Commit Graph

157 Commits

Author SHA1 Message Date
Darren Tucker
ecbf14aa53 - naddy@cvs.openbsd.org 2012/06/29 13:57:25
[ssh_config.5 sshd_config.5]
     match the documented MAC order of preference to the actual one;
     ok dtucker@
2012-07-02 18:53:37 +10:00
Damien Miller
db4f8e8618 - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
[mac.c myproposal.h ssh_config.5 sshd_config.5]
     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
     from draft6 of the spec and will not be in the RFC when published.  Patch
     from mdb at juniper net via bz#2023, ok markus.
2012-06-30 08:34:59 +10:00
Damien Miller
7192433633 - dtucker@cvs.openbsd.org 2012/06/18 11:49:58
[ssh_config.5]
     RSA instead of DSA twice.  From Steve.McClellan at radisys com
2012-06-20 21:52:38 +10:00
Damien Miller
f6e758cdba - djm@cvs.openbsd.org 2011/09/09 00:43:00
[ssh_config.5 sshd_config.5]
     fix typo in IPQoS parsing: there is no "AF14" class, but there is
     an "AF21" class. Spotted by giesen AT snickers.org; ok markus stevesk
2011-09-22 21:37:13 +10:00
Damien Miller
20bd4535c0 - djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     Add new SHA256 and SHA512 based HMAC modes from
     http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
     Patch from mdb AT juniper.net; feedback and ok markus@
2011-08-06 06:17:30 +10:00
Damien Miller
6029e076b2 - djm@cvs.openbsd.org 2011/06/04 00:10:26
[ssh_config.5]
     explain IdentifyFile's semantics a little better, prompted by bz#1898
     ok dtucker jmc
2011-06-20 14:22:49 +10:00
Damien Miller
295ee63ab2 - djm@cvs.openbsd.org 2011/05/24 07:15:47
[readconf.c readconf.h ssh.c ssh_config.5 sshconnect.c sshconnect2.c]
     Remove undocumented legacy options UserKnownHostsFile2 and
     GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile
     accept multiple paths per line and making their defaults include
     known_hosts2; ok markus
2011-05-29 21:42:31 +10:00
Damien Miller
486dd2eadb - jmc@cvs.openbsd.org 2011/05/07 23:19:39
[ssh_config.5]
     - tweak previous
     - come consistency fixes

     ok djm
2011-05-15 08:47:18 +10:00
Damien Miller
21771e22d3 - djm@cvs.openbsd.org 2011/05/06 21:34:32
[clientloop.c mux.c readconf.c readconf.h ssh.c ssh_config.5]
     Add a RequestTTY ssh_config option to allow configuration-based
     control over tty allocation (like -t/-T); ok markus@
2011-05-15 08:45:50 +10:00
Damien Miller
fe92421772 - djm@cvs.openbsd.org 2011/05/06 21:31:38
[readconf.c ssh_config.5]
     support negated Host matching, e.g.

     Host *.example.org !c.example.org
        User mekmitasdigoat

     Will match "a.example.org", "b.example.org", but not "c.example.org"
     ok markus@
2011-05-15 08:44:45 +10:00
Damien Miller
dfc85fa181 - djm@cvs.openbsd.org 2011/05/06 21:18:02
[ssh.c ssh_config.5]
     add a %L expansion (short-form of the local host name) for ControlPath;
     sync some more expansions with LocalCommand; ok markus@
2011-05-15 08:44:02 +10:00
Damien Miller
928362dc03 - djm@cvs.openbsd.org 2010/12/08 04:02:47
[ssh_config.5 sshd_config.5]
     explain that IPQoS arguments are separated by whitespace; iirc requested
     by jmc@ a while back
2010-12-26 14:26:45 +11:00
Damien Miller
d925dcd8a5 - djm@cvs.openbsd.org 2010/11/29 23:45:51
[auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
     [sshconnect.h sshconnect2.c]
     automatically order the hostkeys requested by the client based on
     which hostkeys are already recorded in known_hosts. This avoids
     hostkey warnings when connecting to servers with new ECDSA keys
     that are preferred by default; with markus@
2010-12-01 12:21:51 +11:00
Damien Miller
8e1ea4e5a3 - jmc@cvs.openbsd.org 2010/11/15 07:40:14
[ssh_config.5]
     libary -> library;
2010-11-20 15:20:10 +11:00
Damien Miller
0dac6fb6b2 - djm@cvs.openbsd.org 2010/11/13 23:27:51
[clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h]
     [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5]
     allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of
     hardcoding lowdelay/throughput.

     bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
2010-11-20 15:19:38 +11:00
Damien Miller
55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller
7fe2b1fec3 - jmc@cvs.openbsd.org 2010/09/22 08:30:08
[ssh.1 ssh_config.5]
     ssh.1: add kexalgorithms to the -o list
     ssh_config.5: format the kexalgorithms in a more consistent
     (prettier!) way
     ok djm
2010-09-24 22:11:53 +10:00
Damien Miller
d5f62bf280 - djm@cvs.openbsd.org 2010/09/22 05:01:30
[kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h]
     [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5]
     add a KexAlgorithms knob to the client and server configuration to allow
     selection of which key exchange methods are used by ssh(1) and sshd(8)
     and their order of preference.
     ok markus@
2010-09-24 22:11:14 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
7fa96602e5 - djm@cvs.openbsd.org 2010/08/04 05:37:01
[ssh.1 ssh_config.5 sshd.8]
     Remove mentions of weird "addr/port" alternate address format for IPv6
     addresses combinations. It hasn't worked for ages and we have supported
     the more commen "[addr]:port" format for a long time. ok jmc@ markus@
2010-08-05 13:03:13 +10:00
Damien Miller
e11e1ea5d4 - djm@cvs.openbsd.org 2010/07/19 09:15:12
[clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
     add a "ControlPersist" option that automatically starts a background
     ssh(1) multiplex master when connecting. This connection can stay alive
     indefinitely, or can be set to automatically close after a user-specified
     duration of inactivity. bz#1330 - patch by dwmw2 AT infradead.org, but
     further hacked on by wmertens AT cisco.com, apb AT cequrux.com,
     martin-mindrot-bugzilla AT earth.li and myself; "looks ok" markus@
2010-08-03 16:04:46 +10:00
Damien Miller
d0244d498b - djm@cvs.openbsd.org 2010/07/12 22:41:13
[ssh.c ssh_config.5]
     expand %h to the hostname in ssh_config Hostname options. While this
     sounds useless, it is actually handy for working with unqualified
     hostnames:

     Host *.*
        Hostname %h
     Host *
        Hostname %h.example.org

     "I like it" markus@
2010-07-16 13:56:43 +10:00
Damien Miller
cede1dbc55 - jmc@cvs.openbsd.org 2010/06/26 00:57:07
[ssh_config.5]
     tweak previous;
2010-07-02 13:33:48 +10:00
Damien Miller
1ab6a51f9b - djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
2010-06-26 10:02:24 +10:00
Damien Miller
c4eddee1b7 - OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2010/04/16 06:45:01
     [ssh_config.5]
     tweak previous; ok djm
2010-04-18 08:07:43 +10:00
Damien Miller
b1b17047e3 - djm@cvs.openbsd.org 2010/04/14 22:27:42
[ssh_config.5 sshconnect.c]
     expand %r => remote username in ssh_config:ProxyCommand;
     ok deraadt markus
2010-04-16 15:54:19 +10:00
Damien Miller
544378da56 - jmc@cvs.openbsd.org 2010/03/27 14:26:55
[ssh_config.5]
     tweak previous; ok dtucker
2010-04-16 15:52:24 +10:00
Darren Tucker
ce3754bbf3 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
[ssh_config.5]
     Reformat default value of PreferredAuthentications entry (current
     formatting implies ", " is acceptable as a separator, which it's not.
     ok djm@
2010-03-26 12:09:13 +11:00
Damien Miller
5059d8d7e6 - djm@cvs.openbsd.org 2010/03/05 10:28:21
[ssh-add.1 ssh.1 ssh_config.5]
     mention loading of certificate files from [private]-cert.pub when
     they are present; feedback and ok jmc@
2010-03-05 21:31:11 +11:00
Damien Miller
a761844455 - markus@cvs.openbsd.org 2010/02/10 23:20:38
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
     pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00
Damien Miller
7ea845e48d - markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
2010-02-12 09:21:02 +11:00
Darren Tucker
7bd98e7f74 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 10:31:12 +11:00
Darren Tucker
98e5d9a0d3 - jmc@cvs.openbsd.org 2009/12/29 18:03:32
[sshd_config.5 ssh_config.5]
     sort previous;
2010-01-08 18:57:39 +11:00
Darren Tucker
535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker
78be8c54d6 - djm@cvs.openbsd.org 2009/11/10 02:56:22
[ssh_config.5]
     explain the constraints on LocalCommand some more so people don't
     try to abuse it.
2010-01-08 17:05:59 +11:00
Darren Tucker
34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker
7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker
bad5076bb5 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
     disable protocol 1 by default (after a transition period of about 10 years)
     ok deraadt
2009-10-11 21:51:08 +11:00
Damien Miller
1991384764 - djm@cvs.openbsd.org 2009/02/22 23:50:57
[ssh_config.5 sshd_config.5]
     don't advertise experimental options
2009-02-23 10:53:58 +11:00
Damien Miller
e379e10837 - jmc@cvs.openbsd.org 2009/02/12 07:34:20
[ssh_config.5]
     kill trailing whitespace;
2009-02-14 16:34:39 +11:00
Damien Miller
85c6d8a991 - djm@cvs.openbsd.org 2009/02/12 03:46:17
[ssh_config.5]
     document RemoteForward usage with 0 listen port
2009-02-14 16:34:21 +11:00
Damien Miller
9aa72ba57a - naddy@cvs.openbsd.org 2009/01/24 17:10:22
[ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
2009-01-28 16:34:00 +11:00
Damien Miller
01ed2272a1 - djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@
2008-11-05 16:20:46 +11:00
Damien Miller
a414cd3b19 - stevesk@cvs.openbsd.org 2008/10/17 18:36:24
[ssh_config.5]
     correct and clarify VisualHostKey; ok jmc@
2008-11-03 19:25:21 +11:00
Damien Miller
de7532e1d4 - stevesk@cvs.openbsd.org 2008/10/10 16:43:27
[ssh_config.5]
     use 'Privileged ports can be forwarded only when logging in as root on
     the remote machine.' for RemoteForward just like ssh.1 -R.
     ok djm@ jmc@
2008-11-03 19:24:45 +11:00
Damien Miller
fa51b1626c - krw@cvs.openbsd.org 2008/08/02 04:29:51
[ssh_config.5]
     whitepsace -> whitespace. From Matthew Clarke via bugs@.
2008-11-03 19:17:33 +11:00
Damien Miller
1028824e5c - grunk@cvs.openbsd.org 2008/06/26 11:46:31
[readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c]
     Move SSH Fingerprint Visualization away from sharing the config option
     CheckHostIP to an own config option named VisualHostKey.
     While there, fix the behaviour that ssh would draw a random art picture
     on every newly seen host even when the option was not enabled.
     prodded by deraadt@, discussions,
     help and ok markus@ djm@ dtucker@
2008-06-30 00:04:03 +10:00
Darren Tucker
f09e825329 - jmc@cvs.openbsd.org 2008/06/12 19:10:09
[ssh_config.5 ssh-keygen.1]
     tweak the ascii art text; ok grunk
2008-06-13 05:18:03 +10:00
Darren Tucker
f6b01b758f - dtucker@cvs.openbsd.org 2008/06/12 16:35:31
[ssh_config.5 ssh.c]
     keyword expansion for localcommand.  ok djm@
2008-06-13 04:56:37 +10:00
Darren Tucker
dcc1ab5483 - grunk@cvs.openbsd.org 2008/06/11 23:03:56
[ssh_config.5]
     CheckHostIP set to ``fingerprint'' will display both hex and random art
     spotted by naddy@
2008-06-13 04:44:25 +10:00