- markus@cvs.openbsd.org 2004/08/26 16:00:55

[ssh.1 sshd.8] get rid of references to rhosts authentication; with jmc@
author: Darren Tucker <dtucker@zip.com.au> 2004-08-29 16:37:24 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2004-08-29 16:37:24 +1000
commit: db693908178e1e2390d2bbfc34fe709eb23ea039 (patch)
tree: 59504c4b6f9daac326f510097daeda07b150b43d /ssh.1
parent: 34620d6f710f97bddc6f7730cee5c6404c4153ba (diff)
1 files changed, 30 insertions, 40 deletions
diff --git a/ssh.1 b/ssh.1
index 0ff77ea29..b9ee4c62b 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
+.\" $OpenBSD: ssh.1,v 1.195 2004/08/26 16:00:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -103,35 +103,25 @@ is specified,
 .Ar command
 is executed on the remote host instead of a login shell.
 .Ss SSH protocol version 1
-First, if the machine the user logs in from is listed in
+The first authentication method is the
+.Em rhosts
+or
+.Em hosts.equiv
+method combined with RSA-based host authentication.
+If the machine the user logs in from is listed in
 .Pa /etc/hosts.equiv
 or
 .Pa /etc/shosts.equiv
 on the remote machine, and the user names are
-the same on both sides, the user is immediately permitted to log in.
+the same on both sides, or if the files
-Second, if
+.Pa $HOME/.rhosts
-.Pa .rhosts
 or
-.Pa .shosts
+.Pa $HOME/.shosts
-exists in the user's home directory on the
+exist in the user's home directory on the
-remote machine and contains a line containing the name of the client
+remote machine and contain a line containing the name of the client
 machine and the name of the user on that machine, the user is
-permitted to log in.
+considered for log in.
-This form of authentication alone is normally not
+Additionally, if the server can verify the client's
-allowed by the server because it is not secure.
-.Pp
-The second authentication method is the
-.Em rhosts
-or
-.Em hosts.equiv
-method combined with RSA-based host authentication.
-It means that if the login would be permitted by
-.Pa $HOME/.rhosts ,
-.Pa $HOME/.shosts ,
-.Pa /etc/hosts.equiv ,
-or
-.Pa /etc/shosts.equiv ,
-and if additionally the server can verify the client's
 host key (see
 .Pa /etc/ssh/ssh_known_hosts
 and
@@ -147,7 +137,7 @@ spoofing, DNS spoofing and routing spoofing.
 and the rlogin/rsh protocol in general, are inherently insecure and should be
 disabled if security is desired.]
 .Pp
-As a third authentication method,
+As a second authentication method,
 .Nm
 supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
@@ -195,9 +185,6 @@ file corresponds to the conventional
 file, and has one key
 per line, though the lines can be very long).
 After this, the user can log in without giving the password.
-RSA authentication is much more secure than
-.Em rhosts
-authentication.
 .Pp
 The most convenient way to use RSA authentication may be with an
 authentication agent.
@@ -1012,7 +999,9 @@ By default
 is not setuid root.
 .It Pa $HOME/.rhosts
 This file is used in
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
 authentication to list the
 host/user pairs that are permitted to log in.
 (Note that this file is
@@ -1031,12 +1020,10 @@ The recommended
 permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-Note that by default
+Note that
 .Xr sshd 8
-will be installed so that it requires successful RSA host
+allows authentication only in combination with client host key
-authentication before permitting
+authentication before permitting log in.
-.Em rhosts
-authentication.
 If the server machine does not have the client's host key in
 .Pa /etc/ssh/ssh_known_hosts ,
 it can be stored in
@@ -1049,15 +1036,19 @@ will automatically add the host key to
 This file is used exactly the same way as
 .Pa .rhosts .
 The purpose for
-having this file is to be able to use rhosts authentication with
+having this file is to be able to use
-.Nm
+.Cm RhostsRSAAuthentication
-without permitting login with
+and
+.Cm HostbasedAuthentication
+authentication without permitting login with
 .Xr rlogin
 or
 .Xr rsh 1 .
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
 authentication.
 It contains
 canonical hosts names, one per line (the full format is described in the
@@ -1066,8 +1057,7 @@ manual page).
 If the client host is found in this file, login is
 automatically permitted provided client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally
+Additionally, successful client host key authentication is required.
-required.
 This file should only be writable by root.
 .It Pa /etc/shosts.equiv
 This file is processed exactly as
author	Darren Tucker <dtucker@zip.com.au>	2004-08-29 16:37:24 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2004-08-29 16:37:24 +1000
commit	db693908178e1e2390d2bbfc34fe709eb23ea039 (patch)
tree	59504c4b6f9daac326f510097daeda07b150b43d /ssh.1
parent	34620d6f710f97bddc6f7730cee5c6404c4153ba (diff)

diff --git a/ssh.1 b/ssh.1 index 0ff77ea29..b9ee4c62b 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $	37	.\" $OpenBSD: ssh.1,v 1.195 2004/08/26 16:00:55 markus Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -103,35 +103,25 @@ is specified,
103	.Ar command	103	.Ar command
104	is executed on the remote host instead of a login shell.	104	is executed on the remote host instead of a login shell.
105	.Ss SSH protocol version 1	105	.Ss SSH protocol version 1
106	First, if the machine the user logs in from is listed in	106	The first authentication method is the
		107	.Em rhosts
		108	or
		109	.Em hosts.equiv
		110	method combined with RSA-based host authentication.
		111	If the machine the user logs in from is listed in
107	.Pa /etc/hosts.equiv	112	.Pa /etc/hosts.equiv
108	or	113	or
109	.Pa /etc/shosts.equiv	114	.Pa /etc/shosts.equiv
110	on the remote machine, and the user names are	115	on the remote machine, and the user names are
111	the same on both sides, the user is immediately permitted to log in.	116	the same on both sides, or if the files
112	Second, if	117	.Pa $HOME/.rhosts
113	.Pa .rhosts
114	or	118	or
115	.Pa .shosts	119	.Pa $HOME/.shosts
116	exists in the user's home directory on the	120	exist in the user's home directory on the
117	remote machine and contains a line containing the name of the client	121	remote machine and contain a line containing the name of the client
118	machine and the name of the user on that machine, the user is	122	machine and the name of the user on that machine, the user is
119	permitted to log in.	123	considered for log in.
120	This form of authentication alone is normally not	124	Additionally, if the server can verify the client's
121	allowed by the server because it is not secure.
122	.Pp
123	The second authentication method is the
124	.Em rhosts
125	or
126	.Em hosts.equiv
127	method combined with RSA-based host authentication.
128	It means that if the login would be permitted by
129	.Pa $HOME/.rhosts ,
130	.Pa $HOME/.shosts ,
131	.Pa /etc/hosts.equiv ,
132	or
133	.Pa /etc/shosts.equiv ,
134	and if additionally the server can verify the client's
135	host key (see	125	host key (see
136	.Pa /etc/ssh/ssh_known_hosts	126	.Pa /etc/ssh/ssh_known_hosts
137	and	127	and
@@ -147,7 +137,7 @@ spoofing, DNS spoofing and routing spoofing.
147	and the rlogin/rsh protocol in general, are inherently insecure and should be	137	and the rlogin/rsh protocol in general, are inherently insecure and should be
148	disabled if security is desired.]	138	disabled if security is desired.]
149	.Pp	139	.Pp
150	As a third authentication method,	140	As a second authentication method,
151	.Nm	141	.Nm
152	supports RSA based authentication.	142	supports RSA based authentication.
153	The scheme is based on public-key cryptography: there are cryptosystems	143	The scheme is based on public-key cryptography: there are cryptosystems
@@ -195,9 +185,6 @@ file corresponds to the conventional
195	file, and has one key	185	file, and has one key
196	per line, though the lines can be very long).	186	per line, though the lines can be very long).
197	After this, the user can log in without giving the password.	187	After this, the user can log in without giving the password.
198	RSA authentication is much more secure than
199	.Em rhosts
200	authentication.
201	.Pp	188	.Pp
202	The most convenient way to use RSA authentication may be with an	189	The most convenient way to use RSA authentication may be with an
203	authentication agent.	190	authentication agent.
@@ -1012,7 +999,9 @@ By default
1012	is not setuid root.	999	is not setuid root.
1013	.It Pa $HOME/.rhosts	1000	.It Pa $HOME/.rhosts
1014	This file is used in	1001	This file is used in
1015	.Em rhosts	1002	.Cm RhostsRSAAuthentication
		1003	and
		1004	.Cm HostbasedAuthentication
1016	authentication to list the	1005	authentication to list the
1017	host/user pairs that are permitted to log in.	1006	host/user pairs that are permitted to log in.
1018	(Note that this file is	1007	(Note that this file is
@@ -1031,12 +1020,10 @@ The recommended
1031	permission for most machines is read/write for the user, and not	1020	permission for most machines is read/write for the user, and not
1032	accessible by others.	1021	accessible by others.
1033	.Pp	1022	.Pp
1034	Note that by default	1023	Note that
1035	.Xr sshd 8	1024	.Xr sshd 8
1036	will be installed so that it requires successful RSA host	1025	allows authentication only in combination with client host key
1037	authentication before permitting	1026	authentication before permitting log in.
1038	.Em rhosts
1039	authentication.
1040	If the server machine does not have the client's host key in	1027	If the server machine does not have the client's host key in
1041	.Pa /etc/ssh/ssh_known_hosts ,	1028	.Pa /etc/ssh/ssh_known_hosts ,
1042	it can be stored in	1029	it can be stored in
@@ -1049,15 +1036,19 @@ will automatically add the host key to
1049	This file is used exactly the same way as	1036	This file is used exactly the same way as
1050	.Pa .rhosts .	1037	.Pa .rhosts .
1051	The purpose for	1038	The purpose for
1052	having this file is to be able to use rhosts authentication with	1039	having this file is to be able to use
1053	.Nm	1040	.Cm RhostsRSAAuthentication
1054	without permitting login with	1041	and
		1042	.Cm HostbasedAuthentication
		1043	authentication without permitting login with
1055	.Xr rlogin	1044	.Xr rlogin
1056	or	1045	or
1057	.Xr rsh 1 .	1046	.Xr rsh 1 .
1058	.It Pa /etc/hosts.equiv	1047	.It Pa /etc/hosts.equiv
1059	This file is used during	1048	This file is used during
1060	.Em rhosts	1049	.Cm RhostsRSAAuthentication
		1050	and
		1051	.Cm HostbasedAuthentication
1061	authentication.	1052	authentication.
1062	It contains	1053	It contains
1063	canonical hosts names, one per line (the full format is described in the	1054	canonical hosts names, one per line (the full format is described in the
@@ -1066,8 +1057,7 @@ manual page).
1066	If the client host is found in this file, login is	1057	If the client host is found in this file, login is
1067	automatically permitted provided client and server user names are the	1058	automatically permitted provided client and server user names are the
1068	same.	1059	same.
1069	Additionally, successful RSA host authentication is normally	1060	Additionally, successful client host key authentication is required.
1070	required.
1071	This file should only be writable by root.	1061	This file should only be writable by root.
1072	.It Pa /etc/shosts.equiv	1062	.It Pa /etc/shosts.equiv
1073	This file is processed exactly as	1063	This file is processed exactly as