author | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-23 13:02:16 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-23 13:02:16 +0000 |
commit | c65e6a0fec9d96722d268003c2b89c2a8906aee9 (patch) | |
tree | 6fe9ae19926c5300895e21212aa5a40a37eae7ff /ssh.1 | |
parent | 2857d9cf771ffa561e6e6e535632bd7ef74c0f7d (diff) |
- markus@cvs.openbsd.org 2001/04/22 23:58:36
[ssh-keygen.1 ssh.1 sshd.8]
document hostbased and other cleanup
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 100 |
1 files changed, 63 insertions, 37 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.106 2001/04/22 13:32:27 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.107 2001/04/22 23:58:36 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -110,7 +110,7 @@ permitted to log in. | |||
110 | This form of authentication alone is normally not | 110 | This form of authentication alone is normally not |
111 | allowed by the server because it is not secure. | 111 | allowed by the server because it is not secure. |
112 | .Pp | 112 | .Pp |
113 | The second (and primary) authentication method is the | 113 | The second authentication method is the |
114 | .Pa rhosts | 114 | .Pa rhosts |
115 | or | 115 | or |
116 | .Pa hosts.equiv | 116 | .Pa hosts.equiv |
@@ -205,13 +205,18 @@ the password cannot be seen by someone listening on the network. | |||
205 | .Ss SSH protocol version 2 | 205 | .Ss SSH protocol version 2 |
206 | .Pp | 206 | .Pp |
207 | When a user connects using the protocol version 2 | 207 | When a user connects using the protocol version 2 |
208 | different authentication methods are available: | 208 | different authentication methods are available. |
209 | At first, the client attempts to authenticate using the public key method. | 209 | Using the default values for |
210 | If this method fails password authentication is tried. | 210 | .Cm PreferredAuthentications , |
211 | the client will try to authenticate first using the public key method; | ||
212 | if this method fails password authentication is attempted, | ||
213 | and finally if this method fails keyboard-interactive authentication | ||
214 | is attempted. | ||
215 | If this method fails password authentication is | ||
216 | tried. | ||
211 | .Pp | 217 | .Pp |
212 | The public key method is similar to RSA authentication described | 218 | The public key method is similar to RSA authentication described |
213 | in the previous section except that the DSA or RSA algorithm is used | 219 | in the previous section and allows the RSA or DSA algorithm to be used: |
214 | instead. | ||
215 | The client uses his private key, | 220 | The client uses his private key, |
216 | .Pa $HOME/.ssh/id_dsa | 221 | .Pa $HOME/.ssh/id_dsa |
217 | or | 222 | or |
@@ -225,8 +230,10 @@ and is only known to the client and the server. | |||
225 | .Pp | 230 | .Pp |
226 | If public key authentication fails or is not available a password | 231 | If public key authentication fails or is not available a password |
227 | can be sent encrypted to the remote host for proving the user's identity. | 232 | can be sent encrypted to the remote host for proving the user's identity. |
228 | This protocol 2 implementation does not yet support Kerberos or | 233 | .Pp |
229 | S/Key authentication. | 234 | Additionally, |
235 | .Nm | ||
236 | supports hostbased or challenge response authentication. | ||
230 | .Pp | 237 | .Pp |
231 | Protocol 2 provides additional mechanisms for confidentiality | 238 | Protocol 2 provides additional mechanisms for confidentiality |
232 | (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) | 239 | (the traffic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) |
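Review bot: the new sentence at lines 234-236 states that hostbased and challenge response authentication are supported, but leaves their relation to the ordering given a few lines earlier implicit (that list names keyboard-interactive, not challenge response, and does not mention hostbased at all) and does not point at the HostbasedAuthentication keyword this same patch adds. Suggest "supports hostbased and challenge response authentication; see .Cm PreferredAuthentications and .Cm HostbasedAuthentication ." so the reader can find how these methods are enabled and ordered.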
@@ -286,7 +293,7 @@ Background ssh | |||
286 | List forwarded connections | 293 | List forwarded connections |
287 | .It Cm ~& | 294 | .It Cm ~& |
288 | Background ssh at logout when waiting for forwarded connection / X11 sessions | 295 | Background ssh at logout when waiting for forwarded connection / X11 sessions |
289 | to terminate (this does not currently work for SSH protocol version 2) | 296 | to terminate (protocol version 1 only) |
290 | .It Cm ~? | 297 | .It Cm ~? |
291 | Display a list of escape characters | 298 | Display a list of escape characters |
292 | .It Cm ~R | 299 | .It Cm ~R |
@@ -573,6 +580,8 @@ from the local machine. | |||
573 | Port forwardings can also be specified in the configuration file. | 580 | Port forwardings can also be specified in the configuration file. |
574 | Privileged ports can be forwarded only when | 581 | Privileged ports can be forwarded only when |
575 | logging in as root on the remote machine. | 582 | logging in as root on the remote machine. |
583 | IPv6 addresses can be specified with an alternative syntax: | ||
584 | .Ar port/host/hostport | ||
576 | .It Fl 1 | 585 | .It Fl 1 |
577 | Forces | 586 | Forces |
578 | .Nm | 587 | .Nm |
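Review bot: the alternative IPv6 syntax at lines 583-584 is documented only under this option, while the RemoteForward entry later in this patch (lines 958-960) still describes only the host:port form. If port/host/hostport is also accepted by the -R option and the RemoteForward keyword, document it in each place, or state here which options accept it.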
@@ -645,6 +654,7 @@ The argument to this keyword must be | |||
645 | .Dq yes | 654 | .Dq yes |
646 | or | 655 | or |
647 | .Dq no . | 656 | .Dq no . |
657 | This option applies to protocol version 1 only. | ||
648 | .It Cm BatchMode | 658 | .It Cm BatchMode |
649 | If set to | 659 | If set to |
650 | .Dq yes , | 660 | .Dq yes , |
@@ -687,8 +697,7 @@ The default is | |||
687 | .Pp | 697 | .Pp |
688 | .Bd -literal | 698 | .Bd -literal |
689 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, | 699 | ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
690 | aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc, | 700 | aes192-cbc,aes256-cbc'' |
691 | rijndael256-cbc,rijndael-cbc@lysator.liu.se'' | ||
692 | .Ed | 701 | .Ed |
693 | .It Cm Compression | 702 | .It Cm Compression |
694 | Specifies whether to use compression. | 703 | Specifies whether to use compression. |
@@ -704,21 +713,13 @@ The argument must be an integer from 1 (fast) to 9 (slow, best). | |||
704 | The default level is 6, which is good for most applications. | 713 | The default level is 6, which is good for most applications. |
705 | The meaning of the values is the same as in | 714 | The meaning of the values is the same as in |
706 | .Xr gzip 1 . | 715 | .Xr gzip 1 . |
716 | Note that this option applies to protocol version 1 only. | ||
707 | .It Cm ConnectionAttempts | 717 | .It Cm ConnectionAttempts |
708 | Specifies the number of tries (one per second) to make before falling | 718 | Specifies the number of tries (one per second) to make before falling |
709 | back to rsh or exiting. | 719 | back to rsh or exiting. |
710 | The argument must be an integer. | 720 | The argument must be an integer. |
711 | This may be useful in scripts if the connection sometimes fails. | 721 | This may be useful in scripts if the connection sometimes fails. |
712 | The default is 4. | 722 | The default is 4. |
713 | .It Cm PubkeyAuthentication | ||
714 | Specifies whether to try public key authentication. | ||
715 | The argument to this keyword must be | ||
716 | .Dq yes | ||
717 | or | ||
718 | .Dq no . | ||
719 | The default is | ||
720 | .Dq yes . | ||
721 | Note that this option applies to protocol version 2 only. | ||
722 | .It Cm EscapeChar | 723 | .It Cm EscapeChar |
723 | Sets the escape character (default: | 724 | Sets the escape character (default: |
724 | .Ql ~ ) . | 725 | .Ql ~ ) . |
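Review bot: the wording at line 716 ("Note that this option applies to protocol version 1 only.") differs from the form used for the same statement elsewhere in this patch ("This option applies to protocol version 1 only." at lines 657, 983 and 993); pick one form. Moving the PubkeyAuthentication block out of here into alphabetical position after ProxyCommand is correct, and the moved copy already uses the shorter form.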
@@ -783,17 +784,29 @@ host key database instead of | |||
783 | Specifies a file to use for the protocol version 2 global | 784 | Specifies a file to use for the protocol version 2 global |
784 | host key database instead of | 785 | host key database instead of |
785 | .Pa /etc/ssh_known_hosts2 . | 786 | .Pa /etc/ssh_known_hosts2 . |
786 | .It Cm HostKeyAlias | 787 | .It Cm HostbasedAuthentication |
787 | Specifies an alias that should be used instead of the | 788 | Specifies whether to try rhosts based authentication with public key |
788 | real host name when looking up or saving the host key | 789 | authentication. |
789 | in the known_hosts files. | 790 | The argument must be |
790 | This option is useful for tunneling ssh connections | 791 | .Dq yes |
791 | or if you have multiple servers running on a single host. | 792 | or |
793 | .Dq no . | ||
794 | The default is | ||
795 | .Dq yes . | ||
796 | This option applies to protocol version 2 only and | ||
797 | is similar to | ||
798 | .Cm RhostsRSAAuthentication . | ||
792 | .It Cm HostKeyAlgorithms | 799 | .It Cm HostKeyAlgorithms |
793 | Specfies the protocol version 2 host key algorithms | 800 | Specfies the protocol version 2 host key algorithms |
794 | that the client wants to use in order of preference. | 801 | that the client wants to use in order of preference. |
795 | The default for this option is: | 802 | The default for this option is: |
796 | .Dq ssh-rsa,ssh-dss | 803 | .Dq ssh-rsa,ssh-dss |
804 | .It Cm HostKeyAlias | ||
805 | Specifies an alias that should be used instead of the | ||
806 | real host name when looking up or saving the host key | ||
807 | in the host key database files. | ||
808 | This option is useful for tunneling ssh connections | ||
809 | or if you have multiple servers running on a single host. | ||
797 | .It Cm HostName | 810 | .It Cm HostName |
798 | Specifies the real host name to log into. | 811 | Specifies the real host name to log into. |
799 | This can be used to specify nicknames or abbreviations for hosts. | 812 | This can be used to specify nicknames or abbreviations for hosts. |
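Review bot: the description of the new HostbasedAuthentication keyword (lines 788-789, "rhosts based authentication with public key authentication") is hard to parse; mirroring the RhostsRSAAuthentication entry below ("rhosts based authentication with RSA host authentication"), "with public key host authentication" would make clear that it is the client host's key, not the user's, that is verified. While here, unchanged context line 800 still carries the typo "Specfies".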
@@ -802,7 +815,7 @@ Numeric IP addresses are also permitted (both on the command line and in | |||
802 | .Cm HostName | 815 | .Cm HostName |
803 | specifications). | 816 | specifications). |
804 | .It Cm IdentityFile | 817 | .It Cm IdentityFile |
805 | Specifies the file from which the user's RSA authentication identity | 818 | Specifies the file from which the user's RSA or DSA authentication identity |
806 | is read (default | 819 | is read (default |
807 | .Pa $HOME/.ssh/identity | 820 | .Pa $HOME/.ssh/identity |
808 | in the user's home directory). | 821 | in the user's home directory). |
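Review bot: line 818 now says "RSA or DSA authentication identity", but the default that follows is still only $HOME/.ssh/identity, the protocol 1 RSA file; the protocol 2 section of this same patch (line 221) names $HOME/.ssh/id_dsa. List the protocol 2 default identity file(s) here as well, or state that the default shown applies to protocol 1.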
@@ -882,7 +895,6 @@ or | |||
882 | .Dq no . | 895 | .Dq no . |
883 | The default is | 896 | The default is |
884 | .Dq yes . | 897 | .Dq yes . |
885 | Note that this option applies to both protocol version 1 and 2. | ||
886 | .It Cm Port | 898 | .It Cm Port |
887 | Specifies the port number to connect on the remote host. | 899 | Specifies the port number to connect on the remote host. |
888 | Default is 22. | 900 | Default is 22. |
@@ -934,6 +946,15 @@ Note that | |||
934 | .Cm CheckHostIP | 946 | .Cm CheckHostIP |
935 | is not available for connects with a proxy command. | 947 | is not available for connects with a proxy command. |
936 | .Pp | 948 | .Pp |
949 | .It Cm PubkeyAuthentication | ||
950 | Specifies whether to try public key authentication. | ||
951 | The argument to this keyword must be | ||
952 | .Dq yes | ||
953 | or | ||
954 | .Dq no . | ||
955 | The default is | ||
956 | .Dq yes . | ||
957 | This option applies to protocol version 2 only. | ||
937 | .It Cm RemoteForward | 958 | .It Cm RemoteForward |
938 | Specifies that a TCP/IP port on the remote machine be forwarded over | 959 | Specifies that a TCP/IP port on the remote machine be forwarded over |
939 | the secure channel to given host:port from the local machine. | 960 | the secure channel to given host:port from the local machine. |
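Review bot: the new .It Cm PubkeyAuthentication block (lines 949-957) is inserted directly after the .Pp on line 948, so a paragraph macro now sits immediately before a list item; mdoc skips a .Pp before .It and warns about it. The .Pp was already there before .It Cm RemoteForward, but since this hunk touches the spot, drop it.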
@@ -951,13 +972,15 @@ Disabling rhosts authentication may reduce | |||
951 | authentication time on slow connections when rhosts authentication is | 972 | authentication time on slow connections when rhosts authentication is |
952 | not used. | 973 | not used. |
953 | Most servers do not permit RhostsAuthentication because it | 974 | Most servers do not permit RhostsAuthentication because it |
954 | is not secure (see RhostsRSAAuthentication). | 975 | is not secure (see |
976 | .Cm RhostsRSAAuthentication ). | ||
955 | The argument to this keyword must be | 977 | The argument to this keyword must be |
956 | .Dq yes | 978 | .Dq yes |
957 | or | 979 | or |
958 | .Dq no . | 980 | .Dq no . |
959 | The default is | 981 | The default is |
960 | .Dq yes . | 982 | .Dq yes . |
983 | This option applies to protocol version 1 only. | ||
961 | .It Cm RhostsRSAAuthentication | 984 | .It Cm RhostsRSAAuthentication |
962 | Specifies whether to try rhosts based authentication with RSA host | 985 | Specifies whether to try rhosts based authentication with RSA host |
963 | authentication. | 986 | authentication. |
@@ -967,6 +990,7 @@ or | |||
967 | .Dq no . | 990 | .Dq no . |
968 | The default is | 991 | The default is |
969 | .Dq yes . | 992 | .Dq yes . |
993 | This option applies to protocol version 1 only. | ||
970 | .It Cm RSAAuthentication | 994 | .It Cm RSAAuthentication |
971 | Specifies whether to try RSA authentication. | 995 | Specifies whether to try RSA authentication. |
972 | The argument to this keyword must be | 996 | The argument to this keyword must be |
@@ -1037,13 +1061,13 @@ or | |||
1037 | .Dq no . | 1061 | .Dq no . |
1038 | The default is | 1062 | The default is |
1039 | .Dq no . | 1063 | .Dq no . |
1040 | Note that setting this option to | 1064 | Note that you need to set this option to |
1041 | .Dq no | 1065 | .Dq yes |
1042 | turns off | 1066 | if you want to use |
1043 | .Cm RhostsAuthentication | 1067 | .Cm RhostsAuthentication |
1044 | and | 1068 | and |
1045 | .Cm RhostsRSAAuthentication | 1069 | .Cm RhostsRSAAuthentication |
1046 | for older servers. | 1070 | with older servers. |
1047 | .It Cm User | 1071 | .It Cm User |
1048 | Specifies the user to log in as. | 1072 | Specifies the user to log in as. |
1049 | This can be useful if you have a different user name on different machines. | 1073 | This can be useful if you have a different user name on different machines. |
@@ -1097,7 +1121,9 @@ the host where the shell runs, and n is an integer >= 1. | |||
1097 | .Nm | 1121 | .Nm |
1098 | uses this special value to forward X11 connections over the secure | 1122 | uses this special value to forward X11 connections over the secure |
1099 | channel. | 1123 | channel. |
1100 | The user should normally not set DISPLAY explicitly, as that | 1124 | The user should normally not set |
1125 | .Ev DISPLAY | ||
1126 | explicitly, as that | ||
1101 | will render the X11 connection insecure (and will require the user to | 1127 | will render the X11 connection insecure (and will require the user to |
1102 | manually copy any required authorization cookies). | 1128 | manually copy any required authorization cookies). |
1103 | .It Ev HOME | 1129 | .It Ev HOME |
@@ -1211,7 +1237,7 @@ spaces). | |||
1211 | This file is not highly sensitive, but the recommended | 1237 | This file is not highly sensitive, but the recommended |
1212 | permissions are read/write for the user, and not accessible by others. | 1238 | permissions are read/write for the user, and not accessible by others. |
1213 | .It Pa $HOME/.ssh/authorized_keys2 | 1239 | .It Pa $HOME/.ssh/authorized_keys2 |
1214 | Lists the public keys (DSA/RSA) that can be used for logging in as this user. | 1240 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
1215 | This file is not highly sensitive, but the recommended | 1241 | This file is not highly sensitive, but the recommended |
1216 | permissions are read/write for the user, and not accessible by others. | 1242 | permissions are read/write for the user, and not accessible by others. |
1217 | .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 | 1243 | .It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 |
@@ -1219,7 +1245,7 @@ Systemwide list of known host keys. | |||
1219 | .Pa /etc/ssh_known_hosts | 1245 | .Pa /etc/ssh_known_hosts |
1220 | contains RSA and | 1246 | contains RSA and |
1221 | .Pa /etc/ssh_known_hosts2 | 1247 | .Pa /etc/ssh_known_hosts2 |
1222 | contains DSA or RSA keys for protocol version 2. | 1248 | contains RSA or DSA keys for protocol version 2. |
1223 | These files should be prepared by the | 1249 | These files should be prepared by the |
1224 | system administrator to contain the public host keys of all machines in the | 1250 | system administrator to contain the public host keys of all machines in the |
1225 | organization. | 1251 | organization. |