Home | History | Annotate | only in /external/openssh
Up to higher level directory
NameDateSize
aclocal.m408-Oct-20155.3K
addrmatch.c08-Oct-201510.9K
Android.mk08-Oct-20156.1K
atomicio.c08-Oct-20154.4K
atomicio.h08-Oct-20152.1K
audit-bsm.c08-Oct-201511.9K
audit-linux.c08-Oct-20153.5K
audit.c08-Oct-20155.7K
audit.h08-Oct-20152.3K
auth-bsdauth.c08-Oct-20153.6K
auth-chall.c08-Oct-20153.6K
auth-krb5.c08-Oct-20156.9K
auth-options.c08-Oct-201515.9K
auth-options.h08-Oct-20151.2K
auth-pam.c08-Oct-201530.8K
auth-pam.h08-Oct-20152K
auth-passwd.c08-Oct-20156.2K
auth-rh-rsa.c08-Oct-20153K
auth-rhosts.c08-Oct-20159.3K
auth-rsa.c08-Oct-20159.1K
auth-shadow.c08-Oct-20154.2K
auth-sia.c08-Oct-20153.1K
auth-sia.h08-Oct-20151.4K
auth-skey.c08-Oct-20152.8K
auth.c08-Oct-201519.6K
auth.h08-Oct-20157.4K
auth1.c08-Oct-201510.1K
auth2-chall.c08-Oct-20159.1K
auth2-gss.c08-Oct-20158K
auth2-hostbased.c08-Oct-20157.3K
auth2-kbdint.c08-Oct-20152.1K
auth2-none.c08-Oct-20152.3K
auth2-passwd.c08-Oct-20152.5K
auth2-pubkey.c08-Oct-201519.5K
auth2.c08-Oct-201515.9K
authfd.c08-Oct-201517.6K
authfd.h08-Oct-20153K
authfile.c08-Oct-201513.8K
authfile.h08-Oct-20152.3K
bitmap.c08-Oct-20154.4K
bitmap.h08-Oct-20151.8K
blocks.c08-Oct-20156.5K
bufaux.c08-Oct-20155.1K
bufbn.c08-Oct-20152.5K
bufec.c08-Oct-20151.9K
buffer.c08-Oct-20152.6K
buffer.h08-Oct-20153.5K
buildpkg.sh.in08-Oct-201517.6K
canohost.c08-Oct-201511.2K
canohost.h08-Oct-20151,000
chacha.c08-Oct-20155.3K
chacha.h08-Oct-2015975
ChangeLog08-Oct-2015294.9K
channels.c08-Oct-2015112.2K
channels.h08-Oct-201511.6K
cipher-3des1.c08-Oct-20154.2K
cipher-aes.c08-Oct-20154.5K
cipher-aesctr.c08-Oct-20152.1K
cipher-aesctr.h08-Oct-20151.3K
cipher-bf1.c08-Oct-20152.7K
cipher-chachapoly.c08-Oct-20153.7K
cipher-chachapoly.h08-Oct-20151.6K
cipher-ctr.c08-Oct-20153.6K
cipher.c08-Oct-201517K
cipher.h08-Oct-20154.4K
cleanup.c08-Oct-20151K
clientloop.c08-Oct-201573K
clientloop.h08-Oct-20153.5K
compat.c08-Oct-20158K
compat.h08-Oct-20152.8K
config.guess08-Oct-201543.9K
config.h08-Oct-201543.5K
config.h.in08-Oct-201544.1K
config.sub08-Oct-201534.9K
configure08-Oct-2015936K
configure.ac08-Oct-2015134.3K
contrib/08-Oct-2015
crc32.c08-Oct-20154.9K
crc32.h08-Oct-20151.4K
CREDITS08-Oct-20155.4K
crypto_api.h08-Oct-20151.3K
deattack.c08-Oct-20154.1K
deattack.h08-Oct-20151K
defines.h08-Oct-201520.9K
dh.c08-Oct-20159.4K
dh.h08-Oct-20152.4K
digest-libc.c08-Oct-20155.9K
digest-openssl.c08-Oct-20155K
digest.h08-Oct-20152.5K
dispatch.c08-Oct-20154.1K
dispatch.h08-Oct-20152.3K
dns.c08-Oct-20159.2K
dns.h08-Oct-20152K
ed25519.c08-Oct-20153.1K
entropy.c08-Oct-20156.1K
entropy.h08-Oct-20151.5K
fatal.c08-Oct-20151.6K
fe25519.c08-Oct-20158.1K
fe25519.h08-Oct-20152.3K
fixalgorithms08-Oct-2015422
fixpaths08-Oct-2015499
fixprogs08-Oct-20151.6K
ge25519.c08-Oct-201511K
ge25519.h08-Oct-20151.4K
ge25519_base.data08-Oct-2015164.6K
groupaccess.c08-Oct-20153.4K
groupaccess.h08-Oct-20151.5K
gss-genr.c08-Oct-20157.3K
gss-serv-krb5.c08-Oct-20155.6K
gss-serv.c08-Oct-20159.9K
hash.c08-Oct-20151.8K
hmac.c08-Oct-20155.1K
hmac.h08-Oct-20151.6K
hostfile.c08-Oct-201522.3K
hostfile.h08-Oct-20153.8K
includes.h08-Oct-20154K
INSTALL08-Oct-20158.9K
install-sh08-Oct-20155.5K
kex.c08-Oct-201520.8K
kex.h08-Oct-20156.8K
kexc25519.c08-Oct-20154.4K
kexc25519c.c08-Oct-20155.1K
kexc25519s.c08-Oct-20155K
kexdh.c08-Oct-20153.2K
kexdhc.c08-Oct-20155.8K
kexdhs.c08-Oct-20155.9K
kexecdh.c08-Oct-20153.5K
kexecdhc.c08-Oct-20156.3K
kexecdhs.c08-Oct-20156K
kexgex.c08-Oct-20153.6K
kexgexc.c08-Oct-20157.8K
kexgexs.c08-Oct-20157.8K
key.c08-Oct-20158.4K
key.h08-Oct-20154.1K
krl.c08-Oct-201534.1K
krl.h08-Oct-20152.6K
LICENCE08-Oct-201515.7K
log.c08-Oct-201510.4K
log.h08-Oct-20152.5K
loginrec.c08-Oct-201541.9K
loginrec.h08-Oct-20154.6K
logintest.c08-Oct-20158.6K
mac.c08-Oct-20157.1K
mac.h08-Oct-20151.9K
Makefile.in08-Oct-201523.6K
match.c08-Oct-20157.2K
match.h08-Oct-20151.1K
md-sha256.c08-Oct-20152.2K
md5crypt.c08-Oct-20154K
md5crypt.h08-Oct-2015803
mdoc2man.awk08-Oct-20158.4K
misc.c08-Oct-201523K
misc.h08-Oct-20154.4K
mkinstalldirs08-Oct-2015691
moduli08-Oct-2015236.5K
moduli.008-Oct-20153.4K
moduli.508-Oct-20153.6K
moduli.c08-Oct-201520.5K
monitor.c08-Oct-201550.1K
monitor.h08-Oct-20154K
monitor_fdpass.c08-Oct-20154.7K
monitor_fdpass.h08-Oct-20151.5K
monitor_mm.c08-Oct-20158.5K
monitor_mm.h08-Oct-20152.2K
monitor_wrap.c08-Oct-201524.7K
monitor_wrap.h08-Oct-20154K
msg.c08-Oct-20152.8K
msg.h08-Oct-20151.5K
mux.c08-Oct-201557.3K
myproposal.h08-Oct-20155.5K
nchan.c08-Oct-201512.8K
nchan.ms08-Oct-20153.9K
nchan2.ms08-Oct-20153.4K
opacket.c08-Oct-20156K
opacket.h08-Oct-20156.6K
openbsd-compat/08-Oct-2015
openssh.xml.in08-Oct-20152.8K
opensshd.init.in08-Oct-20152K
OVERVIEW08-Oct-20156.6K
packet.c08-Oct-201578.6K
packet.h08-Oct-20157K
pathnames.h08-Oct-20156K
pkcs11.h08-Oct-201541.4K
platform.c08-Oct-20154.9K
platform.h08-Oct-20151.3K
poly1305.c08-Oct-20154.5K
poly1305.h08-Oct-2015645
progressmeter.c08-Oct-20157.4K
progressmeter.h08-Oct-20151.4K
PROTOCOL08-Oct-201516.4K
PROTOCOL.agent08-Oct-201517.6K
PROTOCOL.certkeys08-Oct-201510.4K
PROTOCOL.chacha20poly130508-Oct-20154.4K
PROTOCOL.key08-Oct-20151.5K
PROTOCOL.krl08-Oct-20155K
PROTOCOL.mux08-Oct-20155.9K
readconf.c08-Oct-201568.7K
readconf.h08-Oct-20157.1K
README08-Oct-20152.7K
README.dns08-Oct-20151.6K
README.platform08-Oct-20153.9K
README.privsep08-Oct-20152.6K
README.tun08-Oct-20154.8K
readpass.c08-Oct-20155K
rijndael.c08-Oct-201551.6K
rijndael.h08-Oct-20152.1K
roaming.h08-Oct-20151.7K
roaming_client.c08-Oct-20157K
roaming_common.c08-Oct-20155.4K
roaming_dummy.c08-Oct-20151.5K
roaming_serv.c08-Oct-20151K
rsa.c08-Oct-20155K
rsa.h08-Oct-2015864
sandbox-capsicum.c08-Oct-20153.3K
sandbox-darwin.c08-Oct-20152.5K
sandbox-null.c08-Oct-20151.6K
sandbox-rlimit.c08-Oct-20152.4K
sandbox-seccomp-filter.c08-Oct-20156.8K
sandbox-systrace.c08-Oct-20156.1K
sc25519.c08-Oct-20157.2K
sc25519.h08-Oct-20152.8K
scp.008-Oct-20156K
scp.108-Oct-20155K
scp.c08-Oct-201531.3K
servconf.c08-Oct-201566K
servconf.h08-Oct-20159.6K
serverloop.c08-Oct-201539.5K
serverloop.h08-Oct-20151,016
session.c08-Oct-201566.5K
session.h08-Oct-20152.5K
sftp-client.c08-Oct-201548.7K
sftp-client.h08-Oct-20154.2K
sftp-common.c08-Oct-20156.8K
sftp-common.h08-Oct-20152K
sftp-glob.c08-Oct-20153.4K
sftp-server-main.c08-Oct-20151.4K
sftp-server.008-Oct-20154.2K
sftp-server.808-Oct-20155K
sftp-server.c08-Oct-201542.3K
sftp.008-Oct-201515.2K
sftp.108-Oct-201514.4K
sftp.c08-Oct-201556.7K
sftp.h08-Oct-20153.3K
smult_curve25519_ref.c08-Oct-20156.7K
ssh-add.008-Oct-20155.3K
ssh-add.108-Oct-20156.6K
ssh-add.c08-Oct-201515.7K
ssh-agent.008-Oct-20154.9K
ssh-agent.108-Oct-20156.5K
ssh-agent.c08-Oct-201534K
ssh-dss.c08-Oct-20155.8K
ssh-ecdsa.c08-Oct-20155.2K
ssh-ed25519.c08-Oct-20154.2K
ssh-gss.h08-Oct-20154.6K
ssh-keygen.008-Oct-201527.1K
ssh-keygen.108-Oct-201525.8K
ssh-keygen.c08-Oct-201571.6K
ssh-keyscan.008-Oct-20154.5K
ssh-keyscan.108-Oct-20154.2K
ssh-keyscan.c08-Oct-201517.7K
ssh-keysign.008-Oct-20151.8K
ssh-keysign.808-Oct-20153K
ssh-keysign.c08-Oct-20158K
ssh-pkcs11-client.c08-Oct-20155.2K
ssh-pkcs11-helper.008-Oct-2015642
ssh-pkcs11-helper.808-Oct-20151.3K
ssh-pkcs11-helper.c08-Oct-20158K
ssh-pkcs11.c08-Oct-201517.7K
ssh-pkcs11.h08-Oct-20151.1K
ssh-rsa.c08-Oct-20156.8K
ssh-sandbox.h08-Oct-20151.1K
ssh.008-Oct-201547.1K
ssh.108-Oct-201543K
ssh.c08-Oct-201557.9K
ssh.h08-Oct-20152.7K
ssh1.h08-Oct-20154.1K
ssh2.h08-Oct-20155.8K
ssh_api.c08-Oct-201513.5K
ssh_api.h08-Oct-20154.3K
ssh_config08-Oct-20151.5K
ssh_config.008-Oct-201555.9K
ssh_config.508-Oct-201545.7K
sshbuf-getput-basic.c08-Oct-20159.2K
sshbuf-getput-crypto.c08-Oct-20155.6K
sshbuf-misc.c08-Oct-20153K
sshbuf.c08-Oct-20159.1K
sshbuf.h08-Oct-201511.3K
sshconnect.c08-Oct-201540.7K
sshconnect.h08-Oct-20152.6K
sshconnect1.c08-Oct-201522.1K
sshconnect2.c08-Oct-201547.7K
sshd.008-Oct-201532.8K
sshd.808-Oct-201530.6K
sshd.c08-Oct-201569.8K
sshd_config08-Oct-20153.6K
sshd_config.008-Oct-201551.5K
sshd_config.508-Oct-201543.3K
sshd_config.android08-Oct-20153.3K
ssherr.c08-Oct-20154.8K
ssherr.h08-Oct-20153.2K
sshkey.c08-Oct-201597.1K
sshkey.h08-Oct-20158K
sshlogin.c08-Oct-20155.1K
sshlogin.h08-Oct-2015935
sshpty.c08-Oct-20156K
sshpty.h08-Oct-20151,009
sshtty.c08-Oct-20152.9K
start-ssh08-Oct-2015998
survey.sh.in08-Oct-20151.7K
TODO08-Oct-20152.7K
ttymodes.c08-Oct-201510.4K
ttymodes.h08-Oct-20155.2K
uidswap.c08-Oct-20158.9K
uidswap.h08-Oct-2015716
umac.c08-Oct-201545.8K
umac.h08-Oct-20154.6K
umac128.c08-Oct-2015522
uuencode.c08-Oct-20152.9K
uuencode.h08-Oct-20151.5K
verify.c08-Oct-2015668
version.h08-Oct-2015170
xmalloc.c08-Oct-20152.2K
xmalloc.h08-Oct-20151,016

README

      1 See http://www.openssh.com/txt/release-6.8 for the release notes.
      2 
      3 - A Japanese translation of this document and of the OpenSSH FAQ is
      4 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
      5 - Thanks to HARUYAMA Seigo <haruyama (a] unixuser.org>
      6 
      7 This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
      8 Unices.
      9 
     10 OpenSSH is based on the last free version of Tatu Ylonen's sample
     11 implementation with all patent-encumbered algorithms removed (to
     12 external libraries), all known security bugs fixed, new features
     13 reintroduced and many other clean-ups.  OpenSSH has been created by
     14 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
     15 and Dug Song. It has a homepage at http://www.openssh.com/
     16 
     17 This port consists of the re-introduction of autoconf support, PAM
     18 support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
     19 functions that are (regrettably) absent from other unices. This port
     20 has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
     21 NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
     22 
     23 This version actively tracks changes in the OpenBSD CVS repository.
     24 
     25 The PAM support is now more functional than the popular packages of
     26 commercial ssh-1.2.x. It checks "account" and "session" modules for
     27 all logins, not just when using password authentication.
     28 
     29 OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
     30 
     31 There is now several mailing lists for this port of OpenSSH. Please
     32 refer to http://www.openssh.com/list.html for details on how to join.
     33 
     34 Please send bug reports and patches to the mailing list
     35 openssh-unix-dev (a] mindrot.org. The list is open to posting by
     36 unsubscribed users.Code contribution are welcomed, but please follow the 
     37 OpenBSD style guidelines[6].
     38 
     39 Please refer to the INSTALL document for information on how to install
     40 OpenSSH on your system. There are a number of differences between this
     41 port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
     42 for details and general tips.
     43 
     44 Damien Miller <djm (a] mindrot.org>
     45 
     46 Miscellania -
     47 
     48 This version of OpenSSH is based upon code retrieved from the OpenBSD
     49 CVS repository which in turn was based on the last free sample
     50 implementation released by Tatu Ylonen.
     51 
     52 References -
     53 
     54 [0] http://www.openssh.com/faq.html
     55 [1] http://www.lothar.com/tech/crypto/
     56 [2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
     57 [3] http://www.gzip.org/zlib/
     58 [4] http://www.openssl.org/
     59 [5] http://www.openpam.org
     60     http://www.kernel.org/pub/linux/libs/pam/ 
     61     (PAM also is standard on Solaris and HP-UX 11)
     62 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
     63 [7] http://www.openssh.com/faq.html
     64 
     65 $Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
     66 

README.dns

      1 How to verify host keys using OpenSSH and DNS
      2 ---------------------------------------------
      3 
      4 OpenSSH contains support for verifying host keys using DNS as described in
      5 draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
      6 on how to use this feature. Configuring DNS is out of the scope of this
      7 document.
      8 
      9 
     10 (1) Server: Generate and publish the DNS RR
     11 
     12 To create a DNS resource record (RR) containing a fingerprint of the
     13 public host key, use the following command:
     14 
     15 	ssh-keygen -r hostname -f keyfile -g
     16 
     17 where "hostname" is your fully qualified hostname and "keyfile" is the
     18 file containing the public host key file. If you have multiple keys,
     19 you should generate one RR for each key.
     20 
     21 In the example above, ssh-keygen will print the fingerprint in a
     22 generic DNS RR format parsable by most modern name server
     23 implementations. If your nameserver has support for the SSHFP RR
     24 you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
     25 
     26 To publish the fingerprint using the DNS you must add the generated RR
     27 to your DNS zone file and sign your zone.
     28 
     29 
     30 (2) Client: Enable ssh to verify host keys using DNS
     31 
     32 To enable the ssh client to verify host keys using DNS, you have to
     33 add the following option to the ssh configuration file
     34 ($HOME/.ssh/config or /etc/ssh/ssh_config):
     35 
     36     VerifyHostKeyDNS yes
     37 
     38 Upon connection the client will try to look up the fingerprint RR
     39 using DNS. If the fingerprint received from the DNS server matches
     40 the remote host key, the user will be notified.
     41 
     42 
     43 	Jakob Schlyter
     44 	Wesley Griffin
     45 
     46 
     47 $OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
     48 

README.platform

      1 This file contains notes about OpenSSH on specific platforms.
      2 
      3 AIX
      4 ---
      5 As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
      6 settings, where previously it did not.  Because of this, it's possible for
      7 sites that have used OpenSSH's sshd exclusively to have accounts which
      8 have passwords expired longer than the inactive time (ie the "Weeks between
      9 password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
     10 chuser attribute).
     11 
     12 Accounts in this state must have their passwords reset manually by the
     13 administrator.  As a precaution, it is recommended that the administrative
     14 passwords be reset before upgrading from OpenSSH <3.8.
     15 
     16 As of OpenSSH 4.0, configure will attempt to detect if your version
     17 and maintenance level of AIX has a working getaddrinfo, and will use it
     18 if found.  This will enable IPv6 support.  If for some reason configure
     19 gets it wrong, or if you want to build binaries to work on earlier MLs
     20 than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
     21 to force the previous IPv4-only behaviour.
     22 
     23 IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
     24 IPv6 known broken: 4.3.3ML11 5.1ML4
     25 
     26 If you wish to use dynamic libraries that aren't in the normal system
     27 locations (eg IBM's OpenSSL and zlib packages) then you will need to
     28 define the environment variable blibpath before running configure, eg
     29 
     30 blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
     31   --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
     32 
     33 If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
     34 by default) then sshd checks that users are permitted via the
     35 loginrestrictions() function, in particular that the user has the
     36 "rlogin" attribute set.  This check is not done for the root account,
     37 instead the PermitRootLogin setting in sshd_config is used.
     38 
     39 
     40 Cygwin
     41 ------
     42 To build on Cygwin, OpenSSH requires the following packages:
     43 gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
     44 openssl-devel, zlib, minres, minires-devel.
     45 
     46 
     47 Darwin and MacOS X
     48 ------------------
     49 Darwin does not provide a tun(4) driver required for OpenSSH-based
     50 virtual private networks. The BSD manpage still exists, but the driver
     51 has been removed in recent releases of Darwin and MacOS X.
     52 
     53 Nevertheless, tunnel support is known to work with Darwin 8 and
     54 MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
     55 using a third party driver. More information is available at:
     56 	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
     57 
     58 
     59 Linux
     60 -----
     61 
     62 Some Linux distributions (including Red Hat/Fedora/CentOS) include
     63 headers and library links in the -devel RPMs rather than the main
     64 binary RPMs. If you get an error about headers, or complaining about a
     65 missing prerequisite then you may need to install the equivalent
     66 development packages.  On Redhat based distros these may be openssl-devel,
     67 zlib-devel and pam-devel, on Debian based distros these may be
     68 libssl-dev, libz-dev and libpam-dev.
     69 
     70 
     71 Solaris
     72 -------
     73 If you enable BSM auditing on Solaris, you need to update audit_event(4)
     74 for praudit(1m) to give sensible output.  The following line needs to be
     75 added to /etc/security/audit_event:
     76 
     77 	32800:AUE_openssh:OpenSSH login:lo
     78 
     79 The BSM audit event range available for third party TCB applications is
     80 32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
     81 There is no official registry of 3rd party event numbers, so if this
     82 number is already in use on your system, you may change it at build time
     83 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
     84 
     85 
     86 Platforms using PAM
     87 -------------------
     88 As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
     89 PAM is enabled.  To maintain existing behaviour, pam_nologin should be
     90 added to sshd's session stack which will prevent users from starting shell
     91 sessions.  Alternatively, pam_nologin can be added to either the auth or
     92 account stacks which will prevent authentication entirely, but will still
     93 return the output from pam_nologin to the client.
     94 
     95 
     96 $Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
     97 

README.privsep

      1 Privilege separation, or privsep, is method in OpenSSH by which
      2 operations that require root privilege are performed by a separate
      3 privileged monitor process.  Its purpose is to prevent privilege
      4 escalation by containing corruption to an unprivileged process.
      5 More information is available at:
      6 	http://www.citi.umich.edu/u/provos/ssh/privsep.html
      7 
      8 Privilege separation is now enabled by default; see the
      9 UsePrivilegeSeparation option in sshd_config(5).
     10 
     11 On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
     12 compression must be disabled in order for privilege separation to
     13 function.
     14 
     15 When privsep is enabled, during the pre-authentication phase sshd will
     16 chroot(2) to "/var/empty" and change its privileges to the "sshd" user
     17 and its primary group.  sshd is a pseudo-account that should not be
     18 used by other daemons, and must be locked and should contain a
     19 "nologin" or invalid shell.
     20 
     21 You should do something like the following to prepare the privsep
     22 preauth environment:
     23 
     24 	# mkdir /var/empty
     25 	# chown root:sys /var/empty
     26 	# chmod 755 /var/empty
     27 	# groupadd sshd
     28 	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
     29 
     30 /var/empty should not contain any files.
     31 
     32 configure supports the following options to change the default
     33 privsep user and chroot directory:
     34 
     35   --with-privsep-path=xxx Path for privilege separation chroot
     36   --with-privsep-user=user Specify non-privileged user for privilege separation
     37 
     38 Privsep requires operating system support for file descriptor passing.
     39 Compression will be disabled on systems without a working mmap MAP_ANON.
     40 
     41 PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 
     42 HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
     43 
     44 On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
     45 part of privsep is supported.  Post-authentication privsep is disabled
     46 automatically (so you won't see the additional process mentioned below).
     47 
     48 Note that for a normal interactive login with a shell, enabling privsep
     49 will require 1 additional process per login session.
     50 
     51 Given the following process listing (from HP-UX):
     52 
     53      UID   PID  PPID  C    STIME TTY       TIME COMMAND
     54     root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
     55     root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
     56  stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
     57  stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
     58 
     59 process 1005 is the sshd process listening for new connections.
     60 process 6917 is the privileged monitor process, 6919 is the user owned
     61 sshd process and 6921 is the shell process.
     62 
     63 $Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
     64 

README.tun

      1 How to use OpenSSH-based virtual private networks
      2 -------------------------------------------------
      3 
      4 OpenSSH contains support for VPN tunneling using the tun(4) network
      5 tunnel pseudo-device which is available on most platforms, either for
      6 layer 2 or 3 traffic.
      7 
      8 The following brief instructions on how to use this feature use
      9 a network configuration specific to the OpenBSD operating system.
     10 
     11 (1) Server: Enable support for SSH tunneling
     12 
     13 To enable the ssh server to accept tunnel requests from the client, you
     14 have to add the following option to the ssh server configuration file
     15 (/etc/ssh/sshd_config):
     16 
     17 	PermitTunnel yes
     18 
     19 Restart the server or send the hangup signal (SIGHUP) to let the server
     20 reread it's configuration.
     21 
     22 (2) Server: Restrict client access and assign the tunnel
     23 
     24 The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
     25 restrict the client to connect to a specified tunnel and to
     26 automatically start the related interface configuration command. These
     27 settings are optional but recommended:
     28 
     29 	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk (a] openbsd.org
     30 
     31 (3) Client: Configure the local network tunnel interface
     32 
     33 Use the hostname.if(5) interface-specific configuration file to set up
     34 the network tunnel configuration with OpenBSD. For example, use the
     35 following configuration in /etc/hostname.tun0 to set up the layer 3
     36 tunnel on the client:
     37 
     38 	inet 192.168.5.1 255.255.255.252 192.168.5.2
     39 
     40 OpenBSD also supports layer 2 tunneling over the tun device by adding
     41 the link0 flag:
     42 
     43 	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
     44 
     45 Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
     46 interface, like the following example for /etc/bridgename.bridge0:
     47 
     48 	add tun0
     49 	add sis0
     50 	up
     51 
     52 (4) Client: Configure the OpenSSH client
     53 
     54 To establish tunnel forwarding for connections to a specified
     55 remote host by default, use the following ssh client configuration for
     56 the privileged user (in /root/.ssh/config):
     57 
     58 	Host sshgateway
     59 		Tunnel yes
     60 		TunnelDevice 0:any
     61 		PermitLocalCommand yes
     62 	        LocalCommand sh /etc/netstart tun0
     63 
     64 A more complicated configuration is possible to establish a tunnel to
     65 a remote host which is not directly accessible by the client.
     66 The following example describes a client configuration to connect to
     67 the remote host over two ssh hops in between. It uses the OpenSSH
     68 ProxyCommand in combination with the nc(1) program to forward the final
     69 ssh tunnel destination over multiple ssh sessions.
     70 
     71 	Host access.somewhere.net
     72 	        User puffy
     73 	Host dmzgw
     74 	        User puffy
     75 	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
     76 	Host sshgateway
     77 	        Tunnel Ethernet
     78 	        TunnelDevice 0:any
     79 	        PermitLocalCommand yes
     80 	        LocalCommand sh /etc/netstart tun0
     81 	        ProxyCommand ssh dmzgw nc sshgateway 22
     82 
     83 The following network plan illustrates the previous configuration in
     84 combination with layer 2 tunneling and Ethernet bridging.
     85 
     86 +--------+       (          )      +----------------------+
     87 | Client |------(  Internet  )-----| access.somewhere.net |
     88 +--------+       (          )      +----------------------+
     89     : 192.168.1.78                             |
     90     :.............................         +-------+
     91      Forwarded ssh connection    :         | dmzgw |
     92      Layer 2 tunnel              :         +-------+
     93                                  :             |
     94                                  :             |
     95                                  :      +------------+
     96                                  :......| sshgateway |
     97                                       | +------------+
     98 --- real connection                 Bridge ->  |          +----------+
     99 ... "virtual connection"                     [ X ]--------| somehost |
    100 [X] switch                                                +----------+
    101                                                           192.168.1.25
    102 
    103 (5) Client: Connect to the server and establish the tunnel
    104 
    105 Finally connect to the OpenSSH server to establish the tunnel by using
    106 the following command:
    107 
    108 	ssh sshgateway
    109 
    110 It is also possible to tell the client to fork into the background after
    111 the connection has been successfully established:
    112 
    113 	ssh -f sshgateway true
    114 
    115 Without the ssh configuration done in step (4), it is also possible
    116 to use the following command lines:
    117 
    118 	ssh -fw 0:1 sshgateway true
    119 	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
    120 
    121 Using OpenSSH tunnel forwarding is a simple way to establish secure
    122 and ad hoc virtual private networks. Possible fields of application
    123 could be wireless networks or administrative VPN tunnels.
    124 
    125 Nevertheless, ssh tunneling requires some packet header overhead and
    126 runs on top of TCP. It is still suggested to use the IP Security
    127 Protocol (IPSec) for robust and permanent VPN connections and to
    128 interconnect corporate networks.
    129 
    130 	Reyk Floeter
    131 
    132 $OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
    133