| author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
| commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
| tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /sshd.8 | |
| parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
| parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) | |
New upstream release (7.2).
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 55 |
1 files changed, 44 insertions, 11 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $ |
37 | .Dd $Mdocdate: July 3 2015 $ | 37 | .Dd $Mdocdate: February 17 2016 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -278,14 +278,12 @@ though this can be changed via the | |||
278 | .Cm Protocol | 278 | .Cm Protocol |
279 | option in | 279 | option in |
280 | .Xr sshd_config 5 . | 280 | .Xr sshd_config 5 . |
281 | Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; | 281 | Protocol 1 should not be used |
282 | protocol 1 only supports RSA keys. | 282 | and is only offered to support legacy devices. |
283 | For both protocols, | ||
284 | each host has a host-specific key, | ||
285 | normally 2048 bits, | ||
286 | used to identify the host. | ||
287 | .Pp | 283 | .Pp |
288 | Forward security for protocol 1 is provided through | 284 | Each host has a host-specific key, |
285 | used to identify the host. | ||
286 | Partial forward security for protocol 1 is provided through | ||
289 | an additional server key, | 287 | an additional server key, |
290 | normally 1024 bits, | 288 | normally 1024 bits, |
291 | generated when the server starts. | 289 | generated when the server starts. |
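Review bot: dropping "normally 2048 bits" from the host-key sentence (old lines 284-286) while keeping "normally 1024 bits" for the protocol 1 server key two lines later leaves the reader with no guidance on host-key size; since the sentence listing DSA, ECDSA, Ed25519 and RSA was also removed, consider stating that the size depends on the key type. The change from "Forward security" to "Partial forward security for protocol 1" is a good correction, but it would help to say in what sense it is partial, because the following lines describe the server-key mechanism without qualification and the "should not be used" advice above is otherwise asserted rather than motivated.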
@@ -473,7 +471,7 @@ does not exist either, xauth is used to add the cookie. | |||
473 | .Cm AuthorizedKeysFile | 471 | .Cm AuthorizedKeysFile |
474 | specifies the files containing public keys for | 472 | specifies the files containing public keys for |
475 | public key authentication; | 473 | public key authentication; |
476 | if none is specified, the default is | 474 | if this option is not specified, the default is |
477 | .Pa ~/.ssh/authorized_keys | 475 | .Pa ~/.ssh/authorized_keys |
478 | and | 476 | and |
479 | .Pa ~/.ssh/authorized_keys2 . | 477 | .Pa ~/.ssh/authorized_keys2 . |
@@ -525,6 +523,10 @@ No spaces are permitted, except within double quotes. | |||
525 | The following option specifications are supported (note | 523 | The following option specifications are supported (note |
526 | that option keywords are case-insensitive): | 524 | that option keywords are case-insensitive): |
527 | .Bl -tag -width Ds | 525 | .Bl -tag -width Ds |
526 | .It Cm agent-forwarding | ||
527 | Enable authentication agent forwarding previously disabled by the | ||
528 | .Cm restrict | ||
529 | option. | ||
528 | .It Cm cert-authority | 530 | .It Cm cert-authority |
529 | Specifies that the listed key is a certification authority (CA) that is | 531 | Specifies that the listed key is a certification authority (CA) that is |
530 | trusted to validate signed certificates for user authentication. | 532 | trusted to validate signed certificates for user authentication. |
@@ -619,6 +621,9 @@ they must be literal domains or addresses. | |||
619 | A port specification of | 621 | A port specification of |
620 | .Cm * | 622 | .Cm * |
621 | matches any port. | 623 | matches any port. |
624 | .It Cm port-forwarding | ||
625 | Enable port forwarding previously disabled by the | ||
626 | .Cm restrict | ||
622 | .It Cm principals="principals" | 627 | .It Cm principals="principals" |
623 | On a | 628 | On a |
624 | .Cm cert-authority | 629 | .Cm cert-authority |
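Review bot: the new port-forwarding entry (new lines 624-626) is missing its closing "option." line: it ends at ".Cm restrict", so the rendered text reads "Enable port forwarding previously disabled by the restrict" and runs straight into the next .It. Add "option." after ".Cm restrict" to match the agent-forwarding, pty and X11-forwarding entries.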
@@ -630,12 +635,33 @@ This option is ignored for keys that are not marked as trusted certificate | |||
630 | signers using the | 635 | signers using the |
631 | .Cm cert-authority | 636 | .Cm cert-authority |
632 | option. | 637 | option. |
638 | .It Cm pty | ||
639 | Permits tty allocation previously disabled by the | ||
640 | .Cm restrict | ||
641 | option. | ||
642 | .It Cm restrict | ||
643 | Enable all restrictions, i.e. disable port, agent and X11 forwarding, | ||
644 | as well as disabling PTY allocation | ||
645 | and execution of | ||
646 | .Pa ~/.ssh/rc . | ||
647 | If any future restriction capabilities are added to authorized_keys files | ||
648 | they will be included in this set. | ||
633 | .It Cm tunnel="n" | 649 | .It Cm tunnel="n" |
634 | Force a | 650 | Force a |
635 | .Xr tun 4 | 651 | .Xr tun 4 |
636 | device on the server. | 652 | device on the server. |
637 | Without this option, the next available device will be used if | 653 | Without this option, the next available device will be used if |
638 | the client requests a tunnel. | 654 | the client requests a tunnel. |
655 | .It Cm user-rc | ||
656 | Enables execution of | ||
657 | .Pa ~/.ssh/rc | ||
658 | previously disabled by the | ||
659 | .Cm restrict | ||
660 | option. | ||
661 | .It Cm X11-forwarding | ||
662 | Permits X11 forwarding previously disabled by the | ||
663 | .Cm restrict | ||
664 | option. | ||
639 | .El | 665 | .El |
640 | .Pp | 666 | .Pp |
641 | An example authorized_keys file: | 667 | An example authorized_keys file: |
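Review bot: the restrict description at new lines 643-646 mixes constructions ("disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of"); suggest "Enable all restrictions, i.e. disable port, agent and X11 forwarding, PTY allocation, and execution of ~/.ssh/rc." The new entries also alternate between "Enable", "Enables" and "Permits", and between "tty" (pty entry) and "PTY" (restrict entry); pick one verb and one spelling. The sentence stating that future restriction capabilities will be folded into restrict is worth keeping as written, since that is the property that lets an administrator rely on restrict for forced-command keys without re-auditing them after upgrades.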
@@ -650,6 +676,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss | |||
650 | AAAAB5...21S== | 676 | AAAAB5...21S== |
651 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | 677 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== |
652 | jane@example.net | 678 | jane@example.net |
679 | restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | ||
680 | user@example.net | ||
681 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | ||
682 | user@example.net | ||
653 | .Ed | 683 | .Ed |
654 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 684 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
655 | The | 685 | The |
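Review bot: the two new example lines depend on option order: "restrict,pty" yields a tty only because pty follows restrict, which the pty entry describes as permitting allocation "previously disabled by the restrict option". The options list should state explicitly that options are applied in the order written, otherwise a reader who writes "pty,restrict" will be surprised to lose the tty. Minor: the earlier examples use a distinct comment per key (jane@example.net), while both new lines use user@example.net.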
@@ -865,9 +895,12 @@ This file is for host-based authentication (see | |||
865 | It should only be writable by root. | 895 | It should only be writable by root. |
866 | .Pp | 896 | .Pp |
867 | .It Pa /etc/ssh/moduli | 897 | .It Pa /etc/ssh/moduli |
868 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 898 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" |
899 | key exchange method. | ||
869 | The file format is described in | 900 | The file format is described in |
870 | .Xr moduli 5 . | 901 | .Xr moduli 5 . |
902 | If no usable groups are found in this file then fixed internal groups will | ||
903 | be used. | ||
871 | .Pp | 904 | .Pp |
872 | .It Pa /etc/motd | 905 | .It Pa /etc/motd |
873 | See | 906 | See |
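Review bot: the new fallback sentence at new lines 902-903 ("If no usable groups are found in this file then fixed internal groups will be used") should say whether sshd logs that fallback; an administrator who curates /etc/ssh/moduli to control which Diffie-Hellman group exchange groups are offered will want to know when a malformed or empty file has been silently replaced by the built-in ones. It would also help to name the sizes of the internal groups, or point to where they are documented.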