summaryrefslogtreecommitdiffstats
path: root/servconf.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* - djm@cvs.openbsd.org 2014/01/29 06:18:35Damien Miller2014-02-041-3/+1
| | | | | | | [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c] [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h] [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c] remove experimental, never-enabled JPAKE code; ok markus@
* - djm@cvs.openbsd.org 2013/12/05 01:16:41Damien Miller2013-12-051-1/+4
| | | | | | | [servconf.c servconf.h] bz#2161 - fix AuthorizedKeysCommand inside a Match block and rearrange things so the same error is harder to make next time; with and ok dtucker@
* - djm@cvs.openbsd.org 2013/10/29 09:48:02Damien Miller2013-10-301-1/+2
| | | | | | | [servconf.c servconf.h session.c sshd_config sshd_config.5] shd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
* - markus@cvs.openbsd.org 2013/07/19 07:37:48Damien Miller2013-07-201-1/+2
| | | | | | | | [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c] [servconf.h session.c sshd.c sshd_config.5] add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974 ok djm@
* - dtucker@cvs.openbsd.org 2013/05/16 04:09:14Darren Tucker2013-05-161-1/+4
| | | | | | | [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
* - djm@cvs.openbsd.org 2013/01/03 05:49:36Damien Miller2013-01-091-1/+3
| | | | | | | [servconf.h] add a couple of ServerOptions members that should be copied to the privsep child (for consistency, in this case they happen only to be accessed in the monitor); ok dtucker@
* - djm@cvs.openbsd.org 2012/12/02 20:46:11Damien Miller2012-12-021-2/+8
| | | | | | | | [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@
* - djm@cvs.openbsd.org 2012/11/04 11:09:15Damien Miller2012-11-041-1/+6
| | | | | | | | | | [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c] [sshd_config.5] Support multiple required authentication via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete; feedback and ok markus@
* - djm@cvs.openbsd.org 2012/10/30 21:29:55Damien Miller2012-10-301-1/+3
| | | | | | | | | | | | [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
* - djm@cvs.openbsd.org 2012/07/10 02:19:15Damien Miller2012-07-311-2/+2
| | | | | | | [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.
* - markus@cvs.openbsd.org 2012/06/19 18:25:28Damien Miller2012-06-201-1/+6
| | | | | | | [servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' ok djm@ (back in March)
* - (dtucker) OpenBSD CVS SyncDarren Tucker2012-05-191-5/+17
| | | | | | | - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5] Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests to match. Feedback and ok djm@ markus@.
* - djm@cvs.openbsd.org 2012/04/12 02:42:32Damien Miller2012-04-221-1/+3
| | | | | | [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
* - djm@cvs.openbsd.org 2011/06/22 21:57:01Damien Miller2011-06-231-1/+6
| | | | | | | | | | | | | | | | | | | | | | [servconf.c servconf.h sshd.c sshd_config.5 sandbox-rlimit.c] [sandbox-systrace.c sandbox.h configure.ac Makefile.in] introduce sandboxing of the pre-auth privsep child using systrace(4). This introduces a new "UsePrivilegeSeparation=sandbox" option for sshd_config that applies mandatory restrictions on the syscalls the privsep child can perform. This prevents a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. The sandbox is implemented using systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option. UsePrivilegeSeparation=sandbox will become the default in the future so please start testing it now. feedback dtucker@; ok markus@
* OpenBSD CVS SyncDamien Miller2011-05-291-3/+5
| | | | | | | | | | | | - djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
* - djm@cvs.openbsd.org 2011/05/20 03:25:45Damien Miller2011-05-201-1/+15
| | | | | | | | | [monitor.c monitor_wrap.c servconf.c servconf.h] use a macro to define which string options to copy between configs for Match. This avoids problems caused by forgetting to keep three code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@
* - djm@cvs.openbsd.org 2011/05/11 04:47:06Damien Miller2011-05-151-2/+1
| | | | | | | [auth.c auth.h auth2-pubkey.c pathnames.h servconf.c servconf.h] remove support for authorized_keys2; it is a relic from the early days of protocol v.2 support and has been undocumented for many years; ok markus@
* - djm@cvs.openbsd.org 2010/11/13 23:27:51Damien Miller2010-11-201-1/+3
| | | | | | | | | [clientloop.c misc.c misc.h packet.c packet.h readconf.c readconf.h] [servconf.c servconf.h session.c ssh.c ssh_config.5 sshd_config.5] allow ssh and sshd to set arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 patch from philipp AT redfish-solutions.com; ok markus@ deraadt@
* - djm@cvs.openbsd.org 2010/09/22 05:01:30Damien Miller2010-09-241-1/+2
| | | | | | | | | [kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c readconf.c readconf.h] [servconf.c servconf.h ssh_config.5 sshconnect2.c sshd.c sshd_config.5] add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. ok markus@
* - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller2010-05-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
* - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller2010-03-041-1/+3
| | | | | | | | | | | | | | | [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
* - OpenBSD CVS SyncDamien Miller2010-02-261-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* - djm@cvs.openbsd.org 2010/01/13 03:48:13Darren Tucker2010-01-131-1/+2
| | | | | | [servconf.c servconf.h sshd.c] avoid run-time failures when specifying hostkeys via a relative path by prepending the cwd in these cases; bz#1290; ok dtucker@
* - dtucker@cvs.openbsd.org 2010/01/09 23:04:13Darren Tucker2010-01-101-3/+1
| | | | | | | | | | | | | | | [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c readconf.h scp.1 sftp.1 ssh_config.5 misc.h] Remove RoutingDomain from ssh since it's now not needed. It can be replaced with "route exec" or "nc -V" as a proxycommand. "route exec" also ensures that trafic such as DNS lookups stays withing the specified routingdomain. For example (from reyk): # route -T 2 exec /usr/sbin/sshd or inherited from the parent process $ route -T 2 exec sh $ ssh 10.1.2.3 ok deraadt@ markus@ stevesk@ reyk@
* - reyk@cvs.openbsd.org 2009/10/28 16:38:18Darren Tucker2010-01-081-1/+3
| | | | | | | | [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 sftp.1 sshd_config.5 readconf.c ssh.c misc.c] Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. ok markus@
* - djm@cvs.openbsd.org 2009/01/22 10:02:34Damien Miller2009-01-281-4/+4
| | | | | | | | | | | [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] [serverloop.c ssh-keyscan.c ssh.c sshd.c] make a2port() return -1 when it encounters an invalid port number rather than 0, which it will now treat as valid (needed for future work) adjust current consumers of a2port() to check its return value is <= 0, which in turn required some things to be converted from u_short => int make use of int vs. u_short consistent in some other places too feedback & ok markus@
* - djm@cvs.openbsd.org 2008/11/04 08:22:13Damien Miller2008-11-051-1/+3
| | | | | | | | | | | | | | | | | | | | | [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] [Makefile.in] Add support for an experimental zero-knowledge password authentication method using the J-PAKE protocol described in F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling", 16th Workshop on Security Protocols, Cambridge, April 2008. This method allows password-based authentication without exposing the password to the server. Instead, the client and server exchange cryptographic proofs to demonstrate of knowledge of the password while revealing nothing useful to an attacker or compromised endpoint. This is experimental, work-in-progress code and is presently compiled-time disabled (turn on -DJPAKE in Makefile.inc). "just commit it. It isn't too intrusive." deraadt@
* - dtucker@cvs.openbsd.org 2008/06/10 04:50:25Darren Tucker2008-06-101-1/+2
| | | | | | | | [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] Add extended test mode (-T) and connection parameters for test mode (-C). -T causes sshd to write its effective configuration to stdout and exit. -C causes any relevant Match rules to be applied before output. The combination allows tesing of the parser and config files. ok deraadt djm
* - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller2008-05-191-1/+3
| | | | | | | | | | | | | | | | | [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
* - pyr@cvs.openbsd.org 2008/05/07 05:49:37Damien Miller2008-05-191-1/+2
| | | | | | | | | | | [servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@
* - djm@cvs.openbsd.org 2008/02/13 22:38:17Damien Miller2008-03-071-1/+4
| | | | | | | [servconf.h session.c sshd.c] rekey arc4random and OpenSSL RNG in postauth child closefrom fds > 2 before shell/command execution ok markus@
* - djm@cvs.openbsd.org 2008/02/08 23:24:07Damien Miller2008-02-101-1/+3
| | | | | | | | [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
* - dtucker@cvs.openbsd.org 2007/02/19 10:45:58Darren Tucker2007-02-191-2/+2
| | | | | | | | [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] Teach Match how handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@
* - dtucker@cvs.openbsd.org 2006/08/14 12:40:25Damien Miller2006-08-181-1/+2
| | | | | | [servconf.c servconf.h sshd_config.5] Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@.
* - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller2006-08-051-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
* - dtucker@cvs.openbsd.org 2006/07/21 12:43:36Damien Miller2006-07-241-1/+3
| | | | | | | [channels.c channels.h servconf.c servconf.h sshd_config.5] Make PermitOpen take a list of permitted ports and act more like most other keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@
* - dtucker@cvs.openbsd.org 2006/07/19 13:07:10Damien Miller2006-07-241-1/+3
| | | | | | | [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
* - dtucker@cvs.openbsd.org 2006/07/12 11:34:58Darren Tucker2006-07-121-3/+8
| | | | | | | | | | | | | | [sshd.c servconf.h servconf.c sshd_config.5 auth.c] Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@
* - djm@cvs.openbsd.org 2006/07/06 10:47:05Damien Miller2006-07-101-1/+2
| | | | | [servconf.c servconf.h session.c sshd_config.5] support arguments to Subsystem commands; ok markus@
* - djm@cvs.openbsd.org 2006/03/25 22:22:43Damien Miller2006-03-261-1/+1
| | | | | | | | | | | | | | [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] [ttymodes.h uidswap.h uuencode.h xmalloc.h] standardise spacing in $OpenBSD$ tags; requested by deraadt@
* - reyk@cvs.openbsd.org 2005/12/06 22:38:28Damien Miller2005-12-131-1/+4
| | | | | | | | | | | | | | | | | [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
* - djm@cvs.openbsd.org 2004/12/23 23:11:00Darren Tucker2005-01-201-1/+2
| | | | | | [servconf.c servconf.h sshd.c sshd_config sshd_config.5] bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz; ok deraadt@
* - djm@cvs.openbsd.org 2004/06/24 19:30:54Darren Tucker2004-06-251-3/+5
| | | | | [servconf.c servconf.h sshd.c] re-exec sshd on accept(); initial work, final debugging and ok markus@
* - dtucker@cvs.openbsd.org 2004/05/23 23:59:53Darren Tucker2004-05-241-1/+3
| | | | | [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
* - djm@cvs.openbsd.org 2004/04/27 09:46:37Darren Tucker2004-05-021-1/+5
| | | | | | | [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c ssh_config.5 sshd_config.5] bz #815: implement ability to pass specified environment variables from the client to the server; ok markus@
* - jakob@cvs.openbsd.org 2003/12/23 16:12:10Darren Tucker2003-12-311-1/+3
| | | | | [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@
* - markus@cvs.openbsd.org 2003/12/09 21:53:37Damien Miller2003-12-171-2/+2
| | | | | | | [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1] [ssh_config.5 sshconnect.c sshd.c sshd_config.5] rename keepalive to tcpkeepalive; the old name causes too much confusion; ok djm, dtucker; with help from jmc@
* - markus@cvs.openbsd.org 2003/09/01 18:15:50Damien Miller2003-09-021-3/+1
| | | | | [readconf.c readconf.h servconf.c servconf.h ssh.c] remove unused kerberos code; ok henning@
* - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker2003-08-261-1/+3
| | | | | | | | | [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
* - markus@cvs.openbsd.org 2003/08/13 08:46:31Darren Tucker2003-08-131-3/+1
| | | | | | | [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others