summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.163
1 files changed, 31 insertions, 32 deletions
diff --git a/ssh.1 b/ssh.1
index 5ce1cfe70..ce1eeb49a 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ 37.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -788,7 +788,36 @@ prompts the user for a password.
788The password is sent to the remote 788The password is sent to the remote
789host for checking; however, since all communications are encrypted, 789host for checking; however, since all communications are encrypted,
790the password cannot be seen by someone listening on the network. 790the password cannot be seen by someone listening on the network.
791.Sh LOGIN SESSION AND REMOTE EXECUTION 791.Pp
792.Nm
793automatically maintains and checks a database containing
794identification for all hosts it has ever been used with.
795Host keys are stored in
796.Pa ~/.ssh/known_hosts
797in the user's home directory.
798Additionally, the file
799.Pa /etc/ssh/ssh_known_hosts
800is automatically checked for known hosts.
801Any new hosts are automatically added to the user's file.
802If a host's identification ever changes,
803.Nm
804warns about this and disables password authentication to prevent
805server spoofing or man-in-the-middle attacks,
806which could otherwise be used to circumvent the encryption.
807The
808.Cm StrictHostKeyChecking
809option can be used to control logins to machines whose
810host key is not known or has changed.
811.Pp
812.Nm
813can be configured to verify host identification using fingerprint resource
814records (SSHFP) published in DNS.
815The
816.Cm VerifyHostKeyDNS
817option can be used to control how DNS lookups are performed.
818SSHFP resource records can be generated using
819.Xr ssh-keygen 1 .
820.Pp
792When the user's identity has been accepted by the server, the server 821When the user's identity has been accepted by the server, the server
793either executes the given command, or logs into the machine and gives 822either executes the given command, or logs into the machine and gives
794the user a normal shell on the remote machine. 823the user a normal shell on the remote machine.
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can
924be specified either on the command line or in a configuration file. 953be specified either on the command line or in a configuration file.
925One possible application of TCP/IP forwarding is a secure connection to an 954One possible application of TCP/IP forwarding is a secure connection to an
926electronic purse; another is going through firewalls. 955electronic purse; another is going through firewalls.
927.Sh SERVER AUTHENTICATION
928.Nm
929automatically maintains and checks a database containing
930identifications for all hosts it has ever been used with.
931Host keys are stored in
932.Pa ~/.ssh/known_hosts
933in the user's home directory.
934Additionally, the file
935.Pa /etc/ssh/ssh_known_hosts
936is automatically checked for known hosts.
937Any new hosts are automatically added to the user's file.
938If a host's identification ever changes,
939.Nm
940warns about this and disables password authentication to prevent a
941trojan horse from getting the user's password.
942Another purpose of this mechanism is to prevent man-in-the-middle attacks
943which could otherwise be used to circumvent the encryption.
944The
945.Cm StrictHostKeyChecking
946option can be used to prevent logins to machines whose
947host key is not known or has changed.
948.Pp
949.Nm
950can be configured to verify host identification using fingerprint resource
951records (SSHFP) published in DNS.
952The
953.Cm VerifyHostKeyDNS
954option can be used to control how DNS lookups are performed.
955SSHFP resource records can be generated using
956.Xr ssh-keygen 1 .
957.Sh ENVIRONMENT 956.Sh ENVIRONMENT
958.Nm 957.Nm
959will normally set the following environment variables: 958will normally set the following environment variables: