- jmc@cvs.openbsd.org 2005/12/20 21:59:43

[ssh.1] merge the sections on protocols 1 and 2 into one section on authentication; feedback djm dtucker ok deraadt markus dtucker
author: Damien Miller <djm@mindrot.org> 2005-12-24 14:52:13 +1100
committer: Damien Miller <djm@mindrot.org> 2005-12-24 14:52:13 +1100
commit: c93a813802cc2a339bcf1dc41c60878a5b1c0373 (patch)
tree: 877fcc7632cdfd01990bcf276632fe0fe229e546 /ssh.1
parent: e9a9b71c6b7927ea0f875cde42dffc1f4b195011 (diff)
1 files changed, 90 insertions, 75 deletions
diff --git a/ssh.1 b/ssh.1
index 31b614b1d..84bd62eb3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.221 2005/12/16 18:14:40 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.222 2005/12/20 21:59:43 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -613,12 +613,38 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .El
-.Ss SSH protocol version 1
+.Sh AUTHENTICATION
-The first authentication method is the
+The OpenSSH SSH client supports OpenSSH protocols 1 and 2.
-.Em rhosts
+Protocol 2 is the default, with
-or
+.Nm
-.Em hosts.equiv
+falling back to protocol 1 if it detects protocol 2 is unsupported.
-method combined with RSA-based host authentication.
+These settings may be altered using the
+.Cm Protocol
+option in
+.Xr ssh_config 5 ,
+or enforced using the
+.Fl 1
+and
+.Fl 2
+options (see above).
+Both protocols support similar authentication methods,
+but protocol 2 is preferred since
+it provides additional mechanisms for confidentiality
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
+Protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Pp
+The methods available for authentication are:
+host-based authentication,
+public key authentication,
+challenge-response authentication,
+and password authentication.
+Authentication methods are tried in the order specified above,
+though protocol 2 has a configuration option to change the default order:
+.Cm PreferredAuthentications .
+.Pp
+Host-based authentication works as follows:
 If the machine the user logs in from is listed in
 .Pa /etc/hosts.equiv
 or
@@ -631,33 +657,42 @@ or
 exist in the user's home directory on the
 remote machine and contain a line containing the name of the client
 machine and the name of the user on that machine, the user is
-considered for log in.
+considered for login.
-Additionally, if the server can verify the client's
+Additionally, the server
-host key (see
+.Em must
+be able to verify the client's
+host key (see the description of
 .Pa /etc/ssh/ssh_known_hosts
 and
-.Pa ~/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts ,
-in the
+below)
-.Sx FILES
+for login to be permitted.
-section), only then is login permitted.
 This authentication method closes security holes due to IP
-spoofing, DNS spoofing and routing spoofing.
+spoofing, DNS spoofing, and routing spoofing.
 [Note to the administrator:
 .Pa /etc/hosts.equiv ,
 .Pa ~/.rhosts ,
 and the rlogin/rsh protocol in general, are inherently insecure and should be
 disabled if security is desired.]
 .Pp
-As a second authentication method,
+Public key authentication works as follows:
-.Nm
+The scheme is based on public-key cryptography,
-supports RSA based authentication.
+using cryptosystems
-The scheme is based on public-key cryptography: there are cryptosystems
+where encryption and decryption are done using separate keys,
-where encryption and decryption are done using separate keys, and it
+and it is unfeasible to derive the decryption key from the encryption key.
-is not possible to derive the decryption key from the encryption key.
-RSA is one such system.
 The idea is that each user creates a public/private
 key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
+.Nm
+implements public key authentication protocol automatically,
+using either the RSA or DSA algorithms.
+Protocol 1 is restricted to using only RSA keys,
+but protocol 2 may use either.
+The
+.Sx HISTORY
+section of
+.Xr ssl 8
+contains a brief discussion of the two algorithms.
 .Pp
 The file
 .Pa ~/.ssh/authorized_keys
@@ -666,84 +701,64 @@ When the user logs in, the
 .Nm
 program tells the server which key pair it would like to use for
 authentication.
-The server checks if this key is permitted, and if so,
+The client proves that it has access to the private key
-sends the user (actually the
+and the server checks that the corresponding public key
-.Nm
+is authorized to accept the account.
-program running on behalf of the user) a challenge, a random number,
-encrypted by the user's public key.
-The challenge can only be decrypted using the proper private key.
-The user's client then decrypts the challenge using the private key,
-proving that he/she knows the private key
-but without disclosing it to the server.
 .Pp
-.Nm
+The user creates his/her key pair by running
-implements the RSA authentication protocol automatically.
-The user creates his/her RSA key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
 .Pa ~/.ssh/identity
+(protocol 1),
+.Pa ~/.ssh/id_dsa
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa
+(protocol 2 RSA)
 and stores the public key in
 .Pa ~/.ssh/identity.pub
+(protocol 1),
+.Pa ~/.ssh/id_dsa.pub
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa.pub
+(protocol 2 RSA)
 in the user's home directory.
-The user should then copy the
+The user should then copy the public key
-.Pa identity.pub
 to
 .Pa ~/.ssh/authorized_keys
-in his/her home directory on the remote machine (the
+in his/her home directory on the remote machine.
+The
 .Pa authorized_keys
 file corresponds to the conventional
 .Pa ~/.rhosts
 file, and has one key
-per line, though the lines can be very long).
+per line, though the lines can be very long.
 After this, the user can log in without giving the password.
 .Pp
-The most convenient way to use RSA authentication may be with an
+The most convenient way to use public key authentication may be with an
 authentication agent.
 See
 .Xr ssh-agent 1
 for more information.
 .Pp
-If other authentication methods fail,
+Challenge-response authentication works as follows:
+The server sends an arbitrary
+.Qq challenge
+text, and prompts for a response.
+Protocol 2 allows multiple challenges and responses;
+protocol 1 is restricted to just one challenge/response.
+Examples of challenge-response authentication include
+BSD Authentication (see
+.Xr login.conf 5 )
+and PAM (some non-OpenBSD systems).
+.Pp
+Finally, if other authentication methods fail,
 .Nm
 prompts the user for a password.
 The password is sent to the remote
 host for checking; however, since all communications are encrypted,
 the password cannot be seen by someone listening on the network.
-.Ss SSH protocol version 2
-When a user connects using protocol version 2,
-similar authentication methods are available.
-Using the default values for
-.Cm PreferredAuthentications ,
-the client will try to authenticate first using the hostbased method;
-if this method fails, public key authentication is attempted,
-and finally if this method fails, keyboard-interactive and
-password authentication are tried.
-.Pp
-The public key method is similar to RSA authentication described
-in the previous section and allows the RSA or DSA algorithm to be used:
-The client uses his private key,
-.Pa ~/.ssh/id_dsa
-or
-.Pa ~/.ssh/id_rsa ,
-to sign the session identifier and sends the result to the server.
-The server checks whether the matching public key is listed in
-.Pa ~/.ssh/authorized_keys
-and grants access if both the key is found and the signature is correct.
-The session identifier is derived from a shared Diffie-Hellman value
-and is only known to the client and the server.
-.Pp
-If public key authentication fails or is not available, a password
-can be sent encrypted to the remote host to prove the user's identity.
-.Pp
-Additionally,
-.Nm
-supports hostbased or challenge response authentication.
-.Pp
-Protocol 2 provides additional mechanisms for confidentiality
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
-Note that protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
 .Ss Login session and remote execution
 When the user's identity has been accepted by the server, the server
 either executes the given command, or logs into the machine and gives
author	Damien Miller <djm@mindrot.org>	2005-12-24 14:52:13 +1100
committer	Damien Miller <djm@mindrot.org>	2005-12-24 14:52:13 +1100
commit	c93a813802cc2a339bcf1dc41c60878a5b1c0373 (patch)
tree	877fcc7632cdfd01990bcf276632fe0fe229e546 /ssh.1
parent	e9a9b71c6b7927ea0f875cde42dffc1f4b195011 (diff)

diff --git a/ssh.1 b/ssh.1 index 31b614b1d..84bd62eb3 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.221 2005/12/16 18:14:40 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.222 2005/12/20 21:59:43 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -613,12 +613,38 @@ Enables trusted X11 forwarding.
613	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	613	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
614	controls.	614	controls.
615	.El	615	.El
616	.Ss SSH protocol version 1	616	.Sh AUTHENTICATION
617	The first authentication method is the	617	The OpenSSH SSH client supports OpenSSH protocols 1 and 2.
618	.Em rhosts	618	Protocol 2 is the default, with
619	or	619	.Nm
620	.Em hosts.equiv	620	falling back to protocol 1 if it detects protocol 2 is unsupported.
621	method combined with RSA-based host authentication.	621	These settings may be altered using the
		622	.Cm Protocol
		623	option in
		624	.Xr ssh_config 5 ,
		625	or enforced using the
		626	.Fl 1
		627	and
		628	.Fl 2
		629	options (see above).
		630	Both protocols support similar authentication methods,
		631	but protocol 2 is preferred since
		632	it provides additional mechanisms for confidentiality
		633	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
		634	and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
		635	Protocol 1 lacks a strong mechanism for ensuring the
		636	integrity of the connection.
		637	.Pp
		638	The methods available for authentication are:
		639	host-based authentication,
		640	public key authentication,
		641	challenge-response authentication,
		642	and password authentication.
		643	Authentication methods are tried in the order specified above,
		644	though protocol 2 has a configuration option to change the default order:
		645	.Cm PreferredAuthentications .
		646	.Pp
		647	Host-based authentication works as follows:
622	If the machine the user logs in from is listed in	648	If the machine the user logs in from is listed in
623	.Pa /etc/hosts.equiv	649	.Pa /etc/hosts.equiv
624	or	650	or
@@ -631,33 +657,42 @@ or
631	exist in the user's home directory on the	657	exist in the user's home directory on the
632	remote machine and contain a line containing the name of the client	658	remote machine and contain a line containing the name of the client
633	machine and the name of the user on that machine, the user is	659	machine and the name of the user on that machine, the user is
634	considered for log in.	660	considered for login.
635	Additionally, if the server can verify the client's	661	Additionally, the server
636	host key (see	662	.Em must
		663	be able to verify the client's
		664	host key (see the description of
637	.Pa /etc/ssh/ssh_known_hosts	665	.Pa /etc/ssh/ssh_known_hosts
638	and	666	and
639	.Pa ~/.ssh/known_hosts	667	.Pa ~/.ssh/known_hosts ,
640	in the	668	below)
641	.Sx FILES	669	for login to be permitted.
642	section), only then is login permitted.
643	This authentication method closes security holes due to IP	670	This authentication method closes security holes due to IP
644	spoofing, DNS spoofing and routing spoofing.	671	spoofing, DNS spoofing, and routing spoofing.
645	[Note to the administrator:	672	[Note to the administrator:
646	.Pa /etc/hosts.equiv ,	673	.Pa /etc/hosts.equiv ,
647	.Pa ~/.rhosts ,	674	.Pa ~/.rhosts ,
648	and the rlogin/rsh protocol in general, are inherently insecure and should be	675	and the rlogin/rsh protocol in general, are inherently insecure and should be
649	disabled if security is desired.]	676	disabled if security is desired.]
650	.Pp	677	.Pp
651	As a second authentication method,	678	Public key authentication works as follows:
652	.Nm	679	The scheme is based on public-key cryptography,
653	supports RSA based authentication.	680	using cryptosystems
654	The scheme is based on public-key cryptography: there are cryptosystems	681	where encryption and decryption are done using separate keys,
655	where encryption and decryption are done using separate keys, and it	682	and it is unfeasible to derive the decryption key from the encryption key.
656	is not possible to derive the decryption key from the encryption key.
657	RSA is one such system.
658	The idea is that each user creates a public/private	683	The idea is that each user creates a public/private
659	key pair for authentication purposes.	684	key pair for authentication purposes.
660	The server knows the public key, and only the user knows the private key.	685	The server knows the public key, and only the user knows the private key.
		686	.Nm
		687	implements public key authentication protocol automatically,
		688	using either the RSA or DSA algorithms.
		689	Protocol 1 is restricted to using only RSA keys,
		690	but protocol 2 may use either.
		691	The
		692	.Sx HISTORY
		693	section of
		694	.Xr ssl 8
		695	contains a brief discussion of the two algorithms.
661	.Pp	696	.Pp
662	The file	697	The file
663	.Pa ~/.ssh/authorized_keys	698	.Pa ~/.ssh/authorized_keys
@@ -666,84 +701,64 @@ When the user logs in, the
666	.Nm	701	.Nm
667	program tells the server which key pair it would like to use for	702	program tells the server which key pair it would like to use for
668	authentication.	703	authentication.
669	The server checks if this key is permitted, and if so,	704	The client proves that it has access to the private key
670	sends the user (actually the	705	and the server checks that the corresponding public key
671	.Nm	706	is authorized to accept the account.
672	program running on behalf of the user) a challenge, a random number,
673	encrypted by the user's public key.
674	The challenge can only be decrypted using the proper private key.
675	The user's client then decrypts the challenge using the private key,
676	proving that he/she knows the private key
677	but without disclosing it to the server.
678	.Pp	707	.Pp
679	.Nm	708	The user creates his/her key pair by running
680	implements the RSA authentication protocol automatically.
681	The user creates his/her RSA key pair by running
682	.Xr ssh-keygen 1 .	709	.Xr ssh-keygen 1 .
683	This stores the private key in	710	This stores the private key in
684	.Pa ~/.ssh/identity	711	.Pa ~/.ssh/identity
		712	(protocol 1),
		713	.Pa ~/.ssh/id_dsa
		714	(protocol 2 DSA),
		715	or
		716	.Pa ~/.ssh/id_rsa
		717	(protocol 2 RSA)
685	and stores the public key in	718	and stores the public key in
686	.Pa ~/.ssh/identity.pub	719	.Pa ~/.ssh/identity.pub
		720	(protocol 1),
		721	.Pa ~/.ssh/id_dsa.pub
		722	(protocol 2 DSA),
		723	or
		724	.Pa ~/.ssh/id_rsa.pub
		725	(protocol 2 RSA)
687	in the user's home directory.	726	in the user's home directory.
688	The user should then copy the	727	The user should then copy the public key
689	.Pa identity.pub
690	to	728	to
691	.Pa ~/.ssh/authorized_keys	729	.Pa ~/.ssh/authorized_keys
692	in his/her home directory on the remote machine (the	730	in his/her home directory on the remote machine.
		731	The
693	.Pa authorized_keys	732	.Pa authorized_keys
694	file corresponds to the conventional	733	file corresponds to the conventional
695	.Pa ~/.rhosts	734	.Pa ~/.rhosts
696	file, and has one key	735	file, and has one key
697	per line, though the lines can be very long).	736	per line, though the lines can be very long.
698	After this, the user can log in without giving the password.	737	After this, the user can log in without giving the password.
699	.Pp	738	.Pp
700	The most convenient way to use RSA authentication may be with an	739	The most convenient way to use public key authentication may be with an
701	authentication agent.	740	authentication agent.
702	See	741	See
703	.Xr ssh-agent 1	742	.Xr ssh-agent 1
704	for more information.	743	for more information.
705	.Pp	744	.Pp
706	If other authentication methods fail,	745	Challenge-response authentication works as follows:
		746	The server sends an arbitrary
		747	.Qq challenge
		748	text, and prompts for a response.
		749	Protocol 2 allows multiple challenges and responses;
		750	protocol 1 is restricted to just one challenge/response.
		751	Examples of challenge-response authentication include
		752	BSD Authentication (see
		753	.Xr login.conf 5 )
		754	and PAM (some non-OpenBSD systems).
		755	.Pp
		756	Finally, if other authentication methods fail,
707	.Nm	757	.Nm
708	prompts the user for a password.	758	prompts the user for a password.
709	The password is sent to the remote	759	The password is sent to the remote
710	host for checking; however, since all communications are encrypted,	760	host for checking; however, since all communications are encrypted,
711	the password cannot be seen by someone listening on the network.	761	the password cannot be seen by someone listening on the network.
712	.Ss SSH protocol version 2
713	When a user connects using protocol version 2,
714	similar authentication methods are available.
715	Using the default values for
716	.Cm PreferredAuthentications ,
717	the client will try to authenticate first using the hostbased method;
718	if this method fails, public key authentication is attempted,
719	and finally if this method fails, keyboard-interactive and
720	password authentication are tried.
721	.Pp
722	The public key method is similar to RSA authentication described
723	in the previous section and allows the RSA or DSA algorithm to be used:
724	The client uses his private key,
725	.Pa ~/.ssh/id_dsa
726	or
727	.Pa ~/.ssh/id_rsa ,
728	to sign the session identifier and sends the result to the server.
729	The server checks whether the matching public key is listed in
730	.Pa ~/.ssh/authorized_keys
731	and grants access if both the key is found and the signature is correct.
732	The session identifier is derived from a shared Diffie-Hellman value
733	and is only known to the client and the server.
734	.Pp
735	If public key authentication fails or is not available, a password
736	can be sent encrypted to the remote host to prove the user's identity.
737	.Pp
738	Additionally,
739	.Nm
740	supports hostbased or challenge response authentication.
741	.Pp
742	Protocol 2 provides additional mechanisms for confidentiality
743	(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
744	and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
745	Note that protocol 1 lacks a strong mechanism for ensuring the
746	integrity of the connection.
747	.Ss Login session and remote execution	762	.Ss Login session and remote execution
748	When the user's identity has been accepted by the server, the server	763	When the user's identity has been accepted by the server, the server
749	either executes the given command, or logs into the machine and gives	764	either executes the given command, or logs into the machine and gives