History log of /openssh-portable/servconf.h (Results 1 - 25 of 262)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# 793b583d 16-Oct-2020 djm@openbsd.org

upstream: LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7

upstream: LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356

show more ...


Revision tags: V_8_4_P1
# 801c9f09 26-Aug-2020 djm@openbsd.org

upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that

upstream: support for requiring user verified FIDO keys in sshd

This adds a "verify-required" authorized_keys flag and a corresponding
sshd_config option that tells sshd to require that FIDO keys verify the
user identity before completing the signing/authentication attempt.
Whether or not user verification was performed is already baked into the
signature made on the FIDO token, so this is just plumbing that flag
through and adding ways to require it.

feedback and ok markus@

OpenBSD-Commit-ID: 3a2313aae153e043d57763d766bb6d55c4e276e6

show more ...


# 6d755706 05-Jul-2020 djm@openbsd.org

upstream: some language improvements; ok markus

OpenBSD-Commit-ID: 939d787d571b4d5da50b3b721fd0b2ac236acaa8


Revision tags: V_8_3_P1
# c90f72d2 16-Apr-2020 djm@openbsd.org

upstream: make IgnoreRhosts a tri-state option: "yes" ignore

rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
.shosts files but not .rhosts. ok dtucker@

O

upstream: make IgnoreRhosts a tri-state option: "yes" ignore

rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow
.shosts files but not .rhosts. ok dtucker@

OpenBSD-Commit-ID: d08d6930ed06377a80cf53923c1955e9589342e9

show more ...


Revision tags: V_8_2_P1
# 92725d4d 01-Feb-2020 Darren Tucker

Use sys-queue.h from compat library.

Fixes build on platforms that don't have sys/queue.h (eg MUSL).


# c2bd7f74 31-Jan-2020 djm@openbsd.org

upstream: Add a sshd_config "Include" directive to allow inclusion

of files. This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Base

upstream: Add a sshd_config "Include" directive to allow inclusion

of files. This has sensible semantics wrt Match blocks and accepts glob(3)
patterns to specify the included files. Based on patch by Jakub Jelen in
bz2468; feedback and ok markus@

OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff

show more ...


# 56584cce 15-Dec-2019 djm@openbsd.org

upstream: allow security keys to act as host keys as well as user

keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FID

upstream: allow security keys to act as host keys as well as user

keys.

Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.

ok markus@

OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c

show more ...


# 0fddf296 24-Nov-2019 djm@openbsd.org

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested be

upstream: Add a sshd_config PubkeyAuthOptions directive

This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).

ok markus@

OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de

show more ...


Revision tags: V_8_1_P1
# e826bbca 18-Apr-2019 dtucker@openbsd.org

upstream: When running sshd -T, assume any attibute not provided by

-C does not match, which allows it to work when sshd_config contains a Match
directive with or without -C. bz#2858, o

upstream: When running sshd -T, assume any attibute not provided by

-C does not match, which allows it to work when sshd_config contains a Match
directive with or without -C. bz#2858, ok djm@

OpenBSD-Commit-ID: 1a701f0a33e3bc96753cfda2fe0b0378520b82eb

show more ...


Revision tags: V_8_0_P1
# 172a592a 19-Jan-2019 djm@openbsd.org

upstream: convert servconf.c to new packet API

with & ok markus@

OpenBSD-Commit-ID: 126553aecca302c9e02fd77e333b9cb217e623b4


# 928f1231 18-Nov-2018 djm@openbsd.org

upstream: silence (to log level debug2) failure messages when

loading the default hostkeys. Hostkeys explicitly specified in the
configuration or on the command-line are still reported a

upstream: silence (to log level debug2) failure messages when

loading the default hostkeys. Hostkeys explicitly specified in the
configuration or on the command-line are still reported as errors, and
failure to load at least one host key remains a fatal error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on patch from Dag-Erling Smørgrav via
https://github.com/openssh/openssh-portable/pull/103

ok markus@

OpenBSD-Commit-ID: ffc2e35a75d1008effaf05a5e27425041c27b684

show more ...


Revision tags: V_7_9_P1
# 86e5737c 19-Sep-2018 djm@openbsd.org

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban c

upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.

ok markus@

OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac

show more ...


Revision tags: V_7_8_P1
# 2808d18c 09-Jul-2018 markus@openbsd.org

upstream: sshd: switch loginmsg to sshbuf API; ok djm@

OpenBSD-Commit-ID: f3cb4e54bff15c593602d95cc43e32ee1a4bac42


# 95344c25 03-Jul-2018 djm@openbsd.org

upstream: allow sshd_config PermitUserEnvironment to accept a

pattern-list of whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

upstream: allow sshd_config PermitUserEnvironment to accept a

pattern-list of whitelisted environment variable names in addition to yes|no.

bz#1800, feedback and ok markus@

OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24

show more ...


# 28013759 08-Jun-2018 djm@openbsd.org

upstream: add a SetEnv directive for sshd_config to allow an

administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environ

upstream: add a SetEnv directive for sshd_config to allow an

administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.

ok markus@

OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0

show more ...


# 93c06ab6 06-Jun-2018 djm@openbsd.org

upstream: permitlisten option for authorized_keys; ok markus@

OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672


# 115063a6 06-Jun-2018 djm@openbsd.org

upstream: Add a PermitListen directive to control which server-side

addresses may be listened on when the client requests remote forwarding (ssh
-R).

This is the converse of the

upstream: Add a PermitListen directive to control which server-side

addresses may be listened on when the client requests remote forwarding (ssh
-R).

This is the converse of the existing PermitOpen directive and this
includes some refactoring to share much of its implementation.

feedback and ok markus@

OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f

show more ...


# e9d910b0 12-Apr-2018 dtucker@openbsd.org

upstream: Defend against user enumeration timing attacks. This

establishes a minimum time for each failed authentication attempt (5ms) and
adds a per-user constant derived from a host se

upstream: Defend against user enumeration timing attacks. This

establishes a minimum time for each failed authentication attempt (5ms) and
adds a per-user constant derived from a host secret (0-4ms). Based on work
by joona.kannisto at tut.fi, ok markus@ djm@.

OpenBSD-Commit-ID: b7845b355bb7381703339c8fb0e57e81a20ae5ca

show more ...


Revision tags: V_7_7_P1
# 68af80e6 24-Oct-2017 djm@openbsd.org

upstream commit

add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus

upstream commit

add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb

show more ...


# 35eb33fb 24-Oct-2017 djm@openbsd.org

upstream commit

add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

upstream commit

add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5

show more ...


# acf559e1 24-Oct-2017 djm@openbsd.org

upstream commit

Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

upstream commit

Add optional rdomain qualifier to sshd_config's
ListenAddress option to allow listening on a different rdomain(4), e.g.

ListenAddress 0.0.0.0 rdomain 4

Upstream-ID: 24b6622c376feeed9e9be8b9605e593695ac9091

show more ...


# 6f722805 19-Oct-2017 Damien Miller

upstream commit

Apply missing commit 1.127 to servconf.h

Upstream-ID: f14c4bac74a2b7cf1e3cff6bea5c447f192a7d15


Revision tags: V_7_6_P1
# 66bf74a9 02-Oct-2017 djm@openbsd.org

upstream commit

Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@

Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c


# dbee4119 12-Sep-2017 djm@openbsd.org

upstream commit

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "st

upstream commit

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@

Upstream-ID: 11828f161656b965cc306576422613614bea2d8f

show more ...


# 8f574959 24-Jun-2017 djm@openbsd.org

upstream commit

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and

upstream commit

refactor authentication logging

optionally record successful auth methods and public credentials
used in a file accessible to user sessions

feedback and ok markus@

Upstream-ID: 090b93036967015717b9a54fd0467875ae9d32fb

show more ...


1234567891011