-rw-r--r--  sshd.8        | 108
-rw-r--r--  sshd_config   |  17
-rw-r--r--  sshd_config.5 |  72
3 files changed, 29 insertions, 168 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.285 2016/08/15 12:32:04 naddy Exp $ |
37 | .Dd $Mdocdate: February 17 2016 $ | 37 | .Dd $Mdocdate: August 15 2016 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -44,14 +44,12 @@ | |||
44 | .Nm sshd | 44 | .Nm sshd |
45 | .Bk -words | 45 | .Bk -words |
46 | .Op Fl 46DdeiqTt | 46 | .Op Fl 46DdeiqTt |
47 | .Op Fl b Ar bits | ||
48 | .Op Fl C Ar connection_spec | 47 | .Op Fl C Ar connection_spec |
49 | .Op Fl c Ar host_certificate_file | 48 | .Op Fl c Ar host_certificate_file |
50 | .Op Fl E Ar log_file | 49 | .Op Fl E Ar log_file |
51 | .Op Fl f Ar config_file | 50 | .Op Fl f Ar config_file |
52 | .Op Fl g Ar login_grace_time | 51 | .Op Fl g Ar login_grace_time |
53 | .Op Fl h Ar host_key_file | 52 | .Op Fl h Ar host_key_file |
54 | .Op Fl k Ar key_gen_time | ||
55 | .Op Fl o Ar option | 53 | .Op Fl o Ar option |
56 | .Op Fl p Ar port | 54 | .Op Fl p Ar port |
57 | .Op Fl u Ar len | 55 | .Op Fl u Ar len |
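Review bot: with -b and -k dropped from the synopsis here, the option string sshd hands to getopt should lose "b:" and "k:" in the same change (or turn them into an explicit "option is deprecated" warning); a manual page that no longer lists an option the binary still silently accepts is exactly the kind of doc/code drift this cleanup is meant to remove.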
@@ -96,9 +94,6 @@ to use IPv4 addresses only. | |||
96 | Forces | 94 | Forces |
97 | .Nm | 95 | .Nm |
98 | to use IPv6 addresses only. | 96 | to use IPv6 addresses only. |
99 | .It Fl b Ar bits | ||
100 | Specifies the number of bits in the ephemeral protocol version 1 | ||
101 | server key (default 1024). | ||
102 | .It Fl C Ar connection_spec | 97 | .It Fl C Ar connection_spec |
103 | Specify the connection parameters to use for the | 98 | Specify the connection parameters to use for the |
104 | .Fl T | 99 | .Fl T |
@@ -169,36 +164,18 @@ This option must be given if | |||
169 | is not run as root (as the normal | 164 | is not run as root (as the normal |
170 | host key files are normally not readable by anyone but root). | 165 | host key files are normally not readable by anyone but root). |
171 | The default is | 166 | The default is |
172 | .Pa /etc/ssh/ssh_host_key | ||
173 | for protocol version 1, and | ||
174 | .Pa /etc/ssh/ssh_host_dsa_key , | 167 | .Pa /etc/ssh/ssh_host_dsa_key , |
175 | .Pa /etc/ssh/ssh_host_ecdsa_key . | 168 | .Pa /etc/ssh/ssh_host_ecdsa_key , |
176 | .Pa /etc/ssh/ssh_host_ed25519_key | 169 | .Pa /etc/ssh/ssh_host_ed25519_key |
177 | and | 170 | and |
178 | .Pa /etc/ssh/ssh_host_rsa_key | 171 | .Pa /etc/ssh/ssh_host_rsa_key . |
179 | for protocol version 2. | ||
180 | It is possible to have multiple host key files for | 172 | It is possible to have multiple host key files for |
181 | the different protocol versions and host key algorithms. | 173 | the different host key algorithms. |
182 | .It Fl i | 174 | .It Fl i |
183 | Specifies that | 175 | Specifies that |
184 | .Nm | 176 | .Nm |
185 | is being run from | 177 | is being run from |
186 | .Xr inetd 8 . | 178 | .Xr inetd 8 . |
187 | If SSH protocol 1 is enabled, | ||
188 | .Nm | ||
189 | should not normally be run | ||
190 | from inetd because it needs to generate the server key before it can | ||
191 | respond to the client, and this may take some time. | ||
192 | Clients may have to wait too long if the key was regenerated every time. | ||
193 | .It Fl k Ar key_gen_time | ||
194 | Specifies how often the ephemeral protocol version 1 server key is | ||
195 | regenerated (default 3600 seconds, or one hour). | ||
196 | The motivation for regenerating the key fairly | ||
197 | often is that the key is not stored anywhere, and after about an hour | ||
198 | it becomes impossible to recover the key for decrypting intercepted | ||
199 | communications even if the machine is cracked into or physically | ||
200 | seized. | ||
201 | A value of zero indicates that the key will never be regenerated. | ||
202 | .It Fl o Ar option | 179 | .It Fl o Ar option |
203 | Can be used to give options in the format used in the configuration file. | 180 | Can be used to give options in the format used in the configuration file. |
204 | This is useful for specifying options for which there is no separate | 181 | This is useful for specifying options for which there is no separate |
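Review bot: "The default is" (line 166 of the new text) now introduces a list of four files, which reads oddly; the HostKey entry in sshd_config.5 in this same change switches to "The defaults are", so the -h description here should use the same wording for consistency between the two pages.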
@@ -257,8 +234,7 @@ may also be used to prevent | |||
257 | from making DNS requests unless the authentication | 234 | from making DNS requests unless the authentication |
258 | mechanism or configuration requires it. | 235 | mechanism or configuration requires it. |
259 | Authentication mechanisms that may require DNS include | 236 | Authentication mechanisms that may require DNS include |
260 | .Cm RhostsRSAAuthentication , | 237 | .Cm HostbasedAuthentication |
261 | .Cm HostbasedAuthentication , | ||
262 | and using a | 238 | and using a |
263 | .Cm from="pattern-list" | 239 | .Cm from="pattern-list" |
264 | option in a key file. | 240 | option in a key file. |
@@ -269,42 +245,14 @@ or | |||
269 | .Cm DenyUsers . | 245 | .Cm DenyUsers . |
270 | .El | 246 | .El |
271 | .Sh AUTHENTICATION | 247 | .Sh AUTHENTICATION |
272 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. | 248 | The OpenSSH SSH daemon supports SSH protocol 2 only. |
273 | The default is to use protocol 2 only, | ||
274 | though this can be changed via the | ||
275 | .Cm Protocol | ||
276 | option in | ||
277 | .Xr sshd_config 5 . | ||
278 | Protocol 1 should not be used | ||
279 | and is only offered to support legacy devices. | ||
280 | .Pp | ||
281 | Each host has a host-specific key, | 249 | Each host has a host-specific key, |
282 | used to identify the host. | 250 | used to identify the host. |
283 | Partial forward security for protocol 1 is provided through | ||
284 | an additional server key, | ||
285 | normally 1024 bits, | ||
286 | generated when the server starts. | ||
287 | This key is normally regenerated every hour if it has been used, and | ||
288 | is never stored on disk. | ||
289 | Whenever a client connects, the daemon responds with its public | 251 | Whenever a client connects, the daemon responds with its public |
290 | host and server keys. | 252 | host key. |
291 | The client compares the | 253 | The client compares the |
292 | RSA host key against its own database to verify that it has not changed. | 254 | host key against its own database to verify that it has not changed. |
293 | The client then generates a 256-bit random number. | 255 | Forward security is provided through a Diffie-Hellman key agreement. |
294 | It encrypts this | ||
295 | random number using both the host key and the server key, and sends | ||
296 | the encrypted number to the server. | ||
297 | Both sides then use this | ||
298 | random number as a session key which is used to encrypt all further | ||
299 | communications in the session. | ||
300 | The rest of the session is encrypted | ||
301 | using a conventional cipher, currently Blowfish or 3DES, with 3DES | ||
302 | being used by default. | ||
303 | The client selects the encryption algorithm | ||
304 | to use from those offered by the server. | ||
305 | .Pp | ||
306 | For protocol 2, | ||
307 | forward security is provided through a Diffie-Hellman key agreement. | ||
308 | This key agreement results in a shared session key. | 256 | This key agreement results in a shared session key. |
309 | The rest of the session is encrypted using a symmetric cipher, currently | 257 | The rest of the session is encrypted using a symmetric cipher, currently |
310 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. | 258 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. |
@@ -477,32 +425,25 @@ key (empty lines and lines starting with a | |||
477 | .Ql # | 425 | .Ql # |
478 | are ignored as | 426 | are ignored as |
479 | comments). | 427 | comments). |
480 | Protocol 1 public keys consist of the following space-separated fields: | 428 | Public keys consist of the following space-separated fields: |
481 | options, bits, exponent, modulus, comment. | ||
482 | Protocol 2 public key consist of: | ||
483 | options, keytype, base64-encoded key, comment. | 429 | options, keytype, base64-encoded key, comment. |
484 | The options field is optional; | 430 | The options field is optional. |
485 | its presence is determined by whether the line starts | 431 | The keytype is |
486 | with a number or not (the options field never starts with a number). | ||
487 | The bits, exponent, modulus, and comment fields give the RSA key for | ||
488 | protocol version 1; the | ||
489 | comment field is not used for anything (but may be convenient for the | ||
490 | user to identify the key). | ||
491 | For protocol version 2 the keytype is | ||
492 | .Dq ecdsa-sha2-nistp256 , | 432 | .Dq ecdsa-sha2-nistp256 , |
493 | .Dq ecdsa-sha2-nistp384 , | 433 | .Dq ecdsa-sha2-nistp384 , |
494 | .Dq ecdsa-sha2-nistp521 , | 434 | .Dq ecdsa-sha2-nistp521 , |
495 | .Dq ssh-ed25519 , | 435 | .Dq ssh-ed25519 , |
496 | .Dq ssh-dss | 436 | .Dq ssh-dss |
497 | or | 437 | or |
498 | .Dq ssh-rsa . | 438 | .Dq ssh-rsa ; |
439 | the comment field is not used for anything (but may be convenient for the | ||
440 | user to identify the key). | ||
499 | .Pp | 441 | .Pp |
500 | Note that lines in this file are usually several hundred bytes long | 442 | Note that lines in this file can be several hundred bytes long |
501 | (because of the size of the public key encoding) up to a limit of | 443 | (because of the size of the public key encoding) up to a limit of |
502 | 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA | 444 | 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA |
503 | keys up to 16 kilobits. | 445 | keys up to 16 kilobits. |
504 | You don't want to type them in; instead, copy the | 446 | You don't want to type them in; instead, copy the |
505 | .Pa identity.pub , | ||
506 | .Pa id_dsa.pub , | 447 | .Pa id_dsa.pub , |
507 | .Pa id_ecdsa.pub , | 448 | .Pa id_ecdsa.pub , |
508 | .Pa id_ed25519.pub , | 449 | .Pa id_ed25519.pub , |
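Review bot: the removed lines explained how an options field is told apart from the key ("whether the line starts with a number or not"); the replacement, "The options field is optional.", leaves no hint of how the two cases are now distinguished. Suggest one sentence stating the rule that applies to protocol 2 lines, for example that a line whose first field is not a recognised key type is taken to begin with options.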
@@ -511,8 +452,7 @@ or the | |||
511 | file and edit it. | 452 | file and edit it. |
512 | .Pp | 453 | .Pp |
513 | .Nm | 454 | .Nm |
514 | enforces a minimum RSA key modulus size for protocol 1 | 455 | enforces a minimum RSA key modulus size of 768 bits. |
515 | and protocol 2 keys of 768 bits. | ||
516 | .Pp | 456 | .Pp |
517 | The options (if present) consist of comma-separated option | 457 | The options (if present) consist of comma-separated option |
518 | specifications. | 458 | specifications. |
@@ -690,7 +630,7 @@ maintained automatically: whenever the user connects from an unknown host, | |||
690 | its key is added to the per-user file. | 630 | its key is added to the per-user file. |
691 | .Pp | 631 | .Pp |
692 | Each line in these files contains the following fields: markers (optional), | 632 | Each line in these files contains the following fields: markers (optional), |
693 | hostnames, bits, exponent, modulus, comment. | 633 | hostnames, keytype, base64-encoded key, comment. |
694 | The fields are separated by spaces. | 634 | The fields are separated by spaces. |
695 | .Pp | 635 | .Pp |
696 | The marker is optional, but if it is present then it must be one of | 636 | The marker is optional, but if it is present then it must be one of |
@@ -731,9 +671,9 @@ character. | |||
731 | Only one hashed hostname may appear on a single line and none of the above | 671 | Only one hashed hostname may appear on a single line and none of the above |
732 | negation or wildcard operators may be applied. | 672 | negation or wildcard operators may be applied. |
733 | .Pp | 673 | .Pp |
734 | Bits, exponent, and modulus are taken directly from the RSA host key; they | 674 | The keytype and base64-encoded key are taken directly from the host key; they |
735 | can be obtained, for example, from | 675 | can be obtained, for example, from |
736 | .Pa /etc/ssh/ssh_host_key.pub . | 676 | .Pa /etc/ssh/ssh_host_rsa_key.pub . |
737 | The optional comment field continues to the end of the line, and is not used. | 677 | The optional comment field continues to the end of the line, and is not used. |
738 | .Pp | 678 | .Pp |
739 | Lines starting with | 679 | Lines starting with |
@@ -772,8 +712,8 @@ Note that the lines in these files are typically hundreds of characters | |||
772 | long, and you definitely don't want to type in the host keys by hand. | 712 | long, and you definitely don't want to type in the host keys by hand. |
773 | Rather, generate them by a script, | 713 | Rather, generate them by a script, |
774 | .Xr ssh-keyscan 1 | 714 | .Xr ssh-keyscan 1 |
775 | or by taking | 715 | or by taking, for example, |
776 | .Pa /etc/ssh/ssh_host_key.pub | 716 | .Pa /etc/ssh/ssh_host_rsa_key.pub |
777 | and adding the host names at the front. | 717 | and adding the host names at the front. |
778 | .Xr ssh-keygen 1 | 718 | .Xr ssh-keygen 1 |
779 | also offers some basic automated editing for | 719 | also offers some basic automated editing for |
@@ -912,7 +852,6 @@ This file is used in exactly the same way as | |||
912 | but allows host-based authentication without permitting login with | 852 | but allows host-based authentication without permitting login with |
913 | rlogin/rsh. | 853 | rlogin/rsh. |
914 | .Pp | 854 | .Pp |
915 | .It Pa /etc/ssh/ssh_host_key | ||
916 | .It Pa /etc/ssh/ssh_host_dsa_key | 855 | .It Pa /etc/ssh/ssh_host_dsa_key |
917 | .It Pa /etc/ssh/ssh_host_ecdsa_key | 856 | .It Pa /etc/ssh/ssh_host_ecdsa_key |
918 | .It Pa /etc/ssh/ssh_host_ed25519_key | 857 | .It Pa /etc/ssh/ssh_host_ed25519_key |
@@ -924,7 +863,6 @@ Note that | |||
924 | .Nm | 863 | .Nm |
925 | does not start if these files are group/world-accessible. | 864 | does not start if these files are group/world-accessible. |
926 | .Pp | 865 | .Pp |
927 | .It Pa /etc/ssh/ssh_host_key.pub | ||
928 | .It Pa /etc/ssh/ssh_host_dsa_key.pub | 866 | .It Pa /etc/ssh/ssh_host_dsa_key.pub |
929 | .It Pa /etc/ssh/ssh_host_ecdsa_key.pub | 867 | .It Pa /etc/ssh/ssh_host_ecdsa_key.pub |
930 | .It Pa /etc/ssh/ssh_host_ed25519_key.pub | 868 | .It Pa /etc/ssh/ssh_host_ed25519_key.pub |
diff --git a/sshd_config b/sshd_config index 75ae8e739..9f09e4a6e 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $ | 1 | # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ |
2 | 2 | ||
3 | # This is the sshd server system-wide configuration file. See | 3 | # This is the sshd server system-wide configuration file. See |
4 | # sshd_config(5) for more information. | 4 | # sshd_config(5) for more information. |
@@ -15,21 +15,11 @@ | |||
15 | #ListenAddress 0.0.0.0 | 15 | #ListenAddress 0.0.0.0 |
16 | #ListenAddress :: | 16 | #ListenAddress :: |
17 | 17 | ||
18 | # The default requires explicit activation of protocol 1 | ||
19 | #Protocol 2 | ||
20 | |||
21 | # HostKey for protocol version 1 | ||
22 | #HostKey /etc/ssh/ssh_host_key | ||
23 | # HostKeys for protocol version 2 | ||
24 | #HostKey /etc/ssh/ssh_host_rsa_key | 18 | #HostKey /etc/ssh/ssh_host_rsa_key |
25 | #HostKey /etc/ssh/ssh_host_dsa_key | 19 | #HostKey /etc/ssh/ssh_host_dsa_key |
26 | #HostKey /etc/ssh/ssh_host_ecdsa_key | 20 | #HostKey /etc/ssh/ssh_host_ecdsa_key |
27 | #HostKey /etc/ssh/ssh_host_ed25519_key | 21 | #HostKey /etc/ssh/ssh_host_ed25519_key |
28 | 22 | ||
29 | # Lifetime and size of ephemeral version 1 server key | ||
30 | #KeyRegenerationInterval 1h | ||
31 | #ServerKeyBits 1024 | ||
32 | |||
33 | # Ciphers and keying | 23 | # Ciphers and keying |
34 | #RekeyLimit default none | 24 | #RekeyLimit default none |
35 | 25 | ||
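Review bot: removing Protocol, KeyRegenerationInterval and ServerKeyBits from the sample file is fine for fresh installs, but existing sshd_config files on upgraded systems still carry these lines; servconf.c needs to keep accepting them as deprecated no-ops (ideally with a logged warning), otherwise sshd refuses to start on the first reboot after the upgrade. Worth confirming in the same change, and the same applies to RSAAuthentication removed in the next hunk.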
@@ -45,7 +35,6 @@ | |||
45 | #MaxAuthTries 6 | 35 | #MaxAuthTries 6 |
46 | #MaxSessions 10 | 36 | #MaxSessions 10 |
47 | 37 | ||
48 | #RSAAuthentication yes | ||
49 | #PubkeyAuthentication yes | 38 | #PubkeyAuthentication yes |
50 | 39 | ||
51 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | 40 | # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
@@ -58,11 +47,9 @@ AuthorizedKeysFile .ssh/authorized_keys | |||
58 | #AuthorizedKeysCommandUser nobody | 47 | #AuthorizedKeysCommandUser nobody |
59 | 48 | ||
60 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | 49 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
61 | #RhostsRSAAuthentication no | ||
62 | # similar for protocol version 2 | ||
63 | #HostbasedAuthentication no | 50 | #HostbasedAuthentication no |
64 | # Change to yes if you don't trust ~/.ssh/known_hosts for | 51 | # Change to yes if you don't trust ~/.ssh/known_hosts for |
65 | # RhostsRSAAuthentication and HostbasedAuthentication | 52 | # HostbasedAuthentication |
66 | #IgnoreUserKnownHosts no | 53 | #IgnoreUserKnownHosts no |
67 | # Don't read the user's ~/.rhosts and ~/.shosts files | 54 | # Don't read the user's ~/.rhosts and ~/.shosts files |
68 | #IgnoreRhosts yes | 55 | #IgnoreRhosts yes |
diff --git a/sshd_config.5 b/sshd_config.5 index b70c31307..d1a5d1d33 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.228 2016/08/12 19:19:04 jca Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.229 2016/08/15 12:32:04 naddy Exp $ |
37 | .Dd $Mdocdate: August 12 2016 $ | 37 | .Dd $Mdocdate: August 15 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -230,8 +230,6 @@ of | |||
230 | .Dq publickey,publickey | 230 | .Dq publickey,publickey |
231 | will require successful authentication using two different public keys. | 231 | will require successful authentication using two different public keys. |
232 | .Pp | 232 | .Pp |
233 | This option will yield a fatal | ||
234 | error if enabled if protocol 1 is also enabled. | ||
235 | Note that each authentication method listed should also be explicitly enabled | 233 | Note that each authentication method listed should also be explicitly enabled |
236 | in the configuration. | 234 | in the configuration. |
237 | The default | 235 | The default |
@@ -709,15 +707,12 @@ is not to load any certificates. | |||
709 | .It Cm HostKey | 707 | .It Cm HostKey |
710 | Specifies a file containing a private host key | 708 | Specifies a file containing a private host key |
711 | used by SSH. | 709 | used by SSH. |
712 | The default is | 710 | The defaults are |
713 | .Pa /etc/ssh/ssh_host_key | ||
714 | for protocol version 1, and | ||
715 | .Pa /etc/ssh/ssh_host_dsa_key , | 711 | .Pa /etc/ssh/ssh_host_dsa_key , |
716 | .Pa /etc/ssh/ssh_host_ecdsa_key , | 712 | .Pa /etc/ssh/ssh_host_ecdsa_key , |
717 | .Pa /etc/ssh/ssh_host_ed25519_key | 713 | .Pa /etc/ssh/ssh_host_ed25519_key |
718 | and | 714 | and |
719 | .Pa /etc/ssh/ssh_host_rsa_key | 715 | .Pa /etc/ssh/ssh_host_rsa_key . |
720 | for protocol version 2. | ||
721 | .Pp | 716 | .Pp |
722 | Note that | 717 | Note that |
723 | .Xr sshd 8 | 718 | .Xr sshd 8 |
@@ -728,14 +723,6 @@ option restricts which of the keys are actually used by | |||
728 | .Xr sshd 8 . | 723 | .Xr sshd 8 . |
729 | .Pp | 724 | .Pp |
730 | It is possible to have multiple host key files. | 725 | It is possible to have multiple host key files. |
731 | .Dq rsa1 | ||
732 | keys are used for version 1 and | ||
733 | .Dq dsa , | ||
734 | .Dq ecdsa , | ||
735 | .Dq ed25519 | ||
736 | or | ||
737 | .Dq rsa | ||
738 | are used for version 2 of the SSH protocol. | ||
739 | It is also possible to specify public host key files instead. | 726 | It is also possible to specify public host key files instead. |
740 | In this case operations on the private key will be delegated | 727 | In this case operations on the private key will be delegated |
741 | to an | 728 | to an |
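Review bot: after deleting the rsa1/dsa/ecdsa/ed25519/rsa enumeration, "It is possible to have multiple host key files." stands alone as a one-sentence paragraph that explains nothing beyond what the HostKey entry already says. Suggest folding it into the preceding "Note that sshd ... HostKeyAlgorithms" paragraph, or dropping it, so the entry reads as one continuous description.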
@@ -774,8 +761,6 @@ Specifies that | |||
774 | and | 761 | and |
775 | .Pa .shosts | 762 | .Pa .shosts |
776 | files will not be used in | 763 | files will not be used in |
777 | .Cm RhostsRSAAuthentication | ||
778 | or | ||
779 | .Cm HostbasedAuthentication . | 764 | .Cm HostbasedAuthentication . |
780 | .Pp | 765 | .Pp |
781 | .Pa /etc/hosts.equiv | 766 | .Pa /etc/hosts.equiv |
@@ -790,8 +775,6 @@ Specifies whether | |||
790 | should ignore the user's | 775 | should ignore the user's |
791 | .Pa ~/.ssh/known_hosts | 776 | .Pa ~/.ssh/known_hosts |
792 | during | 777 | during |
793 | .Cm RhostsRSAAuthentication | ||
794 | or | ||
795 | .Cm HostbasedAuthentication . | 778 | .Cm HostbasedAuthentication . |
796 | The default is | 779 | The default is |
797 | .Dq no . | 780 | .Dq no . |
@@ -910,15 +893,6 @@ option of | |||
910 | .Xr ssh 1 | 893 | .Xr ssh 1 |
911 | with an argument of | 894 | with an argument of |
912 | .Dq kex . | 895 | .Dq kex . |
913 | .It Cm KeyRegenerationInterval | ||
914 | In protocol version 1, the ephemeral server key is automatically regenerated | ||
915 | after this many seconds (if it has been used). | ||
916 | The purpose of regeneration is to prevent | ||
917 | decrypting captured sessions by later breaking into the machine and | ||
918 | stealing the keys. | ||
919 | The key is never stored anywhere. | ||
920 | If the value is 0, the key is never regenerated. | ||
921 | The default is 3600 (seconds). | ||
922 | .It Cm ListenAddress | 896 | .It Cm ListenAddress |
923 | Specifies the local addresses | 897 | Specifies the local addresses |
924 | .Xr sshd 8 | 898 | .Xr sshd 8 |
@@ -1127,8 +1101,6 @@ Available keywords are | |||
1127 | .Cm PubkeyAuthentication , | 1101 | .Cm PubkeyAuthentication , |
1128 | .Cm RekeyLimit , | 1102 | .Cm RekeyLimit , |
1129 | .Cm RevokedKeys , | 1103 | .Cm RevokedKeys , |
1130 | .Cm RhostsRSAAuthentication , | ||
1131 | .Cm RSAAuthentication , | ||
1132 | .Cm StreamLocalBindMask , | 1104 | .Cm StreamLocalBindMask , |
1133 | .Cm StreamLocalBindUnlink , | 1105 | .Cm StreamLocalBindUnlink , |
1134 | .Cm TrustedUserCAKeys , | 1106 | .Cm TrustedUserCAKeys , |
@@ -1333,28 +1305,6 @@ when a user logs in interactively. | |||
1333 | or equivalent.) | 1305 | or equivalent.) |
1334 | The default is | 1306 | The default is |
1335 | .Dq yes . | 1307 | .Dq yes . |
1336 | .It Cm Protocol | ||
1337 | Specifies the protocol versions | ||
1338 | .Xr sshd 8 | ||
1339 | supports. | ||
1340 | The possible values are | ||
1341 | .Sq 1 | ||
1342 | and | ||
1343 | .Sq 2 . | ||
1344 | Multiple versions must be comma-separated. | ||
1345 | The default is | ||
1346 | .Sq 2 . | ||
1347 | Protocol 1 suffers from a number of cryptographic weaknesses and should | ||
1348 | not be used. | ||
1349 | It is only offered to support legacy devices. | ||
1350 | .Pp | ||
1351 | Note that the order of the protocol list does not indicate preference, | ||
1352 | because the client selects among multiple protocol versions offered | ||
1353 | by the server. | ||
1354 | Specifying | ||
1355 | .Dq 2,1 | ||
1356 | is identical to | ||
1357 | .Dq 1,2 . | ||
1358 | .It Cm PubkeyAcceptedKeyTypes | 1308 | .It Cm PubkeyAcceptedKeyTypes |
1359 | Specifies the key types that will be accepted for public key authentication | 1309 | Specifies the key types that will be accepted for public key authentication |
1360 | as a comma-separated pattern list. | 1310 | as a comma-separated pattern list. |
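Review bot: dropping the Protocol entry outright leaves sshd_config.5 with no mention of a keyword that appears in a large share of deployed configuration files. Suggest a short note (here or in a general remark near the top of the page) that Protocol is accepted and ignored for compatibility, so an administrator who finds the line in an existing file can tell it is harmless rather than assume the manual is incomplete.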
@@ -1419,20 +1369,6 @@ an OpenSSH Key Revocation List (KRL) as generated by | |||
1419 | .Xr ssh-keygen 1 . | 1369 | .Xr ssh-keygen 1 . |
1420 | For more information on KRLs, see the KEY REVOCATION LISTS section in | 1370 | For more information on KRLs, see the KEY REVOCATION LISTS section in |
1421 | .Xr ssh-keygen 1 . | 1371 | .Xr ssh-keygen 1 . |
1422 | .It Cm RhostsRSAAuthentication | ||
1423 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
1424 | with successful RSA host authentication is allowed. | ||
1425 | The default is | ||
1426 | .Dq no . | ||
1427 | This option applies to protocol version 1 only. | ||
1428 | .It Cm RSAAuthentication | ||
1429 | Specifies whether pure RSA authentication is allowed. | ||
1430 | The default is | ||
1431 | .Dq yes . | ||
1432 | This option applies to protocol version 1 only. | ||
1433 | .It Cm ServerKeyBits | ||
1434 | Defines the number of bits in the ephemeral protocol version 1 server key. | ||
1435 | The default and minimum value is 1024. | ||
1436 | .It Cm StreamLocalBindMask | 1372 | .It Cm StreamLocalBindMask |
1437 | Sets the octal file creation mode mask | 1373 | Sets the octal file creation mode mask |
1438 | .Pq umask | 1374 | .Pq umask |