Commit Graph

133 Commits

Author SHA1 Message Date
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller d59dab8353 - jmc@cvs.openbsd.org 2010/06/30 07:28:34
[sshd_config.5]
     tweak previous;
2010-07-02 13:37:17 +10:00
Damien Miller 6018a36864 - djm@cvs.openbsd.org 2010/06/29 23:16:46
[auth2-pubkey.c sshd_config.5]
     allow key options (command="..." and friends) in AuthorizedPrincipals;
     ok markus@
2010-07-02 13:35:19 +10:00
Damien Miller ab6de35140 - djm@cvs.openbsd.org 2010/06/22 04:22:59
[servconf.c sshd_config.5]
     expose some more sshd_config options inside Match blocks:
       AuthorizedKeysFile AuthorizedPrincipalsFile
       HostbasedUsesNameFromPacketOnly PermitTunnel
     bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
2010-06-26 09:38:45 +10:00
Damien Miller 81d3fc535b - jmc@cvs.openbsd.org 2010/05/07 12:49:17
[sshd_config.5]
     tweak previous;
2010-05-10 11:58:45 +10:00
Damien Miller 30da3447d2 - djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.

     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.

     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.

     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.

     These options are useful for role accounts, disjoint account namespaces
     and "user@realm"-style naming policies in certificates.

     feedback and ok markus@
2010-05-10 11:58:03 +10:00
Damien Miller c6db99ec14 - djm@cvs.openbsd.org 2010/03/04 23:17:25
[sshd_config.5]
     missing word; spotted by jmc@
2010-03-05 10:41:45 +11:00
Damien Miller 72b33820af - jmc@cvs.openbsd.org 2010/03/04 12:51:25
[ssh.1 sshd_config.5]
     tweak previous;
2010-03-05 07:39:01 +11:00
Damien Miller 1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller 0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Darren Tucker 7bd98e7f74 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
[channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
2010-01-10 10:31:12 +11:00
Darren Tucker 98e5d9a0d3 - jmc@cvs.openbsd.org 2009/12/29 18:03:32
[sshd_config.5 ssh_config.5]
     sort previous;
2010-01-08 18:57:39 +11:00
Darren Tucker 535b5e1721 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
[sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
2010-01-08 18:56:48 +11:00
Darren Tucker b8c884a0ba - guenther@cvs.openbsd.org 2009/12/20 07:28:36
[ssh.c sftp.c scp.c]
     When passing user-controlled options with arguments to other programs,
     pass the option and option argument as separate argv entries and
     not smashed into one (e.g., as -l foo and not -lfoo).  Also, always
     pass a "--" argument to stop option parsing, so that a positional
     argument that starts with a '-' isn't treated as an option.  This
     fixes some error cases as well as the handling of hostnames and
     filenames that start with a '-'.
     Based on a diff by halex@
     ok halex@ djm@ deraadt@
2010-01-08 18:53:43 +11:00
Darren Tucker f788a91624 - djm@cvs.openbsd.org 2009/11/10 02:58:56
[sshd_config.5]
     clarify that StrictModes does not apply to ChrootDirectory. Permissions
     and ownership are always checked when chrooting. bz#1532
2010-01-08 17:06:47 +11:00
Darren Tucker cc117f0deb - jmc@cvs.openbsd.org 2009/10/28 21:45:08
[sshd_config.5 sftp.1]
     tweak previous;
2010-01-08 17:05:26 +11:00
Darren Tucker 34e314da1b - reyk@cvs.openbsd.org 2009/10/28 16:38:18
[ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
2010-01-08 17:03:46 +11:00
Darren Tucker 7a4a76579e - jmc@cvs.openbsd.org 2009/10/08 20:42:12
[sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
2009-10-11 21:51:40 +11:00
Darren Tucker bad5076bb5 - (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2009/10/08 14:03:41
     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
     disable protocol 1 by default (after a transition period of about 10 years)
     ok deraadt
2009-10-11 21:51:08 +11:00
Darren Tucker 1477ea162c - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
[sshd_config.5]
     Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
2009-10-07 08:36:05 +11:00
Damien Miller 9c7bf8dfc8 downgrade mention of login.conf to be an example and mention PAM as
another provider for ChallengeResponseAuthentication; bz#1408; ok dtucker@
2009-08-28 10:27:08 +10:00
Darren Tucker 51dbe503bf - stevesk@cvs.openbsd.org 2009/04/21 15:13:17
[sshd_config.5]
     clarify we cd to user's home after chroot; ok markus@ on
     earlier version; tweaks and ok jmc@
2009-06-21 17:56:51 +10:00
Darren Tucker f92077f05c - jmc@cvs.openbsd.org 2009/04/18 18:39:10
[sshd_config.5]
     tweak previous; ok stevesk
2009-06-21 17:56:25 +10:00
Darren Tucker 00fcd719a5 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17
[sshd_config.5]
     clarify that even internal-sftp needs /dev/log for logging to work; ok
     markus@
2009-06-21 17:56:00 +10:00
Darren Tucker af501cfce4 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44
[sshd_config.5]
     fix possessive; ok djm@
2009-06-21 17:53:04 +10:00
Damien Miller 0296ae85ec - djm@cvs.openbsd.org 2009/02/22 23:59:25
[sshd_config.5]
     missing period
2009-02-23 11:00:24 +11:00
Damien Miller 1991384764 - djm@cvs.openbsd.org 2009/02/22 23:50:57
[ssh_config.5 sshd_config.5]
     don't advertise experimental options
2009-02-23 10:53:58 +11:00
Damien Miller 9aa72ba57a - naddy@cvs.openbsd.org 2009/01/24 17:10:22
[ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
2009-01-28 16:34:00 +11:00
Damien Miller 17819015f0 - okan@cvs.openbsd.org 2008/12/30 00:46:56
[sshd_config.5]
     add AllowAgentForwarding to available Match keywords list
     ok djm
2009-01-28 16:20:17 +11:00
Damien Miller 01ed2272a1 - djm@cvs.openbsd.org 2008/11/04 08:22:13
[auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate of knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compiled-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it.  It isn't too intrusive." deraadt@
2008-11-05 16:20:46 +11:00
Damien Miller 51bde6000a - djm@cvs.openbsd.org 2008/10/09 03:50:54
[servconf.c sshd_config.5]
     support setting PermitEmptyPasswords in a Match block
     requested in PR3891; ok dtucker@
2008-11-03 19:23:10 +11:00
Darren Tucker 7499b0cca0 - djm@cvs.openbsd.org 2008/07/02 02:24:18
[sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
2008-07-02 22:35:43 +10:00
Damien Miller 307c1d10a7 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40
[servconf.c sshd_config.5]
     Allow MaxAuthTries within a Match block.  ok djm@
2008-06-16 07:56:20 +10:00
Damien Miller c62a5af29a - dtucker@cvs.openbsd.org 2008/06/15 16:55:38
[sshd_config.5]
     MaxSessions is allowed in a Match block too
2008-06-16 07:55:46 +10:00
Darren Tucker 6a2a400f7a - jmc@cvs.openbsd.org 2008/06/10 07:12:00
[sshd_config.5]
     tweak previous;
2008-06-10 23:03:04 +10:00
Darren Tucker b06cc4abf8 - djm@cvs.openbsd.org 2008/06/10 04:17:46
[sshd_config.5]
     better reference for pattern-list
2008-06-10 22:59:53 +10:00
Darren Tucker 7a3935de2f - (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
     [servconf.c match.h sshd_config.5]
     support CIDR address matching in sshd_config "Match address" blocks, with
     full support for negation and fall-back to classic wildcard matching.
     For example:
     Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
         PasswordAuthentication yes
     addrmatch.c code mostly lifted from flowd's addr.c
     feedback and ok dtucker@
2008-06-10 22:59:10 +10:00
Damien Miller 7207f64a23 - djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
     [sshd_config sshd_config.5]
     Make the maximum number of sessions run-time controllable via
     a sshd_config MaxSessions knob. This is useful for disabling
     login/shell/subsystem access while leaving port-forwarding working
     (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
     simply increasing the number of allows multiplexed sessions.
     Because some bozos are sure to configure MaxSessions in excess of the
     number of available file descriptors in sshd (which, at peak, might be
     as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
     on error paths, and make it fail gracefully on out-of-fd conditions -
     sending channel errors instead of than exiting with fatal().
     bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
     ok markus@
2008-05-19 15:34:50 +10:00
Damien Miller e989019303 - jmc@cvs.openbsd.org 2008/05/07 08:00:14
[sshd_config.5]
     sort;
2008-05-19 14:59:02 +10:00
Damien Miller 4f755cdc05 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
     Enable the AllowAgentForwarding option in sshd_config (global and match
     context), to specify if agents should be permitted on the server.
     As the man page states:
     ``Note that disabling Agent forwarding does not improve security
     unless users are also denied shell access, as they can always install
     their own forwarders.''
     ok djm@, ok and a mild frown markus@
2008-05-19 14:57:41 +10:00
Damien Miller 25434de460 - djm@cvs.openbsd.org 2008/04/05 02:46:02
[sshd_config.5]
     HostbasedAuthentication is supported under Match too
2008-05-19 14:29:08 +10:00
Damien Miller 56f41ddc54 - djm@cvs.openbsd.org 2008/04/04 06:44:26
[sshd_config.5]
     oops, some unrelated stuff crept into that commit - backout.
     spotted by jmc@
2008-05-19 14:28:19 +10:00
Damien Miller 797e3d117f - (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/04 05:14:38
     [sshd_config.5]
     ChrootDirectory is supported in Match blocks (in fact, it is most useful
     there). Spotted by Minstrel AT minstrel.org.uk
2008-05-19 14:27:42 +10:00
Damien Miller a1b48ccf2d - djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
     ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
     from dtucker@ ok deraadt@ djm@
2008-03-27 11:02:02 +11:00
Damien Miller 5447eb2454 - jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
     bump Mdocdate for pages committed in "febuary", necessary because
     of a typo in rcs.c;
2008-03-27 10:50:21 +11:00
Damien Miller cdb6e65175 - djm@cvs.openbsd.org 2008/02/10 09:55:37
[sshd_config.5]
     mantion that "internal-sftp" is useful with ForceCommand too
2008-02-10 22:47:24 +11:00
Damien Miller 70433b5d73 - jmc@cvs.openbsd.org 2008/02/09 08:04:31
[sshd_config.5]
     missing `)';
2008-02-10 22:45:13 +11:00
Damien Miller d8cb1f184f - djm@cvs.openbsd.org 2008/02/08 23:24:07
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
     [sshd_config.5]
     add sshd_config ChrootDirectory option to chroot(2) users to a directory
     and tweak internal sftp server to work with it (no special files in
     chroot required). ok markus@
2008-02-10 22:40:12 +11:00
Darren Tucker 15f94271be - dtucker@cvs.openbsd.org 2008/01/01 09:27:33
[sshd_config.5 servconf.c]
     Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
     only from the local network.  ok markus@, man page bit ok jmc@
2008-01-01 20:36:56 +11:00
Damien Miller 4890e53977 - djm@cvs.openbsd.org 2007/08/23 03:22:16
[auth2-none.c sshd_config sshd_config.5]
     Support "Banner=none" to disable displaying of the pre-login banner;
     ok dtucker@ deraadt@
2007-09-17 11:57:38 +10:00