Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 61 |
1 files changed, 51 insertions, 10 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.251 2006/01/20 00:14:55 dtucker Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.252 2006/01/26 08:47:56 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -810,15 +810,6 @@ The | |||
810 | option can be used to control logins to machines whose | 810 | option can be used to control logins to machines whose |
811 | host key is not known or has changed. | 811 | host key is not known or has changed. |
812 | .Pp | 812 | .Pp |
813 | .Nm | ||
814 | can be configured to verify host identification using fingerprint resource | ||
815 | records (SSHFP) published in DNS. | ||
816 | The | ||
817 | .Cm VerifyHostKeyDNS | ||
818 | option can be used to control how DNS lookups are performed. | ||
819 | SSHFP resource records can be generated using | ||
820 | .Xr ssh-keygen 1 . | ||
821 | .Pp | ||
822 | When the user's identity has been accepted by the server, the server | 813 | When the user's identity has been accepted by the server, the server |
823 | either executes the given command, or logs into the machine and gives | 814 | either executes the given command, or logs into the machine and gives |
824 | the user a normal shell on the remote machine. | 815 | the user a normal shell on the remote machine. |
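Review bot: dropping the SSHFP paragraph at lines 813-820 leaves the StrictHostKeyChecking discussion (lines 810-811, "host key is not known or has changed") with no pointer to where DNS-based verification is now described; a reader who lands here looking for VerifyHostKeyDNS will not find it. Suggest replacing the removed paragraph with a one-line cross-reference such as `See also .Sx VERIFYING HOST KEYS` rather than removing it outright, so the "unknown or changed host key" text still leads to the alternative verification path.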
@@ -1006,6 +997,56 @@ and | |||
1006 | options above) and | 997 | options above) and |
1007 | the user is using an authentication agent, the connection to the agent | 998 | the user is using an authentication agent, the connection to the agent |
1008 | is automatically forwarded to the remote side. | 999 | is automatically forwarded to the remote side. |
1000 | .Sh VERIFYING HOST KEYS | ||
1001 | When connecting to a server for the first time, | ||
1002 | a fingerprint of the server's public key is presented to the user | ||
1003 | (unless the option | ||
1004 | .Cm StrictHostKeyChecking | ||
1005 | has been disabled). | ||
1006 | Fingerprints can be determined using | ||
1007 | .Xr ssh-keygen 1 : | ||
1008 | .Pp | ||
1009 | .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | ||
1010 | .Pp | ||
1011 | If the fingerprint is already known, | ||
1012 | it can be matched and verified, | ||
1013 | and the key can be accepted. | ||
1014 | If the fingerprint is unknown, | ||
1015 | an alternative method of verification is available: | ||
1016 | SSH fingerprints verified by DNS. | ||
1017 | An additional resource record (RR), | ||
1018 | SSHFP, | ||
1019 | is added to a zonefile | ||
1020 | and the connecting client is able to match the fingerprint | ||
1021 | with that of the key presented. | ||
1022 | .Pp | ||
1023 | In this example, we are connecting a client to a server, | ||
1024 | .Dq host.example.com . | ||
1025 | The SSHFP resource records should first be added to the zonefile for | ||
1026 | host.example.com: | ||
1027 | .Bd -literal -offset indent | ||
1028 | $ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. | ||
1029 | $ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com. | ||
1030 | .Ed | ||
1031 | .Pp | ||
1032 | The output lines will have to be added to the zonefile. | ||
1033 | To check that the zone is answering fingerprint queries: | ||
1034 | .Pp | ||
1035 | .Dl $ dig -t SSHFP host.example.com | ||
1036 | .Pp | ||
1037 | Finally the client connects: | ||
1038 | .Bd -literal -offset indent | ||
1039 | $ ssh -o "VerifyHostKeyDNS ask" host.example.com | ||
1040 | [...] | ||
1041 | Matching host key fingerprint found in DNS. | ||
1042 | Are you sure you want to continue connecting (yes/no)? | ||
1043 | .Ed | ||
1044 | .Pp | ||
1045 | See the | ||
1046 | .Cm VerifyHostKeyDNS | ||
1047 | option in | ||
1048 | .Xr ssh_config 5 | ||
1049 | for more information. | ||
1009 | .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS | 1050 | .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS |
1010 | .Nm | 1051 | .Nm |
1011 | contains support for Virtual Private Network (VPN) tunnelling | 1052 | contains support for Virtual Private Network (VPN) tunnelling |
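Review bot: the new section does not say how much trust a DNS match actually conveys: lines 1020-1021 state that the client "is able to match the fingerprint with that of the key presented", yet the example output at lines 1041-1042 still ends with "Are you sure you want to continue connecting (yes/no)?", so a reader cannot tell whether a match is authoritative or merely advisory. Suggest one sentence after line 1021 noting that an SSHFP answer is only as trustworthy as the resolver path that returned it, with the closing pointer at lines 1045-1049 stating explicitly that ssh_config(5) describes what a match does and does not establish. Secondary: line 1009 shows fingerprinting only `/etc/ssh/ssh_host_rsa_key`, while lines 1028-1029 generate SSHFP records for both the RSA and DSA host keys; either add the DSA key to line 1009 or say that the same command applies to each host key, so the two examples agree on which keys the administrator is expected to publish.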