author | Colin Watson <cjwatson@debian.org> | 2005-05-25 11:01:01 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2005-05-25 11:01:01 +0000 |
commit | e88de75a1a236779a10e8ccbcc51d25308be8840 (patch) | |
tree | 7495477a2a7d0cac17a9fcded020b6ea816182ef /sshd.8 | |
parent | 30a0f9443782cd9d7308acd09430bf586186aa55 (diff) | |
parent | 5d05471f6657646d1d6500c7c43134462c407ee6 (diff) |
Merge 4.0p1 to the trunk.
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 52 |
1 files changed, 40 insertions, 12 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
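Review bot: the `.Dd September 25, 1999` line at old/new line 38 is left as it was although this commit changes the page's substance (hashed known_hosts entries, new FILES entries, the key line length limit); mdoc uses `.Dd` as the document date, so it should be bumped to the date of the last content change, as the updated `$OpenBSD:` id on line 37 already is.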
@@ -106,8 +106,6 @@ to use from those offered by the server. | |||
106 | Next, the server and the client enter an authentication dialog. | 106 | Next, the server and the client enter an authentication dialog. |
107 | The client tries to authenticate itself using | 107 | The client tries to authenticate itself using |
108 | .Em .rhosts | 108 | .Em .rhosts |
109 | authentication, | ||
110 | .Em .rhosts | ||
111 | authentication combined with RSA host | 109 | authentication combined with RSA host |
112 | authentication, RSA challenge-response authentication, or password | 110 | authentication, RSA challenge-response authentication, or password |
113 | based authentication. | 111 | based authentication. |
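Review bot: removing plain `.rhosts` authentication from the list at old lines 109-110 leaves the reader with no statement that this method is gone rather than merely undocumented; if that is the intent, a sentence saying that rhosts-only authentication is not supported, with a pointer to `RhostsRSAAuthentication` in sshd_config(5), would be clearer than a silent omission, and it would match the FILES entries later in this change that now name that keyword.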
@@ -135,11 +133,6 @@ or | |||
135 | .Ql \&*NP\&* | 133 | .Ql \&*NP\&* |
136 | ). | 134 | ). |
137 | .Pp | 135 | .Pp |
138 | .Em rhosts | ||
139 | authentication is normally disabled | ||
140 | because it is fundamentally insecure, but can be enabled in the server | ||
141 | configuration file if desired. | ||
142 | System security is not improved unless | ||
143 | .Nm rshd , | 136 | .Nm rshd , |
144 | .Nm rlogind , | 137 | .Nm rlogind , |
145 | and | 138 | and |
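Review bot: the deletion at old line 142 drops the clause `System security is not improved unless`, but its continuation at old line 143 onward (`.Nm rshd ,`, `.Nm rlogind ,`, `and ...`) is kept, so the paragraph after `.Pp` now opens mid-sentence with a bare list of daemons. The rest of that sentence lies outside the hunk, so confirm it was reworded to stand on its own (for instance that these daemons should be disabled as well), or remove the continuation together with the clause.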
@@ -430,7 +423,9 @@ or | |||
430 | .Dq ssh-rsa . | 423 | .Dq ssh-rsa . |
431 | .Pp | 424 | .Pp |
432 | Note that lines in this file are usually several hundred bytes long | 425 | Note that lines in this file are usually several hundred bytes long |
433 | (because of the size of the public key encoding). | 426 | (because of the size of the public key encoding) up to a limit of |
427 | 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA | ||
428 | keys up to 16 kilobits. | ||
434 | You don't want to type them in; instead, copy the | 429 | You don't want to type them in; instead, copy the |
435 | .Pa identity.pub , | 430 | .Pa identity.pub , |
436 | .Pa id_dsa.pub | 431 | .Pa id_dsa.pub |
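Review bot: the new limit text at new lines 426-428 gives the number but not the failure mode; a reader told `up to a limit of 8 kilobytes` will want to know whether a longer line is rejected, truncated, or skipped, because a skipped key shows up only as an unexplained authentication failure. A comma before `up to a limit` would also stop `several hundred bytes long (...) up to a limit of 8 kilobytes` from reading as one measurement.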
@@ -561,6 +556,14 @@ to indicate negation: if the host name matches a negated | |||
561 | pattern, it is not accepted (by that line) even if it matched another | 556 | pattern, it is not accepted (by that line) even if it matched another |
562 | pattern on the line. | 557 | pattern on the line. |
563 | .Pp | 558 | .Pp |
559 | Alternately, hostnames may be stored in a hashed form which hides host names | ||
560 | and addresses should the file's contents be disclosed. | ||
561 | Hashed hostnames start with a | ||
562 | .Ql | | ||
563 | character. | ||
564 | Only one hashed hostname may appear on a single line and none of the above | ||
565 | negation or wildcard operators may be applied. | ||
566 | .Pp | ||
564 | Bits, exponent, and modulus are taken directly from the RSA host key; they | 567 | Bits, exponent, and modulus are taken directly from the RSA host key; they |
565 | can be obtained, e.g., from | 568 | can be obtained, e.g., from |
566 | .Pa /etc/ssh/ssh_host_key.pub . | 569 | .Pa /etc/ssh/ssh_host_key.pub . |
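Review bot: the hashed-hostname paragraph at new lines 559-565 explains the leading `|` but not the rest of the entry, which the example added later in this page shows as `|1|<salt>|<hash>`; document the three fields here (format version, base64 salt, base64 hash), name the ssh-keygen(1) option that produces this form, and state what hashing does and does not protect: because the salt and hash are in the file, anyone who can guess a host name can still check it against an entry, so the hashed form guards against casual disclosure of the host list, not against a targeted lookup.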
@@ -592,6 +595,11 @@ and adding the host names at the front. | |||
592 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 595 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
593 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 596 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
594 | .Ed | 597 | .Ed |
598 | .Bd -literal | ||
599 | # A hashed hostname | ||
600 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
601 | AAAA1234.....= | ||
602 | .Ed | ||
595 | .Sh FILES | 603 | .Sh FILES |
596 | .Bl -tag -width Ds | 604 | .Bl -tag -width Ds |
597 | .It Pa /etc/ssh/sshd_config | 605 | .It Pa /etc/ssh/sshd_config |
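Review bot: the example at new lines 600-601 wraps the hashed entry onto two lines inside `.Bd -literal`, where mdoc preserves line breaks, so the rendered page shows `ssh-rsa` and `AAAA1234.....=` as separate lines although the text above says one hashed hostname per line and a real entry is a single line; keep the entry on one line, or mark it as wrapped for display. The new block also begins immediately after the existing `.Ed` at new line 597, so it could be folded into the preceding example block instead of opening a second one.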
@@ -660,6 +668,20 @@ These files should be writable only by root/the owner. | |||
660 | should be world-readable, and | 668 | should be world-readable, and |
661 | .Pa $HOME/.ssh/known_hosts | 669 | .Pa $HOME/.ssh/known_hosts |
662 | can, but need not be, world-readable. | 670 | can, but need not be, world-readable. |
671 | .It Pa /etc/motd | ||
672 | See | ||
673 | .Xr motd 5 . | ||
674 | .It Pa $HOME/.hushlogin | ||
675 | This file is used to suppress printing the last login time and | ||
676 | .Pa /etc/motd , | ||
677 | if | ||
678 | .Cm PrintLastLog | ||
679 | and | ||
680 | .Cm PrintMotd , | ||
681 | respectively, | ||
682 | are enabled. | ||
683 | It does not suppress printing of the banner specified by | ||
684 | .Cm Banner . | ||
663 | .It Pa /etc/nologin | 685 | .It Pa /etc/nologin |
664 | If this file exists, | 686 | If this file exists, |
665 | .Nm | 687 | .Nm |
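Review bot: `if PrintLastLog and PrintMotd, respectively, are enabled` at new lines 677-682 is hard to follow across five mdoc lines; say directly that the file suppresses the last-login line when `PrintLastLog` is enabled and `/etc/motd` when `PrintMotd` is enabled. If, as with `/etc/nologin` below, the file's presence alone is what matters, say so too, since a reader may otherwise take `$HOME/.hushlogin` for a configuration file whose contents are read.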
@@ -673,7 +695,11 @@ Access controls that should be enforced by tcp-wrappers are defined here. | |||
673 | Further details are described in | 695 | Further details are described in |
674 | .Xr hosts_access 5 . | 696 | .Xr hosts_access 5 . |
675 | .It Pa $HOME/.rhosts | 697 | .It Pa $HOME/.rhosts |
676 | This file contains host-username pairs, separated by a space, one per | 698 | This file is used during |
699 | .Cm RhostsRSAAuthentication | ||
700 | and | ||
701 | .Cm HostbasedAuthentication | ||
702 | and contains host-username pairs, separated by a space, one per | ||
677 | line. | 703 | line. |
678 | The given user on the corresponding host is permitted to log in | 704 | The given user on the corresponding host is permitted to log in |
679 | without a password. | 705 | without a password. |
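Review bot: the `.rhosts` entry at new lines 698-701 now names `RhostsRSAAuthentication` and `HostbasedAuthentication` without saying where they are defined; add an `.Xr sshd_config 5` reference so readers can find the keywords, and state their defaults, so that an administrator knows whether an existing `.rhosts` file grants anything at all without a server-side change.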
@@ -694,7 +720,9 @@ However, this file is | |||
694 | not used by rlogin and rshd, so using this permits access using SSH only. | 720 | not used by rlogin and rshd, so using this permits access using SSH only. |
695 | .It Pa /etc/hosts.equiv | 721 | .It Pa /etc/hosts.equiv |
696 | This file is used during | 722 | This file is used during |
697 | .Em rhosts | 723 | .Cm RhostsRSAAuthentication |
724 | and | ||
725 | .Cm HostbasedAuthentication | ||
698 | authentication. | 726 | authentication. |
699 | In the simplest form, this file contains host names, one per line. | 727 | In the simplest form, this file contains host names, one per line. |
700 | Users on | 728 | Users on |
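Review bot: `.Cm HostbasedAuthentication` followed by `authentication.` at new lines 725-726 renders as `HostbasedAuthentication authentication`; the `.rhosts` hunk above avoids this by continuing with `and contains ...`, so drop the trailing word here or reword to something like `This file is used by RhostsRSAAuthentication and HostbasedAuthentication.`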
@@ -713,7 +741,7 @@ Negated entries start with | |||
713 | If the client host/user is successfully matched in this file, login is | 741 | If the client host/user is successfully matched in this file, login is |
714 | automatically permitted provided the client and server user names are the | 742 | automatically permitted provided the client and server user names are the |
715 | same. | 743 | same. |
716 | Additionally, successful RSA host authentication is normally required. | 744 | Additionally, successful client host key authentication is required. |
717 | This file must be writable only by root; it is recommended | 745 | This file must be writable only by root; it is recommended |
718 | that it be world-readable. | 746 | that it be world-readable. |
719 | .Pp | 747 | .Pp |
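Review bot: dropping `normally` at new line 744 makes host key authentication an unconditional requirement for a `hosts.equiv` match, which is the correct reading now that plain rhosts authentication has been removed from this page; the sentence should still say which key is checked (the client's host key as listed in the known_hosts files described earlier), because `client host key authentication` on its own does not tell the administrator which file has to be kept accurate for the check to mean anything.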