author | djm@openbsd.org <djm@openbsd.org> | 2014-12-22 07:51:30 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-12-22 19:06:52 +1100 |
commit | f69b69b8625be447b8826b21d87713874dac25a6 (patch) | |
tree | ad29e7621445860c76e02f7f2384b0198bfc27e5 /sshd_config.5 | |
parent | 46ac2ed4677968224c4ca825bc98fc68dae183f0 (diff) |
upstream commit
remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ pubkeys.
ok markus@
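The rule the commit describes, as an added example that is not OpenSSH's code: a small Python model of how a server can walk one `AuthenticationMethods` list (for instance `publickey,publickey`, with `PubkeyAuthentication yes` also set) while remembering which public keys have already completed a `publickey` step, so that offering the same key twice does not satisfy a list that asks for two keys. The key blobs, the hex SHA-256 fingerprint used to identify a key, and the `AuthMethodTracker` / `run` names are assumptions made for this illustration; the model handles a single method list and ignores the space-separated alternative lists that sshd_config also allows.

```python
"""Model of the 'no key reuse' rule for AuthenticationMethods.

Added example, not OpenSSH's implementation.  The server remembers
which public keys completed a "publickey" step and refuses a later
"publickey" step with the same key, so "publickey,publickey" can only
be satisfied by two different keys.
"""
import hashlib


def fingerprint(pubkey_blob: bytes) -> str:
    """Identify a key by a hex SHA-256 digest of its wire blob.
    (OpenSSH prints base64 SHA256 fingerprints; hex is a simplification.)"""
    return hashlib.sha256(pubkey_blob).hexdigest()


class AuthMethodTracker:
    """Track progress through one comma-separated AuthenticationMethods
    list, e.g. "publickey,publickey" or "publickey,keyboard-interactive"."""

    def __init__(self, methods: str):
        self.remaining = methods.split(",")
        self.used_keys = set()  # fingerprints of keys already consumed

    def publickey_success(self, pubkey_blob: bytes) -> bool:
        """A client key verified correctly.  Return True if this step
        counts towards the list, False if it is refused."""
        if not self.remaining or self.remaining[0] != "publickey":
            return False  # a publickey step is not what is expected next
        fp = fingerprint(pubkey_blob)
        if fp in self.used_keys:
            return False  # previously-used key: refuse, per the commit
        self.used_keys.add(fp)
        self.remaining.pop(0)
        return True

    def other_success(self, method: str) -> bool:
        """Some non-publickey method (e.g. keyboard-interactive) succeeded."""
        if not self.remaining or self.remaining[0] != method:
            return False
        self.remaining.pop(0)
        return True

    @property
    def authenticated(self) -> bool:
        """True once every method in the list has been satisfied."""
        return not self.remaining


def run(methods: str, events) -> bool:
    """Replay a sequence of successful (method, key_blob_or_None) events
    against one method list and report whether the user ends up fully
    authenticated.  A refused step simply does not advance the list."""
    tracker = AuthMethodTracker(methods)
    for method, key in events:
        if method == "publickey":
            tracker.publickey_success(key)
        else:
            tracker.other_success(method)
    return tracker.authenticated


# Constructed key blobs standing in for two distinct user keys.
KEY_A = b"ssh-ed25519 constructed-key-A"
KEY_B = b"ssh-ed25519 constructed-key-B"

if __name__ == "__main__":
    # Same key twice: refused, still not authenticated.
    print(run("publickey,publickey", [("publickey", KEY_A), ("publickey", KEY_A)]))
    # Two different keys: authenticated.
    print(run("publickey,publickey", [("publickey", KEY_A), ("publickey", KEY_B)]))
```

Without the `used_keys` check, the first case would also pass, which is exactly the gap the commit closes: a list of two `publickey` entries would be satisfiable by one key signed twice.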
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 938ba2f1a..d2ab28136 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.184 2014/12/21 23:35:14 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.185 2014/12/22 07:51:30 djm Exp $ |
37 | .Dd $Mdocdate: December 21 2014 $ | 37 | .Dd $Mdocdate: December 22 2014 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -210,6 +210,18 @@ would restrict keyboard interactive authentication to the | |||
210 | .Dq bsdauth | 210 | .Dq bsdauth |
211 | device. | 211 | device. |
212 | .Pp | 212 | .Pp |
213 | If the | ||
214 | .Dq publickey | ||
215 | method is listed more than one, | ||
216 | .Xr sshd 8 | ||
217 | verifies that keys that have been used successfully are not reused for | ||
218 | subsequent authentications. | ||
219 | For example, an | ||
220 | .Cm AuthenticationMethods | ||
221 | of | ||
222 | .Dq publickey,publickey | ||
223 | will require successful authentication using two different public keys. | ||
224 | .Pp | ||
213 | This option is only available for SSH protocol 2 and will yield a fatal | 225 | This option is only available for SSH protocol 2 and will yield a fatal |
214 | error if enabled if protocol 1 is also enabled. | 226 | error if enabled if protocol 1 is also enabled. |
215 | Note that each authentication method listed should also be explicitly enabled | 227 | Note that each authentication method listed should also be explicitly enabled |
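Review bot: typo in the added text at line 215 of the new file, "method is listed more than one," should read "method is listed more than once,"; suggest `method is listed more than once,`. The rest of the new paragraph is clear, and the example "publickey,publickey" matches the commit message's stated intent of requiring two different public keys.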