Commit Graph

346 Commits

Author SHA1 Message Date
dtucker@openbsd.org eb4362e5e3 upstream: Refer to KEX "algorithms" instead of "methods" to match
other references and improve consistency.  Patch from scop via github PR#241,
ok djm@

OpenBSD-Commit-ID: 840bc94ff6861b28d8603c8e8c16499bfb65e32c
2021-09-03 17:33:08 +10:00
djm@openbsd.org dcce2a2bcf upstream: mention that CASignatureAlgorithms accepts +/- similarly to
the other algorithm list directives; ok jmc bz#3335

OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9
2021-08-13 10:01:15 +10:00
Darren Tucker 9ebd182888 Missing space between macro arg and punctuation.
From jmc@
2021-08-03 21:03:23 +10:00
jmc@openbsd.org bec429338e upstream: word fix; reported by debian at helgefjell de
OpenBSD-Commit-ID: 0c6fd22142422a25343c5bd1a618f31618f41ece
2021-08-03 09:39:57 +10:00
Darren Tucker 4d2d4d47a1 Replace remaining references to ChallengeResponse.
Portable had a few additional references to ChallengeResponse related to
UsePAM, replaces these with equivalent keyboard-interactive ones.
2021-07-03 19:27:43 +10:00
dtucker@openbsd.org c73b02d92d upstream: Remove references to ChallengeResponseAuthentication in
favour of KbdInteractiveAuthentication.  The former is what was in SSHv1, the
latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
not entirely equivalent.  We retain the old name as deprecated alias so
config files continue to work and a reference in the man page for people
looking for it.

Prompted by bz#3303 which pointed out the discrepancy between the two
when used with Match.  Man page help & ok jmc@, with & ok djm@

OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
2021-07-02 15:39:29 +10:00
jmc@openbsd.org 320af2f3de upstream: remove stray inserts; from matthias schmidt
OpenBSD-Commit-ID: 2c36ebdc54e14bbf1daad70c6a05479a073d5c63
2021-04-06 19:08:53 +10:00
djm@openbsd.org 53ea05e09b upstream: sync CASignatureAlgorithms lists with reality. GHPR#174 from
Matt Hazinski

OpenBSD-Commit-ID: f05e4ca54d7e67b90fe58fe1bdb1d2a37e0e2696
2021-04-03 17:57:01 +11:00
dtucker@openbsd.org 88057eb6df upstream: Add ModuliFile keyword to sshd_config to specify the
location of the "moduli" file containing the groups for DH-GEX.  This will
allow us to run tests against arbitrary moduli files without having to
install them. ok djm@

OpenBSD-Commit-ID: 8df99d60b14ecaaa28f3469d01fc7f56bff49f66
2021-03-13 13:14:13 +11:00
djm@openbsd.org 351c5dbbd7 upstream: fix alphabetic ordering of options; spotted by Iain Morgan
OpenBSD-Commit-ID: f955fec617d74af0feb5b275831a9fee813d7ad5
2021-02-28 10:54:19 +11:00
djm@openbsd.org 8b8b60542d upstream: lots more s/key types/signature algorithms/ mostly in
HostbasedAcceptedAlgorithms and HostKeyAlgorithms; prompted by Jakub Jelen

OpenBSD-Commit-ID: 3f719de4385b1a89e4323b2549c66aae050129cb
2021-02-24 08:56:22 +11:00
djm@openbsd.org 0aeb508aaa upstream: Correct reference to signature algorithms as keys; from
Jakub Jelen

OpenBSD-Commit-ID: 36f7ecee86fc811aa0f8e21e7a872eee044b4be5
2021-02-24 08:56:22 +11:00
dtucker@openbsd.org e9f78d6b06 upstream: Rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms, which more
accurately reflects its effect. This matches a previous change to
PubkeyAcceptedAlgorithms.  The previous names are retained as aliases.  ok
djm@

OpenBSD-Commit-ID: 49451c382adc6e69d3fa0e0663eeef2daa4b199e
2021-01-26 22:50:40 +11:00
dtucker@openbsd.org ee9c0da803 upstream: Rename PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
actually specifies the signature algorithms that are accepted.  Some key
types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
so the old name is becoming increasingly misleading.  The old name is
retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@

OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
2021-01-22 15:03:56 +11:00
rob@openbsd.org a164862dfa upstream: Minor grammatical correction.
OK jmc@

OpenBSD-Commit-ID: de0fad0581e212b2750751e479b79c18ff8cac02
2021-01-18 18:43:43 +11:00
jmc@openbsd.org 7a57adb8b0 upstream: add a comma to previous;
OpenBSD-Commit-ID: 9139433701c0aa86a0d3a6c7afe10d1c9c2e0869
2021-01-11 15:04:12 +11:00
dtucker@openbsd.org 3a92312953 upstream: Add PerSourceMaxStartups and PerSourceNetBlockSize
options which provide more fine grained MaxStartups limits.  Man page help
jmc@, feedback & ok djm@

OpenBSD-Commit-ID: e2f68664e3d02c0895b35aa751c48a2af622047b
2021-01-11 15:04:12 +11:00
djm@openbsd.org 16448ff529 upstream: mention that DisableForwarding is valid in a sshd_config
Match block reported by Fredrik Eriksson in bz3239

OpenBSD-Commit-ID: 3a71c3d84b597f5e43e4b40d5232797daf0993f6
2021-01-08 13:46:35 +11:00
djm@openbsd.org 2c71cec020 upstream: Update/replace the experimental post-quantim hybrid key
exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
2020-12-29 12:38:53 +11:00
jmc@openbsd.org 616029a85a upstream: add space between macro arg and punctuation;
OpenBSD-Commit-ID: bb81e2ed5a77832fe62ab30a915ae67cda57633e
2020-10-17 22:45:37 +11:00
djm@openbsd.org 793b583d09 upstream: LogVerbose keyword for ssh and sshd
Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356
2020-10-17 00:43:17 +11:00
djm@openbsd.org 12ae8f95e2 upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@

OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-10-03 14:34:06 +10:00
jmc@openbsd.org 2a3a982231 upstream: sentence fix; from pedro martelletto
OpenBSD-Commit-ID: f95b84a1e94e9913173229f3787448eea2f8a575
2020-08-31 14:34:34 +10:00
jmc@openbsd.org 744df42a12 upstream: tweak previous;
OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7
2020-08-27 19:47:35 +10:00
djm@openbsd.org 801c9f095e upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
2020-08-27 11:28:36 +10:00
djm@openbsd.org 188e332d1c upstream: mention that wildcards are processed in lexical order;
bz#3165

OpenBSD-Commit-ID: 8856f3d1612bd42e9ee606d89386cae456dd165c
2020-05-29 15:46:47 +10:00
jmc@openbsd.org 4e04f46f24 upstream: add space beteen macro arg and punctuation;
OpenBSD-Commit-ID: c93a6cbb4bf9468fc4c13e64bc1fd4efee201a44
2020-04-17 17:17:47 +10:00
djm@openbsd.org 44ae009a01 upstream: auth2-pubkey r1.89 changed the order of operations to
checking AuthorizedKeysFile first and falling back to AuthorizedKeysCommand
if no key was found in a file. Document this order here; bz3134

OpenBSD-Commit-ID: afce0872cbfcfc1d4910ad7722e50f792a1dce12
2020-04-17 17:17:47 +10:00
djm@openbsd.org c90f72d29e upstream: make IgnoreRhosts a tri-state option: "yes" ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
.shosts files but not .rhosts. ok dtucker@

OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9
2020-04-17 14:03:36 +10:00
djm@openbsd.org 321c714707 upstream: allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks; bz3148, ok dtucker@

OpenBSD-Commit-ID: e042467d703bce640b1f42c5d1a62bf3825736e8
2020-04-17 14:03:36 +10:00
dtucker@openbsd.org d4d9e1d405 upstream: Add ssh -Q key-sig for all key and signature types.
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as
an alias for the corresponding query.  Man page help jmc@, ok djm@.

OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07 15:03:20 +11:00
naddy@openbsd.org a6ac5d36ef upstream: Add Include to the list of permitted keywords after a
Match keyword. ok markus@

OpenBSD-Commit-ID: 342e940538b13dd41e0fa167dc9ab192b9f6e2eb
2020-02-07 09:53:00 +11:00
jmc@openbsd.org 6fb3dd0ccd upstream: tweak previous;
OpenBSD-Commit-ID: 0c42851cdc88583402b4ab2b110a6348563626d3
2020-02-02 20:25:09 +11:00
djm@openbsd.org c2bd7f74b0 upstream: Add a sshd_config "Include" directive to allow inclusion
of files. This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub Jelen in
bz2468; feedback and ok markus@

OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
2020-02-01 10:20:24 +11:00
djm@openbsd.org 4594c76276 upstream: make IPTOS_DSCP_LE available via IPQoS directive; bz2986,
based on patch by veegish AT cyberstorm.mu

OpenBSD-Commit-ID: 9902bf4fbb4ea51de2193ac2b1d965bc5d99c425
2020-01-28 12:52:46 +11:00
djm@openbsd.org 69334996ae upstream: make sshd_config:ClientAliveCountMax=0 disable the
connection killing behaviour, rather than killing the connection after
sending the first liveness test probe (regardless of whether the client was
responsive) bz2627; ok markus

OpenBSD-Commit-ID: 5af79c35f4c9fa280643b6852f524bfcd9bccdaf
2020-01-26 10:15:13 +11:00
djm@openbsd.org bf986a9e27 upstream: clarify order of AllowUsers/DenyUsers vs
AllowGroups/DenyGroups; bz1690, ok markus@

OpenBSD-Commit-ID: 5637584ec30db9cf64822460f41b3e42c8f9facd
2020-01-26 10:15:13 +11:00
tedu@openbsd.org 0b813436bb upstream: group14-sha1 is no longer a default algorithm
OpenBSD-Commit-ID: a96f04d5e9c2ff760c6799579dc44f69b4ff431d
2020-01-25 18:20:01 +11:00
djm@openbsd.org 734f2f83f5 upstream: mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25 17:04:14 +11:00
dtucker@openbsd.org 56bced43c1 upstream: Document sntrup4591761x25519-sha512@tinyssh.org. Patch
from jtesta@positronsecurity.com via github PR#151.

OpenBSD-Commit-ID: f3d48168623045c258245c340a5a2af7dbb74edc
2020-01-21 18:09:09 +11:00
naddy@openbsd.org 141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
naddy@openbsd.org ae024b22c4 upstream: Document that security key-hosted keys can act as host
keys.

Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5.  Copy the description of the SecurityKeyProvider
option to sshd_config.5.

ok jmc@

OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
2019-12-20 14:25:08 +11:00
jmc@openbsd.org 483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
jmc@openbsd.org 8635afa1cd upstream: tweak previous;
OpenBSD-Commit-ID: a4c097364c75da320f1b291568db830fb1ee4883
2019-11-27 10:44:29 +11:00
djm@openbsd.org 0fddf2967a upstream: Add a sshd_config PubkeyAuthOptions directive
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
2019-11-25 12:23:40 +11:00
djm@openbsd.org e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
naddy@openbsd.org aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
naddy@openbsd.org 91a2135f32 upstream: Allow prepending a list of algorithms to the default set
by starting the list with the '^' character, e.g.

HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com

ok djm@ dtucker@

OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
2019-09-08 14:49:04 +10:00
naddy@openbsd.org 4f9d75fbaf upstream: Call comma-separated lists as such to clarify semantics.
Options such as Ciphers take values that may be a list of ciphers; the
complete list, not indiviual elements, may be prefixed with a dash or plus
character to remove from or append to the default list, respectively.

Users might read the current text as if each elment took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting these semantics.

Fix instances missed in first commit.  ok jmc@ kn@

OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
2019-09-05 14:56:51 +10:00
dtucker@openbsd.org 8fdbc7247f upstream: Change description of TCPKeepAlive from "inactive" to
"unresponsive" to clarify what it checks for.  Patch from jblaine at
kickflop.net via github pr#129, ok djm@.

OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9
2019-08-09 15:11:30 +10:00