- djm@cvs.openbsd.org 2008/06/10 23:06:19

[auth-options.c match.c servconf.c addrmatch.c sshd.8] support CIDR address matching in .ssh/authorized_keys from="..." stanzas ok and extensive testing dtucker@
author: Darren Tucker <dtucker@zip.com.au> 2008-06-11 09:34:46 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2008-06-11 09:34:46 +1000
commit: 896ad5a4e40c48fa9bea71624830cc9cc3ce4fe0 (patch)
tree: aa6eaa6f9ce31379b0843fed78b7487c87e0f7f3 /sshd.8
parent: 8901fa9c88d52ac1f099e7a3ce5bd75089e7e731 (diff)
1 files changed, 17 insertions, 13 deletions
diff --git a/sshd.8 b/sshd.8
index 1ec135ca9..0ae02ea3e 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $
 .Dd $Mdocdate: June 10 2008 $
 .Dt SSHD 8
 .Os
@@ -531,23 +531,27 @@ This option is automatically disabled if
 .Cm UseLogin
 is enabled.
 .It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
+Specifies that in addition to public key authentication, either the canonical
-of the remote host must be present in the comma-separated list of
+name of the remote host or its IP address must be present in the 
-patterns.
+comma-separated list of patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
 See
 .Sx PATTERNS
 in
 .Xr ssh_config 5
 for more information on patterns.
+.Pp
+In addition to the wildcard matching that may be applied to hostnames or
+addresses, a
+.Cm from
+stanza may match IP addressess using CIDR address/masklen notation.
+.Pp
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
 .It Cm no-agent-forwarding
 Forbids authentication agent forwarding when this key is used for
 authentication.
author	Darren Tucker <dtucker@zip.com.au>	2008-06-11 09:34:46 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2008-06-11 09:34:46 +1000
commit	896ad5a4e40c48fa9bea71624830cc9cc3ce4fe0 (patch)
tree	aa6eaa6f9ce31379b0843fed78b7487c87e0f7f3 /sshd.8
parent	8901fa9c88d52ac1f099e7a3ce5bd75089e7e731 (diff)

diff --git a/sshd.8 b/sshd.8 index 1ec135ca9..0ae02ea3e 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $	37	.\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $
38	.Dd $Mdocdate: June 10 2008 $	38	.Dd $Mdocdate: June 10 2008 $
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -531,23 +531,27 @@ This option is automatically disabled if
531	.Cm UseLogin	531	.Cm UseLogin
532	is enabled.	532	is enabled.
533	.It Cm from="pattern-list"	533	.It Cm from="pattern-list"
534	Specifies that in addition to public key authentication, the canonical name	534	Specifies that in addition to public key authentication, either the canonical
535	of the remote host must be present in the comma-separated list of	535	name of the remote host or its IP address must be present in the
536	patterns.	536	comma-separated list of patterns.
537	The purpose
538	of this option is to optionally increase security: public key authentication
539	by itself does not trust the network or name servers or anything (but
540	the key); however, if somebody somehow steals the key, the key
541	permits an intruder to log in from anywhere in the world.
542	This additional option makes using a stolen key more difficult (name
543	servers and/or routers would have to be compromised in addition to
544	just the key).
545	.Pp
546	See	537	See
547	.Sx PATTERNS	538	.Sx PATTERNS
548	in	539	in
549	.Xr ssh_config 5	540	.Xr ssh_config 5
550	for more information on patterns.	541	for more information on patterns.
		542	.Pp
		543	In addition to the wildcard matching that may be applied to hostnames or
		544	addresses, a
		545	.Cm from
		546	stanza may match IP addressess using CIDR address/masklen notation.
		547	.Pp
		548	The purpose of this option is to optionally increase security: public key
		549	authentication by itself does not trust the network or name servers or
		550	anything (but the key); however, if somebody somehow steals the key, the key
		551	permits an intruder to log in from anywhere in the world.
		552	This additional option makes using a stolen key more difficult (name
		553	servers and/or routers would have to be compromised in addition to
		554	just the key).
551	.It Cm no-agent-forwarding	555	.It Cm no-agent-forwarding
552	Forbids authentication agent forwarding when this key is used for	556	Forbids authentication agent forwarding when this key is used for
553	authentication.	557	authentication.