- jmc@cvs.openbsd.org 2006/02/16 09:05:34

[sshd.8] sync some of the FILES entries w/ ssh.1;
author: Damien Miller <djm@mindrot.org> 2006-03-15 11:35:27 +1100
committer: Damien Miller <djm@mindrot.org> 2006-03-15 11:35:27 +1100
commit: adc35b9583944203906ef1fd8b078316213e35d5 (patch)
tree: 0a74b4bf4d9c132f78af128940b4302b89acce5a
parent: bc1936ad8735cc5f4949eb18172869352e2c5c1c (diff)
2 files changed, 37 insertions, 46 deletions
diff --git a/ChangeLog b/ChangeLog
index b12e1f03f..4c24caccd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -116,6 +116,9 @@
   - jmc@cvs.openbsd.org 2006/02/15 16:55:33
     [sshd.8]
     remove ietf draft references; RFC list now maintained in ssh.1;
+   - jmc@cvs.openbsd.org 2006/02/16 09:05:34
+     [sshd.8]
+     sync some of the FILES entries w/ ssh.1;
 20060313
 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -4017,4 +4020,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4172 2006/03/15 00:35:05 djm Exp $
+$Id: ChangeLog,v 1.4173 2006/03/15 00:35:27 djm Exp $
diff --git a/sshd.8 b/sshd.8
index aed8b60d1..6d79f175c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.224 2006/02/15 16:55:33 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.225 2006/02/16 09:05:34 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -605,45 +605,31 @@ It does not suppress printing of the banner specified by
 .Cm Banner .
 .Pp
 .It ~/.rhosts
-This file is used during
+This file is used for host-based authentication (see
-.Cm RhostsRSAAuthentication
+.Xr ssh 1
-and
+for more information).
-.Cm HostbasedAuthentication
+On some machines this file may need to be
-and contains host-username pairs, separated by a space, one per
+world-readable if the user's home directory is on an NFS partition,
-line.
+because
-The given user on the corresponding host is permitted to log in
+.Nm
-without a password.
+reads it as root.
-The same file is used by rlogind and rshd.
+Additionally, this file must be owned by the user,
-The file must
+and must not have write permissions for anyone else.
-be writable only by the user; it is recommended that it not be
+The recommended
+permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-It is also possible to use netgroups in the file.
-Either host or user
-name may be of the form +@groupname to specify all hosts or all users
-in the group.
-.Pp
 .It ~/.shosts
-For ssh,
+This file is used in exactly the same way as
-this file is exactly the same as for
+.Pa .rhosts ,
-.Pa .rhosts .
+but allows host-based authentication without permitting login with
-However, this file is
+rlogin/rsh.
-not used by rlogin and rshd, so using this permits access using SSH only.
 .Pp
 .It ~/.ssh/authorized_keys
-Lists the public keys (RSA or DSA) that can be used to log into the user's account.
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).
-It is recommended that it not be accessible by others.
 The format of this file is described above.
-Users will place the contents of their
+This file is not highly sensitive, but the recommended
-.Pa identity.pub ,
+permissions are read/write for the user, and not accessible by others.
-.Pa id_dsa.pub
-and/or
-.Pa id_rsa.pub
-files into this file, as described in
-.Xr ssh-keygen 1 .
 .Pp
 .It ~/.ssh/environment
 This file is read into the environment at login (if it exists).
@@ -658,17 +644,10 @@ controlled via the
 option.
 .Pp
 .It ~/.ssh/known_hosts
-.It /etc/ssh/ssh_known_hosts
+Contains a list of host keys for all hosts the user has logged into
-These files are consulted when using rhosts with RSA host
+that are not already in the systemwide list of known host keys.
-authentication or protocol version 2 hostbased authentication
+The format of this file is described above.
-to check the public key of the host.
+This file should be writable only by root/the owner and
-The key must be listed in one of these files to be accepted.
-The client uses the same files
-to verify that it is connecting to the correct remote host.
-These files should be writable only by root/the owner.
-.Pa /etc/ssh/ssh_known_hosts
-should be world-readable, and
-.Pa ~/.ssh/known_hosts
 can, but need not be, world-readable.
 .Pp
 .It ~/.ssh/rc
@@ -784,6 +763,15 @@ This is processed exactly as
 However, this file may be useful in environments that want to run both
 rsh/rlogin and ssh.
 .Pp
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+The format of this file is described above.
+This file should be writable only by root/the owner and
+should be world-readable.
+.Pp
 .It /etc/ssh/ssh_host_key
 .It /etc/ssh/ssh_host_dsa_key
 .It /etc/ssh/ssh_host_rsa_key
author	Damien Miller <djm@mindrot.org>	2006-03-15 11:35:27 +1100
committer	Damien Miller <djm@mindrot.org>	2006-03-15 11:35:27 +1100
commit	adc35b9583944203906ef1fd8b078316213e35d5 (patch)
tree	0a74b4bf4d9c132f78af128940b4302b89acce5a
parent	bc1936ad8735cc5f4949eb18172869352e2c5c1c (diff)

diff --git a/ChangeLog b/ChangeLog index b12e1f03f..4c24caccd 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -116,6 +116,9 @@
116	- jmc@cvs.openbsd.org 2006/02/15 16:55:33	116	- jmc@cvs.openbsd.org 2006/02/15 16:55:33
117	[sshd.8]	117	[sshd.8]
118	remove ietf draft references; RFC list now maintained in ssh.1;	118	remove ietf draft references; RFC list now maintained in ssh.1;
		119	- jmc@cvs.openbsd.org 2006/02/16 09:05:34
		120	[sshd.8]
		121	sync some of the FILES entries w/ ssh.1;
119		122
120	20060313	123	20060313
121	- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)	124	- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -4017,4 +4020,4 @@
4017	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	4020	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
4018	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	4021	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4019		4022
4020	$Id: ChangeLog,v 1.4172 2006/03/15 00:35:05 djm Exp $	4023	$Id: ChangeLog,v 1.4173 2006/03/15 00:35:27 djm Exp $


diff --git a/sshd.8 b/sshd.8 index aed8b60d1..6d79f175c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.224 2006/02/15 16:55:33 jmc Exp $	37	.\" $OpenBSD: sshd.8,v 1.225 2006/02/16 09:05:34 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -605,45 +605,31 @@ It does not suppress printing of the banner specified by
605	.Cm Banner .	605	.Cm Banner .
606	.Pp	606	.Pp
607	.It ~/.rhosts	607	.It ~/.rhosts
608	This file is used during	608	This file is used for host-based authentication (see
609	.Cm RhostsRSAAuthentication	609	.Xr ssh 1
610	and	610	for more information).
611	.Cm HostbasedAuthentication	611	On some machines this file may need to be
612	and contains host-username pairs, separated by a space, one per	612	world-readable if the user's home directory is on an NFS partition,
613	line.	613	because
614	The given user on the corresponding host is permitted to log in	614	.Nm
615	without a password.	615	reads it as root.
616	The same file is used by rlogind and rshd.	616	Additionally, this file must be owned by the user,
617	The file must	617	and must not have write permissions for anyone else.
618	be writable only by the user; it is recommended that it not be	618	The recommended
		619	permission for most machines is read/write for the user, and not
619	accessible by others.	620	accessible by others.
620	.Pp	621	.Pp
621	It is also possible to use netgroups in the file.
622	Either host or user
623	name may be of the form +@groupname to specify all hosts or all users
624	in the group.
625	.Pp
626	.It ~/.shosts	622	.It ~/.shosts
627	For ssh,	623	This file is used in exactly the same way as
628	this file is exactly the same as for	624	.Pa .rhosts ,
629	.Pa .rhosts .	625	but allows host-based authentication without permitting login with
630	However, this file is	626	rlogin/rsh.
631	not used by rlogin and rshd, so using this permits access using SSH only.
632	.Pp	627	.Pp
633	.It ~/.ssh/authorized_keys	628	.It ~/.ssh/authorized_keys
634	Lists the public keys (RSA or DSA) that can be used to log into the user's account.	629	Lists the public keys (RSA/DSA) that can be used for logging in as this user.
635	This file must be readable by root (which may on some machines imply
636	it being world-readable if the user's home directory resides on an NFS
637	volume).
638	It is recommended that it not be accessible by others.
639	The format of this file is described above.	630	The format of this file is described above.
640	Users will place the contents of their	631	This file is not highly sensitive, but the recommended
641	.Pa identity.pub ,	632	permissions are read/write for the user, and not accessible by others.
642	.Pa id_dsa.pub
643	and/or
644	.Pa id_rsa.pub
645	files into this file, as described in
646	.Xr ssh-keygen 1 .
647	.Pp	633	.Pp
648	.It ~/.ssh/environment	634	.It ~/.ssh/environment
649	This file is read into the environment at login (if it exists).	635	This file is read into the environment at login (if it exists).
@@ -658,17 +644,10 @@ controlled via the
658	option.	644	option.
659	.Pp	645	.Pp
660	.It ~/.ssh/known_hosts	646	.It ~/.ssh/known_hosts
661	.It /etc/ssh/ssh_known_hosts	647	Contains a list of host keys for all hosts the user has logged into
662	These files are consulted when using rhosts with RSA host	648	that are not already in the systemwide list of known host keys.
663	authentication or protocol version 2 hostbased authentication	649	The format of this file is described above.
664	to check the public key of the host.	650	This file should be writable only by root/the owner and
665	The key must be listed in one of these files to be accepted.
666	The client uses the same files
667	to verify that it is connecting to the correct remote host.
668	These files should be writable only by root/the owner.
669	.Pa /etc/ssh/ssh_known_hosts
670	should be world-readable, and
671	.Pa ~/.ssh/known_hosts
672	can, but need not be, world-readable.	651	can, but need not be, world-readable.
673	.Pp	652	.Pp
674	.It ~/.ssh/rc	653	.It ~/.ssh/rc
@@ -784,6 +763,15 @@ This is processed exactly as
784	However, this file may be useful in environments that want to run both	763	However, this file may be useful in environments that want to run both
785	rsh/rlogin and ssh.	764	rsh/rlogin and ssh.
786	.Pp	765	.Pp
		766	.It /etc/ssh/ssh_known_hosts
		767	Systemwide list of known host keys.
		768	This file should be prepared by the
		769	system administrator to contain the public host keys of all machines in the
		770	organization.
		771	The format of this file is described above.
		772	This file should be writable only by root/the owner and
		773	should be world-readable.
		774	.Pp
787	.It /etc/ssh/ssh_host_key	775	.It /etc/ssh/ssh_host_key
788	.It /etc/ssh/ssh_host_dsa_key	776	.It /etc/ssh/ssh_host_dsa_key
789	.It /etc/ssh/ssh_host_rsa_key	777	.It /etc/ssh/ssh_host_rsa_key