-rw-r--r-- | ChangeLog | 5
-rw-r--r-- | ssh-keygen.1 | 6
-rw-r--r-- | ssh.1 | 13
-rw-r--r-- | ssh_config.5 | 25
-rw-r--r-- | sshd.8 | 14
-rw-r--r-- | sshd_config.5 | 38
6 files changed, 57 insertions, 44 deletions
@@ -8,6 +8,9 @@ | |||
8 | - added .Xr's | 8 | - added .Xr's |
9 | - typos | 9 | - typos |
10 | ok djm@ | 10 | ok djm@ |
11 | - jmc@cvs.openbsd.org 2003/05/20 12:09:31 | ||
12 | [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1] | ||
13 | new sentence, new line | ||
11 | 14 | ||
12 | 20030520 | 15 | 20030520 |
13 | - (djm) OpenBSD CVS Sync | 16 | - (djm) OpenBSD CVS Sync |
@@ -1596,4 +1599,4 @@ | |||
1596 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1599 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1597 | ok provos@ | 1600 | ok provos@ |
1598 | 1601 | ||
1599 | $Id: ChangeLog,v 1.2746 2003/05/23 08:44:04 djm Exp $ | 1602 | $Id: ChangeLog,v 1.2747 2003/05/23 08:44:23 djm Exp $ |
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 613d71a07..1583384af 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.57 2003/05/14 18:16:20 jakob Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.58 2003/05/20 12:09:31 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -93,8 +93,8 @@ generates, manages and converts authentication keys for | |||
93 | .Xr ssh 1 . | 93 | .Xr ssh 1 . |
94 | .Nm | 94 | .Nm |
95 | can create RSA keys for use by SSH protocol version 1 and RSA or DSA | 95 | can create RSA keys for use by SSH protocol version 1 and RSA or DSA |
96 | keys for use by SSH protocol version 2. The type of key to be generated | 96 | keys for use by SSH protocol version 2. |
97 | is specified with the | 97 | The type of key to be generated is specified with the |
98 | .Fl t | 98 | .Fl t |
99 | option. | 99 | option. |
100 | .Pp | 100 | .Pp |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.171 2003/05/15 04:08:41 markus Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.172 2003/05/20 12:09:31 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -488,8 +488,8 @@ It is possible to have multiple | |||
488 | options (and multiple identities specified in | 488 | options (and multiple identities specified in |
489 | configuration files). | 489 | configuration files). |
490 | .It Fl I Ar smartcard_device | 490 | .It Fl I Ar smartcard_device |
491 | Specifies which smartcard device to use. The argument is | 491 | Specifies which smartcard device to use. |
492 | the device | 492 | The argument is the device |
493 | .Nm | 493 | .Nm |
494 | should use to communicate with a smartcard used for storing the user's | 494 | should use to communicate with a smartcard used for storing the user's |
495 | private RSA key. | 495 | private RSA key. |
@@ -542,9 +542,10 @@ per-host basis in the configuration file. | |||
542 | Quiet mode. | 542 | Quiet mode. |
543 | Causes all warning and diagnostic messages to be suppressed. | 543 | Causes all warning and diagnostic messages to be suppressed. |
544 | .It Fl s | 544 | .It Fl s |
545 | May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use | 545 | May be used to request invocation of a subsystem on the remote system. |
546 | of SSH as a secure transport for other applications (eg. sftp). The | 546 | Subsystems are a feature of the SSH2 protocol which facilitate the use |
547 | subsystem is specified as the remote command. | 547 | of SSH as a secure transport for other applications (eg. sftp). |
548 | The subsystem is specified as the remote command. | ||
548 | .It Fl t | 549 | .It Fl t |
549 | Force pseudo-tty allocation. | 550 | Force pseudo-tty allocation. |
550 | This can be used to execute arbitrary | 551 | This can be used to execute arbitrary |
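Review bot: the abbreviation on new line 547, "(eg. sftp)", should be "(e.g. sftp)"; this line is already being rewrapped by the commit, so fixing the punctuation here is cheap and brings it in line with the "(e.g." form ssh_config.5 uses in the PreferredAuthentications entry of this same patch.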
diff --git a/ssh_config.5 b/ssh_config.5 index 67166b758..99050d38a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.10 2003/05/16 03:27:12 djm Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.11 2003/05/20 12:09:32 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -116,7 +116,8 @@ The host is the | |||
116 | argument given on the command line (i.e., the name is not converted to | 116 | argument given on the command line (i.e., the name is not converted to |
117 | a canonicalized host name before matching). | 117 | a canonicalized host name before matching). |
118 | .It Cm AddressFamily | 118 | .It Cm AddressFamily |
119 | Specifies which address family to use when connecting. Valid arguments are | 119 | Specifies which address family to use when connecting. |
120 | Valid arguments are | ||
120 | .Dq any , | 121 | .Dq any , |
121 | .Dq inet | 122 | .Dq inet |
122 | (Use IPv4 only) or | 123 | (Use IPv4 only) or |
@@ -236,9 +237,9 @@ This may be useful in scripts if the connection sometimes fails. | |||
236 | The default is 1. | 237 | The default is 1. |
237 | .It Cm ConnectTimeout | 238 | .It Cm ConnectTimeout |
238 | Specifies the timeout (in seconds) used when connecting to the ssh | 239 | Specifies the timeout (in seconds) used when connecting to the ssh |
239 | server, instead of using the default system TCP timeout. This value is | 240 | server, instead of using the default system TCP timeout. |
240 | used only when the target is down or really unreachable, not when it | 241 | This value is used only when the target is down or really unreachable, |
241 | refuses the connection. | 242 | not when it refuses the connection. |
242 | .It Cm DynamicForward | 243 | .It Cm DynamicForward |
243 | Specifies that a TCP/IP port on the local machine be forwarded | 244 | Specifies that a TCP/IP port on the local machine be forwarded |
244 | over the secure channel, and the application | 245 | over the secure channel, and the application |
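Review bot: style point on new line 241, "when the target is down or really unreachable": "really" is colloquial for a manual page and adds nothing the word "unreachable" does not already say. Since this commit is otherwise limited to wrapping, dropping it could be done here or left for a separate wording pass, but it should not survive indefinitely.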
@@ -351,7 +352,8 @@ Numeric IP addresses are also permitted (both on the command line and in | |||
351 | specifications). | 352 | specifications). |
352 | .It Cm IdentityFile | 353 | .It Cm IdentityFile |
353 | Specifies a file from which the user's RSA or DSA authentication identity | 354 | Specifies a file from which the user's RSA or DSA authentication identity |
354 | is read. The default is | 355 | is read. |
356 | The default is | ||
355 | .Pa $HOME/.ssh/identity | 357 | .Pa $HOME/.ssh/identity |
356 | for protocol version 1, and | 358 | for protocol version 1, and |
357 | .Pa $HOME/.ssh/id_rsa | 359 | .Pa $HOME/.ssh/id_rsa |
@@ -448,7 +450,8 @@ Specifies the port number to connect on the remote host. | |||
448 | Default is 22. | 450 | Default is 22. |
449 | .It Cm PreferredAuthentications | 451 | .It Cm PreferredAuthentications |
450 | Specifies the order in which the client should try protocol 2 | 452 | Specifies the order in which the client should try protocol 2 |
451 | authentication methods. This allows a client to prefer one method (e.g. | 453 | authentication methods. |
454 | This allows a client to prefer one method (e.g. | ||
452 | .Cm keyboard-interactive ) | 455 | .Cm keyboard-interactive ) |
453 | over another method (e.g. | 456 | over another method (e.g. |
454 | .Cm password ) | 457 | .Cm password ) |
@@ -561,12 +564,12 @@ The default is | |||
561 | .Dq yes . | 564 | .Dq yes . |
562 | Note that this option applies to protocol version 1 only. | 565 | Note that this option applies to protocol version 1 only. |
563 | .It Cm SmartcardDevice | 566 | .It Cm SmartcardDevice |
564 | Specifies which smartcard device to use. The argument to this keyword is | 567 | Specifies which smartcard device to use. |
565 | the device | 568 | The argument to this keyword is the device |
566 | .Nm ssh | 569 | .Nm ssh |
567 | should use to communicate with a smartcard used for storing the user's | 570 | should use to communicate with a smartcard used for storing the user's |
568 | private RSA key. By default, no device is specified and smartcard support | 571 | private RSA key. |
569 | is not activated. | 572 | By default, no device is specified and smartcard support is not activated. |
570 | .It Cm StrictHostKeyChecking | 573 | .It Cm StrictHostKeyChecking |
571 | If this flag is set to | 574 | If this flag is set to |
572 | .Dq yes , | 575 | .Dq yes , |
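Review bot: the SmartcardDevice text on new lines 567-572 describes the same thing as the ssh.1 -I smartcard_device option (new lines 491-495 earlier in this patch), and after this commit the sentence breaks match in both files. The one remaining difference is "The argument is the device" in ssh.1 versus "The argument to this keyword is the device" here; keeping the two paragraphs word-for-word identical would make it obvious when one drifts from the other.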
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.196 2003/04/30 20:41:07 david Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.197 2003/05/20 12:09:32 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -497,9 +497,9 @@ IPv6 addresses can be specified with an alternative syntax: | |||
497 | .Ar host/port . | 497 | .Ar host/port . |
498 | Multiple | 498 | Multiple |
499 | .Cm permitopen | 499 | .Cm permitopen |
500 | options may be applied separated by commas. No pattern matching is | 500 | options may be applied separated by commas. |
501 | performed on the specified hostnames, they must be literal domains or | 501 | No pattern matching is performed on the specified hostnames, |
502 | addresses. | 502 | they must be literal domains or addresses. |
503 | .El | 503 | .El |
504 | .Ss Examples | 504 | .Ss Examples |
505 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar | 505 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
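Review bot: new lines 501-502 carry over a comma splice from the original: "No pattern matching is performed on the specified hostnames, they must be literal domains or addresses." A semicolon or a full stop after "hostnames" fixes it without changing meaning, and since the sentence is being rewrapped anyway this is the moment to do it. It is worth getting right because this is the sentence that tells an administrator that a permitopen restriction accepts only literal hosts and addresses, not patterns.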
@@ -525,9 +525,9 @@ bits, exponent, modulus, comment. | |||
525 | The fields are separated by spaces. | 525 | The fields are separated by spaces. |
526 | .Pp | 526 | .Pp |
527 | Hostnames is a comma-separated list of patterns | 527 | Hostnames is a comma-separated list of patterns |
528 | .Pf ( Ql \&* | 528 | .Pf ( Ql \&* |
529 | and | 529 | and |
530 | .Ql \&? | 530 | .Ql \&? |
531 | act as | 531 | act as |
532 | wildcards); each pattern in turn is matched against the canonical host | 532 | wildcards); each pattern in turn is matched against the canonical host |
533 | name (when authenticating a client) or against the user-supplied | 533 | name (when authenticating a client) or against the user-supplied |
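Review bot: this hunk (@@ -525,9 +525,9 @@) shows no textual difference between the two sides; all nine lines are identical. If the change is trailing whitespace only, that is acceptable for a style commit, but please confirm the hunk is intentional rather than an artifact of how the patch was generated, since nothing in the ChangeLog entry mentions whitespace.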
diff --git a/sshd_config.5 b/sshd_config.5 index 8250be8d6..86b3289a1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.16 2003/04/30 01:16:20 mouring Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -107,7 +107,8 @@ Specifies the file that contains the public keys that can be used | |||
107 | for user authentication. | 107 | for user authentication. |
108 | .Cm AuthorizedKeysFile | 108 | .Cm AuthorizedKeysFile |
109 | may contain tokens of the form %T which are substituted during connection | 109 | may contain tokens of the form %T which are substituted during connection |
110 | set-up. The following tokens are defined: %% is replaced by a literal '%', | 110 | set-up. |
111 | The following tokens are defined: %% is replaced by a literal '%', | ||
111 | %h is replaced by the home directory of the user being authenticated and | 112 | %h is replaced by the home directory of the user being authenticated and |
112 | %u is replaced by the username of that user. | 113 | %u is replaced by the username of that user. |
113 | After expansion, | 114 | After expansion, |
@@ -153,20 +154,24 @@ This option applies to protocol version 2 only. | |||
153 | Sets the number of client alive messages (see above) which may be | 154 | Sets the number of client alive messages (see above) which may be |
154 | sent without | 155 | sent without |
155 | .Nm sshd | 156 | .Nm sshd |
156 | receiving any messages back from the client. If this threshold is | 157 | receiving any messages back from the client. |
157 | reached while client alive messages are being sent, | 158 | If this threshold is reached while client alive messages are being sent, |
158 | .Nm sshd | 159 | .Nm sshd |
159 | will disconnect the client, terminating the session. It is important | 160 | will disconnect the client, terminating the session. |
160 | to note that the use of client alive messages is very different from | 161 | It is important to note that the use of client alive messages is very |
162 | different from | ||
161 | .Cm KeepAlive | 163 | .Cm KeepAlive |
162 | (below). The client alive messages are sent through the | 164 | (below). |
163 | encrypted channel and therefore will not be spoofable. The TCP keepalive | 165 | The client alive messages are sent through the encrypted channel |
164 | option enabled by | 166 | and therefore will not be spoofable. |
167 | The TCP keepalive option enabled by | ||
165 | .Cm KeepAlive | 168 | .Cm KeepAlive |
166 | is spoofable. The client alive mechanism is valuable when the client or | 169 | is spoofable. |
170 | The client alive mechanism is valuable when the client or | ||
167 | server depend on knowing when a connection has become inactive. | 171 | server depend on knowing when a connection has become inactive. |
168 | .Pp | 172 | .Pp |
169 | The default value is 3. If | 173 | The default value is 3. |
174 | If | ||
170 | .Cm ClientAliveInterval | 175 | .Cm ClientAliveInterval |
171 | (above) is set to 15, and | 176 | (above) is set to 15, and |
172 | .Cm ClientAliveCountMax | 177 | .Cm ClientAliveCountMax |
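Review bot: the unchanged context on new line 171 reads "when the client or server depend on knowing"; with "or" joining two singular subjects the verb should be "depends", and the surrounding sentence is being rewrapped in this hunk so the fix fits here. The one-word line "If" on new line 174 is unavoidable because the following .Cm macro has to start its own line, so no objection to that. The split also leaves the security-relevant contrast intact: the client alive messages travel inside the encrypted channel and are not spoofable, while the TCP keepalive enabled by KeepAlive is.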
@@ -369,11 +374,12 @@ is not specified, | |||
369 | .Nm sshd | 374 | .Nm sshd |
370 | will listen on the address and all prior | 375 | will listen on the address and all prior |
371 | .Cm Port | 376 | .Cm Port |
372 | options specified. The default is to listen on all local | 377 | options specified. |
373 | addresses. | 378 | The default is to listen on all local addresses. |
374 | Multiple | 379 | Multiple |
375 | .Cm ListenAddress | 380 | .Cm ListenAddress |
376 | options are permitted. Additionally, any | 381 | options are permitted. |
382 | Additionally, any | ||
377 | .Cm Port | 383 | .Cm Port |
378 | options must precede this option for non port qualified addresses. | 384 | options must precede this option for non port qualified addresses. |
379 | .It Cm LoginGraceTime | 385 | .It Cm LoginGraceTime |
@@ -454,8 +460,8 @@ but only if the | |||
454 | .Ar command | 460 | .Ar command |
455 | option has been specified | 461 | option has been specified |
456 | (which may be useful for taking remote backups even if root login is | 462 | (which may be useful for taking remote backups even if root login is |
457 | normally not allowed). All other authentication methods are disabled | 463 | normally not allowed). |
458 | for root. | 464 | All other authentication methods are disabled for root. |
459 | .Pp | 465 | .Pp |
460 | If this option is set to | 466 | If this option is set to |
461 | .Dq no | 467 | .Dq no |