa-sha2-512,rsa-sha2-256 cannot be selected explicitly in
*KeyTypes options yet. Remove them from the lists of algorithms
for now. committing on behalf of markus@ ok djm@

Revision 1.219 / (download) - annotate - [select for diffs], Wed Feb 17 07:38:19 2016 UTC (8 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.218: +7 -20 lines
Diff to previous 1.218 (colored)

since these pages now clearly tell folks to avoid v1, normalise
the docs from a v2 perspective (i.e. stop pointing out which bits
are v2 only);

ok/tweaks djm ok markus

Revision 1.218 / (download) - annotate - [select for diffs], Tue Feb 16 05:11:04 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.217: +6 -2 lines
Diff to previous 1.217 (colored)

Replace list of ciphers and MACs adjacent to -1/-2 flag descriptions in
ssh(1) with a strong recommendation not to use protocol 1. Add a similar
warning to the Protocol option descriptions in ssh_config(5) and
sshd_config(5);

prompted by and ok mmcc@

Revision 1.217 / (download) - annotate - [select for diffs], Thu Feb 11 02:56:32 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.216: +7 -6 lines
Diff to previous 1.216 (colored)

sync crypto algorithm lists in ssh_config(5) and sshd_config(5)
with current reality. bz#2527

Revision 1.216 / (download) - annotate - [select for diffs], Fri Feb 5 02:37:56 2016 UTC (8 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.215: +10 -2 lines
Diff to previous 1.215 (colored)

better description for MaxSessions; bz#2531

Revision 1.215 / (download) - annotate - [select for diffs], Fri Nov 13 04:38:06 2015 UTC (8 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.214: +7 -3 lines
Diff to previous 1.214 (colored)

Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@

Revision 1.214 / (download) - annotate - [select for diffs], Fri Nov 13 02:57:46 2015 UTC (8 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.213: +4 -2 lines
Diff to previous 1.213 (colored)

list a couple more options usable in Match blocks; bz#2489

Revision 1.213 / (download) - annotate - [select for diffs], Wed Oct 7 14:45:30 2015 UTC (8 years, 7 months ago) by sobrado
Branch: MAIN
Changes since 1.212: +9 -4 lines
Diff to previous 1.212 (colored)

UsePrivilegeSeparation defaults to sandbox now.

ok djm@

Revision 1.212 / (download) - annotate - [select for diffs], Fri Sep 11 03:13:36 2015 UTC (8 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.211: +5 -2 lines
Diff to previous 1.211 (colored)

more clarity on what AuthorizedKeysFile=none does;
based on diff by Thiebaud Weksteen

Revision 1.211 / (download) - annotate - [select for diffs], Fri Aug 14 15:32:41 2015 UTC (8 years, 9 months ago) by jmc
Branch: MAIN
Changes since 1.210: +5 -5 lines
Diff to previous 1.210 (colored)

match myproposal.h order; from brian conway
(i snuck in a tweak while here)

ok dtucker

Revision 1.210 / (download) - annotate - [select for diffs], Thu Aug 6 14:53:21 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.209: +6 -3 lines
Diff to previous 1.209 (colored)

add prohibit-password as a synonym for without-password, since the
without-password is causing too many questions.  Harden it to ban all
but pubkey, hostbased, and GSSAPI auth (when the latter is enabled)
from djm, ok markus

Revision 1.209 / (download) - annotate - [select for diffs], Thu Jul 30 19:23:02 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.208: +3 -3 lines
Diff to previous 1.208 (colored)

change default: PermitRootLogin without-password
matching install script changes coming as well
ok djm markus

Revision 1.208 / (download) - annotate - [select for diffs], Thu Jul 30 00:01:34 2015 UTC (8 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.207: +24 -2 lines
Diff to previous 1.207 (colored)

Allow ssh_config and sshd_config kex parameters options to be prefixed
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Revision 1.207 / (download) - annotate - [select for diffs], Mon Jul 20 00:30:01 2015 UTC (8 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.206: +14 -5 lines
Diff to previous 1.206 (colored)

mention that the default of UseDNS=no implies that hostnames cannot
be used for host matching in sshd_config and authorized_keys;
bz#2045, ok dtucker@

Revision 1.206 / (download) - annotate - [select for diffs], Fri Jul 10 06:21:53 2015 UTC (8 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.205: +51 -9 lines
Diff to previous 1.205 (colored)

Turn off DSA by default; add HostKeyAlgorithms to the server and
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@

Revision 1.205 / (download) - annotate - [select for diffs], Fri Jul 3 03:49:45 2015 UTC (8 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.204: +3 -3 lines
Diff to previous 1.204 (colored)

refuse to generate or accept RSA keys smaller than 1024 bits;
feedback and ok dtucker@

Revision 1.204 / (download) - annotate - [select for diffs], Fri Jun 5 03:44:14 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.203: +3 -3 lines
Diff to previous 1.203 (colored)

typo: accidental repetition; bz#2386

Revision 1.203 / (download) - annotate - [select for diffs], Fri May 22 03:50:02 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.202: +16 -1 lines
Diff to previous 1.202 (colored)

add knob to relax GSSAPI host credential check for multihomed hosts
bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)

Revision 1.202 / (download) - annotate - [select for diffs], Thu May 21 06:43:31 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.201: +38 -2 lines
Diff to previous 1.201 (colored)

add AuthorizedPrincipalsCommand that allows getting authorized_principals
from a subprocess rather than a file, which is quite useful in
deployments with large userbases

feedback and ok markus@

Revision 1.201 / (download) - annotate - [select for diffs], Thu May 21 06:38:35 2015 UTC (8 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.200: +17 -5 lines
Diff to previous 1.200 (colored)

support arguments to AuthorizedKeysCommand

bz#2081 loosely based on patch by Sami Hartikainen
feedback and ok markus@

Revision 1.200 / (download) - annotate - [select for diffs], Wed Apr 29 03:48:56 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.199: +2 -5 lines
Diff to previous 1.199 (colored)

Allow ListenAddress, Port and AddressFamily in any order.  bz#68,
ok djm@, jmc@ (for the man page bit).

Revision 1.199 / (download) - annotate - [select for diffs], Tue Apr 28 13:47:38 2015 UTC (9 years ago) by jmc
Branch: MAIN
Changes since 1.198: +2 -2 lines
Diff to previous 1.198 (colored)

enviroment -> environment: apologies to darren for not spotting that first
time round...

Revision 1.198 / (download) - annotate - [select for diffs], Tue Apr 28 10:25:15 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.197: +3 -3 lines
Diff to previous 1.197 (colored)

Fix typo in previous

Revision 1.197 / (download) - annotate - [select for diffs], Tue Apr 28 10:17:58 2015 UTC (9 years ago) by dtucker
Branch: MAIN
Changes since 1.196: +7 -3 lines
Diff to previous 1.196 (colored)

Document that the TERM environment variable is not subject to SendEnv
and AcceptEnv.  bz#2386, based loosely on a patch from jjelen at redhat,
help and ok jmc@

Revision 1.196 / (download) - annotate - [select for diffs], Mon Apr 27 21:42:48 2015 UTC (9 years ago) by djm
Branch: MAIN
Changes since 1.195: +3 -3 lines
Diff to previous 1.195 (colored)

Make sshd default to PermitRootLogin=no;
ok deraadt@ rpe@

Revision 1.195 / (download) - annotate - [select for diffs], Thu Apr 16 23:25:50 2015 UTC (9 years, 1 month ago) by dtucker
Branch: MAIN
Changes since 1.194: +13 -5 lines
Diff to previous 1.194 (colored)

Document "none" for PidFile XAuthLocation TrustedUserCAKeys and RevokedKeys.
bz#2382, feedback from jmc@, ok djm@

Revision 1.194 / (download) - annotate - [select for diffs], Fri Feb 20 23:46:01 2015 UTC (9 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.193: +4 -4 lines
Diff to previous 1.193 (colored)

sort options useable under Match case-insensitively;
prodded jmc@

Revision 1.193 / (download) - annotate - [select for diffs], Fri Feb 20 22:40:32 2015 UTC (9 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.192: +10 -4 lines
Diff to previous 1.192 (colored)

more options that are available under Match;
bz#2353 reported by calestyo AT scientia.net

Revision 1.192 / (download) - annotate - [select for diffs], Mon Feb 2 01:57:44 2015 UTC (9 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.191: +2 -2 lines
Diff to previous 1.191 (colored)

increasing encounters with difficult DNS setups in darknets has
convinced me UseDNS off by default is better
ok djm

Revision 1.191 / (download) - annotate - [select for diffs], Thu Jan 22 21:00:42 2015 UTC (9 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.190: +3 -3 lines
Diff to previous 1.190 (colored)

heirarchy -> hierarchy;

Revision 1.190 / (download) - annotate - [select for diffs], Thu Jan 22 20:24:41 2015 UTC (9 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.189: +13 -4 lines
Diff to previous 1.189 (colored)

Provide a warning about chroot misuses (which sadly, seem to have become
quite popular because shiny).  sshd cannot detect/manage/do anything
about these cases, best we can do is warn in the right spot in the man page.
ok markus

Revision 1.189 / (download) - annotate - [select for diffs], Tue Jan 13 07:39:19 2015 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.188: +25 -1 lines
Diff to previous 1.188 (colored)

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow sshd to control what public key types will be
accepted. Currently defaults to all. Feedback & ok markus@

Revision 1.188 / (download) - annotate - [select for diffs], Mon Dec 22 09:05:17 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.187: +18 -2 lines
Diff to previous 1.187 (colored)

mention ssh -Q feature to list supported { MAC, cipher, KEX, key }
algorithms in more places and include the query string used to
list the relevant information; bz#2288

Revision 1.187 / (download) - annotate - [select for diffs], Mon Dec 22 08:24:17 2014 UTC (9 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.186: +2 -2 lines
Diff to previous 1.186 (colored)

tweak previous;

Revision 1.186 / (download) - annotate - [select for diffs], Mon Dec 22 08:04:23 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.185: +8 -4 lines
Diff to previous 1.185 (colored)

correct description of what will happen when an AuthorizedKeysCommand is
specified but AuthorizedKeysCommandUser is not (sshd will refuse to start)

Revision 1.185 / (download) - annotate - [select for diffs], Mon Dec 22 07:51:30 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.184: +13 -1 lines
Diff to previous 1.184 (colored)

remember which public keys have been used for authentication and
refuse to accept previously-used keys.

This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.

ok markus@

Revision 1.184 / (download) - annotate - [select for diffs], Sun Dec 21 23:35:14 2014 UTC (9 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.183: +2 -3 lines
Diff to previous 1.183 (colored)

tweak previous;

Revision 1.183 / (download) - annotate - [select for diffs], Sun Dec 21 22:27:55 2014 UTC (9 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.182: +11 -2 lines
Diff to previous 1.182 (colored)

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Revision 1.182 / (download) - annotate - [select for diffs], Fri Dec 12 00:02:17 2014 UTC (9 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.181: +2 -14 lines
Diff to previous 1.181 (colored)

revert chunk I didn't mean to commit yet; via jmc@

Revision 1.181 / (download) - annotate - [select for diffs], Thu Dec 11 05:25:06 2014 UTC (9 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.180: +16 -1 lines
Diff to previous 1.180 (colored)

mention AuthorizedKeysCommandUser must be set for
AuthorizedKeysCommand to be run; bz#2287

Revision 1.180 / (download) - annotate - [select for diffs], Sat Nov 22 19:21:03 2014 UTC (9 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.179: +6 -5 lines
Diff to previous 1.179 (colored)

restore word zapped in previous, and remove some useless "No" macros;

Revision 1.179 / (download) - annotate - [select for diffs], Sat Nov 22 18:15:41 2014 UTC (9 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.178: +2 -4 lines
Diff to previous 1.178 (colored)

/dev/random has created the same effect as /dev/arandom (and /dev/urandom)
for quite some time.  Mop up the last few, by using /dev/random where we
actually want it, or not even mentioning arandom where it is irrelevant.

Revision 1.178 / (download) - annotate - [select for diffs], Tue Sep 9 09:45:36 2014 UTC (9 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.177: +6 -2 lines
Diff to previous 1.177 (colored)

mention permissions on tun(4) devices in PermitTunnel documentation;
bz#2273

Revision 1.177 / (download) - annotate - [select for diffs], Sat Aug 30 16:32:25 2014 UTC (9 years, 8 months ago) by sobrado
Branch: MAIN
Changes since 1.176: +3 -3 lines
Diff to previous 1.176 (colored)

typo.

Revision 1.176 / (download) - annotate - [select for diffs], Mon Jul 28 15:40:08 2014 UTC (9 years, 9 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.175: +4 -4 lines
Diff to previous 1.175 (colored)

some systems no longer need /dev/log;
issue noticed by jirib;
ok deraadt

Revision 1.175 / (download) - annotate - [select for diffs], Tue Jul 15 15:54:14 2014 UTC (9 years, 10 months ago) by millert
Branch: MAIN
Changes since 1.174: +49 -2 lines
Diff to previous 1.174 (colored)

Add support for Unix domain socket forwarding.  A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket.  This is a reimplementation
of the streamlocal patches by William Ahern from:
    http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@

Revision 1.174 / (download) - annotate - [select for diffs], Thu Jul 3 22:40:43 2014 UTC (9 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.173: +9 -2 lines
Diff to previous 1.173 (colored)

Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@

Revision 1.173 / (download) - annotate - [select for diffs], Fri Mar 28 05:17:11 2014 UTC (10 years, 1 month ago) by naddy
Branch: MAIN
Changes since 1.172: +103 -33 lines
Diff to previous 1.172 (colored)

sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@

Revision 1.172 / (download) - annotate - [select for diffs], Thu Feb 27 22:47:07 2014 UTC (10 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.171: +6 -2 lines
Diff to previous 1.171 (colored)

bz#2184 clarify behaviour of a keyword that appears in multiple
matching Match blocks; ok dtucker@

Revision 1.171 / (download) - annotate - [select for diffs], Wed Jan 29 14:04:51 2014 UTC (10 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.170: +13 -2 lines
Diff to previous 1.170 (colored)

document kbdinteractiveauthentication;
requested From: Ross L Richardson

dtucker/markus helped explain its workings;

Revision 1.170 / (download) - annotate - [select for diffs], Sun Dec 8 09:53:27 2013 UTC (10 years, 5 months ago) by dtucker
Branch: MAIN
Changes since 1.169: +10 -10 lines
Diff to previous 1.169 (colored)

Use a literal for the default value of KEXAlgorithms.  ok deraadt jmc

Revision 1.169 / (download) - annotate - [select for diffs], Sat Dec 7 11:58:46 2013 UTC (10 years, 5 months ago) by naddy
Branch: MAIN
Changes since 1.168: +5 -3 lines
Diff to previous 1.168 (colored)

add missing mentions of ed25519; ok djm@

Revision 1.168 / (download) - annotate - [select for diffs], Thu Nov 21 08:05:09 2013 UTC (10 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.167: +2 -3 lines
Diff to previous 1.167 (colored)

no need for .Pp before displays;

Revision 1.167 / (download) - annotate - [select for diffs], Thu Nov 21 00:45:44 2013 UTC (10 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.166: +14 -4 lines
Diff to previous 1.166 (colored)

Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.

Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.

Feedback markus@, naddy@; manpage bits Loganaden Velvindron @ AfriNIC
ok markus@ naddy@

Revision 1.166 / (download) - annotate - [select for diffs], Sat Nov 2 22:39:19 2013 UTC (10 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.165: +2 -1 lines
Diff to previous 1.165 (colored)

the default kex is now curve25519-sha256@libssh.org

Revision 1.165 / (download) - annotate - [select for diffs], Tue Oct 29 18:49:32 2013 UTC (10 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.164: +3 -3 lines
Diff to previous 1.164 (colored)

pty(4), not pty(7);

Revision 1.164 / (download) - annotate - [select for diffs], Tue Oct 29 09:48:02 2013 UTC (10 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.163: +9 -2 lines
Diff to previous 1.163 (colored)

sshd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@

Revision 1.163 / (download) - annotate - [select for diffs], Thu Oct 24 00:51:48 2013 UTC (10 years, 6 months ago) by dtucker
Branch: MAIN
Changes since 1.162: +5 -3 lines
Diff to previous 1.162 (colored)

Disallow empty Match statements and add "Match all" which matches everything.
ok djm, man page help jmc@

Revision 1.162 / (download) - annotate - [select for diffs], Fri Jul 19 07:37:48 2013 UTC (10 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.161: +14 -2 lines
Diff to previous 1.161 (colored)

add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
ok djm@

Revision 1.161 / (download) - annotate - [select for diffs], Thu Jun 27 14:05:37 2013 UTC (10 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.160: +11 -28 lines
Diff to previous 1.160 (colored)

do not use Sx for sections outwith the man page - ingo informs me that
stuff like html will render with broken links;

issue reported by Eric S. Raymond, via djm

Revision 1.160 / (download) - annotate - [select for diffs], Thu May 16 06:30:06 2013 UTC (11 years ago) by jmc
Branch: MAIN
Changes since 1.159: +3 -4 lines
Diff to previous 1.159 (colored)

oops! avoid Xr to self;

Revision 1.159 / (download) - annotate - [select for diffs], Thu May 16 04:09:14 2013 UTC (11 years ago) by dtucker
Branch: MAIN
Changes since 1.158: +30 -2 lines
Diff to previous 1.158 (colored)

Add RekeyLimit to sshd with the same syntax as the client allowing rekeying
based on traffic volume or time.  ok djm@, help & ok jmc@ for the man page.

Revision 1.158 / (download) - annotate - [select for diffs], Fri Apr 19 01:00:10 2013 UTC (11 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.157: +4 -3 lines
Diff to previous 1.157 (colored)

document the requirement that the AuthorizedKeysCommand be owned by root;
ok dtucker@ markus@

Revision 1.157 / (download) - annotate - [select for diffs], Thu Mar 7 19:27:25 2013 UTC (11 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.156: +16 -2 lines
Diff to previous 1.156 (colored)

add submethod support to AuthenticationMethods; ok and feedback djm@

Revision 1.156 / (download) - annotate - [select for diffs], Wed Feb 6 00:20:42 2013 UTC (11 years, 3 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.155: +3 -3 lines
Diff to previous 1.155 (colored)

Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections.  This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000.  Prompted by nion at debian org, ok markus@

Revision 1.155 / (download) - annotate - [select for diffs], Fri Jan 18 08:00:49 2013 UTC (11 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.154: +3 -3 lines
Diff to previous 1.154 (colored)

tweak previous;

Revision 1.154 / (download) - annotate - [select for diffs], Thu Jan 17 23:00:01 2013 UTC (11 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.153: +10 -3 lines
Diff to previous 1.153 (colored)

add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.

feedback and ok markus@

Revision 1.153 / (download) - annotate - [select for diffs], Tue Jan 8 18:49:04 2013 UTC (11 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.152: +5 -2 lines
Diff to previous 1.152 (colored)

support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
ok and feedback djm@

Revision 1.152 / (download) - annotate - [select for diffs], Tue Dec 11 22:31:18 2012 UTC (11 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.151: +11 -2 lines
Diff to previous 1.151 (colored)

add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
that change the packet format and compute the MAC over the encrypted
message (including the packet size) instead of the plaintext data;
these EtM modes are considered more secure and used by default.
feedback and ok djm@

Revision 1.151 / (download) - annotate - [select for diffs], Mon Dec 3 08:33:03 2012 UTC (11 years, 5 months ago) by jmc
Branch: MAIN
Changes since 1.150: +4 -3 lines
Diff to previous 1.150 (colored)

tweak previous;

Revision 1.150 / (download) - annotate - [select for diffs], Sun Dec 2 20:46:11 2012 UTC (11 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.149: +13 -1 lines
Diff to previous 1.149 (colored)

make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@

Revision 1.149 / (download) - annotate - [select for diffs], Sun Nov 4 11:09:15 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.148: +25 -2 lines
Diff to previous 1.148 (colored)

Support multiple required authentication via an AuthenticationMethods
option. This option lists one or more comma-separated lists of
authentication method names. Successful completion of all the methods in
any list is required for authentication to complete;
feedback and ok markus@

Revision 1.148 / (download) - annotate - [select for diffs], Sun Nov 4 10:38:43 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.147: +2 -3 lines
Diff to previous 1.147 (colored)

Remove default of AuthorizedCommandUser. Administrators are now expected
to explicitly specify a user. feedback and ok markus@

Revision 1.147 / (download) - annotate - [select for diffs], Wed Oct 31 08:04:50 2012 UTC (11 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.146: +8 -6 lines
Diff to previous 1.146 (colored)

tweak previous;

Revision 1.146 / (download) - annotate - [select for diffs], Tue Oct 30 21:29:55 2012 UTC (11 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.145: +20 -2 lines
Diff to previous 1.145 (colored)

new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.

patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@

Revision 1.145 / (download) - annotate - [select for diffs], Thu Oct 4 13:21:50 2012 UTC (11 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.144: +3 -3 lines
Diff to previous 1.144 (colored)

add umac128 variant; ok djm@ at n2k12

Revision 1.144 / (download) - annotate - [select for diffs], Fri Jun 29 13:57:25 2012 UTC (11 years, 10 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.143: +4 -4 lines
Diff to previous 1.143 (colored)

match the documented MAC order of preference to the actual one; ok dtucker@

Revision 1.143 / (download) - annotate - [select for diffs], Thu Jun 28 05:07:45 2012 UTC (11 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.142: +2 -3 lines
Diff to previous 1.142 (colored)

Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
from draft6 of the spec and will not be in the RFC when published.  Patch
from mdb at juniper net via bz#2023, ok markus.

Revision 1.142 / (download) - annotate - [select for diffs], Tue Jun 19 21:35:54 2012 UTC (11 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.141: +6 -6 lines
Diff to previous 1.141 (colored)

tweak previous; ok markus

Revision 1.141 / (download) - annotate - [select for diffs], Tue Jun 19 18:25:28 2012 UTC (11 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.140: +9 -4 lines
Diff to previous 1.140 (colored)

sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)

Revision 1.140 / (download) - annotate - [select for diffs], Sat May 19 06:30:30 2012 UTC (12 years ago) by dtucker
Branch: MAIN
Changes since 1.139: +5 -2 lines
Diff to previous 1.139 (colored)

Document PermitOpen none.  bz#2001, patch from Loganaden Velvindron

Revision 1.139 / (download) - annotate - [select for diffs], Sun May 13 01:42:32 2012 UTC (12 years ago) by dtucker
Branch: MAIN
Changes since 1.138: +3 -1 lines
Diff to previous 1.138 (colored)

Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match.  Feedback and ok djm@ markus@.

Revision 1.138 / (download) - annotate - [select for diffs], Thu Apr 12 02:43:55 2012 UTC (12 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.137: +5 -3 lines
Diff to previous 1.137 (colored)

mention AuthorizedPrincipalsFile=none default

Revision 1.137 / (download) - annotate - [select for diffs], Thu Apr 12 02:42:32 2012 UTC (12 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.136: +7 -2 lines
Diff to previous 1.136 (colored)

VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@

Revision 1.136 / (download) - annotate - [select for diffs], Fri Sep 9 00:43:00 2011 UTC (12 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.135: +3 -3 lines
Diff to previous 1.135 (colored)

fix typo in IPQoS parsing: there is no "AF14" class, but there is
an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk

Revision 1.135 / (download) - annotate - [select for diffs], Tue Aug 2 01:22:11 2011 UTC (12 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.134: +5 -3 lines
Diff to previous 1.134 (colored)

Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt

feedback and ok markus@

Revision 1.134 / (download) - annotate - [select for diffs], Wed Jun 22 21:57:01 2011 UTC (12 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.133: +7 -1 lines
Diff to previous 1.133 (colored)

introduce sandboxing of the pre-auth privsep child using systrace(4).

This introduces a new "UsePrivilegeSeparation=sandbox" option for
sshd_config that applies mandatory restrictions on the syscalls the
privsep child can perform. This prevents a compromised privsep child
from being used to attack other hosts (by opening sockets and proxying)
or probing local kernel attack surface.

The sandbox is implemented using systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option.

UsePrivilegeSeparation=sandbox will become the default in the future
so please start testing it now.

feedback dtucker@; ok markus@

Revision 1.133 / (download) - annotate - [select for diffs], Mon May 23 07:10:21 2011 UTC (12 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.132: +5 -7 lines
Diff to previous 1.132 (colored)

tweak previous; ok djm

Revision 1.132 / (download) - annotate - [select for diffs], Mon May 23 03:30:07 2011 UTC (12 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.131: +7 -4 lines
Diff to previous 1.131 (colored)

allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entirely :)

feedback and ok markus@ dtucker@

Revision 1.131 / (download) - annotate - [select for diffs], Wed Dec 8 04:02:47 2010 UTC (13 years, 5 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.130: +3 -3 lines
Diff to previous 1.130 (colored)

explain that IPQoS arguments are separated by whitespace; iirc requested
by jmc@ a while back

Revision 1.130 / (download) - annotate - [select for diffs], Thu Nov 18 15:01:00 2010 UTC (13 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.129: +3 -3 lines
Diff to previous 1.129 (colored)

add IPQoS to the various -o lists, and zap some trailing whitespace;

Revision 1.129 / (download) - annotate - [select for diffs], Sat Nov 13 23:27:51 2010 UTC (13 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.128: +39 -2 lines
Diff to previous 1.128 (colored)

allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
hardcoding lowdelay/throughput.

bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@

Revision 1.128 / (download) - annotate - [select for diffs], Thu Oct 28 18:33:28 2010 UTC (13 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.127: +2 -3 lines
Diff to previous 1.127 (colored)

knock out some "-*- nroff -*-" lines;

Revision 1.127 / (download) - annotate - [select for diffs], Wed Sep 22 05:01:30 2010 UTC (13 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.126: +13 -2 lines
Diff to previous 1.126 (colored)

add a KexAlgorithms knob to the client and server configuration to allow
selection of which key exchange methods are used by ssh(1) and sshd(8)
and their order of preference.

ok markus@

Revision 1.126 / (download) - annotate - [select for diffs], Tue Aug 31 11:54:45 2010 UTC (13 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.125: +7 -5 lines
Diff to previous 1.125 (colored)

Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.

Certificate host and user keys using the new ECDSA key types are supported.

Note that this code has not been tested for interoperability and may be
subject to change.

feedback and ok markus@

Revision 1.125 / (download) - annotate - [select for diffs], Wed Jun 30 07:28:34 2010 UTC (13 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.124: +4 -4 lines
Diff to previous 1.124 (colored)

tweak previous;

Revision 1.124 / (download) - annotate - [select for diffs], Tue Jun 29 23:16:46 2010 UTC (13 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.123: +12 -3 lines
Diff to previous 1.123 (colored)

allow key options (command="..." and friends) in AuthorizedPrincipals;
ok markus@

Revision 1.123 / (download) - annotate - [select for diffs], Tue Jun 22 04:22:59 2010 UTC (13 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.122: +5 -1 lines
Diff to previous 1.122 (colored)

expose some more sshd_config options inside Match blocks:
  AuthorizedKeysFile AuthorizedPrincipalsFile
  HostbasedUsesNameFromPacketOnly PermitTunnel
bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@

Revision 1.122 / (download) - annotate - [select for diffs], Fri May 7 12:49:17 2010 UTC (14 years ago) by jmc
Branch: MAIN
Changes since 1.121: +3 -4 lines
Diff to previous 1.121 (colored)

tweak previous;

Revision 1.121 / (download) - annotate - [select for diffs], Fri May 7 11:30:30 2010 UTC (14 years ago) by djm
Branch: MAIN
Changes since 1.120: +38 -1 lines
Diff to previous 1.120 (colored)

add some optional indirection to matching of principal names listed
in certificates. Currently, a certificate must include the user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.

When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.

For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.

These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.

feedback and ok markus@

Revision 1.120 / (download) - annotate - [select for diffs], Thu Mar 4 23:17:25 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored)

missing word; spotted by jmc@

Revision 1.119 / (download) - annotate - [select for diffs], Thu Mar 4 12:51:25 2010 UTC (14 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.118: +4 -4 lines
Diff to previous 1.118 (colored)

tweak previous;

Revision 1.118 / (download) - annotate - [select for diffs], Thu Mar 4 10:36:03 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.117: +23 -2 lines
Diff to previous 1.117 (colored)

Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
are trusted to authenticate users (in addition to doing it per-user
in authorized_keys).

Add a RevokedKeys option to sshd_config and a @revoked marker to
known_hosts to allow keys to be revoked and banned for user or host
authentication.

feedback and ok markus@

Revision 1.117 / (download) - annotate - [select for diffs], Fri Feb 26 20:29:54 2010 UTC (14 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.116: +10 -2 lines
Diff to previous 1.116 (colored)

Add support for certificate key types for users and hosts.

OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.

Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
See VERIFYING HOST KEYS in ssh(1) for details.

Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.

Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.

Documentation on the format of certificates is in the file
PROTOCOL.certkeys

feedback and ok markus@

Revision 1.116 / (download) - annotate - [select for diffs], Sat Jan 9 23:04:13 2010 UTC (14 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.115: +1 -4 lines
Diff to previous 1.115 (colored)

Remove RoutingDomain from ssh since it's now not needed.  It can be replaced
with "route exec" or "nc -V" as a proxycommand.  "route exec" also ensures
that traffic such as DNS lookups stays within the specified routingdomain.

For example (from reyk):
# route -T 2 exec /usr/sbin/sshd
or inherited from the parent process
$ route -T 2 exec sh
$ ssh 10.1.2.3

ok deraadt@ markus@ stevesk@ reyk@

Revision 1.115 / (download) - annotate - [select for diffs], Tue Dec 29 18:03:32 2009 UTC (14 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.114: +5 -5 lines
Diff to previous 1.114 (colored)

sort previous;

Revision 1.114 / (download) - annotate - [select for diffs], Tue Dec 29 16:38:41 2009 UTC (14 years, 4 months ago) by stevesk
Branch: MAIN
Changes since 1.113: +3 -3 lines
Diff to previous 1.113 (colored)

Rename RDomain config option to RoutingDomain to be more clear and
consistent with other options.

NOTE: if you currently use RDomain in the ssh client or server config,
or ssh/sshd -o, you must update to use RoutingDomain.

ok markus@ djm@

Revision 1.113 / (download) - annotate - [select for diffs], Sat Dec 19 16:53:13 2009 UTC (14 years, 5 months ago) by stevesk
Branch: MAIN
Changes since 1.112: +5 -5 lines
Diff to previous 1.112 (colored)

try to clarify ChrootDirectory pathname argument a bit; resulting from
a question on openssh-unix-dev.  ok jmc@

Revision 1.112 / (download) - annotate - [select for diffs], Tue Nov 10 02:58:56 2009 UTC (14 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.111: +4 -1 lines
Diff to previous 1.111 (colored)

clarify that StrictModes does not apply to ChrootDirectory. Permissions
and ownership are always checked when chrooting. bz#1532

Revision 1.111 / (download) - annotate - [select for diffs], Wed Oct 28 21:45:08 2009 UTC (14 years, 6 months ago) by jmc
Branch: MAIN
Changes since 1.110: +5 -5 lines
Diff to previous 1.110 (colored)

tweak previous;

Revision 1.110 / (download) - annotate - [select for diffs], Wed Oct 28 16:38:18 2009 UTC (14 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.109: +4 -1 lines
Diff to previous 1.109 (colored)

Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.

ok markus@

Revision 1.109 / (download) - annotate - [select for diffs], Thu Oct 8 20:42:13 2009 UTC (14 years, 7 months ago) by jmc
Branch: MAIN
Changes since 1.108: +3 -3 lines
Diff to previous 1.108 (colored)

some tweaks now that protocol 1 is not offered by default; ok markus

Revision 1.108 / (download) - annotate - [select for diffs], Thu Oct 8 14:03:41 2009 UTC (14 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.107: +3 -3 lines
Diff to previous 1.107 (colored)

disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt

Revision 1.107 / (download) - annotate - [select for diffs], Sun Aug 16 23:29:26 2009 UTC (14 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.106: +3 -2 lines
Diff to previous 1.106 (colored)

Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)

Revision 1.106 / (download) - annotate - [select for diffs], Tue Apr 21 15:13:17 2009 UTC (15 years ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.105: +5 -2 lines
Diff to previous 1.105 (colored)

clarify we cd to user's home after chroot; ok markus@ on
earlier version; tweaks and ok jmc@

Revision 1.105 / (download) - annotate - [select for diffs], Sat Apr 18 18:39:10 2009 UTC (15 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.104: +5 -8 lines
Diff to previous 1.104 (colored)

tweak previous; ok stevesk

Revision 1.104 / (download) - annotate - [select for diffs], Fri Apr 17 19:40:17 2009 UTC (15 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.103: +9 -3 lines
Diff to previous 1.103 (colored)

clarify that even internal-sftp needs /dev/log for logging to work; ok
markus@

Revision 1.103 / (download) - annotate - [select for diffs], Mon Apr 13 19:07:44 2009 UTC (15 years, 1 month ago) by stevesk
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)

fix possessive; ok djm@

Revision 1.102 / (download) - annotate - [select for diffs], Sun Feb 22 23:59:25 2009 UTC (15 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.101: +3 -3 lines
Diff to previous 1.101 (colored)

missing period

Revision 1.101 / (download) - annotate - [select for diffs], Sun Feb 22 23:50:57 2009 UTC (15 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.100: +4 -16 lines
Diff to previous 1.100 (colored)

don't advertise experimental options

Revision 1.100 / (download) - annotate - [select for diffs], Sat Jan 24 17:10:22 2009 UTC (15 years, 3 months ago) by naddy
Branch: MAIN
Changes since 1.99: +5 -5 lines
Diff to previous 1.99 (colored)

sync list of preferred ciphers; ok djm@

Revision 1.99 / (download) - annotate - [select for diffs], Tue Dec 30 00:46:56 2008 UTC (15 years, 4 months ago) by okan
Branch: MAIN
Changes since 1.98: +3 -2 lines
Diff to previous 1.98 (colored)

add AllowAgentForwarding to available Match keywords list

ok djm

Revision 1.98 / (download) - annotate - [select for diffs], Tue Nov 4 08:22:13 2008 UTC (15 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.97: +15 -3 lines
Diff to previous 1.97 (colored)

Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it.  It isn't too intrusive." deraadt@

Revision 1.97 / (download) - annotate - [select for diffs], Thu Oct 9 03:50:54 2008 UTC (15 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.96: +3 -2 lines
Diff to previous 1.96 (colored)

support setting PermitEmptyPasswords in a Match block
requested in PR3891; ok dtucker@

Revision 1.96 / (download) - annotate - [select for diffs], Wed Jul 2 02:24:18 2008 UTC (15 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored)

increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@

Revision 1.95 / (download) - annotate - [select for diffs], Sun Jun 15 16:58:40 2008 UTC (15 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.94: +3 -2 lines
Diff to previous 1.94 (colored)

Allow MaxAuthTries within a Match block.  ok djm@

Revision 1.94 / (download) - annotate - [select for diffs], Sun Jun 15 16:55:38 2008 UTC (15 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.93: +2 -1 lines
Diff to previous 1.93 (colored)

MaxSessions is allowed in a Match block too

Revision 1.93 / (download) - annotate - [select for diffs], Tue Jun 10 07:12:00 2008 UTC (15 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.92: +5 -4 lines
Diff to previous 1.92 (colored)

tweak previous;

Revision 1.92 / (download) - annotate - [select for diffs], Tue Jun 10 04:17:46 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.91: +4 -4 lines
Diff to previous 1.91 (colored)

better reference for pattern-list

Revision 1.91 / (download) - annotate - [select for diffs], Tue Jun 10 03:57:27 2008 UTC (15 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.90: +24 -2 lines
Diff to previous 1.90 (colored)

support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
For example:

Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
    PasswordAuthentication yes

addrmatch.c code mostly lifted from flowd's addr.c

feedback and ok dtucker@

Revision 1.90 / (download) - annotate - [select for diffs], Thu May 8 12:21:16 2008 UTC (16 years ago) by djm
Branch: MAIN
Changes since 1.89: +4 -1 lines
Diff to previous 1.89 (colored)

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@

Revision 1.89 / (download) - annotate - [select for diffs], Wed May 7 08:00:14 2008 UTC (16 years ago) by jmc
Branch: MAIN
Changes since 1.88: +11 -11 lines
Diff to previous 1.88 (colored)

sort;

Revision 1.88 / (download) - annotate - [select for diffs], Wed May 7 05:49:37 2008 UTC (16 years ago) by pyr
Branch: MAIN
Changes since 1.87: +11 -2 lines
Diff to previous 1.87 (colored)

Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:

``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''

ok djm@, ok and a mild frown markus@

Revision 1.87 / (download) - annotate - [select for diffs], Sat Apr 5 02:46:02 2008 UTC (16 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.86: +3 -2 lines
Diff to previous 1.86 (colored)

HostbasedAuthentication is supported under Match too

Revision 1.86 / (download) - annotate - [select for diffs], Fri Apr 4 06:44:26 2008 UTC (16 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.85: +2 -35 lines
Diff to previous 1.85 (colored)

oops, some unrelated stuff crept into that commit - backout.
spotted by jmc@

Revision 1.85 / (download) - annotate - [select for diffs], Fri Apr 4 05:14:38 2008 UTC (16 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.84: +36 -2 lines
Diff to previous 1.84 (colored)

ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk

Revision 1.84 / (download) - annotate - [select for diffs], Tue Mar 25 11:58:02 2008 UTC (16 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.83: +5 -3 lines
Diff to previous 1.83 (colored)

ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
from dtucker@ ok deraadt@ djm@

Revision 1.83 / (download) - annotate - [select for diffs], Mon Feb 11 07:58:28 2008 UTC (16 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored)

bump Mdocdate for pages committed in "febuary", necessary because
of a typo in rcs.c;

Revision 1.82 / (download) - annotate - [select for diffs], Sun Feb 10 09:55:37 2008 UTC (16 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.81: +7 -2 lines
Diff to previous 1.81 (colored)

mention that "internal-sftp" is useful with ForceCommand too

Revision 1.81 / (download) - annotate - [select for diffs], Sat Feb 9 08:04:31 2008 UTC (16 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.80: +3 -3 lines
Diff to previous 1.80 (colored)

missing `)';

Revision 1.80 / (download) - annotate - [select for diffs], Fri Feb 8 23:24:07 2008 UTC (16 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.79: +52 -2 lines
Diff to previous 1.79 (colored)

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@

Revision 1.79 / (download) - annotate - [select for diffs], Tue Jan 1 09:27:33 2008 UTC (16 years, 4 months ago) by dtucker
Branch: MAIN
Changes since 1.78: +3 -2 lines
Diff to previous 1.78 (colored)

Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
only from the local network.  ok markus@, man page bit ok jmc@

Revision 1.78 / (download) - annotate - [select for diffs], Thu Aug 23 03:22:16 2007 UTC (16 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.77: +5 -4 lines
Diff to previous 1.77 (colored)

Support "Banner=none" to disable displaying of the pre-login banner;
ok dtucker@ deraadt@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jun 8 07:48:09 2007 UTC (16 years, 11 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.76: +5 -2 lines
Diff to previous 1.76 (colored)

oops, here too: put the MAC list into a display, like we do for
ciphers, since groff has trouble with wide lines;

Revision 1.76 / (download) - annotate - [select for diffs], Thu Jun 7 19:37:34 2007 UTC (16 years, 11 months ago) by pvalchev
Branch: MAIN
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored)

Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt

in conjunction with and OK djm@

Revision 1.75 / (download) - annotate - [select for diffs], Thu May 31 19:20:17 2007 UTC (16 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored)

convert to new .Dd format;

Revision 1.74 / (download) - annotate - [select for diffs], Thu Mar 1 16:19:33 2007 UTC (17 years, 2 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)

sort the `match' keywords;

Revision 1.73 / (download) - annotate - [select for diffs], Thu Mar 1 10:28:02 2007 UTC (17 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.72: +2 -3 lines
Diff to previous 1.72 (colored)

Remove ChallengeResponseAuthentication support inside a Match
block as its interaction with KbdInteractive makes it difficult to
support.  Also, relocate the CR/kbdint option special-case code into
servconf.  "please commit" djm@, ok markus@ for the relocation.

Revision 1.72 / (download) - annotate - [select for diffs], Mon Feb 19 10:45:58 2007 UTC (17 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.71: +9 -1 lines
Diff to previous 1.71 (colored)

Teach Match how to handle config directives that are used before authentication.
This allows configurations such as permitting password authentication from
the local net only while requiring pubkey from offsite.  ok djm@, man page
bits ok jmc@

Revision 1.71 / (download) - annotate - [select for diffs], Tue Jan 2 09:57:25 2007 UTC (17 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.70: +2 -4 lines
Diff to previous 1.70 (colored)

do not use lists for SYNOPSIS;
from eric s. raymond via brad

Revision 1.44.2.2 / (download) - annotate - [select for diffs], Fri Oct 6 03:19:33 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.44.2.1: +212 -95 lines
Diff to previous 1.44.2.1 (colored) to branchpoint 1.44 (colored) next main 1.45 (colored)

upgrade to OpenSSH 4.4

Revision 1.55.2.1 / (download) - annotate - [select for diffs], Sat Sep 30 04:06:51 2006 UTC (17 years, 7 months ago) by brad
Branch: OPENBSD_3_9
Changes since 1.55: +103 -7 lines
Diff to previous 1.55 (colored) next main 1.56 (colored)

upgrade to OpenSSH 4.4

Revision 1.70 / (download) - annotate - [select for diffs], Mon Aug 21 08:14:01 2006 UTC (17 years, 9 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.69: +18 -1 lines
Diff to previous 1.69 (colored)

Document HostbasedUsesNameFromPacketOnly.  Corrections from jmc@, ok jmc@ djm@

Revision 1.69 / (download) - annotate - [select for diffs], Mon Aug 14 12:40:25 2006 UTC (17 years, 9 months ago) by dtucker
Branch: MAIN
Changes since 1.68: +2 -1 lines
Diff to previous 1.68 (colored)

Add ability to match groups to Match keyword in sshd_config.  Feedback djm@,
stevesk@, ok stevesk@.

Revision 1.68 / (download) - annotate - [select for diffs], Fri Jul 21 12:43:36 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.67: +2 -4 lines
Diff to previous 1.67 (colored)

Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting).  This also makes it
easier to override a previously set PermitOpen.  ok djm@

Revision 1.67 / (download) - annotate - [select for diffs], Wed Jul 19 13:07:10 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.66: +14 -1 lines
Diff to previous 1.66 (colored)

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.  Feedback & ok djm@,
man page corrections & ok jmc@

Revision 1.66 / (download) - annotate - [select for diffs], Wed Jul 19 08:56:41 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.65: +5 -2 lines
Diff to previous 1.65 (colored)

Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
Match.  ok djm@

Revision 1.65 / (download) - annotate - [select for diffs], Tue Jul 18 08:22:23 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.64: +6 -5 lines
Diff to previous 1.64 (colored)

Clarify description of Match, with minor correction from jmc@

Revision 1.64 / (download) - annotate - [select for diffs], Tue Jul 18 08:03:09 2006 UTC (17 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

mark up angle brackets;

Revision 1.63 / (download) - annotate - [select for diffs], Tue Jul 18 07:50:40 2006 UTC (17 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.62: +2 -2 lines
Diff to previous 1.62 (colored)

tweak; ok dtucker

Revision 1.62 / (download) - annotate - [select for diffs], Mon Jul 17 12:06:00 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.61: +33 -3 lines
Diff to previous 1.61 (colored)

Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option.  Allows server admin to allow TCP port forwarding
only to specific host/port pairs.  Useful when combined with Match.

If permitopen is used in both sshd_config and a key option, both must allow
a given connection before it will be permitted.

Note that users can still use external forwarders such as netcat, so
those must be controlled too for the limits to be effective.

Feedback & ok djm@, man page corrections & ok jmc@.

Revision 1.61 / (download) - annotate - [select for diffs], Wed Jul 12 13:39:55 2006 UTC (17 years, 10 months ago) by jmc
Branch: MAIN
Changes since 1.60: +5 -4 lines
Diff to previous 1.60 (colored)

 - new sentence, new line
 - s/The the/The/
 - kill a bad comma

Revision 1.60 / (download) - annotate - [select for diffs], Wed Jul 12 11:34:58 2006 UTC (17 years, 10 months ago) by dtucker
Branch: MAIN
Changes since 1.59: +22 -1 lines
Diff to previous 1.59 (colored)

Add support for conditional directives to sshd_config via a "Match" keyword,
which works similarly to the "Host" directive in ssh_config.

Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg

AllowTcpForwarding yes
Match User anoncvs
        AllowTcpForwarding no

will allow port forwarding by all users except "anoncvs".

Currently only a very small subset of directives are supported.

ok djm@

Revision 1.59 / (download) - annotate - [select for diffs], Thu Jul 6 10:47:05 2006 UTC (17 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.58: +3 -3 lines
Diff to previous 1.58 (colored)

support arguments to Subsystem commands; ok markus@

Revision 1.58 / (download) - annotate - [select for diffs], Sun Jul 2 17:12:58 2006 UTC (17 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.57: +11 -4 lines
Diff to previous 1.57 (colored)

more details and clarity for tun(4) device forwarding; ok and help
jmc@

Revision 1.57 / (download) - annotate - [select for diffs], Tue Mar 14 16:32:48 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.56: +2 -1 lines
Diff to previous 1.56 (colored)

*AliveCountMax applies to protocol v2 only; ok dtucker, djm

Revision 1.56 / (download) - annotate - [select for diffs], Mon Mar 13 10:14:29 2006 UTC (18 years, 2 months ago) by dtucker
Branch: MAIN
Changes since 1.55: +4 -1 lines
Diff to previous 1.55 (colored)

Allow config directives to contain whitespace by surrounding them by double
quotes.  mindrot #482, man page help from jmc@, ok djm@

Revision 1.55 / (download) - annotate - [select for diffs], Sun Feb 26 18:01:13 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE
Branch point for: OPENBSD_3_9
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

subsection is pointless here;

Revision 1.54 / (download) - annotate - [select for diffs], Sat Feb 25 12:28:34 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.53: +25 -1 lines
Diff to previous 1.53 (colored)

document the order in which allow/deny directives are processed;
help/ok dtucker

Revision 1.53 / (download) - annotate - [select for diffs], Fri Feb 24 23:51:17 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.52: +9 -10 lines
Diff to previous 1.52 (colored)

oops - bits i missed;

Revision 1.52 / (download) - annotate - [select for diffs], Fri Feb 24 23:43:57 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.51: +50 -57 lines
Diff to previous 1.51 (colored)

some grammar/wording fixes;

Revision 1.51 / (download) - annotate - [select for diffs], Fri Feb 24 20:31:31 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.50: +4 -4 lines
Diff to previous 1.50 (colored)

more consistency fixes;

Revision 1.50 / (download) - annotate - [select for diffs], Fri Feb 24 20:22:16 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.49: +3 -3 lines
Diff to previous 1.49 (colored)

some consistency fixes;

Revision 1.49 / (download) - annotate - [select for diffs], Fri Feb 24 10:33:54 2006 UTC (18 years, 2 months ago) by jmc
Branch: MAIN
Changes since 1.48: +25 -20 lines
Diff to previous 1.48 (colored)

signpost to PATTERNS;

Revision 1.44.2.1 / (download) - annotate - [select for diffs], Fri Feb 3 03:01:58 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.44: +16 -4 lines
Diff to previous 1.44 (colored)

upgrade to OpenSSH 4.3

Revision 1.40.2.2 / (download) - annotate - [select for diffs], Fri Feb 3 02:53:46 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.40.2.1: +16 -4 lines
Diff to previous 1.40.2.1 (colored) to branchpoint 1.40 (colored) next main 1.41 (colored)

upgrade to OpenSSH 4.3

Revision 1.48 / (download) - annotate - [select for diffs], Mon Jan 2 17:09:49 2006 UTC (18 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.47: +3 -3 lines
Diff to previous 1.47 (colored)

some corrections from michael knudsen;

Revision 1.47 / (download) - annotate - [select for diffs], Thu Dec 8 18:34:11 2005 UTC (18 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.46: +7 -1 lines
Diff to previous 1.46 (colored)

two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).

ok djm@, man page bits by jmc@

Revision 1.46 / (download) - annotate - [select for diffs], Tue Dec 6 22:38:28 2005 UTC (18 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.45: +7 -1 lines
Diff to previous 1.45 (colored)

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

Revision 1.45 / (download) - annotate - [select for diffs], Wed Sep 21 23:36:54 2005 UTC (18 years, 7 months ago) by djm
Branch: MAIN
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)

aquire -> acquire, from stevesk@

Revision 1.40.2.1 / (download) - annotate - [select for diffs], Sun Sep 4 18:40:11 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.40: +21 -16 lines
Diff to previous 1.40 (colored)

upgrade to OpenSSH 4.2

Revision 1.35.2.2 / (download) - annotate - [select for diffs], Fri Sep 2 03:45:01 2005 UTC (18 years, 8 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.35.2.1: +22 -17 lines
Diff to previous 1.35.2.1 (colored) to branchpoint 1.35 (colored) next main 1.36 (colored)

upgrade to OpenSSH 4.2

Revision 1.44 / (download) - annotate - [select for diffs], Mon Jul 25 11:59:40 2005 UTC (18 years, 9 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.43: +6 -4 lines
Diff to previous 1.43 (colored)

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@

Revision 1.43 / (download) - annotate - [select for diffs], Mon May 23 23:32:46 2005 UTC (18 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.42: +6 -3 lines
Diff to previous 1.42 (colored)

add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@

Revision 1.42 / (download) - annotate - [select for diffs], Thu May 19 02:39:55 2005 UTC (19 years ago) by djm
Branch: MAIN
Changes since 1.41: +10 -10 lines
Diff to previous 1.41 (colored)

sort config options, from grunk AT pestilenz.org; ok jmc@

Revision 1.41 / (download) - annotate - [select for diffs], Thu Apr 21 06:17:50 2005 UTC (19 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored)

OpenSSH doesn't ever look at the $HOME environment variable, so don't say
that we do (bz #623); ok deraadt@

Revision 1.40 / (download) - annotate - [select for diffs], Fri Mar 18 17:05:00 2005 UTC (19 years, 2 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

typo;

Revision 1.29.2.2 / (download) - annotate - [select for diffs], Thu Mar 10 17:15:05 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.29.2.1: +24 -9 lines
Diff to previous 1.29.2.1 (colored) to branchpoint 1.29 (colored) next main 1.30 (colored)

upgrade to OpenSSH 4.0

Revision 1.35.2.1 / (download) - annotate - [select for diffs], Thu Mar 10 16:28:28 2005 UTC (19 years, 2 months ago) by brad
Branch: OPENBSD_3_6
Changes since 1.35: +24 -9 lines
Diff to previous 1.35 (colored)

upgrade to OpenSSH 4.0

Revision 1.39 / (download) - annotate - [select for diffs], Tue Mar 1 10:09:52 2005 UTC (19 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.38: +9 -6 lines
Diff to previous 1.38 (colored)

bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote forwards
to bind to client-specified ports.

ok markus@

Revision 1.38 / (download) - annotate - [select for diffs], Sat Jan 8 00:41:19 2005 UTC (19 years, 4 months ago) by jmc
Branch: MAIN
Changes since 1.37: +3 -3 lines
Diff to previous 1.37 (colored)

`login'(n) -> `log in'(v);

Revision 1.37 / (download) - annotate - [select for diffs], Thu Dec 23 23:11:00 2004 UTC (19 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.36: +12 -1 lines
Diff to previous 1.36 (colored)

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@

Revision 1.36 / (download) - annotate - [select for diffs], Wed Sep 15 03:25:41 2004 UTC (19 years, 8 months ago) by jaredy
Branch: MAIN
Changes since 1.35: +3 -2 lines
Diff to previous 1.35 (colored)

mention PrintLastLog only prints last login time for interactive
sessions, like PrintMotd mentions.

From Michael Knudsen, with wording changed slightly to match the
PrintMotd description.

ok djm

Revision 1.25.2.2 / (download) - annotate - [select for diffs], Thu Aug 19 22:37:33 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.25.2.1: +46 -7 lines
Diff to previous 1.25.2.1 (colored) to branchpoint 1.25 (colored) next main 1.26 (colored)

upgrade to OpenSSH 3.9

Revision 1.29.2.1 / (download) - annotate - [select for diffs], Thu Aug 19 04:13:28 2004 UTC (19 years, 9 months ago) by brad
Branch: OPENBSD_3_5
Changes since 1.29: +41 -7 lines
Diff to previous 1.29 (colored)

upgrade to OpenSSH 3.9

Revision 1.35 / (download) - annotate - [select for diffs], Sat Jun 26 09:14:40 2004 UTC (19 years, 10 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.34: +5 -3 lines
Diff to previous 1.34 (colored)

new sentence, new line;

Revision 1.34 / (download) - annotate - [select for diffs], Sun Jun 13 14:01:42 2004 UTC (19 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.33: +13 -1 lines
Diff to previous 1.33 (colored)

List supported ciphers in man pages, tidy up ssh -c;
"looks fine" jmc@, ok markus@

Revision 1.33 / (download) - annotate - [select for diffs], Sun May 23 23:59:53 2004 UTC (19 years, 11 months ago) by dtucker
Branch: MAIN
Changes since 1.32: +5 -1 lines
Diff to previous 1.32 (colored)

Add MaxAuthTries sshd config option; ok markus@

Revision 1.32 / (download) - annotate - [select for diffs], Wed Apr 28 07:02:56 2004 UTC (20 years ago) by jmc
Branch: MAIN
Changes since 1.31: +1 -8 lines
Diff to previous 1.31 (colored)

remove unnecessary .Pp;

Revision 1.31 / (download) - annotate - [select for diffs], Wed Apr 28 05:17:10 2004 UTC (20 years ago) by djm
Branch: MAIN
Changes since 1.30: +4 -4 lines
Diff to previous 1.30 (colored)

manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)

Revision 1.30 / (download) - annotate - [select for diffs], Tue Apr 27 09:46:37 2004 UTC (20 years ago) by djm
Branch: MAIN
Changes since 1.29: +24 -1 lines
Diff to previous 1.29 (colored)

bz #815: implement ability to pass specified environment variables from the
client to the server; ok markus@

Revision 1.29 / (download) - annotate - [select for diffs], Mon Mar 8 10:18:57 2004 UTC (20 years, 2 months ago) by dtucker
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE
Branch point for: OPENBSD_3_5
Changes since 1.28: +6 -1 lines
Diff to previous 1.28 (colored)

Document KerberosGetAFSToken;  ok markus@

Revision 1.14.2.3 / (download) - annotate - [select for diffs], Thu Mar 4 18:18:17 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.14.2.2: +25 -32 lines
Diff to previous 1.14.2.2 (colored) to branchpoint 1.14 (colored) next main 1.15 (colored)

upgrade to OpenSSH 3.8

Revision 1.25.2.1 / (download) - annotate - [select for diffs], Sat Feb 28 03:51:34 2004 UTC (20 years, 2 months ago) by brad
Branch: OPENBSD_3_4
Changes since 1.25: +25 -32 lines
Diff to previous 1.25 (colored)

upgrade to OpenSSH 3.8

Revision 1.28 / (download) - annotate - [select for diffs], Tue Feb 17 19:35:21 2004 UTC (20 years, 3 months ago) by jmc
Branch: MAIN
Changes since 1.27: +1 -8 lines
Diff to previous 1.27 (colored)

remove cruft left over from RhostsAuthentication removal;
ok markus@

Revision 1.27 / (download) - annotate - [select for diffs], Tue Dec 9 21:53:37 2003 UTC (20 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.26: +24 -24 lines
Diff to previous 1.26 (colored)

rename keepalive to tcpkeepalive; the old name causes too much
confusion; ok djm, dtucker; with help from jmc@

Revision 1.26 / (download) - annotate - [select for diffs], Fri Nov 21 11:57:03 2003 UTC (20 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored)

unexpand and delete whitespace at EOL; ok markus@

Revision 1.13.2.3 / (download) - annotate - [select for diffs], Tue Sep 16 21:20:29 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_2
Changes since 1.13.2.2: +51 -51 lines
Diff to previous 1.13.2.2 (colored) to branchpoint 1.13 (colored) next main 1.14 (colored)

upgrade to OpenSSH 3.7

Revision 1.14.2.2 / (download) - annotate - [select for diffs], Tue Sep 16 20:50:44 2003 UTC (20 years, 8 months ago) by brad
Branch: OPENBSD_3_3
Changes since 1.14.2.1: +51 -51 lines
Diff to previous 1.14.2.1 (colored) to branchpoint 1.14 (colored)

upgrade to OpenSSH 3.7

Revision 1.25 / (download) - annotate - [select for diffs], Mon Sep 1 09:50:04 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE
Branch point for: OPENBSD_3_4
Changes since 1.24: +2 -4 lines
Diff to previous 1.24 (colored)

gss kex is not supported; sxw@inf.ed.ac.uk

Revision 1.24 / (download) - annotate - [select for diffs], Thu Aug 28 12:54:34 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.23: +3 -9 lines
Diff to previous 1.23 (colored)

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

Revision 1.23 / (download) - annotate - [select for diffs], Fri Aug 22 10:56:09 2003 UTC (20 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.22: +14 -1 lines
Diff to previous 1.22 (colored)

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.

Revision 1.22 / (download) - annotate - [select for diffs], Wed Aug 13 08:46:31 2003 UTC (20 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.21: +1 -6 lines
Diff to previous 1.21 (colored)

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others

Revision 1.21 / (download) - annotate - [select for diffs], Tue Jul 22 13:35:22 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.20: +2 -7 lines
Diff to previous 1.20 (colored)

remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
test+ok henning@

Revision 1.20 / (download) - annotate - [select for diffs], Fri Jun 20 05:47:58 2003 UTC (20 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

sync description of protocol 2 cipher proposal; ok markus

Revision 1.19 / (download) - annotate - [select for diffs], Tue Jun 10 09:12:12 2003 UTC (20 years, 11 months ago) by jmc
Branch: MAIN
Changes since 1.18: +4 -5 lines
Diff to previous 1.18 (colored)

- section reorder
- COMPATIBILITY merge
- macro cleanup
- kill whitespace at EOL
- new sentence, new line

ssh pages ok markus@

Revision 1.18 / (download) - annotate - [select for diffs], Mon Jun 2 09:17:34 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.17: +9 -9 lines
Diff to previous 1.17 (colored)

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

Revision 1.17 / (download) - annotate - [select for diffs], Tue May 20 12:09:32 2003 UTC (21 years ago) by jmc
Branch: MAIN
Changes since 1.16: +22 -16 lines
Diff to previous 1.16 (colored)

new sentence, new line

Revision 1.14.2.1 / (download) - annotate - [select for diffs], Sun May 11 12:01:52 2003 UTC (21 years ago) by margarida
Branch: OPENBSD_3_3
Changes since 1.14: +17 -13 lines
Diff to previous 1.14 (colored)

Update OpenSSH to version 3.6.1

Revision 1.16 / (download) - annotate - [select for diffs], Wed Apr 30 01:16:20 2003 UTC (21 years ago) by mouring
Branch: MAIN
Changes since 1.15: +5 -5 lines
Diff to previous 1.15 (colored)

Escape ?, * and ! in .Ql for nroff compatibility.  OpenSSH Portable Bug #550
and * escaping suggested by jmc@.

Revision 1.13.2.2 / (download) - annotate - [select for diffs], Thu Apr 3 23:27:13 2003 UTC (21 years, 1 month ago) by margarida
Branch: OPENBSD_3_2
Changes since 1.13.2.1: +17 -13 lines
Diff to previous 1.13.2.1 (colored) to branchpoint 1.13 (colored)

Update to OpenSSH 3.6.1

Revision 1.4.2.3 / (download) - annotate - [select for diffs], Thu Apr 3 22:35:18 2003 UTC (21 years, 1 month ago) by miod
Branch: OPENBSD_3_1
Changes since 1.4.2.2: +18 -14 lines
Diff to previous 1.4.2.2 (colored) next main 1.5 (colored)

Merge OpenSSH 3.6.1

Revision 1.13.2.1 / (download) - annotate - [select for diffs], Tue Apr 1 00:12:14 2003 UTC (21 years, 1 month ago) by margarida
Branch: OPENBSD_3_2
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

Update to OpenSSH 3.6

Revision 1.15 / (download) - annotate - [select for diffs], Fri Mar 28 10:11:43 2003 UTC (21 years, 1 month ago) by jmc
Branch: MAIN
Changes since 1.14: +17 -13 lines
Diff to previous 1.14 (colored)

- killed whitespace
- new sentence new line
- .Bk for arguments

ok markus@

Revision 1.14 / (download) - annotate - [select for diffs], Thu Jan 23 08:58:47 2003 UTC (21 years, 3 months ago) by jmc
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE
Branch point for: OPENBSD_3_3
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

typos;
ok millert@

Revision 1.3.2.3 / (download) - annotate - [select for diffs], Fri Oct 11 14:53:07 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.3.2.2: +54 -8 lines
Diff to previous 1.3.2.2 (colored) next main 1.4 (colored)

Update to OpenSSH 3.5

Revision 1.4.2.2 / (download) - annotate - [select for diffs], Fri Oct 11 14:51:53 2002 UTC (21 years, 7 months ago) by miod
Branch: OPENBSD_3_1
Changes since 1.4.2.1: +54 -8 lines
Diff to previous 1.4.2.1 (colored)

Update to OpenSSH 3.5

Revision 1.13 / (download) - annotate - [select for diffs], Mon Sep 16 20:12:11 2002 UTC (21 years, 8 months ago) by stevesk
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.12: +28 -3 lines
Diff to previous 1.12 (colored)

more details on X11Forwarding security issues and threats; ok markus@

Revision 1.12 / (download) - annotate - [select for diffs], Wed Sep 4 18:52:42 2002 UTC (21 years, 8 months ago) by stevesk
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

default LoginGraceTime to 2m; 1m may be too short for slow systems.
ok markus@

Revision 1.11 / (download) - annotate - [select for diffs], Thu Aug 29 22:54:10 2002 UTC (21 years, 8 months ago) by stevesk
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

state XAuthLocation is a full pathname

Revision 1.10 / (download) - annotate - [select for diffs], Wed Aug 21 19:38:06 2002 UTC (21 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

change LoginGraceTime default to 1 minute; ok mouring@ markus@

Revision 1.9 / (download) - annotate - [select for diffs], Mon Aug 12 17:30:35 2002 UTC (21 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.8: +7 -8 lines
Diff to previous 1.8 (colored)

more PermitUserEnvironment; ok markus@

Revision 1.8 / (download) - annotate - [select for diffs], Fri Aug 9 17:41:12 2002 UTC (21 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

proxy vs. fake display

Revision 1.7 / (download) - annotate - [select for diffs], Fri Aug 9 17:21:42 2002 UTC (21 years, 9 months ago) by stevesk
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

use Op for mdoc conformance; from esr@golux.thyrsus.com
ok aaron@

Revision 1.6 / (download) - annotate - [select for diffs], Tue Jul 30 17:03:55 2002 UTC (21 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.5: +16 -1 lines
Diff to previous 1.5 (colored)

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt

Revision 1.5 / (download) - annotate - [select for diffs], Tue Jul 9 17:46:25 2002 UTC (21 years, 10 months ago) by stevesk
Branch: MAIN
Changes since 1.4: +9 -2 lines
Diff to previous 1.4 (colored)

clarify no preference ordering in protocol list; ok markus@

Revision 1.3.2.2 / (download) - annotate - [select for diffs], Wed Jun 26 18:22:37 2002 UTC (21 years, 10 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.3.2.1: +2 -2 lines
Diff to previous 1.3.2.1 (colored)

There was an update to OpenSSH 3.4, and people rejoiced.

Revision 1.4.2.1 / (download) - annotate - [select for diffs], Wed Jun 26 15:30:39 2002 UTC (21 years, 10 months ago) by jason
Branch: OPENBSD_3_1
Changes since 1.4: +1 -1 lines
Diff to previous 1.4 (colored)

Pull in OpenSSH-3.4

Revision 1.4 / (download) - annotate - [select for diffs], Sat Jun 22 16:45:29 2002 UTC (21 years, 10 months ago) by stevesk
Branch: MAIN
Branch point for: OPENBSD_3_1
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

use process ID vs. pid/PID/process identifier

Revision 1.3.2.1 / (download) - annotate - [select for diffs], Sat Jun 22 07:23:18 2002 UTC (21 years, 11 months ago) by miod
Branch: OPENBSD_3_0
Changes since 1.3: +7 -7 lines
Diff to previous 1.3 (colored)

Update OpenSSH to version 3.3 (with local changes, configuration files still
living in /etc and privsep user being nobody).

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jun 20 23:37:12 2002 UTC (21 years, 11 months ago) by markus
Branch: MAIN
Branch point for: OPENBSD_3_0
Changes since 1.2: +9 -1 lines
Diff to previous 1.2 (colored)

add Compression

Revision 1.2 / (download) - annotate - [select for diffs], Thu Jun 20 20:21:23 2002 UTC (21 years, 11 months ago) by stevesk
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

typo

Revision 1.1 / (download) - annotate - [select for diffs], Thu Jun 20 19:56:07 2002 UTC (21 years, 11 months ago) by stevesk
Branch: MAIN

move configuration file options from ssh.1/sshd.8 to
ssh_config.5/sshd_config.5; ok deraadt@ millert@
