author | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
commit | b7e40fa9da0b5491534a429dadb321eab5a77558 (patch) | |
tree | bed1da11e9f829925797aa093e379fc0b5868ecd /sshd.8 | |
parent | 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff) | |
parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) | |
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
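An example sshd_config fragment, added here and not part of this commit or the upstream changelog, showing the Match, ForceCommand and PermitOpen directives the changelog above describes; the group names and the management subnet are constructed values, while the forced command and the two permitted destinations are taken from the authorized_keys example in this diff.

```sshd_config
# Added example, not part of this commit. Global defaults come first; each
# Match block below overrides them for the matching users, groups or
# addresses and extends to the next Match keyword or the end of the file.
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no

# Constructed group "backup": whatever command the client requests, sshd
# runs the dump instead (ForceCommand, new in 4.4). The client's original
# request is still passed to the command in SSH_ORIGINAL_COMMAND and must
# be treated as untrusted input there.
Match Group backup
    ForceCommand dump /home

# Constructed group "relay": TCP forwarding is allowed, but only to the two
# destinations listed (PermitOpen, new in 4.4); other targets are refused.
Match Group relay
    AllowTcpForwarding yes
    PermitOpen 192.0.2.1:80 192.0.2.2:25

# Constructed management subnet: password authentication is accepted only
# from here (per-address authentication options in Match, new in 4.6).
Match Address 192.0.2.0/24
    PasswordAuthentication yes
```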
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 556 |
1 files changed, 272 insertions, 284 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.215 2006/02/01 09:11:41 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -81,7 +81,7 @@ configuration file. | |||
81 | .Nm | 81 | .Nm |
82 | rereads its configuration file when it receives a hangup signal, | 82 | rereads its configuration file when it receives a hangup signal, |
83 | .Dv SIGHUP , | 83 | .Dv SIGHUP , |
84 | by executing itself with the name and options it was started with, e.g., | 84 | by executing itself with the name and options it was started with, e.g.\& |
85 | .Pa /usr/sbin/sshd . | 85 | .Pa /usr/sbin/sshd . |
86 | .Pp | 86 | .Pp |
87 | The options are as follows: | 87 | The options are as follows: |
@@ -154,7 +154,7 @@ is normally not run | |||
154 | from inetd because it needs to generate the server key before it can | 154 | from inetd because it needs to generate the server key before it can |
155 | respond to the client, and this may take tens of seconds. | 155 | respond to the client, and this may take tens of seconds. |
156 | Clients would have to wait too long if the key was regenerated every time. | 156 | Clients would have to wait too long if the key was regenerated every time. |
157 | However, with small key sizes (e.g., 512) using | 157 | However, with small key sizes (e.g. 512) using |
158 | .Nm | 158 | .Nm |
159 | from inetd may | 159 | from inetd may |
160 | be feasible. | 160 | be feasible. |
@@ -311,17 +311,6 @@ or | |||
311 | .Ql \&*NP\&* | 311 | .Ql \&*NP\&* |
312 | ). | 312 | ). |
313 | .Pp | 313 | .Pp |
314 | System security is not improved unless | ||
315 | .Nm rshd , | ||
316 | .Nm rlogind , | ||
317 | and | ||
318 | .Nm rexecd | ||
319 | are disabled (thus completely disabling | ||
320 | .Xr rlogin | ||
321 | and | ||
322 | .Xr rsh | ||
323 | into the machine). | ||
324 | .Sh COMMAND EXECUTION AND DATA FORWARDING | ||
325 | If the client successfully authenticates itself, a dialog for | 314 | If the client successfully authenticates itself, a dialog for |
326 | preparing the session is entered. | 315 | preparing the session is entered. |
327 | At this time the client may request | 316 | At this time the client may request |
@@ -329,7 +318,7 @@ things like allocating a pseudo-tty, forwarding X11 connections, | |||
329 | forwarding TCP connections, or forwarding the authentication agent | 318 | forwarding TCP connections, or forwarding the authentication agent |
330 | connection over the secure channel. | 319 | connection over the secure channel. |
331 | .Pp | 320 | .Pp |
332 | Finally, the client either requests a shell or execution of a command. | 321 | After this, the client either requests a shell or execution of a command. |
333 | The sides then enter session mode. | 322 | The sides then enter session mode. |
334 | In this mode, either side may send | 323 | In this mode, either side may send |
335 | data at any time, and such data is forwarded to/from the shell or | 324 | data at any time, and such data is forwarded to/from the shell or |
@@ -384,31 +373,73 @@ The | |||
384 | .Dq rc | 373 | .Dq rc |
385 | files are given the X11 | 374 | files are given the X11 |
386 | authentication protocol and cookie in standard input. | 375 | authentication protocol and cookie in standard input. |
376 | See | ||
377 | .Sx SSHRC , | ||
378 | below. | ||
387 | .It | 379 | .It |
388 | Runs user's shell or command. | 380 | Runs user's shell or command. |
389 | .El | 381 | .El |
382 | .Sh SSHRC | ||
383 | If the file | ||
384 | .Pa ~/.ssh/rc | ||
385 | exists, | ||
386 | .Xr sh 1 | ||
387 | runs it after reading the | ||
388 | environment files but before starting the user's shell or command. | ||
389 | It must not produce any output on stdout; stderr must be used | ||
390 | instead. | ||
391 | If X11 forwarding is in use, it will receive the "proto cookie" pair in | ||
392 | its standard input (and | ||
393 | .Ev DISPLAY | ||
394 | in its environment). | ||
395 | The script must call | ||
396 | .Xr xauth 1 | ||
397 | because | ||
398 | .Nm | ||
399 | will not run xauth automatically to add X11 cookies. | ||
400 | .Pp | ||
401 | The primary purpose of this file is to run any initialization routines | ||
402 | which may be needed before the user's home directory becomes | ||
403 | accessible; AFS is a particular example of such an environment. | ||
404 | .Pp | ||
405 | This file will probably contain some initialization code followed by | ||
406 | something similar to: | ||
407 | .Bd -literal -offset 3n | ||
408 | if read proto cookie && [ -n "$DISPLAY" ]; then | ||
409 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | ||
410 | # X11UseLocalhost=yes | ||
411 | echo add unix:`echo $DISPLAY | | ||
412 | cut -c11-` $proto $cookie | ||
413 | else | ||
414 | # X11UseLocalhost=no | ||
415 | echo add $DISPLAY $proto $cookie | ||
416 | fi | xauth -q - | ||
417 | fi | ||
418 | .Ed | ||
419 | .Pp | ||
420 | If this file does not exist, | ||
421 | .Pa /etc/ssh/sshrc | ||
422 | is run, and if that | ||
423 | does not exist either, xauth is used to add the cookie. | ||
390 | .Sh AUTHORIZED_KEYS FILE FORMAT | 424 | .Sh AUTHORIZED_KEYS FILE FORMAT |
391 | .Pa ~/.ssh/authorized_keys | ||
392 | is the default file that lists the public keys that are | ||
393 | permitted for RSA authentication in protocol version 1 | ||
394 | and for public key authentication (PubkeyAuthentication) | ||
395 | in protocol version 2. | ||
396 | .Cm AuthorizedKeysFile | 425 | .Cm AuthorizedKeysFile |
397 | may be used to specify an alternative file. | 426 | specifies the file containing public keys for |
398 | .Pp | 427 | public key authentication; |
428 | if none is specified, the default is | ||
429 | .Pa ~/.ssh/authorized_keys . | ||
399 | Each line of the file contains one | 430 | Each line of the file contains one |
400 | key (empty lines and lines starting with a | 431 | key (empty lines and lines starting with a |
401 | .Ql # | 432 | .Ql # |
402 | are ignored as | 433 | are ignored as |
403 | comments). | 434 | comments). |
404 | Each RSA public key consists of the following fields, separated by | 435 | Protocol 1 public keys consist of the following space-separated fields: |
405 | spaces: options, bits, exponent, modulus, comment. | 436 | options, bits, exponent, modulus, comment. |
406 | Each protocol version 2 public key consists of: | 437 | Protocol 2 public key consist of: |
407 | options, keytype, base64 encoded key, comment. | 438 | options, keytype, base64-encoded key, comment. |
408 | The options field | 439 | The options field is optional; |
409 | is optional; its presence is determined by whether the line starts | 440 | its presence is determined by whether the line starts |
410 | with a number or not (the options field never starts with a number). | 441 | with a number or not (the options field never starts with a number). |
411 | The bits, exponent, modulus and comment fields give the RSA key for | 442 | The bits, exponent, modulus, and comment fields give the RSA key for |
412 | protocol version 1; the | 443 | protocol version 1; the |
413 | comment field is not used for anything (but may be convenient for the | 444 | comment field is not used for anything (but may be convenient for the |
414 | user to identify the key). | 445 | user to identify the key). |
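Review bot: grammar in new line 437, "Protocol 2 public key consist of:" should read "Protocol 2 public keys consist of:" to match "Protocol 1 public keys consist of" on new line 435. The new SSHRC section reads well; since it states that sshd will not add the X11 cookie itself once ~/.ssh/rc exists, the sentence at new lines 420-423 should make explicit that a /etc/ssh/sshrc that omits the xauth call breaks X11 forwarding for every user in the same way, rather than leaving that to be inferred.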
@@ -423,7 +454,7 @@ Note that lines in this file are usually several hundred bytes long | |||
423 | keys up to 16 kilobits. | 454 | keys up to 16 kilobits. |
424 | You don't want to type them in; instead, copy the | 455 | You don't want to type them in; instead, copy the |
425 | .Pa identity.pub , | 456 | .Pa identity.pub , |
426 | .Pa id_dsa.pub | 457 | .Pa id_dsa.pub , |
427 | or the | 458 | or the |
428 | .Pa id_rsa.pub | 459 | .Pa id_rsa.pub |
429 | file and edit it. | 460 | file and edit it. |
@@ -438,26 +469,6 @@ No spaces are permitted, except within double quotes. | |||
438 | The following option specifications are supported (note | 469 | The following option specifications are supported (note |
439 | that option keywords are case-insensitive): | 470 | that option keywords are case-insensitive): |
440 | .Bl -tag -width Ds | 471 | .Bl -tag -width Ds |
441 | .It Cm from="pattern-list" | ||
442 | Specifies that in addition to public key authentication, the canonical name | ||
443 | of the remote host must be present in the comma-separated list of | ||
444 | patterns | ||
445 | .Pf ( Ql \&* | ||
446 | and | ||
447 | .Ql \&? | ||
448 | serve as wildcards). | ||
449 | The list may also contain | ||
450 | patterns negated by prefixing them with | ||
451 | .Ql \&! ; | ||
452 | if the canonical host name matches a negated pattern, the key is not accepted. | ||
453 | The purpose | ||
454 | of this option is to optionally increase security: public key authentication | ||
455 | by itself does not trust the network or name servers or anything (but | ||
456 | the key); however, if somebody somehow steals the key, the key | ||
457 | permits an intruder to log in from anywhere in the world. | ||
458 | This additional option makes using a stolen key more difficult (name | ||
459 | servers and/or routers would have to be compromised in addition to | ||
460 | just the key). | ||
461 | .It Cm command="command" | 472 | .It Cm command="command" |
462 | Specifies that the command is executed whenever this key is used for | 473 | Specifies that the command is executed whenever this key is used for |
463 | authentication. | 474 | authentication. |
@@ -473,6 +484,9 @@ to restrict certain public keys to perform just a specific operation. | |||
473 | An example might be a key that permits remote backups but nothing else. | 484 | An example might be a key that permits remote backups but nothing else. |
474 | Note that the client may specify TCP and/or X11 | 485 | Note that the client may specify TCP and/or X11 |
475 | forwarding unless they are explicitly prohibited. | 486 | forwarding unless they are explicitly prohibited. |
487 | The command originally supplied by the client is available in the | ||
488 | .Ev SSH_ORIGINAL_COMMAND | ||
489 | environment variable. | ||
476 | Note that this option applies to shell, command or subsystem execution. | 490 | Note that this option applies to shell, command or subsystem execution. |
477 | .It Cm environment="NAME=value" | 491 | .It Cm environment="NAME=value" |
478 | Specifies that the string is to be added to the environment when | 492 | Specifies that the string is to be added to the environment when |
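Review bot: the new SSH_ORIGINAL_COMMAND sentence (new lines 487-489) should say that the value is whatever the client requested and is therefore untrusted input to the forced command; this paragraph is about restricting a key to one operation such as a backup, and a forced command that hands SSH_ORIGINAL_COMMAND to a shell unvalidated undoes that restriction. Suggested wording: "The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable and should be treated as untrusted input."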
@@ -487,20 +501,38 @@ option. | |||
487 | This option is automatically disabled if | 501 | This option is automatically disabled if |
488 | .Cm UseLogin | 502 | .Cm UseLogin |
489 | is enabled. | 503 | is enabled. |
504 | .It Cm from="pattern-list" | ||
505 | Specifies that in addition to public key authentication, the canonical name | ||
506 | of the remote host must be present in the comma-separated list of | ||
507 | patterns. | ||
508 | The purpose | ||
509 | of this option is to optionally increase security: public key authentication | ||
510 | by itself does not trust the network or name servers or anything (but | ||
511 | the key); however, if somebody somehow steals the key, the key | ||
512 | permits an intruder to log in from anywhere in the world. | ||
513 | This additional option makes using a stolen key more difficult (name | ||
514 | servers and/or routers would have to be compromised in addition to | ||
515 | just the key). | ||
516 | .Pp | ||
517 | See | ||
518 | .Sx PATTERNS | ||
519 | in | ||
520 | .Xr ssh_config 5 | ||
521 | for more information on patterns. | ||
522 | .It Cm no-agent-forwarding | ||
523 | Forbids authentication agent forwarding when this key is used for | ||
524 | authentication. | ||
490 | .It Cm no-port-forwarding | 525 | .It Cm no-port-forwarding |
491 | Forbids TCP forwarding when this key is used for authentication. | 526 | Forbids TCP forwarding when this key is used for authentication. |
492 | Any port forward requests by the client will return an error. | 527 | Any port forward requests by the client will return an error. |
493 | This might be used, e.g., in connection with the | 528 | This might be used, e.g. in connection with the |
494 | .Cm command | 529 | .Cm command |
495 | option. | 530 | option. |
531 | .It Cm no-pty | ||
532 | Prevents tty allocation (a request to allocate a pty will fail). | ||
496 | .It Cm no-X11-forwarding | 533 | .It Cm no-X11-forwarding |
497 | Forbids X11 forwarding when this key is used for authentication. | 534 | Forbids X11 forwarding when this key is used for authentication. |
498 | Any X11 forward requests by the client will return an error. | 535 | Any X11 forward requests by the client will return an error. |
499 | .It Cm no-agent-forwarding | ||
500 | Forbids authentication agent forwarding when this key is used for | ||
501 | authentication. | ||
502 | .It Cm no-pty | ||
503 | Prevents tty allocation (a request to allocate a pty will fail). | ||
504 | .It Cm permitopen="host:port" | 536 | .It Cm permitopen="host:port" |
505 | Limit local | 537 | Limit local |
506 | .Li ``ssh -L'' | 538 | .Li ``ssh -L'' |
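Review bot: the re-added from= entry (new lines 504-521) drops the old statement (old lines 445-452) that `*` and `?` are wildcards and that a `!`-prefixed pattern negates, with the key refused when the canonical host name matches a negated pattern, in favour of a pointer to PATTERNS in ssh_config(5). That is acceptable only if that section covers negation; if it does not, keep the one sentence about negated patterns here, since the example file later in this diff relies on `!pc.sales.example.net`. Ordering the options alphabetically (from, no-agent-forwarding, no-port-forwarding, no-pty, no-X11-forwarding) is a good change.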
@@ -520,16 +552,20 @@ device on the server. | |||
520 | Without this option, the next available device will be used if | 552 | Without this option, the next available device will be used if |
521 | the client requests a tunnel. | 553 | the client requests a tunnel. |
522 | .El | 554 | .El |
523 | .Ss Examples | ||
524 | 1024 33 12121...312314325 ylo@foo.bar | ||
525 | .Pp | 555 | .Pp |
526 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula | 556 | An example authorized_keys file: |
527 | .Pp | 557 | .Bd -literal -offset 3n |
528 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi | 558 | # Comments allowed at start of line |
529 | .Pp | 559 | ssh-rsa AAAAB3Nza...LiPk== user@example.net |
530 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 560 | from="*.sales.example.net,!pc.sales.example.net" ssh-rsa |
531 | .Pp | 561 | AAAAB2...19Q== john@example.net |
532 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org | 562 | command="dump /home",no-pty,no-port-forwarding ssh-dss |
563 | AAAAC3...51R== example.net | ||
564 | permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss | ||
565 | AAAAB5...21S== | ||
566 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | ||
567 | jane@example.net | ||
568 | .Ed | ||
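Review bot: four of the entries in the new literal block (new lines 560-561, 562-563, 564-565 and 566-567) are wrapped onto two lines, but an authorized_keys entry must occupy a single line, as the "Each line of the file contains one key" sentence earlier in this diff states; a reader who copies the example verbatim gets a file whose second halves are parsed as separate, invalid keys. Either keep each entry on one line inside the `.Bd -literal` block or add a sentence saying the entries are wrapped here only for display. Replacing the hut.fi hosts and 10.x addresses with example.net and 192.0.2.x documentation values is welcome.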
533 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 569 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
534 | The | 570 | The |
535 | .Pa /etc/ssh/ssh_known_hosts | 571 | .Pa /etc/ssh/ssh_known_hosts |
@@ -538,7 +574,7 @@ and | |||
538 | files contain host public keys for all known hosts. | 574 | files contain host public keys for all known hosts. |
539 | The global file should | 575 | The global file should |
540 | be prepared by the administrator (optional), and the per-user file is | 576 | be prepared by the administrator (optional), and the per-user file is |
541 | maintained automatically: whenever the user connects from an unknown host | 577 | maintained automatically: whenever the user connects from an unknown host, |
542 | its key is added to the per-user file. | 578 | its key is added to the per-user file. |
543 | .Pp | 579 | .Pp |
544 | Each line in these files contains the following fields: hostnames, | 580 | Each line in these files contains the following fields: hostnames, |
@@ -546,7 +582,7 @@ bits, exponent, modulus, comment. | |||
546 | The fields are separated by spaces. | 582 | The fields are separated by spaces. |
547 | .Pp | 583 | .Pp |
548 | Hostnames is a comma-separated list of patterns | 584 | Hostnames is a comma-separated list of patterns |
549 | .Pf ( Ql \&* | 585 | .Pf ( Ql * |
550 | and | 586 | and |
551 | .Ql \&? | 587 | .Ql \&? |
552 | act as | 588 | act as |
@@ -558,6 +594,13 @@ A pattern may also be preceded by | |||
558 | to indicate negation: if the host name matches a negated | 594 | to indicate negation: if the host name matches a negated |
559 | pattern, it is not accepted (by that line) even if it matched another | 595 | pattern, it is not accepted (by that line) even if it matched another |
560 | pattern on the line. | 596 | pattern on the line. |
597 | A hostname or address may optionally be enclosed within | ||
598 | .Ql \&[ | ||
599 | and | ||
600 | .Ql \&] | ||
601 | brackets then followed by | ||
602 | .Ql \&: | ||
603 | and a non-standard port number. | ||
561 | .Pp | 604 | .Pp |
562 | Alternately, hostnames may be stored in a hashed form which hides host names | 605 | Alternately, hostnames may be stored in a hashed form which hides host names |
563 | and addresses should the file's contents be disclosed. | 606 | and addresses should the file's contents be disclosed. |
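Review bot: the new bracketed-port sentence (new lines 597-603) documents the changelog item about ssh recording non-standard ports in known_hosts, but nothing on this page shows the resulting syntax and the ssh_known_hosts example later in this diff has no bracketed entry; add one line of the form `[cvs.example.net]:2222 ssh-rsa AAAA1234.....=` there so readers see the form. It would also help to state whether the bracketed form may be combined with the hashed form described in the next paragraph, which allows only one hashed hostname per line.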
@@ -568,7 +611,7 @@ Only one hashed hostname may appear on a single line and none of the above | |||
568 | negation or wildcard operators may be applied. | 611 | negation or wildcard operators may be applied. |
569 | .Pp | 612 | .Pp |
570 | Bits, exponent, and modulus are taken directly from the RSA host key; they | 613 | Bits, exponent, and modulus are taken directly from the RSA host key; they |
571 | can be obtained, e.g., from | 614 | can be obtained, for example, from |
572 | .Pa /etc/ssh/ssh_host_key.pub . | 615 | .Pa /etc/ssh/ssh_host_key.pub . |
573 | The optional comment field continues to the end of the line, and is not used. | 616 | The optional comment field continues to the end of the line, and is not used. |
574 | .Pp | 617 | .Pp |
@@ -593,88 +636,19 @@ Rather, generate them by a script | |||
593 | or by taking | 636 | or by taking |
594 | .Pa /etc/ssh/ssh_host_key.pub | 637 | .Pa /etc/ssh/ssh_host_key.pub |
595 | and adding the host names at the front. | 638 | and adding the host names at the front. |
596 | .Ss Examples | 639 | .Pp |
597 | .Bd -literal | 640 | An example ssh_known_hosts file: |
598 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 641 | .Bd -literal -offset 3n |
599 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 642 | # Comments allowed at start of line |
600 | .Ed | 643 | closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net |
601 | .Bd -literal | 644 | cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= |
602 | # A hashed hostname | 645 | # A hashed hostname |
603 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | 646 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
604 | AAAA1234.....= | 647 | AAAA1234.....= |
605 | .Ed | 648 | .Ed |
606 | .Sh FILES | 649 | .Sh FILES |
607 | .Bl -tag -width Ds | 650 | .Bl -tag -width Ds -compact |
608 | .It Pa /etc/ssh/sshd_config | 651 | .It ~/.hushlogin |
609 | Contains configuration data for | ||
610 | .Nm sshd . | ||
611 | The file format and configuration options are described in | ||
612 | .Xr sshd_config 5 . | ||
613 | .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key | ||
614 | These three files contain the private parts of the host keys. | ||
615 | These files should only be owned by root, readable only by root, and not | ||
616 | accessible to others. | ||
617 | Note that | ||
618 | .Nm | ||
619 | does not start if this file is group/world-accessible. | ||
620 | .It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub | ||
621 | These three files contain the public parts of the host keys. | ||
622 | These files should be world-readable but writable only by | ||
623 | root. | ||
624 | Their contents should match the respective private parts. | ||
625 | These files are not | ||
626 | really used for anything; they are provided for the convenience of | ||
627 | the user so their contents can be copied to known hosts files. | ||
628 | These files are created using | ||
629 | .Xr ssh-keygen 1 . | ||
630 | .It Pa /etc/ssh/moduli | ||
631 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | ||
632 | The file format is described in | ||
633 | .Xr moduli 5 . | ||
634 | .It Pa /var/empty | ||
635 | .Xr chroot 2 | ||
636 | directory used by | ||
637 | .Nm | ||
638 | during privilege separation in the pre-authentication phase. | ||
639 | The directory should not contain any files and must be owned by root | ||
640 | and not group or world-writable. | ||
641 | .It Pa /var/run/sshd.pid | ||
642 | Contains the process ID of the | ||
643 | .Nm | ||
644 | listening for connections (if there are several daemons running | ||
645 | concurrently for different ports, this contains the process ID of the one | ||
646 | started last). | ||
647 | The content of this file is not sensitive; it can be world-readable. | ||
648 | .It Pa ~/.ssh/authorized_keys | ||
649 | Lists the public keys (RSA or DSA) that can be used to log into the user's account. | ||
650 | This file must be readable by root (which may on some machines imply | ||
651 | it being world-readable if the user's home directory resides on an NFS | ||
652 | volume). | ||
653 | It is recommended that it not be accessible by others. | ||
654 | The format of this file is described above. | ||
655 | Users will place the contents of their | ||
656 | .Pa identity.pub , | ||
657 | .Pa id_dsa.pub | ||
658 | and/or | ||
659 | .Pa id_rsa.pub | ||
660 | files into this file, as described in | ||
661 | .Xr ssh-keygen 1 . | ||
662 | .It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts" | ||
663 | These files are consulted when using rhosts with RSA host | ||
664 | authentication or protocol version 2 hostbased authentication | ||
665 | to check the public key of the host. | ||
666 | The key must be listed in one of these files to be accepted. | ||
667 | The client uses the same files | ||
668 | to verify that it is connecting to the correct remote host. | ||
669 | These files should be writable only by root/the owner. | ||
670 | .Pa /etc/ssh/ssh_known_hosts | ||
671 | should be world-readable, and | ||
672 | .Pa ~/.ssh/known_hosts | ||
673 | can, but need not be, world-readable. | ||
674 | .It Pa /etc/motd | ||
675 | See | ||
676 | .Xr motd 5 . | ||
677 | .It Pa ~/.hushlogin | ||
678 | This file is used to suppress printing the last login time and | 652 | This file is used to suppress printing the last login time and |
679 | .Pa /etc/motd , | 653 | .Pa /etc/motd , |
680 | if | 654 | if |
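Review bot: this hunk deletes the FILES entries for /etc/ssh/sshd_config, the three host private keys (including the note that sshd refuses to start if they are group/world-accessible), their .pub counterparts, /var/empty and /var/run/sshd.pid (old lines 608-647). The later hunks re-add hosts.allow/deny, hosts.equiv, moduli, motd and nologin in the new alphabetical `-compact` list, but the list is cut off on this page before any /etc/ssh/ssh_host_* or /var entries, so confirm that those entries, in particular the host-key ownership and permission requirement and the root-owned, not group- or world-writable /var/empty note, are restored further down rather than lost. Merging the two known_hosts examples into one literal block with a leading comment line is fine.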
@@ -685,86 +659,49 @@ respectively, | |||
685 | are enabled. | 659 | are enabled. |
686 | It does not suppress printing of the banner specified by | 660 | It does not suppress printing of the banner specified by |
687 | .Cm Banner . | 661 | .Cm Banner . |
688 | .It Pa /etc/nologin | 662 | .Pp |
689 | If this file exists, | 663 | .It ~/.rhosts |
664 | This file is used for host-based authentication (see | ||
665 | .Xr ssh 1 | ||
666 | for more information). | ||
667 | On some machines this file may need to be | ||
668 | world-readable if the user's home directory is on an NFS partition, | ||
669 | because | ||
690 | .Nm | 670 | .Nm |
691 | refuses to let anyone except root log in. | 671 | reads it as root. |
692 | The contents of the file | 672 | Additionally, this file must be owned by the user, |
693 | are displayed to anyone trying to log in, and non-root connections are | 673 | and must not have write permissions for anyone else. |
694 | refused. | 674 | The recommended |
695 | The file should be world-readable. | 675 | permission for most machines is read/write for the user, and not |
696 | .It Pa /etc/hosts.allow, /etc/hosts.deny | ||
697 | Access controls that should be enforced by tcp-wrappers are defined here. | ||
698 | Further details are described in | ||
699 | .Xr hosts_access 5 . | ||
700 | .It Pa ~/.rhosts | ||
701 | This file is used during | ||
702 | .Cm RhostsRSAAuthentication | ||
703 | and | ||
704 | .Cm HostbasedAuthentication | ||
705 | and contains host-username pairs, separated by a space, one per | ||
706 | line. | ||
707 | The given user on the corresponding host is permitted to log in | ||
708 | without a password. | ||
709 | The same file is used by rlogind and rshd. | ||
710 | The file must | ||
711 | be writable only by the user; it is recommended that it not be | ||
712 | accessible by others. | 676 | accessible by others. |
713 | .Pp | 677 | .Pp |
714 | It is also possible to use netgroups in the file. | 678 | .It ~/.shosts |
715 | Either host or user | 679 | This file is used in exactly the same way as |
716 | name may be of the form +@groupname to specify all hosts or all users | 680 | .Pa .rhosts , |
717 | in the group. | 681 | but allows host-based authentication without permitting login with |
718 | .It Pa ~/.shosts | 682 | rlogin/rsh. |
719 | For ssh, | 683 | .Pp |
720 | this file is exactly the same as for | 684 | .It ~/.ssh/authorized_keys |
721 | .Pa .rhosts . | 685 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. |
722 | However, this file is | 686 | The format of this file is described above. |
723 | not used by rlogin and rshd, so using this permits access using SSH only. | 687 | The content of the file is not highly sensitive, but the recommended |
724 | .It Pa /etc/hosts.equiv | 688 | permissions are read/write for the user, and not accessible by others. |
725 | This file is used during | 689 | .Pp |
726 | .Cm RhostsRSAAuthentication | 690 | If this file, the |
727 | and | 691 | .Pa ~/.ssh |
728 | .Cm HostbasedAuthentication | 692 | directory, or the user's home directory are writable |
729 | authentication. | 693 | by other users, then the file could be modified or replaced by unauthorized |
730 | In the simplest form, this file contains host names, one per line. | 694 | users. |
731 | Users on | 695 | In this case, |
732 | those hosts are permitted to log in without a password, provided they | 696 | .Nm |
733 | have the same user name on both machines. | 697 | will not allow it to be used unless the |
734 | The host name may also be | 698 | .Cm StrictModes |
735 | followed by a user name; such users are permitted to log in as | 699 | option has been set to |
736 | .Em any | 700 | .Dq no . |
737 | user on this machine (except root). | 701 | The recommended permissions can be set by executing |
738 | Additionally, the syntax | 702 | .Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys . |
739 | .Dq +@group | 703 | .Pp |
740 | can be used to specify netgroups. | 704 | .It ~/.ssh/environment |
741 | Negated entries start with | ||
742 | .Ql \&- . | ||
743 | .Pp | ||
744 | If the client host/user is successfully matched in this file, login is | ||
745 | automatically permitted provided the client and server user names are the | ||
746 | same. | ||
747 | Additionally, successful client host key authentication is required. | ||
748 | This file must be writable only by root; it is recommended | ||
749 | that it be world-readable. | ||
750 | .Pp | ||
751 | .Sy "Warning: It is almost never a good idea to use user names in" | ||
752 | .Pa hosts.equiv . | ||
753 | Beware that it really means that the named user(s) can log in as | ||
754 | .Em anybody , | ||
755 | which includes bin, daemon, adm, and other accounts that own critical | ||
756 | binaries and directories. | ||
757 | Using a user name practically grants the user root access. | ||
758 | The only valid use for user names that I can think | ||
759 | of is in negative entries. | ||
760 | .Pp | ||
761 | Note that this warning also applies to rsh/rlogin. | ||
762 | .It Pa /etc/shosts.equiv | ||
763 | This is processed exactly as | ||
764 | .Pa /etc/hosts.equiv . | ||
765 | However, this file may be useful in environments that want to run both | ||
766 | rsh/rlogin and ssh. | ||
767 | .It Pa ~/.ssh/environment | ||
768 | This file is read into the environment at login (if it exists). | 705 | This file is read into the environment at login (if it exists). |
769 | It can only contain empty lines, comment lines (that start with | 706 | It can only contain empty lines, comment lines (that start with |
770 | .Ql # ) , | 707 | .Ql # ) , |
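Review bot: the hosts.equiv text removed here (old lines 724-761) carries the warning that a user name in hosts.equiv lets that user log in as any local account except root, which in practice grants root, and the replacement entry in the next hunk (new lines 735-738) says only that the file is for host-based authentication and should be writable by root alone; unless ssh(1), to which the new entry points, carries that warning, keep one sentence of it here. The ~/.rhosts entry likewise drops the description of the file's contents (host/user-name pairs, one per line, old lines 705-706), which is worth keeping. The rewritten ~/.ssh/authorized_keys entry (new lines 685-702) is an improvement: it spells out the StrictModes consequence of a writable home directory, ~/.ssh or authorized_keys and gives the `chmod go-w` fix.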
@@ -775,55 +712,115 @@ Environment processing is disabled by default and is | |||
775 | controlled via the | 712 | controlled via the |
776 | .Cm PermitUserEnvironment | 713 | .Cm PermitUserEnvironment |
777 | option. | 714 | option. |
778 | .It Pa ~/.ssh/rc | 715 | .Pp |
779 | If this file exists, it is run with | 716 | .It ~/.ssh/known_hosts |
780 | .Pa /bin/sh | 717 | Contains a list of host keys for all hosts the user has logged into |
781 | after reading the | 718 | that are not already in the systemwide list of known host keys. |
782 | environment files but before starting the user's shell or command. | 719 | The format of this file is described above. |
783 | It must not produce any output on stdout; stderr must be used | 720 | This file should be writable only by root/the owner and |
784 | instead. | 721 | can, but need not be, world-readable. |
785 | If X11 forwarding is in use, it will receive the "proto cookie" pair in | 722 | .Pp |
786 | its standard input (and | 723 | .It ~/.ssh/rc |
787 | .Ev DISPLAY | 724 | Contains initialization routines to be run before |
788 | in its environment). | 725 | the user's home directory becomes accessible. |
789 | The script must call | 726 | This file should be writable only by the user, and need not be |
790 | .Xr xauth 1 | 727 | readable by anyone else. |
791 | because | 728 | .Pp |
729 | .It /etc/hosts.allow | ||
730 | .It /etc/hosts.deny | ||
731 | Access controls that should be enforced by tcp-wrappers are defined here. | ||
732 | Further details are described in | ||
733 | .Xr hosts_access 5 . | ||
734 | .Pp | ||
735 | .It /etc/hosts.equiv | ||
736 | This file is for host-based authentication (see | ||
737 | .Xr ssh 1 ) . | ||
738 | It should only be writable by root. | ||
739 | .Pp | ||
740 | .It /etc/ssh/moduli | ||
741 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | ||
742 | The file format is described in | ||
743 | .Xr moduli 5 . | ||
744 | .Pp | ||
745 | .It /etc/motd | ||
746 | See | ||
747 | .Xr motd 5 . | ||
748 | .Pp | ||
749 | .It /etc/nologin | ||
750 | If this file exists, | ||
792 | .Nm | 751 | .Nm |
793 | will not run xauth automatically to add X11 cookies. | 752 | refuses to let anyone except root log in. |
753 | The contents of the file | ||
754 | are displayed to anyone trying to log in, and non-root connections are | ||
755 | refused. | ||
756 | The file should be world-readable. | ||
794 | .Pp | 757 | .Pp |
795 | The primary purpose of this file is to run any initialization routines | 758 | .It /etc/shosts.equiv |
796 | which may be needed before the user's home directory becomes | 759 | This file is used in exactly the same way as |
797 | accessible; AFS is a particular example of such an environment. | 760 | .Pa hosts.equiv , |
761 | but allows host-based authentication without permitting login with | ||
762 | rlogin/rsh. | ||
763 | .Pp | ||
764 | .It /etc/ssh/ssh_known_hosts | ||
765 | Systemwide list of known host keys. | ||
766 | This file should be prepared by the | ||
767 | system administrator to contain the public host keys of all machines in the | ||
768 | organization. | ||
769 | The format of this file is described above. | ||
770 | This file should be writable only by root/the owner and | ||
771 | should be world-readable. | ||
798 | .Pp | 772 | .Pp |
799 | This file will probably contain some initialization code followed by | 773 | .It /etc/ssh/ssh_host_key |
800 | something similar to: | 774 | .It /etc/ssh/ssh_host_dsa_key |
801 | .Bd -literal | 775 | .It /etc/ssh/ssh_host_rsa_key |
802 | if read proto cookie && [ -n "$DISPLAY" ]; then | 776 | These three files contain the private parts of the host keys. |
803 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | 777 | These files should only be owned by root, readable only by root, and not |
804 | # X11UseLocalhost=yes | 778 | accessible to others. |
805 | echo add unix:`echo $DISPLAY | | 779 | Note that |
806 | cut -c11-` $proto $cookie | 780 | .Nm |
807 | else | 781 | does not start if these files are group/world-accessible. |
808 | # X11UseLocalhost=no | ||
809 | echo add $DISPLAY $proto $cookie | ||
810 | fi | xauth -q - | ||
811 | fi | ||
812 | .Ed | ||
813 | .Pp | 782 | .Pp |
814 | If this file does not exist, | 783 | .It /etc/ssh/ssh_host_key.pub |
815 | .Pa /etc/ssh/sshrc | 784 | .It /etc/ssh/ssh_host_dsa_key.pub |
816 | is run, and if that | 785 | .It /etc/ssh/ssh_host_rsa_key.pub |
817 | does not exist either, xauth is used to add the cookie. | 786 | These three files contain the public parts of the host keys. |
787 | These files should be world-readable but writable only by | ||
788 | root. | ||
789 | Their contents should match the respective private parts. | ||
790 | These files are not | ||
791 | really used for anything; they are provided for the convenience of | ||
792 | the user so their contents can be copied to known hosts files. | ||
793 | These files are created using | ||
794 | .Xr ssh-keygen 1 . | ||
818 | .Pp | 795 | .Pp |
819 | This file should be writable only by the user, and need not be | 796 | .It /etc/ssh/sshd_config |
820 | readable by anyone else. | 797 | Contains configuration data for |
821 | .It Pa /etc/ssh/sshrc | 798 | .Nm sshd . |
822 | Like | 799 | The file format and configuration options are described in |
823 | .Pa ~/.ssh/rc . | 800 | .Xr sshd_config 5 . |
824 | This can be used to specify | 801 | .Pp |
802 | .It /etc/ssh/sshrc | ||
803 | Similar to | ||
804 | .Pa ~/.ssh/rc , | ||
805 | it can be used to specify | ||
825 | machine-specific login-time initializations globally. | 806 | machine-specific login-time initializations globally. |
826 | This file should be writable only by root, and should be world-readable. | 807 | This file should be writable only by root, and should be world-readable. |
808 | .Pp | ||
809 | .It /var/empty | ||
810 | .Xr chroot 2 | ||
811 | directory used by | ||
812 | .Nm | ||
813 | during privilege separation in the pre-authentication phase. | ||
814 | The directory should not contain any files and must be owned by root | ||
815 | and not group or world-writable. | ||
816 | .Pp | ||
817 | .It /var/run/sshd.pid | ||
818 | Contains the process ID of the | ||
819 | .Nm | ||
820 | listening for connections (if there are several daemons running | ||
821 | concurrently for different ports, this contains the process ID of the one | ||
822 | started last). | ||
823 | The content of this file is not sensitive; it can be world-readable. | ||
827 | .El | 824 | .El |
828 | .Sh SEE ALSO | 825 | .Sh SEE ALSO |
829 | .Xr scp 1 , | 826 | .Xr scp 1 , |
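Review bot: the new ~/.ssh/rc entry ("Contains initialization routines to be run before the user's home directory becomes accessible") loses three behavioural facts the removed text stated and that users writing an rc script depend on: the script must not write to stdout (stderr only), it receives the X11 "proto cookie" pair on stdin together with DISPLAY and must call xauth(1) itself because sshd then does not add the cookie, and the fallback order is ~/.ssh/rc, then /etc/ssh/sshrc, then xauth. Dropping the `if read proto cookie && [ -n "$DISPLAY" ]` example silently breaks X11 forwarding for anyone who copies an rc script without the xauth call, so either keep those sentences in this entry or add an `.Xr` to wherever the script and its rules moved. The /etc/hosts.allow and /etc/hosts.deny entry ("Access controls that should be enforced by tcp-wrappers are defined here") reads as if the check is unconditional; tcp-wrappers support is a build-time option in portable OpenSSH, so the sentence should say the files are consulted only when sshd was built with libwrap support.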
@@ -839,26 +836,6 @@ This file should be writable only by root, and should be world-readable. | |||
839 | .Xr sshd_config 5 , | 836 | .Xr sshd_config 5 , |
840 | .Xr inetd 8 , | 837 | .Xr inetd 8 , |
841 | .Xr sftp-server 8 | 838 | .Xr sftp-server 8 |
842 | .Rs | ||
843 | .%A T. Ylonen | ||
844 | .%A T. Kivinen | ||
845 | .%A M. Saarinen | ||
846 | .%A T. Rinne | ||
847 | .%A S. Lehtinen | ||
848 | .%T "SSH Protocol Architecture" | ||
849 | .%N draft-ietf-secsh-architecture-12.txt | ||
850 | .%D January 2002 | ||
851 | .%O work in progress material | ||
852 | .Re | ||
853 | .Rs | ||
854 | .%A M. Friedl | ||
855 | .%A N. Provos | ||
856 | .%A W. A. Simpson | ||
857 | .%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" | ||
858 | .%N draft-ietf-secsh-dh-group-exchange-02.txt | ||
859 | .%D January 2002 | ||
860 | .%O work in progress material | ||
861 | .Re | ||
862 | .Sh AUTHORS | 839 | .Sh AUTHORS |
863 | OpenSSH is a derivative of the original and free | 840 | OpenSSH is a derivative of the original and free |
864 | ssh 1.2.12 release by Tatu Ylonen. | 841 | ssh 1.2.12 release by Tatu Ylonen. |
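Review bot: deleting both `.Rs` blocks leaves SEE ALSO with no protocol reference at all, while the FILES section added in this same diff still describes the "Diffie-Hellman Group Exchange" in the /etc/ssh/moduli entry. The two drafts (draft-ietf-secsh-architecture-12.txt and draft-ietf-secsh-dh-group-exchange-02.txt, both marked "work in progress material" from January 2002) are stale, so removing them is fine, but the replacement should be a citation of the published RFCs (RFC 4251 for the SSH protocol architecture and RFC 4419 for group exchange) or an `.Xr` to the page the references were moved to, not an empty gap.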
@@ -870,3 +847,14 @@ Markus Friedl contributed the support for SSH | |||
870 | protocol versions 1.5 and 2.0. | 847 | protocol versions 1.5 and 2.0. |
871 | Niels Provos and Markus Friedl contributed support | 848 | Niels Provos and Markus Friedl contributed support |
872 | for privilege separation. | 849 | for privilege separation. |
850 | .Sh CAVEATS | ||
851 | System security is not improved unless | ||
852 | .Nm rshd , | ||
853 | .Nm rlogind , | ||
854 | and | ||
855 | .Nm rexecd | ||
856 | are disabled (thus completely disabling | ||
857 | .Xr rlogin | ||
858 | and | ||
859 | .Xr rsh | ||
860 | into the machine). | ||
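Review bot: in the new CAVEATS section `.Xr rlogin` and `.Xr rsh` are missing their section arguments and should read `.Xr rlogin 1` and `.Xr rsh 1`; likewise `.Nm rshd ,`, `.Nm rlogind ,` and `.Nm rexecd` use the `.Nm` macro for programs other than this page's subject, where mdoc convention is a cross reference such as `.Xr rshd 8 ,`. Since this diff also removes the hosts.equiv warning from FILES, this section is the natural place to add that sshd still honours /etc/hosts.equiv and /etc/shosts.equiv for host-based authentication (as the new FILES entries state), so disabling the r-commands does not by itself remove the trust those files grant.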