Name Date Size #Lines LOC

..21-Feb-2019-

contrib/H15-Feb-2018-

openbsd-compat/H02-Sep-2019-

regress/H06-Sep-2019-

.dependH A D08-Sep-2019126.6 KiB172170

.skipped-commit-idsH A D08-Sep-20192.2 KiB4037

CREDITSH A D29-Jul-20195.4 KiB10398

INSTALLH A D16-May-20199.2 KiB267184

LICENCEH A D29-Jul-201914.8 KiB320277

Makefile.inH A D06-Sep-201925.3 KiB680580

OVERVIEWH A D23-Oct-20186.2 KiB163119

PROTOCOLH A D02-Oct-201818 KiB500370

PROTOCOL.agentH A D03-Oct-2017220 64

PROTOCOL.certkeysH A D16-Nov-201811.9 KiB308246

PROTOCOL.chacha20poly1305H A D10-Apr-20184.5 KiB10884

PROTOCOL.keyH A D14-Dec-20161.5 KiB6951

PROTOCOL.krlH A D12-Sep-20185.1 KiB172118

PROTOCOL.muxH A D26-Sep-20188.9 KiB299219

PROTOCOL.sshsigH A D03-Sep-20193.3 KiB10073

READMEH A D17-Apr-20192.4 KiB6347

README.dnsH A D14-Dec-20161.6 KiB4830

README.mdH A D17-Apr-20194.2 KiB7549

README.platformH A D10-Apr-20184 KiB9774

README.privsepH A D15-Feb-20182.3 KiB5541

README.tunH A D14-Dec-20164.8 KiB13398

TODOH A D31-Jul-20182.5 KiB8161

aclocal.m4H A D08-Jun-20185.6 KiB187178

addrmatch.cH A D31-Jul-201811 KiB499355

atomicio.cH A D24-Jan-20194.7 KiB181130

atomicio.hH A D27-Dec-20182.2 KiB5414

audit-bsm.cH A D20-Jan-201911.8 KiB455322

audit-linux.cH A D20-Jan-20193.4 KiB12577

audit.cH A D20-Jan-20195.7 KiB185105

audit.hH A D20-Jan-20192.3 KiB5828

auth-bsdauth.cH A D10-Jul-20183.6 KiB14699

auth-krb5.cH A D10-Jul-20186.9 KiB273200

auth-options.cH A D13-Sep-201922.1 KiB870714

auth-options.hH A D09-Jul-20192.9 KiB9937

auth-pam.cH A D13-Sep-201935.9 KiB1,3861,077

auth-pam.hH A D20-Jan-20191.9 KiB4820

auth-passwd.cH A D11-Oct-20186.4 KiB224147

auth-rhosts.cH A D05-Jul-20198.9 KiB325211

auth-shadow.cH A D12-Jul-20184.3 KiB14286

auth-sia.cH A D12-Jul-20183.2 KiB11671

auth-sia.hH A D14-Dec-20161.4 KiB324

auth-skey.cH A D12-Jul-20182.8 KiB10865

auth.cH A D08-Sep-201932.3 KiB1,190919

auth.hH A D08-Sep-20197.9 KiB241151

auth2-chall.cH A D08-Sep-20199.8 KiB385307

auth2-gss.cH A D31-Jul-20189.6 KiB336237

auth2-hostbased.cH A D08-Sep-20198.1 KiB263206

auth2-kbdint.cH A D08-Sep-20192.2 KiB7335

auth2-none.cH A D10-Jul-20182.3 KiB7943

auth2-passwd.cH A D08-Sep-20192.4 KiB7944

auth2-pubkey.cH A D08-Sep-201928.8 KiB1,038812

auth2.cH A D08-Sep-201922.4 KiB823634

authfd.cH A D03-Sep-201915.2 KiB611452

authfd.hH A D03-Sep-20193.1 KiB9254

authfile.cH A D03-Sep-201912.9 KiB553423

authfile.hH A D03-Sep-20192.4 KiB5421

bitmap.cH A D20-Oct-20174.4 KiB215171

bitmap.hH A D20-Oct-20171.9 KiB5815

buildpkg.sh.inH A D14-Dec-201617.6 KiB678526

canohost.cH A D05-Jul-20194.7 KiB205143

canohost.hH A D14-Dec-2016842 279

chacha.cH A D14-Dec-20165.3 KiB220188

chacha.hH A D14-Dec-20161,000 3722

channels.cH A D08-Jul-2019134.9 KiB4,9233,921

channels.hH A D04-Oct-201813 KiB345228

cipher-aes.cH A D14-Dec-20164.5 KiB162119

cipher-aesctr.cH A D14-Dec-20162.1 KiB8450

cipher-aesctr.hH A D14-Dec-20161.3 KiB3613

cipher-chachapoly.cH A D14-Dec-20163.7 KiB12071

cipher-chachapoly.hH A D14-Dec-20161.6 KiB4219

cipher-ctr.cH A D14-Dec-20163.6 KiB147103

cipher.cH A D08-Sep-201913.6 KiB531424

cipher.hH A D08-Sep-20193.2 KiB7834

cleanup.cH A D14-Dec-20161 KiB3310

clientloop.cH A D30-Jul-201969 KiB2,4071,776

clientloop.hH A D10-Jul-20183.7 KiB8431

compat.cH A D13-Aug-20186.6 KiB236196

compat.hH A D13-Aug-20182.8 KiB7432

config.guessH A D14-Dec-201642.7 KiB1,4571,264

config.subH A D14-Dec-201635.5 KiB1,8241,686

configure.acH A D30-Aug-2019142.1 KiB5,2774,949

crypto_api.hH A D21-Jan-20191.7 KiB5737

defines.hH A D08-Jul-201921.6 KiB873647

dh.cH A D08-Sep-201915.1 KiB493393

dh.hH A D08-Sep-20192.6 KiB8435

digest-libc.cH A D23-Jul-20195.7 KiB259208

digest-openssl.cH A D23-Jul-20195 KiB211163

digest.hH A D10-May-20172.5 KiB7132

dispatch.cH A D20-Jan-20193.5 KiB13696

dispatch.hH A D20-Jan-20192 KiB5017

dns.cH A D26-Feb-20189.2 KiB357258

dns.hH A D26-Feb-20182 KiB5925

ed25519.cH A D14-Dec-20163.1 KiB145105

entropy.cH A D23-Jul-20196.7 KiB267185

entropy.hH A D10-Jul-20181.5 KiB357

fatal.cH A D14-Dec-20161.6 KiB4613

fe25519.cH A D14-Dec-20168.1 KiB338278

fe25519.hH A D14-Dec-20162.3 KiB7142

fixalgorithmsH A D14-Dec-2016422 2713

fixpathsH A D14-Dec-2016499 2312

ge25519.cH A D14-Dec-201611 KiB322249

ge25519.hH A D14-Dec-20161.4 KiB4425

ge25519_base.dataH A D14-Dec-2016164.6 KiB859856

groupaccess.cH A D08-Mar-20193.5 KiB13579

groupaccess.hH A D14-Dec-20161.5 KiB367

gss-genr.cH A D10-Jul-20188 KiB306211

gss-serv-krb5.cH A D10-Jul-20185.6 KiB212143

gss-serv.cH A D10-Jul-201810.3 KiB405256

hash.cH A D23-Jan-2018623 2815

hmac.cH A D08-Sep-20195.1 KiB201152

hmac.hH A D14-Dec-20161.6 KiB3915

hostfile.cH A D08-Jul-201921.7 KiB834636

hostfile.hH A D14-Dec-20163.8 KiB10961

includes.hH A D10-Jun-20173.9 KiB180136

install-shH A D01-Dec-201713.7 KiB528351

kex.cH A D08-Sep-201935.4 KiB1,3671,147

kex.hH A D08-Sep-20198.4 KiB269211

kexc25519.cH A D21-Jan-20195.7 KiB200149

kexdh.cH A D22-Jan-20195 KiB202159

kexecdh.cH A D23-Jul-20196.1 KiB240188

kexgen.cH A D08-Sep-20199.5 KiB341280

kexgex.cH A D23-Jan-20193.7 KiB10570

kexgexc.cH A D23-Jan-20196.4 KiB220168

kexgexs.cH A D23-Jan-20196 KiB205151

kexsntrup4591761x25519.cH A D21-Jan-20197.1 KiB220174

krl.cH A D08-Sep-201935.7 KiB1,3691,134

krl.hH A D21-Jun-20192.7 KiB6737

log.cH A D31-Jul-201810.7 KiB481370

log.hH A D08-Sep-20192.7 KiB8459

loginrec.cH A D08-Sep-201942 KiB1,7271,102

loginrec.hH A D20-Jan-20194.6 KiB13553

logintest.cH A D14-Dec-20168.6 KiB309214

mac.cH A D08-Sep-20197.2 KiB264210

mac.hH A D14-Dec-20162 KiB5424

match.cH A D12-Mar-20199.5 KiB364202

match.hH A D08-Mar-20191.2 KiB3114

md5crypt.cH A D13-Feb-20184 KiB166101

md5crypt.hH A D14-Dec-2016744 238

mdoc2man.awkH A D15-Feb-20188.4 KiB371341

misc.cH A D03-Sep-201947.2 KiB2,2121,705

misc.hH A D03-Sep-20196.3 KiB189138

mkinstalldirsH A D15-Feb-2018633 3923

moduliH A D26-Apr-2019563.9 KiB453452

moduli.5H A D14-Dec-20163.6 KiB128127

moduli.cH A D05-Jul-201920.6 KiB816500

monitor.cH A D05-Jul-201951.6 KiB1,9001,507

monitor.hH A D20-Jan-20193.9 KiB9656

monitor_fdpass.cH A D14-Dec-20164.7 KiB188146

monitor_fdpass.hH A D14-Dec-20161.5 KiB355

monitor_wrap.cH A D05-Jul-201926.8 KiB1,001783

monitor_wrap.hH A D08-Sep-20193.7 KiB10159

msg.cH A D10-Jul-20182.8 KiB9560

msg.hH A D14-Dec-20161.5 KiB336

mux.cH A D05-Jul-201966.1 KiB2,4022,008

myproposal.hH A D17-May-20195.4 KiB203151

nchan.cH A D05-Jul-201912.1 KiB447346

nchan.msH A D14-Dec-20163.9 KiB10074

nchan2.msH A D14-Dec-20163.4 KiB8964

openssh.xml.inH A D14-Dec-20162.8 KiB9161

opensshd.init.inH A D01-Dec-20171.9 KiB8964

packet.cH A D05-Jul-201971.2 KiB2,7042,083

packet.hH A D08-Sep-20197.4 KiB221156

pathnames.hH A D26-Feb-20185.7 KiB17369

pkcs11.hH A D14-Dec-201641.4 KiB1,3581,119

platform-misc.cH A D25-Aug-20171.1 KiB3613

platform-pledge.cH A D14-Dec-20161.9 KiB7227

platform-tracing.cH A D14-Dec-20161.7 KiB5229

platform.cH A D23-Jul-20194.7 KiB200129

platform.hH A D14-Dec-20161.4 KiB3817

poly1305.cH A D14-Dec-20164.5 KiB161121

poly1305.hH A D14-Dec-2016645 2311

progressmeter.cH A D08-May-20197.3 KiB299215

progressmeter.hH A D25-Jan-20191.5 KiB293

readconf.cH A D08-Sep-201980.1 KiB2,7802,295

readconf.hH A D23-Nov-20187.8 KiB220159

readpass.cH A D05-Jul-20195.3 KiB200139

rijndael.cH A D14-Dec-201651.6 KiB1,1301,009

rijndael.hH A D14-Dec-20162.1 KiB5721

sandbox-capsicum.cH A D28-Aug-20173.3 KiB12378

sandbox-darwin.cH A D16-Dec-20162.5 KiB10058

sandbox-null.cH A D14-Dec-20161.6 KiB7336

sandbox-pledge.cH A D14-Dec-20161.8 KiB7847

sandbox-rlimit.cH A D14-Dec-20162.4 KiB9759

sandbox-seccomp-filter.cH A D23-Aug-201911 KiB403318

sandbox-solaris.cH A D09-Jun-20172.9 KiB11577

sandbox-systrace.cH A D13-Apr-20186.3 KiB220164

sc25519.cH A D14-Dec-20167.2 KiB309255

sc25519.hH A D14-Dec-20162.8 KiB8146

scp.1H A D14-Jun-20196 KiB263262

scp.cH A D13-Sep-201939.3 KiB1,7111,397

servconf.cH A D08-Sep-201979.8 KiB2,7152,335

servconf.hH A D08-May-201910.3 KiB284196

serverloop.cH A D05-Jul-201929.4 KiB983746

serverloop.hH A D12-Sep-20171,000 295

session.cH A D05-Jul-201967.2 KiB2,7202,020

session.hH A D02-Oct-20182.6 KiB8548

sftp-client.cH A D12-Jul-201950.8 KiB1,9601,600

sftp-client.hH A D17-Jan-20194.4 KiB14654

sftp-common.cH A D24-Jan-20196.8 KiB260206

sftp-common.hH A D14-Dec-20162 KiB5319

sftp-glob.cH A D14-Dec-20163.4 KiB15195

sftp-realpath.cH A D08-Jul-20196 KiB227148

sftp-server-main.cH A D07-Jun-20191.4 KiB5528

sftp-server.8H A D14-Dec-20165 KiB171170

sftp-server.cH A D08-Jul-201944.2 KiB1,7771,512

sftp.1H A D21-Jun-201915.5 KiB682681

sftp.cH A D12-Jul-201960.6 KiB2,6062,140

sftp.hH A D14-Dec-20163.3 KiB10255

smult_curve25519_ref.cH A D14-Dec-20166.7 KiB266227

sntrup4591761.cH A D01-Apr-201924.8 KiB1,084708

sntrup4591761.shH A D01-Feb-20192.1 KiB5851

ssh-add.1H A D21-Jan-20196.8 KiB229228

ssh-add.cH A D08-Sep-201919.1 KiB755629

ssh-agent.1H A D14-Dec-20167.1 KiB232231

ssh-agent.cH A D05-Jul-201933.1 KiB1,3571,132

ssh-dss.cH A D13-Sep-20185.6 KiB210158

ssh-ecdsa.cH A D21-Jan-20195.5 KiB201149

ssh-ed25519.cH A D14-Dec-20164.2 KiB168134

ssh-gss.hH A D10-Jul-20184.7 KiB14092

ssh-keygen.1H A DToday32.1 KiB1,0801,079

ssh-keygen.cH A DToday89.4 KiB3,3342,890

ssh-keyscan.1H A D12-Mar-20183.8 KiB159158

ssh-keyscan.cH A D08-Sep-201918 KiB817689

ssh-keysign.8H A D14-Dec-20162.9 KiB9493

ssh-keysign.cH A D08-Sep-20198.1 KiB296218

ssh-pkcs11-client.cH A D21-Jan-20199.7 KiB385321

ssh-pkcs11-helper.8H A D21-Jan-20191.7 KiB6766

ssh-pkcs11-helper.cH A D08-Sep-201910.9 KiB456369

ssh-pkcs11.cH A D05-Sep-201946 KiB1,8421,498

ssh-pkcs11.hH A D21-Jan-20191.5 KiB4120

ssh-rsa.cH A D13-Sep-201811.9 KiB450359

ssh-sandbox.hH A D14-Dec-20161.1 KiB256

ssh-xmss.cH A D28-Feb-20185 KiB193159

ssh.1H A D14-Jun-201944 KiB1,7011,700

ssh.cH A D13-Sep-201961.9 KiB2,1681,668

ssh.hH A D27-Dec-20182.7 KiB10021

ssh2.hH A D14-Dec-20165.7 KiB17578

ssh_api.cH A D13-Sep-201914.6 KiB573453

ssh_api.hH A D10-Apr-20184.3 KiB13831

ssh_configH A D04-Feb-20191.4 KiB4641

ssh_config.5H A D13-Sep-201952.5 KiB1,8581,857

sshbuf-getput-basic.cH A D08-Sep-201912.1 KiB627521

sshbuf-getput-crypto.cH A D21-Jan-20194.5 KiB186145

sshbuf-misc.cH A D30-Jul-20195.3 KiB232194

sshbuf.cH A D16-Nov-20189 KiB403314

sshbuf.hH A D08-Sep-201913.6 KiB394180

sshconnect.cH A D13-Sep-201940.5 KiB1,4361,116

sshconnect.hH A D13-Sep-20192.2 KiB5721

sshconnect2.cH A D08-Aug-201960 KiB2,1861,752

sshd.8H A D26-Jul-201830.6 KiB994993

sshd.cH A D05-Jul-201962.4 KiB2,3281,666

sshd_configH A D10-Apr-20183 KiB11793

sshd_config.5H A D08-Sep-201950.7 KiB1,8411,840

ssherr.cH A D03-Jul-20185 KiB148129

ssherr.hH A D03-Jul-20183.3 KiB8863

sshkey-xmss.cH A D05-Jul-201928.2 KiB1,056919

sshkey-xmss.hH A D26-Feb-20182.9 KiB5728

sshkey.cH A D08-Sep-2019109.4 KiB4,4163,843

sshkey.hH A D03-Sep-201910.5 KiB296227

sshlogin.cH A D05-Jul-20195.3 KiB17196

sshlogin.hH A D14-Dec-2016935 248

sshpty.cH A D05-Jul-20195.7 KiB232164

sshpty.hH A D14-Dec-20161 KiB2910

sshsig.cH A D05-Sep-201920.7 KiB802682

sshsig.hH A D05-Sep-20193.2 KiB9326

sshtty.cH A D14-Dec-20162.9 KiB9752

survey.sh.inH A D14-Dec-20161.7 KiB7049

ttymodes.cH A D10-Jul-201810.1 KiB457334

ttymodes.hH A D01-May-20174.9 KiB170104

uidswap.cH A D13-Sep-20197.3 KiB239158

uidswap.hH A D19-Jul-2018680 183

umac.cH A D10-Apr-201844.9 KiB1,283769

umac.hH A D07-Jun-20194.6 KiB13042

umac128.cH A D09-Feb-2018274 117

utf8.cH A D22-Aug-20188.1 KiB341228

utf8.hH A D14-Dec-20161.2 KiB268

verify.cH A D14-Dec-2016668 5040

version.hH A D17-Apr-2019170 73

xmalloc.cH A D07-Jun-20192.4 KiB11380

xmalloc.hH A D07-Jun-20191.1 KiB278

xmss_commons.cH A D03-Mar-2018630 3725

xmss_commons.hH A D05-Mar-2018450 2213

xmss_fast.cH A D23-Mar-201832.2 KiB1,107734

xmss_fast.hH A D03-Mar-20183.6 KiB11250

xmss_hash.cH A D03-Mar-20183.4 KiB141100

xmss_hash.hH A D03-Mar-2018841 2311

xmss_hash_address.cH A D03-Mar-20181.2 KiB6742

xmss_hash_address.hH A D03-Mar-2018836 4115

xmss_wots.cH A D10-Apr-20184.7 KiB193135

xmss_wots.hH A D03-Mar-20181.9 KiB6521

README.dns

1How to verify host keys using OpenSSH and DNS
2---------------------------------------------
3
4OpenSSH contains support for verifying host keys using DNS as described in
5draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
6on how to use this feature. Configuring DNS is out of the scope of this
7document.
8
9
10(1) Server: Generate and publish the DNS RR
11
12To create a DNS resource record (RR) containing a fingerprint of the
13public host key, use the following command:
14
15	ssh-keygen -r hostname -f keyfile -g
16
17where "hostname" is your fully qualified hostname and "keyfile" is the
18file containing the public host key file. If you have multiple keys,
19you should generate one RR for each key.
20
21In the example above, ssh-keygen will print the fingerprint in a
22generic DNS RR format parsable by most modern name server
23implementations. If your nameserver has support for the SSHFP RR
24you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
25
26To publish the fingerprint using the DNS you must add the generated RR
27to your DNS zone file and sign your zone.
28
29
30(2) Client: Enable ssh to verify host keys using DNS
31
32To enable the ssh client to verify host keys using DNS, you have to
33add the following option to the ssh configuration file
34($HOME/.ssh/config or /etc/ssh/ssh_config):
35
36    VerifyHostKeyDNS yes
37
38Upon connection the client will try to look up the fingerprint RR
39using DNS. If the fingerprint received from the DNS server matches
40the remote host key, the user will be notified.
41
42
43	Jakob Schlyter
44	Wesley Griffin
45
46
47$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
48

README.platform

1This file contains notes about OpenSSH on specific platforms.
2
3AIX
4---
5As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
6settings, where previously it did not.  Because of this, it's possible for
7sites that have used OpenSSH's sshd exclusively to have accounts which
8have passwords expired longer than the inactive time (ie the "Weeks between
9password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
10chuser attribute).
11
12Accounts in this state must have their passwords reset manually by the
13administrator.  As a precaution, it is recommended that the administrative
14passwords be reset before upgrading from OpenSSH <3.8.
15
16As of OpenSSH 4.0, configure will attempt to detect if your version
17and maintenance level of AIX has a working getaddrinfo, and will use it
18if found.  This will enable IPv6 support.  If for some reason configure
19gets it wrong, or if you want to build binaries to work on earlier MLs
20than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
21to force the previous IPv4-only behaviour.
22
23IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
24IPv6 known broken: 4.3.3ML11 5.1ML4
25
26If you wish to use dynamic libraries that aren't in the normal system
27locations (eg IBM's OpenSSL and zlib packages) then you will need to
28define the environment variable blibpath before running configure, eg
29
30blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
31  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
32
33If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
34by default) then sshd checks that users are permitted via the
35loginrestrictions() function, in particular that the user has the
36"rlogin" attribute set.  This check is not done for the root account,
37instead the PermitRootLogin setting in sshd_config is used.
38
39If you are using the IBM compiler you probably want to use CC=xlc rather
40than the default of cc.
41
42
43Cygwin
44------
45To build on Cygwin, OpenSSH requires the following packages:
46gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
47openssl-devel, zlib, minres, minires-devel.
48
49
50Darwin and MacOS X
51------------------
52Darwin does not provide a tun(4) driver required for OpenSSH-based
53virtual private networks. The BSD manpage still exists, but the driver
54has been removed in recent releases of Darwin and MacOS X.
55
56Nevertheless, tunnel support is known to work with Darwin 8 and
57MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
58using a third party driver. More information is available at:
59	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
60
61
62Linux
63-----
64
65Some Linux distributions (including Red Hat/Fedora/CentOS) include
66headers and library links in the -devel RPMs rather than the main
67binary RPMs. If you get an error about headers, or complaining about a
68missing prerequisite then you may need to install the equivalent
69development packages.  On Redhat based distros these may be openssl-devel,
70zlib-devel and pam-devel, on Debian based distros these may be
71libssl-dev, libz-dev and libpam-dev.
72
73
74Solaris
75-------
76If you enable BSM auditing on Solaris, you need to update audit_event(4)
77for praudit(1m) to give sensible output.  The following line needs to be
78added to /etc/security/audit_event:
79
80	32800:AUE_openssh:OpenSSH login:lo
81
82The BSM audit event range available for third party TCB applications is
8332768 - 65535.  Event number 32800 has been chosen for AUE_openssh.
84There is no official registry of 3rd party event numbers, so if this
85number is already in use on your system, you may change it at build time
86by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
87
88
89Platforms using PAM
90-------------------
91As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
92PAM is enabled.  To maintain existing behaviour, pam_nologin should be
93added to sshd's session stack which will prevent users from starting shell
94sessions.  Alternatively, pam_nologin can be added to either the auth or
95account stacks which will prevent authentication entirely, but will still
96return the output from pam_nologin to the client.
97

README.privsep

1Privilege separation, or privsep, is method in OpenSSH by which
2operations that require root privilege are performed by a separate
3privileged monitor process.  Its purpose is to prevent privilege
4escalation by containing corruption to an unprivileged process.
5More information is available at:
6	http://www.citi.umich.edu/u/provos/ssh/privsep.html
7
8Privilege separation is now enabled by default; see the
9UsePrivilegeSeparation option in sshd_config(5).
10
11When privsep is enabled, during the pre-authentication phase sshd will
12chroot(2) to "/var/empty" and change its privileges to the "sshd" user
13and its primary group.  sshd is a pseudo-account that should not be
14used by other daemons, and must be locked and should contain a
15"nologin" or invalid shell.
16
17You should do something like the following to prepare the privsep
18preauth environment:
19
20	# mkdir /var/empty
21	# chown root:sys /var/empty
22	# chmod 755 /var/empty
23	# groupadd sshd
24	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
25
26/var/empty should not contain any files.
27
28configure supports the following options to change the default
29privsep user and chroot directory:
30
31  --with-privsep-path=xxx Path for privilege separation chroot
32  --with-privsep-user=user Specify non-privileged user for privilege separation
33
34PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
35HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
36
37On Cygwin, Tru64 Unix and OpenServer only the pre-authentication part
38of privsep is supported.  Post-authentication privsep is disabled
39automatically (so you won't see the additional process mentioned below).
40
41Note that for a normal interactive login with a shell, enabling privsep
42will require 1 additional process per login session.
43
44Given the following process listing (from HP-UX):
45
46     UID   PID  PPID  C    STIME TTY       TIME COMMAND
47    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
48    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
49 stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
50 stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
51
52process 1005 is the sshd process listening for new connections.
53process 6917 is the privileged monitor process, 6919 is the user owned
54sshd process and 6921 is the shell process.
55

README.tun

1How to use OpenSSH-based virtual private networks
2-------------------------------------------------
3
4OpenSSH contains support for VPN tunneling using the tun(4) network
5tunnel pseudo-device which is available on most platforms, either for
6layer 2 or 3 traffic.
7
8The following brief instructions on how to use this feature use
9a network configuration specific to the OpenBSD operating system.
10
11(1) Server: Enable support for SSH tunneling
12
13To enable the ssh server to accept tunnel requests from the client, you
14have to add the following option to the ssh server configuration file
15(/etc/ssh/sshd_config):
16
17	PermitTunnel yes
18
19Restart the server or send the hangup signal (SIGHUP) to let the server
20reread it's configuration.
21
22(2) Server: Restrict client access and assign the tunnel
23
24The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
25restrict the client to connect to a specified tunnel and to
26automatically start the related interface configuration command. These
27settings are optional but recommended:
28
29	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
30
31(3) Client: Configure the local network tunnel interface
32
33Use the hostname.if(5) interface-specific configuration file to set up
34the network tunnel configuration with OpenBSD. For example, use the
35following configuration in /etc/hostname.tun0 to set up the layer 3
36tunnel on the client:
37
38	inet 192.168.5.1 255.255.255.252 192.168.5.2
39
40OpenBSD also supports layer 2 tunneling over the tun device by adding
41the link0 flag:
42
43	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
44
45Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
46interface, like the following example for /etc/bridgename.bridge0:
47
48	add tun0
49	add sis0
50	up
51
52(4) Client: Configure the OpenSSH client
53
54To establish tunnel forwarding for connections to a specified
55remote host by default, use the following ssh client configuration for
56the privileged user (in /root/.ssh/config):
57
58	Host sshgateway
59		Tunnel yes
60		TunnelDevice 0:any
61		PermitLocalCommand yes
62	        LocalCommand sh /etc/netstart tun0
63
64A more complicated configuration is possible to establish a tunnel to
65a remote host which is not directly accessible by the client.
66The following example describes a client configuration to connect to
67the remote host over two ssh hops in between. It uses the OpenSSH
68ProxyCommand in combination with the nc(1) program to forward the final
69ssh tunnel destination over multiple ssh sessions.
70
71	Host access.somewhere.net
72	        User puffy
73	Host dmzgw
74	        User puffy
75	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
76	Host sshgateway
77	        Tunnel Ethernet
78	        TunnelDevice 0:any
79	        PermitLocalCommand yes
80	        LocalCommand sh /etc/netstart tun0
81	        ProxyCommand ssh dmzgw nc sshgateway 22
82
83The following network plan illustrates the previous configuration in
84combination with layer 2 tunneling and Ethernet bridging.
85
86+--------+       (          )      +----------------------+
87| Client |------(  Internet  )-----| access.somewhere.net |
88+--------+       (          )      +----------------------+
89    : 192.168.1.78                             |
90    :.............................         +-------+
91     Forwarded ssh connection    :         | dmzgw |
92     Layer 2 tunnel              :         +-------+
93                                 :             |
94                                 :             |
95                                 :      +------------+
96                                 :......| sshgateway |
97                                      | +------------+
98--- real connection                 Bridge ->  |          +----------+
99... "virtual connection"                     [ X ]--------| somehost |
100[X] switch                                                +----------+
101                                                          192.168.1.25
102
103(5) Client: Connect to the server and establish the tunnel
104
105Finally connect to the OpenSSH server to establish the tunnel by using
106the following command:
107
108	ssh sshgateway
109
110It is also possible to tell the client to fork into the background after
111the connection has been successfully established:
112
113	ssh -f sshgateway true
114
115Without the ssh configuration done in step (4), it is also possible
116to use the following command lines:
117
118	ssh -fw 0:1 sshgateway true
119	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
120
121Using OpenSSH tunnel forwarding is a simple way to establish secure
122and ad hoc virtual private networks. Possible fields of application
123could be wireless networks or administrative VPN tunnels.
124
125Nevertheless, ssh tunneling requires some packet header overhead and
126runs on top of TCP. It is still suggested to use the IP Security
127Protocol (IPSec) for robust and permanent VPN connections and to
128interconnect corporate networks.
129
130	Reyk Floeter
131
132$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
133