path: root/sshd_config
Commit message | Author | Age | Files | Lines
* - djm@cvs.openbsd.org 2014/01/10 05:59:19 | djm | 2014-01-12 | 1 | -1/+2
| [sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too
* - djm@cvs.openbsd.org 2013/10/29 09:48:02 | djm | 2013-10-30 | 1 | -1/+3
| [servconf.c servconf.h session.c sshd_config sshd_config.5] sshd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
* - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu. | dtucker | 2013-09-18 | 1 | -2/+2
|
* - sthen@cvs.openbsd.org 2013/09/07 13:53:11 | djm | 2013-09-13 | 1 | -1/+1
| [sshd_config] Remove commented-out kerberos/gssapi config options from sample config, kerberos support is currently not enabled in ssh in OpenBSD. Discussed with various people; ok deraadt@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
* - dtucker@cvs.openbsd.org 2013/05/16 04:09:14 | dtucker | 2013-05-16 | 1 | -1/+4
| [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
* - dtucker@cvs.openbsd.org 2013/02/06 00:20:42 | djm | 2013-02-12 | 1 | -2/+2
| [servconf.c sshd_config sshd_config.5] Change default of MaxStartups to 10:30:100 to start doing random early drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. Prompted by nion at debian org, ok markus@
* - djm@cvs.openbsd.org 2012/10/30 21:29:55 | djm | 2012-10-30 | 1 | -1/+4
| [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
* - djm@cvs.openbsd.org 2012/07/10 02:19:15 | djm | 2012-07-31 | 1 | -2/+2
| [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.
* - djm@cvs.openbsd.org 2012/04/12 02:43:55 | djm | 2012-04-22 | 1 | -1/+3
| [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default
* - djm@cvs.openbsd.org 2012/04/12 02:42:32 | djm | 2012-04-22 | 1 | -1/+2
| [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
* OpenBSD CVS Sync | djm | 2011-05-29 | 1 | -2/+5
| - djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :) feedback and ok markus@ dtucker@
* - dtucker@cvs.openbsd.org 2011/05/06 01:03:35 | djm | 2011-05-14 | 1 | -2/+2
| [sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny
* - naddy@cvs.openbsd.org 2010/09/06 17:10:19 | djm | 2010-09-10 | 1 | -1/+2
| [sshd_config] add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@
* - (dtucker) OpenBSD CVS Sync | dtucker | 2009-10-11 | 1 | -5/+3
| - markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
* - djm@cvs.openbsd.org 2008/07/02 02:24:18 | dtucker | 2008-07-02 | 1 | -2/+2
| [sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
* - djm@cvs.openbsd.org 2008/05/08 12:21:16 | djm | 2008-05-19 | 1 | -1/+2
| [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allowed multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
* - pyr@cvs.openbsd.org 2008/05/07 06:43:35 | djm | 2008-05-19 | 1 | -1/+2
| [sshd_config] push the sshd_config bits in, spotted by ajacoutot@
* - djm@cvs.openbsd.org 2008/02/08 23:24:07 | djm | 2008-02-10 | 1 | -1/+2
| [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
* - djm@cvs.openbsd.org 2007/08/23 03:22:16 | djm | 2007-09-17 | 1 | -2/+2
| [auth2-none.c sshd_config sshd_config.5] Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@
* - djm@cvs.openbsd.org 2007/03/19 01:01:29 | dtucker | 2007-03-21 | 1 | -2/+6
| [sshd_config] Disable the legacy SSH protocol 1 for new installations via a configuration override. In the future, we will change the server's default itself so users who need the legacy protocol will need to turn it on explicitly
* - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 | djm | 2006-07-24 | 1 | -1/+7
| [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
* - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current | dtucker | 2006-02-23 | 1 | -6/+7
| reality. Pointed out by tryponraj at gmail.com.
* - reyk@cvs.openbsd.org 2005/12/06 22:38:28 | djm | 2005-12-13 | 1 | -1/+2
| [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
* - markus@cvs.openbsd.org 2005/07/25 11:59:40 | djm | 2005-07-26 | 1 | -2/+2
| [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] [sshconnect2.c sshd.c sshd_config sshd_config.5] add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
* - djm@cvs.openbsd.org 2005/05/19 02:40:52 | djm | 2005-05-26 | 1 | -2/+2
| [sshd_config] whitespace nit, from grunk AT pestilenz.org
* - djm@cvs.openbsd.org 2004/12/23 23:11:00 | dtucker | 2005-01-19 | 1 | -1/+2
| [servconf.c servconf.h sshd.c sshd_config sshd_config.5] bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz; ok deraadt@
* - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 | dtucker | 2004-05-24 | 1 | -1/+2
| [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
* - (djm) Explain consequences of UsePAM=yes a little better in sshd_config; | djm | 2004-05-23 | 1 | -3/+8
| ok dtucker@
* - millert@cvs.openbsd.org 2003/12/29 16:39:50 | dtucker | 2003-12-31 | 1 | -2/+2
| [sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
* - jakob@cvs.openbsd.org 2003/12/23 16:12:10 | dtucker | 2003-12-31 | 1 | -1/+2
| [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@
* - (djm) Clarify UsePAM consequences a little more | djm | 2003-11-06 | 1 | -1/+1
|
* - markus@cvs.openbsd.org 2003/09/29 20:19:57 | dtucker | 2003-10-02 | 1 | -2/+2
| [servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials
* [sshd_config] UsePAM defaults to no. | tim | 2003-09-26 | 1 | -1/+1
|
* - markus@cvs.openbsd.org 2003/08/28 12:54:34 | djm | 2003-09-02 | 1 | -2/+1
| [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
* - markus@cvs.openbsd.org 2003/08/22 10:56:09 | dtucker | 2003-08-26 | 1 | -1/+5
| [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
* - markus@cvs.openbsd.org 2003/08/13 08:46:31 | dtucker | 2003-08-13 | 1 | -5/+3
| [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others
* - markus@cvs.openbsd.org 2003/07/23 07:42:43 | dtucker | 2003-08-02 | 1 | -5/+1
| [sshd_config] remove AFS; itojun@
* 20030622 | dtucker | 2003-06-22 | 1 | -5/+10
| - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/06/20 05:48:21 [sshd_config] sync some implemented options; ok markus@
* - (djm) OpenBSD CVS Sync | djm | 2003-06-03 | 1 | -2/+2
| - markus@cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ - (djm) Fix portable-specific uses of verify_reverse_mapping too
* clarify | djm | 2003-05-16 | 1 | -3/+3
|
* - jakob@cvs.openbsd.org 2003/05/15 01:48:10 | djm | 2003-05-15 | 1 | -2/+3
| [readconf.c readconf.h servconf.c servconf.h] always parse kerberos options. ok djm@ markus@ - (djm) Always parse UsePAM
* - (djm) OpenBSD CVS Sync | djm | 2002-09-27 | 1 | -2/+2
| - markus@cvs.openbsd.org 2002/09/25 11:17:16 [sshd_config] sync LoginGraceTime with default
* - stevesk@cvs.openbsd.org 2002/08/21 19:38:06 | djm | 2002-09-04 | 1 | -2/+2
| [servconf.c sshd.8 sshd_config sshd_config.5] change LoginGraceTime default to 1 minute; ok mouring@ markus@
* - markus@cvs.openbsd.org 2002/07/30 17:03:55 | mouring | 2002-08-01 | 1 | -1/+2
| [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5] add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt
* 20020628 | stevesk | 2002-06-27 | 1 | -1/+1
| - (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented options should contain default value. from solar.
* - markus@cvs.openbsd.org 2002/06/20 23:37:12 | mouring | 2002-06-21 | 1 | -1/+2
| [sshd_config] add Compression
* - stevesk@cvs.openbsd.org 2002/06/20 20:03:34 | mouring | 2002-06-21 | 1 | -3/+3
| [ssh_config sshd_config] refer to config file man page
* - markus@cvs.openbsd.org 2002/05/15 21:56:38 | mouring | 2002-06-06 | 1 | -2/+2
| [servconf.c sshd.8 sshd_config] re-enable privsep and disable setuid for post-3.2.2
* - markus@cvs.openbsd.org 2002/05/15 21:02:53 | mouring | 2002-05-15 | 1 | -2/+2
| [servconf.c sshd.8 sshd_config] disable privsep and enable setuid for the 3.2.2 release
* - deraadt@cvs.openbsd.org 2002/05/04 02:39:35 | mouring | 2002-05-15 | 1 | -2/+2
| [servconf.c sshd.8 sshd_config] enable privsep by default; provos ok (historical)