summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rw-r--r--ssh.135
-rw-r--r--sshd.850
3 files changed, 48 insertions, 41 deletions
diff --git a/ChangeLog b/ChangeLog
index f8e1d0e2e..c441b2013 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,10 @@
12 - djm@cvs.openbsd.org 2010/03/04 23:17:25 12 - djm@cvs.openbsd.org 2010/03/04 23:17:25
13 [sshd_config.5] 13 [sshd_config.5]
14 missing word; spotted by jmc@ 14 missing word; spotted by jmc@
15 - djm@cvs.openbsd.org 2010/03/04 23:19:29
16 [ssh.1 sshd.8]
17 move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
18 format section and rework it a bit; requested by jmc@
15 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older 19 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
16 compilers. OK djm@ 20 compilers. OK djm@
17 21
diff --git a/ssh.1 b/ssh.1
index 8c53d4b07..b201d87de 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.298 2010/03/04 12:51:25 jmc Exp $ 37.\" $OpenBSD: ssh.1,v 1.299 2010/03/04 23:19:29 djm Exp $
38.Dd $Mdocdate: March 4 2010 $ 38.Dd $Mdocdate: March 4 2010 $
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -1104,39 +1104,6 @@ option in
1104.Xr ssh_config 5 1104.Xr ssh_config 5
1105for more information. 1105for more information.
1106.Pp 1106.Pp
1107Host keys may also be presented as certificates signed by a trusted
1108certification authority (CA).
1109In this case, trust of the CA key alone is sufficient for the host key
1110to be accepted.
1111To specify a public key as a trusted CA key in a known hosts file,
1112it should be added after a
1113.Dq @cert-authority
1114tag and a set of one or more domain-name wildcards separated by commas.
1115For example:
1116.Pp
1117.Dl @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
1118.Pp
1119See the
1120.Sx CERTIFICATES
1121section of
1122.Xr ssh-keygen 1
1123for more details.
1124.Pp
1125Keys may also be marked as revoked using the
1126.Dq @revoked
1127marker.
1128Revoked keys will always trigger a warning when encountered and the host
1129that presented them will be treated as untrusted.
1130For example:
1131.Pp
1132.Dl @revoked * ssh-rsa AAAAB5W...
1133.Pp
1134Revoking a key revokes it for direct use and as a certification authority.
1135Do not use both the
1136.Dq @cert-authority
1137and
1138.Dq @revoked
1139markers on the same line.
1140.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS 1107.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1141.Nm 1108.Nm
1142contains support for Virtual Private Network (VPN) tunnelling 1109contains support for Virtual Private Network (VPN) tunnelling
diff --git a/sshd.8 b/sshd.8
index d31538176..577d19940 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.253 2010/03/03 22:49:50 djm Exp $ 37.\" $OpenBSD: sshd.8,v 1.254 2010/03/04 23:19:29 djm Exp $
38.Dd $Mdocdate: March 3 2010 $ 38.Dd $Mdocdate: March 4 2010 $
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -634,10 +634,19 @@ be prepared by the administrator (optional), and the per-user file is
634maintained automatically: whenever the user connects from an unknown host, 634maintained automatically: whenever the user connects from an unknown host,
635its key is added to the per-user file. 635its key is added to the per-user file.
636.Pp 636.Pp
637Each line in these files contains the following fields: hostnames, 637Each line in these files contains the following fields: markers (optional),
638bits, exponent, modulus, comment. 638hostnames, bits, exponent, modulus, comment.
639The fields are separated by spaces. 639The fields are separated by spaces.
640.Pp 640.Pp
641The marker is optional, but if it is present then it must be one of
642.Dq @cert-authority ,
643to indicate that the line contains a certification authority (CA) key,
644or
645.Dq @revoked ,
646to indicate that the key contained on the line is revoked and must not ever
647be accepted.
648Only one marker should be used on a key line.
649.Pp
641Hostnames is a comma-separated list of patterns 650Hostnames is a comma-separated list of patterns
642.Pf ( Ql * 651.Pf ( Ql *
643and 652and
@@ -677,8 +686,25 @@ Lines starting with
677and empty lines are ignored as comments. 686and empty lines are ignored as comments.
678.Pp 687.Pp
679When performing host authentication, authentication is accepted if any 688When performing host authentication, authentication is accepted if any
680matching line has the proper key. 689matching line has the proper key; either one that matches exactly or,
681It is thus permissible (but not 690if the server has presented a certificate for authentication, the key
691of the certification authority that signed the certificate.
692For a key to be trusted as a certification authority, it must use the
693.Dq @cert-authority
694marker described above.
695.Pp
696The known hosts file also provides a facility to mark keys as revoked,
697for example when it is known that the associated private key has been
698stolen.
699Revoked keys are specified by including the
700.Dq @revoked
701marker at the beginning of the key line, and are never accepted for
702authentication or as certification authorities, but instead will
703produce a warning from
704.Xr ssh 1
705when they are encountered.
706.Pp
707It is permissible (but not
682recommended) to have several lines or different host keys for the same 708recommended) to have several lines or different host keys for the same
683names. 709names.
684This will inevitably happen when short forms of host names 710This will inevitably happen when short forms of host names
@@ -689,10 +715,16 @@ accepted if valid information can be found from either file.
689.Pp 715.Pp
690Note that the lines in these files are typically hundreds of characters 716Note that the lines in these files are typically hundreds of characters
691long, and you definitely don't want to type in the host keys by hand. 717long, and you definitely don't want to type in the host keys by hand.
692Rather, generate them by a script 718Rather, generate them by a script,
719.Xr ssh-keyscan 1
693or by taking 720or by taking
694.Pa /etc/ssh/ssh_host_key.pub 721.Pa /etc/ssh/ssh_host_key.pub
695and adding the host names at the front. 722and adding the host names at the front.
723.Xr ssh-keygen 1
724also offers some basic automated editing for
725.Pa ~/.ssh/known_hosts
726including removing hosts matching a host name and converting all host
727names to their hashed representations.
696.Pp 728.Pp
697An example ssh_known_hosts file: 729An example ssh_known_hosts file:
698.Bd -literal -offset 3n 730.Bd -literal -offset 3n
@@ -702,6 +734,10 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
702# A hashed hostname 734# A hashed hostname
703|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa 735|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
704AAAA1234.....= 736AAAA1234.....=
737# A revoked key
738@revoked * ssh-rsa AAAAB5W...
739# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
740@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
705.Ed 741.Ed
706.Sh FILES 742.Sh FILES
707.Bl -tag -width Ds -compact 743.Bl -tag -width Ds -compact