99e85e0d | 28-Oct-2012 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard supp
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline * sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks * ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
show more ...
|
61aab03f | 18-Jun-2019 |
Matthew Dillon <dillon@apollo.backplane.com> |
sshd - Change options defaults to be more secure
* Change the password_authentication default to 0. Passworded logins are NOT considered secure by default in DragonFly.
* Put in a succinct comme
sshd - Change options defaults to be more secure
* Change the password_authentication default to 0. Passworded logins are NOT considered secure by default in DragonFly.
* Put in a succinct comment for both the pam default (0) and the password authentication default (also 0) to try to prevent them from being improper changed back to 1 accidently.
show more ...
|
080b1348 | 19-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
ssh(1): Restore default behaviour.
This part in ad5056c75c7ccd8379444d5b953c08015846e23c should be handled ssh_config. There are no reasons to prevent base ssh(1) and sftp(1) to fallback to passwor
ssh(1): Restore default behaviour.
This part in ad5056c75c7ccd8379444d5b953c08015846e23c should be handled ssh_config. There are no reasons to prevent base ssh(1) and sftp(1) to fallback to password authentification (ssh_config is in user control).
show more ...
|