Diffstat
-rw-r--r--  sshd_config.0  52
-rw-r--r--  sshd_config.5  47
2 files changed, 71 insertions, 28 deletions
diff --git a/sshd_config.0 b/sshd_config.0
index 6883dda..f4a8f99 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -644,11 +644,14 @@ DESCRIPTION
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
+ mlkem768x25519-sha256
+ sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
The default is:
- sntrup761x25519-sha512@openssh.com,
+ sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+ mlkem768x25519-sha256,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
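Review bot: the default list now carries sntrup761x25519-sha512 twice, once bare and once with the @openssh.com suffix, and nothing tells the reader whether these are two names for one exchange or two distinct methods; one sentence saying which it is would avoid the impression of a duplicate entry. sshd_config.0 is the rendered output of sshd_config.5, so any wording change belongs in the .5 source and this file should be regenerated from it.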
@@ -690,9 +693,9 @@ DESCRIPTION
LogVerbose
Specify one or more overrides to LogLevel. An override consists
- of a pattern lists that matches the source file, function and
- line number to force detailed logging for. For example, an
- override pattern of:
+ of one or more pattern lists that matches the source file,
+ function and line number to force detailed logging for. For
+ example, an override pattern of:
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
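Review bot: subject-verb agreement in the rewritten sentence: "one or more pattern lists that matches" should read "that match", since the subject is "lists". This file is the rendered copy of sshd_config.5, so the fix belongs in the .5 source with this file regenerated.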
@@ -753,10 +756,12 @@ DESCRIPTION
the first instance of the keyword is applied.
The arguments to Match are one or more criteria-pattern pairs or
- the single token All which matches all criteria. The available
- criteria are User, Group, Host, LocalAddress, LocalPort, RDomain,
- and Address (with RDomain representing the rdomain(4) on which
- the connection was received).
+ one of the single token criteria: All, which matches all
+ criteria, or Invalid-User, which matches when the requested user-
+ name does not match any known account. The available criteria
+ are User, Group, Host, LocalAddress, LocalPort, RDomain, and
+ Address (with RDomain representing the rdomain(4) on which the
+ connection was received).
The match patterns may consist of single entries or comma-
separated lists and may use the wildcard and negation operators
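Review bot: "user-name" in the new Invalid-User sentence is broken across lines as "user-" / "name", so the rendered text reads as a hyphenated compound that appears nowhere else on this page; "username" (fixed in the .5 source) avoids that. It would also help the reader to say whether Invalid-User paired with the new RefuseConnection option in a Match block is the intended way to drop connections for unknown accounts, since the RefuseConnection entry only says it is "only really useful in a Match block" without naming a criterion.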
@@ -787,10 +792,11 @@ DESCRIPTION
PAMServiceName, PasswordAuthentication, PermitEmptyPasswords,
PermitListen, PermitOpen, PermitRootLogin, PermitTTY,
PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms,
- PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys,
- RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink,
- TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset,
- X11Forwarding and X11UseLocalhost.
+ PubkeyAuthentication, PubkeyAuthOptions, RefuseConnection,
+ RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask,
+ StreamLocalBindUnlink, TrustedUserCAKeys,
+ UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and
+ X11UseLocalhost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -833,7 +839,7 @@ DESCRIPTION
PasswordAuthentication
Specifies whether password authentication is allowed. The
- default is sshd.
+ default is yes.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
@@ -950,8 +956,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the off keyword. The defaults may
- be overridden by specifying one or more of the keywords below,
+ below but may disabled using the no keyword. The defaults may be
+ overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
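Review bot: "but may disabled using the no keyword" is missing "be"; since this hunk already rewrites that line for the off-to-no change, fix it here as "may be disabled" (in the .5 source, from which this file is generated). Please also confirm whether "off" was ever accepted by the parser: if the earlier manual was simply wrong, anyone who copied "PerSourcePenalties off" from it has had penalties silently left on, which deserves a release-note line.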
@@ -964,6 +970,11 @@ DESCRIPTION
after making one or more unsuccessful authentication
attempts (default: 5s).
+ refuseconnection:duration
+ Specifies how long to refuse clients that were
+ administratively prohibited connection via the
+ RefuseConnection option (default: 10s).
+
noauth:duration
Specifies how long to refuse clients that disconnect
without attempting authentication (default: 1s). This
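Review bot: "clients that were administratively prohibited connection via the RefuseConnection option" drops a word and reads awkwardly; suggest "clients whose connection was refused by the RefuseConnection option". Fix in the .5 source and regenerate this file.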
@@ -973,7 +984,7 @@ DESCRIPTION
grace-exceeded:duration
Specifies how long to refuse clients that fail to
- authenticate after LoginGraceTime (default: 20s).
+ authenticate after LoginGraceTime (default: 10s).
max:duration
Specifies the maximum time a particular source address
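Review bot: this hunk changes only the documented grace-exceeded default from 20s to 10s, and the whole commit touches manual pages alone, so the value should be checked against the compiled-in default in sshd before merging; a manual that disagrees with the daemon is worse than one that is merely stale. If the daemon default did change, the commit that changed it should be referenced.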
@@ -1089,6 +1100,13 @@ DESCRIPTION
Specifies whether public key authentication is allowed. The
default is yes.
+ RefuseConnection
+ Indicates that sshd(8) should unconditionally terminate the
+ connection. Additionally, a refuseconnection penalty may be
+ recorded against the source of the connection if
+ PerSourcePenalties are enabled. This option is only really
+ useful in a Match block.
+
RekeyLimit
Specifies the maximum amount of data that may be transmitted or
received before the session key is renegotiated, optionally
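Review bot: the new RefuseConnection entry says it is "only really useful in a Match block" but never states what happens when it is set at top level; say plainly that outside a Match block it refuses every connection, so a reader does not learn that by locking themselves out. Also, "a refuseconnection penalty may be recorded" leaves open whether there is a further condition beyond PerSourcePenalties being enabled; if there is none, "is recorded" is the clearer wording.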
@@ -1390,4 +1408,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
+OpenBSD 7.5 September 15, 2024 OpenBSD 7.5
diff --git a/sshd_config.5 b/sshd_config.5
index 1ab0f41..dbed44f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.365 2024/06/24 06:59:39 jmc Exp $
-.Dd $Mdocdate: June 24 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $
+.Dd $Mdocdate: September 15 2024 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -1050,12 +1050,17 @@ ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.It
+mlkem768x25519-sha256
+.It
+sntrup761x25519-sha512
+.It
sntrup761x25519-sha512@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
+sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
+mlkem768x25519-sha256,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
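Review bot: the .It list above orders the new entries mlkem768x25519-sha256, sntrup761x25519-sha512, sntrup761x25519-sha512@openssh.com, while the default in the .Bd block puts mlkem768x25519-sha256 after both sntrup names. The default block is a preference order, so the difference may be deliberate, but a short sentence that the default is tried in the order listed, and whether the two sntrup spellings denote one method, would remove the ambiguity for readers comparing the two lists.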
@@ -1133,8 +1138,8 @@ Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm LogVerbose
Specify one or more overrides to
.Cm LogLevel .
-An override consists of a pattern lists that matches the source file, function
-and line number to force detailed logging for.
+An override consists of one or more pattern lists that matches the
+source file, function and line number to force detailed logging for.
For example, an override pattern of:
.Bd -literal -offset indent
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
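Review bot: grammar in the rewritten sentence: "one or more pattern lists that matches" should be "that match" (the subject is "lists").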
@@ -1232,9 +1237,11 @@ applied.
.Pp
The arguments to
.Cm Match
-are one or more criteria-pattern pairs or the single token
-.Cm All
-which matches all criteria.
+are one or more criteria-pattern pairs or one of the single token criteria:
+.Cm All ,
+which matches all criteria, or
+.Cm Invalid-User ,
+which matches when the requested user-name does not match any known account.
The available criteria are
.Cm User ,
.Cm Group ,
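Review bot: "user-name" on the new Invalid-User line should be "username" or "user name"; the hyphenated form is not used elsewhere in this page and renders as "user-" / "name" across a line break in sshd_config.0. Consider also cross-referencing the RefuseConnection option added in this same change, which appears to be the main companion to Invalid-User; as written the reader has to discover that pairing on their own.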
@@ -1319,6 +1326,7 @@ Available keywords are
.Cm PubkeyAcceptedAlgorithms ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
+.Cm RefuseConnection ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
@@ -1384,7 +1392,7 @@ The default is
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-.Cm sshd .
+.Cm yes .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
@@ -1586,7 +1594,7 @@ accumulated.
.Pp
Penalties are enabled by default with the default settings listed below
but may disabled using the
-.Cm off
+.Cm no
keyword.
The defaults may be overridden by specifying one or more of the keywords below,
separated by whitespace.
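Review bot: "but may disabled using the" is missing "be", and this hunk already edits the sentence, so fix it here: "but may be disabled using the .Cm no keyword". Please also confirm whether .Cm off was ever accepted by the parser; if the previous manual was simply wrong, a release note would help anyone who wrote "PerSourcePenalties off" from it and believes penalties are disabled.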
@@ -1599,6 +1607,11 @@ Specifies how long to refuse clients that cause a crash of
.It Cm authfail:duration
Specifies how long to refuse clients that disconnect after making one or more
unsuccessful authentication attempts (default: 5s).
+.It Cm refuseconnection:duration
+Specifies how long to refuse clients that were administratively prohibited
+connection via the
+.Cm RefuseConnection
+option (default: 10s).
.It Cm noauth:duration
Specifies how long to refuse clients that disconnect without attempting
authentication (default: 1s).
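Review bot: the new refuseconnection:duration wording, "clients that were administratively prohibited connection via the RefuseConnection option", drops a word; suggest "clients whose connection was refused by the .Cm RefuseConnection option (default: 10s)".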
@@ -1608,7 +1621,7 @@ scanning tools such as
.It Cm grace-exceeded:duration
Specifies how long to refuse clients that fail to authenticate after
.Cm LoginGraceTime
-(default: 20s).
+(default: 10s).
.It Cm max:duration
Specifies the maximum time a particular source address range will be refused
access for (default: 10m).
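Review bot: the grace-exceeded default changes from 20s to 10s in the manual only, with no code in this diff; please confirm it matches the value sshd actually applies, or cite the commit that changed the daemon default, so the manual and the daemon do not drift apart.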
@@ -1756,6 +1769,18 @@ options have any effect for other, non-FIDO, public key types.
Specifies whether public key authentication is allowed.
The default is
.Cm yes .
+.It Cm RefuseConnection
+Indicates that
+.Xr sshd 8
+should unconditionally terminate the connection.
+Additionally, a
+.Cm refuseconnection
+penalty may be recorded against the source of the connection if
+.Cm PerSourcePenalties
+are enabled.
+This option is only really useful in a
+.Cm Match
+block.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted or received
before the session key is renegotiated, optionally followed by a maximum
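Review bot: the RefuseConnection entry should state what happens outside a Match block (every connection is refused), not only that it is "only really useful" inside one, and "may be recorded" should become definite if the penalty is always recorded when PerSourcePenalties is enabled. A cross-reference to the Invalid-User Match criterion introduced in this same change would tie the two features together for the reader.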