path: root/usr.bin/ssh/sshd_config.5
Age | Commit message | Author
2008-02-11 | bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c; | Jason McIntyre
2008-02-10 | mention that "internal-sftp" is useful with ForceCommand too | Damien Miller
2008-02-09 | missing `)'; | Jason McIntyre
2008-02-08 | add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@ | Damien Miller
2008-01-01 | Allow PermitRootLogin in a Match block. Allows for, eg, permitting root only from the local network. ok markus@, man page bit ok jmc@ | Darren Tucker
2007-08-23 | Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@ | Damien Miller
2007-06-08 | oops, here too: put the MAC list into a display, like we do for ciphers, since groff has trouble with wide lines; | Jason McIntyre
2007-06-07 | Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@ | Peter Valchev
2007-05-31 | convert to new .Dd format; | Jason McIntyre
2007-03-01 | sort the `match' keywords; | Jason McIntyre
2007-03-01 | Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation. | Darren Tucker
2007-02-19 | Teach Match how to handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@ | Darren Tucker
2007-01-02 | do not use lists for SYNOPSIS; from eric s. raymond via brad | Jason McIntyre
2006-08-21 | Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, ok jmc@ djm@ | Darren Tucker
2006-08-14 | Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@. | Darren Tucker
2006-07-21 | Make PermitOpen take a list of permitted ports and act more like most other keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@ | Darren Tucker
2006-07-19 | Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@ | Darren Tucker
2006-07-19 | Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to Match. ok djm@ | Darren Tucker
2006-07-18 | Clarify description of Match, with minor correction from jmc@ | Darren Tucker
2006-07-18 | mark up angle brackets; | Jason McIntyre
2006-07-18 | tweak; ok dtucker | Jason McIntyre
2006-07-17 | Add PermitOpen directive to sshd_config which is equivalent to the "permitopen" key option. Allows server admin to allow TCP port forwarding only to specific host/port pairs. Useful when combined with Match. If permitopen is used in both sshd_config and a key option, both must allow a given connection before it will be permitted. Note that users can still use external forwarders such as netcat, so those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@. | Darren Tucker
2006-07-12 | - new sentence, new line - s/The the/The/ - kill a bad comma | Jason McIntyre
2006-07-12 | Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@ | Darren Tucker
2006-07-06 | support arguments to Subsystem commands; ok markus@ | Damien Miller
2006-07-02 | more details and clarity for tun(4) device forwarding; ok and help jmc@ | Kevin Steves
2006-03-14 | *AliveCountMax applies to protocol v2 only; ok dtucker, djm | Markus Friedl
2006-03-13 | Allow config directives to contain whitespace by surrounding them by double quotes. mindrot #482, man page help from jmc@, ok djm@ | Darren Tucker
2006-02-26 | subsection is pointless here; | Jason McIntyre
2006-02-25 | document the order in which allow/deny directives are processed; help/ok dtucker | Jason McIntyre
2006-02-24 | oops - bits i missed; | Jason McIntyre
2006-02-24 | some grammar/wording fixes; | Jason McIntyre
2006-02-24 | more consistency fixes; | Jason McIntyre
2006-02-24 | some consistency fixes; | Jason McIntyre
2006-02-24 | signpost to PATTERNS; | Jason McIntyre
2006-01-02 | some corrections from michael knudsen; | Jason McIntyre
2005-12-08 | two changes to the new ssh tunnel support. this breaks compatibility with the initial commit but is required for a portable approach. - make the tunnel id u_int and platform friendly, use predefined types. - support configuration of layer 2 (ethernet) or layer 3 (point-to-point, default) modes. configuration is done using the Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option in sshd_config(5). ok djm@, man page bits by jmc@ | Reyk Floeter
2005-12-06 | Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others | Reyk Floeter
2005-09-21 | aquire -> acquire, from stevesk@ | Damien Miller
2005-07-25 | add a new compression method that delays compression until the user has been authenticated successfully and set compression to 'delayed' for sshd. this breaks older openssh clients (< 3.5) if they insist on compression, so you have to re-enable compression in sshd_config. ok djm@ | Markus Friedl
2005-05-23 | add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@ | Damien Miller
2005-05-19 | sort config options, from grunk AT pestilenz.org; ok jmc@ | Damien Miller
2005-04-21 | OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@ | Damien Miller
2005-03-18 | typo; | Jason McIntyre
2005-03-01 | bz#413: allow optional specification of bind address for port forwardings. Patch originally by Dan Astorian, but worked on by several people Adds GatewayPorts=clientspecified option on server to allow remote forwards to bind to client-specified ports. ok markus@ | Damien Miller
2005-01-08 | `login'(n) -> `log in'(v); | Jason McIntyre
2004-12-23 | bz #898: support AddressFamily in sshd_config. from peak@argo.troja.mff.cuni.cz ok deraadt@ | Damien Miller
2004-09-15 | mention PrintLastLog only prints last login time for interactive sessions, like PrintMotd mentions. From Michael Knudsen, with wording changed slightly to match the PrintMotd description. ok djm | Jared Yanovich
2004-06-26 | new sentence, new line; | Jason McIntyre
2004-06-13 | List supported ciphers in man pages, tidy up ssh -c; "looks fine" jmc@, ok markus@ | Darren Tucker