author | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:34:46 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:34:46 +1000 |
commit | 896ad5a4e40c48fa9bea71624830cc9cc3ce4fe0 (patch) | |
tree | aa6eaa6f9ce31379b0843fed78b7487c87e0f7f3 /sshd.8 | |
parent | 8901fa9c88d52ac1f099e7a3ce5bd75089e7e731 (diff) |
- djm@cvs.openbsd.org 2008/06/10 23:06:19
[auth-options.c match.c servconf.c addrmatch.c sshd.8]
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 30 |
1 files changed, 17 insertions, 13 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $ |
38 | .Dd $Mdocdate: June 10 2008 $ | 38 | .Dd $Mdocdate: June 10 2008 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -531,23 +531,27 @@ This option is automatically disabled if | |||
531 | .Cm UseLogin | 531 | .Cm UseLogin |
532 | is enabled. | 532 | is enabled. |
533 | .It Cm from="pattern-list" | 533 | .It Cm from="pattern-list" |
534 | Specifies that in addition to public key authentication, the canonical name | 534 | Specifies that in addition to public key authentication, either the canonical |
535 | of the remote host must be present in the comma-separated list of | 535 | name of the remote host or its IP address must be present in the |
536 | patterns. | 536 | comma-separated list of patterns. |
537 | The purpose | ||
538 | of this option is to optionally increase security: public key authentication | ||
539 | by itself does not trust the network or name servers or anything (but | ||
540 | the key); however, if somebody somehow steals the key, the key | ||
541 | permits an intruder to log in from anywhere in the world. | ||
542 | This additional option makes using a stolen key more difficult (name | ||
543 | servers and/or routers would have to be compromised in addition to | ||
544 | just the key). | ||
545 | .Pp | ||
546 | See | 537 | See |
547 | .Sx PATTERNS | 538 | .Sx PATTERNS |
548 | in | 539 | in |
549 | .Xr ssh_config 5 | 540 | .Xr ssh_config 5 |
550 | for more information on patterns. | 541 | for more information on patterns. |
542 | .Pp | ||
543 | In addition to the wildcard matching that may be applied to hostnames or | ||
544 | addresses, a | ||
545 | .Cm from | ||
546 | stanza may match IP addressess using CIDR address/masklen notation. | ||
547 | .Pp | ||
548 | The purpose of this option is to optionally increase security: public key | ||
549 | authentication by itself does not trust the network or name servers or | ||
550 | anything (but the key); however, if somebody somehow steals the key, the key | ||
551 | permits an intruder to log in from anywhere in the world. | ||
552 | This additional option makes using a stolen key more difficult (name | ||
553 | servers and/or routers would have to be compromised in addition to | ||
554 | just the key). | ||
551 | .It Cm no-agent-forwarding | 555 | .It Cm no-agent-forwarding |
552 | Forbids authentication agent forwarding when this key is used for | 556 | Forbids authentication agent forwarding when this key is used for |
553 | authentication. | 557 | authentication. |
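Review bot: typo at new line 546, "IP addressess" should be "IP addresses". Two further points on this hunk. First, the new paragraph at lines 543-546 says only that a from stanza "may match IP addressess using CIDR address/masklen notation" but never shows the form; a one-line example next to the existing ssh_config(5) PATTERNS cross-reference, e.g. from="192.0.2.0/24", would pin down the accepted syntax (and if the matcher in addrmatch.c also accepts IPv6 prefixes, say so here, since readers will otherwise only be able to guess). Second, the rationale paragraph that was moved to new lines 548-554 still argues that a stolen key is of limited use because "name servers and/or routers would have to be compromised in addition to just the key"; once an entry is an address-only CIDR match the name-server half of that argument no longer applies, so consider rewording it to say that the intruder would additionally have to originate the connection from the permitted host names or address ranges.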