Mark the sshd_config UsePrivilegeSeparation option as
deprecated, effectively making privsep mandatory in sandboxing mode. ok
markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will
happen eventually).
Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples. ok jmc@
Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
make sandboxed privilege separation the default, not just
for new installs; "absolutely" deraadt@
Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
[sshd_config]
Remove commented-out kerberos/gssapi config options from sample config,
kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
various people; ok deraadt@
ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
[sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man
page.
[servconf.c sshd_config sshd_config.5]
Change default of MaxStartups to 10:30:100 to start doing random early
drop at 10 connections up to 100 connections. This will make it harder
to DoS as CPUs have come a long way since the original value was set
back in 2000. Prompted by nion at debian org, ok markus@
[auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
[sshd.c sshd_config sshd_config.5]
new sshd_config option AuthorizedKeysCommand to support fetching
authorized_keys from a command in addition to (or instead of) from
the filesystem. The command is run as the target server user unless
another specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback
and ok markus@
[servconf.c servconf.h sshd.c sshd_config]
Turn on systrace sandboxing of pre-auth sshd by default for new installs
by shipping a config that overrides the current UsePrivilegeSeparation=yes
default. Make it easier to flip the default in the future by adding too.
[servconf.c servconf.h sshd.c sshd_config sshd_config.5]
VersionAddendum option to allow server operators to append some arbitrary
text to the SSH-... banner; ok deraadt@ "don't care" markus@
- djm@cvs.openbsd.org 2011/05/23 03:30:07
[auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
allow AuthorizedKeysFile to specify multiple files, separated by spaces.
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
- markus@cvs.openbsd.org 2009/10/08 14:03:41
[sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
disable protocol 1 by default (after a transition period of about 10 years)
ok deraadt
[sshd_config sshd_config.5 sshd.8 servconf.c]
increase default size of ssh protocol 1 ephemeral key from 768 to 1024
bits; prodded by & ok dtucker@ ok deraadt@
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
ok markus@
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
[sshd_config]
Disable the legacy SSH protocol 1 for new installations via
a configuration override. In the future, we will change the
server's default itself so users who need the legacy protocol
will need to turn it on explicitly
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
[auth-options.c auth-options.h channels.c channels.h clientloop.c]
[misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
[serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
[sshconnect.h sshd.8 sshd_config sshd_config.5]
Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.
ok djm@, markus@, jmc@ (manpages), tested and discussed with others
[kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
[sshconnect2.c sshd.c sshd_config sshd_config.5]
add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.
this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
[sshconnect1.c sshd.c sshd_config sshd_config.5]
remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.
- markus@cvs.openbsd.org 2003/06/02 09:17:34
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
[sshd_config.5]
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@
- (djm) Fix portable-specific uses of verify_reverse_mapping too
tj@openbsd.org
djm@openbsd.org
naddy@openbsd.org
tedu@openbsd.org
deraadt@openbsd.org
Damien Miller
Darren Tucker
Tim Rice