diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
commit | d59fd3e421aa81b8e5e118f3f806081df2aca879 (patch) | |
tree | 356a4e607edc979c625bb33db63c656d771478bd /sshd.8 | |
parent | 7505658c58e96b8d270f1928a0e1fa7f3e0c266b (diff) | |
parent | 45431c9b4677608680cd071768cbf156b316a7e8 (diff) |
Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this will
work.
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 68 |
1 files changed, 47 insertions, 21 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -114,6 +114,29 @@ authentication combined with RSA host | |||
114 | authentication, RSA challenge-response authentication, or password | 114 | authentication, RSA challenge-response authentication, or password |
115 | based authentication. | 115 | based authentication. |
116 | .Pp | 116 | .Pp |
117 | Regardless of the authentication type, the account is checked to | ||
118 | ensure that it is accessible. An account is not accessible if it is | ||
119 | locked, listed in | ||
120 | .Cm DenyUsers | ||
121 | or its group is listed in | ||
122 | .Cm DenyGroups | ||
123 | \&. The definition of a locked account is system dependant. Some platforms | ||
124 | have their own account database (eg AIX) and some modify the passwd field ( | ||
125 | .Ql \&*LK\&* | ||
126 | on Solaris, | ||
127 | .Ql \&* | ||
128 | on HP-UX, containing | ||
129 | .Ql Nologin | ||
130 | on Tru64 and a leading | ||
131 | .Ql \&!! | ||
132 | on Linux). If there is a requirement to disable password authentication | ||
133 | for the account while allowing still public-key, then the passwd field | ||
134 | should be set to something other than these values (eg | ||
135 | .Ql NP | ||
136 | or | ||
137 | .Ql \&*NP\&* | ||
138 | ). | ||
139 | .Pp | ||
117 | Rhosts authentication is normally disabled | 140 | Rhosts authentication is normally disabled |
118 | because it is fundamentally insecure, but can be enabled in the server | 141 | because it is fundamentally insecure, but can be enabled in the server |
119 | configuration file if desired. | 142 | configuration file if desired. |
@@ -295,7 +318,6 @@ may also be used to prevent | |||
295 | from making DNS requests unless the authentication | 318 | from making DNS requests unless the authentication |
296 | mechanism or configuration requires it. | 319 | mechanism or configuration requires it. |
297 | Authentication mechanisms that may require DNS include | 320 | Authentication mechanisms that may require DNS include |
298 | .Cm RhostsAuthentication , | ||
299 | .Cm RhostsRSAAuthentication , | 321 | .Cm RhostsRSAAuthentication , |
300 | .Cm HostbasedAuthentication | 322 | .Cm HostbasedAuthentication |
301 | and using a | 323 | and using a |
@@ -432,13 +454,13 @@ that option keywords are case-insensitive): | |||
432 | Specifies that in addition to public key authentication, the canonical name | 454 | Specifies that in addition to public key authentication, the canonical name |
433 | of the remote host must be present in the comma-separated list of | 455 | of the remote host must be present in the comma-separated list of |
434 | patterns | 456 | patterns |
435 | .Pf ( Ql * | 457 | .Pf ( Ql \&* |
436 | and | 458 | and |
437 | .Ql ? | 459 | .Ql \&? |
438 | serve as wildcards). | 460 | serve as wildcards). |
439 | The list may also contain | 461 | The list may also contain |
440 | patterns negated by prefixing them with | 462 | patterns negated by prefixing them with |
441 | .Ql ! ; | 463 | .Ql \&! ; |
442 | if the canonical host name matches a negated pattern, the key is not accepted. | 464 | if the canonical host name matches a negated pattern, the key is not accepted. |
443 | The purpose | 465 | The purpose |
444 | of this option is to optionally increase security: public key authentication | 466 | of this option is to optionally increase security: public key authentication |
@@ -500,9 +522,9 @@ IPv6 addresses can be specified with an alternative syntax: | |||
500 | .Ar host/port . | 522 | .Ar host/port . |
501 | Multiple | 523 | Multiple |
502 | .Cm permitopen | 524 | .Cm permitopen |
503 | options may be applied separated by commas. No pattern matching is | 525 | options may be applied separated by commas. |
504 | performed on the specified hostnames, they must be literal domains or | 526 | No pattern matching is performed on the specified hostnames, |
505 | addresses. | 527 | they must be literal domains or addresses. |
506 | .El | 528 | .El |
507 | .Ss Examples | 529 | .Ss Examples |
508 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar | 530 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
@@ -527,12 +549,16 @@ Each line in these files contains the following fields: hostnames, | |||
527 | bits, exponent, modulus, comment. | 549 | bits, exponent, modulus, comment. |
528 | The fields are separated by spaces. | 550 | The fields are separated by spaces. |
529 | .Pp | 551 | .Pp |
530 | Hostnames is a comma-separated list of patterns ('*' and '?' act as | 552 | Hostnames is a comma-separated list of patterns |
553 | .Pf ( Ql \&* | ||
554 | and | ||
555 | .Ql \&? | ||
556 | act as | ||
531 | wildcards); each pattern in turn is matched against the canonical host | 557 | wildcards); each pattern in turn is matched against the canonical host |
532 | name (when authenticating a client) or against the user-supplied | 558 | name (when authenticating a client) or against the user-supplied |
533 | name (when authenticating a server). | 559 | name (when authenticating a server). |
534 | A pattern may also be preceded by | 560 | A pattern may also be preceded by |
535 | .Ql ! | 561 | .Ql \&! |
536 | to indicate negation: if the host name matches a negated | 562 | to indicate negation: if the host name matches a negated |
537 | pattern, it is not accepted (by that line) even if it matched another | 563 | pattern, it is not accepted (by that line) even if it matched another |
538 | pattern on the line. | 564 | pattern on the line. |
@@ -770,17 +796,6 @@ This can be used to specify | |||
770 | machine-specific login-time initializations globally. | 796 | machine-specific login-time initializations globally. |
771 | This file should be writable only by root, and should be world-readable. | 797 | This file should be writable only by root, and should be world-readable. |
772 | .El | 798 | .El |
773 | .Sh AUTHORS | ||
774 | OpenSSH is a derivative of the original and free | ||
775 | ssh 1.2.12 release by Tatu Ylonen. | ||
776 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | ||
777 | Theo de Raadt and Dug Song | ||
778 | removed many bugs, re-added newer features and | ||
779 | created OpenSSH. | ||
780 | Markus Friedl contributed the support for SSH | ||
781 | protocol versions 1.5 and 2.0. | ||
782 | Niels Provos and Markus Friedl contributed support | ||
783 | for privilege separation. | ||
784 | .Sh SEE ALSO | 799 | .Sh SEE ALSO |
785 | .Xr scp 1 , | 800 | .Xr scp 1 , |
786 | .Xr sftp 1 , | 801 | .Xr sftp 1 , |
@@ -812,3 +827,14 @@ for privilege separation. | |||
812 | .%D January 2002 | 827 | .%D January 2002 |
813 | .%O work in progress material | 828 | .%O work in progress material |
814 | .Re | 829 | .Re |
830 | .Sh AUTHORS | ||
831 | OpenSSH is a derivative of the original and free | ||
832 | ssh 1.2.12 release by Tatu Ylonen. | ||
833 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | ||
834 | Theo de Raadt and Dug Song | ||
835 | removed many bugs, re-added newer features and | ||
836 | created OpenSSH. | ||
837 | Markus Friedl contributed the support for SSH | ||
838 | protocol versions 1.5 and 2.0. | ||
839 | Niels Provos and Markus Friedl contributed support | ||
840 | for privilege separation. | ||