path: root/ssh_config.5
AgeCommit message (Collapse)Author
2018-12-07upstream: tweak previous;
OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f
2018-11-23upstream: add a ssh_config "Match final"
Matches in same pass as "Match canonical" but doesn't require hostname canonicalisation be enabled. bz#2906 ok markus OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
2018-10-03upstream: Allow ssh_config IdentityAgent directive to
environment variable names as well as explicit paths. ok dtucker@ OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
2018-09-21upstream: Allow ssh_config ForwardX11Timeout=0 to disable
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
2018-09-21upstream: Treat connections with ProxyJump specified the same as
with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). Patch from Sven Wegener via bz#2896 OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
2018-09-21upstream: reorder CASignatureAlgorithms, and add them to
various -o lists; ok djm OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
2018-09-20upstream: add CASignatureAlgorithms option for the client,
it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
2018-07-31Remove support for S/KeyDamien Miller
Most people will 1) be using modern multi-factor authentication methods like TOTP/OATH etc and 2) be getting support for multi-factor authentication via PAM or BSD Auth.
2018-07-26upstream: Point to glob in section 7 for the actual list of
characters instead the C API in section 3. OK millert jmc nicm, "the right idea" deraadt OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6
2018-07-19upstream: Deprecate UsePrivilegedPort now that support for
ssh(1) setuid has been removed, remove supporting code and clean up references to it in the man pages We have not shipped ssh(1) the setuid bit since 2002. If ayone really needs to make connections from a low port number this can be implemented via a small setuid ProxyCommand. ok markus@ jmc@ djm@ OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
2018-07-04upstream: repair PubkeyAcceptedKeyTypes (and friends) after
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
2018-07-03upstream: Improve strictness and control over RSA-SHA2
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "" and "" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-06-11upstream: sort previous;
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
2018-06-09upstream: add a SetEnv directive to ssh_config that allows
environment variables for the remote session (subject to the server accepting them) refactor SendEnv to remove the arbitrary limit of variable names. ok markus@ OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
2018-06-04upstream: add missing punctuation after %i in ssh_config.5,
make the grammatical format in sshd_config.5 match that in ssh_config.5; OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
2018-06-01upstream: make UID available as a %-expansion everywhere that
username is available currently. In the client this is via %i, in the server %U (since %i was already used in the client in some places for this, but used for something different in the server); bz#2870, ok dtucker@ OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
2018-04-10upstream: lots of typos in comments/docs. Patch from Karsten
after checking with codespell tool ( OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
2018-04-10upstream: tweak previous;
OpenBSD-Commit-ID: 38e347b6f8e888f5e0700d01abb1eba7caa154f9
2018-04-06upstream: Allow "SendEnv -PATTERN" to clear environment
previously labeled for sendind. bz#1285 ok dtucker@ OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
2018-04-06upstream: We don't offer CBC cipher by default any more. Spotted
Renaud Allard (via otto@) OpenBSD-Commit-ID: a559b1eef741557dd959ae378b665a2977d92dca
2018-04-06upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21
interactive and CS1 for bulk AF21 was selected as this is the highest priority within the low-latency service class (and it is higher than what we have today). SSH is elastic and time-sensitive data, where a user is waiting for a response via the network in order to continue with a task at hand. As such, these flows should be considered foreground traffic, with delays or drops to such traffic directly impacting user-productivity. For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable networks implementing a scavanger/lower-than-best effort class to discriminate scp(1) below normal activities, such as web surfing. In general this type of bulk SSH traffic is a background activity. An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH is that they are recognisable values on all common platforms (IANA, and for AF21 specifically a definition of the intended behavior exists in addition to the definition of the Assured Forwarding PHB group, and for CS1 (Lower Effort) there is The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE 802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate", or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e, MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK"). OK deraadt@, "no objection" djm@ OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
2018-02-26upstream: some cleanup for BindInterface and ssh-keyscan;
OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
2018-02-23upstream: Add BindInterface ssh_config directive and
command-line argument to ssh(1) that directs it to bind its outgoing connection to the address of the specified network interface. BindInterface prefers to use addresses that aren't loopback or link- local, but will fall back to those if no other addresses of the required family are available on that interface. Based on patch by Mike Manning in bz#2820, ok dtucker@ OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
2018-02-16upstream: Mention recent DH KEX
diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 From Jakub Jelen via bz#2826 OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
Mention ServerAliveTimeout in context of TCPKeepAlives; prompted by Christoph Anton Mitterer via github OpenBSD-Commit-ID: f0cf1b5bd3f1fbf41d71c88d75d93afc1c880ca2
Shorter, more accurate explanation of NoHostAuthenticationForLocalhost without the confusing example. Prompted by Christoph Anton Mitterer via github and bz#2293. OpenBSD-Commit-ID: 19dc96bea25b80d78d416b581fb8506f1e7b76df
Replace "trojan horse" with the correct term (MITM). From maikel at via bz#2822, ok markus@ OpenBSD-Commit-ID: e86ac64c512057c89edfadb43302ac0aa81a6c53
tweak previous; ok djm Upstream-ID: 7d913981ab315296be1f759c67b6e17aea38fca9
Expose devices allocated for tun/tap forwarding. At the client, the device may be obtained from a new %T expansion for LocalCommand. At the server, the allocated devices will be listed in a SSH_TUNNEL variable exposed to the environment of any user sessions started after the tunnel forwarding was established. ok markus Upstream-ID: e61e53f8ae80566e9ddc0d67a5df5bdf2f3c9f9e
Add URI support to ssh, sftp and scp. For example ssh://user@host or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@ Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
remove unused Pp; Upstream-ID: 8ad26467f1f6a40be887234085a8e01a61a00550
In the description of pattern-lists, clarify negated matches by explicitly stating that a negated match will never yield a positive result, and that at least one positive term in the pattern-list must match. bz#1918 Upstream-ID: 652d2f9d993f158fc5f83cef4a95cd9d95ae6a14
%C is hashed; from klemens nanni ok markus Upstream-ID: 6ebed7b2e1b6ee5402a67875d74f5e2859d8f998
Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH clients side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@ Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
tweak previous; Upstream-ID: bb8cc40b61b15f6a13d81da465ac5bfc65cbfc4b
Expand ssh_config's StrictModes option with two new settings: StrictModes=accept-new will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. StrictModes=off is the same as StrictModes=no Motivation: StrictModes=no combines two behaviours for host key processing: automatically learning new hostkeys and continuing to connect to hosts with invalid/changed hostkeys. The latter behaviour is quite dangerous since it removes most of the protections the SSH protocol is supposed to provide. Quite a few users want to automatically learn hostkeys however, so this makes that feature available with less danger. At some point in the future, StrictModes=no will change to be a synonym for accept-new, with its current behaviour remaining available via StrictModes=off. bz#2400, suggested by Michael Samuel; ok markus Upstream-ID: 0f55502bf75fc93a74fb9853264a8276b9680b64
Allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default; ok dtucker@ Upstream-ID: 77906ff8c7b660b02ba7cb1e47b17d66f54f1f7e
man pages with pseudo synopses which list filenames end up creating very ugly output in man -k; after some discussion with ingo, we feel the simplest fix is to remove such SYNOPSIS sections: the info is hardly helpful at page top, is contained already in FILES, and there are sufficiently few that just zapping them is simple; ok schwarze, who also helpfully ran things through a build to check output; Upstream-ID: 3e211b99457e2f4c925c5927d608e6f97431336c
use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
tweak previous; Upstream-ID: 66987651046c42d142f7318c9695fb81a6d14031
Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
As promised in last release announcement: remove support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@ Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
restore mistakenly deleted description of the ConnectionAttempts option ok markus@ Upstream-ID: 943002b1b7c470caea3253ba7b7348c359de0348
remove miscellaneous SSH1 leftovers; ok markus@ Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
remove SSHv1 configuration options and man pages bits ok markus@ Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
sort; Upstream-ID: 7e6b56e52b039cf44d0418e9de9aca20a2d2d15a
Add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705, patch from erahn at, ok djm@ Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
errant dot; from klemens nanni Upstream-ID: 83d93366a5acf47047298c5d3ebc5e7426f37921
support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
various formatting fixes, specifically removing Dq; Upstream-ID: 81e85df2b8e474f5f93d66e61d9a4419ce87347c