-rw-r--r-- moduli.5 4
-rw-r--r-- ssh-keygen.1 12
-rw-r--r-- ssh.1 4
-rw-r--r-- sshd.8 5
-rw-r--r-- sshd_config.5 3
5 files changed, 13 insertions, 15 deletions
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
21.Nd Diffie-Hellman moduli 21.Nd Diffie-Hellman moduli
22.Sh DESCRIPTION 22.Sh DESCRIPTION
23The 23The
24.Pa /etc/moduli 24.Pa /etc/ssh/moduli
25file contains prime numbers and generators for use by 25file contains prime numbers and generators for use by
26.Xr sshd 8 26.Xr sshd 8
27in the Diffie-Hellman Group Exchange key exchange method. 27in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
110Diffie-Hellman output to sufficiently key the selected symmetric cipher. 110Diffie-Hellman output to sufficiently key the selected symmetric cipher.
111.Xr sshd 8 111.Xr sshd 8
112then randomly selects a modulus from 112then randomly selects a modulus from
113.Fa /etc/moduli 113.Fa /etc/ssh/moduli
114that best meets the size requirement. 114that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
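Review bot: the updated path at line 113 is still marked up with .Fa, while the same path at line 24 in the previous hunk uses .Pa. Since the line is being edited anyway, change it to ".Pa /etc/ssh/moduli" so the file path is tagged as a path in both places.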
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 7af564297..d6a7870e0 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -196,9 +196,7 @@ key in
196.Pa ~/.ssh/id_ed25519_sk 196.Pa ~/.ssh/id_ed25519_sk
197or 197or
198.Pa ~/.ssh/id_rsa . 198.Pa ~/.ssh/id_rsa .
199Additionally, the system administrator may use this to generate host keys, 199Additionally, the system administrator may use this to generate host keys.
200as seen in
201.Pa /etc/rc .
202.Pp 200.Pp
203Normally this program generates the key and asks for a file in which 201Normally this program generates the key and asks for a file in which
204to store the private key. 202to store the private key.
@@ -261,9 +259,7 @@ If
261.Fl f 259.Fl f
262has also been specified, its argument is used as a prefix to the 260has also been specified, its argument is used as a prefix to the
263default path for the resulting host key files. 261default path for the resulting host key files.
264This is used by 262This is used by system administration scripts to generate new host keys.
265.Pa /etc/rc
266to generate new host keys.
267.It Fl a Ar rounds 263.It Fl a Ar rounds
268When saving a private key, this option specifies the number of KDF 264When saving a private key, this option specifies the number of KDF
269(key derivation function) rounds used. 265(key derivation function) rounds used.
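Review bot: the replacement sentence at new line 262, "This is used by system administration scripts to generate new host keys.", names no script, so an administrator auditing where host keys get created has nothing to look up. The same applies to the shortened sentence at new line 199 in the previous hunk. Name the script or package hook that performs host key generation on this system, as the removed /etc/rc reference did.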
@@ -783,7 +779,7 @@ option.
783Valid generator values are 2, 3, and 5. 779Valid generator values are 2, 3, and 5.
784.Pp 780.Pp
785Screened DH groups may be installed in 781Screened DH groups may be installed in
786.Pa /etc/moduli . 782.Pa /etc/ssh/moduli .
787It is important that this file contains moduli of a range of bit lengths and 783It is important that this file contains moduli of a range of bit lengths and
788that both ends of a connection share common moduli. 784that both ends of a connection share common moduli.
789.Pp 785.Pp
@@ -1154,7 +1150,7 @@ on all machines
1154where the user wishes to log in using public key authentication. 1150where the user wishes to log in using public key authentication.
1155There is no need to keep the contents of this file secret. 1151There is no need to keep the contents of this file secret.
1156.Pp 1152.Pp
1157.It Pa /etc/moduli 1153.It Pa /etc/ssh/moduli
1158Contains Diffie-Hellman groups used for DH-GEX. 1154Contains Diffie-Hellman groups used for DH-GEX.
1159The file format is described in 1155The file format is described in
1160.Xr moduli 5 . 1156.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index cf991e4ee..17b0e984f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
887using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 887using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
888The HISTORY section of 888The HISTORY section of
889.Xr ssl 8 889.Xr ssl 8
890(on non-OpenBSD systems, see
891.nh
892http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
893.hy
890contains a brief discussion of the DSA and RSA algorithms. 894contains a brief discussion of the DSA and RSA algorithms.
891.Pp 895.Pp
892The file 896The file
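Review bot: the link added at new line 892 uses plain http://, and its closing parenthesis is fused to the URL ("#HISTORY)"), so a renderer that auto-links the text will likely include the ")" in the target. Use an https:// URL if the site serves one, and put the parenthesis on its own line or mark the link up with the mdoc .Lk macro instead of wrapping a raw URL in the roff requests .nh and .hy.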
diff --git a/sshd.8 b/sshd.8
index 730520231..5ce0ea4fa 100644
--- a/sshd.8
+++ b/sshd.8
@@ -65,7 +65,7 @@ over an insecure network.
65.Nm 65.Nm
66listens for connections from clients. 66listens for connections from clients.
67It is normally started at boot from 67It is normally started at boot from
68.Pa /etc/rc . 68.Pa /etc/init.d/ssh .
69It forks a new 69It forks a new
70daemon for each incoming connection. 70daemon for each incoming connection.
71The forked daemons handle 71The forked daemons handle
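Review bot: new line 68 states that sshd is normally started at boot from /etc/init.d/ssh, which ties the page to a single init script name. Where the daemon is started by a different service manager, the sentence sends the reader to a file that is not the real startup path. Either confirm this is the script the package installs on every supported configuration, or word the sentence without a fixed path.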
@@ -904,7 +904,7 @@ This file is for host-based authentication (see
904.Xr ssh 1 ) . 904.Xr ssh 1 ) .
905It should only be writable by root. 905It should only be writable by root.
906.Pp 906.Pp
907.It Pa /etc/moduli 907.It Pa /etc/ssh/moduli
908Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 908Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
909key exchange method. 909key exchange method.
910The file format is described in 910The file format is described in
@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
1002.Xr ssh-keyscan 1 , 1002.Xr ssh-keyscan 1 ,
1003.Xr chroot 2 , 1003.Xr chroot 2 ,
1004.Xr hosts_access 5 , 1004.Xr hosts_access 5 ,
1005.Xr login.conf 5 ,
1006.Xr moduli 5 , 1005.Xr moduli 5 ,
1007.Xr sshd_config 5 , 1006.Xr sshd_config 5 ,
1008.Xr inetd 8 , 1007.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index c926f584c..25f4b8117 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
387public key or host-based authentication. 387public key or host-based authentication.
388.It Cm ChallengeResponseAuthentication 388.It Cm ChallengeResponseAuthentication
389Specifies whether challenge-response authentication is allowed (e.g. via 389Specifies whether challenge-response authentication is allowed (e.g. via
390PAM or through authentication styles supported in 390PAM).
391.Xr login.conf 5 )
392The default is 391The default is
393.Cm yes . 392.Cm yes .
394.It Cm ChrootDirectory 393.It Cm ChrootDirectory
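Review bot: with the login.conf 5 reference dropped at old lines 390-391 here and from SEE ALSO in sshd.8, check the other pages touched by this commit for leftover ".Xr login.conf 5" entries, so the set stays consistent. The shortened description now gives PAM as the only example while the default stays "yes", so it is also worth confirming the remaining text of this option still describes what is enabled by default.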