-rw-r--r-- moduli.5 4
-rw-r--r-- ssh-keygen.1 12
-rw-r--r-- ssh.1 4
-rw-r--r-- sshd.8 5
-rw-r--r-- sshd_config.5 3
5 files changed, 13 insertions, 15 deletions
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
21.Nd Diffie-Hellman moduli 21.Nd Diffie-Hellman moduli
22.Sh DESCRIPTION 22.Sh DESCRIPTION
23The 23The
24.Pa /etc/moduli 24.Pa /etc/ssh/moduli
25file contains prime numbers and generators for use by 25file contains prime numbers and generators for use by
26.Xr sshd 8 26.Xr sshd 8
27in the Diffie-Hellman Group Exchange key exchange method. 27in the Diffie-Hellman Group Exchange key exchange method.
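Review bot: the .Pa line at 24 hard-codes /etc/ssh/moduli, and the same literal is repeated in the second moduli.5 hunk and in the ssh-keygen.1 and sshd.8 hunks. Please confirm it matches the moduli path sshd is actually built with; if the two ever diverge, an administrator who installs screened DH groups at the documented location will be maintaining a file the daemon does not read. If the build already substitutes paths into the man pages, relying on that substitution instead of editing the literal in four places would keep the documentation and the binary in step.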
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
110Diffie-Hellman output to sufficiently key the selected symmetric cipher. 110Diffie-Hellman output to sufficiently key the selected symmetric cipher.
111.Xr sshd 8 111.Xr sshd 8
112then randomly selects a modulus from 112then randomly selects a modulus from
113.Fa /etc/moduli 113.Fa /etc/ssh/moduli
114that best meets the size requirement. 114that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
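Review bot: line 113 keeps the .Fa macro for a file path, while line 24 of this same page and the FILES entries touched in ssh-keygen.1 and sshd.8 mark the path up with .Pa. Since the line is being changed anyway, switch it to ".Pa /etc/ssh/moduli" so the path is rendered and indexed the same way everywhere.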
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 957d2f0f0..143a2349f 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -191,9 +191,7 @@ key in
191.Pa ~/.ssh/id_ed25519 191.Pa ~/.ssh/id_ed25519
192or 192or
193.Pa ~/.ssh/id_rsa . 193.Pa ~/.ssh/id_rsa .
194Additionally, the system administrator may use this to generate host keys, 194Additionally, the system administrator may use this to generate host keys.
195as seen in
196.Pa /etc/rc .
197.Pp 195.Pp
198Normally this program generates the key and asks for a file in which 196Normally this program generates the key and asks for a file in which
199to store the private key. 197to store the private key.
@@ -256,9 +254,7 @@ If
256.Fl f 254.Fl f
257has also been specified, its argument is used as a prefix to the 255has also been specified, its argument is used as a prefix to the
258default path for the resulting host key files. 256default path for the resulting host key files.
259This is used by 257This is used by system administration scripts to generate new host keys.
260.Pa /etc/rc
261to generate new host keys.
262.It Fl a Ar rounds 258.It Fl a Ar rounds
263When saving a private key, this option specifies the number of KDF 259When saving a private key, this option specifies the number of KDF
264(key derivation function) rounds used. 260(key derivation function) rounds used.
@@ -798,7 +794,7 @@ option.
798Valid generator values are 2, 3, and 5. 794Valid generator values are 2, 3, and 5.
799.Pp 795.Pp
800Screened DH groups may be installed in 796Screened DH groups may be installed in
801.Pa /etc/moduli . 797.Pa /etc/ssh/moduli .
802It is important that this file contains moduli of a range of bit lengths and 798It is important that this file contains moduli of a range of bit lengths and
803that both ends of a connection share common moduli. 799that both ends of a connection share common moduli.
804.Sh CERTIFICATES 800.Sh CERTIFICATES
@@ -1049,7 +1045,7 @@ on all machines
1049where the user wishes to log in using public key authentication. 1045where the user wishes to log in using public key authentication.
1050There is no need to keep the contents of this file secret. 1046There is no need to keep the contents of this file secret.
1051.Pp 1047.Pp
1052.It Pa /etc/moduli 1048.It Pa /etc/ssh/moduli
1053Contains Diffie-Hellman groups used for DH-GEX. 1049Contains Diffie-Hellman groups used for DH-GEX.
1054The file format is described in 1050The file format is described in
1055.Xr moduli 5 . 1051.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index 20e4c4efa..4923031f4 100644
--- a/ssh.1
+++ b/ssh.1
@@ -873,6 +873,10 @@ implements public key authentication protocol automatically,
873using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 873using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
874The HISTORY section of 874The HISTORY section of
875.Xr ssl 8 875.Xr ssl 8
876(on non-OpenBSD systems, see
877.nh
878http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
879.hy
876contains a brief discussion of the DSA and RSA algorithms. 880contains a brief discussion of the DSA and RSA algorithms.
877.Pp 881.Pp
878The file 882The file
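Review bot: the link added at line 878 is plain http and is wrapped in raw .nh/.hy requests inside an mdoc page, with the closing parenthesis glued to the end of the URL. Use an https URL if the server offers one, and consider the mdoc .Lk macro with the ")" passed as trailing punctuation, so readers who copy the link do not pick up the parenthesis as part of the query string. The parenthetical also splits "The HISTORY section of ssl 8 ... contains" in the middle; moving it to the end of the sentence would read better.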
diff --git a/sshd.8 b/sshd.8
index 57a7fd66b..4abc01d66 100644
--- a/sshd.8
+++ b/sshd.8
@@ -65,7 +65,7 @@ over an insecure network.
65.Nm 65.Nm
66listens for connections from clients. 66listens for connections from clients.
67It is normally started at boot from 67It is normally started at boot from
68.Pa /etc/rc . 68.Pa /etc/init.d/ssh .
69It forks a new 69It forks a new
70daemon for each incoming connection. 70daemon for each incoming connection.
71The forked daemons handle 71The forked daemons handle
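Review bot: line 68 replaces /etc/rc with a hard-coded /etc/init.d/ssh, whereas the ssh-keygen.1 hunks in this same patch replace their /etc/rc references with generic wording ("system administration scripts"). Pick one approach for both pages. The generic wording is the safer of the two, because the sentence stays true if the daemon is started by something other than that init script.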
@@ -884,7 +884,7 @@ This file is for host-based authentication (see
884.Xr ssh 1 ) . 884.Xr ssh 1 ) .
885It should only be writable by root. 885It should only be writable by root.
886.Pp 886.Pp
887.It Pa /etc/moduli 887.It Pa /etc/ssh/moduli
888Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" 888Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
889key exchange method. 889key exchange method.
890The file format is described in 890The file format is described in
@@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable.
982.Xr ssh-keyscan 1 , 982.Xr ssh-keyscan 1 ,
983.Xr chroot 2 , 983.Xr chroot 2 ,
984.Xr hosts_access 5 , 984.Xr hosts_access 5 ,
985.Xr login.conf 5 ,
986.Xr moduli 5 , 985.Xr moduli 5 ,
987.Xr sshd_config 5 , 986.Xr sshd_config 5 ,
988.Xr inetd 8 , 987.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index 46537f177..270805060 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -393,8 +393,7 @@ Certificates signed using other algorithms will not be accepted for
393public key or host-based authentication. 393public key or host-based authentication.
394.It Cm ChallengeResponseAuthentication 394.It Cm ChallengeResponseAuthentication
395Specifies whether challenge-response authentication is allowed (e.g. via 395Specifies whether challenge-response authentication is allowed (e.g. via
396PAM or through authentication styles supported in 396PAM).
397.Xr login.conf 5 )
398The default is 397The default is
399.Cm yes . 398.Cm yes .
400.It Cm ChrootDirectory 399.It Cm ChrootDirectory