- jmc@cvs.openbsd.org 2006/02/19 20:02:17

[sshd.8] sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
author: Damien Miller <djm@mindrot.org> 2006-03-15 11:36:18 +1100
committer: Damien Miller <djm@mindrot.org> 2006-03-15 11:36:18 +1100
commit: 445121fe8dc73601fc301de5be5b7c02b2d20bf9 (patch)
tree: c2fc4033a66d0e105f5899fb76573da681102407 /sshd.8
parent: fd725cf585d0f9aca648f177df35265b6abc10e6 (diff)
1 files changed, 8 insertions, 42 deletions
diff --git a/sshd.8 b/sshd.8
index 6df9d8aab..24c149975 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.226 2006/02/19 19:52:10 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.227 2006/02/19 20:02:17 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -708,43 +708,9 @@ Further details are described in
 .Xr hosts_access 5 .
 .Pp
 .It /etc/hosts.equiv
-This file is used during
+This file is for host-based authentication (see
-.Cm RhostsRSAAuthentication
+.Xr ssh 1 ) .
-and
+It should only be writable by root.
-.Cm HostbasedAuthentication
-authentication.
-In the simplest form, this file contains host names, one per line.
-Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.
-The host name may also be
-followed by a user name; such users are permitted to log in as
-.Em any
-user on this machine (except root).
-Additionally, the syntax
-.Dq +@group
-can be used to specify netgroups.
-Negated entries start with
-.Ql \&- .
-.Pp
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.
-Additionally, successful client host key authentication is required.
-This file must be writable only by root; it is recommended
-that it be world-readable.
-.Pp
-.Sy "Warning: It is almost never a good idea to use user names in"
-.Pa hosts.equiv .
-Beware that it really means that the named user(s) can log in as
-.Em anybody ,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.
-Using a user name practically grants the user root access.
-The only valid use for user names that I can think
-of is in negative entries.
-.Pp
-Note that this warning also applies to rsh/rlogin.
 .Pp
 .It /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
@@ -765,10 +731,10 @@ refused.
 The file should be world-readable.
 .Pp
 .It /etc/shosts.equiv
-This is processed exactly as
+This file is used in exactly the same way as
-.Pa /etc/hosts.equiv .
+.Pa hosts.equiv ,
-However, this file may be useful in environments that want to run both
+but allows host-based authentication without permitting login with
-rsh/rlogin and ssh.
+rlogin/rsh.
 .Pp
 .It /etc/ssh/ssh_known_hosts
 Systemwide list of known host keys.
author	Damien Miller <djm@mindrot.org>	2006-03-15 11:36:18 +1100
committer	Damien Miller <djm@mindrot.org>	2006-03-15 11:36:18 +1100
commit	445121fe8dc73601fc301de5be5b7c02b2d20bf9 (patch)
tree	c2fc4033a66d0e105f5899fb76573da681102407 /sshd.8
parent	fd725cf585d0f9aca648f177df35265b6abc10e6 (diff)

diff --git a/sshd.8 b/sshd.8 index 6df9d8aab..24c149975 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.226 2006/02/19 19:52:10 jmc Exp $	37	.\" $OpenBSD: sshd.8,v 1.227 2006/02/19 20:02:17 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -708,43 +708,9 @@ Further details are described in
708	.Xr hosts_access 5 .	708	.Xr hosts_access 5 .
709	.Pp	709	.Pp
710	.It /etc/hosts.equiv	710	.It /etc/hosts.equiv
711	This file is used during	711	This file is for host-based authentication (see
712	.Cm RhostsRSAAuthentication	712	.Xr ssh 1 ) .
713	and	713	It should only be writable by root.
714	.Cm HostbasedAuthentication
715	authentication.
716	In the simplest form, this file contains host names, one per line.
717	Users on
718	those hosts are permitted to log in without a password, provided they
719	have the same user name on both machines.
720	The host name may also be
721	followed by a user name; such users are permitted to log in as
722	.Em any
723	user on this machine (except root).
724	Additionally, the syntax
725	.Dq +@group
726	can be used to specify netgroups.
727	Negated entries start with
728	.Ql \&- .
729	.Pp
730	If the client host/user is successfully matched in this file, login is
731	automatically permitted provided the client and server user names are the
732	same.
733	Additionally, successful client host key authentication is required.
734	This file must be writable only by root; it is recommended
735	that it be world-readable.
736	.Pp
737	.Sy "Warning: It is almost never a good idea to use user names in"
738	.Pa hosts.equiv .
739	Beware that it really means that the named user(s) can log in as
740	.Em anybody ,
741	which includes bin, daemon, adm, and other accounts that own critical
742	binaries and directories.
743	Using a user name practically grants the user root access.
744	The only valid use for user names that I can think
745	of is in negative entries.
746	.Pp
747	Note that this warning also applies to rsh/rlogin.
748	.Pp	714	.Pp
749	.It /etc/moduli	715	.It /etc/moduli
750	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".	716	Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
@@ -765,10 +731,10 @@ refused.
765	The file should be world-readable.	731	The file should be world-readable.
766	.Pp	732	.Pp
767	.It /etc/shosts.equiv	733	.It /etc/shosts.equiv
768	This is processed exactly as	734	This file is used in exactly the same way as
769	.Pa /etc/hosts.equiv .	735	.Pa hosts.equiv ,
770	However, this file may be useful in environments that want to run both	736	but allows host-based authentication without permitting login with
771	rsh/rlogin and ssh.	737	rlogin/rsh.
772	.Pp	738	.Pp
773	.It /etc/ssh/ssh_known_hosts	739	.It /etc/ssh/ssh_known_hosts
774	Systemwide list of known host keys.	740	Systemwide list of known host keys.