[ssh_config.5 sshd_config.5]
     sync available and default algorithms, improve algorithm list formatting
     help from jmc@ and schwarze@, ok deraadt@
This commit is contained in:
Damien Miller 2014-04-20 13:22:46 +10:00
parent f2719b7c2b
commit c1621c84f2
3 changed files with 153 additions and 61 deletions

View File

@ -61,6 +61,10 @@
- tedu@cvs.openbsd.org 2014/03/26 19:58:37 - tedu@cvs.openbsd.org 2014/03/26 19:58:37
[sshd.8 sshd.c] [sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl remove libwrap support. ok deraadt djm mfriedl
- naddy@cvs.openbsd.org 2014/03/28 05:17:11
[ssh_config.5 sshd_config.5]
sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@
20140401 20140401
- (djm) On platforms that support it, use prctl() to prevent sftp-server - (djm) On platforms that support it, use prctl() to prevent sftp-server

View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $ .\" $OpenBSD: ssh_config.5,v 1.186 2014/03/28 05:17:11 naddy Exp $
.Dd $Mdocdate: February 23 2014 $ .Dd $Mdocdate: March 28 2014 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -342,30 +342,47 @@ in order of preference.
Multiple ciphers must be comma-separated. Multiple ciphers must be comma-separated.
The supported ciphers are: The supported ciphers are:
.Pp .Pp
.Dq 3des-cbc , .Bl -item -compact -offset indent
.Dq aes128-cbc , .It
.Dq aes192-cbc , 3des-cbc
.Dq aes256-cbc , .It
.Dq aes128-ctr , aes128-cbc
.Dq aes192-ctr , .It
.Dq aes256-ctr , aes192-cbc
.Dq aes128-gcm@openssh.com , .It
.Dq aes256-gcm@openssh.com , aes256-cbc
.Dq arcfour128 , .It
.Dq arcfour256 , aes128-ctr
.Dq arcfour , .It
.Dq blowfish-cbc , aes192-ctr
.Dq cast128-cbc , .It
and aes256-ctr
.Dq chacha20-poly1305@openssh.com . .It
aes128-gcm@openssh.com
.It
aes256-gcm@openssh.com
.It
arcfour
.It
arcfour128
.It
arcfour256
.It
blowfish-cbc
.It
cast128-cbc
.It
chacha20-poly1305@openssh.com
.El
.Pp .Pp
The default is: The default is:
.Bd -literal -offset 3n .Bd -literal -offset indent
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com, chacha20-poly1305@openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc, arcfour256,arcfour128,
aes256-cbc,arcfour aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
aes192-cbc,aes256-cbc,arcfour
.Ed .Ed
.Pp .Pp
The list of available ciphers may also be obtained using the The list of available ciphers may also be obtained using the
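Review bot: the default block changes negotiation preference, not just layout: arcfour256,arcfour128 move from directly after the CTR modes to after chacha20-poly1305@openssh.com, so the AEAD ciphers now outrank RC4 on the client. That lines up with the sshd_config.5 hunk in this commit, where the server default is exactly the first six entries here, so the client default now reads as "server default, then legacy ciphers"; it is worth saying so in the prose, because the client list still ends with the CBC modes and arcfour that the server no longer offers by default. The supported list is also re-sorted (arcfour now precedes arcfour128 and arcfour256), which is fine for a reference list, but it means the `.Bl -item -compact` entries are no longer in preference order, so the "in order of preference" wording in this hunk's context applies to the configured Ciphers value and to the default block, not to the supported list.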
@ -893,8 +910,8 @@ The default is:
curve25519-sha256@libssh.org, curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1, diffie-hellman-group14-sha1,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group1-sha1 diffie-hellman-group1-sha1
.Ed .Ed
.It Cm LocalCommand .It Cm LocalCommand
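Review bot: this hunk only moves diffie-hellman-group14-sha1 ahead of diffie-hellman-group-exchange-sha1 in the client default; unlike the sshd_config.5 change in the same commit, ssh_config.5 gets no "The supported algorithms are:" list for KexAlgorithms (and none for MACs either), so the two manual pages now document the same options asymmetrically. Consider adding the same `.Bl -item -compact -offset indent` list here so the client page enumerates the key exchange names a user may put in KexAlgorithms without having to consult sshd_config(5).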
@ -974,13 +991,14 @@ calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended. These are considered safer and their use recommended.
The default is: The default is:
.Bd -literal -offset indent .Bd -literal -offset indent
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com, umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com,
hmac-md5-96-etm@openssh.com, hmac-sha2-256,hmac-sha2-512,
hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com, hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-ripemd160-etm@openssh.com,
hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
hmac-md5,hmac-sha1,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96 hmac-sha1-96,hmac-md5-96
.Ed .Ed
.It Cm NoHostAuthenticationForLocalhost .It Cm NoHostAuthenticationForLocalhost
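Review bot: the reordered default is grouped by hash family rather than by the -etm property: the non-etm umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256 and hmac-sha2-512 now rank above hmac-md5-etm@openssh.com and hmac-sha1-etm@openssh.com, immediately after the sentence recommending the -etm variants as safer. The ordering matches the sshd_config.5 default in this commit (the first eight entries are the server's entire default), so it is presumably intended, but a clarifying phrase, e.g. that the default prefers UMAC and SHA-2 over MD5 and SHA-1 first and encrypt-then-MAC second, would keep readers from taking the preceding sentence as a promise that every -etm MAC outranks every non-etm one.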

View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
.Dd $Mdocdate: February 27 2014 $ .Dd $Mdocdate: March 28 2014 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -337,30 +337,44 @@ Specifies the ciphers allowed for protocol version 2.
Multiple ciphers must be comma-separated. Multiple ciphers must be comma-separated.
The supported ciphers are: The supported ciphers are:
.Pp .Pp
.Dq 3des-cbc , .Bl -item -compact -offset indent
.Dq aes128-cbc , .It
.Dq aes192-cbc , 3des-cbc
.Dq aes256-cbc , .It
.Dq aes128-ctr , aes128-cbc
.Dq aes192-ctr , .It
.Dq aes256-ctr , aes192-cbc
.Dq aes128-gcm@openssh.com , .It
.Dq aes256-gcm@openssh.com , aes256-cbc
.Dq arcfour128 , .It
.Dq arcfour256 , aes128-ctr
.Dq arcfour , .It
.Dq blowfish-cbc , aes192-ctr
.Dq cast128-cbc , .It
and aes256-ctr
.Dq chacha20-poly1305@openssh.com . .It
aes128-gcm@openssh.com
.It
aes256-gcm@openssh.com
.It
arcfour
.It
arcfour128
.It
arcfour256
.It
blowfish-cbc
.It
cast128-cbc
.It
chacha20-poly1305@openssh.com
.El
.Pp .Pp
The default is: The default is:
.Bd -literal -offset 3n .Bd -literal -offset indent
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com, chacha20-poly1305@openssh.com
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
.Ed .Ed
.Pp .Pp
The list of available ciphers may also be obtained using the The list of available ciphers may also be obtained using the
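Review bot: the server default shrinks from fifteen ciphers to six (aes128-ctr, aes192-ctr, aes256-ctr, the two AES-GCM modes and chacha20-poly1305@openssh.com); the CBC modes, 3des-cbc and the arcfour variants stay in the supported list but drop out of the default. The text never says what "supported but not default" means for an administrator, so consider a sentence after the default block stating that any listed cipher can still be enabled by naming it in Ciphers, and that a client offering only the dropped ciphers will fail to negotiate with a default sshd; that is the operational consequence an upgrader will hit, and the commit message's "sync" wording does not flag it.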
@ -672,14 +686,33 @@ The default is
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
The default is The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
.It
curve25519-sha256@libssh.org
.It
diffie-hellman-group1-sha1
.It
diffie-hellman-group14-sha1
.It
diffie-hellman-group-exchange-sha1
.It
diffie-hellman-group-exchange-sha256
.It
ecdh-sha2-nistp256
.It
ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.El
.Pp
The default is:
.Bd -literal -offset indent .Bd -literal -offset indent
curve25519-sha256@libssh.org, curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
.Ed .Ed
.It Cm KeyRegenerationInterval .It Cm KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically regenerated In protocol version 1, the ephemeral server key is automatically regenerated
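Review bot: the new supported list is alphabetical (diffie-hellman-group1-sha1, then diffie-hellman-group14-sha1, then the group-exchange variants, then ecdh-sha2-nistp*) while the default block below it is in preference order, and the section does not say which is which; repeating the Ciphers section's "in order of preference" wording on "The default is:" would remove the ambiguity. Good that "The default is" gains its missing colon to match the other sections. The trimmed default keeps only curve25519-sha256@libssh.org, the three ecdh-sha2-nistp* groups, diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha1, so diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 are now opt-in on the server side; the ssh_config.5 hunk in this commit leaves both in the client default, which is consistent with the client connecting to older servers but worth a word in the prose.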
@ -751,16 +784,53 @@ The algorithms that contain
.Dq -etm .Dq -etm
calculate the MAC after encryption (encrypt-then-mac). calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended. These are considered safer and their use recommended.
The supported MACs are:
.Pp
.Bl -item -compact -offset indent
.It
hmac-md5
.It
hmac-md5-96
.It
hmac-ripemd160
.It
hmac-sha1
.It
hmac-sha1-96
.It
hmac-sha2-256
.It
hmac-sha2-512
.It
umac-64@openssh.com
.It
umac-128@openssh.com
.It
hmac-md5-etm@openssh.com
.It
hmac-md5-96-etm@openssh.com
.It
hmac-ripemd160-etm@openssh.com
.It
hmac-sha1-etm@openssh.com
.It
hmac-sha1-96-etm@openssh.com
.It
hmac-sha2-256-etm@openssh.com
.It
hmac-sha2-512-etm@openssh.com
.It
umac-64-etm@openssh.com
.It
umac-128-etm@openssh.com
.El
.Pp
The default is: The default is:
.Bd -literal -offset indent .Bd -literal -offset indent
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,umac-128-etm@openssh.com, umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com, umac-64@openssh.com,umac-128@openssh.com,
hmac-md5-96-etm@openssh.com, hmac-sha2-256,hmac-sha2-512
hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-sha1-96,hmac-md5-96
.Ed .Ed
.It Cm Match .It Cm Match
Introduces a conditional block. Introduces a conditional block.
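Review bot: the supported list is the nine non-etm MACs followed by their nine -etm counterparts, each run alphabetical, but the `.Bl -item` markup gives no visual cue for that split; a reader scanning from hmac-md5 down to umac-128-etm@openssh.com has to infer the grouping from the suffix. Since the paragraph above already explains the -etm suffix, either two short lists or interleaving each MAC with its -etm form (hmac-md5, hmac-md5-etm@openssh.com, ...) would make the pairing obvious. The default drops every MD5, SHA-1, RIPEMD-160 and truncated (-96) MAC and keeps only the UMAC and SHA-2 forms, which is consistent with the client default in the ssh_config.5 hunk, where those same eight now lead the list.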