<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/ssh/sshd_config.j2, branch feature/T9082-codeql-cpp</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-01-15T15:25:45+00:00</updated>
<entry>
<title>ssh: T7483: Add fido2 PubkeyAuthOptions</title>
<updated>2026-01-15T15:25:45+00:00</updated>
<author>
<name>Chloe Surett</name>
<email>chloe@surett.me</email>
</author>
<published>2025-11-17T16:57:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2473e1bfdeeb0ea7cc47a14811c29cc4801c8038'/>
<id>urn:sha1:2473e1bfdeeb0ea7cc47a14811c29cc4801c8038</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ssh: T8098: rename "ciphers" CLI node to "cipher"</title>
<updated>2025-12-14T17:58:00+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-12-14T17:58:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ef13a6319a21c8030301aeebbeabf5148adb994c'/>
<id>urn:sha1:ef13a6319a21c8030301aeebbeabf5148adb994c</id>
<content type='text'>
Follow VyOS CLI best practices for using singular whenever possible to build a
CLI node. As we introduce a new migration 2 -&gt; 3 for SSH we can correct this
minor detail.
</content>
</entry>
<entry>
<title>ssh: T6013: rename trusted-user-ca-key -&gt; truster-user-ca</title>
<updated>2025-05-29T12:01:32+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-20T17:57:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4b4bbd73b84c2c478c7752f58e7f66ec6d90459e'/>
<id>urn:sha1:4b4bbd73b84c2c478c7752f58e7f66ec6d90459e</id>
<content type='text'>
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate &lt;foo&gt;" to define an X.509 certificate
from "set pki ca &lt;foo&gt; ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.

This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
</content>
</entry>
<entry>
<title>ssh: T6013: move principal name to "system login user &lt;name&gt; authentication"</title>
<updated>2025-05-29T11:57:48+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-20T17:49:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2'/>
<id>urn:sha1:81dfb64ebb3ea3c58c92e8f26e8610a46e4c50d2</id>
<content type='text'>
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.

set system login user &lt;name&gt; principal &lt;principal&gt;

The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
</content>
</entry>
<entry>
<title>ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-key</title>
<updated>2025-05-29T11:57:48+00:00</updated>
<author>
<name>Takeru Hayasaka</name>
<email>hayatake396@gmail.com</email>
</author>
<published>2024-12-28T19:58:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd'/>
<id>urn:sha1:6c3b1ef2fede1e3c2b6e89060d3d645c2ba744cd</id>
<content type='text'>
Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring
TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces
a new CLI node per user to support defining the authorized principals used by
any given PKI certificate. It is now possible to associate SSH login users with
their respective principals.

Authored-by: Takeru Hayasaka &lt;hayatake396@gmail.com&gt;
</content>
</entry>
<entry>
<title>T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys</title>
<updated>2024-12-23T09:13:14+00:00</updated>
<author>
<name>Takeru Hayasaka</name>
<email>hayatake396@gmail.com</email>
</author>
<published>2024-12-11T17:27:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e7cab89f9f81b2eeb456657d26dda8bd7d7fc428'/>
<id>urn:sha1:e7cab89f9f81b2eeb456657d26dda8bd7d7fc428</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ssh: T5878: Allow changing the PubkeyAcceptedAlgorithms option</title>
<updated>2024-06-28T07:42:54+00:00</updated>
<author>
<name>khramshinr</name>
<email>khramshinr@gmail.com</email>
</author>
<published>2024-06-25T10:37:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=06e6e011cdf12e8d10cf1f6d4d848fd5db51720d'/>
<id>urn:sha1:06e6e011cdf12e8d10cf1f6d4d848fd5db51720d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T5474: establish common file name pattern for XML conf mode commands</title>
<updated>2023-12-31T22:49:48+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-30T22:25:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4ef110fd2c501b718344c72d495ad7e16d2bd465'/>
<id>urn:sha1:4ef110fd2c501b718344c72d495ad7e16d2bd465</id>
<content type='text'>
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.

Example:
set interfaces ethernet -&gt; interfaces_ethernet.xml.in
set interfaces bond -&gt; interfaces_bond.xml.in
set service dhcp-server -&gt; service_dhcp-server-xml.in
</content>
</entry>
<entry>
<title>login: T4943: Fixed 2FA + RADIUS compatibility</title>
<updated>2023-02-24T18:07:18+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-02-24T18:07:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=32a4415191ca725be9b3ca4c5f664123a0e767eb'/>
<id>urn:sha1:32a4415191ca725be9b3ca4c5f664123a0e767eb</id>
<content type='text'>
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.

This commit:

* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input

As a result, local, RADIUS, and MFA work together.

Important change: MFA should be entered together with a password.

Before:

```
vyos login: &lt;USERNAME&gt;
Password: &lt;PASSWORD&gt;
Verification code: &lt;MFA&gt;
```

Now:
```
vyos login: &lt;USERNAME&gt;
Password &amp; verification code: &lt;PASSWORD&gt;&lt;MFA&gt;
```
</content>
</entry>
<entry>
<title>ssh: T4720: Ability to configure SSH-server HostKeyAlgorithms</title>
<updated>2022-10-17T12:15:22+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2022-10-17T12:15:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=85f04237160a6ea98eea4ec58f1ccab9f6bfc31a'/>
<id>urn:sha1:85f04237160a6ea98eea4ec58f1ccab9f6bfc31a</id>
<content type='text'>
Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
</content>
</entry>
</feed>
