1. 20 Oct, 2018 4 commits
      Adjust various OpenBSD-specific references in manual pages · 96c85e74
      Colin Watson authored
      No single bug reference for this patch, but history includes:
       http://bugs.debian.org/154434 (login.conf(5))
       http://bugs.debian.org/513417 (/etc/rc)
       http://bugs.debian.org/530692 (ssl(8))
       https://bugs.launchpad.net/bugs/456660 (ssl(8))
      
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: openbsd-docs.patch
      Add DebianBanner server configuration option · a18385c6
      Kees Cook authored
      Setting this to "no" causes sshd to omit the Debian revision from its
      initial protocol handshake, for those scared by package-versioning.patch.
      
      Bug-Debian: http://bugs.debian.org/562048
      Forwarded: not-needed
      Last-Update: 2018-10-19
      
      Patch-Name: debian-banner.patch
      Various keepalive extensions · 7ba31c6f
      Richard Kettlewell authored
      Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
      in previous versions of Debian's OpenSSH package but since superseded by
      ServerAliveInterval.  (We're probably stuck with this bit for
      compatibility.)
      
      In batch mode, default ServerAliveInterval to five minutes.
      
      Adjust documentation to match and to give some more advice on use of
      keepalives.
      
      Author: Ian Jackson <ian@chiark.greenend.org.uk>
      Author: Matthew Vernon <matthew@debian.org>
      Author: Colin Watson <cjwatson@debian.org>
      Last-Update: 2018-10-19
      
      Patch-Name: keepalive-extensions.patch
      GSSAPI key exchange support · 72b1d308
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-10-20
      
      Patch-Name: gssapi.patch
  2. 20 Sep, 2018 1 commit
  3. 31 Jul, 2018 1 commit
      Remove support for S/Key · 87f08be0
      Damien Miller authored
      Most people will 1) be using modern multi-factor authentication methods
      like TOTP/OATH etc and 2) be getting support for multi-factor
      authentication via PAM or BSD Auth.
  4. 20 Jul, 2018 1 commit
  5. 04 Jul, 2018 1 commit
      upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA · 312d2f28
      djm@openbsd.org authored
      signature work - returns ability to add/remove/specify algorithms by
      wildcard.
      
      Algorithm lists are now fully expanded when the server/client configs
      are finalised, so errors are reported early and the config dumps
      (e.g. "ssh -G ...") now list the actual algorithms selected.
      
      Clarify that, while wildcards are accepted in algorithm lists, they
      aren't full pattern-lists that support negation.
      
      (lots of) feedback, ok markus@
      
      OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
  6. 03 Jul, 2018 2 commits
      upstream: Improve strictness and control over RSA-SHA2 signature · 4ba0d547
      djm@openbsd.org authored
      In ssh, when an agent fails to return a RSA-SHA2 signature when
      requested and falls back to RSA-SHA1 instead, retry the signature to
      ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
      matches the one in the signature itself.
      
      In sshd, strictly enforce that the public key algorithm sent in the
      SSH_MSG_USERAUTH message matches what appears in the signature.
      
      Make the sshd_config PubkeyAcceptedKeyTypes and
      HostbasedAcceptedKeyTypes options control accepted signature algorithms
      (previously they selected supported key types). This allows these
      options to ban RSA-SHA1 in favour of RSA-SHA2.
      
      Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
      "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
      with certificate keys.
      
      feedback and ok markus@
      
      OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
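The cross-check the commit above describes, worked as an added example (this is not OpenSSH's code): the SSH_MSG_USERAUTH_REQUEST for the publickey method carries a public key algorithm name, and the signature field is itself an RFC 4253 signature blob that names the algorithm it was made with; sshd now rejects the request when the two disagree, and the accepted-algorithms list governs signature algorithms rather than key types. The EXPECTED_SIGALG table, the sample key blob and the signature bytes are constructed for illustration (the cert entries follow the names in the commit message), and no cryptographic verification is performed, only the algorithm consistency check.

```python
import struct

# Model of the algorithm-consistency check described in the commit; the
# mapping is an assumption of this example, not a copy of sshd's table.
SSH_MSG_USERAUTH_REQUEST = 50

EXPECTED_SIGALG = {
    "ssh-rsa": "ssh-rsa",                      # RSA with SHA-1
    "rsa-sha2-256": "rsa-sha2-256",
    "rsa-sha2-512": "rsa-sha2-512",
    "ssh-rsa-cert-v01@openssh.com": "ssh-rsa",
    "rsa-sha2-256-cert-v01@openssh.com": "rsa-sha2-256",
    "rsa-sha2-512-cert-v01@openssh.com": "rsa-sha2-512",
    "ssh-ed25519": "ssh-ed25519",
}


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an RFC 4251 'string' at offset; returns (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_userauth_request(user: str, pkalg: str, keyblob: bytes,
                           sigalg: str, rawsig: bytes) -> bytes:
    """Build a SSH_MSG_USERAUTH_REQUEST (RFC 4252 s.7) for method 'publickey'.
    The signature field is an RFC 4253 s.6.6 blob: string sig-algorithm
    name, string signature bytes."""
    sigblob = ssh_string(sigalg.encode()) + ssh_string(rawsig)
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x01"                           # boolean TRUE: signature present
            + ssh_string(pkalg.encode())
            + ssh_string(keyblob)
            + ssh_string(sigblob))


def parse_userauth_request(msg: bytes) -> dict:
    """Parse the publickey variant and return the two fields sshd must
    compare: the claimed pkalg and the sigalg embedded in the signature."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"publickey":
        raise ValueError("not a publickey request")
    if off >= len(msg) or msg[off] != 1:
        raise ValueError("query-only request carries no signature")
    off += 1
    pkalg, off = read_string(msg, off)
    keyblob, off = read_string(msg, off)
    sigblob, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after signature")
    sigalg, soff = read_string(sigblob, 0)
    rawsig, _ = read_string(sigblob, soff)
    return {"user": user.decode(), "service": service.decode(),
            "pkalg": pkalg.decode(), "keyblob": keyblob,
            "sigalg": sigalg.decode(), "rawsig": rawsig}


def check_sigtype(pkalg: str, sigalg: str, accepted: list) -> str:
    """The two gates the commit tightens. `accepted` plays the role of
    PubkeyAcceptedKeyTypes, now a list of accepted signature algorithms."""
    if pkalg not in accepted:
        return "reject: %s not in PubkeyAcceptedKeyTypes" % pkalg
    expected = EXPECTED_SIGALG.get(pkalg)
    if expected is None:
        return "reject: unknown public key algorithm %s" % pkalg
    if sigalg != expected:
        return "reject: signature is %s but request claimed %s" % (sigalg, pkalg)
    return "ok"


def verify_request(msg: bytes, accepted: list) -> str:
    """Parse a request and apply check_sigtype() to it."""
    req = parse_userauth_request(msg)
    return check_sigtype(req["pkalg"], req["sigalg"], accepted)
```

With `accepted` lacking "ssh-rsa", a client that claims rsa-sha2-256 but has its agent fall back to an SHA-1 signature is refused at the consistency check, which is the downgrade the sshd side of this commit closes; the client side retries the signature so that the two names agree before the request is sent.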
      upstream: allow sshd_config PermitUserEnvironment to accept a · 95344c25
      djm@openbsd.org authored
      pattern-list of whitelisted environment variable names in addition to yes|no.
      
      bz#1800, feedback and ok markus@
      
      OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
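Two of the commits above turn on the same primitive: the PermitUserEnvironment pattern-list just described, and the wildcard expansion of PubkeyAcceptedKeyTypes and friends from the 04 Jul commit (wildcards allowed, negation not). The following is an added example that models both, not OpenSSH's own code. The wildcard matcher, the pattern-list semantics (a matching negated pattern rejects outright) and the +/-/replace handling of algorithm lists are written from the behaviour the commit messages describe; the algorithm names and environment assignments in the test are constructed samples.

```python
import re

# Added model of OpenSSH pattern lists and algorithm-list assembly; an
# assumption of this example, not OpenSSH's own implementation.


def match_pattern(s: str, pattern: str) -> bool:
    """OpenSSH-style wildcard match: '*' matches any run of characters,
    '?' exactly one; everything else is literal. fnmatch is avoided because
    it would also honour [..] character classes."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, s) is not None


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Comma-separated patterns, '!' negates. Returns -1 as soon as a negated
    pattern matches, 1 if some positive pattern matched and no negated one
    did, otherwise 0."""
    got_positive = 0
    for sub in pattern_list.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def filter_user_env(assignments, permit: str) -> list:
    """PermitUserEnvironment: 'no' drops everything, 'yes' keeps everything,
    any other value is a pattern-list of permitted variable names. Only an
    unambiguous positive match (1) lets an assignment through."""
    if permit == "no":
        return []
    kept = []
    for item in assignments:
        name, sep, _value = item.partition("=")
        if not sep or not name:
            continue                        # malformed NAME=value, drop it
        if permit == "yes" or match_pattern_list(name, permit) == 1:
            kept.append(item)
    return kept


def expand_algorithm_list(spec: str, default: list, supported: list) -> list:
    """A leading '+' appends matching algorithms to the default list, a
    leading '-' removes matches from it, anything else replaces it. Wildcards
    are expanded against `supported` when the config is finalised, so an
    unknown name is an error up front; '!' negation is not accepted."""
    if not spec:
        return list(default)
    if spec.startswith("-"):
        pats = spec[1:].split(",")
        if any(p.startswith("!") for p in pats):
            raise ValueError("negation is not supported in algorithm lists")
        result = [a for a in default
                  if not any(match_pattern(a, p) for p in pats)]
    else:
        append = spec.startswith("+")
        result = list(default) if append else []
        for p in (spec[1:] if append else spec).split(","):
            if p.startswith("!"):
                raise ValueError("negation is not supported in algorithm lists")
            matches = [a for a in supported if match_pattern(a, p)]
            if not matches:
                raise ValueError("unsupported algorithm %r" % p)
            for a in matches:
                if a not in result:
                    result.append(a)
    if not result:
        raise ValueError("algorithm list is empty")
    return result
```

Note the asymmetry a practitioner should keep in mind: in a PermitUserEnvironment list a negated pattern wins regardless of order ("LC_*,!LC_TIME" still blocks LC_TIME), whereas an algorithm list that contains "!" is an error, not a filter.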
  7. 25 Jun, 2018 1 commit
  8. 19 Jun, 2018 1 commit
  9. 10 Jun, 2018 1 commit
  10. 09 Jun, 2018 3 commits
  11. 06 Jun, 2018 1 commit
  12. 04 Jun, 2018 3 commits
  13. 01 Jun, 2018 1 commit
      upstream: make UID available as a %-expansion everywhere that the · 9c935dd9
      djm@openbsd.org authored
      username is available currently. In the client this is via %i, in the server
      %U (since %i was already used in the client in some places for this, but used
      for something different in the server); bz#2870, ok dtucker@
      
      OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
  14. 22 May, 2018 1 commit
  15. 10 Apr, 2018 1 commit
  16. 06 Apr, 2018 1 commit
      upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for · 5ee8448a
      job@openbsd.org authored
      interactive and CS1 for bulk
      
      AF21 was selected as this is the highest priority within the low-latency
      service class (and it is higher than what we have today). SSH is elastic
      and time-sensitive data, where a user is waiting for a response via the
      network in order to continue with a task at hand. As such, these flows
      should be considered foreground traffic, with delays or drops to such
      traffic directly impacting user-productivity.
      
      For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
      networks implementing a scavenger/lower-than-best effort class to
      discriminate scp(1) below normal activities, such as web surfing. In
      general this type of bulk SSH traffic is a background activity.
      
      An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
      is that they are recognisable values on all common platforms (IANA
      https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
      for AF21 specifically a definition of the intended behavior exists
      https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
      of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
      for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
      
      The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
      802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
      or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
      MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
      
      OK deraadt@, "no objection" djm@
      
      OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
  17. 16 Feb, 2018 2 commits
  18. 10 Feb, 2018 1 commit
      upstream commit · 62562cea
      djm@openbsd.org authored
      clarify IgnoreUserKnownHosts; based on github PR from
      Christoph Anton Mitterer.
      
      OpenBSD-Commit-ID: 4fff2c17620c342fb2f1f9c2d2e679aab3e589c3
  19. 30 Oct, 2017 2 commits
  20. 25 Oct, 2017 3 commits
      upstream commit · 68af80e6
      djm@openbsd.org authored
      add a "rdomain" criteria for the sshd_config Match
      keyword to allow conditional configuration that depends on which rdomain(4) a
      connection was received on. ok markus@
      
      Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb
      upstream commit · 35eb33fb
      djm@openbsd.org authored
      add sshd_config RDomain keyword to place sshd and the
      subsequent user session (including the shell and any TCP/IP forwardings) into
      the specified rdomain(4)
      
      ok markus@
      
      Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5
      upstream commit · acf559e1
      djm@openbsd.org authored
      Add optional rdomain qualifier to sshd_config's
      ListenAddress option to allow listening on a different rdomain(4), e.g.
      
      ListenAddress 0.0.0.0 rdomain 4
      
      Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091
  21. 20 Oct, 2017 2 commits
      upstream commit · 071325f4
      jmc@openbsd.org authored
      trim permitrootlogin description somewhat, to avoid
      ambiguity; original diff from walter alejandro iglesias, tweaked by sthen and
      myself
      
      ok sthen schwarze deraadt
      
      Upstream-ID: 1749418b2bc073f3fdd25fe21f8263c3637fe5d2
      upstream commit · cfa46825
      benno@openbsd.org authored
      clarify the order in which config statements are used. ok
      jmc@ djm@
      
      Upstream-ID: e37e27bb6bbac71315e22cb9690fd8a556a501ed
  22. 30 Sep, 2017 1 commit
      upstream commit · 5fa1407e
      jmc@openbsd.org authored
      tweak ExposeAuthInfo; diff from lars nooden
      
      tweaked by sthen; ok djm dtucker
      
      Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
  23. 03 Sep, 2017 2 commits
      upstream commit · ff3c4238
      jmc@openbsd.org authored
      remove blank line;
      
      Upstream-ID: 2f46b51a0ddb3730020791719e94d3e418e9f423
      upstream commit · 8042bad9
      djm@openbsd.org authored
      document available AuthenticationMethods; bz#2453 ok
      dtucker@
      
      Upstream-ID: 2c70576f237bb699aff59889dbf2acba4276d3d0
  24. 24 Jul, 2017 1 commit
      upstream commit · 51676ec6
      djm@openbsd.org authored
      Allow IPQoS=none in ssh/sshd to not set an explicit
      ToS/DSCP value and just use the operating system default; ok dtucker@
      
      Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
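The IPQoS commits on this page (the AF21/CS1 defaults in the 06 Apr 2018 entry and IPQoS=none above) reason about DSCP codepoints by name; the following added example works those numbers through and shows what ends up on the socket. It is not OpenSSH's code: the IPQoS option parser is a model of the documented "interactive bulk" / "none" syntax, the DSCP name resolution follows the IANA registry names the commit cites (CSn, AFxy, EF plus numeric values), and `describe()` is a helper invented here for the summary.

```python
import socket

# Added example: DSCP names to bits, and the IP_TOS marking ssh/sshd apply.


def dscp_value(name: str) -> int:
    """Resolve an IANA DSCP name (CSn, AFxy, EF) or a numeric codepoint
    (decimal or 0x-hex) to its 6-bit value."""
    n = name.strip().upper()
    if n == "EF":
        return 46
    if len(n) == 3 and n.startswith("CS") and n[2] in "01234567":
        return int(n[2]) * 8                      # class selector: xxx000
    if len(n) == 4 and n.startswith("AF") and n[2] in "1234" and n[3] in "123":
        return int(n[2]) * 8 + int(n[3]) * 2      # AF: class xxx, drop prec yy0
    value = int(name.strip(), 0)
    if not 0 <= value <= 63:
        raise ValueError("DSCP out of range: %s" % name)
    return value


def precedence(dscp: int) -> int:
    """The top three DSCP bits are the old IP Precedence field, which is what
    gets copied into 802.1D PCP / 802.11e UP / MPLS TC on re-marking."""
    return dscp >> 3


def tos_byte(dscp: int) -> int:
    """DSCP occupies the upper six bits of the ToS byte; the low two bits
    are ECN and are left clear here."""
    return dscp << 2


def parse_ipqos(setting: str):
    """Return (interactive_dscp, bulk_dscp). A single value applies to both
    classes; None means IPQoS none, i.e. leave the OS default untouched."""
    tokens = setting.split()
    if not tokens or len(tokens) > 2:
        raise ValueError("IPQoS takes one or two values")
    vals = [None if t.lower() == "none" else dscp_value(t) for t in tokens]
    if len(vals) == 1:
        vals.append(vals[0])
    return vals[0], vals[1]


def apply_ipqos(sock: socket.socket, dscp) -> int:
    """Mark an AF_INET socket for its session class and return the ToS byte
    the kernel now reports. For AF_INET6 the option is IPV6_TCLASS instead."""
    if dscp is not None:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(dscp))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


def describe(setting: str) -> dict:
    """Summarise what an IPQoS setting puts on the wire for each class."""
    out = {}
    for label, dscp in zip(("interactive", "bulk"), parse_ipqos(setting)):
        out[label] = None if dscp is None else {
            "dscp": dscp, "precedence": precedence(dscp), "tos": tos_byte(dscp)}
    return out
```

For the new defaults this gives AF21 = 18 (0b010010, precedence 2, ToS 0x48) for interactive sessions and CS1 = 8 (0b001000, precedence 1, ToS 0x20) for bulk transfers, which is the mapping to PCP 2 and PCP 1 the commit message states; a "none" value skips the setsockopt entirely.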
  25. 21 Jul, 2017 1 commit
      upstream commit · 1f3d2027
      jmc@openbsd.org authored
      man pages with pseudo synopses which list filenames end
      up creating very ugly output in man -k; after some discussion with ingo, we
      feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly
      helpful at page top, is contained already in FILES, and there are
      sufficiently few that just zapping them is simple;
      
      ok schwarze, who also helpfully ran things through a build to check
      output;
      
      Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
  26. 24 Jun, 2017 1 commit
      upstream commit · f17ee61c
      djm@openbsd.org authored
      correct env var name
      
      Upstream-ID: 721e761c2b1d6a4dcf700179f16fd53a1dadb313