diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2014-12-11 05:25:06 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2014-12-11 19:17:25 +1100 |
| commit | d663bea30a294d440fef4398e5cd816317bd4518 (patch) | |
| tree | e54be6782d3573e9d536cb4a0bd7441a705c9a82 | |
| parent | 17bf3d81e00f2abb414a4fd271118cf4913f049f (diff) | |
upstream commit
mention AuthorizedKeysCommandUser must be set for
AuthorizedKeysCommand to be run; bz#2287
| -rw-r--r-- | sshd_config.5 | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 78a8d00be..9f52cf441 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.180 2014/11/22 19:21:03 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.181 2014/12/11 05:25:06 djm Exp $ |
| 37 | .Dd $Mdocdate: November 22 2014 $ | 37 | .Dd $Mdocdate: December 11 2014 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -210,6 +210,18 @@ would restrict keyboard interactive authentication to the | |||
| 210 | .Dq bsdauth | 210 | .Dq bsdauth |
| 211 | device. | 211 | device. |
| 212 | .Pp | 212 | .Pp |
| 213 | If the | ||
| 214 | .Dq publickey | ||
| 215 | method is listed more than one, | ||
| 216 | .Xr sshd 8 | ||
| 217 | verifies that keys that have been successfully are not reused for subsequent | ||
| 218 | authentications. | ||
| 219 | For example, an | ||
| 220 | .Cm AuthenticationMethods | ||
| 221 | of | ||
| 222 | .Dq publickey,publickey | ||
| 223 | will require successful authentication using two different public keys. | ||
| 224 | .Pp | ||
| 213 | This option is only available for SSH protocol 2 and will yield a fatal | 225 | This option is only available for SSH protocol 2 and will yield a fatal |
| 214 | error if enabled if protocol 1 is also enabled. | 226 | error if enabled if protocol 1 is also enabled. |
| 215 | Note that each authentication method listed should also be explicitly enabled | 227 | Note that each authentication method listed should also be explicitly enabled |
| @@ -232,6 +244,9 @@ By default, no AuthorizedKeysCommand is run. | |||
| 232 | Specifies the user under whose account the AuthorizedKeysCommand is run. | 244 | Specifies the user under whose account the AuthorizedKeysCommand is run. |
| 233 | It is recommended to use a dedicated user that has no other role on the host | 245 | It is recommended to use a dedicated user that has no other role on the host |
| 234 | than running authorized keys commands. | 246 | than running authorized keys commands. |
| 247 | If no user is specified then | ||
| 248 | .Cm AuthorizedKeysCommand | ||
| 249 | is ignored. | ||
| 235 | .It Cm AuthorizedKeysFile | 250 | .It Cm AuthorizedKeysFile |
| 236 | Specifies the file that contains the public keys that can be used | 251 | Specifies the file that contains the public keys that can be used |
| 237 | for user authentication. | 252 | for user authentication. |