From c50a9a6562a14f3a9fbd2071e3b19eed8c9c9b4b Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Wed, 21 Oct 2015 17:25:42 +0200 Subject: ssh, public_key: random selection of diffie-hellman moduli Also tool (public_key:gen_moduli_hrl) to convert an openssh moduli file to erlang format. --- lib/ssh/doc/src/ssh.xml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 2b190c98b6..66f872490c 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -467,6 +467,8 @@ kex is implicit but public_key is set explicitly.

Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated. See RFC 4419 for details.

+

The default list is fetched from the public_key application. +

If the parameter is {file,filename()}, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts.

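Review bot: the {file,filename()} paragraph says the file must hold "three-tuples terminated by a dot" but never states what the three elements are; name them (the subject line calls them diffie-hellman moduli, so presumably size, generator and modulus) and say what the daemon does when the file is missing or malformed, since the text only says it is read when the daemon starts. The subject also advertises random selection among the moduli, which the paragraph does not mention; one sentence saying the server picks randomly among the groups of the negotiated size would tell an operator why keeping several same-size groups in the file is useful.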
-- cgit v1.2.3 From 961bb51d1b73c6ff2ad5f08e0a4c13fbfc2fbb98 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Fri, 23 Oct 2015 18:33:05 +0200 Subject: ssh: option dh_gex_groups with tag ssh_moduli_file Makes this existing option also accept a file in openssh format OTP-13052 --- lib/ssh/doc/src/ssh.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 66f872490c..1e4dd91eb6 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -462,7 +462,7 @@ kex is implicit but public_key is set explicitly.

- +

Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated. See RFC 4419 for details. @@ -471,6 +471,8 @@ kex is implicit but public_key is set explicitly.

If the parameter is {file,filename()}, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts.

+

If the parameter is {ssh_moduli_file,filename()}, the file must exist and be in ssh-keygen moduli file format. The file is read when the daemon starts. +

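Review bot: the new {ssh_moduli_file,filename()} paragraph refers to "ssh-keygen moduli file format" without a reference; link or name the format description (OpenSSH's moduli(5) manual page) so readers can check which fields are expected. It should also state whether every line of the file is used or only entries that ssh-keygen has marked as tested, because the moduli file is operator-supplied input that directly determines the groups offered to clients, and "must exist" should say what happens when the format check fails at daemon start.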
boolean()}]]> -- cgit v1.2.3 From 18b9fc4c61f487007c8bff3bbb52f9466f3454ce Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Mon, 26 Oct 2015 15:56:13 +0100 Subject: ssh: extend 'dh_gex_limits' to server side OTP-13066 --- lib/ssh/doc/src/ssh.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 1e4dd91eb6..7c1b9ea0dc 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -475,6 +475,17 @@ kex is implicit but public_key is set explicitly.

+ + +

Limits what a client can ask for in diffie-hellman-group-exchange. The effective value will be + MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min). +

+

If MaxUsed < MinUses in a key exchange, it will fail with a disconnect. +

+

See RFC 4419 for the function of the max an min values. +

+
+ boolean()}]]>

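Review bot: two typos in the added text: "If MaxUsed < MinUses" should read "MinUsed" to match the name defined in the formula above, and "max an min values" should be "max and min". The hunk defines MaxUsed and MinUsed from Max and Min but never says what the option's default is, i.e. what a server applies when the option is absent. It would also help to state that a client proposal outside the limits is clamped by the min()/max() rather than rejected, so that operators understand the disconnect happens only in the MaxUsed < MinUsed case.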
Provides a function for password validation. This function is called -- cgit v1.2.3 From 447a9b574f26cc81ed09be4ec1afafea8de924c5 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Tue, 3 Nov 2015 15:07:30 +0100 Subject: ssh: changes after doc review --- lib/ssh/doc/src/ssh.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 7c1b9ea0dc..06bc39f8fe 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -477,13 +477,14 @@ kex is implicit but public_key is set explicitly.

-

Limits what a client can ask for in diffie-hellman-group-exchange. The effective value will be +

Limits the key Sizes what a client can ask for in diffie-hellman-group-exchange. + The effective value will be MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min). + The default value is {0,infinity}.

-

If MaxUsed < MinUses in a key exchange, it will fail with a disconnect. -

-

See RFC 4419 for the function of the max an min values. +

If MaxUsed < MinUsed in a key exchange, it will fail with a disconnect.

+

See RFC 4419 for the function of the Max an Min values.

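Review bot: "Limits the key Sizes what a client can ask for" is ungrammatical; "Limits the key sizes a client can ask for" reads cleanly. "the Max an Min values" still carries the "an" typo from the previous commit. The new default {0,infinity} means the server applies no lower bound unless the option is set; since the lower bound is what stops a client from negotiating a small group, the doc should say that explicitly so operators know to set Min themselves.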
boolean()}]]> -- cgit v1.2.3 From df622b62f72b6509505b32380fbb88203616868d Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Thu, 5 Nov 2015 17:39:46 +0100 Subject: ssh, public_key: updates after doc review --- lib/ssh/doc/src/ssh.xml | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 06bc39f8fe..43db63e7e6 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -464,27 +464,41 @@ kex is implicit but public_key is set explicitly.

-

Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated. - See RFC 4419 for details. +

Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated. + See RFC 4419 for details. The three variants of this option are:

-

The default list is fetched from the public_key application. -

-

If the parameter is {file,filename()}, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts. -

-

If the parameter is {ssh_moduli_file,filename()}, the file must exist and be in ssh-keygen moduli file format. The file is read when the daemon starts. + + {Size=integer(),G=integer(),P=integer()} + The groups are given explicitly in this list. There may be several elements with the same Size. + In such a case, the server will choose one randomly in the negotiated Size. + + {file,filename()} + The file must have one or more three-tuples {Size=integer(),G=integer(),P=integer()} + terminated by a dot. The file is read when the daemon starts. + + {ssh_moduli_file,filename()} + The file must be in + ssh-keygen moduli file format. + The file is read when the daemon starts. + + +

The default list is fetched from the + public_key application.

-

Limits the key Sizes what a client can ask for in diffie-hellman-group-exchange. - The effective value will be - MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min). - The default value is {0,infinity}. +

Limits what a client can ask for in diffie-hellman-group-exchange. + The limits will be + {MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)} where MaxClient and + MinClient are the values proposed by a connecting client. +

+

The default value is {0,infinity}.

If MaxUsed < MinUsed in a key exchange, it will fail with a disconnect.

-

See RFC 4419 for the function of the Max an Min values.

+

See RFC 4419 for the function of the Max and Min values.

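Review bot: the restructured list says the explicit {Size,G,P} variant chooses randomly "in the negotiated Size" but not what happens when no configured group has exactly that size, which is the common case with a moduli file; state whether the server falls back to the nearest size within the limits or fails the exchange. In the dh_gex_limits text, MaxClient and MinClient are now defined as the client's proposals, but the client's preferred size (the third value in an RFC 4419 group exchange request) is not mentioned, so say how it is treated. Also check that the "public_key application" reference at the end of the hunk resolves; the follow-up commit on this page fixes a bad doc xref in this same paragraph.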
boolean()}]]> -- cgit v1.2.3 From 7adbd6ee24fa7f1bb3c26d5106e7e38446405f16 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Thu, 5 Nov 2015 18:27:05 +0100 Subject: ssh: correct a bad doc xref --- lib/ssh/doc/src/ssh.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/ssh/doc') diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 43db63e7e6..5c18c48f65 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -478,12 +478,12 @@ kex is implicit but public_key is set explicitly.

{ssh_moduli_file,filename()} The file must be in - ssh-keygen moduli file format. + ssh-keygen moduli file format. The file is read when the daemon starts.

The default list is fetched from the - public_key application. + public_key application.

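Review bot: after markup stripping, the removed and added lines read identically here, so the xref correction itself cannot be verified from this view; confirm in the rendered docs that both the "ssh-keygen moduli file format" link and the "public_key application" link resolve to their intended targets. Naming the target page or manual section in the visible text as well would keep the reference useful even if the link breaks again.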
-- cgit v1.2.3