Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessi

Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allows multiplexed sessions.

Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of than exiting with fatal().

bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com

ok markus@

show more ...

push the sshd_config bits in, spotted by ajacoutot@

add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@

Support "Banner=none" to disable displaying of the pre-login banner;
ok dtucker@ deraadt@

Disable the legacy SSH protocol 1 for new installations via
a configuration override. In the future, we will change the
server's default itself so users who need the legacy protocol
will need to turn

Disable the legacy SSH protocol 1 for new installations via
a configuration override. In the future, we will change the
server's default itself so users who need the legacy protocol
will need to turn it on explicitly

show more ...

Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections,

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

show more ...

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they i

add a new compression method that delays compression until the user
has been authenticated successfully and set compression to 'delayed'
for sshd.

this breaks older openssh clients (< 3.5) if they insist on
compression, so you have to re-enable compression in sshd_config.
ok djm@

show more ...

whitespace nit, from grunk AT pestilenz.org

bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz
ok deraadt@

Add MaxAuthTries sshd config option; ok markus@

KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK

implement KerberosGetAFSToken server option. ok markus@, beck@

GSSAPICleanupCreds -> GSSAPICleanupCredentials

remove kerberos support from ssh1, since it has been replaced with GSSAPI;
but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...

support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.

remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others

remove AFS; itojun@

sync some implemented options; ok markus@

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyRev

deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
ok deraadt@, djm@

show more ...

sync LoginGraceTime with default

change LoginGraceTime default to 1 minute; ok mouring@ markus@

add PermitUserEnvironment (off by default!); from dot@dotat.at; ok provos, deraadt

add Compression

refer to config file man page