Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 70 |
1 files changed, 30 insertions, 40 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.195 2004/08/26 16:00:55 markus Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -103,35 +103,25 @@ is specified, | |||
103 | .Ar command | 103 | .Ar command |
104 | is executed on the remote host instead of a login shell. | 104 | is executed on the remote host instead of a login shell. |
105 | .Ss SSH protocol version 1 | 105 | .Ss SSH protocol version 1 |
106 | First, if the machine the user logs in from is listed in | 106 | The first authentication method is the |
107 | .Em rhosts | ||
108 | or | ||
109 | .Em hosts.equiv | ||
110 | method combined with RSA-based host authentication. | ||
111 | If the machine the user logs in from is listed in | ||
107 | .Pa /etc/hosts.equiv | 112 | .Pa /etc/hosts.equiv |
108 | or | 113 | or |
109 | .Pa /etc/shosts.equiv | 114 | .Pa /etc/shosts.equiv |
110 | on the remote machine, and the user names are | 115 | on the remote machine, and the user names are |
111 | the same on both sides, the user is immediately permitted to log in. | 116 | the same on both sides, or if the files |
112 | Second, if | 117 | .Pa $HOME/.rhosts |
113 | .Pa .rhosts | ||
114 | or | 118 | or |
115 | .Pa .shosts | 119 | .Pa $HOME/.shosts |
116 | exists in the user's home directory on the | 120 | exist in the user's home directory on the |
117 | remote machine and contains a line containing the name of the client | 121 | remote machine and contain a line containing the name of the client |
118 | machine and the name of the user on that machine, the user is | 122 | machine and the name of the user on that machine, the user is |
119 | permitted to log in. | 123 | considered for log in. |
120 | This form of authentication alone is normally not | 124 | Additionally, if the server can verify the client's |
121 | allowed by the server because it is not secure. | ||
122 | .Pp | ||
123 | The second authentication method is the | ||
124 | .Em rhosts | ||
125 | or | ||
126 | .Em hosts.equiv | ||
127 | method combined with RSA-based host authentication. | ||
128 | It means that if the login would be permitted by | ||
129 | .Pa $HOME/.rhosts , | ||
130 | .Pa $HOME/.shosts , | ||
131 | .Pa /etc/hosts.equiv , | ||
132 | or | ||
133 | .Pa /etc/shosts.equiv , | ||
134 | and if additionally the server can verify the client's | ||
135 | host key (see | 125 | host key (see |
136 | .Pa /etc/ssh/ssh_known_hosts | 126 | .Pa /etc/ssh/ssh_known_hosts |
137 | and | 127 | and |
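Review bot: the new sentence ending "the user is considered for log in." (new line 123) uses "log in" as a noun; the rest of this page writes the noun as "login" ("login shell", "permitting login"), so "considered for login" would be consistent. The restructuring itself reads correctly: dropping the stand-alone rhosts/hosts.equiv method and promoting the host-key-verified variant to "first" matches the removal of the sentence "This form of authentication alone is normally not allowed by the server because it is not secure", which no longer has a referent. One thing worth checking is that the merged sentence "or if the files $HOME/.rhosts or $HOME/.shosts exist ... the user is considered for log in. Additionally, if the server can verify the client's host key" still leads into the unchanged continuation without a dangling condition, since the old text carried that condition with "It means that if the login would be permitted by ... and if additionally".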
@@ -147,7 +137,7 @@ spoofing, DNS spoofing and routing spoofing. | |||
147 | and the rlogin/rsh protocol in general, are inherently insecure and should be | 137 | and the rlogin/rsh protocol in general, are inherently insecure and should be |
148 | disabled if security is desired.] | 138 | disabled if security is desired.] |
149 | .Pp | 139 | .Pp |
150 | As a third authentication method, | 140 | As a second authentication method, |
151 | .Nm | 141 | .Nm |
152 | supports RSA based authentication. | 142 | supports RSA based authentication. |
153 | The scheme is based on public-key cryptography: there are cryptosystems | 143 | The scheme is based on public-key cryptography: there are cryptosystems |
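Review bot: renumbering "third" to "second" (new line 140) is the right consequence of collapsing the first two methods into one; please grep the rest of the protocol version 1 subsection for any remaining ordinal ("fourth", "third") that this diff does not touch, since only this one occurrence is shown.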
@@ -195,9 +185,6 @@ file corresponds to the conventional | |||
195 | file, and has one key | 185 | file, and has one key |
196 | per line, though the lines can be very long). | 186 | per line, though the lines can be very long). |
197 | After this, the user can log in without giving the password. | 187 | After this, the user can log in without giving the password. |
198 | RSA authentication is much more secure than | ||
199 | .Em rhosts | ||
200 | authentication. | ||
201 | .Pp | 188 | .Pp |
202 | The most convenient way to use RSA authentication may be with an | 189 | The most convenient way to use RSA authentication may be with an |
203 | authentication agent. | 190 | authentication agent. |
@@ -1012,7 +999,9 @@ By default | |||
1012 | is not setuid root. | 999 | is not setuid root. |
1013 | .It Pa $HOME/.rhosts | 1000 | .It Pa $HOME/.rhosts |
1014 | This file is used in | 1001 | This file is used in |
1015 | .Em rhosts | 1002 | .Cm RhostsRSAAuthentication |
1003 | and | ||
1004 | .Cm HostbasedAuthentication | ||
1016 | authentication to list the | 1005 | authentication to list the |
1017 | host/user pairs that are permitted to log in. | 1006 | host/user pairs that are permitted to log in. |
1018 | (Note that this file is | 1007 | (Note that this file is |
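Review bot: switching the $HOME/.rhosts description from the generic ".Em rhosts" to the configuration keywords "RhostsRSAAuthentication" and "HostbasedAuthentication" (new lines 1002-1004) is an improvement because it names the exact sshd_config options that read the file; consider adding an ".Xr sshd_config 5" cross-reference near the first use so readers can find where those keywords are enabled or disabled.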
@@ -1031,12 +1020,10 @@ The recommended | |||
1031 | permission for most machines is read/write for the user, and not | 1020 | permission for most machines is read/write for the user, and not |
1032 | accessible by others. | 1021 | accessible by others. |
1033 | .Pp | 1022 | .Pp |
1034 | Note that by default | 1023 | Note that |
1035 | .Xr sshd 8 | 1024 | .Xr sshd 8 |
1036 | will be installed so that it requires successful RSA host | 1025 | allows authentication only in combination with client host key |
1037 | authentication before permitting | 1026 | authentication before permitting log in. |
1038 | .Em rhosts | ||
1039 | authentication. | ||
1040 | If the server machine does not have the client's host key in | 1027 | If the server machine does not have the client's host key in |
1041 | .Pa /etc/ssh/ssh_known_hosts , | 1028 | .Pa /etc/ssh/ssh_known_hosts , |
1042 | it can be stored in | 1029 | it can be stored in |
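Review bot: the replacement sentence "Note that sshd(8) allows authentication only in combination with client host key authentication before permitting log in." (new lines 1023-1026) lost its subject; as written it could be read as applying to every authentication method, whereas the old text restricted it to rhosts-style authentication. Suggest something like "Note that sshd(8) permits .rhosts-style authentication only in combination with client host key authentication." and, as above, "login" rather than "log in" for the noun.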
@@ -1049,15 +1036,19 @@ will automatically add the host key to | |||
1049 | This file is used exactly the same way as | 1036 | This file is used exactly the same way as |
1050 | .Pa .rhosts . | 1037 | .Pa .rhosts . |
1051 | The purpose for | 1038 | The purpose for |
1052 | having this file is to be able to use rhosts authentication with | 1039 | having this file is to be able to use |
1053 | .Nm | 1040 | .Cm RhostsRSAAuthentication |
1054 | without permitting login with | 1041 | and |
1042 | .Cm HostbasedAuthentication | ||
1043 | authentication without permitting login with | ||
1055 | .Xr rlogin | 1044 | .Xr rlogin |
1056 | or | 1045 | or |
1057 | .Xr rsh 1 . | 1046 | .Xr rsh 1 . |
1058 | .It Pa /etc/hosts.equiv | 1047 | .It Pa /etc/hosts.equiv |
1059 | This file is used during | 1048 | This file is used during |
1060 | .Em rhosts | 1049 | .Cm RhostsRSAAuthentication |
1050 | and | ||
1051 | .Cm HostbasedAuthentication | ||
1061 | authentication. | 1052 | authentication. |
1062 | It contains | 1053 | It contains |
1063 | canonical hosts names, one per line (the full format is described in the | 1054 | canonical hosts names, one per line (the full format is described in the |
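Review bot: "RhostsRSAAuthentication and HostbasedAuthentication authentication" (new lines 1040-1043 and again 1049-1052) doubles the word "authentication", since both keywords already end in it; "to be able to use RhostsRSAAuthentication and HostbasedAuthentication without permitting login with rlogin(1) or rsh(1)" and "This file is used during RhostsRSAAuthentication and HostbasedAuthentication." read more naturally. Unrelated pre-existing nit in the context line: "canonical hosts names" should be "canonical host names".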
@@ -1066,8 +1057,7 @@ manual page). | |||
1066 | If the client host is found in this file, login is | 1057 | If the client host is found in this file, login is |
1067 | automatically permitted provided client and server user names are the | 1058 | automatically permitted provided client and server user names are the |
1068 | same. | 1059 | same. |
1069 | Additionally, successful RSA host authentication is normally | 1060 | Additionally, successful client host key authentication is required. |
1070 | required. | ||
1071 | This file should only be writable by root. | 1061 | This file should only be writable by root. |
1072 | .It Pa /etc/shosts.equiv | 1062 | .It Pa /etc/shosts.equiv |
1073 | This file is processed exactly as | 1063 | This file is processed exactly as |
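Review bot: replacing "successful RSA host authentication is normally required" with "successful client host key authentication is required" (new line 1060) tightens the claim from "normally" to unconditional; that is consistent with the earlier hunk stating that sshd(8) only allows this in combination with host key authentication, but make sure the sshd(8) and sshd_config(5) pages are updated in the same commit so the three documents do not disagree about whether the host key check can be disabled.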