- (djm) OpenBSD CVS Sync

- jmc@cvs.openbsd.org 2005/12/31 10:46:17 [ssh.1] merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER AUTHENTICATION" sections into "AUTHENTICATION"; some rewording done to make the text read better, plus some improvements from djm; ok djm
author: Damien Miller <djm@mindrot.org> 2006-01-02 23:38:00 +1100
committer: Damien Miller <djm@mindrot.org> 2006-01-02 23:38:00 +1100
commit: 48c94abf5b4d262ce4572c5b26d0ffdff8d25a87 (patch)
tree: f8e75c5676aef26aeb5fafc0fbd9675ef26c2658
parent: 90cd1c549b4e6be1c5a664ca4d4646a3d3768c2f (diff)
2 files changed, 40 insertions, 33 deletions
diff --git a/ChangeLog b/ChangeLog
index 972b172ad..e5ec073ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 20060102
 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2005/12/31 10:46:17
+     [ssh.1]
+     merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
+     AUTHENTICATION" sections into "AUTHENTICATION";
+     some rewording done to make the text read better, plus some
+     improvements from djm;
+     ok djm
 20060101
 - (djm) [Makefile.in configure.ac includes.h misc.c]
@@ -3590,4 +3598,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4063 2006/01/02 09:23:18 djm Exp $
+$Id: ChangeLog,v 1.4064 2006/01/02 12:38:00 djm Exp $
diff --git a/ssh.1 b/ssh.1
index 5ce1cfe70..ce1eeb49a 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -788,7 +788,36 @@ prompts the user for a password.
 The password is sent to the remote
 host for checking; however, since all communications are encrypted,
 the password cannot be seen by someone listening on the network.
-.Sh LOGIN SESSION AND REMOTE EXECUTION
+.Pp
+.Nm
+automatically maintains and checks a database containing
+identification for all hosts it has ever been used with.
+Host keys are stored in
+.Pa ~/.ssh/known_hosts
+in the user's home directory.
+Additionally, the file
+.Pa /etc/ssh/ssh_known_hosts
+is automatically checked for known hosts.
+Any new hosts are automatically added to the user's file.
+If a host's identification ever changes,
+.Nm
+warns about this and disables password authentication to prevent
+server spoofing or man-in-the-middle attacks,
+which could otherwise be used to circumvent the encryption.
+The
+.Cm StrictHostKeyChecking
+option can be used to control logins to machines whose
+host key is not known or has changed.
+.Pp
+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
+.Pp
 When the user's identity has been accepted by the server, the server
 either executes the given command, or logs into the machine and gives
 the user a normal shell on the remote machine.
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can
 be specified either on the command line or in a configuration file.
 One possible application of TCP/IP forwarding is a secure connection to an
 electronic purse; another is going through firewalls.
-.Sh SERVER AUTHENTICATION
-.Nm
-automatically maintains and checks a database containing
-identifications for all hosts it has ever been used with.
-Host keys are stored in
-.Pa ~/.ssh/known_hosts
-in the user's home directory.
-Additionally, the file
-.Pa /etc/ssh/ssh_known_hosts
-is automatically checked for known hosts.
-Any new hosts are automatically added to the user's file.
-If a host's identification ever changes,
-.Nm
-warns about this and disables password authentication to prevent a
-trojan horse from getting the user's password.
-Another purpose of this mechanism is to prevent man-in-the-middle attacks
-which could otherwise be used to circumvent the encryption.
-The
-.Cm StrictHostKeyChecking
-option can be used to prevent logins to machines whose
-host key is not known or has changed.
-.Pp
-.Nm
-can be configured to verify host identification using fingerprint resource
-records (SSHFP) published in DNS.
-The
-.Cm VerifyHostKeyDNS
-option can be used to control how DNS lookups are performed.
-SSHFP resource records can be generated using
-.Xr ssh-keygen 1 .
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
author	Damien Miller <djm@mindrot.org>	2006-01-02 23:38:00 +1100
committer	Damien Miller <djm@mindrot.org>	2006-01-02 23:38:00 +1100
commit	48c94abf5b4d262ce4572c5b26d0ffdff8d25a87 (patch)
tree	f8e75c5676aef26aeb5fafc0fbd9675ef26c2658
parent	90cd1c549b4e6be1c5a664ca4d4646a3d3768c2f (diff)

diff --git a/ChangeLog b/ChangeLog index 972b172ad..e5ec073ba 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,5 +1,13 @@
1	20060102	1	20060102
2	- (djm) [README.tun] Add README.tun, missed during sync of tun(4) support	2	- (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
		3	- (djm) OpenBSD CVS Sync
		4	- jmc@cvs.openbsd.org 2005/12/31 10:46:17
		5	[ssh.1]
		6	merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
		7	AUTHENTICATION" sections into "AUTHENTICATION";
		8	some rewording done to make the text read better, plus some
		9	improvements from djm;
		10	ok djm
3		11
4	20060101	12	20060101
5	- (djm) [Makefile.in configure.ac includes.h misc.c]	13	- (djm) [Makefile.in configure.ac includes.h misc.c]
@@ -3590,4 +3598,4 @@
3590	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	3598	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
3591	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	3599	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3592		3600
3593	$Id: ChangeLog,v 1.4063 2006/01/02 09:23:18 djm Exp $	3601	$Id: ChangeLog,v 1.4064 2006/01/02 12:38:00 djm Exp $


diff --git a/ssh.1 b/ssh.1 index 5ce1cfe70..ce1eeb49a 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $	37	.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -788,7 +788,36 @@ prompts the user for a password.
788	The password is sent to the remote	788	The password is sent to the remote
789	host for checking; however, since all communications are encrypted,	789	host for checking; however, since all communications are encrypted,
790	the password cannot be seen by someone listening on the network.	790	the password cannot be seen by someone listening on the network.
791	.Sh LOGIN SESSION AND REMOTE EXECUTION	791	.Pp
		792	.Nm
		793	automatically maintains and checks a database containing
		794	identification for all hosts it has ever been used with.
		795	Host keys are stored in
		796	.Pa ~/.ssh/known_hosts
		797	in the user's home directory.
		798	Additionally, the file
		799	.Pa /etc/ssh/ssh_known_hosts
		800	is automatically checked for known hosts.
		801	Any new hosts are automatically added to the user's file.
		802	If a host's identification ever changes,
		803	.Nm
		804	warns about this and disables password authentication to prevent
		805	server spoofing or man-in-the-middle attacks,
		806	which could otherwise be used to circumvent the encryption.
		807	The
		808	.Cm StrictHostKeyChecking
		809	option can be used to control logins to machines whose
		810	host key is not known or has changed.
		811	.Pp
		812	.Nm
		813	can be configured to verify host identification using fingerprint resource
		814	records (SSHFP) published in DNS.
		815	The
		816	.Cm VerifyHostKeyDNS
		817	option can be used to control how DNS lookups are performed.
		818	SSHFP resource records can be generated using
		819	.Xr ssh-keygen 1 .
		820	.Pp
792	When the user's identity has been accepted by the server, the server	821	When the user's identity has been accepted by the server, the server
793	either executes the given command, or logs into the machine and gives	822	either executes the given command, or logs into the machine and gives
794	the user a normal shell on the remote machine.	823	the user a normal shell on the remote machine.
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can
924	be specified either on the command line or in a configuration file.	953	be specified either on the command line or in a configuration file.
925	One possible application of TCP/IP forwarding is a secure connection to an	954	One possible application of TCP/IP forwarding is a secure connection to an
926	electronic purse; another is going through firewalls.	955	electronic purse; another is going through firewalls.
927	.Sh SERVER AUTHENTICATION
928	.Nm
929	automatically maintains and checks a database containing
930	identifications for all hosts it has ever been used with.
931	Host keys are stored in
932	.Pa ~/.ssh/known_hosts
933	in the user's home directory.
934	Additionally, the file
935	.Pa /etc/ssh/ssh_known_hosts
936	is automatically checked for known hosts.
937	Any new hosts are automatically added to the user's file.
938	If a host's identification ever changes,
939	.Nm
940	warns about this and disables password authentication to prevent a
941	trojan horse from getting the user's password.
942	Another purpose of this mechanism is to prevent man-in-the-middle attacks
943	which could otherwise be used to circumvent the encryption.
944	The
945	.Cm StrictHostKeyChecking
946	option can be used to prevent logins to machines whose
947	host key is not known or has changed.
948	.Pp
949	.Nm
950	can be configured to verify host identification using fingerprint resource
951	records (SSHFP) published in DNS.
952	The
953	.Cm VerifyHostKeyDNS
954	option can be used to control how DNS lookups are performed.
955	SSHFP resource records can be generated using
956	.Xr ssh-keygen 1 .
957	.Sh ENVIRONMENT	956	.Sh ENVIRONMENT
958	.Nm	957	.Nm
959	will normally set the following environment variables:	958	will normally set the following environment variables: