-rw-r--r--  sshd_config.5  138
1 files changed, 85 insertions, 53 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 6c30f7084..59c9ea471 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.234 2016/09/22 17:55:13 djm Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.235 2016/09/22 19:19:01 jmc Exp $
37.Dd $Mdocdate: September 22 2016 $ 37.Dd $Mdocdate: September 22 2016 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
@@ -240,22 +240,21 @@ of a single authentication method is sufficient.
240Specifies a program to be used to look up the user's public keys. 240Specifies a program to be used to look up the user's public keys.
241The program must be owned by root, not writable by group or others and 241The program must be owned by root, not writable by group or others and
242specified by an absolute path. 242specified by an absolute path.
243.Pp
244Arguments to 243Arguments to
245.Cm AuthorizedKeysCommand 244.Cm AuthorizedKeysCommand
246may be provided using the following tokens, which will be expanded 245accept the tokens described in the
247at runtime: %% is replaced by a literal '%', %u is replaced by the 246.Sx TOKENS
248username being authenticated, %h is replaced by the home directory 247section.
249of the user being authenticated, %t is replaced with the key type 248If no arguments are specified then the username of the target user is used.
250offered for authentication, %f is replaced with the fingerprint of
251the key, and %k is replaced with the key being offered for authentication.
252If no arguments are specified then the username of the target user
253will be supplied.
254.Pp 249.Pp
255The program should produce on standard output zero or 250The program should produce on standard output zero or
256more lines of authorized_keys output (see AUTHORIZED_KEYS in 251more lines of authorized_keys output (see
252.Sx AUTHORIZED_KEYS
253in
257.Xr sshd 8 ) . 254.Xr sshd 8 ) .
258If a key supplied by AuthorizedKeysCommand does not successfully authenticate 255If a key supplied by
256.Cm AuthorizedKeysCommand
257does not successfully authenticate
259and authorize the user then public key authentication continues using the usual 258and authorize the user then public key authentication continues using the usual
260.Cm AuthorizedKeysFile 259.Cm AuthorizedKeysFile
261files. 260files.
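Review bot: the new `.Sx AUTHORIZED_KEYS` at new line 252 names a section that differs from the `.Sx AUTHORIZED_KEYS FILE FORMAT` this same patch uses for the same sshd(8) section under AuthorizedKeysFile (new line 276) and AuthorizedPrincipalsFile (new line 341); use the full heading here so the three references agree. Separately, mdoc(7) defines `.Sx` as a reference to a section of the same manual page, so a section that lives in sshd(8) is more accurately given as plain text followed by `.Xr sshd 8`, which is what the removed line 256 did; if `.Sx` is kept for consistency with the other two keywords, that is a conscious deviation worth a note in the commit message.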
@@ -272,18 +271,16 @@ is not, then
272.Xr sshd 8 271.Xr sshd 8
273will refuse to start. 272will refuse to start.
274.It Cm AuthorizedKeysFile 273.It Cm AuthorizedKeysFile
275Specifies the file that contains the public keys that can be used 274Specifies the file that contains the public keys used for user authentication.
276for user authentication.
277The format is described in the 275The format is described in the
278AUTHORIZED_KEYS FILE FORMAT 276.Sx AUTHORIZED_KEYS FILE FORMAT
279section of 277section of
280.Xr sshd 8 . 278.Xr sshd 8 .
279Arguments to
281.Cm AuthorizedKeysFile 280.Cm AuthorizedKeysFile
282may contain tokens of the form %T which are substituted during connection 281accept the tokens described in the
283setup. 282.Sx TOKENS
284The following tokens are defined: %% is replaced by a literal '%', 283section.
285%h is replaced by the home directory of the user being authenticated, and
286%u is replaced by the username of that user.
287After expansion, 284After expansion,
288.Cm AuthorizedKeysFile 285.Cm AuthorizedKeysFile
289is taken to be an absolute path or one relative to the user's home 286is taken to be an absolute path or one relative to the user's home
@@ -300,24 +297,12 @@ certificate principals as per
300.Cm AuthorizedPrincipalsFile . 297.Cm AuthorizedPrincipalsFile .
301The program must be owned by root, not writable by group or others and 298The program must be owned by root, not writable by group or others and
302specified by an absolute path. 299specified by an absolute path.
303.Pp
304Arguments to 300Arguments to
305.Cm AuthorizedPrincipalsCommand 301.Cm AuthorizedPrincipalsCommand
306may be provided using the following tokens, which will be expanded 302accept the tokens described in the
307at runtime: 303.Sx TOKENS
308%% is replaced by a literal '%', 304section.
309%F with the fingerprint of the CA key, 305If no arguments are specified then the username of the target user is used.
310%f is replaced with certificate fingerprint,
311%K is replaced with the base-64 encoded CA key.
312%k is replaced with the full base-64 encoded certificate,
313%h is replaced with the home directory of the user being authenticated,
314%i is replaced with key ID in the certificate,
315%s is replaced with the serial number of the certificate,
316%T with the type of the CA key,
317%t is replaced with type of the certificate being offered, and
318%u is replaced by the username being authenticated,
319If no arguments are specified then the username of the target user
320will be supplied.
321.Pp 306.Pp
322The program should produce on standard output zero or 307The program should produce on standard output zero or
323more lines of 308more lines of
@@ -329,9 +314,13 @@ or
329.Cm AuthorizedPrincipalsFile 314.Cm AuthorizedPrincipalsFile
330is specified, then certificates offered by the client for authentication 315is specified, then certificates offered by the client for authentication
331must contain a principal that is listed. 316must contain a principal that is listed.
332By default, no AuthorizedPrincipalsCommand is run. 317By default, no
318.Cm AuthorizedPrincipalsCommand
319is run.
333.It Cm AuthorizedPrincipalsCommandUser 320.It Cm AuthorizedPrincipalsCommandUser
334Specifies the user under whose account the AuthorizedPrincipalsCommand is run. 321Specifies the user under whose account the
322.Cm AuthorizedPrincipalsCommand
323is run.
335It is recommended to use a dedicated user that has no other role on the host 324It is recommended to use a dedicated user that has no other role on the host
336than running authorized principals commands. 325than running authorized principals commands.
337If 326If
@@ -348,29 +337,28 @@ When using certificates signed by a key listed in
348.Cm TrustedUserCAKeys , 337.Cm TrustedUserCAKeys ,
349this file lists names, one of which must appear in the certificate for it 338this file lists names, one of which must appear in the certificate for it
350to be accepted for authentication. 339to be accepted for authentication.
351Names are listed one per line preceded by key options (as described 340Names are listed one per line preceded by key options (as described in
352in AUTHORIZED_KEYS FILE FORMAT in 341.Sx AUTHORIZED_KEYS FILE FORMAT
342in
353.Xr sshd 8 ) . 343.Xr sshd 8 ) .
354Empty lines and comments starting with 344Empty lines and comments starting with
355.Ql # 345.Ql #
356are ignored. 346are ignored.
357.Pp 347.Pp
348Arguments to
358.Cm AuthorizedPrincipalsFile 349.Cm AuthorizedPrincipalsFile
359may contain tokens of the form %T which are substituted during connection 350accept the tokens described in the
360setup. 351.Sx TOKENS
361The following tokens are defined: %% is replaced by a literal '%', 352section.
362%h is replaced by the home directory of the user being authenticated, and
363%u is replaced by the username of that user.
364After expansion, 353After expansion,
365.Cm AuthorizedPrincipalsFile 354.Cm AuthorizedPrincipalsFile
366is taken to be an absolute path or one relative to the user's home 355is taken to be an absolute path or one relative to the user's home directory.
367directory.
368.Pp
369The default is 356The default is
370.Dq none , 357.Dq none ,
371i.e. not to use a principals file \(en in this case, the username 358i.e. not to use a principals file \(en in this case, the username
372of the user must appear in a certificate's principals list for it to be 359of the user must appear in a certificate's principals list for it to be
373accepted. 360accepted.
361.Pp
374Note that 362Note that
375.Cm AuthorizedPrincipalsFile 363.Cm AuthorizedPrincipalsFile
376is only used when authentication proceeds using a CA listed in 364is only used when authentication proceeds using a CA listed in
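Review bot: paragraph breaks are handled inconsistently between this hunk and the rest of the patch: here the `.Pp` at new line 347 is kept, so "Arguments to AuthorizedPrincipalsFile accept the tokens ..." starts a new paragraph, while the hunks for AuthorizedKeysCommand (old line 243), AuthorizedPrincipalsCommand (old line 303) and ChrootDirectory (old line 409) remove the `.Pp` before the equivalent sentence. Pick one layout for all five keywords. In the same hunk the `.Pp` at old line 368 is dropped, so "After expansion, ... home directory." now runs into "The default is .Dq none ," as one paragraph while a new `.Pp` is inserted before "Note that"; the old break before "The default is" reads better and should probably stay.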
@@ -406,11 +394,11 @@ which are not writable by any other user or group.
406After the chroot, 394After the chroot,
407.Xr sshd 8 395.Xr sshd 8
408changes the working directory to the user's home directory. 396changes the working directory to the user's home directory.
409.Pp 397Arguments to
410The pathname may contain the following tokens that are expanded at runtime once 398.Cm ChrootDirectory
411the connecting user has been authenticated: %% is replaced by a literal '%', 399accept the tokens described in the
412%h is replaced by the home directory of the user being authenticated, and 400.Sx TOKENS
413%u is replaced by the username of that user. 401section.
414.Pp 402.Pp
415The 403The
416.Cm ChrootDirectory 404.Cm ChrootDirectory
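Review bot: the sentence removed at old lines 410-411 stated that ChrootDirectory tokens are "expanded at runtime once the connecting user has been authenticated", and the generic TOKENS text that replaces it (new lines 1657-1658) says only "expanded at runtime". For this keyword that qualifier is the useful part: it tells the administrator that %u and %h are taken from the user who has actually authenticated, not from a name merely offered by the client, which is what makes a per-user chroot path such as one built from %h safe to rely on. Suggest keeping that sentence under ChrootDirectory, or adding an equivalent statement about when %h and %u are bound to the TOKENS section.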
@@ -1665,6 +1653,50 @@ Time format examples:
1665.It 1h30m 1653.It 1h30m
16661 hour 30 minutes (90 minutes) 16541 hour 30 minutes (90 minutes)
1667.El 1655.El
1656.Sh TOKENS
1657Arguments to some keywords can make use of tokens,
1658which are expanded at runtime:
1659.Pp
1660.Bl -tag -width XXXX -offset indent -compact
1661.It %%
1662A literal
1663.Sq % .
1664.It %F
1665The fingerprint of the CA key.
1666.It %f
1667The fingerprint of the key or certificate.
1668.It %h
1669The home directory of the user.
1670.It %i
1671The key ID in the certificate.
1672.It %K
1673The base64-encoded CA key.
1674.It %k
1675The base64-encoded key or certificate for authentication.
1676.It %s
1677The serial number of the certificate.
1678.It \&%T
1679The type of the CA key.
1680.It %t
1681The key or certificate type.
1682.It %u
1683The username.
1684.El
1685.Pp
1686.Cm AuthorizedKeysCommand
1687accepts the tokens %%, %f, %h, %t, and %u.
1688.Pp
1689.Cm AuthorizedKeysFile
1690accepts the tokens %%, %h, and %u.
1691.Pp
1692.Cm AuthorizedPrincipalsCommand
1693accepts the tokens %%, %F, %f, %K, %k, %h, %i, %s, %T, %t, and %u.
1694.Pp
1695.Cm AuthorizedPrincipalsFile
1696accepts the tokens %%, %h, and %u.
1697.Pp
1698.Cm ChrootDirectory
1699accepts the tokens %%, %h, and %u.
1668.Sh FILES 1700.Sh FILES
1669.Bl -tag -width Ds 1701.Bl -tag -width Ds
1670.It Pa /etc/ssh/sshd_config 1702.It Pa /etc/ssh/sshd_config
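Review bot: the per-keyword summary at new line 1687 lists AuthorizedKeysCommand as accepting %%, %f, %h, %t and %u, but the text this patch removes under that keyword (old line 251) also documented "%k is replaced with the key being offered for authentication"; add %k to that line, otherwise the token becomes undocumented for AuthorizedKeysCommand after this change. The lists for AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsFile and ChrootDirectory do match the wording they replace. Minor: the %k entry at new line 1675, "The base64-encoded key or certificate for authentication.", reads oddly next to the %f entry; "The base64-encoded key or certificate offered for authentication." would keep the removed text's meaning.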