| Age | Commit message (Collapse) | Author |
|---|
|
|
|
'ask', or 'confirm', and defaults to 'no'. When enabled, a private
key that is used during authentication will be added to ssh-agent if
it is running (with confirmation enabled if set to 'confirm').
Initial version from Joachim Schipper many years ago.
ok markus@
|
|
a certificate; patch from Meghana Bhat on bz#2436; ok markus@
|
|
|
|
|
|
patch from Christian Hesse w/ feedback from dtucker@
|
|
|
|
|
|
(i snuck in a tweak while here)
ok dtucker
|
|
by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
|
|
PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
|
|
(already off in server, this turns it off in the client by default too)
ok dtucker@
|
|
bz#1993; ok dtucker@
|
|
|
|
diffie-hellman-group14-sha1. ok djm@
|
|
time round...
|
|
and AcceptEnv. bz#2386, based loosely on a patch from jjelen at redhat,
help and ok jmc@
|
|
diff originally from jiri b;
|
|
I accidentally changed the format of the hostkeys@openssh.com messages
last week without changing the extension name, and this has been causing
connection failures for people who are running -current. First reported
by sthen@
s/hostkeys@openssh.com/hostkeys-00@openssh.com/
Change the name of the proof message too, and reorder it a little.
Also, UpdateHostKeys=ask is incompatible with ControlPersist (no TTY
available to read the response) so disable UpdateHostKeys if it is in
ask mode and ControlPersist is active (and document this)
|
|
The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.
Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.
ok markus@
|
|
warning message; requested by deraadt@
|
|
host public key types are tried during hostbased authentication.
This may be used to prevent too many keys being sent to the server,
and blowing past its MaxAuthTries limit.
bz#2211 based on patch by Iain Morgan; ok markus@
|
|
add it to -o lists for ssh, scp and sftp;
pointed out by jmc@
|
|
Add a hostkeys@openssh.com protocol extension (global request) for
a server to inform a client of all its available host key after
authentication has completed. The client may record the keys in
known_hosts, allowing it to upgrade to better host key algorithms
and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config
option (default on).
ok markus@
|
|
|
|
algorithms in more places and include the query string used to
list the relevant information; bz#2288
|
|
|
|
Allow textfile or KRL-based revocation of hostkeys.
|
|
mention ControlPersist=0 is the same as ControlPersist=yes
recommend that ControlPath sockets be placed in a og-w directory
|
|
|
|
Make the second pass through the config files always run when
hostname canonicalisation is enabled.
Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.
Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"
Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).
bz#2267 bz#2286; ok markus
|
|
ok djm@
|
|
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
a lingering process; bz#1977
|
|
|
|
to a unique identifer based on a has of the tuple of (local host,
remote user, hostname, port).
Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
control paths.
bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
|
|
be used to specify IPv6 link-local addresses
|
|
help from jmc@ and schwarze@, ok deraadt@
|
|
the hostname. This allows users to write configurations that always
refer to canonical hostnames, e.g.
CanonicalizeHostname yes
CanonicalDomains int.example.org example.org
CanonicalizeFallbackLocal no
Host *.int.example.org
Compression off
Host *.example.org
User djm
ok markus@
|
|
|
|
|
|
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
|
|
|
|
that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC
to build an authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
|
|
|
|
ok djm, man page help jmc@
|
|
|
|
"exec"; it's shorter, clearer in intent and we might want to add the
ability to match against the command being executed at the remote end in
the future.
|
|
|
|
|
