-rw-r--r-- moduli.5 4
-rw-r--r-- ssh-keygen.1 12
-rw-r--r-- ssh.1 4
-rw-r--r-- sshd.8 5
-rw-r--r-- sshd_config.5 3
5 files changed, 13 insertions, 15 deletions
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
21.Nd Diffie-Hellman moduli 21.Nd Diffie-Hellman moduli
22.Sh DESCRIPTION 22.Sh DESCRIPTION
23The 23The
24.Pa /etc/moduli 24.Pa /etc/ssh/moduli
25file contains prime numbers and generators for use by 25file contains prime numbers and generators for use by
26.Xr sshd 8 26.Xr sshd 8
27in the Diffie-Hellman Group Exchange key exchange method. 27in the Diffie-Hellman Group Exchange key exchange method.
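Review bot: new line 24 writes the moduli location as the literal /etc/ssh/moduli; please confirm it matches the path sshd is built to read on this system, because an administrator who installs screened groups at the documented path while sshd opens a different file would not be using the DH-GEX groups they think they installed. If the configuration directory can vary between builds, substitute the path at build time rather than hard-coding it in the page.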
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
110Diffie-Hellman output to sufficiently key the selected symmetric cipher. 110Diffie-Hellman output to sufficiently key the selected symmetric cipher.
111.Xr sshd 8 111.Xr sshd 8
112then randomly selects a modulus from 112then randomly selects a modulus from
113.Fa /etc/moduli 113.Fa /etc/ssh/moduli
114that best meets the size requirement. 114that best meets the size requirement.
115.Sh SEE ALSO 115.Sh SEE ALSO
116.Xr ssh-keygen 1 , 116.Xr ssh-keygen 1 ,
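Review bot: line 113 marks the path with .Fa, while the same path at line 24 of this file uses .Pa. Since the line is being touched anyway, change it to ".Pa /etc/ssh/moduli" so the file name is marked up consistently across the page.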
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 144be7d6b..753cc625b 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -171,9 +171,7 @@ key in
171.Pa ~/.ssh/id_dsa 171.Pa ~/.ssh/id_dsa
172or 172or
173.Pa ~/.ssh/id_rsa . 173.Pa ~/.ssh/id_rsa .
174Additionally, the system administrator may use this to generate host keys, 174Additionally, the system administrator may use this to generate host keys.
175as seen in
176.Pa /etc/rc .
177.Pp 175.Pp
178Normally this program generates the key and asks for a file in which 176Normally this program generates the key and asks for a file in which
179to store the private key. 177to store the private key.
@@ -219,9 +217,7 @@ The options are as follows:
219For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 217For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
220do not exist, generate the host keys with the default key file path, 218do not exist, generate the host keys with the default key file path,
221an empty passphrase, default bits for the key type, and default comment. 219an empty passphrase, default bits for the key type, and default comment.
222This is used by 220This is used by system administration scripts to generate new host keys.
223.Pa /etc/rc
224to generate new host keys.
225.It Fl a Ar trials 221.It Fl a Ar trials
226Specifies the number of primality tests to perform when screening DH-GEX 222Specifies the number of primality tests to perform when screening DH-GEX
227candidates using the 223candidates using the
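Review bot: new line 220 replaces the /etc/rc reference with the generic "system administration scripts", whereas the sshd.8 change in this same patch names /etc/init.d/ssh explicitly. Line 219 says these host keys are created with an empty passphrase, so naming the script that actually invokes this option would let an administrator audit when and where host keys are generated; otherwise use the same generic wording in both pages.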
@@ -605,7 +601,7 @@ option.
605Valid generator values are 2, 3, and 5. 601Valid generator values are 2, 3, and 5.
606.Pp 602.Pp
607Screened DH groups may be installed in 603Screened DH groups may be installed in
608.Pa /etc/moduli . 604.Pa /etc/ssh/moduli .
609It is important that this file contains moduli of a range of bit lengths and 605It is important that this file contains moduli of a range of bit lengths and
610that both ends of a connection share common moduli. 606that both ends of a connection share common moduli.
611.Sh CERTIFICATES 607.Sh CERTIFICATES
@@ -800,7 +796,7 @@ on all machines
800where the user wishes to log in using public key authentication. 796where the user wishes to log in using public key authentication.
801There is no need to keep the contents of this file secret. 797There is no need to keep the contents of this file secret.
802.Pp 798.Pp
803.It Pa /etc/moduli 799.It Pa /etc/ssh/moduli
804Contains Diffie-Hellman groups used for DH-GEX. 800Contains Diffie-Hellman groups used for DH-GEX.
805The file format is described in 801The file format is described in
806.Xr moduli 5 . 802.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index 0b38ae188..b3c3924a5 100644
--- a/ssh.1
+++ b/ssh.1
@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys,
756but protocol 2 may use any. 756but protocol 2 may use any.
757The HISTORY section of 757The HISTORY section of
758.Xr ssl 8 758.Xr ssl 8
759(on non-OpenBSD systems, see
760.nh
761http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
762.hy
759contains a brief discussion of the DSA and RSA algorithms. 763contains a brief discussion of the DSA and RSA algorithms.
760.Pp 764.Pp
761The file 765The file
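Review bot: the URL added at line 761 is plain http and points at a cgi-bin query, so the reference is fetched without transport protection and is likely to go stale; prefer an https form if the site serves one, and consider the mdoc .Lk macro instead of raw text wrapped in .nh and .hy. The .Xr ssl 8 on line 758 is left in place and still renders as a local cross-reference, which will not resolve on the systems the parenthetical is written for.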
diff --git a/sshd.8 b/sshd.8
index a604429b7..6bdd2192c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -70,7 +70,7 @@ over an insecure network.
70.Nm 70.Nm
71listens for connections from clients. 71listens for connections from clients.
72It is normally started at boot from 72It is normally started at boot from
73.Pa /etc/rc . 73.Pa /etc/init.d/ssh .
74It forks a new 74It forks a new
75daemon for each incoming connection. 75daemon for each incoming connection.
76The forked daemons handle 76The forked daemons handle
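Review bot: line 73 now says sshd is started from /etc/init.d/ssh, a script named ssh rather than sshd, which a reader searching for the daemon's start script may not expect. A short clause identifying it as the init script for the daemon would remove the ambiguity.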
@@ -859,7 +859,7 @@ This file is for host-based authentication (see
859.Xr ssh 1 ) . 859.Xr ssh 1 ) .
860It should only be writable by root. 860It should only be writable by root.
861.Pp 861.Pp
862.It Pa /etc/moduli 862.It Pa /etc/ssh/moduli
863Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 863Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
864The file format is described in 864The file format is described in
865.Xr moduli 5 . 865.Xr moduli 5 .
@@ -957,7 +957,6 @@ The content of this file is not sensitive; it can be world-readable.
957.Xr ssh-vulnkey 1 , 957.Xr ssh-vulnkey 1 ,
958.Xr chroot 2 , 958.Xr chroot 2 ,
959.Xr hosts_access 5 , 959.Xr hosts_access 5 ,
960.Xr login.conf 5 ,
961.Xr moduli 5 , 960.Xr moduli 5 ,
962.Xr sshd_config 5 , 961.Xr sshd_config 5 ,
963.Xr inetd 8 , 962.Xr inetd 8 ,
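Review bot: dropping ".Xr login.conf 5" from SEE ALSO at old line 960 is only complete if the body of sshd.8 no longer mentions login.conf, and the visible hunks do not show that. Please confirm with a search of the file before merging, so the page does not refer to a manual it no longer lists.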
diff --git a/sshd_config.5 b/sshd_config.5
index eaf8d01a2..ec4851ac4 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -283,8 +283,7 @@ This option is only available for protocol version 2.
283By default, no banner is displayed. 283By default, no banner is displayed.
284.It Cm ChallengeResponseAuthentication 284.It Cm ChallengeResponseAuthentication
285Specifies whether challenge-response authentication is allowed (e.g. via 285Specifies whether challenge-response authentication is allowed (e.g. via
286PAM or though authentication styles supported in 286PAM).
287.Xr login.conf 5 )
288The default is 287The default is
289.Dq yes . 288.Dq yes .
290.It Cm ChrootDirectory 289.It Cm ChrootDirectory
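Review bot: new line 286 ends the parenthetical at "PAM).", so the sentence still reads "e.g. via PAM" and implies other challenge-response backends exist after the only other one named has been removed. If PAM is the only backend in this build, drop the "e.g." so an administrator deciding whether to keep the default of yes knows exactly what the option enables.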