summaryrefslogtreecommitdiff
path: root/sshd.0
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.0')
-rw-r--r--sshd.032
1 files changed, 18 insertions, 14 deletions
diff --git a/sshd.0 b/sshd.0
index a5d40c4d8..bb01b7164 100644
--- a/sshd.0
+++ b/sshd.0
@@ -78,10 +78,10 @@ DESCRIPTION
78 be given if sshd is not run as root (as the normal host key files 78 be given if sshd is not run as root (as the normal host key files
79 are normally not readable by anyone but root). The default is 79 are normally not readable by anyone but root). The default is
80 /etc/ssh/ssh_host_key for protocol version 1, and 80 /etc/ssh/ssh_host_key for protocol version 1, and
81 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for 81 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and
82 protocol version 2. It is possible to have multiple host key 82 /etc/ssh/ssh_host_rsa_key for protocol version 2. It is possible
83 files for the different protocol versions and host key 83 to have multiple host key files for the different protocol
84 algorithms. 84 versions and host key algorithms.
85 85
86 -i Specifies that sshd is being run from inetd(8). sshd is normally 86 -i Specifies that sshd is being run from inetd(8). sshd is normally
87 not run from inetd because it needs to generate the server key 87 not run from inetd because it needs to generate the server key
@@ -143,8 +143,8 @@ DESCRIPTION
143AUTHENTICATION 143AUTHENTICATION
144 The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to 144 The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to
145 use protocol 2 only, though this can be changed via the Protocol option 145 use protocol 2 only, though this can be changed via the Protocol option
146 in sshd_config(5). Protocol 2 supports both RSA and DSA keys; protocol 1 146 in sshd_config(5). Protocol 2 supports DSA, ECDSA and RSA keys; protocol
147 only supports RSA keys. For both protocols, each host has a host- 147 1 only supports RSA keys. For both protocols, each host has a host-
148 specific key, normally 2048 bits, used to identify the host. 148 specific key, normally 2048 bits, used to identify the host.
149 149
150 Forward security for protocol 1 is provided through an additional server 150 Forward security for protocol 1 is provided through an additional server
@@ -273,13 +273,15 @@ AUTHORIZED_KEYS FILE FORMAT
273 exponent, modulus, and comment fields give the RSA key for protocol 273 exponent, modulus, and comment fields give the RSA key for protocol
274 version 1; the comment field is not used for anything (but may be 274 version 1; the comment field is not used for anything (but may be
275 convenient for the user to identify the key). For protocol version 2 the 275 convenient for the user to identify the key). For protocol version 2 the
276 keytype is ``ssh-dss'' or ``ssh-rsa''. 276 keytype is ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
277 ``ecdsa-sha2-nistp521'', ``ssh-dss'' or ``ssh-rsa''.
277 278
278 Note that lines in this file are usually several hundred bytes long 279 Note that lines in this file are usually several hundred bytes long
279 (because of the size of the public key encoding) up to a limit of 8 280 (because of the size of the public key encoding) up to a limit of 8
280 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 281 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
281 kilobits. You don't want to type them in; instead, copy the 282 kilobits. You don't want to type them in; instead, copy the
282 identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. 283 identity.pub, id_dsa.pub, id_ecdsa.pub, or the id_rsa.pub file and edit
284 it.
283 285
284 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 286 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
285 2 keys of 768 bits. 287 2 keys of 768 bits.
@@ -504,11 +506,11 @@ FILES
504 for the user, and not accessible by others. 506 for the user, and not accessible by others.
505 507
506 ~/.ssh/authorized_keys 508 ~/.ssh/authorized_keys
507 Lists the public keys (RSA/DSA) that can be used for logging in 509 Lists the public keys (DSA/ECDSA/RSA) that can be used for
508 as this user. The format of this file is described above. The 510 logging in as this user. The format of this file is described
509 content of the file is not highly sensitive, but the recommended 511 above. The content of the file is not highly sensitive, but the
510 permissions are read/write for the user, and not accessible by 512 recommended permissions are read/write for the user, and not
511 others. 513 accessible by others.
512 514
513 If this file, the ~/.ssh directory, or the user's home directory 515 If this file, the ~/.ssh directory, or the user's home directory
514 are writable by other users, then the file could be modified or 516 are writable by other users, then the file could be modified or
@@ -565,6 +567,7 @@ FILES
565 567
566 /etc/ssh/ssh_host_key 568 /etc/ssh/ssh_host_key
567 /etc/ssh/ssh_host_dsa_key 569 /etc/ssh/ssh_host_dsa_key
570 /etc/ssh/ssh_host_ecdsa_key
568 /etc/ssh/ssh_host_rsa_key 571 /etc/ssh/ssh_host_rsa_key
569 These three files contain the private parts of the host keys. 572 These three files contain the private parts of the host keys.
570 These files should only be owned by root, readable only by root, 573 These files should only be owned by root, readable only by root,
@@ -573,6 +576,7 @@ FILES
573 576
574 /etc/ssh/ssh_host_key.pub 577 /etc/ssh/ssh_host_key.pub
575 /etc/ssh/ssh_host_dsa_key.pub 578 /etc/ssh/ssh_host_dsa_key.pub
579 /etc/ssh/ssh_host_ecdsa_key.pub
576 /etc/ssh/ssh_host_rsa_key.pub 580 /etc/ssh/ssh_host_rsa_key.pub
577 These three files contain the public parts of the host keys. 581 These three files contain the public parts of the host keys.
578 These files should be world-readable but writable only by root. 582 These files should be world-readable but writable only by root.
@@ -627,4 +631,4 @@ CAVEATS
627 System security is not improved unless rshd, rlogind, and rexecd are 631 System security is not improved unless rshd, rlogind, and rexecd are
628 disabled (thus completely disabling rlogin and rsh into the machine). 632 disabled (thus completely disabling rlogin and rsh into the machine).
629 633
630OpenBSD 4.8 August 4, 2010 OpenBSD 4.8 634OpenBSD 4.8 October 28, 2010 OpenBSD 4.8