-rw-r--r-- | sshd_config.5 | 138 |
1 files changed, 85 insertions, 53 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 6c30f7084..59c9ea471 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,7 +33,7 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.234 2016/09/22 17:55:13 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.235 2016/09/22 19:19:01 jmc Exp $ |
37 | .Dd $Mdocdate: September 22 2016 $ | 37 | .Dd $Mdocdate: September 22 2016 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
@@ -240,22 +240,21 @@ of a single authentication method is sufficient. | |||
240 | Specifies a program to be used to look up the user's public keys. | 240 | Specifies a program to be used to look up the user's public keys. |
241 | The program must be owned by root, not writable by group or others and | 241 | The program must be owned by root, not writable by group or others and |
242 | specified by an absolute path. | 242 | specified by an absolute path. |
243 | .Pp | ||
244 | Arguments to | 243 | Arguments to |
245 | .Cm AuthorizedKeysCommand | 244 | .Cm AuthorizedKeysCommand |
246 | may be provided using the following tokens, which will be expanded | 245 | accept the tokens described in the |
247 | at runtime: %% is replaced by a literal '%', %u is replaced by the | 246 | .Sx TOKENS |
248 | username being authenticated, %h is replaced by the home directory | 247 | section. |
249 | of the user being authenticated, %t is replaced with the key type | 248 | If no arguments are specified then the username of the target user is used. |
250 | offered for authentication, %f is replaced with the fingerprint of | ||
251 | the key, and %k is replaced with the key being offered for authentication. | ||
252 | If no arguments are specified then the username of the target user | ||
253 | will be supplied. | ||
254 | .Pp | 249 | .Pp |
255 | The program should produce on standard output zero or | 250 | The program should produce on standard output zero or |
256 | more lines of authorized_keys output (see AUTHORIZED_KEYS in | 251 | more lines of authorized_keys output (see |
252 | .Sx AUTHORIZED_KEYS | ||
253 | in | ||
257 | .Xr sshd 8 ) . | 254 | .Xr sshd 8 ) . |
258 | If a key supplied by AuthorizedKeysCommand does not successfully authenticate | 255 | If a key supplied by |
256 | .Cm AuthorizedKeysCommand | ||
257 | does not successfully authenticate | ||
259 | and authorize the user then public key authentication continues using the usual | 258 | and authorize the user then public key authentication continues using the usual |
260 | .Cm AuthorizedKeysFile | 259 | .Cm AuthorizedKeysFile |
261 | files. | 260 | files. |
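Review bot: the cross-reference at new line 252 spells the sshd(8) section as `.Sx AUTHORIZED_KEYS`, while new lines 276 and 341 later in this same patch spell it `.Sx AUTHORIZED_KEYS FILE FORMAT`; use the full section name here so the three references agree. Note also that `.Sx` is the mdoc macro for a section of the current manual, so for a section that lives in sshd(8) the plain-text form of the old line 256 is arguably more accurate than `.Sx`. Removing the `.Pp` at old line 243 folds the token sentence into the paragraph about the program's ownership and path requirements; the same merge is done at old lines 303 and 409, so it looks intended, but keep it consistent for every keyword touched.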
@@ -272,18 +271,16 @@ is not, then | |||
272 | .Xr sshd 8 | 271 | .Xr sshd 8 |
273 | will refuse to start. | 272 | will refuse to start. |
274 | .It Cm AuthorizedKeysFile | 273 | .It Cm AuthorizedKeysFile |
275 | Specifies the file that contains the public keys that can be used | 274 | Specifies the file that contains the public keys used for user authentication. |
276 | for user authentication. | ||
277 | The format is described in the | 275 | The format is described in the |
278 | AUTHORIZED_KEYS FILE FORMAT | 276 | .Sx AUTHORIZED_KEYS FILE FORMAT |
279 | section of | 277 | section of |
280 | .Xr sshd 8 . | 278 | .Xr sshd 8 . |
279 | Arguments to | ||
281 | .Cm AuthorizedKeysFile | 280 | .Cm AuthorizedKeysFile |
282 | may contain tokens of the form %T which are substituted during connection | 281 | accept the tokens described in the |
283 | setup. | 282 | .Sx TOKENS |
284 | The following tokens are defined: %% is replaced by a literal '%', | 283 | section. |
285 | %h is replaced by the home directory of the user being authenticated, and | ||
286 | %u is replaced by the username of that user. | ||
287 | After expansion, | 284 | After expansion, |
288 | .Cm AuthorizedKeysFile | 285 | .Cm AuthorizedKeysFile |
289 | is taken to be an absolute path or one relative to the user's home | 286 | is taken to be an absolute path or one relative to the user's home |
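Review bot: "Arguments to AuthorizedKeysFile" (new line 279) is a slight misnomer for a keyword whose value is a list of file names; the old wording at old lines 282-283 described the value itself ("may contain tokens of the form %T"). Consider "The file names may contain the tokens described in the TOKENS section." The same "Arguments to" phrasing is used for AuthorizedPrincipalsFile and ChrootDirectory elsewhere in this patch, so whichever wording is chosen should be applied to all three path-valued keywords.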
@@ -300,24 +297,12 @@ certificate principals as per | |||
300 | .Cm AuthorizedPrincipalsFile . | 297 | .Cm AuthorizedPrincipalsFile . |
301 | The program must be owned by root, not writable by group or others and | 298 | The program must be owned by root, not writable by group or others and |
302 | specified by an absolute path. | 299 | specified by an absolute path. |
303 | .Pp | ||
304 | Arguments to | 300 | Arguments to |
305 | .Cm AuthorizedPrincipalsCommand | 301 | .Cm AuthorizedPrincipalsCommand |
306 | may be provided using the following tokens, which will be expanded | 302 | accept the tokens described in the |
307 | at runtime: | 303 | .Sx TOKENS |
308 | %% is replaced by a literal '%', | 304 | section. |
309 | %F with the fingerprint of the CA key, | 305 | If no arguments are specified then the username of the target user is used. |
310 | %f is replaced with certificate fingerprint, | ||
311 | %K is replaced with the base-64 encoded CA key. | ||
312 | %k is replaced with the full base-64 encoded certificate, | ||
313 | %h is replaced with the home directory of the user being authenticated, | ||
314 | %i is replaced with key ID in the certificate, | ||
315 | %s is replaced with the serial number of the certificate, | ||
316 | %T with the type of the CA key, | ||
317 | %t is replaced with type of the certificate being offered, and | ||
318 | %u is replaced by the username being authenticated, | ||
319 | If no arguments are specified then the username of the target user | ||
320 | will be supplied. | ||
321 | .Pp | 306 | .Pp |
322 | The program should produce on standard output zero or | 307 | The program should produce on standard output zero or |
323 | more lines of | 308 | more lines of |
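Review bot: the per-token descriptions removed at old lines 308-318 were certificate-specific for this keyword ("%f is replaced with certificate fingerprint", "%k is replaced with the full base-64 encoded certificate"), and the replacement at new lines 300-305 now relies on the shared TOKENS table, which describes %f and %k as "the key or certificate"; since AuthorizedPrincipalsCommand only sees certificates, a short reminder of that in the keyword text would keep the meaning the old lines carried. The trailing comma after "username being authenticated," at old line 318 was a typo that this rewrite removes, which is good.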
@@ -329,9 +314,13 @@ or | |||
329 | .Cm AuthorizedPrincipalsFile | 314 | .Cm AuthorizedPrincipalsFile |
330 | is specified, then certificates offered by the client for authentication | 315 | is specified, then certificates offered by the client for authentication |
331 | must contain a principal that is listed. | 316 | must contain a principal that is listed. |
332 | By default, no AuthorizedPrincipalsCommand is run. | 317 | By default, no |
318 | .Cm AuthorizedPrincipalsCommand | ||
319 | is run. | ||
333 | .It Cm AuthorizedPrincipalsCommandUser | 320 | .It Cm AuthorizedPrincipalsCommandUser |
334 | Specifies the user under whose account the AuthorizedPrincipalsCommand is run. | 321 | Specifies the user under whose account the |
322 | .Cm AuthorizedPrincipalsCommand | ||
323 | is run. | ||
335 | It is recommended to use a dedicated user that has no other role on the host | 324 | It is recommended to use a dedicated user that has no other role on the host |
336 | than running authorized principals commands. | 325 | than running authorized principals commands. |
337 | If | 326 | If |
@@ -348,29 +337,28 @@ When using certificates signed by a key listed in | |||
348 | .Cm TrustedUserCAKeys , | 337 | .Cm TrustedUserCAKeys , |
349 | this file lists names, one of which must appear in the certificate for it | 338 | this file lists names, one of which must appear in the certificate for it |
350 | to be accepted for authentication. | 339 | to be accepted for authentication. |
351 | Names are listed one per line preceded by key options (as described | 340 | Names are listed one per line preceded by key options (as described in |
352 | in AUTHORIZED_KEYS FILE FORMAT in | 341 | .Sx AUTHORIZED_KEYS FILE FORMAT |
342 | in | ||
353 | .Xr sshd 8 ) . | 343 | .Xr sshd 8 ) . |
354 | Empty lines and comments starting with | 344 | Empty lines and comments starting with |
355 | .Ql # | 345 | .Ql # |
356 | are ignored. | 346 | are ignored. |
357 | .Pp | 347 | .Pp |
348 | Arguments to | ||
358 | .Cm AuthorizedPrincipalsFile | 349 | .Cm AuthorizedPrincipalsFile |
359 | may contain tokens of the form %T which are substituted during connection | 350 | accept the tokens described in the |
360 | setup. | 351 | .Sx TOKENS |
361 | The following tokens are defined: %% is replaced by a literal '%', | 352 | section. |
362 | %h is replaced by the home directory of the user being authenticated, and | ||
363 | %u is replaced by the username of that user. | ||
364 | After expansion, | 353 | After expansion, |
365 | .Cm AuthorizedPrincipalsFile | 354 | .Cm AuthorizedPrincipalsFile |
366 | is taken to be an absolute path or one relative to the user's home | 355 | is taken to be an absolute path or one relative to the user's home directory. |
367 | directory. | ||
368 | .Pp | ||
369 | The default is | 356 | The default is |
370 | .Dq none , | 357 | .Dq none , |
371 | i.e. not to use a principals file \(en in this case, the username | 358 | i.e. not to use a principals file \(en in this case, the username |
372 | of the user must appear in a certificate's principals list for it to be | 359 | of the user must appear in a certificate's principals list for it to be |
373 | accepted. | 360 | accepted. |
361 | .Pp | ||
374 | Note that | 362 | Note that |
375 | .Cm AuthorizedPrincipalsFile | 363 | .Cm AuthorizedPrincipalsFile |
376 | is only used when authentication proceeds using a CA listed in | 364 | is only used when authentication proceeds using a CA listed in |
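Review bot: the paragraph break at old line 368 (between "directory." and "The default is") is removed and a new one is added before "Note that" at new line 361, so the default-value sentence now shares a paragraph with the token-expansion rules rather than with the sentence that follows it. If the intent is to group "default is none" with the description of how the path is resolved, fine, but this reads as an unrelated layout change in a token-refactoring commit; consider either keeping old line 368 or mentioning the reflow in the commit message.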
@@ -406,11 +394,11 @@ which are not writable by any other user or group. | |||
406 | After the chroot, | 394 | After the chroot, |
407 | .Xr sshd 8 | 395 | .Xr sshd 8 |
408 | changes the working directory to the user's home directory. | 396 | changes the working directory to the user's home directory. |
409 | .Pp | 397 | Arguments to |
410 | The pathname may contain the following tokens that are expanded at runtime once | 398 | .Cm ChrootDirectory |
411 | the connecting user has been authenticated: %% is replaced by a literal '%', | 399 | accept the tokens described in the |
412 | %h is replaced by the home directory of the user being authenticated, and | 400 | .Sx TOKENS |
413 | %u is replaced by the username of that user. | 401 | section. |
414 | .Pp | 402 | .Pp |
415 | The | 403 | The |
416 | .Cm ChrootDirectory | 404 | .Cm ChrootDirectory |
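Review bot: old lines 410-411 state that ChrootDirectory tokens are expanded "at runtime once the connecting user has been authenticated", and the replacement at new lines 397-401 drops that timing qualifier. For a keyword that decides which directory a user is confined to, the fact that %u and %h are resolved from the authenticated user rather than anything the client supplied is the most security-relevant part of the old text; suggest keeping it, e.g. "accept the tokens described in the TOKENS section, which are expanded after the user has been authenticated."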
@@ -1665,6 +1653,50 @@ Time format examples: | |||
1665 | .It 1h30m | 1653 | .It 1h30m |
1666 | 1 hour 30 minutes (90 minutes) | 1654 | 1 hour 30 minutes (90 minutes) |
1667 | .El | 1655 | .El |
1656 | .Sh TOKENS | ||
1657 | Arguments to some keywords can make use of tokens, | ||
1658 | which are expanded at runtime: | ||
1659 | .Pp | ||
1660 | .Bl -tag -width XXXX -offset indent -compact | ||
1661 | .It %% | ||
1662 | A literal | ||
1663 | .Sq % . | ||
1664 | .It %F | ||
1665 | The fingerprint of the CA key. | ||
1666 | .It %f | ||
1667 | The fingerprint of the key or certificate. | ||
1668 | .It %h | ||
1669 | The home directory of the user. | ||
1670 | .It %i | ||
1671 | The key ID in the certificate. | ||
1672 | .It %K | ||
1673 | The base64-encoded CA key. | ||
1674 | .It %k | ||
1675 | The base64-encoded key or certificate for authentication. | ||
1676 | .It %s | ||
1677 | The serial number of the certificate. | ||
1678 | .It \&%T | ||
1679 | The type of the CA key. | ||
1680 | .It %t | ||
1681 | The key or certificate type. | ||
1682 | .It %u | ||
1683 | The username. | ||
1684 | .El | ||
1685 | .Pp | ||
1686 | .Cm AuthorizedKeysCommand | ||
1687 | accepts the tokens %%, %f, %h, %t, and %u. | ||
1688 | .Pp | ||
1689 | .Cm AuthorizedKeysFile | ||
1690 | accepts the tokens %%, %h, and %u. | ||
1691 | .Pp | ||
1692 | .Cm AuthorizedPrincipalsCommand | ||
1693 | accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u. | ||
1694 | .Pp | ||
1695 | .Cm AuthorizedPrincipalsFile | ||
1696 | accepts the tokens %%, %h, and %u. | ||
1697 | .Pp | ||
1698 | .Cm ChrootDirectory | ||
1699 | accepts the tokens %%, %h, and %u. | ||
1668 | .Sh FILES | 1700 | .Sh FILES |
1669 | .Bl -tag -width Ds | 1701 | .Bl -tag -width Ds |
1670 | .It Pa /etc/ssh/sshd_config | 1702 | .It Pa /etc/ssh/sshd_config |
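Review bot: only `.It \&%T` (new line 1678) is protected with `\&`; the other entries (`%F`, `%K`, `%k`, `%%`) are written bare. If the escape is needed to stop `%T` from being taken for the mdoc `%T` reference macro, apply it uniformly or leave a `.\"` comment explaining why only this entry needs it; if it is not needed, drop it. The per-keyword summary at new line 1693 lists the AuthorizedPrincipalsCommand tokens in the order %K, %k, %h, %i while the table above orders them %h, %i, %K, %k; reorder one to match the other so a reader can check the two against each other. Finally, the table entry for %k at new line 1675 says "key or certificate for authentication" while %f at 1667 says just "key or certificate"; either both should mention the authentication context or neither.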