summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.161
1 files changed, 51 insertions, 10 deletions
diff --git a/ssh.1 b/ssh.1
index 3fe142dc1..309782879 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.251 2006/01/20 00:14:55 dtucker Exp $ 37.\" $OpenBSD: ssh.1,v 1.252 2006/01/26 08:47:56 jmc Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
@@ -810,15 +810,6 @@ The
810option can be used to control logins to machines whose 810option can be used to control logins to machines whose
811host key is not known or has changed. 811host key is not known or has changed.
812.Pp 812.Pp
813.Nm
814can be configured to verify host identification using fingerprint resource
815records (SSHFP) published in DNS.
816The
817.Cm VerifyHostKeyDNS
818option can be used to control how DNS lookups are performed.
819SSHFP resource records can be generated using
820.Xr ssh-keygen 1 .
821.Pp
822When the user's identity has been accepted by the server, the server 813When the user's identity has been accepted by the server, the server
823either executes the given command, or logs into the machine and gives 814either executes the given command, or logs into the machine and gives
824the user a normal shell on the remote machine. 815the user a normal shell on the remote machine.
@@ -1006,6 +997,56 @@ and
1006options above) and 997options above) and
1007the user is using an authentication agent, the connection to the agent 998the user is using an authentication agent, the connection to the agent
1008is automatically forwarded to the remote side. 999is automatically forwarded to the remote side.
1000.Sh VERIFYING HOST KEYS
1001When connecting to a server for the first time,
1002a fingerprint of the server's public key is presented to the user
1003(unless the option
1004.Cm StrictHostKeyChecking
1005has been disabled).
1006Fingerprints can be determined using
1007.Xr ssh-keygen 1 :
1008.Pp
1009.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1010.Pp
1011If the fingerprint is already known,
1012it can be matched and verified,
1013and the key can be accepted.
1014If the fingerprint is unknown,
1015an alternative method of verification is available:
1016SSH fingerprints verified by DNS.
1017An additional resource record (RR),
1018SSHFP,
1019is added to a zonefile
1020and the connecting client is able to match the fingerprint
1021with that of the key presented.
1022.Pp
1023In this example, we are connecting a client to a server,
1024.Dq host.example.com .
1025The SSHFP resource records should first be added to the zonefile for
1026host.example.com:
1027.Bd -literal -offset indent
1028$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com.
1029$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com.
1030.Ed
1031.Pp
1032The output lines will have to be added to the zonefile.
1033To check that the zone is answering fingerprint queries:
1034.Pp
1035.Dl $ dig -t SSHFP host.example.com
1036.Pp
1037Finally the client connects:
1038.Bd -literal -offset indent
1039$ ssh -o "VerifyHostKeyDNS ask" host.example.com
1040[...]
1041Matching host key fingerprint found in DNS.
1042Are you sure you want to continue connecting (yes/no)?
1043.Ed
1044.Pp
1045See the
1046.Cm VerifyHostKeyDNS
1047option in
1048.Xr ssh_config 5
1049for more information.
1009.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS 1050.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
1010.Nm 1051.Nm
1011contains support for Virtual Private Network (VPN) tunnelling 1052contains support for Virtual Private Network (VPN) tunnelling