-rw-r--r-- moduli.5 | 4
-rw-r--r-- ssh-keygen.1 | 12
-rw-r--r-- ssh.1 | 4
-rw-r--r-- sshd.8 | 5
-rw-r--r-- sshd_config.5 | 3
5 files changed, 13 insertions, 15 deletions
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
21.Nd Diffie-Hellman moduli 21.Nd Diffie-Hellman moduli
22.Sh DESCRIPTION 22.Sh DESCRIPTION
23The 23The
24.Pa /etc/moduli 24.Pa /etc/ssh/moduli
25file contains prime numbers and generators for use by 25file contains prime numbers and generators for use by
26.Xr sshd 8 26.Xr sshd 8
27in the Diffie-Hellman Group Exchange key exchange method. 27in the Diffie-Hellman Group Exchange key exchange method.
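Review bot: The `.Pa /etc/ssh/moduli` change at line 24 is only correct if the installed sshd actually reads that path, and all five files in this commit are manual pages, so nothing here shows the compiled-in moduli location being moved to match. Please confirm the build's configured path is `/etc/ssh/moduli`; otherwise the page sends administrators to maintain a file the daemon never opens.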
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
110Diffie-Hellman output to sufficiently key the selected symmetric cipher. 110Diffie-Hellman output to sufficiently key the selected symmetric cipher.
111.Xr sshd 8 111.Xr sshd 8
112then randomly selects a modulus from 112then randomly selects a modulus from
113.Fa /etc/moduli 113.Fa /etc/ssh/moduli
114that best meets the size requirement. 114that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
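Review bot: At line 113 the path is still marked up with `.Fa` (function argument), while the same path at line 24 of this file uses `.Pa`. Since the line is being touched anyway, change it to `.Pa /etc/ssh/moduli` so both references render consistently.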
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 37a4fc2b2..24bed5f61 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -178,9 +178,7 @@ key in
178.Pa ~/.ssh/id_ed25519 178.Pa ~/.ssh/id_ed25519
179or 179or
180.Pa ~/.ssh/id_rsa . 180.Pa ~/.ssh/id_rsa .
181Additionally, the system administrator may use this to generate host keys, 181Additionally, the system administrator may use this to generate host keys.
182as seen in
183.Pa /etc/rc .
184.Pp 182.Pp
185Normally this program generates the key and asks for a file in which 183Normally this program generates the key and asks for a file in which
186to store the private key. 184to store the private key.
@@ -227,9 +225,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
227for which host keys 225for which host keys
228do not exist, generate the host keys with the default key file path, 226do not exist, generate the host keys with the default key file path,
229an empty passphrase, default bits for the key type, and default comment. 227an empty passphrase, default bits for the key type, and default comment.
230This is used by 228This is used by system administration scripts to generate new host keys.
231.Pa /etc/rc
232to generate new host keys.
233.It Fl a Ar rounds 229.It Fl a Ar rounds
234When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 230When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
2352 key when the 2312 key when the
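Review bot: The replacement sentence at line 228, "This is used by system administration scripts to generate new host keys.", no longer tells the reader where that generation happens, while the context lines above say these keys are created with an empty passphrase and default bits. Consider naming the script or package hook that runs this on the target system, as the removed `.Pa /etc/rc` reference did, so an administrator can find and audit it.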
@@ -642,7 +638,7 @@ option.
642Valid generator values are 2, 3, and 5. 638Valid generator values are 2, 3, and 5.
643.Pp 639.Pp
644Screened DH groups may be installed in 640Screened DH groups may be installed in
645.Pa /etc/moduli . 641.Pa /etc/ssh/moduli .
646It is important that this file contains moduli of a range of bit lengths and 642It is important that this file contains moduli of a range of bit lengths and
647that both ends of a connection share common moduli. 643that both ends of a connection share common moduli.
648.Sh CERTIFICATES 644.Sh CERTIFICATES
@@ -841,7 +837,7 @@ on all machines
841where the user wishes to log in using public key authentication. 837where the user wishes to log in using public key authentication.
842There is no need to keep the contents of this file secret. 838There is no need to keep the contents of this file secret.
843.Pp 839.Pp
844.It Pa /etc/moduli 840.It Pa /etc/ssh/moduli
845Contains Diffie-Hellman groups used for DH-GEX. 841Contains Diffie-Hellman groups used for DH-GEX.
846The file format is described in 842The file format is described in
847.Xr moduli 5 . 843.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index feb0e8919..41e0aabd2 100644
--- a/ssh.1
+++ b/ssh.1
@@ -852,6 +852,10 @@ implements public key authentication protocol automatically,
852using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 852using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
853The HISTORY section of 853The HISTORY section of
854.Xr ssl 8 854.Xr ssl 8
855(on non-OpenBSD systems, see
856.nh
857http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
858.hy
855contains a brief discussion of the DSA and RSA algorithms. 859contains a brief discussion of the DSA and RSA algorithms.
856.Pp 860.Pp
857The file 861The file
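Review bot: The URL added at line 857 is plain `http://` and is wrapped in the raw roff requests `.nh` and `.hy` rather than an mdoc macro. Consider `.Lk` for the link and an https URL if the site serves one. The parenthetical also lands between `.Xr ssl 8` and "contains a brief discussion", so check that the rendered sentence still reads cleanly.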
diff --git a/sshd.8 b/sshd.8
index 589841fcc..58eefe911 100644
--- a/sshd.8
+++ b/sshd.8
@@ -67,7 +67,7 @@ over an insecure network.
67.Nm 67.Nm
68listens for connections from clients. 68listens for connections from clients.
69It is normally started at boot from 69It is normally started at boot from
70.Pa /etc/rc . 70.Pa /etc/init.d/ssh .
71It forks a new 71It forks a new
72daemon for each incoming connection. 72daemon for each incoming connection.
73The forked daemons handle 73The forked daemons handle
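Review bot: `.Pa /etc/init.d/ssh .` at line 70 states one specific init script path as the place the daemon is started from, which holds only on installations where that script is what launches it. If the package can also be started another way, a wording that does not name a single path would stay accurate longer.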
@@ -891,7 +891,7 @@ This file is for host-based authentication (see
891.Xr ssh 1 ) . 891.Xr ssh 1 ) .
892It should only be writable by root. 892It should only be writable by root.
893.Pp 893.Pp
894.It Pa /etc/moduli 894.It Pa /etc/ssh/moduli
895Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 895Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
896key exchange method. 896key exchange method.
897The file format is described in 897The file format is described in
@@ -993,7 +993,6 @@ The content of this file is not sensitive; it can be world-readable.
993.Xr ssh-keyscan 1 , 993.Xr ssh-keyscan 1 ,
994.Xr chroot 2 , 994.Xr chroot 2 ,
995.Xr hosts_access 5 , 995.Xr hosts_access 5 ,
996.Xr login.conf 5 ,
997.Xr moduli 5 , 996.Xr moduli 5 ,
998.Xr sshd_config 5 , 997.Xr sshd_config 5 ,
999.Xr inetd 8 , 998.Xr inetd 8 ,
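Review bot: Dropping `.Xr login.conf 5` from SEE ALSO (old line 996) matches the sshd_config.5 change, but only the cross-reference list is visible in this hunk. Check the body of sshd.8 for remaining mentions of login.conf so the page does not refer to a manual it no longer lists.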
diff --git a/sshd_config.5 b/sshd_config.5
index b56564044..4d255e5ce 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -375,8 +375,7 @@ then no banner is displayed.
375By default, no banner is displayed. 375By default, no banner is displayed.
376.It Cm ChallengeResponseAuthentication 376.It Cm ChallengeResponseAuthentication
377Specifies whether challenge-response authentication is allowed (e.g. via 377Specifies whether challenge-response authentication is allowed (e.g. via
378PAM or through authentication styles supported in 378PAM).
379.Xr login.conf 5 )
380The default is 379The default is
381.Dq yes . 380.Dq yes .
382.It Cm ChrootDirectory 381.It Cm ChrootDirectory