diff options
| author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
| commit | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch) | |
| tree | 793395934013923b7b2426382c0676edcd4be3d4 /sshd.0 | |
| parent | eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff) | |
| parent | 72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff) | |
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 44 |
1 files changed, 37 insertions, 7 deletions
| @@ -146,11 +146,11 @@ DESCRIPTION | |||
| 146 | AUTHENTICATION | 146 | AUTHENTICATION |
| 147 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to | 147 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to |
| 148 | use protocol 2 only, though this can be changed via the Protocol option | 148 | use protocol 2 only, though this can be changed via the Protocol option |
| 149 | in sshd_config(5). Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; | 149 | in sshd_config(5). Protocol 1 should not be used and is only offered to |
| 150 | protocol 1 only supports RSA keys. For both protocols, each host has a | 150 | support legacy devices. |
| 151 | host-specific key, normally 2048 bits, used to identify the host. | ||
| 152 | 151 | ||
| 153 | Forward security for protocol 1 is provided through an additional server | 152 | Each host has a host-specific key, used to identify the host. Partial |
| 153 | forward security for protocol 1 is provided through an additional server | ||
| 154 | key, normally 1024 bits, generated when the server starts. This key is | 154 | key, normally 1024 bits, generated when the server starts. This key is |
| 155 | normally regenerated every hour if it has been used, and is never stored | 155 | normally regenerated every hour if it has been used, and is never stored |
| 156 | on disk. Whenever a client connects, the daemon responds with its public | 156 | on disk. Whenever a client connects, the daemon responds with its public |
| @@ -268,7 +268,7 @@ SSHRC | |||
| 268 | 268 | ||
| 269 | AUTHORIZED_KEYS FILE FORMAT | 269 | AUTHORIZED_KEYS FILE FORMAT |
| 270 | AuthorizedKeysFile specifies the files containing public keys for public | 270 | AuthorizedKeysFile specifies the files containing public keys for public |
| 271 | key authentication; if none is specified, the default is | 271 | key authentication; if this option is not specified, the default is |
| 272 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the | 272 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the |
| 273 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are | 273 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are |
| 274 | ignored as comments). Protocol 1 public keys consist of the following | 274 | ignored as comments). Protocol 1 public keys consist of the following |
| @@ -298,6 +298,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 298 | The following option specifications are supported (note that option | 298 | The following option specifications are supported (note that option |
| 299 | keywords are case-insensitive): | 299 | keywords are case-insensitive): |
| 300 | 300 | ||
| 301 | agent-forwarding | ||
| 302 | Enable authentication agent forwarding previously disabled by the | ||
| 303 | restrict option. | ||
| 304 | |||
| 301 | cert-authority | 305 | cert-authority |
| 302 | Specifies that the listed key is a certification authority (CA) | 306 | Specifies that the listed key is a certification authority (CA) |
| 303 | that is trusted to validate signed certificates for user | 307 | that is trusted to validate signed certificates for user |
| @@ -378,6 +382,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 378 | must be literal domains or addresses. A port specification of * | 382 | must be literal domains or addresses. A port specification of * |
| 379 | matches any port. | 383 | matches any port. |
| 380 | 384 | ||
| 385 | port-forwarding | ||
| 386 | Enable port forwarding previously disabled by the restrict | ||
| 387 | |||
| 381 | principals="principals" | 388 | principals="principals" |
| 382 | On a cert-authority line, specifies allowed principals for | 389 | On a cert-authority line, specifies allowed principals for |
| 383 | certificate authentication as a comma-separated list. At least | 390 | certificate authentication as a comma-separated list. At least |
| @@ -386,11 +393,28 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 386 | ignored for keys that are not marked as trusted certificate | 393 | ignored for keys that are not marked as trusted certificate |
| 387 | signers using the cert-authority option. | 394 | signers using the cert-authority option. |
| 388 | 395 | ||
| 396 | pty Permits tty allocation previously disabled by the restrict | ||
| 397 | option. | ||
| 398 | |||
| 399 | restrict | ||
| 400 | Enable all restrictions, i.e. disable port, agent and X11 | ||
| 401 | forwarding, as well as disabling PTY allocation and execution of | ||
| 402 | ~/.ssh/rc. If any future restriction capabilities are added to | ||
| 403 | authorized_keys files they will be included in this set. | ||
| 404 | |||
| 389 | tunnel="n" | 405 | tunnel="n" |
| 390 | Force a tun(4) device on the server. Without this option, the | 406 | Force a tun(4) device on the server. Without this option, the |
| 391 | next available device will be used if the client requests a | 407 | next available device will be used if the client requests a |
| 392 | tunnel. | 408 | tunnel. |
| 393 | 409 | ||
| 410 | user-rc | ||
| 411 | Enables execution of ~/.ssh/rc previously disabled by the | ||
| 412 | restrict option. | ||
| 413 | |||
| 414 | X11-forwarding | ||
| 415 | Permits X11 forwarding previously disabled by the restrict | ||
| 416 | option. | ||
| 417 | |||
| 394 | An example authorized_keys file: | 418 | An example authorized_keys file: |
| 395 | 419 | ||
| 396 | # Comments allowed at start of line | 420 | # Comments allowed at start of line |
| @@ -403,6 +427,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 403 | AAAAB5...21S== | 427 | AAAAB5...21S== |
| 404 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | 428 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== |
| 405 | jane@example.net | 429 | jane@example.net |
| 430 | restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | ||
| 431 | user@example.net | ||
| 432 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | ||
| 433 | user@example.net | ||
| 406 | 434 | ||
| 407 | SSH_KNOWN_HOSTS FILE FORMAT | 435 | SSH_KNOWN_HOSTS FILE FORMAT |
| 408 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host | 436 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host |
| @@ -552,7 +580,9 @@ FILES | |||
| 552 | 580 | ||
| 553 | /etc/moduli | 581 | /etc/moduli |
| 554 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | 582 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group |
| 555 | Exchange". The file format is described in moduli(5). | 583 | Exchange" key exchange method. The file format is described in |
| 584 | moduli(5). If no usable groups are found in this file then fixed | ||
| 585 | internal groups will be used. | ||
| 556 | 586 | ||
| 557 | /etc/motd | 587 | /etc/motd |
| 558 | See motd(5). | 588 | See motd(5). |
| @@ -632,4 +662,4 @@ AUTHORS | |||
| 632 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 662 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
| 633 | for privilege separation. | 663 | for privilege separation. |
| 634 | 664 | ||
| 635 | OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 | 665 | OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 |