| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2011-01-24 12:43:25 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2011-01-24 12:43:25 +0000 |
| commit | 626f1d986ff72aa514da63e34744e1de9cf21b9a (patch) | |
| tree | d215a5280bc2e57251e4a9e08bfd3674ad824a94 /sshd.0 | |
| parent | 6ed622cb6fe8f71bbe0d998cdd12280410bfb420 (diff) | |
| parent | 0970072c89b079b022538e3c366fbfa2c53fc821 (diff) | |
* New upstream release (http://www.openssh.org/txt/release-5.7):
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
offer better performance than plain DH and DSA at the same equivalent
symmetric key length, as well as much shorter keys.
- sftp(1)/sftp-server(8): add a protocol extension to support a hard
link operation. It is available through the "ln" command in the
client. The old "ln" behaviour of creating a symlink is available
using its "-s" option or through the preexisting "symlink" command.
- scp(1): Add a new -3 option to scp: Copies between two remote hosts
are transferred through the local host (closes: #508613).
- ssh(1): "atomically" create the listening mux socket by binding it on
a temporary name and then linking it into position after listen() has
succeeded. This allows the mux clients to determine that the server
socket is either ready or stale without races (closes: #454784).
Stale server sockets are now automatically removed (closes: #523250).
- ssh(1): install a SIGCHLD handler to reap expired child processes
(closes: #594687).
- ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
temporary directories (closes: #357469, although only if you arrange
for ssh-agent to actually see $TMPDIR since the setgid bit will cause
it to be stripped off).
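The mux-socket change described in the release notes above (bind the listening socket on a temporary name, call listen(), then link it into position so a client finds either a ready socket or a stale one, never a half-initialised one) is shown below as an added illustration in C. This is example code written for this page, not OpenSSH's own mux code; the function names probe_socket, listen_socket_atomic and demo_lifecycle, the temporary-name scheme of appending the pid to the final path, and the /tmp/mux-demo-XXXXXX directory are this example's own assumptions.

```c
#define _GNU_SOURCE              /* mkdtemp() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

extern char *mkdtemp(char *);    /* POSIX prototype, in case the feature macro is ignored */

enum mux_state { MUX_READY, MUX_STALE, MUX_ABSENT, MUX_ERROR };

/* Client-side probe: connect() succeeds -> a server is listening (READY);
 * ECONNREFUSED -> the socket file exists but nobody listens behind it (STALE);
 * ENOENT -> no such name (ABSENT).  On READY the fd is handed back via *connfd. */
enum mux_state probe_socket(const char *path, int *connfd)
{
    struct sockaddr_un sa;
    int fd, saved;
    if (strlen(path) >= sizeof sa.sun_path)
        return MUX_ERROR;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return MUX_ERROR;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        if (connfd != NULL) *connfd = fd; else close(fd);
        return MUX_READY;
    }
    saved = errno;               /* keep the connect() error across close() */
    close(fd);
    return saved == ECONNREFUSED ? MUX_STALE : saved == ENOENT ? MUX_ABSENT : MUX_ERROR;
}

/* Server side: bind and listen on a temporary name (path.pid, an assumption of
 * this example), then link() it to the final name, so the final name never
 * exists without a listener behind it.  A stale socket holding the final name
 * is removed and the link retried; a name held by a live server is left alone. */
int listen_socket_atomic(const char *path)
{
    struct sockaddr_un sa;
    char tmp[sizeof sa.sun_path];
    int fd, saved;
    if (snprintf(tmp, sizeof tmp, "%s.%ld", path, (long)getpid()) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, tmp);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    (void)unlink(tmp);           /* temporary left behind by a crashed earlier run, if any */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1 || listen(fd, 16) == -1)
        goto fail;
    if (link(tmp, path) == -1) {
        if (errno != EEXIST || probe_socket(path, NULL) != MUX_STALE)
            goto fail;           /* real error, or a live server owns the name */
        (void)unlink(path);      /* stale: nobody answers, safe to replace */
        if (link(tmp, path) == -1)
            goto fail;
    }
    (void)unlink(tmp);           /* the listener is now reachable only via `path` */
    return fd;
fail:
    saved = errno;
    (void)unlink(tmp);
    close(fd);
    errno = saved;
    return -1;
}

/* Whole lifecycle in a fresh temporary directory: absent -> ready -> stale
 * (server closed, file left behind) -> reclaimed by a new server.  Returns 0,
 * or the number of the first step whose observation was wrong. */
int demo_lifecycle(void)
{
    char dir[] = "/tmp/mux-demo-XXXXXX", path[64];
    int lfd = -1, cfd = -1, rc = 0;
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/mux", dir);
    if (probe_socket(path, NULL) != MUX_ABSENT)               rc = 2;
    else if ((lfd = listen_socket_atomic(path)) == -1)         rc = 3;
    else if (probe_socket(path, &cfd) != MUX_READY)            rc = 4;
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);   /* server goes away, socket file stays: stale */
    if (rc == 0 && probe_socket(path, NULL) != MUX_STALE)      rc = 5;
    if (rc == 0 && (lfd = listen_socket_atomic(path)) == -1)   rc = 6; /* reclaims the stale name */
    if (rc == 0 && probe_socket(path, NULL) != MUX_READY)      rc = 7;
    if (rc == 0) close(lfd);
    (void)unlink(path);
    (void)rmdir(dir);
    return rc;
}
```

The property worth noticing is that the final name is created by link() only after listen() has returned, so a client that can connect() to it never observes a bound-but-not-listening socket, and a connect() that fails with ECONNREFUSED is a reliable "stale" signal rather than a "not ready yet" one. The probe-then-unlink of a stale name is still two steps, so two servers starting at the same instant could race on the reclaim, but a live server's name is never unlinked because the link() on an occupied name only proceeds after the probe reports STALE.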
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 32 |
1 files changed, 18 insertions, 14 deletions
@@ -78,10 +78,10 @@ DESCRIPTION | |||
78 | be given if sshd is not run as root (as the normal host key files | 78 | be given if sshd is not run as root (as the normal host key files |
79 | are normally not readable by anyone but root). The default is | 79 | are normally not readable by anyone but root). The default is |
80 | /etc/ssh/ssh_host_key for protocol version 1, and | 80 | /etc/ssh/ssh_host_key for protocol version 1, and |
81 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for | 81 | /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and |
82 | protocol version 2. It is possible to have multiple host key | 82 | /etc/ssh/ssh_host_rsa_key for protocol version 2. It is possible |
83 | files for the different protocol versions and host key | 83 | to have multiple host key files for the different protocol |
84 | algorithms. | 84 | versions and host key algorithms. |
85 | 85 | ||
86 | -i Specifies that sshd is being run from inetd(8). sshd is normally | 86 | -i Specifies that sshd is being run from inetd(8). sshd is normally |
87 | not run from inetd because it needs to generate the server key | 87 | not run from inetd because it needs to generate the server key |
@@ -143,8 +143,8 @@ DESCRIPTION | |||
143 | AUTHENTICATION | 143 | AUTHENTICATION |
144 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to | 144 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to |
145 | use protocol 2 only, though this can be changed via the Protocol option | 145 | use protocol 2 only, though this can be changed via the Protocol option |
146 | in sshd_config(5). Protocol 2 supports both RSA and DSA keys; protocol 1 | 146 | in sshd_config(5). Protocol 2 supports DSA, ECDSA and RSA keys; protocol |
147 | only supports RSA keys. For both protocols, each host has a host- | 147 | 1 only supports RSA keys. For both protocols, each host has a host- |
148 | specific key, normally 2048 bits, used to identify the host. | 148 | specific key, normally 2048 bits, used to identify the host. |
149 | 149 | ||
150 | Forward security for protocol 1 is provided through an additional server | 150 | Forward security for protocol 1 is provided through an additional server |
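Review bot: line 148's "host-specific key, normally 2048 bits" no longer fits the ECDSA host keys that line 146 of this hunk introduces; an ECDSA key is 256, 384 or 521 bits (the ecdsa-sha2-nistp256/384/521 key types appear in the AUTHORIZED_KEYS hunk of this same patch), so qualify the figure, e.g. "normally 2048 bits for RSA and DSA keys", or drop it from this sentence.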
@@ -273,13 +273,15 @@ AUTHORIZED_KEYS FILE FORMAT | |||
273 | exponent, modulus, and comment fields give the RSA key for protocol | 273 | exponent, modulus, and comment fields give the RSA key for protocol |
274 | version 1; the comment field is not used for anything (but may be | 274 | version 1; the comment field is not used for anything (but may be |
275 | convenient for the user to identify the key). For protocol version 2 the | 275 | convenient for the user to identify the key). For protocol version 2 the |
276 | keytype is ``ssh-dss'' or ``ssh-rsa''. | 276 | keytype is ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'', |
277 | ``ecdsa-sha2-nistp521'', ``ssh-dss'' or ``ssh-rsa''. | ||
277 | 278 | ||
278 | Note that lines in this file are usually several hundred bytes long | 279 | Note that lines in this file are usually several hundred bytes long |
279 | (because of the size of the public key encoding) up to a limit of 8 | 280 | (because of the size of the public key encoding) up to a limit of 8 |
280 | kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 | 281 | kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 |
281 | kilobits. You don't want to type them in; instead, copy the | 282 | kilobits. You don't want to type them in; instead, copy the |
282 | identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. | 283 | identity.pub, id_dsa.pub, id_ecdsa.pub, or the id_rsa.pub file and edit |
284 | it. | ||
283 | 285 | ||
284 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | 286 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol |
285 | 2 keys of 768 bits. | 287 | 2 keys of 768 bits. |
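Review bot: the rewrapped sentence at lines 282-284, "copy the identity.pub, id_dsa.pub, id_ecdsa.pub, or the id_rsa.pub file", carries a redundant second article; "copy the identity.pub, id_dsa.pub, id_ecdsa.pub, or id_rsa.pub file and edit it" reads more cleanly. The size remark at lines 280-282 still enumerates only DSA and RSA limits, which is acceptable since the largest key type added here (nistp521) is far below the 8-kilobyte line limit, but a short "ECDSA keys are much smaller" clause would keep the three families in step.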
@@ -504,11 +506,11 @@ FILES | |||
504 | for the user, and not accessible by others. | 506 | for the user, and not accessible by others. |
505 | 507 | ||
506 | ~/.ssh/authorized_keys | 508 | ~/.ssh/authorized_keys |
507 | Lists the public keys (RSA/DSA) that can be used for logging in | 509 | Lists the public keys (DSA/ECDSA/RSA) that can be used for |
508 | as this user. The format of this file is described above. The | 510 | logging in as this user. The format of this file is described |
509 | content of the file is not highly sensitive, but the recommended | 511 | above. The content of the file is not highly sensitive, but the |
510 | permissions are read/write for the user, and not accessible by | 512 | recommended permissions are read/write for the user, and not |
511 | others. | 513 | accessible by others. |
512 | 514 | ||
513 | If this file, the ~/.ssh directory, or the user's home directory | 515 | If this file, the ~/.ssh directory, or the user's home directory |
514 | are writable by other users, then the file could be modified or | 516 | are writable by other users, then the file could be modified or |
@@ -565,6 +567,7 @@ FILES | |||
565 | 567 | ||
566 | /etc/ssh/ssh_host_key | 568 | /etc/ssh/ssh_host_key |
567 | /etc/ssh/ssh_host_dsa_key | 569 | /etc/ssh/ssh_host_dsa_key |
570 | /etc/ssh/ssh_host_ecdsa_key | ||
568 | /etc/ssh/ssh_host_rsa_key | 571 | /etc/ssh/ssh_host_rsa_key |
569 | These three files contain the private parts of the host keys. | 572 | These three files contain the private parts of the host keys. |
570 | These files should only be owned by root, readable only by root, | 573 | These files should only be owned by root, readable only by root, |
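Review bot: line 572 still says "These three files contain the private parts of the host keys", but the list above it now has four entries (ssh_host_key, ssh_host_dsa_key, ssh_host_ecdsa_key and the newly added line 570); change it to "These files contain the private parts of the host keys." so the count does not have to be maintained by hand.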
@@ -573,6 +576,7 @@ FILES | |||
573 | 576 | ||
574 | /etc/ssh/ssh_host_key.pub | 577 | /etc/ssh/ssh_host_key.pub |
575 | /etc/ssh/ssh_host_dsa_key.pub | 578 | /etc/ssh/ssh_host_dsa_key.pub |
579 | /etc/ssh/ssh_host_ecdsa_key.pub | ||
576 | /etc/ssh/ssh_host_rsa_key.pub | 580 | /etc/ssh/ssh_host_rsa_key.pub |
577 | These three files contain the public parts of the host keys. | 581 | These three files contain the public parts of the host keys. |
578 | These files should be world-readable but writable only by root. | 582 | These files should be world-readable but writable only by root. |
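Review bot: same count problem as the private-key hunk: line 581 reads "These three files contain the public parts of the host keys" while the list now has four entries after the addition of /etc/ssh/ssh_host_ecdsa_key.pub at line 579; "These files contain the public parts of the host keys." avoids the mismatch.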
@@ -627,4 +631,4 @@ CAVEATS | |||
627 | System security is not improved unless rshd, rlogind, and rexecd are | 631 | System security is not improved unless rshd, rlogind, and rexecd are |
628 | disabled (thus completely disabling rlogin and rsh into the machine). | 632 | disabled (thus completely disabling rlogin and rsh into the machine). |
629 | 633 | ||
630 | OpenBSD 4.8 August 4, 2010 OpenBSD 4.8 | 634 | OpenBSD 4.8 October 28, 2010 OpenBSD 4.8 |