summaryrefslogtreecommitdiffstats
path: root/sshd_config (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Use "prohibit-password" in -portable comments.Darren Tucker2022-11-071-1/+1
| | | | | "without-password" is the deprecated alias for "prohibit-password", so we should reference the latter. From emaste at freebsd.org.
* Replace remaining references to ChallengeResponse.Darren Tucker2021-07-031-3/+3
| | | | | Portable had a few additional references to ChallengeResponse related to UsePAM, replaces these with equivalent keyboard-interactive ones.
* upstream: Remove references to ChallengeResponseAuthentication indtucker@openbsd.org2021-07-021-2/+2
| | | | | | | | | | | | | favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it. Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@ OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
* upstream: the UseLogin option was removed, so remove it here too.tj@openbsd.org2018-04-101-2/+1
| | | | | | ok dtucker OpenBSD-Commit-ID: 7080be73a64d68e21f22f5408a67a0ba8b1b6b06
* upstream: stop loading DSA keys by default, remove sshd_configdjm@openbsd.org2018-02-161-2/+1
| | | | | | stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@ OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
* upstream commitdjm@openbsd.org2017-03-151-2/+1
| | | | | | | | | | | Mark the sshd_config UsePrivilegeSeparation option as deprecated, effectively making privsep mandatory in sandboxing mode. ok markus@ deraadt@ (note: this doesn't remove the !privsep code paths, though that will happen eventually). Upstream-ID: b4c52666256c4dd865f8ce9431af5d6ce2d74a0a
* upstream commitnaddy@openbsd.org2016-08-231-15/+2
| | | | | | | | | Catch up with the SSH1 code removal and delete all mention of protocol 1 particularities, key files and formats, command line options, and configuration keywords from the server documentation and examples. ok jmc@ Upstream-ID: 850328854675b4b6a0d4a90f0b4a9dd9ca4e905f
* upstream committedu@openbsd.org2016-07-141-2/+1
| | | | | | | obsolete note about fascistloggin is obsolete. ok djm dtucker Upstream-ID: dae60df23b2bb0e89f42661ddd96a7b0d1b7215a
* upstream commitdjm@openbsd.org2016-02-171-2/+2
| | | | | | | make sandboxed privilege separation the default, not just for new installs; "absolutely" deraadt@ Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
* upstream commitV_7_0_P1deraadt@openbsd.org2015-08-111-2/+2
| | | | | | | | | add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
* upstream commitderaadt@openbsd.org2015-08-021-2/+2
| | | | | | | change default: PermitRootLogin without-password matching install script changes coming as well ok djm markus Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
* upstream commitdjm@openbsd.org2015-04-291-2/+2
| | | | | Make sshd default to PermitRootLogin=no; ok deraadt@ rpe@
* upstream commitderaadt@openbsd.org2015-02-031-2/+2
| | | | | increasing encounters with difficult DNS setups in darknets has convinced me UseDNS off by default is better ok djm
* - djm@cvs.openbsd.org 2014/01/10 05:59:19Damien Miller2014-01-121-1/+2
| | | | | [sshd_config] the /etc/ssh/ssh_host_ed25519_key is loaded by default too
* - djm@cvs.openbsd.org 2013/10/29 09:48:02Damien Miller2013-10-301-1/+3
| | | | | | | [servconf.c servconf.h session.c sshd_config sshd_config.5] shd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
* - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.Darren Tucker2013-09-181-2/+2
|
* - sthen@cvs.openbsd.org 2013/09/07 13:53:11Damien Miller2013-09-141-1/+1
| | | | | | | | [sshd_config] Remove commented-out kerberos/gssapi config options from sample config, kerberos support is currently not enabled in ssh in OpenBSD. Discussed with various people; ok deraadt@ ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
* - dtucker@cvs.openbsd.org 2013/05/16 04:09:14Darren Tucker2013-05-161-1/+4
| | | | | | | [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
* - dtucker@cvs.openbsd.org 2013/02/06 00:20:42Damien Miller2013-02-121-2/+2
| | | | | | | | [servconf.c sshd_config sshd_config.5] Change default of MaxStartups to 10:30:100 to start doing random early drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. Prompted by nion at debian org, ok markus@
* - djm@cvs.openbsd.org 2012/10/30 21:29:55Damien Miller2012-10-301-1/+4
| | | | | | | | | | | | [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h] [sshd.c sshd_config sshd_config.5] new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another specified via a new AuthorizedKeysCommandUser option. patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
* - djm@cvs.openbsd.org 2012/07/10 02:19:15Damien Miller2012-07-311-2/+2
| | | | | | | [servconf.c servconf.h sshd.c sshd_config] Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too.
* - djm@cvs.openbsd.org 2012/04/12 02:43:55Damien Miller2012-04-221-1/+3
| | | | | [sshd_config sshd_config.5] mention AuthorizedPrincipalsFile=none default
* - djm@cvs.openbsd.org 2012/04/12 02:42:32Damien Miller2012-04-221-1/+2
| | | | | | [servconf.c servconf.h sshd.c sshd_config sshd_config.5] VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
* OpenBSD CVS SyncDamien Miller2011-05-291-2/+5
| | | | | | | | | | | | - djm@cvs.openbsd.org 2011/05/23 03:30:07 [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5] allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entierly :) feedback and ok markus@ dtucker@
* - dtucker@cvs.openbsd.org 2011/05/06 01:03:35Damien Miller2011-05-151-2/+2
| | | | | [sshd_config] clarify language about overriding defaults. bz#1892, from Petr Cerny
* - naddy@cvs.openbsd.org 2010/09/06 17:10:19Damien Miller2010-09-101-1/+2
| | | | | | | [sshd_config] add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@
* - (dtucker) OpenBSD CVS SyncDarren Tucker2009-10-111-5/+3
| | | | | | | - markus@cvs.openbsd.org 2009/10/08 14:03:41 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
* - djm@cvs.openbsd.org 2008/07/02 02:24:18Darren Tucker2008-07-021-2/+2
| | | | | | [sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
* - djm@cvs.openbsd.org 2008/05/08 12:21:16Damien Miller2008-05-191-1/+2
| | | | | | | | | | | | | | | | | [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@
* - pyr@cvs.openbsd.org 2008/05/07 06:43:35Damien Miller2008-05-191-1/+2
| | | | | [sshd_config] push the sshd_config bits in, spotted by ajacoutot@
* - djm@cvs.openbsd.org 2008/02/08 23:24:07Damien Miller2008-02-101-1/+2
| | | | | | | | [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
* - djm@cvs.openbsd.org 2007/08/23 03:22:16Damien Miller2007-09-171-2/+2
| | | | | | [auth2-none.c sshd_config sshd_config.5] Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@
* - djm@cvs.openbsd.org 2007/03/19 01:01:29Darren Tucker2007-03-211-2/+6
| | | | | | | | [sshd_config] Disable the legacy SSH protocol 1 for new installations via a configuration override. In the future, we will change the server's default itself so users who need the legacy protocol will need to turn it on explicitly
* - dtucker@cvs.openbsd.org 2006/07/19 13:07:10Damien Miller2006-07-241-1/+7
| | | | | | | [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@
* - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect currentDarren Tucker2006-02-231-6/+7
| | | | reality. Pointed out by tryponraj at gmail.com.
* - reyk@cvs.openbsd.org 2005/12/06 22:38:28Damien Miller2005-12-131-1/+2
| | | | | | | | | | | | | | | | | [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others
* - markus@cvs.openbsd.org 2005/07/25 11:59:40Damien Miller2005-07-261-2/+2
| | | | | | | | | | | [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] [sshconnect2.c sshd.c sshd_config sshd_config.5] add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@
* - djm@cvs.openbsd.org 2005/05/19 02:40:52Damien Miller2005-05-261-2/+2
| | | | | [sshd_config] whitespace nit, from grunk AT pestilenz.org
* - djm@cvs.openbsd.org 2004/12/23 23:11:00Darren Tucker2005-01-201-1/+2
| | | | | | [servconf.c servconf.h sshd.c sshd_config sshd_config.5] bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz; ok deraadt@
* - dtucker@cvs.openbsd.org 2004/05/23 23:59:53Darren Tucker2004-05-241-1/+2
| | | | | [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config sshd_config.5] Add MaxAuthTries sshd config option; ok markus@
* - (djm) Explain consequences of UsePAM=yes a little better in sshd_config;Damien Miller2004-05-231-3/+8
| | | | ok dtucker@
* - millert@cvs.openbsd.org 2003/12/29 16:39:50Darren Tucker2003-12-311-2/+2
| | | | | [sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
* - jakob@cvs.openbsd.org 2003/12/23 16:12:10Darren Tucker2003-12-311-1/+2
| | | | | [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@
* - (djm) Clarify UsePAM consequences a little moreDamien Miller2003-11-061-1/+1
|
* - markus@cvs.openbsd.org 2003/09/29 20:19:57Darren Tucker2003-10-021-2/+2
| | | | | [servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials
* [sshd_config] UsePAM defaults to no.Tim Rice2003-09-261-1/+1
|
* - markus@cvs.openbsd.org 2003/08/28 12:54:34Damien Miller2003-09-021-2/+1
| | | | | | | | [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
* - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker2003-08-261-1/+5
| | | | | | | | | [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.
* - markus@cvs.openbsd.org 2003/08/13 08:46:31Darren Tucker2003-08-131-5/+3
| | | | | | | [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, fgsch@, miod@, henning@, jakob@ and others
* - markus@cvs.openbsd.org 2003/07/23 07:42:43Darren Tucker2003-08-021-5/+1
| | | | | [sshd_config] remove AFS; itojun@