author Colin Watson <cjwatson@debian.org> 2009-12-29 21:42:53 +0000
committer Colin Watson <cjwatson@debian.org> 2009-12-29 21:42:53 +0000
commit 87552344215a38d3a2b0d4d63dc151e05978bbe1
tree 9f4b96055e6ccaa915e8d59d9f2805e9e119371d /ssh.0
parent a25ec0b132c44c9e341e08464ff830de06b81126
parent ef94e5613d37bcbf880f21ee6094e4b1c7683a4c
import openssh-5.1p1-gsskex-cjwatson-20080722.patch
Diffstat (limited to 'ssh.0')
-rw-r--r-- ssh.0 48
1 files changed, 40 insertions, 8 deletions
diff --git a/ssh.0 b/ssh.0
index 8ec0bb397..21e5ac9a3 100644
--- a/ssh.0
+++ b/ssh.0
@@ -130,6 +130,11 @@ DESCRIPTION
130 The recommended way to start X11 programs at a remote site is 130 The recommended way to start X11 programs at a remote site is
131 with something like ssh -f host xterm. 131 with something like ssh -f host xterm.
132 132
133 If the ExitOnForwardFailure configuration option is set to
134 ``yes'', then a client started with -f will wait for all remote
135 port forwards to be successfully established before placing it-
136 self in the background.
137
133 -g Allows remote hosts to connect to local forwarded ports. 138 -g Allows remote hosts to connect to local forwarded ports.
134 139
135 -I smartcard_device 140 -I smartcard_device
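Review bot: the added -f paragraph says the client waits for remote port forwards to be established but never says what happens when one cannot be. Since the option is named ExitOnForwardFailure, state the outcome directly (that the client exits instead of going to the background). The paragraph also names only remote forwards, so either say whether local forwards are covered or point the reader to the option's description in ssh_config(5).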
@@ -274,13 +279,14 @@ DESCRIPTION
274 User 279 User
275 UserKnownHostsFile 280 UserKnownHostsFile
276 VerifyHostKeyDNS 281 VerifyHostKeyDNS
282 VisualHostKey
277 XAuthLocation 283 XAuthLocation
278 284
279 -p port 285 -p port
280 Port to connect to on the remote host. This can be specified on 286 Port to connect to on the remote host. This can be specified on
281 a per-host basis in the configuration file. 287 a per-host basis in the configuration file.
282 288
283 -q Quiet mode. Causes all warning and diagnostic messages to be 289 -q Quiet mode. Causes most warning and diagnostic messages to be
284 suppressed. 290 suppressed.
285 291
286 -R [bind_address:]port:host:hostport 292 -R [bind_address:]port:host:hostport
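Review bot: in the -q entry, changing "all" to "most" leaves the reader unable to tell which messages still appear in quiet mode, which matters to anyone who relies on -q in scripts. Name the class of messages that is still printed. The VisualHostKey line added to the option list sits in the correct alphabetical position and needs no change.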
@@ -571,12 +577,27 @@ VERIFYING HOST KEYS
571 577
572 $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key 578 $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
573 579
574 If the fingerprint is already known, it can be matched and verified, and 580 If the fingerprint is already known, it can be matched and the key can be
575 the key can be accepted. If the fingerprint is unknown, an alternative 581 accepted or rejected. Because of the difficulty of comparing host keys
576 method of verification is available: SSH fingerprints verified by DNS. 582 just by looking at hex strings, there is also support to compare host
577 An additional resource record (RR), SSHFP, is added to a zonefile and the 583 keys visually, using random art. By setting the VisualHostKey option to
578 connecting client is able to match the fingerprint with that of the key 584 ``yes'', a small ASCII graphic gets displayed on every login to a server,
579 presented. 585 no matter if the session itself is interactive or not. By learning the
586 pattern a known server produces, a user can easily find out that the host
587 key has changed when a completely different pattern is displayed. Be-
588 cause these patterns are not unambiguous however, a pattern that looks
589 similar to the pattern remembered only gives a good probability that the
590 host key is the same, not guaranteed proof.
591
592 To get a listing of the fingerprints along with their random art for all
593 known hosts, the following command line can be used:
594
595 $ ssh-keygen -lv -f ~/.ssh/known_hosts
596
597 If the fingerprint is unknown, an alternative method of verification is
598 available: SSH fingerprints verified by DNS. An additional resource
599 record (RR), SSHFP, is added to a zonefile and the connecting client is
600 able to match the fingerprint with that of the key presented.
580 601
581 In this example, we are connecting a client to a server, 602 In this example, we are connecting a client to a server,
582 ``host.example.com''. The SSHFP resource records should first be added 603 ``host.example.com''. The SSHFP resource records should first be added
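Review bot: the VisualHostKey paragraph ends by saying a similar-looking pattern is "not guaranteed proof" but gives the reader no next step. Add a sentence saying that when the art differs, or when certainty is needed, the full fingerprint should be compared using the ssh-keygen -l output shown just above. The statement that the graphic is displayed "no matter if the session itself is interactive or not" also deserves a word on what that means for scripted use, and "not unambiguous however" would read better as "ambiguous".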
@@ -714,6 +735,13 @@ FILES
714 host-based authentication without permitting login with 735 host-based authentication without permitting login with
715 rlogin/rsh. 736 rlogin/rsh.
716 737
738 ~/.ssh/
739 This directory is the default location for all user-specific con-
740 figuration and authentication information. There is no general
741 requirement to keep the entire contents of this directory secret,
742 but the recommended permissions are read/write/execute for the
743 user, and not accessible by others.
744
717 ~/.ssh/authorized_keys 745 ~/.ssh/authorized_keys
718 Lists the public keys (RSA/DSA) that can be used for logging in 746 Lists the public keys (RSA/DSA) that can be used for logging in
719 as this user. The format of this file is described in the 747 as this user. The format of this file is described in the
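Review bot: the new ~/.ssh/ entry recommends "read/write/execute for the user, and not accessible by others" without mentioning group access. Say explicitly that the group gets no access either, or give the mode numerically so it cannot be misread. The sentence "There is no general requirement to keep the entire contents of this directory secret" would be safer with a pointer to the per-file entries that follow, so a reader does not take it as applying to every file in the directory.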
@@ -825,6 +853,10 @@ SEE ALSO
825 853
826 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. 854 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
827 855
856 A. Perrig and D. Song, Hash Visualization: a New Technique to improve
857 Real-World Security, 1999, International Workshop on Cryptographic
858 Techniques and E-Commerce (CrypTEC '99).
859
828AUTHORS 860AUTHORS
829 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 861 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
830 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 862 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
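Review bot: the Perrig and Song reference is added to SEE ALSO, but nothing in the new random art text under VERIFYING HOST KEYS points to it. Add a short cross-reference there so the reader can connect the VisualHostKey description to the hash visualization paper. The title's capitalization ("a New Technique to improve") should also be checked against the published title.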
@@ -832,4 +864,4 @@ AUTHORS
832 created OpenSSH. Markus Friedl contributed the support for SSH protocol 864 created OpenSSH. Markus Friedl contributed the support for SSH protocol
833 versions 1.5 and 2.0. 865 versions 1.5 and 2.0.
834 866
835OpenBSD 4.2 June 12, 2007 13 867OpenBSD 4.4 July 2, 2008 14
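Review bot: the footer moves from "OpenBSD 4.2 June 12, 2007" to "OpenBSD 4.4 July 2, 2008" and the page count from 13 to 14, yet the commit subject names only the gsskex patch import and none of the hunks shown for this file touch GSSAPI. If this is the diff of a merge against one of its two parents, that is expected. Otherwise the commit message should say that a refreshed manual page is included, so the documentation change can be found later.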