author | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2020-02-21 11:57:14 +0000 |
commit | f0de78bd4f29fa688c5df116f3f9cd43543a76d0 (patch) | |
tree | 856b0dee3f2764c13a32dad5ffe2424fab7fef41 /sshd.0 | |
parent | 4213eec74e74de6310c27a40c3e9759a08a73996 (diff) | |
parent | 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8 (diff) |
Import openssh_8.2p1.orig.tar.gz
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 52 |
1 files changed, 33 insertions, 19 deletions
@@ -1,7 +1,7 @@ | |||
1 | SSHD(8) System Manager's Manual SSHD(8) | 1 | SSHD(8) System Manager's Manual SSHD(8) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd M-bM-^@M-^S OpenSSH SSH daemon | 4 | sshd M-bM-^@M-^S OpenSSH daemon |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] | 7 | sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] |
@@ -128,14 +128,12 @@ AUTHENTICATION | |||
128 | host-specific key, used to identify the host. Whenever a client | 128 | host-specific key, used to identify the host. Whenever a client |
129 | connects, the daemon responds with its public host key. The client | 129 | connects, the daemon responds with its public host key. The client |
130 | compares the host key against its own database to verify that it has not | 130 | compares the host key against its own database to verify that it has not |
131 | changed. Forward security is provided through a Diffie-Hellman key | 131 | changed. Forward secrecy is provided through a Diffie-Hellman key |
132 | agreement. This key agreement results in a shared session key. The rest | 132 | agreement. This key agreement results in a shared session key. The rest |
133 | of the session is encrypted using a symmetric cipher, currently 128-bit | 133 | of the session is encrypted using a symmetric cipher. The client selects |
134 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The | 134 | the encryption algorithm to use from those offered by the server. |
135 | client selects the encryption algorithm to use from those offered by the | 135 | Additionally, session integrity is provided through a cryptographic |
136 | server. Additionally, session integrity is provided through a | 136 | message authentication code (MAC). |
137 | cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64, | ||
138 | umac-128, hmac-sha2-256 or hmac-sha2-512). | ||
139 | 137 | ||
140 | Finally, the server and the client enter an authentication dialog. The | 138 | Finally, the server and the client enter an authentication dialog. The |
141 | client tries to authenticate itself using host-based authentication, | 139 | client tries to authenticate itself using host-based authentication, |
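Review bot: The new text at 133-136 no longer tells the reader where the actually negotiated cipher and MAC set comes from; suggest a cross-reference such as "see the Ciphers and MACs keywords in sshd_config(5)" so the removal of the hard-coded list (which still named Blowfish, Arcfour and hmac-md5) leaves a pointer to the authoritative, configurable list. The wording change from "Forward security" to "Forward secrecy" at 131 is correct terminology and should stay.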
@@ -237,16 +235,25 @@ AUTHORIZED_KEYS FILE FORMAT | |||
237 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are | 235 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are |
238 | ignored as comments). Public keys consist of the following space- | 236 | ignored as comments). Public keys consist of the following space- |
239 | separated fields: options, keytype, base64-encoded key, comment. The | 237 | separated fields: options, keytype, base64-encoded key, comment. The |
240 | options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], | 238 | options field is optional. The supported key types are: |
241 | M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or | 239 | |
242 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be | 240 | sk-ecdsa-sha2-nistp256@openssh.com |
243 | convenient for the user to identify the key). | 241 | ecdsa-sha2-nistp256 |
242 | ecdsa-sha2-nistp384 | ||
243 | ecdsa-sha2-nistp521 | ||
244 | sk-ssh-ed25519@openssh.com | ||
245 | ssh-ed25519 | ||
246 | ssh-dss | ||
247 | ssh-rsa | ||
248 | |||
249 | The comment field is not used for anything (but may be convenient for the | ||
250 | user to identify the key). | ||
244 | 251 | ||
245 | Note that lines in this file can be several hundred bytes long (because | 252 | Note that lines in this file can be several hundred bytes long (because |
246 | of the size of the public key encoding) up to a limit of 8 kilobytes, | 253 | of the size of the public key encoding) up to a limit of 8 kilobytes, |
247 | which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. | 254 | which permits RSA keys up to 16 kilobits. You don't want to type them |
248 | You don't want to type them in; instead, copy the id_dsa.pub, | 255 | in; instead, copy the id_dsa.pub, id_ecdsa.pub, id_ecdsa_sk.pub, |
249 | id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it. | 256 | id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it. |
250 | 257 | ||
251 | sshd enforces a minimum RSA key modulus size of 1024 bits. | 258 | sshd enforces a minimum RSA key modulus size of 1024 bits. |
252 | 259 | ||
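Review bot: Inconsistency at 254: the sentence drops "DSA keys up to 8 kilobits" while ssh-dss is still listed as a supported key type at 246 and id_dsa.pub is still named at 255; either remove ssh-dss and id_dsa.pub here as well or keep the DSA size statement, so the three passages agree on whether DSA is supported. Minor: the list at 240-247 would read better if the introducing sentence at 238 said which entries are the FIDO (sk-) variants, since the sk- prefix is otherwise unexplained until the no-touch-required option much later in the file.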
@@ -360,9 +367,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
360 | it may only connect to the specified host and port. IPv6 | 367 | it may only connect to the specified host and port. IPv6 |
361 | addresses can be specified by enclosing the address in square | 368 | addresses can be specified by enclosing the address in square |
362 | brackets. Multiple permitopen options may be applied separated | 369 | brackets. Multiple permitopen options may be applied separated |
363 | by commas. No pattern matching is performed on the specified | 370 | by commas. No pattern matching or name lookup is performed on |
364 | hostnames, they must be literal domains or addresses. A port | 371 | the specified hostnames, they must be literal host names and/or |
365 | specification of * matches any port. | 372 | addresses. A port specification of * matches any port. |
366 | 373 | ||
367 | port-forwarding | 374 | port-forwarding |
368 | Enable port forwarding previously disabled by the restrict | 375 | Enable port forwarding previously disabled by the restrict |
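Review bot: Comma splice at 370-371: "on the specified hostnames, they must be literal host names and/or addresses" should be two sentences or joined with a semicolon. Since the new text states that no name lookup is performed, it would also help to say explicitly that a permitopen entry given as a host name only matches a client request for that exact name, so an administrator who wants both the name and its address allowed has to list both.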
@@ -379,6 +386,11 @@ AUTHORIZED_KEYS FILE FORMAT | |||
379 | pty Permits tty allocation previously disabled by the restrict | 386 | pty Permits tty allocation previously disabled by the restrict |
380 | option. | 387 | option. |
381 | 388 | ||
389 | no-touch-required | ||
390 | Do not require demonstration of user presence for signatures made | ||
391 | using this key. This option only makes sense for the FIDO | ||
392 | authenticator algorithms ecdsa-sk and ed25519-sk. | ||
393 | |||
382 | restrict | 394 | restrict |
383 | Enable all restrictions, i.e. disable port, agent and X11 | 395 | Enable all restrictions, i.e. disable port, agent and X11 |
384 | forwarding, as well as disabling PTY allocation and execution of | 396 | forwarding, as well as disabling PTY allocation and execution of |
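Review bot: Naming mismatch at 391-392: the option text refers to "ecdsa-sk and ed25519-sk", but the key type list earlier in this same file (240 and 244) uses the wire identifiers sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; use the same identifiers here, or state that ecdsa-sk and ed25519-sk are the short names, so a reader can match the option to the key type it applies to. The description should also make clear that this relaxes the authenticator's touch check for this key only, and is therefore a per-key weakening an administrator opts into rather than the default.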
@@ -416,6 +428,8 @@ AUTHORIZED_KEYS FILE FORMAT | |||
416 | user@example.net | 428 | user@example.net |
417 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | 429 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== |
418 | user@example.net | 430 | user@example.net |
431 | no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko== | ||
432 | user@example.net | ||
419 | 433 | ||
420 | SSH_KNOWN_HOSTS FILE FORMAT | 434 | SSH_KNOWN_HOSTS FILE FORMAT |
421 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host | 435 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host |
@@ -650,4 +664,4 @@ AUTHORS | |||
650 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 664 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
651 | for privilege separation. | 665 | for privilege separation. |
652 | 666 | ||
653 | OpenBSD 6.6 July 22, 2018 OpenBSD 6.6 | 667 | OpenBSD 6.6 January 25, 2020 OpenBSD 6.6 |