#
bdfa5c1b |
| 02-Jul-2021 |
dtucker <dtucker@openbsd.org> |
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as deprecated alias so config files continue to work and a reference in the man page for people looking for it.
Prompted by bz#3303 which pointed out the discrepancy between the two when used with Match. Man page help & ok jmc@, with & ok djm@
|
#
e1fddbef |
| 09-Apr-2018 |
tj <tj@openbsd.org> |
the UseLogin option was removed, so remove it here too.
ok dtucker
|
#
732e635f |
| 16-Feb-2018 |
djm <djm@openbsd.org> |
stop loading DSA keys by default, remove sshd_config stanza and manpage bits; from Colin Watson via bz#2662, ok dtucker@
|
#
1ed792c4 |
| 14-Mar-2017 |
djm <djm@openbsd.org> |
Mark the sshd_config UsePrivilegeSeparation option as deprecated, effectively making privsep mandatory in sandboxing mode. ok markus@ deraadt@
(note: this doesn't remove the !privsep code paths, though that will happen eventually).
|
#
8915e95c |
| 15-Aug-2016 |
naddy <naddy@openbsd.org> |
Catch up with the SSH1 code removal and delete all mention of protocol 1 particularities, key files and formats, command line options, and configuration keywords from the server documentation and examples. ok jmc@
|
#
2c243dd6 |
| 11-Jul-2016 |
tedu <tedu@openbsd.org> |
obsolete note about fascistloggin is obsolete. ok djm dtucker
|
#
6cf7fd87 |
| 17-Feb-2016 |
djm <djm@openbsd.org> |
make sandboxed privilege separation the default, not just for new installs; "absolutely" deraadt@
|
#
50779363 |
| 06-Aug-2015 |
deraadt <deraadt@openbsd.org> |
add prohibit-password as a synonym for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus
|
#
275150b9 |
| 30-Jul-2015 |
deraadt <deraadt@openbsd.org> |
change default: PermitRootLogin without-password matching install script changes coming as well ok djm markus
|
#
727f4a1b |
| 27-Apr-2015 |
djm <djm@openbsd.org> |
Make sshd default to PermitRootLogin=no; ok deraadt@ rpe@
|
#
386cc376 |
| 02-Feb-2015 |
deraadt <deraadt@openbsd.org> |
increasing encounters with difficult DNS setups in darknets has convinced me UseDNS off by default is better ok djm
|
#
5bf2634b |
| 10-Jan-2014 |
djm <djm@openbsd.org> |
the /etc/ssh/ssh_host_ed25519_key is loaded by default too
|
#
20230816 |
| 29-Oct-2013 |
djm <djm@openbsd.org> |
sshd_config PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option; bz#2070, patch from Teran McKinney; ok markus@
|
#
712a2b12 |
| 07-Sep-2013 |
sthen <sthen@openbsd.org> |
Remove commented-out kerberos/gssapi config options from sample config, kerberos support is currently not enabled in ssh in OpenBSD. Discussed with various people; ok deraadt@
|
#
53eed79d |
| 16-May-2013 |
dtucker <dtucker@openbsd.org> |
Add RekeyLimit to sshd with the same syntax as the client allowing rekeying based on traffic volume or time. ok djm@, help & ok jmc@ for the man page.
|
#
e3a5059c |
| 06-Feb-2013 |
dtucker <dtucker@openbsd.org> |
Change default of MaxStartups to 10:30:100 to start doing random early drop at 10 connections up to 100 connections. This will make it harder to DoS as CPUs have come a long way since the original value was set back in 2000. Prompted by nion at debian org, ok markus@
|
#
ed4ad9c0 |
| 30-Oct-2012 |
djm <djm@openbsd.org> |
new sshd_config option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run as the target server user unless another is specified via a new AuthorizedKeysCommandUser option.
patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@
|
#
be6d2ad5 |
| 10-Jul-2012 |
djm <djm@openbsd.org> |
Turn on systrace sandboxing of pre-auth sshd by default for new installs by shipping a config that overrides the current UsePrivilegeSeparation=yes default. Make it easier to flip the default in the future by adding too. prodded markus@ feedback dtucker@ "get it in" deraadt@
|
#
8aa34bd2 |
| 12-Apr-2012 |
djm <djm@openbsd.org> |
mention AuthorizedPrincipalsFile=none default
|
#
4ac8c3f5 |
| 12-Apr-2012 |
djm <djm@openbsd.org> |
VersionAddendum option to allow server operators to append some arbitrary text to the SSH-... banner; ok deraadt@ "don't care" markus@
|
#
3d892b28 |
| 23-May-2011 |
djm <djm@openbsd.org> |
allow AuthorizedKeysFile to specify multiple files, separated by spaces. Bring back authorized_keys2 as a default search path (to avoid breaking existing users of this file), but override this in sshd_config so it will be no longer used on fresh installs. Maybe in 2015 we can remove it entirely :)
feedback and ok markus@ dtucker@
|
#
f9930b5f |
| 06-May-2011 |
dtucker <dtucker@openbsd.org> |
clarify language about overriding defaults. bz#1892, from Petr Cerny
|
#
a7f102b9 |
| 06-Sep-2010 |
naddy <naddy@openbsd.org> |
add ssh_host_ecdsa_key to /etc; from Mattieu Baptiste <mattieu.b@gmail.com> ok deraadt@
|
#
5c4b6541 |
| 08-Oct-2009 |
markus <markus@openbsd.org> |
disable protocol 1 by default (after a transition period of about 10 years) ok deraadt
|
#
025ef034 |
| 02-Jul-2008 |
djm <djm@openbsd.org> |
increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@
|