Adding upstream version 1:9.8p1.upstream/1%9.8p1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 117 insertions, 20 deletions

diff --git a/sshd_config.0 b/sshd_config.0
index 8b39739..6883dda 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -616,16 +616,21 @@ DESCRIPTION
              cache file on logout.  The default is yes.
 
      KexAlgorithms
-             Specifies the available KEX (Key Exchange) algorithms.  Multiple
-             algorithms must be comma-separated.  Alternately if the specified
-             list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the specified algorithms
-             will be appended to the default set instead of replacing them.
-             If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y character, then the
-             specified algorithms (including wildcards) will be removed from
-             the default set instead of replacing them.  If the specified list
-             begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the specified algorithms will
-             be placed at the head of the default set.  The supported
-             algorithms are:
+             Specifies the permitted KEX (Key Exchange) algorithms that the
+             server will offer to clients.  The ordering of this list is not
+             important, as the client specifies the preference order.
+             Multiple algorithms must be comma-separated.
+
+             If the specified list begins with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
+             specified algorithms will be appended to the default set instead
+             of replacing them.  If the specified list begins with a M-bM-^@M-^X-M-bM-^@M-^Y
+             character, then the specified algorithms (including wildcards)
+             will be removed from the default set instead of replacing them.
+             If the specified list begins with a M-bM-^@M-^X^M-bM-^@M-^Y character, then the
+             specified algorithms will be placed at the head of the default
+             set.
+
+             The supported algorithms are:
 
                    curve25519-sha256
                    curve25519-sha256@libssh.org
@@ -650,7 +655,7 @@ DESCRIPTION
                    diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
                    diffie-hellman-group14-sha256
 
-             The list of available key exchange algorithms may also be
+             The list of supported key exchange algorithms may also be
              obtained using "ssh -Q KexAlgorithms".
 
      ListenAddress
@@ -779,13 +784,13 @@ DESCRIPTION
              HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
              IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication,
              KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions,
-             PasswordAuthentication, PermitEmptyPasswords, PermitListen,
-             PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel,
-             PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication,
-             PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv,
-             StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys,
-             UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and
-             X11UseLocalhost.
+             PAMServiceName, PasswordAuthentication, PermitEmptyPasswords,
+             PermitListen, PermitOpen, PermitRootLogin, PermitTTY,
+             PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms,
+             PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys,
+             RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink,
+             TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset,
+             X11Forwarding and X11UseLocalhost.
 
      MaxAuthTries
              Specifies the maximum number of authentication attempts permitted
@@ -821,9 +826,14 @@ DESCRIPTION
              M-bM-^@M-^\diffie-hellman-group-exchange-sha256M-bM-^@M-^] key exchange methods.  The
              default is /etc/moduli.
 
+     PAMServiceName
+             Specifies the service name used for Pluggable Authentication
+             Modules (PAM) authentication, authorisation and session controls
+             when UsePAM is enabled.  The default is sshd.
+
      PasswordAuthentication
              Specifies whether password authentication is allowed.  The
-             default is yes.
+             default is sshd.
 
      PermitEmptyPasswords
              When password authentication is allowed, it specifies whether the
@@ -926,6 +936,87 @@ DESCRIPTION
              separated by a colon.  The default is 32:128, which means each
              address is considered individually.
 
+     PerSourcePenalties
+             Controls penalties for various conditions that may represent
+             attacks on sshd(8).  If a penalty is enforced against a client
+             then its source address and any others in the same network, as
+             defined by PerSourceNetBlockSize, will be refused connection for
+             a period.
+
+             A penalty doesn't affect concurrent connections in progress, but
+             multiple penalties from the same source from concurrent
+             connections will accumulate up to a maximum.  Conversely,
+             penalties are not applied until a minimum threshold time has been
+             accumulated.
+
+             Penalties are enabled by default with the default settings listed
+             below but may disabled using the off keyword.  The defaults may
+             be overridden by specifying one or more of the keywords below,
+             separated by whitespace.  All keywords accept arguments, e.g.
+             "crash:2m".
+
+             crash:duration
+                     Specifies how long to refuse clients that cause a crash
+                     of sshd(8) (default: 90s).
+
+             authfail:duration
+                     Specifies how long to refuse clients that disconnect
+                     after making one or more unsuccessful authentication
+                     attempts (default: 5s).
+
+             noauth:duration
+                     Specifies how long to refuse clients that disconnect
+                     without attempting authentication (default: 1s).  This
+                     timeout should be used cautiously otherwise it may
+                     penalise legitimate scanning tools such as
+                     ssh-keyscan(1).
+
+             grace-exceeded:duration
+                     Specifies how long to refuse clients that fail to
+                     authenticate after LoginGraceTime (default: 20s).
+
+             max:duration
+                     Specifies the maximum time a particular source address
+                     range will be refused access for (default: 10m).
+                     Repeated penalties will accumulate up to this maximum.
+
+             min:duration
+                     Specifies the minimum penalty that must accrue before
+                     enforcement begins (default: 15s).
+
+             max-sources4:number, max-sources6:number
+                     Specifies the maximum number of client IPv4 and IPv6
+                     address ranges to track for penalties (default: 65536 for
+                     both).
+
+             overflow:mode
+                     Controls how the server behaves when max-sources4 or
+                     max-sources6 is exceeded.  There are two operating modes:
+                     deny-all, which denies all incoming connections other
+                     than those exempted via PerSourcePenaltyExemptList until
+                     a penalty expires, and permissive, which allows new
+                     connections by removing existing penalties early
+                     (default: permissive).  Note that client penalties below
+                     the min threshold count against the total number of
+                     tracked penalties.  IPv4 and IPv6 addresses are tracked
+                     separately, so an overflow in one will not affect the
+                     other.
+
+             overflow6:mode
+                     Allows specifying a different overflow mode for IPv6
+                     addresses.  The default it to use the same overflow mode
+                     as was specified for IPv4.
+
+     PerSourcePenaltyExemptList
+             Specifies a comma-separated list of addresses to exempt from
+             penalties.  This list may contain wildcards and CIDR
+             address/masklen ranges.  Note that the mask length provided must
+             be consistent with the address - it is an error to specify a mask
+             length that is too long for the address or one with bits set in
+             this host portion of the address.  For example, 192.0.2.0/33 and
+             192.0.2.0/8, respectively.  The default is not to exempt any
+             addresses.
+
      PidFile
              Specifies the file that contains the process ID of the SSH
              daemon, or none to not write one.  The default is
@@ -1047,6 +1138,12 @@ DESCRIPTION
              environment and any variables specified by the user via AcceptEnv
              or PermitUserEnvironment.
 
+     SshdSessionPath
+             Overrides the default path to the sshd-session binary that is
+             invoked to handle each connection.  The default is
+             /usr/libexec/sshd-session.  This option is intended for use by
+             tests.
+
      StreamLocalBindMask
              Sets the octal file creation mode mask (umask) used when creating
              a Unix-domain socket file for local or remote port forwarding.
@@ -1293,4 +1390,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 7.5                    February 21, 2024                   OpenBSD 7.5
+OpenBSD 7.5                      June 24, 2024                     OpenBSD 7.5