path: root/usr.bin/ssh/sshd_config.5
Commit log (each entry: commit message, then author, date, files changed and lines removed/added):

* UsePrivilegeSeparation defaults to sandbox now.
  ok djm@
  sobrado, 2015-10-07, 1 file, -4/+9

* more clarity on what AuthorizedKeysFile=none does;
  based on diff by Thiebaud Weksteen
  djm, 2015-09-11, 1 file, -2/+5

* match myproposal.h order; from brian conway
  (i snuck in a tweak while here) ok dtucker
  jmc, 2015-08-14, 1 file, -5/+5

* add prohibit-password as a synonym for without-password, since the
  without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled). from djm, ok markus
  deraadt, 2015-08-06, 1 file, -4/+7

* change default: PermitRootLogin without-password
  matching install script changes coming as well. ok djm markus
  deraadt, 2015-07-30, 1 file, -2/+2

* Allow ssh_config and sshd_config kex parameters options to be prefixed
  by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@
  djm, 2015-07-30, 1 file, -2/+24

* mention that the default of UseDNS=no implies that hostnames cannot
  be used for host matching in sshd_config and authorized_keys; bz#2045, ok dtucker@
  djm, 2015-07-20, 1 file, -5/+14

* Turn off DSA by default; add HostKeyAlgorithms to the server and
  PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
  markus, 2015-07-10, 1 file, -9/+51

* refuse to generate or accept RSA keys smaller than 1024 bits;
  feedback and ok dtucker@
  djm, 2015-07-03, 1 file, -3/+3

* typo: accidental repetition; bz#2386
  djm, 2015-06-05, 1 file, -3/+3

* add knob to relax GSSAPI host credential check for multihomed hosts
  bz#928, patch by Simon Wilkinson; ok dtucker (kerberos/GSSAPI is not compiled by default on OpenBSD)
  djm, 2015-05-22, 1 file, -2/+17

* add AuthorizedPrincipalsCommand that allows getting authorized_principals
  from a subprocess rather than a file, which is quite useful in deployments with large userbases. feedback and ok markus@
  djm, 2015-05-21, 1 file, -1/+37

* support arguments to AuthorizedKeysCommand
  bz#2081, loosely based on patch by Sami Hartikainen. feedback and ok markus@
  djm, 2015-05-21, 1 file, -5/+17

* Allow ListenAddress, Port and AddressFamily in any order. bz#68,
  ok djm@, jmc@ (for the man page bit).
  dtucker, 2015-04-29, 1 file, -6/+3

* enviroment -> environment: apologies to darren for not spotting that first
  time round...
  jmc, 2015-04-28, 1 file, -2/+2

* Fix typo in previous
  dtucker, 2015-04-28, 1 file, -2/+2

* Document that the TERM environment variable is not subject to SendEnv
  and AcceptEnv. bz#2386, based loosely on a patch from jjelen at redhat, help and ok jmc@
  dtucker, 2015-04-28, 1 file, -3/+7

* Make sshd default to PermitRootLogin=no;
  ok deraadt@ rpe@
  djm, 2015-04-27, 1 file, -3/+3

* Document "none" for PidFile XAuthLocation TrustedUserCAKeys and RevokedKeys.
  bz#2382, feedback from jmc@, ok djm@
  dtucker, 2015-04-16, 1 file, -6/+14

* sort options usable under Match case-insensitively;
  prodded jmc@
  djm, 2015-02-20, 1 file, -3/+3

* more options that are available under Match;
  bz#2353 reported by calestyo AT scientia.net
  djm, 2015-02-20, 1 file, -4/+10

* increasing encounters with difficult DNS setups in darknets has
  convinced me UseDNS off by default is better. ok djm
  deraadt, 2015-02-02, 1 file, -3/+3

* heirarchy -> hierarchy;
  jmc, 2015-01-22, 1 file, -2/+2

* Provide a warning about chroot misuses (which sadly, seem to have become
  quite popular because shiny). sshd cannot detect/manage/do anything about these cases; best we can do is warn in the right spot in the man page. ok markus
  deraadt, 2015-01-22, 1 file, -4/+13

* add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
  options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
  djm, 2015-01-13, 1 file, -2/+26

* mention ssh -Q feature to list supported { MAC, cipher, KEX, key }
  algorithms in more places and include the query string used to list the relevant information; bz#2288
  djm, 2014-12-22, 1 file, -2/+18

* tweak previous;
  jmc, 2014-12-22, 1 file, -2/+2

* correct description of what will happen when an AuthorizedKeysCommand is
  specified but AuthorizedKeysCommandUser is not (sshd will refuse to start)
  djm, 2014-12-22, 1 file, -3/+7

* remember which public keys have been used for authentication and
  refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ pubkeys. ok markus@
  djm, 2014-12-22, 1 file, -2/+14

* tweak previous;
  jmc, 2014-12-21, 1 file, -2/+1

* Add FingerprintHash option to control algorithm used for key
  fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
  djm, 2014-12-21, 1 file, -2/+11

* revert chunk I didn't mean to commit yet; via jmc@
  djm, 2014-12-12, 1 file, -14/+2

* mention AuthorizedKeysCommandUser must be set for
  AuthorizedKeysCommand to be run; bz#2287
  djm, 2014-12-11, 1 file, -2/+17

* restore word zapped in previous, and remove some useless "No" macros;
  jmc, 2014-11-22, 1 file, -4/+5

* /dev/random has created the same effect as /dev/arandom (and /dev/urandom)
  for quite some time. Mop up the last few, by using /dev/random where we actually want it, or not even mentioning arandom where it is irrelevant.
  deraadt, 2014-11-22, 1 file, -4/+2

* mention permissions on tun(4) devices in PermitTunnel documentation;
  bz#2273
  djm, 2014-09-09, 1 file, -2/+6

* typo.
  sobrado, 2014-08-30, 1 file, -3/+3

* some systems no longer need /dev/log;
  issue noticed by jirib; ok deraadt
  schwarze, 2014-07-28, 1 file, -4/+4

* Add support for Unix domain socket forwarding. A remote TCP port
  may be forwarded to a local Unix domain socket and vice versa, or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
  millert, 2014-07-15, 1 file, -2/+49

* Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
  executed, mirroring the no-user-rc authorized_keys option; bz#2160; ok markus@
  djm, 2014-07-03, 1 file, -2/+9

* sync available and default algorithms, improve algorithm list formatting
  help from jmc@ and schwarze@, ok deraadt@
  naddy, 2014-03-28, 1 file, -33/+103

* bz#2184 clarify behaviour of a keyword that appears in multiple
  matching Match blocks; ok dtucker@
  djm, 2014-02-27, 1 file, -2/+6

* document kbdinteractiveauthentication;
  requested From: Ross L Richardson; dtucker/markus helped explain its workings;
  jmc, 2014-01-29, 1 file, -2/+13

* Use a literal for the default value of KEXAlgorithms. ok deraadt jmc
  dtucker, 2013-12-08, 1 file, -10/+10

* add missing mentions of ed25519; ok djm@
  naddy, 2013-12-07, 1 file, -4/+6

* no need for .Pp before displays;
  jmc, 2013-11-21, 1 file, -2/+1

* Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com"
  that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC. ok markus@ naddy@
  djm, 2013-11-21, 1 file, -4/+14

* the default kex is now curve25519-sha256@libssh.org
  markus, 2013-11-02, 1 file, -2/+3

* pty(4), not pty(7);
  jmc, 2013-10-29, 1 file, -2/+2

* sshd_config PermitTTY to disallow TTY allocation, mirroring the
  longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
  djm, 2013-10-29, 1 file, -2/+9