From 46915de10e3c246f048e26aaf5648206928bfc38 Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch sshd_config.patch
|
|
|
|
|
|
diff --git a/sshd_config b/sshd_config
|
|
index c423eba..d1fd881 100644
|
|
--- a/sshd_config
|
|
+++ b/sshd_config
|
|
@@ -38,7 +38,7 @@
|
|
|
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
-AuthorizedKeysFile .ssh/authorized_keys
|
|
+AuthorizedKeysFile config/settings/ssh/authorized_keys
|
|
|
|
#AuthorizedPrincipalsFile none
|
|
|
|
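Review bot: The comment two lines above the changed directive still says installations will only check `.ssh/authorized_keys`, so it now contradicts the value it describes; update it to `# but this is overridden so installations will only check config/settings/ssh/authorized_keys`. As far as I know sshd's StrictModes handling also verifies ownership and write permissions of every path component between the home directory and this file, so `~/config` and `~/config/settings` must not be group- or world-writable on Haiku or public-key authentication will be refused; that constraint deserves a line in the comment or the port notes. The same path is hard-coded again as `_PATH_SSH_USER_DIR` in the pathnames.h patch of this series, and the two must be kept in sync.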
--
|
|
2.30.2
|
|
|
|
|
|
From 427a97a45b7e0e6fe9fb0c6f6c91da7ffd5ac498 Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch pathnames.patch
|
|
|
|
|
|
diff --git a/pathnames.h b/pathnames.h
|
|
index f7ca5a7..828e43e 100644
|
|
--- a/pathnames.h
|
|
+++ b/pathnames.h
|
|
@@ -57,7 +57,7 @@
|
|
* The directory in user's home directory in which the files reside. The
|
|
* directory should be world-readable (though not all files are).
|
|
*/
|
|
-#define _PATH_SSH_USER_DIR ".ssh"
|
|
+#define _PATH_SSH_USER_DIR "config/settings/ssh"
|
|
|
|
/*
|
|
* Per-user file containing host keys of known hosts. This file need not be
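Review bot: The value `config/settings/ssh` defined here does not match the path written in the later manpage patch of this series, which uses `~/config/settings/settings/ssh/...` (doubled `settings`) in most hunks and `~/config/settings/ssh/...` in a few others; only the latter agrees with this define and with the sshd_config patch, so the manpages should be corrected to one spelling. The ssh-copy-id patch derives the same directory at run time with `finddir B_USER_SETTINGS_DIRECTORY` while this define hard-codes it relative to the home directory; a comment such as `/* Haiku: must equal B_USER_SETTINGS_DIRECTORY/ssh, see contrib/ssh-copy-id */` would record the intended equivalence so a change to one is noticed in the other.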
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From d223b7eaffa27233846f6a92dec9c7ba66aafd9d Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch bzero.patch
|
|
|
|
|
|
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
|
|
index 68cd2c1..7f746e2 100644
|
|
--- a/openbsd-compat/explicit_bzero.c
|
|
+++ b/openbsd-compat/explicit_bzero.c
|
|
@@ -35,6 +35,24 @@ explicit_bzero(void *p, size_t n)
|
|
|
|
#else /* HAVE_MEMSET_S */
|
|
|
|
+#ifdef __HAIKU__
|
|
+/* Haiku defines bzero(x, y) but not bzero */
|
|
+
|
|
+/*
|
|
+ * Indirect memset through a volatile pointer to hopefully avoid
|
|
+ * dead-store optimisation eliminating the call.
|
|
+ */
|
|
+static void (* volatile ssh_memset)(void *, int, size_t) = memset;
|
|
+
|
|
+void
|
|
+explicit_bzero(void *p, size_t n)
|
|
+{
|
|
+ ssh_memset(p, 0, n);
|
|
+}
|
|
+
|
|
+
|
|
+#else
|
|
+
|
|
/*
|
|
* Indirect bzero through a volatile pointer to hopefully avoid
|
|
* dead-store optimisation eliminating the call.
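Review bot: The pointer `ssh_memset` is declared as returning `void`, but `memset` returns `void *`, so the initialiser assigns an incompatible function pointer type and the call `ssh_memset(p, 0, n);` goes through a pointer of the wrong type (C11 6.5.2.2); compilers warn on the assignment today and newer GCC rejects it. Declare it to match memset: `static void *(* volatile ssh_memset)(void *, int, size_t) = memset;`. The comment `/* Haiku defines bzero(x, y) but not bzero */` is hard to parse; if the intent is that bzero exists only as a function-like macro whose address cannot be taken, say so, e.g. `/* Haiku's bzero is a function-like macro, so it cannot be assigned to a pointer; go through memset instead */`. The bare `#endif` added in the second hunk of this file would read better as `#endif /* __HAIKU__ */`, matching the labelled `#endif` lines around it.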
|
|
@@ -60,6 +78,8 @@ explicit_bzero(void *p, size_t n)
|
|
ssh_bzero(p, n);
|
|
}
|
|
|
|
+#endif
|
|
+
|
|
#endif /* HAVE_MEMSET_S */
|
|
|
|
#endif /* HAVE_EXPLICIT_BZERO */
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From e577a38f6e070c1b0f0f81804f6f6636b2a07ce9 Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch ssh-copy-id.patch
|
|
|
|
|
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
old mode 100644
|
|
new mode 100755
|
|
index cd122de..e5a320c
|
|
--- a/contrib/ssh-copy-id
|
|
+++ b/contrib/ssh-copy-id
|
|
@@ -61,7 +61,7 @@ then
|
|
fi
|
|
|
|
# shellcheck disable=SC2010
|
|
-DEFAULT_PUB_ID_FILE=$(ls -t "${HOME}"/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
|
|
+DEFAULT_PUB_ID_FILE=$(ls -t `finddir B_USER_SETTINGS_DIRECTORY`/ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
|
|
SSH="ssh -a -x"
|
|
umask 0177
|
|
|
|
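Review bot: The command substitution `` `finddir B_USER_SETTINGS_DIRECTORY` `` on the new DEFAULT_PUB_ID_FILE line is unquoted, so a settings path containing whitespace or glob characters is word-split and re-globbed, whereas the original quoted `"${HOME}"`; the mktemp call in the second hunk of this file has the same problem. Use `$(...)` with quotes: `DEFAULT_PUB_ID_FILE=$(ls -t "$(finddir B_USER_SETTINGS_DIRECTORY)"/ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)` and `if SCRATCH_DIR=$(mktemp -d "$(finddir B_USER_SETTINGS_DIRECTORY)/ssh/ssh-copy-id.XXXXXXXXXX") &&`. The file already carries shellcheck directives, and shellcheck reports SC2046 and SC2006 for the current form. If `finddir` is missing or fails, the substitution expands to nothing and both paths silently degrade to `/ssh/...`; presumably acceptable for a Haiku-only port, but worth a comment.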
@@ -296,7 +296,7 @@ installkeys_via_sftp() {
|
|
|
|
|
|
# create a scratch dir for any temporary files needed
|
|
-if SCRATCH_DIR=$(mktemp -d ~/.ssh/ssh-copy-id.XXXXXXXXXX) &&
|
|
+if SCRATCH_DIR=$(mktemp -d `finddir B_USER_SETTINGS_DIRECTORY`/ssh/ssh-copy-id.XXXXXXXXXX) &&
|
|
[ "$SCRATCH_DIR" ] && [ -d "$SCRATCH_DIR" ]
|
|
then
|
|
chmod 0700 "$SCRATCH_DIR"
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From 1c1afde767b7eb55247d2a6ae20aeb063ce4733b Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch sha2-gcc2-build-fix.patch
|
|
|
|
|
|
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
|
|
index 4f2ad8f..8946d87 100644
|
|
--- a/openbsd-compat/sha2.c
|
|
+++ b/openbsd-compat/sha2.c
|
|
@@ -616,11 +616,13 @@ SHA256Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context)
|
|
SHA256Pad(context);
|
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
|
+{
|
|
int i;
|
|
|
|
/* Convert TO host byte order */
|
|
for (i = 0; i < 8; i++)
|
|
BE_32_TO_8(digest + i * 4, context->state.st32[i]);
|
|
+}
|
|
#else
|
|
memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
|
|
#endif
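Review bot: The added `{` after `#if BYTE_ORDER == LITTLE_ENDIAN` carries no explanation, so a reader without the commit subject cannot tell why `int i;` was wrapped in an extra block; the same applies to the two other hunks of this file (SHA512Final and SHA384Final). A brief comment on the opening brace, `{ /* block scope: pre-C99 compilers reject a declaration after the SHA256Pad() call */`, would document the constraint that must be preserved. The enclosed lines keep their previous indentation, so the braces do not visually form a block; indenting them one level, or at least aligning the braces with the code they enclose, would make the structure obvious.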
|
|
@@ -897,11 +899,13 @@ SHA512Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context)
|
|
SHA512Pad(context);
|
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
|
+{
|
|
int i;
|
|
|
|
/* Convert TO host byte order */
|
|
for (i = 0; i < 8; i++)
|
|
BE_64_TO_8(digest + i * 8, context->state.st64[i]);
|
|
+}
|
|
#else
|
|
memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
|
|
#endif
|
|
@@ -954,11 +958,13 @@ SHA384Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *context)
|
|
SHA384Pad(context);
|
|
|
|
#if BYTE_ORDER == LITTLE_ENDIAN
|
|
+{
|
|
int i;
|
|
|
|
/* Convert TO host byte order */
|
|
for (i = 0; i < 6; i++)
|
|
BE_64_TO_8(digest + i * 8, context->state.st64[i]);
|
|
+}
|
|
#else
|
|
memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
|
|
#endif
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From acca4d10250a91add4e5fd650e4de30a3dc7209f Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 17:57:38 +0200
|
|
Subject: applying patch pkcs11-gcc2-build-fix.patch
|
|
|
|
|
|
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
|
|
index e724736..5a94d56 100644
|
|
--- a/ssh-pkcs11-client.c
|
|
+++ b/ssh-pkcs11-client.c
|
|
@@ -248,6 +248,7 @@ pkcs11_start_helper_methods(void)
|
|
return (0);
|
|
|
|
#ifdef HAVE_EC_KEY_METHOD_NEW
|
|
+ {
|
|
int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
|
|
unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
|
|
if (helper_ecdsa != NULL)
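Review bot: The brace pair added around the `orig_sign` declaration is unexplained, and because the declaration follows `return (0);` a reader cannot tell whether the block exists for scoping or to satisfy a pre-C99 compiler; a short comment on the opening brace, `{ /* block scope so the declaration below is valid in C89 (gcc2) */`, would record why it must stay. The enclosed lines keep their old indentation, so the block boundary is easy to miss; indenting them or aligning the braces with the `#ifdef` would help. pkcs11_start_helper_methods starts before this hunk and continues past the closing brace added in the second hunk.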
|
|
@@ -257,6 +258,7 @@ pkcs11_start_helper_methods(void)
|
|
return (-1);
|
|
EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
|
|
EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
|
|
+ }
|
|
#endif /* HAVE_EC_KEY_METHOD_NEW */
|
|
|
|
if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From f084fc80a1a00b8024cd59134b055d6393e259b4 Mon Sep 17 00:00:00 2001
|
|
From: Adrien Destugues <pulkomandy@pulkomandy.tk>
|
|
Date: Thu, 16 Jul 2020 18:08:27 +0200
|
|
Subject: Fix configuration path in manpages
|
|
|
|
|
|
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
|
|
index c141a29..fd27f1d 100644
|
|
--- a/contrib/ssh-copy-id.1
|
|
+++ b/contrib/ssh-copy-id.1
|
|
@@ -54,7 +54,7 @@ this may result in you being repeatedly prompted for pass-phrases).
|
|
It then assembles a list of those that failed to log in, and using ssh,
|
|
enables logins with those keys on the remote server. By default it adds
|
|
the keys by appending them to the remote user's
|
|
-.Pa ~/.ssh/authorized_keys
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys
|
|
(creating the file, and directory, if necessary). It is also capable
|
|
of detecting if the remote system is a NetScreen, and using its
|
|
.Ql set ssh pka-dsa key ...
|
|
@@ -124,9 +124,9 @@ will be used.
|
|
The
|
|
.Ic default_ID_file
|
|
is the most recent file that matches:
|
|
-.Pa ~/.ssh/id*.pub ,
|
|
+.Pa ~/config/settings/settings/ssh/id*.pub ,
|
|
(excluding those that match
|
|
-.Pa ~/.ssh/*-cert.pub )
|
|
+.Pa ~/config/settings/settings/ssh/*-cert.pub )
|
|
so if you create a key that is not the one you want
|
|
.Nm
|
|
to use, just use
|
|
diff --git a/ssh-add.0 b/ssh-add.0
|
|
index d955d32..a2ae8fa 100644
|
|
--- a/ssh-add.0
|
|
+++ b/ssh-add.0
|
|
@@ -13,8 +13,8 @@ SYNOPSIS
|
|
DESCRIPTION
|
|
ssh-add adds private key identities to the authentication agent,
|
|
ssh-agent(1). When run without arguments, it adds the files
|
|
- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk,
|
|
- ~/.ssh/id_ed25519, and ~/.ssh/id_ed25519_sk. After loading a private
|
|
+ ~/config/settings/settings/ssh/id_rsa, ~/config/settings/settings/ssh/id_dsa, ~/config/settings/settings/ssh/id_ecdsa, ~/config/settings/settings/ssh/id_ecdsa_sk,
|
|
+ ~/config/settings/settings/ssh/id_ed25519, and ~/config/settings/settings/ssh/id_ed25519_sk. After loading a private
|
|
key, ssh-add will try to load corresponding certificate information from
|
|
the filename obtained by appending -cert.pub to the name of the private
|
|
key file. Alternative file names can be given on the command line.
|
|
@@ -122,12 +122,12 @@ ENVIRONMENT
|
|
the built-in USB HID support.
|
|
|
|
FILES
|
|
- ~/.ssh/id_dsa
|
|
- ~/.ssh/id_ecdsa
|
|
- ~/.ssh/id_ecdsa_sk
|
|
- ~/.ssh/id_ed25519
|
|
- ~/.ssh/id_ed25519_sk
|
|
- ~/.ssh/id_rsa
|
|
+ ~/config/settings/settings/ssh/id_dsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa_sk
|
|
+ ~/config/settings/settings/ssh/id_ed25519
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk
|
|
+ ~/config/settings/settings/ssh/id_rsa
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA authentication identity of
|
|
the user.
|
|
diff --git a/ssh-add.1 b/ssh-add.1
|
|
index 2786df5..7eaef93 100644
|
|
--- a/ssh-add.1
|
|
+++ b/ssh-add.1
|
|
@@ -60,13 +60,13 @@
|
|
adds private key identities to the authentication agent,
|
|
.Xr ssh-agent 1 .
|
|
When run without arguments, it adds the files
|
|
-.Pa ~/.ssh/id_rsa ,
|
|
-.Pa ~/.ssh/id_dsa ,
|
|
-.Pa ~/.ssh/id_ecdsa ,
|
|
-.Pa ~/.ssh/id_ecdsa_sk ,
|
|
-.Pa ~/.ssh/id_ed25519 ,
|
|
+.Pa ~/config/settings/settings/ssh/id_rsa ,
|
|
+.Pa ~/config/settings/settings/ssh/id_dsa ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ecdsa ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ecdsa_sk ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ed25519 ,
|
|
and
|
|
-.Pa ~/.ssh/id_ed25519_sk .
|
|
+.Pa ~/config/settings/settings/ssh/id_ed25519_sk .
|
|
After loading a private key,
|
|
.Nm
|
|
will try to load corresponding certificate information from the
|
|
@@ -226,12 +226,12 @@ the built-in USB HID support.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width Ds -compact
|
|
-.It Pa ~/.ssh/id_dsa
|
|
-.It Pa ~/.ssh/id_ecdsa
|
|
-.It Pa ~/.ssh/id_ecdsa_sk
|
|
-.It Pa ~/.ssh/id_ed25519
|
|
-.It Pa ~/.ssh/id_ed25519_sk
|
|
-.It Pa ~/.ssh/id_rsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_dsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519_sk
|
|
+.It Pa ~/config/settings/settings/ssh/id_rsa
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
|
.El
|
|
diff --git a/ssh-keygen.0 b/ssh-keygen.0
|
|
index 2027bdf..77fd8db 100644
|
|
--- a/ssh-keygen.0
|
|
+++ b/ssh-keygen.0
|
|
@@ -55,9 +55,9 @@ DESCRIPTION
|
|
KEY REVOCATION LISTS section for details.
|
|
|
|
Normally each user wishing to use SSH with public key authentication runs
|
|
- this once to create the authentication key in ~/.ssh/id_dsa,
|
|
- ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
|
|
- ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system
|
|
+ this once to create the authentication key in ~/config/settings/settings/ssh/id_dsa,
|
|
+ ~/config/settings/settings/ssh/id_ecdsa, ~/config/settings/settings/ssh/id_ecdsa_sk, ~/config/settings/settings/ssh/id_ed25519,
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk or ~/config/settings/settings/ssh/id_rsa. Additionally, the system
|
|
administrator may use this to generate host keys, as seen in /etc/rc.
|
|
|
|
Normally this program generates the key and asks for a file in which to
|
|
@@ -617,7 +617,7 @@ CERTIFICATES
|
|
no-pty Disable PTY allocation (permitted by default).
|
|
|
|
no-user-rc
|
|
- Disable execution of ~/.ssh/rc by sshd(8) (permitted by default).
|
|
+ Disable execution of ~/config/settings/settings/ssh/rc by sshd(8) (permitted by default).
|
|
|
|
no-x11-forwarding
|
|
Disable X11 forwarding (permitted by default).
|
|
@@ -632,7 +632,7 @@ CERTIFICATES
|
|
Allows PTY allocation.
|
|
|
|
permit-user-rc
|
|
- Allows execution of ~/.ssh/rc by sshd(8).
|
|
+ Allows execution of ~/config/settings/settings/ssh/rc by sshd(8).
|
|
|
|
permit-X11-forwarding
|
|
Allows X11 forwarding.
|
|
@@ -790,12 +790,12 @@ ENVIRONMENT
|
|
the built-in USB HID support.
|
|
|
|
FILES
|
|
- ~/.ssh/id_dsa
|
|
- ~/.ssh/id_ecdsa
|
|
- ~/.ssh/id_ecdsa_sk
|
|
- ~/.ssh/id_ed25519
|
|
- ~/.ssh/id_ed25519_sk
|
|
- ~/.ssh/id_rsa
|
|
+ ~/config/settings/settings/ssh/id_dsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa_sk
|
|
+ ~/config/settings/settings/ssh/id_ed25519
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk
|
|
+ ~/config/settings/settings/ssh/id_rsa
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA authentication identity of
|
|
the user. This file should not be readable by anyone but the
|
|
@@ -806,16 +806,16 @@ FILES
|
|
the private key. ssh(1) will read this file when a login attempt
|
|
is made.
|
|
|
|
- ~/.ssh/id_dsa.pub
|
|
- ~/.ssh/id_ecdsa.pub
|
|
- ~/.ssh/id_ecdsa_sk.pub
|
|
- ~/.ssh/id_ed25519.pub
|
|
- ~/.ssh/id_ed25519_sk.pub
|
|
- ~/.ssh/id_rsa.pub
|
|
+ ~/config/settings/settings/ssh/id_dsa.pub
|
|
+ ~/config/settings/settings/ssh/id_ecdsa.pub
|
|
+ ~/config/settings/settings/ssh/id_ecdsa_sk.pub
|
|
+ ~/config/settings/settings/ssh/id_ed25519.pub
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk.pub
|
|
+ ~/config/settings/settings/ssh/id_rsa.pub
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA public key for
|
|
authentication. The contents of this file should be added to
|
|
- ~/.ssh/authorized_keys on all machines where the user wishes to
|
|
+ ~/config/settings/settings/ssh/authorized_keys on all machines where the user wishes to
|
|
log in using public key authentication. There is no need to keep
|
|
the contents of this file secret.
|
|
|
|
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
|
index f83f515..aede975 100644
|
|
--- a/ssh-keygen.1
|
|
+++ b/ssh-keygen.1
|
|
@@ -200,13 +200,13 @@ section for details.
|
|
Normally each user wishing to use SSH
|
|
with public key authentication runs this once to create the authentication
|
|
key in
|
|
-.Pa ~/.ssh/id_dsa ,
|
|
-.Pa ~/.ssh/id_ecdsa ,
|
|
-.Pa ~/.ssh/id_ecdsa_sk ,
|
|
-.Pa ~/.ssh/id_ed25519 ,
|
|
-.Pa ~/.ssh/id_ed25519_sk
|
|
+.Pa ~/config/settings/settings/ssh/id_dsa ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ecdsa ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ecdsa_sk ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ed25519 ,
|
|
+.Pa ~/config/settings/settings/ssh/id_ed25519_sk
|
|
or
|
|
-.Pa ~/.ssh/id_rsa .
|
|
+.Pa ~/config/settings/settings/ssh/id_rsa .
|
|
Additionally, the system administrator may use this to generate host keys,
|
|
as seen in
|
|
.Pa /etc/rc .
|
|
@@ -967,7 +967,7 @@ Disable PTY allocation (permitted by default).
|
|
.Pp
|
|
.It Ic no-user-rc
|
|
Disable execution of
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
by
|
|
.Xr sshd 8
|
|
(permitted by default).
|
|
@@ -988,7 +988,7 @@ Allows PTY allocation.
|
|
.Pp
|
|
.It Ic permit-user-rc
|
|
Allows execution of
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
by
|
|
.Xr sshd 8 .
|
|
.Pp
|
|
@@ -1184,12 +1184,12 @@ the built-in USB HID support.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width Ds -compact
|
|
-.It Pa ~/.ssh/id_dsa
|
|
-.It Pa ~/.ssh/id_ecdsa
|
|
-.It Pa ~/.ssh/id_ecdsa_sk
|
|
-.It Pa ~/.ssh/id_ed25519
|
|
-.It Pa ~/.ssh/id_ed25519_sk
|
|
-.It Pa ~/.ssh/id_rsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_dsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519_sk
|
|
+.It Pa ~/config/settings/settings/ssh/id_rsa
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
|
This file should not be readable by anyone but the user.
|
|
@@ -1202,16 +1202,16 @@ but it is offered as the default file for the private key.
|
|
.Xr ssh 1
|
|
will read this file when a login attempt is made.
|
|
.Pp
|
|
-.It Pa ~/.ssh/id_dsa.pub
|
|
-.It Pa ~/.ssh/id_ecdsa.pub
|
|
-.It Pa ~/.ssh/id_ecdsa_sk.pub
|
|
-.It Pa ~/.ssh/id_ed25519.pub
|
|
-.It Pa ~/.ssh/id_ed25519_sk.pub
|
|
-.It Pa ~/.ssh/id_rsa.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_dsa.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_ed25519_sk.pub
|
|
+.It Pa ~/config/settings/settings/ssh/id_rsa.pub
|
|
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
|
authenticator-hosted Ed25519 or RSA public key for authentication.
|
|
The contents of this file should be added to
|
|
-.Pa ~/.ssh/authorized_keys
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys
|
|
on all machines
|
|
where the user wishes to log in using public key authentication.
|
|
There is no need to keep the contents of this file secret.
|
|
diff --git a/ssh.0 b/ssh.0
|
|
index 055bad3..c7df3ea 100644
|
|
--- a/ssh.0
|
|
+++ b/ssh.0
|
|
@@ -112,7 +112,7 @@ DESCRIPTION
|
|
Specifies an alternative per-user configuration file. If a
|
|
configuration file is given on the command line, the system-wide
|
|
configuration file (/etc/ssh/ssh_config) will be ignored. The
|
|
- default for the per-user configuration file is ~/.ssh/config. If
|
|
+ default for the per-user configuration file is ~/config/settings/ssh/config. If
|
|
set to M-bM-^@M-^\noneM-bM-^@M-^], no configuration files will be read.
|
|
|
|
-f Requests ssh to go to background just before command execution.
|
|
@@ -143,9 +143,9 @@ DESCRIPTION
|
|
key authentication is read. You can also specify a public key
|
|
file to use the corresponding private key that is loaded in
|
|
ssh-agent(1) when the private key file is not present locally.
|
|
- The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
|
|
- ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and
|
|
- ~/.ssh/id_rsa. Identity files may also be specified on a per-
|
|
+ The default is ~/config/settings/ssh/id_dsa, ~/config/settings/ssh/id_ecdsa,
|
|
+ ~/config/settings/ssh/id_ecdsa_sk, ~/config/settings/ssh/id_ed25519, ~/config/settings/ssh/id_ed25519_sk and
|
|
+ ~/config/settings/ssh/id_rsa. Identity files may also be specified on a per-
|
|
host basis in the configuration file. It is possible to have
|
|
multiple -i options (and multiple identities specified in
|
|
configuration files). If no certificates have been explicitly
|
|
@@ -161,7 +161,7 @@ DESCRIPTION
|
|
is a shortcut to specify a ProxyJump configuration directive.
|
|
Note that configuration directives supplied on the command-line
|
|
generally apply to the destination host and not any specified
|
|
- jump hosts. Use ~/.ssh/config to specify configuration for jump
|
|
+ jump hosts. Use ~/config/settings/settings/ssh/config to specify configuration for jump
|
|
hosts.
|
|
|
|
-K Enables GSSAPI-based authentication and forwarding (delegation)
|
|
@@ -481,7 +481,7 @@ AUTHENTICATION
|
|
the client machine and the name of the user on that machine, the user is
|
|
considered for login. Additionally, the server must be able to verify
|
|
the client's host key (see the description of /etc/ssh/ssh_known_hosts
|
|
- and ~/.ssh/known_hosts, below) for login to be permitted. This
|
|
+ and ~/config/settings/settings/ssh/known_hosts, below) for login to be permitted. This
|
|
authentication method closes security holes due to IP spoofing, DNS
|
|
spoofing, and routing spoofing. [Note to the administrator:
|
|
/etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are
|
|
@@ -497,7 +497,7 @@ AUTHENTICATION
|
|
one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of
|
|
ssl(8) contains a brief discussion of the DSA and RSA algorithms.
|
|
|
|
- The file ~/.ssh/authorized_keys lists the public keys that are permitted
|
|
+ The file ~/config/settings/settings/ssh/authorized_keys lists the public keys that are permitted
|
|
for logging in. When the user logs in, the ssh program tells the server
|
|
which key pair it would like to use for authentication. The client
|
|
proves that it has access to the private key and the server checks that
|
|
@@ -509,15 +509,15 @@ AUTHENTICATION
|
|
DEBUG or higher (e.g. by using the -v flag).
|
|
|
|
The user creates their key pair by running ssh-keygen(1). This stores
|
|
- the private key in ~/.ssh/id_dsa (DSA), ~/.ssh/id_ecdsa (ECDSA),
|
|
- ~/.ssh/id_ecdsa_sk (authenticator-hosted ECDSA), ~/.ssh/id_ed25519
|
|
- (Ed25519), ~/.ssh/id_ed25519_sk (authenticator-hosted Ed25519), or
|
|
- ~/.ssh/id_rsa (RSA) and stores the public key in ~/.ssh/id_dsa.pub (DSA),
|
|
- ~/.ssh/id_ecdsa.pub (ECDSA), ~/.ssh/id_ecdsa_sk.pub (authenticator-hosted
|
|
- ECDSA), ~/.ssh/id_ed25519.pub (Ed25519), ~/.ssh/id_ed25519_sk.pub
|
|
- (authenticator-hosted Ed25519), or ~/.ssh/id_rsa.pub (RSA) in the user's
|
|
+ the private key in ~/config/settings/ssh/id_dsa (DSA), ~/config/settings/ssh/id_ecdsa (ECDSA),
|
|
+ ~/config/settings/ssh/id_ecdsa_sk (authenticator-hosted ECDSA), ~/config/settings/ssh/id_ed25519
|
|
+ (Ed25519), ~/config/settings/ssh/id_ed25519_sk (authenticator-hosted Ed25519), or
|
|
+ ~/config/settings/ssh/id_rsa (RSA) and stores the public key in ~/config/settings/ssh/id_dsa.pub (DSA),
|
|
+ ~/config/settings/ssh/id_ecdsa.pub (ECDSA), ~/config/settings/ssh/id_ecdsa_sk.pub (authenticator-hosted
|
|
+ ECDSA), ~/config/settings/ssh/id_ed25519.pub (Ed25519), ~/config/settings/ssh/id_ed25519_sk.pub
|
|
+ (authenticator-hosted Ed25519), or ~/config/settings/ssh/id_rsa.pub (RSA) in the user's
|
|
home directory. The user should then copy the public key to
|
|
- ~/.ssh/authorized_keys in their home directory on the remote machine.
|
|
+ ~/config/settings/ssh/authorized_keys in their home directory on the remote machine.
|
|
The authorized_keys file corresponds to the conventional ~/.rhosts file,
|
|
and has one key per line, though the lines can be very long. After this,
|
|
the user can log in without giving the password.
|
|
@@ -545,7 +545,7 @@ AUTHENTICATION
|
|
|
|
ssh automatically maintains and checks a database containing
|
|
identification for all hosts it has ever been used with. Host keys are
|
|
- stored in ~/.ssh/known_hosts in the user's home directory. Additionally,
|
|
+ stored in ~/config/settings/settings/ssh/known_hosts in the user's home directory. Additionally,
|
|
the file /etc/ssh/ssh_known_hosts is automatically checked for known
|
|
hosts. Any new hosts are automatically added to the user's file. If a
|
|
host's identification ever changes, ssh warns about this and disables
|
|
@@ -700,7 +700,7 @@ VERIFYING HOST KEYS
|
|
To get a listing of the fingerprints along with their random art for all
|
|
known hosts, the following command line can be used:
|
|
|
|
- $ ssh-keygen -lv -f ~/.ssh/known_hosts
|
|
+ $ ssh-keygen -lv -f ~/config/settings/settings/ssh/known_hosts
|
|
|
|
If the fingerprint is unknown, an alternative method of verification is
|
|
available: SSH fingerprints verified by DNS. An additional resource
|
|
@@ -844,7 +844,7 @@ ENVIRONMENT
|
|
|
|
USER Set to the name of the user logging in.
|
|
|
|
- Additionally, ssh reads ~/.ssh/environment, and adds lines of the format
|
|
+ Additionally, ssh reads ~/config/settings/settings/ssh/environment, and adds lines of the format
|
|
M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and users are
|
|
allowed to change their environment. For more information, see the
|
|
PermitUserEnvironment option in sshd_config(5).
|
|
@@ -864,36 +864,36 @@ FILES
|
|
host-based authentication without permitting login with
|
|
rlogin/rsh.
|
|
|
|
- ~/.ssh/
|
|
+ ~/config/settings/settings/ssh/
|
|
This directory is the default location for all user-specific
|
|
configuration and authentication information. There is no
|
|
general requirement to keep the entire contents of this directory
|
|
secret, but the recommended permissions are read/write/execute
|
|
for the user, and not accessible by others.
|
|
|
|
- ~/.ssh/authorized_keys
|
|
+ ~/config/settings/settings/ssh/authorized_keys
|
|
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
|
|
for logging in as this user. The format of this file is
|
|
described in the sshd(8) manual page. This file is not highly
|
|
sensitive, but the recommended permissions are read/write for the
|
|
user, and not accessible by others.
|
|
|
|
- ~/.ssh/config
|
|
+ ~/config/settings/settings/ssh/config
|
|
This is the per-user configuration file. The file format and
|
|
configuration options are described in ssh_config(5). Because of
|
|
the potential for abuse, this file must have strict permissions:
|
|
read/write for the user, and not writable by others.
|
|
|
|
- ~/.ssh/environment
|
|
+ ~/config/settings/settings/ssh/environment
|
|
Contains additional definitions for environment variables; see
|
|
ENVIRONMENT, above.
|
|
|
|
- ~/.ssh/id_dsa
|
|
- ~/.ssh/id_ecdsa
|
|
- ~/.ssh/id_ecdsa_sk
|
|
- ~/.ssh/id_ed25519
|
|
- ~/.ssh/id_ed25519_sk
|
|
- ~/.ssh/id_rsa
|
|
+ ~/config/settings/settings/ssh/id_dsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa
|
|
+ ~/config/settings/settings/ssh/id_ecdsa_sk
|
|
+ ~/config/settings/settings/ssh/id_ed25519
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk
|
|
+ ~/config/settings/settings/ssh/id_rsa
|
|
Contains the private key for authentication. These files contain
|
|
sensitive data and should be readable by the user but not
|
|
accessible by others (read/write/execute). ssh will simply
|
|
@@ -902,22 +902,22 @@ FILES
|
|
will be used to encrypt the sensitive part of this file using
|
|
AES-128.
|
|
|
|
- ~/.ssh/id_dsa.pub
|
|
- ~/.ssh/id_ecdsa.pub
|
|
- ~/.ssh/id_ecdsa_sk.pub
|
|
- ~/.ssh/id_ed25519.pub
|
|
- ~/.ssh/id_ed25519_sk.pub
|
|
- ~/.ssh/id_rsa.pub
|
|
+ ~/config/settings/settings/ssh/id_dsa.pub
|
|
+ ~/config/settings/settings/ssh/id_ecdsa.pub
|
|
+ ~/config/settings/settings/ssh/id_ecdsa_sk.pub
|
|
+ ~/config/settings/settings/ssh/id_ed25519.pub
|
|
+ ~/config/settings/settings/ssh/id_ed25519_sk.pub
|
|
+ ~/config/settings/settings/ssh/id_rsa.pub
|
|
Contains the public key for authentication. These files are not
|
|
sensitive and can (but need not) be readable by anyone.
|
|
|
|
- ~/.ssh/known_hosts
|
|
+ ~/config/settings/settings/ssh/known_hosts
|
|
Contains a list of host keys for all hosts the user has logged
|
|
into that are not already in the systemwide list of known host
|
|
keys. See sshd(8) for further details of the format of this
|
|
file.
|
|
|
|
- ~/.ssh/rc
|
|
+ ~/config/settings/settings/ssh/rc
|
|
Commands in this file are executed by ssh when the user logs in,
|
|
just before the user's shell (or command) is started. See the
|
|
sshd(8) manual page for more information.
|
|
diff --git a/sshd.0 b/sshd.0
|
|
index 16e3105..57067f8 100644
|
|
--- a/sshd.0
|
|
+++ b/sshd.0
|
|
@@ -184,13 +184,13 @@ LOGIN PROCESS
|
|
|
|
5. Sets up basic environment.
|
|
|
|
- 6. Reads the file ~/.ssh/environment, if it exists, and users are
|
|
+ 6. Reads the file ~/config/settings/settings/ssh/environment, if it exists, and users are
|
|
allowed to change their environment. See the
|
|
PermitUserEnvironment option in sshd_config(5).
|
|
|
|
7. Changes to user's home directory.
|
|
|
|
- 8. If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
|
|
+ 8. If ~/config/settings/settings/ssh/rc exists and the sshd_config(5) PermitUserRC option
|
|
is set, runs it; else if /etc/ssh/sshrc exists, runs it;
|
|
otherwise runs xauth(1). The M-bM-^@M-^\rcM-bM-^@M-^] files are given the X11
|
|
authentication protocol and cookie in standard input. See
|
|
@@ -201,7 +201,7 @@ LOGIN PROCESS
|
|
database.
|
|
|
|
SSHRC
|
|
- If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
|
|
+ If the file ~/config/settings/settings/ssh/rc exists, sh(1) runs it after reading the environment
|
|
files but before starting the user's shell or command. It must not
|
|
produce any output on stdout; stderr must be used instead. If X11
|
|
forwarding is in use, it will receive the "proto cookie" pair in its
|
|
@@ -233,7 +233,7 @@ SSHRC
|
|
AUTHORIZED_KEYS FILE FORMAT
|
|
AuthorizedKeysFile specifies the files containing public keys for public
|
|
key authentication; if this option is not specified, the default is
|
|
- ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
|
|
+ ~/config/settings/settings/ssh/authorized_keys and ~/config/settings/settings/ssh/authorized_keys2. Each line of the
|
|
file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
|
|
ignored as comments). Public keys consist of the following space-
|
|
separated fields: options, keytype, base64-encoded key, comment. The
|
|
@@ -344,7 +344,7 @@ AUTHORIZED_KEYS FILE FORMAT
|
|
no-pty Prevents tty allocation (a request to allocate a pty will fail).
|
|
|
|
no-user-rc
|
|
- Disables execution of ~/.ssh/rc.
|
|
+ Disables execution of ~/config/settings/settings/ssh/rc.
|
|
|
|
no-X11-forwarding
|
|
Forbids X11 forwarding when this key is used for authentication.
|
|
@@ -401,7 +401,7 @@ AUTHORIZED_KEYS FILE FORMAT
|
|
restrict
|
|
Enable all restrictions, i.e. disable port, agent and X11
|
|
forwarding, as well as disabling PTY allocation and execution of
|
|
- ~/.ssh/rc. If any future restriction capabilities are added to
|
|
+ ~/config/settings/settings/ssh/rc. If any future restriction capabilities are added to
|
|
authorized_keys files they will be included in this set.
|
|
|
|
tunnel="n"
|
|
@@ -410,7 +410,7 @@ AUTHORIZED_KEYS FILE FORMAT
|
|
tunnel.
|
|
|
|
user-rc
|
|
- Enables execution of ~/.ssh/rc previously disabled by the
|
|
+ Enables execution of ~/config/settings/settings/ssh/rc previously disabled by the
|
|
restrict option.
|
|
|
|
X11-forwarding
|
|
@@ -440,7 +440,7 @@ AUTHORIZED_KEYS FILE FORMAT
|
|
cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
|
|
|
|
SSH_KNOWN_HOSTS FILE FORMAT
|
|
- The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
|
|
+ The /etc/ssh/ssh_known_hosts and ~/config/settings/settings/ssh/known_hosts files contain host
|
|
public keys for all known hosts. The global file should be prepared by
|
|
the administrator (optional), and the per-user file is maintained
|
|
automatically: whenever the user connects to an unknown host, its key is
|
|
@@ -510,7 +510,7 @@ SSH_KNOWN_HOSTS FILE FORMAT
|
|
Rather, generate them by a script, ssh-keyscan(1) or by taking, for
|
|
example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
|
|
front. ssh-keygen(1) also offers some basic automated editing for
|
|
- ~/.ssh/known_hosts including removing hosts matching a host name and
|
|
+ ~/config/settings/settings/ssh/known_hosts including removing hosts matching a host name and
|
|
converting all host names to their hashed representations.
|
|
|
|
An example ssh_known_hosts file:
|
|
@@ -548,27 +548,27 @@ FILES
|
|
host-based authentication without permitting login with
|
|
rlogin/rsh.
|
|
|
|
- ~/.ssh/
|
|
+ ~/config/settings/settings/ssh/
|
|
This directory is the default location for all user-specific
|
|
configuration and authentication information. There is no
|
|
general requirement to keep the entire contents of this directory
|
|
secret, but the recommended permissions are read/write/execute
|
|
for the user, and not accessible by others.
|
|
|
|
- ~/.ssh/authorized_keys
|
|
+ ~/config/settings/settings/ssh/authorized_keys
|
|
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
|
|
for logging in as this user. The format of this file is
|
|
described above. The content of the file is not highly
|
|
sensitive, but the recommended permissions are read/write for the
|
|
user, and not accessible by others.
|
|
|
|
- If this file, the ~/.ssh directory, or the user's home directory
|
|
+ If this file, the ~/config/settings/settings/ssh directory, or the user's home directory
|
|
are writable by other users, then the file could be modified or
|
|
replaced by unauthorized users. In this case, sshd will not
|
|
allow it to be used unless the StrictModes option has been set to
|
|
M-bM-^@M-^\noM-bM-^@M-^].
|
|
|
|
- ~/.ssh/environment
|
|
+ ~/config/settings/settings/ssh/environment
|
|
This file is read into the environment at login (if it exists).
|
|
It can only contain empty lines, comment lines (that start with
|
|
M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file
|
|
@@ -576,14 +576,14 @@ FILES
|
|
anyone else. Environment processing is disabled by default and
|
|
is controlled via the PermitUserEnvironment option.
|
|
|
|
- ~/.ssh/known_hosts
|
|
+ ~/config/settings/settings/ssh/known_hosts
|
|
Contains a list of host keys for all hosts the user has logged
|
|
into that are not already in the systemwide list of known host
|
|
keys. The format of this file is described above. This file
|
|
should be writable only by root/the owner and can, but need not
|
|
be, world-readable.
|
|
|
|
- ~/.ssh/rc
|
|
+ ~/config/settings/settings/ssh/rc
|
|
Contains initialization routines to be run before the user's home
|
|
directory becomes accessible. This file should be writable only
|
|
by the user, and need not be readable by anyone else.
|
|
@@ -642,7 +642,7 @@ FILES
|
|
configuration options are described in sshd_config(5).
|
|
|
|
/etc/ssh/sshrc
|
|
- Similar to ~/.ssh/rc, it can be used to specify machine-specific
|
|
+ Similar to ~/config/settings/settings/ssh/rc, it can be used to specify machine-specific
|
|
login-time initializations globally. This file should be
|
|
writable only by root, and should be world-readable.
|
|
|
|
diff --git a/sshd.8 b/sshd.8
|
|
index ef38949..a1fc677 100644
|
|
--- a/sshd.8
|
|
+++ b/sshd.8
|
|
@@ -344,7 +344,7 @@ Changes to run with normal user privileges.
|
|
Sets up basic environment.
|
|
.It
|
|
Reads the file
|
|
-.Pa ~/.ssh/environment ,
|
|
+.Pa ~/config/settings/settings/ssh/environment ,
|
|
if it exists, and users are allowed to change their environment.
|
|
See the
|
|
.Cm PermitUserEnvironment
|
|
@@ -354,7 +354,7 @@ option in
|
|
Changes to user's home directory.
|
|
.It
|
|
If
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
exists and the
|
|
.Xr sshd_config 5
|
|
.Cm PermitUserRC
|
|
@@ -377,7 +377,7 @@ system password database.
|
|
.El
|
|
.Sh SSHRC
|
|
If the file
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
exists,
|
|
.Xr sh 1
|
|
runs it after reading the
|
|
@@ -422,9 +422,9 @@ does not exist either, xauth is used to add the cookie.
|
|
specifies the files containing public keys for
|
|
public key authentication;
|
|
if this option is not specified, the default is
|
|
-.Pa ~/.ssh/authorized_keys
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys
|
|
and
|
|
-.Pa ~/.ssh/authorized_keys2 .
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys2 .
|
|
Each line of the file contains one
|
|
key (empty lines and lines starting with a
|
|
.Ql #
|
|
@@ -568,7 +568,7 @@ option.
|
|
Prevents tty allocation (a request to allocate a pty will fail).
|
|
.It Cm no-user-rc
|
|
Disables execution of
|
|
-.Pa ~/.ssh/rc .
|
|
+.Pa ~/config/settings/settings/ssh/rc .
|
|
.It Cm no-X11-forwarding
|
|
Forbids X11 forwarding when this key is used for authentication.
|
|
Any X11 forward requests by the client will return an error.
|
|
@@ -649,7 +649,7 @@ and
|
|
Enable all restrictions, i.e. disable port, agent and X11 forwarding,
|
|
as well as disabling PTY allocation
|
|
and execution of
|
|
-.Pa ~/.ssh/rc .
|
|
+.Pa ~/config/settings/settings/ssh/rc .
|
|
If any future restriction capabilities are added to authorized_keys files
|
|
they will be included in this set.
|
|
.It Cm tunnel="n"
|
|
@@ -660,7 +660,7 @@ Without this option, the next available device will be used if
|
|
the client requests a tunnel.
|
|
.It Cm user-rc
|
|
Enables execution of
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
previously disabled by the
|
|
.Cm restrict
|
|
option.
|
|
@@ -696,7 +696,7 @@ cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
|
|
The
|
|
.Pa /etc/ssh/ssh_known_hosts
|
|
and
|
|
-.Pa ~/.ssh/known_hosts
|
|
+.Pa ~/config/settings/settings/ssh/known_hosts
|
|
files contain host public keys for all known hosts.
|
|
The global file should
|
|
be prepared by the administrator (optional), and the per-user file is
|
|
@@ -805,7 +805,7 @@ or by taking, for example,
|
|
and adding the host names at the front.
|
|
.Xr ssh-keygen 1
|
|
also offers some basic automated editing for
|
|
-.Pa ~/.ssh/known_hosts
|
|
+.Pa ~/config/settings/settings/ssh/known_hosts
|
|
including removing hosts matching a host name and converting all host
|
|
names to their hashed representations.
|
|
.Pp
|
|
@@ -857,14 +857,14 @@ This file is used in exactly the same way as
|
|
but allows host-based authentication without permitting login with
|
|
rlogin/rsh.
|
|
.Pp
|
|
-.It Pa ~/.ssh/
|
|
+.It Pa ~/config/settings/settings/ssh/
|
|
This directory is the default location for all user-specific configuration
|
|
and authentication information.
|
|
There is no general requirement to keep the entire contents of this directory
|
|
secret, but the recommended permissions are read/write/execute for the user,
|
|
and not accessible by others.
|
|
.Pp
|
|
-.It Pa ~/.ssh/authorized_keys
|
|
+.It Pa ~/config/settings/settings/ssh/authorized_keys
|
|
Lists the public keys (DSA, ECDSA, Ed25519, RSA)
|
|
that can be used for logging in as this user.
|
|
The format of this file is described above.
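Review bot: Every new path in this hunk carries a doubled component, `~/config/settings/settings/ssh/`, which looks like a path substitution applied twice; Haiku's per-user settings tree is `~/config/settings/`, so the directory the daemon presumably reads is `~/config/settings/ssh/`. A user following this FILES entry would create `~/config/settings/settings/ssh/authorized_keys` and find public-key login refused with nothing in the docs to explain why, which is the kind of mismatch that ends in `StrictModes no` or password logins being turned on as a workaround. The same doubled path appears in every sshd.0, sshd.8 and sshd_config.5 hunk of this patch, so it is worth fixing at the source of the substitution rather than line by line; the entry here should read `.It Pa ~/config/settings/ssh/authorized_keys`, and the `~/config/settings/ssh` directory entry above it likewise.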
|
|
@@ -872,7 +872,7 @@ The content of the file is not highly sensitive, but the recommended
|
|
permissions are read/write for the user, and not accessible by others.
|
|
.Pp
|
|
If this file, the
|
|
-.Pa ~/.ssh
|
|
+.Pa ~/config/settings/settings/ssh
|
|
directory, or the user's home directory are writable
|
|
by other users, then the file could be modified or replaced by unauthorized
|
|
users.
|
|
@@ -883,7 +883,7 @@ will not allow it to be used unless the
|
|
option has been set to
|
|
.Dq no .
|
|
.Pp
|
|
-.It Pa ~/.ssh/environment
|
|
+.It Pa ~/config/settings/settings/ssh/environment
|
|
This file is read into the environment at login (if it exists).
|
|
It can only contain empty lines, comment lines (that start with
|
|
.Ql # ) ,
|
|
@@ -895,14 +895,14 @@ controlled via the
|
|
.Cm PermitUserEnvironment
|
|
option.
|
|
.Pp
|
|
-.It Pa ~/.ssh/known_hosts
|
|
+.It Pa ~/config/settings/settings/ssh/known_hosts
|
|
Contains a list of host keys for all hosts the user has logged into
|
|
that are not already in the systemwide list of known host keys.
|
|
The format of this file is described above.
|
|
This file should be writable only by root/the owner and
|
|
can, but need not be, world-readable.
|
|
.Pp
|
|
-.It Pa ~/.ssh/rc
|
|
+.It Pa ~/config/settings/settings/ssh/rc
|
|
Contains initialization routines to be run before
|
|
the user's home directory becomes accessible.
|
|
This file should be writable only by the user, and need not be
|
|
@@ -980,7 +980,7 @@ The file format and configuration options are described in
|
|
.Pp
|
|
.It Pa /etc/ssh/sshrc
|
|
Similar to
|
|
-.Pa ~/.ssh/rc ,
|
|
+.Pa ~/config/settings/settings/ssh/rc ,
|
|
it can be used to specify
|
|
machine-specific login-time initializations globally.
|
|
This file should be writable only by root, and should be world-readable.
|
|
diff --git a/sshd_config.5 b/sshd_config.5
|
|
index a8d0545..ebb1dba 100644
|
|
--- a/sshd_config.5
|
|
+++ b/sshd_config.5
|
|
@@ -359,7 +359,7 @@ Note that
|
|
is only used when authentication proceeds using a CA listed in
|
|
.Cm TrustedUserCAKeys
|
|
and is not consulted for certification authorities trusted via
|
|
-.Pa ~/.ssh/authorized_keys ,
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys ,
|
|
though the
|
|
.Cm principals=
|
|
key option offers a similar facility (see
|
|
@@ -604,7 +604,7 @@ The default is
|
|
Forces the execution of the command specified by
|
|
.Cm ForceCommand ,
|
|
ignoring any command supplied by the client and
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
if present.
|
|
The command is invoked by using the user's login shell with the -c option.
|
|
This applies to shell, command, or subsystem execution.
|
|
@@ -815,7 +815,7 @@ and
|
|
Specifies whether
|
|
.Xr sshd 8
|
|
should ignore the user's
|
|
-.Pa ~/.ssh/known_hosts
|
|
+.Pa ~/config/settings/settings/ssh/known_hosts
|
|
during
|
|
.Cm HostbasedAuthentication
|
|
and use only the system-wide known hosts file
|
|
@@ -1422,11 +1422,11 @@ Independent of this setting, the permissions of the selected
|
|
device must allow access to the user.
|
|
.It Cm PermitUserEnvironment
|
|
Specifies whether
|
|
-.Pa ~/.ssh/environment
|
|
+.Pa ~/config/settings/settings/ssh/environment
|
|
and
|
|
.Cm environment=
|
|
options in
|
|
-.Pa ~/.ssh/authorized_keys
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys
|
|
are processed by
|
|
.Xr sshd 8 .
|
|
Valid options are
|
|
@@ -1442,7 +1442,7 @@ restrictions in some configurations using mechanisms such as
|
|
.Ev LD_PRELOAD .
|
|
.It Cm PermitUserRC
|
|
Specifies whether any
|
|
-.Pa ~/.ssh/rc
|
|
+.Pa ~/config/settings/settings/ssh/rc
|
|
file is executed.
|
|
The default is
|
|
.Cm yes .
|
|
@@ -1744,7 +1744,7 @@ very same IP address.
|
|
If this option is set to
|
|
.Cm no
|
|
(the default) then only addresses and not host names may be used in
|
|
-.Pa ~/.ssh/authorized_keys
|
|
+.Pa ~/config/settings/settings/ssh/authorized_keys
|
|
.Cm from
|
|
and
|
|
.Nm
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From acebb4fd788c795133f2a07509e8ee78dc6b81c7 Mon Sep 17 00:00:00 2001
|
|
From: Zach Dykstra <dykstra.zachary@gmail.com>
|
|
Date: Sun, 27 Dec 2020 21:38:07 -0600
|
|
Subject: mux.c: use rename instead of unsupported hard link
|
|
|
|
|
|
diff --git a/mux.c b/mux.c
|
|
index 4c0eb42..b458b23 100644
|
|
--- a/mux.c
|
|
+++ b/mux.c
|
|
@@ -1310,9 +1310,9 @@ muxserver_listen(struct ssh *ssh)
|
|
}
|
|
|
|
/* Now atomically "move" the mux socket into position */
|
|
- if (link(options.control_path, orig_control_path) != 0) {
|
|
+ if (rename(options.control_path, orig_control_path) != 0) {
|
|
if (errno != EEXIST) {
|
|
- fatal_f("link mux listener %s => %s: %s",
|
|
+ fatal_f("rename mux listener %s => %s: %s",
|
|
options.control_path, orig_control_path,
|
|
strerror(errno));
|
|
}
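Review bot: rename(2) replaces an existing target, so the `errno != EEXIST` test on the line after the new call is now dead code: a ControlPath socket owned by another ssh master (or a stale one) is silently overwritten instead of taking the disable_mux_master path that link()'s EEXIST failure used to select. Without hard links or RENAME_NOREPLACE the only substitute is a best-effort existence probe before the rename; it is racy, but it restores the original behaviour for the common case and the comment should say so. `st` and `r` would be declared at the top of muxserver_listen, whose body starts and ends outside the hunk.
```c
	/* Now atomically "move" the mux socket into position */
	/*
	 * rename(2) silently replaces an existing socket; emulate link(2)'s
	 * EEXIST failure with an explicit probe. This is racy (no
	 * RENAME_NOREPLACE here) and only best-effort.
	 */
	if (lstat(orig_control_path, &st) == 0) {
		errno = EEXIST;
		r = -1;
	} else
		r = rename(options.control_path, orig_control_path);
	if (r != 0) {
		if (errno != EEXIST) {
			fatal_f("rename mux listener %s => %s: %s",
			    options.control_path, orig_control_path,
			    strerror(errno));
		}
		/* … unchanged: "already exists" handling, unlink, goto disable_mux_master … */
	}
```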
|
|
@@ -1321,7 +1321,6 @@ muxserver_listen(struct ssh *ssh)
|
|
unlink(options.control_path);
|
|
goto disable_mux_master;
|
|
}
|
|
- unlink(options.control_path);
|
|
free(options.control_path);
|
|
options.control_path = orig_control_path;
|
|
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From 2d9e4b14b761ffa931dbd560009426b7851ad48d Mon Sep 17 00:00:00 2001
|
|
From: Jerome Duval <jerome.duval@gmail.com>
|
|
Date: Tue, 8 Jun 2021 14:25:15 +0200
|
|
Subject: gcc2 patch sntrup761.c
|
|
|
|
|
|
diff --git a/sntrup761.c b/sntrup761.c
|
|
index c63e600..d75e701 100644
|
|
--- a/sntrup761.c
|
|
+++ b/sntrup761.c
|
|
@@ -63,6 +63,7 @@ static void crypto_sort_int32(void *array,long long n)
|
|
for (q = top;q > p;q >>= 1) {
|
|
if (j != i) for (;;) {
|
|
if (j == n - q) goto done;
|
|
+{
|
|
int32 a = x[j + p];
|
|
for (r = q;r > p;r >>= 1)
|
|
int32_MINMAX(a,x[j + r]);
|
|
@@ -72,6 +73,7 @@ static void crypto_sort_int32(void *array,long long n)
|
|
i += 2 * p;
|
|
break;
|
|
}
|
|
+}
|
|
}
|
|
while (i + p <= n - q) {
|
|
for (j = i;j < i + p;++j) {
|
|
--
|
|
2.30.2
|
|
|
|
|
|
From b53c690bfa43bc294c3f333a0c96f1d85c1bce95 Mon Sep 17 00:00:00 2001
|
|
From: Sergei Reznikov <diver@gelios.net>
|
|
Date: Wed, 20 Oct 2021 16:57:50 +0300
|
|
Subject: Use a link to take a backup while replacing the known_hosts file
|
|
|
|
Based on https://github.com/termux/termux-packages/commit/e696010d8907854dd194311ce8a02da0ca77a121
|
|
|
|
diff --git a/hostfile.c b/hostfile.c
|
|
index ce00cd7..d929537 100644
|
|
--- a/hostfile.c
|
|
+++ b/hostfile.c
|
|
@@ -691,7 +691,11 @@ hostfile_replace_entries(const char *filename, const char *host, const char *ip,
|
|
r = SSH_ERR_SYSTEM_ERROR;
|
|
goto fail;
|
|
}
|
|
+#ifdef __HAIKU__
|
|
+ if (rename(filename, back) == -1) {
|
|
+#else
|
|
if (link(filename, back) == -1) {
|
|
+#endif
|
|
oerrno = errno;
|
|
error_f("link %.100s to %.100s: %s", filename,
|
|
back, strerror(errno));
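Review bot: On Haiku the backup is now taken by renaming the live file, so from this line until the temporary file is renamed over `filename` (outside the hunk) no known_hosts exists at all; if that later step fails, the user is left with only `back` and every subsequent connection falls back to trust-on-first-use until it is restored, whereas the original link() kept `filename` intact throughout. The `fail:` path is outside the hunk so I cannot tell whether it puts the file back; either copy the contents into `back` instead of renaming, or on failure `rename(back, filename)` before returning. The message on the following line still reads `link %.100s to %.100s`; `backup %.100s to %.100s` describes both variants and stops Haiku logs from naming a syscall that was never made.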
|
|
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
index 4b40768..e85fd13 100644
|
|
--- a/ssh-keygen.c
|
|
+++ b/ssh-keygen.c
|
|
@@ -1366,7 +1366,11 @@ do_known_hosts(struct passwd *pw, const char *name, int find_host,
|
|
/* Backup existing file */
|
|
if (unlink(old) == -1 && errno != ENOENT)
|
|
fatal("unlink %.100s: %s", old, strerror(errno));
|
|
+#ifdef __HAIKU__
|
|
+ if (rename(identity_file, old) == -1)
|
|
+#else
|
|
if (link(identity_file, old) == -1)
|
|
+#endif
|
|
fatal("link %.100s to %.100s: %s", identity_file, old,
|
|
strerror(errno));
|
|
/* Move new one into place */
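Review bot: With rename() the user's known_hosts is gone the moment the backup is taken, and the very next step, the rename of the temporary file into place (outside the hunk), presumably ends in fatal() on error, which would leave `known_hosts.old` and no `known_hosts`, so later connections re-prompt for every host key. Either copy rather than rename here, or make the failure path of the following rename move `old` back before calling fatal. The fatal text `link %.100s to %.100s` on the line after the `#endif` is also misleading on Haiku; `backup %.100s to %.100s` fits both branches. The commit subject says a link is used for the backup, which is the opposite of what the Haiku branch does; worth correcting so the next reader does not assume link semantics.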
|
|
--
|
|
2.30.2
|
|
|