1. 24 Nov, 2015 1 commit
  2. 17 Sep, 2015 1 commit
    • Restore TCP wrappers support · 1850a2c9
      Colin Watson authored
      Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
      and thread:
      
        https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
      
      It is true that this reduces preauth attack surface in sshd.  On the
      other hand, this support seems to be quite widely used, and abruptly
      dropping it (from the perspective of users who don't read
      openssh-unix-dev) could easily cause more serious problems in practice.
      
      It's not entirely clear what the right long-term answer for Debian is,
      but it at least probably doesn't involve dropping this feature shortly
      before a freeze.
      
      Forwarded: not-needed
      Last-Update: 2014-10-07
      
      Patch-Name: restore-tcp-wrappers.patch
  3. 10 May, 2015 1 commit
    • upstream commit · 8d4d1bfd
      djm@openbsd.org authored
      mention that the user's shell from /etc/passwd is used
       for commands too; bz#1459 ok dtucker@
  4. 17 Nov, 2014 1 commit
    • upstream commit · da8af83d
      bentley@openbsd.org authored
      Reduce instances of `` '' in manuals.
      
      troff displays these as typographic quotes, but nroff implementations
      almost always print them literally, which rarely has the intended effect
      with modern fonts, even in stock xterm.
      
      These uses of `` '' can be replaced either with more semantic alternatives
      or with Dq, which prints typographic quotes in a UTF-8 locale (but will
      automatically fall back to `` '' in an ASCII locale).
      
      improvements and ok schwarze@
  5. 13 Oct, 2014 1 commit
  6. 03 Jul, 2014 1 commit
    • - djm@cvs.openbsd.org 2014/07/03 22:40:43 · 72e6b5c9
      Damien Miller authored
           [servconf.c servconf.h session.c sshd.8 sshd_config.5]
           Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
           executed, mirroring the no-user-rc authorized_keys option;
           bz#2160; ok markus@
  7. 20 Apr, 2014 2 commits
  8. 18 Dec, 2013 1 commit
  9. 07 Dec, 2013 2 commits
  10. 18 Jul, 2013 1 commit
    • - jmc@cvs.openbsd.org 2013/06/27 14:05:37 · fecfd118
      Damien Miller authored
           [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
           do not use Sx for sections outwith the man page - ingo informs me that
           stuff like html will render with broken links;
      
           issue reported by Eric S. Raymond, via djm
  11. 23 Apr, 2013 2 commits
  12. 05 Oct, 2012 1 commit
  13. 20 Jun, 2012 1 commit
  14. 19 May, 2012 1 commit
    • - (dtucker) OpenBSD CVS Sync · fbcf8275
      Darren Tucker authored
         - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
           [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
           Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
           to match.  Feedback and ok djm@ markus@.
  15. 02 Oct, 2011 1 commit
  16. 05 Aug, 2011 1 commit
  17. 29 May, 2011 2 commits
    • - jmc@cvs.openbsd.org 2011/05/23 07:10:21 · b9132fc4
      Damien Miller authored
           [sshd.8 sshd_config.5]
           tweak previous; ok djm
    • OpenBSD CVS Sync · d8478b6a
      Damien Miller authored
         - djm@cvs.openbsd.org 2011/05/23 03:30:07
           [auth-rsa.c auth.c auth.h auth2-pubkey.c monitor.c monitor_wrap.c pathnames.h servconf.c servconf.h sshd.8 sshd_config sshd_config.5]
           allow AuthorizedKeysFile to specify multiple files, separated by spaces.
           Bring back authorized_keys2 as a default search path (to avoid breaking
           existing users of this file), but override this in sshd_config so it will
           be no longer used on fresh installs. Maybe in 2015 we can remove it
           entirely :)
      
           feedback and ok markus@ dtucker@
  18. 04 Nov, 2010 1 commit
  19. 31 Aug, 2010 2 commits
    • - djm@cvs.openbsd.org 2010/08/31 11:54:45 · eb8b60e3
      Damien Miller authored
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
           [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
           [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
           [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
           [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
           [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
           [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
           Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
           host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
           better performance than plain DH and DSA at the same equivalent symmetric
           key length, as well as much shorter keys.
      
           Only the mandatory sections of RFC5656 are implemented, specifically the
           three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
           ECDSA. Point compression (optional in RFC5656) is NOT implemented.
      
           Certificate host and user keys using the new ECDSA key types are supported.
      
           Note that this code has not been tested for interoperability and may be
           subject to change.
      
           feedback and ok markus@
    • - jmc@cvs.openbsd.org 2010/08/08 19:36:30 · afdae616
      Damien Miller authored
           [ssh-keysign.8 ssh.1 sshd.8]
           use the same template for all FILES sections; i.e. -compact/.Pp where we
           have multiple items, and .Pa for path names;
  20. 05 Aug, 2010 1 commit
    • - djm@cvs.openbsd.org 2010/08/04 05:37:01 · 7fa96602
      Damien Miller authored
           [ssh.1 ssh_config.5 sshd.8]
           Remove mentions of weird "addr/port" alternate address format for IPv6
           addresses combinations. It hasn't worked for ages and we have supported
           the more common "[addr]:port" format for a long time. ok jmc@ markus@
  21. 10 May, 2010 1 commit
    • - djm@cvs.openbsd.org 2010/05/07 11:30:30 · 30da3447
      Damien Miller authored
           [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
           [key.c servconf.c servconf.h sshd.8 sshd_config.5]
           add some optional indirection to matching of principal names listed
           in certificates. Currently, a certificate must include the user's name
           to be accepted for authentication. This change adds the ability to
           specify a list of certificate principal names that are acceptable.
      
           When authenticating using a CA trusted through ~/.ssh/authorized_keys,
           this adds a new principals="name1[,name2,...]" key option.
      
           For CAs listed through sshd_config's TrustedCAKeys option, a new config
           option "AuthorizedPrincipalsFile" specifies a per-user file containing
           the list of acceptable names.
      
           If either option is absent, the current behaviour of requiring the
           username to appear in principals continues to apply.
      
           These options are useful for role accounts, disjoint account namespaces
           and "user@realm"-style naming policies in certificates.
      
           feedback and ok markus@
  22. 05 Mar, 2010 1 commit
  23. 04 Mar, 2010 2 commits
  24. 02 Mar, 2010 1 commit
  25. 26 Feb, 2010 1 commit
    • - OpenBSD CVS Sync · 0a80ca19
      Damien Miller authored
         - djm@cvs.openbsd.org 2010/02/26 20:29:54
           [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
           [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
           [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
           [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
           [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
           [sshconnect2.c sshd.8 sshd.c sshd_config.5]
           Add support for certificate key types for users and hosts.
      
           OpenSSH certificate key types are not X.509 certificates, but a much
           simpler format that encodes a public key, identity information and
           some validity constraints and signs it with a CA key. CA keys are
           regular SSH keys. This certificate style avoids the attack surface
           of X.509 certificates and is very easy to deploy.
      
           Certified host keys allow automatic acceptance of new host keys
           when a CA certificate is marked as sh/known_hosts.
           See VERIFYING HOST KEYS in ssh(1) for details.
      
           Certified user keys allow authentication of users when the signing
           CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
           FILE FORMAT" in sshd(8) for details.
      
           Certificates are minted using ssh-keygen(1), documentation is in
           the "CERTIFICATES" section of that manpage.
      
           Documentation on the format of certificates is in the file
           PROTOCOL.certkeys
      
           feedback and ok markus@
  26. 02 Feb, 2010 1 commit
  27. 11 Oct, 2009 1 commit
  28. 21 Jun, 2009 1 commit
  29. 03 Nov, 2008 1 commit
  30. 02 Jul, 2008 1 commit
  31. 12 Jun, 2008 1 commit
  32. 10 Jun, 2008 3 commits
    • - djm@cvs.openbsd.org 2008/06/10 23:06:19 · 896ad5a4
      Darren Tucker authored
           [auth-options.c match.c servconf.c addrmatch.c sshd.8]
           support CIDR address matching in .ssh/authorized_keys from="..." stanzas
           ok and extensive testing dtucker@
    • - jmc@cvs.openbsd.org 2008/06/10 08:17:40 · e7f3f756
      Darren Tucker authored
           [sshd.8 sshd.c]
           - update usage()
           - fix SYNOPSIS, and sort options
           - some minor additional fixes
    • - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 · e7140f20
      Darren Tucker authored
           [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
           Add extended test mode (-T) and connection parameters for test mode (-C).
           -T causes sshd to write its effective configuration to stdout and exit.
           -C causes any relevant Match rules to be applied before output.  The
           combination allows testing of the parser and config files.  ok deraadt djm