-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | scp.1 | 4 | ||||
-rw-r--r-- | sftp.1 | 26 | ||||
-rw-r--r-- | ssh-add.1 | 9 | ||||
-rw-r--r-- | ssh-agent.1 | 7 | ||||
-rw-r--r-- | ssh-keygen.1 | 4 | ||||
-rw-r--r-- | ssh-keyscan.1 | 20 | ||||
-rw-r--r-- | ssh-keysign.8 | 6 | ||||
-rw-r--r-- | ssh.1 | 34 | ||||
-rw-r--r-- | ssh_config.5 | 48 | ||||
-rw-r--r-- | sshd_config.5 | 30 |
11 files changed, 122 insertions, 79 deletions
@@ -1,3 +1,14 @@ | |||
1 | 20030401 | ||
2 | - (djm) OpenBSD CVS Sync | ||
3 | - jmc@cvs.openbsd.org 2003/03/28 10:11:43 | ||
4 | [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] | ||
5 | [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] | ||
6 | - killed whitespace | ||
7 | - new sentence new line | ||
8 | - .Bk for arguments | ||
9 | ok markus@ | ||
10 | |||
11 | |||
1 | 20030326 | 12 | 20030326 |
2 | - (djm) OpenBSD CVS Sync | 13 | - (djm) OpenBSD CVS Sync |
3 | - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 | 14 | - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 |
@@ -1259,4 +1270,4 @@ | |||
1259 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1270 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1260 | ok provos@ | 1271 | ok provos@ |
1261 | 1272 | ||
1262 | $Id: ChangeLog,v 1.2642 2003/03/26 05:01:11 djm Exp $ | 1273 | $Id: ChangeLog,v 1.2643 2003/04/01 11:42:14 djm Exp $ |
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sun May 7 00:14:37 1995 ylo | 10 | .\" Created: Sun May 7 00:14:37 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $OpenBSD: scp.1,v 1.26 2003/01/28 17:24:51 stevesk Exp $ | 12 | .\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SCP 1 | 15 | .Dt SCP 1 |
@@ -19,6 +19,7 @@ | |||
19 | .Nd secure copy (remote file copy program) | 19 | .Nd secure copy (remote file copy program) |
20 | .Sh SYNOPSIS | 20 | .Sh SYNOPSIS |
21 | .Nm scp | 21 | .Nm scp |
22 | .Bk -words | ||
22 | .Op Fl pqrvBC1246 | 23 | .Op Fl pqrvBC1246 |
23 | .Op Fl F Ar ssh_config | 24 | .Op Fl F Ar ssh_config |
24 | .Op Fl S Ar program | 25 | .Op Fl S Ar program |
@@ -40,6 +41,7 @@ | |||
40 | .Ar host2 No : | 41 | .Ar host2 No : |
41 | .Oc Ar file2 | 42 | .Oc Ar file2 |
42 | .Sm on | 43 | .Sm on |
44 | .Ek | ||
43 | .Sh DESCRIPTION | 45 | .Sh DESCRIPTION |
44 | .Nm | 46 | .Nm |
45 | copies files between hosts on a network. | 47 | copies files between hosts on a network. |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: sftp.1,v 1.40 2003/01/10 08:19:07 fgsch Exp $ | 1 | .\" $OpenBSD: sftp.1,v 1.41 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2001 Damien Miller. All rights reserved. | 3 | .\" Copyright (c) 2001 Damien Miller. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -30,6 +30,7 @@ | |||
30 | .Nd Secure file transfer program | 30 | .Nd Secure file transfer program |
31 | .Sh SYNOPSIS | 31 | .Sh SYNOPSIS |
32 | .Nm sftp | 32 | .Nm sftp |
33 | .Bk -words | ||
33 | .Op Fl vC1 | 34 | .Op Fl vC1 |
34 | .Op Fl b Ar batchfile | 35 | .Op Fl b Ar batchfile |
35 | .Op Fl o Ar ssh_option | 36 | .Op Fl o Ar ssh_option |
@@ -40,10 +41,15 @@ | |||
40 | .Op Fl R Ar num_requests | 41 | .Op Fl R Ar num_requests |
41 | .Op Fl S Ar program | 42 | .Op Fl S Ar program |
42 | .Ar host | 43 | .Ar host |
44 | .Ek | ||
43 | .Nm sftp | 45 | .Nm sftp |
44 | .Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]] | 46 | .Oo Oo Ar user Ns No @ Oc Ns |
47 | .Ar host Ns Oo : Ns Ar file Oo | ||
48 | .Ar file Oc Oc Oc | ||
45 | .Nm sftp | 49 | .Nm sftp |
46 | .Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]] | 50 | .Oo Oo Ar user Ns No @ Oc Ns |
51 | .Ar host Ns Oo : Ns Ar dir Ns | ||
52 | .Oo Ar / Oc Oc Oc | ||
47 | .Sh DESCRIPTION | 53 | .Sh DESCRIPTION |
48 | .Nm | 54 | .Nm |
49 | is an interactive file transfer program, similar to | 55 | is an interactive file transfer program, similar to |
@@ -77,13 +83,13 @@ non-interactive authentication. | |||
77 | will abort if any of the following | 83 | will abort if any of the following |
78 | commands fail: | 84 | commands fail: |
79 | .Ic get , put , rename , ln , | 85 | .Ic get , put , rename , ln , |
80 | .Ic rm , mkdir , chdir , ls , | 86 | .Ic rm , mkdir , chdir , ls , |
81 | .Ic lchdir , chmod , chown , chgrp , lpwd | 87 | .Ic lchdir , chmod , chown , chgrp , lpwd |
82 | and | 88 | and |
83 | .Ic lmkdir . | 89 | .Ic lmkdir . |
84 | Termination on error can be suppressed on a command by command basis by | 90 | Termination on error can be suppressed on a command by command basis by |
85 | prefixing the command with a | 91 | prefixing the command with a |
86 | .Ic '-' | 92 | .Ic '-' |
87 | character (For example, | 93 | character (For example, |
88 | .Ic -rm /tmp/blah* | 94 | .Ic -rm /tmp/blah* |
89 | ). | 95 | ). |
@@ -95,19 +101,19 @@ in the format used in | |||
95 | This is useful for specifying options | 101 | This is useful for specifying options |
96 | for which there is no separate | 102 | for which there is no separate |
97 | .Nm sftp | 103 | .Nm sftp |
98 | command-line flag. For example, to specify an alternate | 104 | command-line flag. For example, to specify an alternate |
99 | port use: | 105 | port use: |
100 | .Ic sftp -oPort=24 . | 106 | .Ic sftp -oPort=24 . |
101 | .It Fl s Ar subsystem | sftp_server | 107 | .It Fl s Ar subsystem | sftp_server |
102 | Specifies the SSH2 subsystem or the path for an sftp server | 108 | Specifies the SSH2 subsystem or the path for an sftp server |
103 | on the remote host. A path is useful for using sftp over | 109 | on the remote host. A path is useful for using sftp over |
104 | protocol version 1, or when the remote | 110 | protocol version 1, or when the remote |
105 | .Nm sshd | 111 | .Nm sshd |
106 | does not have an sftp subsystem configured. | 112 | does not have an sftp subsystem configured. |
107 | .It Fl v | 113 | .It Fl v |
108 | Raise logging level. This option is also passed to ssh. | 114 | Raise logging level. This option is also passed to ssh. |
109 | .It Fl B Ar buffer_size | 115 | .It Fl B Ar buffer_size |
110 | Specify the size of the buffer that | 116 | Specify the size of the buffer that |
111 | .Nm | 117 | .Nm |
112 | uses when transferring files. Larger buffers require fewer round trips at | 118 | uses when transferring files. Larger buffers require fewer round trips at |
113 | the cost of higher memory consumption. The default is 32768 bytes. | 119 | the cost of higher memory consumption. The default is 32768 bytes. |
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-add.1,v 1.37 2003/02/10 11:51:47 markus Exp $ | 1 | .\" $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -95,10 +95,11 @@ specified in | |||
95 | .Xr sshd_config 5 . | 95 | .Xr sshd_config 5 . |
96 | .It Fl c | 96 | .It Fl c |
97 | Indicates that added identities should be subject to confirmation before | 97 | Indicates that added identities should be subject to confirmation before |
98 | being used for authentication. Confirmation is performed by the | 98 | being used for authentication. |
99 | Confirmation is performed by the | ||
99 | .Ev SSH_ASKPASS | 100 | .Ev SSH_ASKPASS |
100 | program mentioned below. Successful confirmation is signaled by a zero | 101 | program mentioned below. |
101 | exit status from the | 102 | Successful confirmation is signaled by a zero exit status from the |
102 | .Ev SSH_ASKPASS | 103 | .Ev SSH_ASKPASS |
103 | program, rather than text entered into the requester. | 104 | program, rather than text entered into the requester. |
104 | .It Fl s Ar reader | 105 | .It Fl s Ar reader |
diff --git a/ssh-agent.1 b/ssh-agent.1 index 98f9dc80d..fde4608bb 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-agent.1,v 1.36 2003/01/21 18:14:36 marc Exp $ | 1 | .\" $OpenBSD: ssh-agent.1,v 1.37 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -88,7 +88,7 @@ Kill the current agent (given by the | |||
88 | .Ev SSH_AGENT_PID | 88 | .Ev SSH_AGENT_PID |
89 | environment variable). | 89 | environment variable). |
90 | .It Fl t Ar life | 90 | .It Fl t Ar life |
91 | Set a default value for the maximum lifetime of identities added to the agent. | 91 | Set a default value for the maximum lifetime of identities added to the agent. |
92 | The lifetime may be specified in seconds or in a time format specified in | 92 | The lifetime may be specified in seconds or in a time format specified in |
93 | .Xr sshd 8 . | 93 | .Xr sshd 8 . |
94 | A lifetime specified for an identity with | 94 | A lifetime specified for an identity with |
@@ -96,7 +96,8 @@ A lifetime specified for an identity with | |||
96 | overrides this value. | 96 | overrides this value. |
97 | Without this option the default maximum lifetime is forever. | 97 | Without this option the default maximum lifetime is forever. |
98 | .It Fl d | 98 | .It Fl d |
99 | Debug mode. When this option is specified | 99 | Debug mode. |
100 | When this option is specified | ||
100 | .Nm | 101 | .Nm |
101 | will not fork. | 102 | will not fork. |
102 | .El | 103 | .El |
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 78fdb496a..000e8ff2a 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.55 2002/11/26 02:35:30 stevesk Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -45,12 +45,14 @@ | |||
45 | .Nd authentication key generation, management and conversion | 45 | .Nd authentication key generation, management and conversion |
46 | .Sh SYNOPSIS | 46 | .Sh SYNOPSIS |
47 | .Nm ssh-keygen | 47 | .Nm ssh-keygen |
48 | .Bk -words | ||
48 | .Op Fl q | 49 | .Op Fl q |
49 | .Op Fl b Ar bits | 50 | .Op Fl b Ar bits |
50 | .Fl t Ar type | 51 | .Fl t Ar type |
51 | .Op Fl N Ar new_passphrase | 52 | .Op Fl N Ar new_passphrase |
52 | .Op Fl C Ar comment | 53 | .Op Fl C Ar comment |
53 | .Op Fl f Ar output_keyfile | 54 | .Op Fl f Ar output_keyfile |
55 | .Ek | ||
54 | .Nm ssh-keygen | 56 | .Nm ssh-keygen |
55 | .Fl p | 57 | .Fl p |
56 | .Op Fl P Ar old_passphrase | 58 | .Op Fl P Ar old_passphrase |
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1 index 2f33ddf20..f6596c481 100644 --- a/ssh-keyscan.1 +++ b/ssh-keyscan.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keyscan.1,v 1.14 2002/02/13 08:33:47 mpech Exp $ | 1 | .\" $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | 3 | .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
4 | .\" | 4 | .\" |
@@ -14,6 +14,7 @@ | |||
14 | .Nd gather ssh public keys | 14 | .Nd gather ssh public keys |
15 | .Sh SYNOPSIS | 15 | .Sh SYNOPSIS |
16 | .Nm ssh-keyscan | 16 | .Nm ssh-keyscan |
17 | .Bk -words | ||
17 | .Op Fl v46 | 18 | .Op Fl v46 |
18 | .Op Fl p Ar port | 19 | .Op Fl p Ar port |
19 | .Op Fl T Ar timeout | 20 | .Op Fl T Ar timeout |
@@ -21,10 +22,12 @@ | |||
21 | .Op Fl f Ar file | 22 | .Op Fl f Ar file |
22 | .Op Ar host | addrlist namelist | 23 | .Op Ar host | addrlist namelist |
23 | .Op Ar ... | 24 | .Op Ar ... |
25 | .Ek | ||
24 | .Sh DESCRIPTION | 26 | .Sh DESCRIPTION |
25 | .Nm | 27 | .Nm |
26 | is a utility for gathering the public ssh host keys of a number of | 28 | is a utility for gathering the public ssh host keys of a number of |
27 | hosts. It was designed to aid in building and verifying | 29 | hosts. |
30 | It was designed to aid in building and verifying | ||
28 | .Pa ssh_known_hosts | 31 | .Pa ssh_known_hosts |
29 | files. | 32 | files. |
30 | .Nm | 33 | .Nm |
@@ -33,9 +36,11 @@ scripts. | |||
33 | .Pp | 36 | .Pp |
34 | .Nm | 37 | .Nm |
35 | uses non-blocking socket I/O to contact as many hosts as possible in | 38 | uses non-blocking socket I/O to contact as many hosts as possible in |
36 | parallel, so it is very efficient. The keys from a domain of 1,000 | 39 | parallel, so it is very efficient. |
40 | The keys from a domain of 1,000 | ||
37 | hosts can be collected in tens of seconds, even when some of those | 41 | hosts can be collected in tens of seconds, even when some of those |
38 | hosts are down or do not run ssh. For scanning, one does not need | 42 | hosts are down or do not run ssh. |
43 | For scanning, one does not need | ||
39 | login access to the machines that are being scanned, nor does the | 44 | login access to the machines that are being scanned, nor does the |
40 | scanning process involve any encryption. | 45 | scanning process involve any encryption. |
41 | .Pp | 46 | .Pp |
@@ -44,12 +49,13 @@ The options are as follows: | |||
44 | .It Fl p Ar port | 49 | .It Fl p Ar port |
45 | Port to connect to on the remote host. | 50 | Port to connect to on the remote host. |
46 | .It Fl T Ar timeout | 51 | .It Fl T Ar timeout |
47 | Set the timeout for connection attempts. If | 52 | Set the timeout for connection attempts. |
53 | If | ||
48 | .Pa timeout | 54 | .Pa timeout |
49 | seconds have elapsed since a connection was initiated to a host or since the | 55 | seconds have elapsed since a connection was initiated to a host or since the |
50 | last time anything was read from that host, then the connection is | 56 | last time anything was read from that host, then the connection is |
51 | closed and the host in question considered unavailable. Default is 5 | 57 | closed and the host in question considered unavailable. |
52 | seconds. | 58 | Default is 5 seconds. |
53 | .It Fl t Ar type | 59 | .It Fl t Ar type |
54 | Specifies the type of the key to fetch from the scanned hosts. | 60 | Specifies the type of the key to fetch from the scanned hosts. |
55 | The possible values are | 61 | The possible values are |
diff --git a/ssh-keysign.8 b/ssh-keysign.8 index 99d373406..2e3f8ff3e 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keysign.8,v 1.5 2002/11/24 21:46:24 stevesk Exp $ | 1 | .\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Copyright (c) 2002 Markus Friedl. All rights reserved. | 3 | .\" Copyright (c) 2002 Markus Friedl. All rights reserved. |
4 | .\" | 4 | .\" |
@@ -62,8 +62,8 @@ Controls whether | |||
62 | is enabled. | 62 | is enabled. |
63 | .It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key | 63 | .It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
64 | These files contain the private parts of the host keys used to | 64 | These files contain the private parts of the host keys used to |
65 | generate the digital signature. They | 65 | generate the digital signature. |
66 | should be owned by root, readable only by root, and not | 66 | They should be owned by root, readable only by root, and not |
67 | accessible to others. | 67 | accessible to others. |
68 | Since they are readable only by root, | 68 | Since they are readable only by root, |
69 | .Nm | 69 | .Nm |
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -48,6 +48,7 @@ | |||
48 | .Op Ar command | 48 | .Op Ar command |
49 | .Pp | 49 | .Pp |
50 | .Nm ssh | 50 | .Nm ssh |
51 | .Bk -words | ||
51 | .Op Fl afgknqstvxACNTX1246 | 52 | .Op Fl afgknqstvxACNTX1246 |
52 | .Op Fl b Ar bind_address | 53 | .Op Fl b Ar bind_address |
53 | .Op Fl c Ar cipher_spec | 54 | .Op Fl c Ar cipher_spec |
@@ -66,6 +67,8 @@ | |||
66 | .Sm on | 67 | .Sm on |
67 | .Xc | 68 | .Xc |
68 | .Oc | 69 | .Oc |
70 | .Ek | ||
71 | .Bk -words | ||
69 | .Oo Fl R Xo | 72 | .Oo Fl R Xo |
70 | .Sm off | 73 | .Sm off |
71 | .Ar port : | 74 | .Ar port : |
@@ -77,6 +80,7 @@ | |||
77 | .Op Fl D Ar port | 80 | .Op Fl D Ar port |
78 | .Ar hostname | user@hostname | 81 | .Ar hostname | user@hostname |
79 | .Op Ar command | 82 | .Op Ar command |
83 | .Ek | ||
80 | .Sh DESCRIPTION | 84 | .Sh DESCRIPTION |
81 | .Nm | 85 | .Nm |
82 | (SSH client) is a program for logging into a remote machine and for | 86 | (SSH client) is a program for logging into a remote machine and for |
@@ -361,7 +365,7 @@ variable is set to | |||
361 | .Fl A | 365 | .Fl A |
362 | and | 366 | and |
363 | .Fl a | 367 | .Fl a |
364 | options described later) and | 368 | options described later) and |
365 | the user is using an authentication agent, the connection to the agent | 369 | the user is using an authentication agent, the connection to the agent |
366 | is automatically forwarded to the remote side. | 370 | is automatically forwarded to the remote side. |
367 | .Pp | 371 | .Pp |
@@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection. | |||
403 | Enables forwarding of the authentication agent connection. | 407 | Enables forwarding of the authentication agent connection. |
404 | This can also be specified on a per-host basis in a configuration file. | 408 | This can also be specified on a per-host basis in a configuration file. |
405 | .Pp | 409 | .Pp |
406 | Agent forwarding should be enabled with caution. Users with the | 410 | Agent forwarding should be enabled with caution. |
407 | ability to bypass file permissions on the remote host (for the agent's | 411 | Users with the ability to bypass file permissions on the remote host |
408 | Unix-domain socket) can access the local agent through the forwarded | 412 | (for the agent's Unix-domain socket) |
409 | connection. An attacker cannot obtain key material from the agent, | 413 | can access the local agent through the forwarded connection. |
414 | An attacker cannot obtain key material from the agent, | ||
410 | however they can perform operations on the keys that enable them to | 415 | however they can perform operations on the keys that enable them to |
411 | authenticate using the identities loaded into the agent. | 416 | authenticate using the identities loaded into the agent. |
412 | .It Fl b Ar bind_address | 417 | .It Fl b Ar bind_address |
@@ -428,8 +433,8 @@ is only supported in the | |||
428 | client for interoperability with legacy protocol 1 implementations | 433 | client for interoperability with legacy protocol 1 implementations |
429 | that do not support the | 434 | that do not support the |
430 | .Ar 3des | 435 | .Ar 3des |
431 | cipher. Its use is strongly discouraged due to cryptographic | 436 | cipher. |
432 | weaknesses. | 437 | Its use is strongly discouraged due to cryptographic weaknesses. |
433 | .It Fl c Ar cipher_spec | 438 | .It Fl c Ar cipher_spec |
434 | Additionally, for protocol version 2 a comma-separated list of ciphers can | 439 | Additionally, for protocol version 2 a comma-separated list of ciphers can |
435 | be specified in order of preference. | 440 | be specified in order of preference. |
@@ -566,11 +571,11 @@ Disables X11 forwarding. | |||
566 | Enables X11 forwarding. | 571 | Enables X11 forwarding. |
567 | This can also be specified on a per-host basis in a configuration file. | 572 | This can also be specified on a per-host basis in a configuration file. |
568 | .Pp | 573 | .Pp |
569 | X11 forwarding should be enabled with caution. Users with the ability | 574 | X11 forwarding should be enabled with caution. |
570 | to bypass file permissions on the remote host (for the user's X | 575 | Users with the ability to bypass file permissions on the remote host |
571 | authorization database) can access the local X11 display through the | 576 | (for the user's X authorization database) |
572 | forwarded connection. An attacker may then be able to perform | 577 | can access the local X11 display through the forwarded connection. |
573 | activities such as keystroke monitoring. | 578 | An attacker may then be able to perform activities such as keystroke monitoring. |
574 | .It Fl C | 579 | .It Fl C |
575 | Requests compression of all data (including stdin, stdout, stderr, and | 580 | Requests compression of all data (including stdin, stdout, stderr, and |
576 | data for forwarded X11 and TCP/IP connections). | 581 | data for forwarded X11 and TCP/IP connections). |
@@ -637,7 +642,8 @@ This works by allocating a socket to listen to | |||
637 | on the local side, and whenever a connection is made to this port, the | 642 | on the local side, and whenever a connection is made to this port, the |
638 | connection is forwarded over the secure channel, and the application | 643 | connection is forwarded over the secure channel, and the application |
639 | protocol is then used to determine where to connect to from the | 644 | protocol is then used to determine where to connect to from the |
640 | remote machine. Currently the SOCKS4 protocol is supported, and | 645 | remote machine. |
646 | Currently the SOCKS4 protocol is supported, and | ||
641 | .Nm | 647 | .Nm |
642 | will act as a SOCKS4 server. | 648 | will act as a SOCKS4 server. |
643 | Only root can forward privileged ports. | 649 | Only root can forward privileged ports. |
diff --git a/ssh_config.5 b/ssh_config.5 index 710c068c5..44208b431 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh_config.5,v 1.6 2003/02/06 09:27:29 markus Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -176,8 +176,8 @@ is only supported in the | |||
176 | client for interoperability with legacy protocol 1 implementations | 176 | client for interoperability with legacy protocol 1 implementations |
177 | that do not support the | 177 | that do not support the |
178 | .Ar 3des | 178 | .Ar 3des |
179 | cipher. Its use is strongly discouraged due to cryptographic | 179 | cipher. |
180 | weaknesses. | 180 | Its use is strongly discouraged due to cryptographic weaknesses. |
181 | The default is | 181 | The default is |
182 | .Dq 3des . | 182 | .Dq 3des . |
183 | .It Cm Ciphers | 183 | .It Cm Ciphers |
@@ -193,7 +193,8 @@ The default is | |||
193 | .It Cm ClearAllForwardings | 193 | .It Cm ClearAllForwardings |
194 | Specifies that all local, remote and dynamic port forwardings | 194 | Specifies that all local, remote and dynamic port forwardings |
195 | specified in the configuration files or on the command line be | 195 | specified in the configuration files or on the command line be |
196 | cleared. This option is primarily useful when used from the | 196 | cleared. |
197 | This option is primarily useful when used from the | ||
197 | .Nm ssh | 198 | .Nm ssh |
198 | command line to clear port forwardings set in | 199 | command line to clear port forwardings set in |
199 | configuration files, and is automatically set by | 200 | configuration files, and is automatically set by |
@@ -230,13 +231,14 @@ The default is 1. | |||
230 | Specifies that a TCP/IP port on the local machine be forwarded | 231 | Specifies that a TCP/IP port on the local machine be forwarded |
231 | over the secure channel, and the application | 232 | over the secure channel, and the application |
232 | protocol is then used to determine where to connect to from the | 233 | protocol is then used to determine where to connect to from the |
233 | remote machine. The argument must be a port number. | 234 | remote machine. |
235 | The argument must be a port number. | ||
234 | Currently the SOCKS4 protocol is supported, and | 236 | Currently the SOCKS4 protocol is supported, and |
235 | .Nm ssh | 237 | .Nm ssh |
236 | will act as a SOCKS4 server. | 238 | will act as a SOCKS4 server. |
237 | Multiple forwardings may be specified, and | 239 | Multiple forwardings may be specified, and |
238 | additional forwardings can be given on the command line. Only | 240 | additional forwardings can be given on the command line. |
239 | the superuser can forward privileged ports. | 241 | Only the superuser can forward privileged ports. |
240 | .It Cm EscapeChar | 242 | .It Cm EscapeChar |
241 | Sets the escape character (default: | 243 | Sets the escape character (default: |
242 | .Ql ~ ) . | 244 | .Ql ~ ) . |
@@ -259,10 +261,11 @@ or | |||
259 | The default is | 261 | The default is |
260 | .Dq no . | 262 | .Dq no . |
261 | .Pp | 263 | .Pp |
262 | Agent forwarding should be enabled with caution. Users with the | 264 | Agent forwarding should be enabled with caution. |
263 | ability to bypass file permissions on the remote host (for the agent's | 265 | Users with the ability to bypass file permissions on the remote host |
264 | Unix-domain socket) can access the local agent through the forwarded | 266 | (for the agent's Unix-domain socket) |
265 | connection. An attacker cannot obtain key material from the agent, | 267 | can access the local agent through the forwarded connection. |
268 | An attacker cannot obtain key material from the agent, | ||
266 | however they can perform operations on the keys that enable them to | 269 | however they can perform operations on the keys that enable them to |
267 | authenticate using the identities loaded into the agent. | 270 | authenticate using the identities loaded into the agent. |
268 | .It Cm ForwardX11 | 271 | .It Cm ForwardX11 |
@@ -277,18 +280,18 @@ or | |||
277 | The default is | 280 | The default is |
278 | .Dq no . | 281 | .Dq no . |
279 | .Pp | 282 | .Pp |
280 | X11 forwarding should be enabled with caution. Users with the ability | 283 | X11 forwarding should be enabled with caution. |
281 | to bypass file permissions on the remote host (for the user's X | 284 | Users with the ability to bypass file permissions on the remote host |
282 | authorization database) can access the local X11 display through the | 285 | (for the user's X authorization database) |
283 | forwarded connection. An attacker may then be able to perform | 286 | can access the local X11 display through the forwarded connection. |
284 | activities such as keystroke monitoring. | 287 | An attacker may then be able to perform activities such as keystroke monitoring. |
285 | .It Cm GatewayPorts | 288 | .It Cm GatewayPorts |
286 | Specifies whether remote hosts are allowed to connect to local | 289 | Specifies whether remote hosts are allowed to connect to local |
287 | forwarded ports. | 290 | forwarded ports. |
288 | By default, | 291 | By default, |
289 | .Nm ssh | 292 | .Nm ssh |
290 | binds local port forwardings to the loopback address. This | 293 | binds local port forwardings to the loopback address. |
291 | prevents other remote hosts from connecting to forwarded ports. | 294 | This prevents other remote hosts from connecting to forwarded ports. |
292 | .Cm GatewayPorts | 295 | .Cm GatewayPorts |
293 | can be used to specify that | 296 | can be used to specify that |
294 | .Nm ssh | 297 | .Nm ssh |
@@ -395,8 +398,9 @@ Gives the verbosity level that is used when logging messages from | |||
395 | .Nm ssh . | 398 | .Nm ssh . |
396 | The possible values are: | 399 | The possible values are: |
397 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. | 400 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
398 | The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 | 401 | The default is INFO. |
399 | and DEBUG3 each specify higher levels of verbose output. | 402 | DEBUG and DEBUG1 are equivalent. |
403 | DEBUG2 and DEBUG3 each specify higher levels of verbose output. | ||
400 | .It Cm MACs | 404 | .It Cm MACs |
401 | Specifies the MAC (message authentication code) algorithms | 405 | Specifies the MAC (message authentication code) algorithms |
402 | in order of preference. | 406 | in order of preference. |
@@ -474,8 +478,8 @@ somewhere. | |||
474 | Host key management will be done using the | 478 | Host key management will be done using the |
475 | HostName of the host being connected (defaulting to the name typed by | 479 | HostName of the host being connected (defaulting to the name typed by |
476 | the user). | 480 | the user). |
477 | Setting the command to | 481 | Setting the command to |
478 | .Dq none | 482 | .Dq none |
479 | disables this option entirely. | 483 | disables this option entirely. |
480 | Note that | 484 | Note that |
481 | .Cm CheckHostIP | 485 | .Cm CheckHostIP |
diff --git a/sshd_config.5 b/sshd_config.5 index 23ac0e96d..6f38a260a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
@@ -211,8 +211,8 @@ Specifies whether remote hosts are allowed to connect to ports | |||
211 | forwarded for the client. | 211 | forwarded for the client. |
212 | By default, | 212 | By default, |
213 | .Nm sshd | 213 | .Nm sshd |
214 | binds remote port forwardings to the loopback address. This | 214 | binds remote port forwardings to the loopback address. |
215 | prevents other remote hosts from connecting to forwarded ports. | 215 | This prevents other remote hosts from connecting to forwarded ports. |
216 | .Cm GatewayPorts | 216 | .Cm GatewayPorts |
217 | can be used to specify that | 217 | can be used to specify that |
218 | .Nm sshd | 218 | .Nm sshd |
@@ -370,7 +370,8 @@ is not specified, | |||
370 | will listen on the address and all prior | 370 | will listen on the address and all prior |
371 | .Cm Port | 371 | .Cm Port |
372 | options specified. The default is to listen on all local | 372 | options specified. The default is to listen on all local |
373 | addresses. Multiple | 373 | addresses. |
374 | Multiple | ||
374 | .Cm ListenAddress | 375 | .Cm ListenAddress |
375 | options are permitted. Additionally, any | 376 | options are permitted. Additionally, any |
376 | .Cm Port | 377 | .Cm Port |
@@ -385,10 +386,10 @@ Gives the verbosity level that is used when logging messages from | |||
385 | .Nm sshd . | 386 | .Nm sshd . |
386 | The possible values are: | 387 | The possible values are: |
387 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. | 388 | QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
388 | The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 | 389 | The default is INFO. |
389 | and DEBUG3 each specify higher levels of debugging output. | 390 | DEBUG and DEBUG1 are equivalent. |
390 | Logging with a DEBUG level violates the privacy of users | 391 | DEBUG2 and DEBUG3 each specify higher levels of debugging output. |
391 | and is not recommended. | 392 | Logging with a DEBUG level violates the privacy of users and is not recommended. |
392 | .It Cm MACs | 393 | .It Cm MACs |
393 | Specifies the available MAC (message authentication code) algorithms. | 394 | Specifies the available MAC (message authentication code) algorithms. |
394 | The MAC algorithm is used in protocol version 2 | 395 | The MAC algorithm is used in protocol version 2 |
@@ -599,16 +600,18 @@ will be disabled because | |||
599 | .Xr login 1 | 600 | .Xr login 1 |
600 | does not know how to handle | 601 | does not know how to handle |
601 | .Xr xauth 1 | 602 | .Xr xauth 1 |
602 | cookies. If | 603 | cookies. |
604 | If | ||
603 | .Cm UsePrivilegeSeparation | 605 | .Cm UsePrivilegeSeparation |
604 | is specified, it will be disabled after authentication. | 606 | is specified, it will be disabled after authentication. |
605 | .It Cm UsePrivilegeSeparation | 607 | .It Cm UsePrivilegeSeparation |
606 | Specifies whether | 608 | Specifies whether |
607 | .Nm sshd | 609 | .Nm sshd |
608 | separates privileges by creating an unprivileged child process | 610 | separates privileges by creating an unprivileged child process |
609 | to deal with incoming network traffic. After successful authentication, | 611 | to deal with incoming network traffic. |
610 | another process will be created that has the privilege of the authenticated | 612 | After successful authentication, another process will be created that has |
611 | user. The goal of privilege separation is to prevent privilege | 613 | the privilege of the authenticated user. |
614 | The goal of privilege separation is to prevent privilege | ||
612 | escalation by containing any corruption within the unprivileged processes. | 615 | escalation by containing any corruption within the unprivileged processes. |
613 | The default is | 616 | The default is |
614 | .Dq yes . | 617 | .Dq yes . |
@@ -666,7 +669,8 @@ is enabled. | |||
666 | Specifies whether | 669 | Specifies whether |
667 | .Nm sshd | 670 | .Nm sshd |
668 | should bind the X11 forwarding server to the loopback address or to | 671 | should bind the X11 forwarding server to the loopback address or to |
669 | the wildcard address. By default, | 672 | the wildcard address. |
673 | By default, | ||
670 | .Nm sshd | 674 | .Nm sshd |
671 | binds the forwarding server to the loopback address and sets the | 675 | binds the forwarding server to the loopback address and sets the |
672 | hostname part of the | 676 | hostname part of the |