Commit Graph

286 Commits

Author SHA1 Message Date
jmc@openbsd.org 16e82bf53f
upstream: sort SYNOPSIS;
OpenBSD-Commit-ID: dacd9da33277d5669a51213d880632599c890c1e
2023-02-16 21:11:32 +11:00
djm@openbsd.org 18938d11a9
upstream: add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.

bz3460 feedback/ok dtucker@

OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29
2023-02-10 16:12:42 +11:00
millert@openbsd.org 7d17ea151c
upstream: Add a -V (version) option to sshd like the ssh client
has. OK markus@ deraadt@

OpenBSD-Commit-ID: abe990ec3e636fb040132aab8cbbede98f0c413e
2023-01-18 13:21:00 +11:00
jmc@openbsd.org 113523bf0b
upstream: .Li -> .Vt where appropriate; from josiah frentsos,
tweaked by schwarze

ok schwarze

OpenBSD-Commit-ID: 565046e3ce68b46c2f440a93d67c2a92726de8ed
2022-09-14 10:16:04 +10:00
djm@openbsd.org ec1ddb72a1 upstream: allow certificate validity intervals, sshsig verification
times and authorized_keys expiry-time options to accept dates in the UTC time
zone in addition to the default of interpreting them in the system time zone.
YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
suffixed with a 'Z' character.

Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow.

bz3468 ok dtucker

OpenBSD-Commit-ID: 454db1cdffa9fa346aea5211223a2ce0588dfe13
2022-08-11 12:00:49 +10:00
jmc@openbsd.org 575771bf79 upstream: remove an obsolete rsa1 format example from an example;
from megan batty
ok djm

OpenBSD-Commit-ID: db2c89879c29bf083df996bd830abfb1e70d62bf
2022-05-05 11:34:52 +10:00
naddy@openbsd.org 9ec2713d12 upstream: man pages: add missing commas between subordinate and
main clauses

jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.

ok jmc@

OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3
2022-04-06 09:16:05 +10:00
dtucker@openbsd.org b0ec59a708 upstream: Document that non-interactive commands are run via the user's
shell using the -c flag.  ok jmc@

OpenBSD-Commit-ID: 4f0d912077732eead10423afd1acf4fc0ceec477
2021-09-10 22:05:35 +10:00
jmc@openbsd.org dd533c7ab7 upstream: fix a formatting error and add some Xr; from debian at
helgefjell de

removed references to rlogin etc. as no longer relevant;
suggested by djm

ok djm dtucker

OpenBSD-Commit-ID: 3c431c303068d3aec5bb18573a0bd5e0cd77c5ae
2021-08-03 09:39:58 +10:00
djm@openbsd.org c298c4da57 upstream: rework authorized_keys example section, removing irrelevant
stuff, de-wrapping the example lines and better aligning the examples with
common usage and FAQs; ok jmc

OpenBSD-Commit-ID: d59f1c9281f828148e2a2e49eb9629266803b75c
2021-06-04 16:00:31 +10:00
djm@openbsd.org 460aee9298 upstream: fix incorrect plural; from Ville Skyt
=?UTF-8?q?t=C3=A4=20via=20GHPR#181?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenBSD-Commit-ID: 92f31754c6296d8f403d7c293e09dc27292d22c9
2021-04-03 16:49:02 +11:00
djm@openbsd.org 801c9f095e upstream: support for requiring user verified FIDO keys in sshd
This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6
2020-08-27 11:28:36 +10:00
djm@openbsd.org 734f2f83f5 upstream: mention that permitopen=/PermitOpen do no name to address
translation; prompted by bz3099

OpenBSD-Commit-ID: 0dda8e54d566b29855e76bebf9cfecce573f5c23
2020-01-25 17:04:14 +11:00
naddy@openbsd.org 141df487ba upstream: Replace the term "security key" with "(FIDO)
authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-30 14:31:40 +11:00
dtucker@openbsd.org bc2dc091e0 upstream: "Forward security" -> "Forward secrecy" since that's the
correct term. Add "MAC" since we use that acronym in other man pages.  ok
naddy@

OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
2019-12-20 14:25:08 +11:00
naddy@openbsd.org e905f7260d upstream: cut obsolete lists of crypto algorithms from outline of
how SSH works ok markus@ jmc@

OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
2019-12-20 14:25:08 +11:00
jmc@openbsd.org 483cc723d1 upstream: tweak the Nd lines for a bit of consistency; ok markus
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
djm@openbsd.org 2e71263b80 upstream: add a "no-touch-required" option for authorized_keys and
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.

feedback deraadt, ok markus

OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org e2e1283404 upstream: mention ed25519-sk key/cert types here too; prompted by
jmc@

OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
naddy@openbsd.org aa4c640dc3 upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-08 14:09:32 +11:00
dtucker@openbsd.org 01c98d9661 upstream: Switch authorized_keys example from ssh-dss to ssh-rsa
since the former is no longer enabled by default.  Pointed out by Daniel A.
Maierhofer, ok jmc

OpenBSD-Commit-ID: 6a196cef53d7524e0c9b58cdbc1b5609debaf8c7
2018-07-26 13:54:30 +10:00
jmc@openbsd.org f535ff922a upstream: spelling;
OpenBSD-Commit-ID: db542918185243bea17202383a581851736553cc
2018-06-26 08:30:43 +10:00
djm@openbsd.org 87ddd676da upstream: allow bare port numbers to appear in PermitListen directives,
e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
2018-06-19 13:00:50 +10:00
jmc@openbsd.org 6ff6fda705 upstream: tweak previous;
OpenBSD-Commit-ID: f98f16af10b28e24bcecb806cb71ea994b648fd6
2018-06-09 13:10:59 +10:00
djm@openbsd.org 803d896ef3 upstream: man bits for permitlisten authorized_keys option
OpenBSD-Commit-ID: 86910af8f781a4ac5980fea125442eb25466dd78
2018-06-07 04:27:21 +10:00
Damien Miller 10479cc2a4 Many typo fixes from Karsten Weiss
Spotted using https://github.com/lucasdemarchi/codespell
2018-04-10 10:19:02 +10:00
jmc@openbsd.org 037fdc1dc2 upstream: sort expiry-time;
OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
2018-03-14 18:55:33 +11:00
djm@openbsd.org abc0fa38c9 upstream: rename recently-added "valid-before" key restriction to
"expiry-time" as the former is confusing wrt similar terminology in X.509;
pointed out by jsing@

OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
2018-03-14 18:55:33 +11:00
djm@openbsd.org bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
dtucker@openbsd.org 055e09e221 upstream: Update RSA minimum modulus size to 1024. sshkey.h rev 1.18
bumped the minimum from 768 to 1024, update man page accordingly.

OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
2018-03-04 12:48:08 +11:00
djm@openbsd.org 88c50a5ae2 upstream: stop loading DSA keys by default, remove sshd_config
stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@

OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
2018-02-16 13:35:28 +11:00
djm@openbsd.org 2b428f90ea upstream commit
I accidentially a word

OpenBSD-Commit-ID: 4547ee713fa941da861e83ae7a3e6432f915e14a
2018-02-07 07:50:46 +11:00
dtucker@openbsd.org@openbsd.org 0208a48517 upstream commit
When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.  ok djm@, man page help jmc@

OpenBSD-Commit-ID: b4e773c4212d3dea486d0259ae977551aab2c1fc
2017-11-03 16:20:41 +11:00
djm@openbsd.org 68af80e6fd upstream commit
add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
2017-10-25 12:26:21 +11:00
jmc@openbsd.org e2004d4bb7 upstream commit
word fix;

Upstream-ID: 8539bdaf2366603a34a9b2f034527ca13bb795c5
2017-06-24 16:49:46 +10:00
djm@openbsd.org 6f8ca3b925 upstream commit
use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@

Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
2017-06-24 16:48:39 +10:00
djm@openbsd.org acaf34fd82 upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@

Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
2017-05-08 09:21:00 +10:00
dtucker@openbsd.org 6ba9f89383 upstream commit
Small correction to the known_hosts section on when it is
updated. Patch from lkppo at free.fr some time ago, pointed out by smallm at
sdf.org

Upstream-ID: 1834d7af179dea1a12ad2137f84566664af225d5
2017-02-03 14:23:24 +11:00
djm@openbsd.org fd6dcef203 upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30 19:44:01 +11:00
djm@openbsd.org 83b581862a upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker

Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
2016-08-23 14:29:07 +10:00
naddy@openbsd.org ffe6549c2f upstream commit
Catch up with the SSH1 code removal and delete all
mention of protocol 1 particularities, key files and formats, command line
options, and configuration keywords from the server documentation and
examples.  ok jmc@

Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
2016-08-23 13:28:30 +10:00
jmc@openbsd.org a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org deae7d52d5 upstream commit
mention internal DH-GEX fallback groups; bz#2302

Upstream-ID: e7b395fcca3122cd825515f45a2e41c9a157e09e
2016-02-08 21:58:29 +11:00
djm@openbsd.org 383f10fb84 upstream commit
Add a new authorized_keys option "restrict" that
 includes all current and future key restrictions (no-*-forwarding, etc). Also
 add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty".
 This simplifies the task of setting up restricted keys and ensures they are
 maximally-restricted, regardless of any permissions we might implement in the
 future.

Example:

restrict,pty,command="nethack" ssh-ed25519 AAAAC3NzaC1lZDI1...

Idea from Jann Horn; ok markus@

Upstream-ID: 04ceb9d448e46e67e13887a7ae5ea45b4f1719d0
2015-11-16 11:31:41 +11:00
djm@openbsd.org 2bca8a43e7 upstream commit
more clarity on what AuthorizedKeysFile=none does; based
 on diff by Thiebaud Weksteen

Upstream-ID: 78ab87f069080f0cc3bc353bb04eddd9e8ad3704
2015-09-11 13:28:01 +10:00
djm@openbsd.org 933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
djm@openbsd.org 8d4d1bfddb upstream commit
mention that the user's shell from /etc/passwd is used
 for commands too; bz#1459 ok dtucker@
2015-05-10 11:35:07 +10:00
bentley@openbsd.org da8af83d3f upstream commit
Reduce instances of `` '' in manuals.

troff displays these as typographic quotes, but nroff implementations
almost always print them literally, which rarely has the intended effect
with modern fonts, even in stock xterm.

These uses of `` '' can be replaced either with more semantic alternatives
or with Dq, which prints typographic quotes in a UTF-8 locale (but will
automatically fall back to `` '' in an ASCII locale).

improvements and ok schwarze@
2014-11-17 11:19:33 +11:00
sobrado@openbsd.org f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller 72e6b5c9ed - djm@cvs.openbsd.org 2014/07/03 22:40:43
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
     executed, mirroring the no-user-rc authorized_keys option;
     bz#2160; ok markus@
2014-07-04 09:00:04 +10:00