| author | Damien Miller <djm@mindrot.org> | 2010-02-27 07:55:05 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-02-27 07:55:05 +1100 |
| commit | 0a80ca190a39943029719facf7edb990def7ae62 (patch) | |
| tree | e423e30d8412de67170b8240ba919df10ed8e391 /sshd.8 | |
| parent | d27d85d5320bb946d4bb734dcf45a8d20bad6020 (diff) | |
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
See VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1); documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 25 |
1 files changed, 23 insertions, 2 deletions
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.250 2010/01/30 21:08:33 djm Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.251 2010/02/26 20:29:54 djm Exp $ |
38 | .Dd $Mdocdate: January 30 2010 $ | 38 | .Dd $Mdocdate: February 26 2010 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -47,6 +47,7 @@ | |||
47 | .Op Fl 46DdeiqTt | 47 | .Op Fl 46DdeiqTt |
48 | .Op Fl b Ar bits | 48 | .Op Fl b Ar bits |
49 | .Op Fl C Ar connection_spec | 49 | .Op Fl C Ar connection_spec |
50 | .Op Fl c Ar host_certificate_file | ||
50 | .Op Fl f Ar config_file | 51 | .Op Fl f Ar config_file |
51 | .Op Fl g Ar login_grace_time | 52 | .Op Fl g Ar login_grace_time |
52 | .Op Fl h Ar host_key_file | 53 | .Op Fl h Ar host_key_file |
@@ -101,6 +102,15 @@ to use IPv6 addresses only. | |||
101 | .It Fl b Ar bits | 102 | .It Fl b Ar bits |
102 | Specifies the number of bits in the ephemeral protocol version 1 | 103 | Specifies the number of bits in the ephemeral protocol version 1 |
103 | server key (default 1024). | 104 | server key (default 1024). |
105 | .It Fl c Ar host_certificate_file | ||
106 | Specifies a path to a certificate file to identify | ||
107 | .Nm | ||
108 | during key exchange. | ||
109 | The certificate file must match a host key file specified using the | ||
110 | .Fl -h | ||
111 | option or the | ||
112 | .Cm HostKey | ||
113 | configuration directive. | ||
104 | .It Fl C Ar connection_spec | 114 | .It Fl C Ar connection_spec |
105 | Specify the connection parameters to use for the | 115 | Specify the connection parameters to use for the |
106 | .Fl T | 116 | .Fl T |
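Review bot: `.Fl -h` in the new `-c` description renders as `--h` rather than `-h`, because the mdoc `Fl` macro already supplies the leading dash; it should read `.Fl h`, matching `.It Fl b Ar bits` above and `.Fl T` just below. While here, the text says the certificate file "must match" a host key file but not what sshd does when it does not (refuse to start, or ignore the certificate and continue with the plain host key); stating the failure behaviour would help an operator diagnose a mismatched certificate.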
@@ -498,6 +508,13 @@ No spaces are permitted, except within double quotes. | |||
498 | The following option specifications are supported (note | 508 | The following option specifications are supported (note |
499 | that option keywords are case-insensitive): | 509 | that option keywords are case-insensitive): |
500 | .Bl -tag -width Ds | 510 | .Bl -tag -width Ds |
511 | .It Cm from="cert-authority" | ||
512 | Specifies that the listed key is a certification authority (CA) that is | ||
513 | trusted to validate signed certificates for user authentication. | ||
514 | .Pp | ||
515 | Certificates may encode access restrictions similar to these key options. | ||
516 | If both certificate restrictions and key options are present, the most | ||
517 | restrictive union of the two is applied. | ||
501 | .It Cm command="command" | 518 | .It Cm command="command" |
502 | Specifies that the command is executed whenever this key is used for | 519 | Specifies that the command is executed whenever this key is used for |
503 | authentication. | 520 | authentication. |
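Review bot: `from="cert-authority"` reuses the `from=` keyword, which this option list already defines for a pattern-list of permitted source hosts, so the reader and the option parser must special-case one literal value to mean something unrelated; a standalone keyword such as `cert-authority` would be clearer and would avoid any interaction with a genuine `from=` restriction on the same key line. Also, "the most restrictive union of the two is applied" is hard to parse: if the intent is that a login must satisfy both the certificate's restrictions and the key options, say that directly, and state which value wins for options that cannot be merged (for example two different forced commands).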
@@ -517,6 +534,10 @@ The command originally supplied by the client is available in the | |||
517 | .Ev SSH_ORIGINAL_COMMAND | 534 | .Ev SSH_ORIGINAL_COMMAND |
518 | environment variable. | 535 | environment variable. |
519 | Note that this option applies to shell, command or subsystem execution. | 536 | Note that this option applies to shell, command or subsystem execution. |
537 | Also note that this command may be superseded by either a | ||
538 | .Xr sshd_config 5 | ||
539 | .Cm ForceCommand | ||
540 | directive or a command embedded in a certificate. | ||
520 | .It Cm environment="NAME=value" | 541 | .It Cm environment="NAME=value" |
521 | Specifies that the string is to be added to the environment when | 542 | Specifies that the string is to be added to the environment when |
522 | logging in using this key. | 543 | logging in using this key. |
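Review bot: "may be superseded by either a ForceCommand directive or a command embedded in a certificate" leaves the precedence undefined when more than one is set. Document the order in which sshd chooses among `sshd_config` `ForceCommand`, a command embedded in the certificate and the key's `command=` option, since an operator relying on `command=` to confine a key needs to know which command actually runs.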