author | Colin Watson <cjwatson@debian.org> | 2011-01-24 11:46:57 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-01-24 11:46:57 +0000 |
commit | 0970072c89b079b022538e3c366fbfa2c53fc821 (patch) | |
tree | b7024712d74234bb5a8b036ccbc9109e2e211296 /sshd.8 | |
parent | 4e8aa4da57000c7bba8e5c49163bc0c0ca383f78 (diff) | |
parent | 478ff799463ca926a8dfbabf058f4e84aaffc65a (diff) | |
merge 5.7p1
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 73 |
1 files changed, 40 insertions, 33 deletions
@@ -1,4 +1,3 @@ | |||
1 | .\" -*- nroff -*- | ||
2 | .\" | 1 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 2 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -34,8 +33,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 35 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.257 2010/08/04 05:37:01 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $ |
38 | .Dd $Mdocdate: August 4 2010 $ | 37 | .Dd $Mdocdate: October 28 2010 $ |
39 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
40 | .Os | 39 | .Os |
41 | .Sh NAME | 40 | .Sh NAME |
@@ -170,9 +169,10 @@ host key files are normally not readable by anyone but root). | |||
170 | The default is | 169 | The default is |
171 | .Pa /etc/ssh/ssh_host_key | 170 | .Pa /etc/ssh/ssh_host_key |
172 | for protocol version 1, and | 171 | for protocol version 1, and |
173 | .Pa /etc/ssh/ssh_host_rsa_key | 172 | .Pa /etc/ssh/ssh_host_dsa_key , |
173 | .Pa /etc/ssh/ssh_host_ecdsa_key | ||
174 | and | 174 | and |
175 | .Pa /etc/ssh/ssh_host_dsa_key | 175 | .Pa /etc/ssh/ssh_host_rsa_key |
176 | for protocol version 2. | 176 | for protocol version 2. |
177 | It is possible to have multiple host key files for | 177 | It is possible to have multiple host key files for |
178 | the different protocol versions and host key algorithms. | 178 | the different protocol versions and host key algorithms. |
@@ -275,7 +275,7 @@ though this can be changed via the | |||
275 | .Cm Protocol | 275 | .Cm Protocol |
276 | option in | 276 | option in |
277 | .Xr sshd_config 5 . | 277 | .Xr sshd_config 5 . |
278 | Protocol 2 supports both RSA and DSA keys; | 278 | Protocol 2 supports DSA, ECDSA and RSA keys; |
279 | protocol 1 only supports RSA keys. | 279 | protocol 1 only supports RSA keys. |
280 | For both protocols, | 280 | For both protocols, |
281 | each host has a host-specific key, | 281 | each host has a host-specific key, |
@@ -483,6 +483,9 @@ protocol version 1; the | |||
483 | comment field is not used for anything (but may be convenient for the | 483 | comment field is not used for anything (but may be convenient for the |
484 | user to identify the key). | 484 | user to identify the key). |
485 | For protocol version 2 the keytype is | 485 | For protocol version 2 the keytype is |
486 | .Dq ecdsa-sha2-nistp256 , | ||
487 | .Dq ecdsa-sha2-nistp384 , | ||
488 | .Dq ecdsa-sha2-nistp521 , | ||
486 | .Dq ssh-dss | 489 | .Dq ssh-dss |
487 | or | 490 | or |
488 | .Dq ssh-rsa . | 491 | .Dq ssh-rsa . |
@@ -494,6 +497,7 @@ keys up to 16 kilobits. | |||
494 | You don't want to type them in; instead, copy the | 497 | You don't want to type them in; instead, copy the |
495 | .Pa identity.pub , | 498 | .Pa identity.pub , |
496 | .Pa id_dsa.pub , | 499 | .Pa id_dsa.pub , |
500 | .Pa id_ecdsa.pub , | ||
497 | or the | 501 | or the |
498 | .Pa id_rsa.pub | 502 | .Pa id_rsa.pub |
499 | file and edit it. | 503 | file and edit it. |
@@ -751,7 +755,7 @@ AAAA1234.....= | |||
751 | .Ed | 755 | .Ed |
752 | .Sh FILES | 756 | .Sh FILES |
753 | .Bl -tag -width Ds -compact | 757 | .Bl -tag -width Ds -compact |
754 | .It ~/.hushlogin | 758 | .It Pa ~/.hushlogin |
755 | This file is used to suppress printing the last login time and | 759 | This file is used to suppress printing the last login time and |
756 | .Pa /etc/motd , | 760 | .Pa /etc/motd , |
757 | if | 761 | if |
@@ -763,7 +767,7 @@ are enabled. | |||
763 | It does not suppress printing of the banner specified by | 767 | It does not suppress printing of the banner specified by |
764 | .Cm Banner . | 768 | .Cm Banner . |
765 | .Pp | 769 | .Pp |
766 | .It ~/.rhosts | 770 | .It Pa ~/.rhosts |
767 | This file is used for host-based authentication (see | 771 | This file is used for host-based authentication (see |
768 | .Xr ssh 1 | 772 | .Xr ssh 1 |
769 | for more information). | 773 | for more information). |
@@ -778,21 +782,22 @@ The recommended | |||
778 | permission for most machines is read/write for the user, and not | 782 | permission for most machines is read/write for the user, and not |
779 | accessible by others. | 783 | accessible by others. |
780 | .Pp | 784 | .Pp |
781 | .It ~/.shosts | 785 | .It Pa ~/.shosts |
782 | This file is used in exactly the same way as | 786 | This file is used in exactly the same way as |
783 | .Pa .rhosts , | 787 | .Pa .rhosts , |
784 | but allows host-based authentication without permitting login with | 788 | but allows host-based authentication without permitting login with |
785 | rlogin/rsh. | 789 | rlogin/rsh. |
786 | .Pp | 790 | .Pp |
787 | .It ~/.ssh/ | 791 | .It Pa ~/.ssh/ |
788 | This directory is the default location for all user-specific configuration | 792 | This directory is the default location for all user-specific configuration |
789 | and authentication information. | 793 | and authentication information. |
790 | There is no general requirement to keep the entire contents of this directory | 794 | There is no general requirement to keep the entire contents of this directory |
791 | secret, but the recommended permissions are read/write/execute for the user, | 795 | secret, but the recommended permissions are read/write/execute for the user, |
792 | and not accessible by others. | 796 | and not accessible by others. |
793 | .Pp | 797 | .Pp |
794 | .It ~/.ssh/authorized_keys | 798 | .It Pa ~/.ssh/authorized_keys |
795 | Lists the public keys (RSA/DSA) that can be used for logging in as this user. | 799 | Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in |
800 | as this user. | ||
796 | The format of this file is described above. | 801 | The format of this file is described above. |
797 | The content of the file is not highly sensitive, but the recommended | 802 | The content of the file is not highly sensitive, but the recommended |
798 | permissions are read/write for the user, and not accessible by others. | 803 | permissions are read/write for the user, and not accessible by others. |
@@ -809,7 +814,7 @@ will not allow it to be used unless the | |||
809 | option has been set to | 814 | option has been set to |
810 | .Dq no . | 815 | .Dq no . |
811 | .Pp | 816 | .Pp |
812 | .It ~/.ssh/environment | 817 | .It Pa ~/.ssh/environment |
813 | This file is read into the environment at login (if it exists). | 818 | This file is read into the environment at login (if it exists). |
814 | It can only contain empty lines, comment lines (that start with | 819 | It can only contain empty lines, comment lines (that start with |
815 | .Ql # ) , | 820 | .Ql # ) , |
@@ -821,40 +826,40 @@ controlled via the | |||
821 | .Cm PermitUserEnvironment | 826 | .Cm PermitUserEnvironment |
822 | option. | 827 | option. |
823 | .Pp | 828 | .Pp |
824 | .It ~/.ssh/known_hosts | 829 | .It Pa ~/.ssh/known_hosts |
825 | Contains a list of host keys for all hosts the user has logged into | 830 | Contains a list of host keys for all hosts the user has logged into |
826 | that are not already in the systemwide list of known host keys. | 831 | that are not already in the systemwide list of known host keys. |
827 | The format of this file is described above. | 832 | The format of this file is described above. |
828 | This file should be writable only by root/the owner and | 833 | This file should be writable only by root/the owner and |
829 | can, but need not be, world-readable. | 834 | can, but need not be, world-readable. |
830 | .Pp | 835 | .Pp |
831 | .It ~/.ssh/rc | 836 | .It Pa ~/.ssh/rc |
832 | Contains initialization routines to be run before | 837 | Contains initialization routines to be run before |
833 | the user's home directory becomes accessible. | 838 | the user's home directory becomes accessible. |
834 | This file should be writable only by the user, and need not be | 839 | This file should be writable only by the user, and need not be |
835 | readable by anyone else. | 840 | readable by anyone else. |
836 | .Pp | 841 | .Pp |
837 | .It /etc/hosts.allow | 842 | .It Pa /etc/hosts.allow |
838 | .It /etc/hosts.deny | 843 | .It Pa /etc/hosts.deny |
839 | Access controls that should be enforced by tcp-wrappers are defined here. | 844 | Access controls that should be enforced by tcp-wrappers are defined here. |
840 | Further details are described in | 845 | Further details are described in |
841 | .Xr hosts_access 5 . | 846 | .Xr hosts_access 5 . |
842 | .Pp | 847 | .Pp |
843 | .It /etc/hosts.equiv | 848 | .It Pa /etc/hosts.equiv |
844 | This file is for host-based authentication (see | 849 | This file is for host-based authentication (see |
845 | .Xr ssh 1 ) . | 850 | .Xr ssh 1 ) . |
846 | It should only be writable by root. | 851 | It should only be writable by root. |
847 | .Pp | 852 | .Pp |
848 | .It /etc/moduli | 853 | .It Pa /etc/moduli |
849 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 854 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
850 | The file format is described in | 855 | The file format is described in |
851 | .Xr moduli 5 . | 856 | .Xr moduli 5 . |
852 | .Pp | 857 | .Pp |
853 | .It /etc/motd | 858 | .It Pa /etc/motd |
854 | See | 859 | See |
855 | .Xr motd 5 . | 860 | .Xr motd 5 . |
856 | .Pp | 861 | .Pp |
857 | .It /etc/nologin | 862 | .It Pa /etc/nologin |
858 | If this file exists, | 863 | If this file exists, |
859 | .Nm | 864 | .Nm |
860 | refuses to let anyone except root log in. | 865 | refuses to let anyone except root log in. |
@@ -863,15 +868,16 @@ are displayed to anyone trying to log in, and non-root connections are | |||
863 | refused. | 868 | refused. |
864 | The file should be world-readable. | 869 | The file should be world-readable. |
865 | .Pp | 870 | .Pp |
866 | .It /etc/shosts.equiv | 871 | .It Pa /etc/shosts.equiv |
867 | This file is used in exactly the same way as | 872 | This file is used in exactly the same way as |
868 | .Pa hosts.equiv , | 873 | .Pa hosts.equiv , |
869 | but allows host-based authentication without permitting login with | 874 | but allows host-based authentication without permitting login with |
870 | rlogin/rsh. | 875 | rlogin/rsh. |
871 | .Pp | 876 | .Pp |
872 | .It /etc/ssh/ssh_host_key | 877 | .It Pa /etc/ssh/ssh_host_key |
873 | .It /etc/ssh/ssh_host_dsa_key | 878 | .It Pa /etc/ssh/ssh_host_dsa_key |
874 | .It /etc/ssh/ssh_host_rsa_key | 879 | .It Pa /etc/ssh/ssh_host_ecdsa_key |
880 | .It Pa /etc/ssh/ssh_host_rsa_key | ||
875 | These three files contain the private parts of the host keys. | 881 | These three files contain the private parts of the host keys. |
876 | These files should only be owned by root, readable only by root, and not | 882 | These files should only be owned by root, readable only by root, and not |
877 | accessible to others. | 883 | accessible to others. |
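Review bot: the sentence following the list, "These three files contain the private parts of the host keys.", is stale once `.It Pa /etc/ssh/ssh_host_ecdsa_key` is added: the list now has four entries (ssh_host_key, ssh_host_dsa_key, ssh_host_ecdsa_key, ssh_host_rsa_key). Suggest dropping the count, e.g. "These files contain the private parts of the host keys.", so the wording does not have to be touched again each time a host key type is added.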
@@ -879,9 +885,10 @@ Note that | |||
879 | .Nm | 885 | .Nm |
880 | does not start if these files are group/world-accessible. | 886 | does not start if these files are group/world-accessible. |
881 | .Pp | 887 | .Pp |
882 | .It /etc/ssh/ssh_host_key.pub | 888 | .It Pa /etc/ssh/ssh_host_key.pub |
883 | .It /etc/ssh/ssh_host_dsa_key.pub | 889 | .It Pa /etc/ssh/ssh_host_dsa_key.pub |
884 | .It /etc/ssh/ssh_host_rsa_key.pub | 890 | .It Pa /etc/ssh/ssh_host_ecdsa_key.pub |
891 | .It Pa /etc/ssh/ssh_host_rsa_key.pub | ||
885 | These three files contain the public parts of the host keys. | 892 | These three files contain the public parts of the host keys. |
886 | These files should be world-readable but writable only by | 893 | These files should be world-readable but writable only by |
887 | root. | 894 | root. |
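Review bot: same count problem as in the private-key hunk: "These three files contain the public parts of the host keys." now follows four `.It Pa` entries after `.It Pa /etc/ssh/ssh_host_ecdsa_key.pub` is added. Suggest "These files contain the public parts of the host keys." to match the list.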
@@ -892,7 +899,7 @@ the user so their contents can be copied to known hosts files. | |||
892 | These files are created using | 899 | These files are created using |
893 | .Xr ssh-keygen 1 . | 900 | .Xr ssh-keygen 1 . |
894 | .Pp | 901 | .Pp |
895 | .It /etc/ssh/ssh_known_hosts | 902 | .It Pa /etc/ssh/ssh_known_hosts |
896 | Systemwide list of known host keys. | 903 | Systemwide list of known host keys. |
897 | This file should be prepared by the | 904 | This file should be prepared by the |
898 | system administrator to contain the public host keys of all machines in the | 905 | system administrator to contain the public host keys of all machines in the |
@@ -901,20 +908,20 @@ The format of this file is described above. | |||
901 | This file should be writable only by root/the owner and | 908 | This file should be writable only by root/the owner and |
902 | should be world-readable. | 909 | should be world-readable. |
903 | .Pp | 910 | .Pp |
904 | .It /etc/ssh/sshd_config | 911 | .It Pa /etc/ssh/sshd_config |
905 | Contains configuration data for | 912 | Contains configuration data for |
906 | .Nm sshd . | 913 | .Nm sshd . |
907 | The file format and configuration options are described in | 914 | The file format and configuration options are described in |
908 | .Xr sshd_config 5 . | 915 | .Xr sshd_config 5 . |
909 | .Pp | 916 | .Pp |
910 | .It /etc/ssh/sshrc | 917 | .It Pa /etc/ssh/sshrc |
911 | Similar to | 918 | Similar to |
912 | .Pa ~/.ssh/rc , | 919 | .Pa ~/.ssh/rc , |
913 | it can be used to specify | 920 | it can be used to specify |
914 | machine-specific login-time initializations globally. | 921 | machine-specific login-time initializations globally. |
915 | This file should be writable only by root, and should be world-readable. | 922 | This file should be writable only by root, and should be world-readable. |
916 | .Pp | 923 | .Pp |
917 | .It /var/empty | 924 | .It Pa /var/empty |
918 | .Xr chroot 2 | 925 | .Xr chroot 2 |
919 | directory used by | 926 | directory used by |
920 | .Nm | 927 | .Nm |
@@ -922,7 +929,7 @@ during privilege separation in the pre-authentication phase. | |||
922 | The directory should not contain any files and must be owned by root | 929 | The directory should not contain any files and must be owned by root |
923 | and not group or world-writable. | 930 | and not group or world-writable. |
924 | .Pp | 931 | .Pp |
925 | .It /var/run/sshd.pid | 932 | .It Pa /var/run/sshd.pid |
926 | Contains the process ID of the | 933 | Contains the process ID of the |
927 | .Nm | 934 | .Nm |
928 | listening for connections (if there are several daemons running | 935 | listening for connections (if there are several daemons running |