path: root/sshd.0
author Colin Watson <cjwatson@debian.org> 2020-02-21 11:57:14 +0000
committer Colin Watson <cjwatson@debian.org> 2020-02-21 11:57:14 +0000
commit f0de78bd4f29fa688c5df116f3f9cd43543a76d0
tree 856b0dee3f2764c13a32dad5ffe2424fab7fef41 /sshd.0
parent 4213eec74e74de6310c27a40c3e9759a08a73996
parent 8aa3455b16fddea4c0144a7c4a1edb10ec67dcc8
Import openssh_8.2p1.orig.tar.gz
Diffstat (limited to 'sshd.0')
-rw-r--r-- sshd.0 | 52
1 files changed, 33 insertions, 19 deletions
diff --git a/sshd.0 b/sshd.0
index 1b0d5ce2e..15ef5dd3b 100644
--- a/sshd.0
+++ b/sshd.0
@@ -1,7 +1,7 @@
1SSHD(8) System Manager's Manual SSHD(8) 1SSHD(8) System Manager's Manual SSHD(8)
2 2
3NAME 3NAME
4 sshd M-bM-^@M-^S OpenSSH SSH daemon 4 sshd M-bM-^@M-^S OpenSSH daemon
5 5
6SYNOPSIS 6SYNOPSIS
7 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] 7 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
@@ -128,14 +128,12 @@ AUTHENTICATION
128 host-specific key, used to identify the host. Whenever a client 128 host-specific key, used to identify the host. Whenever a client
129 connects, the daemon responds with its public host key. The client 129 connects, the daemon responds with its public host key. The client
130 compares the host key against its own database to verify that it has not 130 compares the host key against its own database to verify that it has not
131 changed. Forward security is provided through a Diffie-Hellman key 131 changed. Forward secrecy is provided through a Diffie-Hellman key
132 agreement. This key agreement results in a shared session key. The rest 132 agreement. This key agreement results in a shared session key. The rest
133 of the session is encrypted using a symmetric cipher, currently 128-bit 133 of the session is encrypted using a symmetric cipher. The client selects
134 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The 134 the encryption algorithm to use from those offered by the server.
135 client selects the encryption algorithm to use from those offered by the 135 Additionally, session integrity is provided through a cryptographic
136 server. Additionally, session integrity is provided through a 136 message authentication code (MAC).
137 cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64,
138 umac-128, hmac-sha2-256 or hmac-sha2-512).
139 137
140 Finally, the server and the client enter an authentication dialog. The 138 Finally, the server and the client enter an authentication dialog. The
141 client tries to authenticate itself using host-based authentication, 139 client tries to authenticate itself using host-based authentication,
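Review bot: the rewritten paragraph (new lines 133-136) drops the concrete cipher and MAC lists without telling the reader where the offered set now comes from; consider a cross-reference to the Ciphers and MACs keywords in sshd_config(5), which is where an administrator restricts what the server offers. Removing the old list itself is the right call: it still advertised Blowfish, 3DES, CAST128, Arcfour and hmac-md5 alongside the modern algorithms with no hint that those are legacy choices, so a reader of the old text could take the list as an endorsement. The change from "Forward security" to "Forward secrecy" at new line 131 fixes a long-standing misnomer and should stay.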
@@ -237,16 +235,25 @@ AUTHORIZED_KEYS FILE FORMAT
237 file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are 235 file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
238 ignored as comments). Public keys consist of the following space- 236 ignored as comments). Public keys consist of the following space-
239 separated fields: options, keytype, base64-encoded key, comment. The 237 separated fields: options, keytype, base64-encoded key, comment. The
240 options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], 238 options field is optional. The supported key types are:
241 M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or 239
242 M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be 240 sk-ecdsa-sha2-nistp256@openssh.com
243 convenient for the user to identify the key). 241 ecdsa-sha2-nistp256
242 ecdsa-sha2-nistp384
243 ecdsa-sha2-nistp521
244 sk-ssh-ed25519@openssh.com
245 ssh-ed25519
246 ssh-dss
247 ssh-rsa
248
249 The comment field is not used for anything (but may be convenient for the
250 user to identify the key).
244 251
245 Note that lines in this file can be several hundred bytes long (because 252 Note that lines in this file can be several hundred bytes long (because
246 of the size of the public key encoding) up to a limit of 8 kilobytes, 253 of the size of the public key encoding) up to a limit of 8 kilobytes,
247 which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. 254 which permits RSA keys up to 16 kilobits. You don't want to type them
248 You don't want to type them in; instead, copy the id_dsa.pub, 255 in; instead, copy the id_dsa.pub, id_ecdsa.pub, id_ecdsa_sk.pub,
249 id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it. 256 id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it.
250 257
251 sshd enforces a minimum RSA key modulus size of 1024 bits. 258 sshd enforces a minimum RSA key modulus size of 1024 bits.
252 259
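Review bot: the new key-type list (new lines 240-247) presents ssh-dss on the same footing as the other seven types, while the same hunk deletes the DSA size statement at old line 247 ("DSA keys up to 8 kilobits") and still says "copy the id_dsa.pub" at new line 255; the result is inconsistent about whether DSA keys are a normal choice. Suggest either dropping id_dsa.pub from line 255 to match the deletion, or adding a sentence that which of the listed types sshd will actually accept is governed by PubkeyAcceptedKeyTypes in sshd_config(5), so readers can check whether a listed type is accepted by their server before adding such a key. The two new sk-* entries would also benefit from a parenthetical saying they are the FIDO authenticator key types, since nothing in this hunk explains the prefix and the corresponding id_ecdsa_sk.pub and id_ed25519_sk.pub files at lines 255-256 are introduced without comment.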
@@ -360,9 +367,9 @@ AUTHORIZED_KEYS FILE FORMAT
360 it may only connect to the specified host and port. IPv6 367 it may only connect to the specified host and port. IPv6
361 addresses can be specified by enclosing the address in square 368 addresses can be specified by enclosing the address in square
362 brackets. Multiple permitopen options may be applied separated 369 brackets. Multiple permitopen options may be applied separated
363 by commas. No pattern matching is performed on the specified 370 by commas. No pattern matching or name lookup is performed on
364 hostnames, they must be literal domains or addresses. A port 371 the specified hostnames, they must be literal host names and/or
365 specification of * matches any port. 372 addresses. A port specification of * matches any port.
366 373
367 port-forwarding 374 port-forwarding
368 Enable port forwarding previously disabled by the restrict 375 Enable port forwarding previously disabled by the restrict
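Review bot: the sentence at new lines 370-372 is a comma splice ("...addresses, they must be literal...") and mixes "hostnames" with "host names" in one sentence; suggest "No pattern matching or name lookup is performed on the specified hostnames; they must be literal hostnames or addresses." The added words "or name lookup" are the substantive part of this change and deserve a sentence of their own: they tell the key owner that a permitopen entry is compared textually against the host the client names in its forwarding request, not against what that name resolves to, so an entry written with a hostname does not cover a request for the same host given as an IP address, and vice versa. Stating that consequence explicitly would prevent administrators from assuming a hostname entry is a superset of its addresses.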
@@ -379,6 +386,11 @@ AUTHORIZED_KEYS FILE FORMAT
379 pty Permits tty allocation previously disabled by the restrict 386 pty Permits tty allocation previously disabled by the restrict
380 option. 387 option.
381 388
389 no-touch-required
390 Do not require demonstration of user presence for signatures made
391 using this key. This option only makes sense for the FIDO
392 authenticator algorithms ecdsa-sk and ed25519-sk.
393
382 restrict 394 restrict
383 Enable all restrictions, i.e. disable port, agent and X11 395 Enable all restrictions, i.e. disable port, agent and X11
384 forwarding, as well as disabling PTY allocation and execution of 396 forwarding, as well as disabling PTY allocation and execution of
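Review bot: the new no-touch-required entry (new lines 389-392) names the key types as "ecdsa-sk and ed25519-sk", but the key-type list added earlier in this same patch (new lines 240 and 244) calls them sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; use one naming scheme, or write "the FIDO authenticator key types (sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com)" so a reader can match the option to the list. The description also says what the option turns off but not what is given up: once demonstration of user presence is not required, whoever can drive the client host while the authenticator is attached can obtain valid signatures, which is exactly what the touch requirement exists to prevent. A sentence to that effect, plus a hint that the option is best combined with restrict or a command= restriction, would make the trade-off visible at the point where administrators enable it.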
@@ -416,6 +428,8 @@ AUTHORIZED_KEYS FILE FORMAT
416 user@example.net 428 user@example.net
417 restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== 429 restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
418 user@example.net 430 user@example.net
431 no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
432 user@example.net
419 433
420SSH_KNOWN_HOSTS FILE FORMAT 434SSH_KNOWN_HOSTS FILE FORMAT
421 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host 435 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
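Review bot: the new example at new lines 431-432 shows no-touch-required on its own, whereas the neighbouring example at line 429 pairs its relaxation (pty) with restrict and command=. Since no-touch-required removes a check rather than granting a capability, an example of the form `restrict,no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==` would better reflect how the option is expected to be used and would keep the examples section consistent in showing relaxations alongside the restrictions that bound them.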
@@ -650,4 +664,4 @@ AUTHORS
650 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 664 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
651 for privilege separation. 665 for privilege separation.
652 666
653OpenBSD 6.6 July 22, 2018 OpenBSD 6.6 667OpenBSD 6.6 January 25, 2020 OpenBSD 6.6