Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 63 |
1 files changed, 31 insertions, 32 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -788,7 +788,36 @@ prompts the user for a password. | |||
788 | The password is sent to the remote | 788 | The password is sent to the remote |
789 | host for checking; however, since all communications are encrypted, | 789 | host for checking; however, since all communications are encrypted, |
790 | the password cannot be seen by someone listening on the network. | 790 | the password cannot be seen by someone listening on the network. |
791 | .Sh LOGIN SESSION AND REMOTE EXECUTION | 791 | .Pp |
792 | .Nm | ||
793 | automatically maintains and checks a database containing | ||
794 | identification for all hosts it has ever been used with. | ||
795 | Host keys are stored in | ||
796 | .Pa ~/.ssh/known_hosts | ||
797 | in the user's home directory. | ||
798 | Additionally, the file | ||
799 | .Pa /etc/ssh/ssh_known_hosts | ||
800 | is automatically checked for known hosts. | ||
801 | Any new hosts are automatically added to the user's file. | ||
802 | If a host's identification ever changes, | ||
803 | .Nm | ||
804 | warns about this and disables password authentication to prevent | ||
805 | server spoofing or man-in-the-middle attacks, | ||
806 | which could otherwise be used to circumvent the encryption. | ||
807 | The | ||
808 | .Cm StrictHostKeyChecking | ||
809 | option can be used to control logins to machines whose | ||
810 | host key is not known or has changed. | ||
811 | .Pp | ||
812 | .Nm | ||
813 | can be configured to verify host identification using fingerprint resource | ||
814 | records (SSHFP) published in DNS. | ||
815 | The | ||
816 | .Cm VerifyHostKeyDNS | ||
817 | option can be used to control how DNS lookups are performed. | ||
818 | SSHFP resource records can be generated using | ||
819 | .Xr ssh-keygen 1 . | ||
820 | .Pp | ||
792 | When the user's identity has been accepted by the server, the server | 821 | When the user's identity has been accepted by the server, the server |
793 | either executes the given command, or logs into the machine and gives | 822 | either executes the given command, or logs into the machine and gives |
794 | the user a normal shell on the remote machine. | 823 | the user a normal shell on the remote machine. |
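Review bot: Replacing `.Sh LOGIN SESSION AND REMOTE EXECUTION` with `.Pp` at old line 791 deletes a section heading outright, so any `.Sx LOGIN SESSION AND REMOTE EXECUTION` cross-reference elsewhere in ssh.1 or in the related pages would now dangle; grep for that title before committing. Also note that this is not a pure move of the text removed from SERVER AUTHENTICATION: "identifications" becomes "identification", "prevent a trojan horse from getting the user's password. Another purpose of this mechanism is to prevent man-in-the-middle attacks" becomes "prevent server spoofing or man-in-the-middle attacks", and "prevent logins" becomes "control logins". These are reasonable wording improvements, but the commit message should mention them rather than describe the change as a reorganization only.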
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can | |||
924 | be specified either on the command line or in a configuration file. | 953 | be specified either on the command line or in a configuration file. |
925 | One possible application of TCP/IP forwarding is a secure connection to an | 954 | One possible application of TCP/IP forwarding is a secure connection to an |
926 | electronic purse; another is going through firewalls. | 955 | electronic purse; another is going through firewalls. |
927 | .Sh SERVER AUTHENTICATION | ||
928 | .Nm | ||
929 | automatically maintains and checks a database containing | ||
930 | identifications for all hosts it has ever been used with. | ||
931 | Host keys are stored in | ||
932 | .Pa ~/.ssh/known_hosts | ||
933 | in the user's home directory. | ||
934 | Additionally, the file | ||
935 | .Pa /etc/ssh/ssh_known_hosts | ||
936 | is automatically checked for known hosts. | ||
937 | Any new hosts are automatically added to the user's file. | ||
938 | If a host's identification ever changes, | ||
939 | .Nm | ||
940 | warns about this and disables password authentication to prevent a | ||
941 | trojan horse from getting the user's password. | ||
942 | Another purpose of this mechanism is to prevent man-in-the-middle attacks | ||
943 | which could otherwise be used to circumvent the encryption. | ||
944 | The | ||
945 | .Cm StrictHostKeyChecking | ||
946 | option can be used to prevent logins to machines whose | ||
947 | host key is not known or has changed. | ||
948 | .Pp | ||
949 | .Nm | ||
950 | can be configured to verify host identification using fingerprint resource | ||
951 | records (SSHFP) published in DNS. | ||
952 | The | ||
953 | .Cm VerifyHostKeyDNS | ||
954 | option can be used to control how DNS lookups are performed. | ||
955 | SSHFP resource records can be generated using | ||
956 | .Xr ssh-keygen 1 . | ||
957 | .Sh ENVIRONMENT | 956 | .Sh ENVIRONMENT |
958 | .Nm | 957 | .Nm |
959 | will normally set the following environment variables: | 958 | will normally set the following environment variables: |
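Review bot: Dropping the `.Sh SERVER AUTHENTICATION` heading at old line 927 means the host key database and SSHFP text no longer has a heading of its own, and ENVIRONMENT now directly follows the TCP/IP forwarding paragraph. Check ssh.1 and the option descriptions in ssh_config.5 for StrictHostKeyChecking and VerifyHostKeyDNS for any `.Sx SERVER AUTHENTICATION` reference and update it to point at the section where the text now lives, otherwise readers following the cross-reference will land nowhere.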