Module Name: src Committed By: kim Date: Sun Mar 1 08:21:38 UTC 2020
Modified Files: src/crypto/external/bsd/openssh/dist: ssh_config sshd_config Log Message: Sync with OpenSSH 8.2p1 sample configs - Add GSSAPIAuthentication and related options - Add KerberosAuthentication and related options - Bring in the lengthy but useful comment block about the side-effect of UsePAM with regards to PermitRootLogin. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/crypto/external/bsd/openssh/dist/ssh_config cvs rdiff -u -r1.24 -r1.25 src/crypto/external/bsd/openssh/dist/sshd_config Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssh/dist/ssh_config diff -u src/crypto/external/bsd/openssh/dist/ssh_config:1.13 src/crypto/external/bsd/openssh/dist/ssh_config:1.14 --- src/crypto/external/bsd/openssh/dist/ssh_config:1.13 Fri Feb 28 10:41:48 2020 +++ src/crypto/external/bsd/openssh/dist/ssh_config Sun Mar 1 08:21:38 2020 @@ -1,4 +1,4 @@ -# $NetBSD: ssh_config,v 1.13 2020/02/28 10:41:48 kim Exp $ +# $NetBSD: ssh_config,v 1.14 2020/03/01 08:21:38 kim Exp $ # $OpenBSD: ssh_config,v 1.34 2019/02/04 02:39:42 dtucker Exp $ # This is the ssh client system-wide configuration file. See @@ -27,6 +27,8 @@ Host *.netbsd.org *.NetBSD.org # ForwardX11 no # PasswordAuthentication yes # HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes # AddressFamily any Index: src/crypto/external/bsd/openssh/dist/sshd_config diff -u src/crypto/external/bsd/openssh/dist/sshd_config:1.24 src/crypto/external/bsd/openssh/dist/sshd_config:1.25 --- src/crypto/external/bsd/openssh/dist/sshd_config:1.24 Fri Feb 28 10:59:58 2020 +++ src/crypto/external/bsd/openssh/dist/sshd_config Sun Mar 1 08:21:38 2020 @@ -1,4 +1,4 @@ -# $NetBSD: sshd_config,v 1.24 2020/02/28 10:59:58 kim Exp $ +# $NetBSD: sshd_config,v 1.25 2020/03/01 08:21:38 kim Exp $ # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See @@ -60,6 +60,27 @@ AuthorizedKeysFile .ssh/authorized_keys # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no @@ -72,7 +93,6 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -UsePAM yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0