- markus@cvs.openbsd.org 2004/08/26 16:00:55

[ssh.1 sshd.8] get rid of references to rhosts authentication; with jmc@
author: Darren Tucker <dtucker@zip.com.au> 2004-08-29 16:37:24 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2004-08-29 16:37:24 +1000
commit: db693908178e1e2390d2bbfc34fe709eb23ea039 (patch)
tree: 59504c4b6f9daac326f510097daeda07b150b43d /sshd.8
parent: 34620d6f710f97bddc6f7730cee5c6404c4153ba (diff)
1 files changed, 10 insertions, 11 deletions
diff --git a/sshd.8 b/sshd.8
index 233b00037..83d0f48d2 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.202 2004/08/26 16:00:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
 .Em .rhosts
-authentication,
-.Em .rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
@@ -135,11 +133,6 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
-.Em rhosts
-authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.
-System security is not improved unless
 .Nm rshd ,
 .Nm rlogind ,
 and
@@ -670,7 +663,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+and contains host-username pairs, separated by a space, one per
 line.
 The given user on the corresponding host is permitted to log in
 without a password.
@@ -691,7 +688,9 @@ However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@@ -710,7 +709,7 @@ Negated entries start with
 If the client host/user is successfully matched in this file, login is
 automatically permitted provided the client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
 This file must be writable only by root; it is recommended
 that it be world-readable.
 .Pp
author	Darren Tucker <dtucker@zip.com.au>	2004-08-29 16:37:24 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2004-08-29 16:37:24 +1000
commit	db693908178e1e2390d2bbfc34fe709eb23ea039 (patch)
tree	59504c4b6f9daac326f510097daeda07b150b43d /sshd.8
parent	34620d6f710f97bddc6f7730cee5c6404c4153ba (diff)

diff --git a/sshd.8 b/sshd.8 index 233b00037..83d0f48d2 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $	37	.\" $OpenBSD: sshd.8,v 1.202 2004/08/26 16:00:55 markus Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
106	Next, the server and the client enter an authentication dialog.	106	Next, the server and the client enter an authentication dialog.
107	The client tries to authenticate itself using	107	The client tries to authenticate itself using
108	.Em .rhosts	108	.Em .rhosts
109	authentication,
110	.Em .rhosts
111	authentication combined with RSA host	109	authentication combined with RSA host
112	authentication, RSA challenge-response authentication, or password	110	authentication, RSA challenge-response authentication, or password
113	based authentication.	111	based authentication.
@@ -135,11 +133,6 @@ or
135	.Ql \&NP\&	133	.Ql \&NP\&
136	).	134	).
137	.Pp	135	.Pp
138	.Em rhosts
139	authentication is normally disabled
140	because it is fundamentally insecure, but can be enabled in the server
141	configuration file if desired.
142	System security is not improved unless
143	.Nm rshd ,	136	.Nm rshd ,
144	.Nm rlogind ,	137	.Nm rlogind ,
145	and	138	and
@@ -670,7 +663,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
670	Further details are described in	663	Further details are described in
671	.Xr hosts_access 5 .	664	.Xr hosts_access 5 .
672	.It Pa $HOME/.rhosts	665	.It Pa $HOME/.rhosts
673	This file contains host-username pairs, separated by a space, one per	666	This file is used during
		667	.Cm RhostsRSAAuthentication
		668	and
		669	.Cm HostbasedAuthentication
		670	and contains host-username pairs, separated by a space, one per
674	line.	671	line.
675	The given user on the corresponding host is permitted to log in	672	The given user on the corresponding host is permitted to log in
676	without a password.	673	without a password.
@@ -691,7 +688,9 @@ However, this file is
691	not used by rlogin and rshd, so using this permits access using SSH only.	688	not used by rlogin and rshd, so using this permits access using SSH only.
692	.It Pa /etc/hosts.equiv	689	.It Pa /etc/hosts.equiv
693	This file is used during	690	This file is used during
694	.Em rhosts	691	.Cm RhostsRSAAuthentication
		692	and
		693	.Cm HostbasedAuthentication
695	authentication.	694	authentication.
696	In the simplest form, this file contains host names, one per line.	695	In the simplest form, this file contains host names, one per line.
697	Users on	696	Users on
@@ -710,7 +709,7 @@ Negated entries start with
710	If the client host/user is successfully matched in this file, login is	709	If the client host/user is successfully matched in this file, login is
711	automatically permitted provided the client and server user names are the	710	automatically permitted provided the client and server user names are the
712	same.	711	same.
713	Additionally, successful RSA host authentication is normally required.	712	Additionally, successful client host key authentication is required.
714	This file must be writable only by root; it is recommended	713	This file must be writable only by root; it is recommended
715	that it be world-readable.	714	that it be world-readable.
716	.Pp	715	.Pp