- (djm) OpenBSD CVS Sync

- jmc@cvs.openbsd.org 2006/02/01 09:06:50 [sshd.8] - merge sections on protocols 1 and 2 into a single section - remove configuration file section ok markus
author: Damien Miller <djm@mindrot.org> 2006-02-01 22:05:25 +1100
committer: Damien Miller <djm@mindrot.org> 2006-02-01 22:05:25 +1100
commit: 8bbdf90f3333a148eb655993e47b0168d907693d (patch)
tree: eb484b8d4c83186e887c5050ab4e9371275ba153 /sshd.8
parent: e682cb07803f71ec01e15394ac8445431cfda176 (diff)
1 files changed, 35 insertions, 46 deletions
diff --git a/sshd.8 b/sshd.8
index 15c7651ba..0bc5f820a 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.213 2006/01/25 09:07:22 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.214 2006/02/01 09:06:50 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -227,20 +227,26 @@ USER@HOST pattern in
 or
 .Cm DenyUsers .
 .El
-.Pp
+.Sh AUTHENTICATION
-This implementation of
+The OpenSSH SSH daemon supports SSH protocols 1 and 2.
-.Nm
+Both protocols are supported by default,
-supports both SSH protocol version 1 and 2 simultaneously.
+though this can be changed via the
-.Nm
+.Cm Protocol
-works as follows:
+option in
-.Sh SSH PROTOCOL VERSION 1
+.Xr sshd_config 5 .
-Each host has a host-specific RSA key
+Protocol 2 supports both RSA and DSA keys;
-(normally 2048 bits) used to identify the host.
+protocol 1 only supports RSA keys.
-Additionally, when
+For both protocols,
-the daemon starts, it generates a server RSA key (normally 768 bits).
+each host has a host-specific key,
+normally 2048 bits,
+used to identify the host.
+.Pp
+Forward security for protocol 1 is provided through
+an additional server key,
+normally 768 bits,
+generated when the server starts.
 This key is normally regenerated every hour if it has been used, and
 is never stored on disk.
-.Pp
 Whenever a client connects, the daemon responds with its public
 host and server keys.
 The client compares the
@@ -258,12 +264,23 @@ being used by default.
 The client selects the encryption algorithm
 to use from those offered by the server.
 .Pp
-Next, the server and the client enter an authentication dialog.
+For protocol 2,
+forward security is provided through a Diffie-Hellman key agreement.
+This key agreement results in a shared session key.
+The rest of the session is encrypted using a symmetric cipher, currently
+128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
+The client selects the encryption algorithm
+to use from those offered by the server.
+Additionally, session integrity is provided
+through a cryptographic message authentication code
+(hmac-sha1 or hmac-md5).
+.Pp
+Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
-.Em rhosts
+host-based authentication,
-authentication combined with RSA host
+public key authentication,
-authentication, RSA challenge-response authentication, or password
+challenge-response authentication,
-based authentication.
+or password authentication.
 .Pp
 Regardless of the authentication type, the account is checked to
 ensure that it is accessible.  An account is not accessible if it is
@@ -301,25 +318,6 @@ are disabled (thus completely disabling
 and
 .Xr rsh
 into the machine).
-.Sh SSH PROTOCOL VERSION 2
-Version 2 works similarly:
-Each host has a host-specific key (RSA or DSA) used to identify the host.
-However, when the daemon starts, it does not generate a server key.
-Forward security is provided through a Diffie-Hellman key agreement.
-This key agreement results in a shared session key.
-.Pp
-The rest of the session is encrypted using a symmetric cipher, currently
-128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
-The client selects the encryption algorithm
-to use from those offered by the server.
-Additionally, session integrity is provided
-through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
-.Pp
-Protocol version 2 provides a public key based
-user (PubkeyAuthentication) or
-client host (HostbasedAuthentication) authentication method,
-conventional password authentication and challenge response based methods.
 .Sh COMMAND EXECUTION AND DATA FORWARDING
 If the client successfully authenticates itself, a dialog for
 preparing the session is entered.
@@ -337,15 +335,6 @@ command on the server side, and the user terminal in the client side.
 When the user program terminates and all forwarded X11 and other
 connections have been closed, the server sends command exit status to
 the client, and both sides exit.
-.Sh CONFIGURATION FILE
-.Nm
-reads configuration data from
-.Pa /etc/ssh/sshd_config
-(or the file specified with
-.Fl f
-on the command line).
-The file format and configuration options are described in
-.Xr sshd_config 5 .
 .Sh LOGIN PROCESS
 When a user successfully logs in,
 .Nm
author	Damien Miller <djm@mindrot.org>	2006-02-01 22:05:25 +1100
committer	Damien Miller <djm@mindrot.org>	2006-02-01 22:05:25 +1100
commit	8bbdf90f3333a148eb655993e47b0168d907693d (patch)
tree	eb484b8d4c83186e887c5050ab4e9371275ba153 /sshd.8
parent	e682cb07803f71ec01e15394ac8445431cfda176 (diff)

diff --git a/sshd.8 b/sshd.8 index 15c7651ba..0bc5f820a 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.213 2006/01/25 09:07:22 jmc Exp $	37	.\" $OpenBSD: sshd.8,v 1.214 2006/02/01 09:06:50 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -227,20 +227,26 @@ USER@HOST pattern in
227	or	227	or
228	.Cm DenyUsers .	228	.Cm DenyUsers .
229	.El	229	.El
230	.Pp	230	.Sh AUTHENTICATION
231	This implementation of	231	The OpenSSH SSH daemon supports SSH protocols 1 and 2.
232	.Nm	232	Both protocols are supported by default,
233	supports both SSH protocol version 1 and 2 simultaneously.	233	though this can be changed via the
234	.Nm	234	.Cm Protocol
235	works as follows:	235	option in
236	.Sh SSH PROTOCOL VERSION 1	236	.Xr sshd_config 5 .
237	Each host has a host-specific RSA key	237	Protocol 2 supports both RSA and DSA keys;
238	(normally 2048 bits) used to identify the host.	238	protocol 1 only supports RSA keys.
239	Additionally, when	239	For both protocols,
240	the daemon starts, it generates a server RSA key (normally 768 bits).	240	each host has a host-specific key,
		241	normally 2048 bits,
		242	used to identify the host.
		243	.Pp
		244	Forward security for protocol 1 is provided through
		245	an additional server key,
		246	normally 768 bits,
		247	generated when the server starts.
241	This key is normally regenerated every hour if it has been used, and	248	This key is normally regenerated every hour if it has been used, and
242	is never stored on disk.	249	is never stored on disk.
243	.Pp
244	Whenever a client connects, the daemon responds with its public	250	Whenever a client connects, the daemon responds with its public
245	host and server keys.	251	host and server keys.
246	The client compares the	252	The client compares the
@@ -258,12 +264,23 @@ being used by default.
258	The client selects the encryption algorithm	264	The client selects the encryption algorithm
259	to use from those offered by the server.	265	to use from those offered by the server.
260	.Pp	266	.Pp
261	Next, the server and the client enter an authentication dialog.	267	For protocol 2,
		268	forward security is provided through a Diffie-Hellman key agreement.
		269	This key agreement results in a shared session key.
		270	The rest of the session is encrypted using a symmetric cipher, currently
		271	128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
		272	The client selects the encryption algorithm
		273	to use from those offered by the server.
		274	Additionally, session integrity is provided
		275	through a cryptographic message authentication code
		276	(hmac-sha1 or hmac-md5).
		277	.Pp
		278	Finally, the server and the client enter an authentication dialog.
262	The client tries to authenticate itself using	279	The client tries to authenticate itself using
263	.Em rhosts	280	host-based authentication,
264	authentication combined with RSA host	281	public key authentication,
265	authentication, RSA challenge-response authentication, or password	282	challenge-response authentication,
266	based authentication.	283	or password authentication.
267	.Pp	284	.Pp
268	Regardless of the authentication type, the account is checked to	285	Regardless of the authentication type, the account is checked to
269	ensure that it is accessible. An account is not accessible if it is	286	ensure that it is accessible. An account is not accessible if it is
@@ -301,25 +318,6 @@ are disabled (thus completely disabling
301	and	318	and
302	.Xr rsh	319	.Xr rsh
303	into the machine).	320	into the machine).
304	.Sh SSH PROTOCOL VERSION 2
305	Version 2 works similarly:
306	Each host has a host-specific key (RSA or DSA) used to identify the host.
307	However, when the daemon starts, it does not generate a server key.
308	Forward security is provided through a Diffie-Hellman key agreement.
309	This key agreement results in a shared session key.
310	.Pp
311	The rest of the session is encrypted using a symmetric cipher, currently
312	128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
313	The client selects the encryption algorithm
314	to use from those offered by the server.
315	Additionally, session integrity is provided
316	through a cryptographic message authentication code
317	(hmac-sha1 or hmac-md5).
318	.Pp
319	Protocol version 2 provides a public key based
320	user (PubkeyAuthentication) or
321	client host (HostbasedAuthentication) authentication method,
322	conventional password authentication and challenge response based methods.
323	.Sh COMMAND EXECUTION AND DATA FORWARDING	321	.Sh COMMAND EXECUTION AND DATA FORWARDING
324	If the client successfully authenticates itself, a dialog for	322	If the client successfully authenticates itself, a dialog for
325	preparing the session is entered.	323	preparing the session is entered.
@@ -337,15 +335,6 @@ command on the server side, and the user terminal in the client side.
337	When the user program terminates and all forwarded X11 and other	335	When the user program terminates and all forwarded X11 and other
338	connections have been closed, the server sends command exit status to	336	connections have been closed, the server sends command exit status to
339	the client, and both sides exit.	337	the client, and both sides exit.
340	.Sh CONFIGURATION FILE
341	.Nm
342	reads configuration data from
343	.Pa /etc/ssh/sshd_config
344	(or the file specified with
345	.Fl f
346	on the command line).
347	The file format and configuration options are described in
348	.Xr sshd_config 5 .
349	.Sh LOGIN PROCESS	338	.Sh LOGIN PROCESS
350	When a user successfully logs in,	339	When a user successfully logs in,
351	.Nm	340	.Nm