Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 61 |
1 files changed, 33 insertions, 28 deletions
@@ -115,7 +115,7 @@ DESCRIPTION | |||
115 | 115 | ||
116 | -g login_grace_time | 116 | -g login_grace_time |
117 | Gives the grace time for clients to authenticate themselves | 117 | Gives the grace time for clients to authenticate themselves |
118 | (default 600 seconds). If the client fails to authenticate the | 118 | (default 120 seconds). If the client fails to authenticate the |
119 | user within this many seconds, the server disconnects and exits. | 119 | user within this many seconds, the server disconnects and exits. |
120 | A value of zero indicates no limit. | 120 | A value of zero indicates no limit. |
121 | 121 | ||
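Review bot: the new 120-second default on line 118 has to match what sshd_config(5) documents for LoginGraceTime and what the compiled-in default in the server actually is; a man page default that drifts from the code is worse than none, so please confirm the other two places were updated in the same change. The retained sentence "A value of zero indicates no limit" on line 120 deserves a caveat while this paragraph is being touched: with no limit, a client that never completes authentication holds its connection indefinitely, which is exactly what the grace period is there to bound.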
@@ -206,7 +206,9 @@ LOGIN PROCESS | |||
206 | 206 | ||
207 | 5. Sets up basic environment. | 207 | 5. Sets up basic environment. |
208 | 208 | ||
209 | 6. Reads $HOME/.ssh/environment if it exists. | 209 | 6. Reads $HOME/.ssh/environment if it exists and users are |
210 | allowed to change their environment. See the | ||
211 | PermitUserEnvironment option in sshd_config(5). | ||
210 | 212 | ||
211 | 7. Changes to user's home directory. | 213 | 7. Changes to user's home directory. |
212 | 214 | ||
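Review bot: the new step 6 text on lines 209-211 defers to sshd_config(5) for PermitUserEnvironment but does not say which way the default goes, while the FILES and environment= changes in this same patch say "disabled by default"; state the default here as well so a reader of LOGIN PROCESS is not left assuming the file is honoured. Suggested wording: "Reads $HOME/.ssh/environment if it exists and PermitUserEnvironment is enabled in sshd_config(5) (it is disabled by default)."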
@@ -227,16 +229,16 @@ AUTHORIZED_KEYS FILE FORMAT | |||
227 | with a `#' are ignored as comments). Each RSA public key consists of the | 229 | with a `#' are ignored as comments). Each RSA public key consists of the |
228 | following fields, separated by spaces: options, bits, exponent, modulus, | 230 | following fields, separated by spaces: options, bits, exponent, modulus, |
229 | comment. Each protocol version 2 public key consists of: options, keyM-- | 231 | comment. Each protocol version 2 public key consists of: options, keyM-- |
230 | type, base64 encoded key, comment. The options fields are optional; its | 232 | type, base64 encoded key, comment. The options field is optional; its |
231 | presence is determined by whether the line starts with a number or not | 233 | presence is determined by whether the line starts with a number or not |
232 | (the option field never starts with a number). The bits, exponent, moduM-- | 234 | (the options field never starts with a number). The bits, exponent, modM-- |
233 | lus and comment fields give the RSA key for protocol version 1; the comM-- | 235 | ulus and comment fields give the RSA key for protocol version 1; the comM-- |
234 | ment field is not used for anything (but may be convenient for the user | 236 | ment field is not used for anything (but may be convenient for the user |
235 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' | 237 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' |
236 | or ``ssh-rsa''. | 238 | or ``ssh-rsa''. |
237 | 239 | ||
238 | Note that lines in this file are usually several hundred bytes long | 240 | Note that lines in this file are usually several hundred bytes long |
239 | (because of the size of the RSA key modulus). You don't want to type | 241 | (because of the size of the public key encoding). You don't want to type |
240 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 242 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub |
241 | file and edit it. | 243 | file and edit it. |
242 | 244 | ||
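Review bot: the rule on lines 232-234, that the options field is present when the line does not start with a number, only describes protocol 1 lines; a protocol 2 line begins with the keytype (``ssh-dss'' or ``ssh-rsa'' per lines 237-238), never with a number, so read literally every protocol 2 line would appear to carry options. Since the paragraph is being re-wrapped anyway, make the rule cover both formats, e.g. "its presence is determined by whether the line starts with a number (protocol 1) or a key type (protocol 2)". The change from "RSA key modulus" to "public key encoding" on line 241 is right.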
@@ -249,18 +251,19 @@ AUTHORIZED_KEYS FILE FORMAT | |||
249 | case-insensitive): | 251 | case-insensitive): |
250 | 252 | ||
251 | from="pattern-list" | 253 | from="pattern-list" |
252 | Specifies that in addition to RSA authentication, the canonical | 254 | Specifies that in addition to public key authentication, the |
253 | name of the remote host must be present in the comma-separated | 255 | canonical name of the remote host must be present in the comma- |
254 | list of patterns (`*' and `'? serve as wildcards). The list may | 256 | separated list of patterns (`*' and `'? serve as wildcards). |
255 | also contain patterns negated by prefixing them with `'!; if the | 257 | The list may also contain patterns negated by prefixing them with |
256 | canonical host name matches a negated pattern, the key is not | 258 | `'!; if the canonical host name matches a negated pattern, the |
257 | accepted. The purpose of this option is to optionally increase | 259 | key is not accepted. The purpose of this option is to optionally |
258 | security: RSA authentication by itself does not trust the network | 260 | increase security: public key authentication by itself does not |
259 | or name servers or anything (but the key); however, if somebody | 261 | trust the network or name servers or anything (but the key); howM-- |
260 | somehow steals the key, the key permits an intruder to log in | 262 | ever, if somebody somehow steals the key, the key permits an |
261 | from anywhere in the world. This additional option makes using a | 263 | intruder to log in from anywhere in the world. This additional |
262 | stolen key more difficult (name servers and/or routers would have | 264 | option makes using a stolen key more difficult (name servers |
263 | to be compromised in addition to just the key). | 265 | and/or routers would have to be compromised in addition to just |
266 | the key). | ||
264 | 267 | ||
265 | command="command" | 268 | command="command" |
266 | Specifies that the command is executed whenever this key is used | 269 | Specifies that the command is executed whenever this key is used |
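Review bot: the re-wrap of lines 253-266 carries over an inverted quoting typo from the left column: `'? on line 256 and `'! on line 258 should be `?' and `!' (compare `*' on the same line 256). Fix it while these lines are being rewritten rather than leaving it for another pass. Also, the security argument hinges on the phrase "canonical name of the remote host" on line 255; it is worth saying explicitly that this name is obtained through the name servers that lines 261 and 264 go on to mention, so the reader sees precisely what trust the option adds on top of the key.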
@@ -269,9 +272,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
269 | pty; otherwise it is run without a tty. If a 8-bit clean channel | 272 | pty; otherwise it is run without a tty. If a 8-bit clean channel |
270 | is required, one must not request a pty or should specify no-pty. | 273 | is required, one must not request a pty or should specify no-pty. |
271 | A quote may be included in the command by quoting it with a backM-- | 274 | A quote may be included in the command by quoting it with a backM-- |
272 | slash. This option might be useful to restrict certain RSA keys | 275 | slash. This option might be useful to restrict certain public |
273 | to perform just a specific operation. An example might be a key | 276 | keys to perform just a specific operation. An example might be a |
274 | that permits remote backups but nothing else. Note that the | 277 | key that permits remote backups but nothing else. Note that the |
275 | client may specify TCP/IP and/or X11 forwarding unless they are | 278 | client may specify TCP/IP and/or X11 forwarding unless they are |
276 | explicitly prohibited. Note that this option applies to shell, | 279 | explicitly prohibited. Note that this option applies to shell, |
277 | command or subsystem execution. | 280 | command or subsystem execution. |
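Review bot: the generalisation from "RSA keys" to "public keys" on lines 275-276 is correct, but two pre-existing defects survive the re-wrap. "If a 8-bit clean channel" on line 272 should read "an 8-bit". More importantly, the warning on lines 278-279 that the client may still request TCP/IP and X11 forwarding "unless they are explicitly prohibited" should name the options that prohibit them (no-port-forwarding, documented just below this hunk, and its X11 counterpart), because a command= restriction that leaves forwarding enabled is a common misconfiguration and the reader needs the fix in the same sentence as the warning.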
@@ -280,8 +283,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
280 | Specifies that the string is to be added to the environment when | 283 | Specifies that the string is to be added to the environment when |
281 | logging in using this key. Environment variables set this way | 284 | logging in using this key. Environment variables set this way |
282 | override other default environment values. Multiple options of | 285 | override other default environment values. Multiple options of |
283 | this type are permitted. This option is automatically disabled | 286 | this type are permitted. Environment processing is disabled by |
284 | if UseLogin is enabled. | 287 | default and is controlled via the PermitUserEnvironment option. |
288 | This option is automatically disabled if UseLogin is enabled. | ||
285 | 289 | ||
286 | no-port-forwarding | 290 | no-port-forwarding |
287 | Forbids TCP/IP forwarding when this key is used for authenticaM-- | 291 | Forbids TCP/IP forwarding when this key is used for authenticaM-- |
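Review bot: lines 286-288 now state two independent gates for environment= processing, PermitUserEnvironment (off by default) and UseLogin, but the two sentences read as if they were alternatives; make it explicit that the option is honoured only when PermitUserEnvironment is enabled and UseLogin is not. Given that line 285 says these values "override other default environment values", a half-sentence on why processing is off by default would help the reader understand the restriction rather than work around it.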
@@ -381,7 +385,7 @@ FILES | |||
381 | 385 | ||
382 | /etc/moduli | 386 | /etc/moduli |
383 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | 387 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group |
384 | Exchange". | 388 | Exchange". The file format is described in moduli(5). |
385 | 389 | ||
386 | /var/empty | 390 | /var/empty |
387 | chroot(2) directory used by sshd during privilege separation in | 391 | chroot(2) directory used by sshd during privilege separation in |
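Review bot: the new cross-reference to moduli(5) on line 388 should be paired with an entry in SEE ALSO, and if this preformatted page is regenerated from the roff source, the same reference needs to be in that source, otherwise it is lost on the next regeneration.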
@@ -478,7 +482,8 @@ FILES | |||
478 | It can only contain empty lines, comment lines (that start with | 482 | It can only contain empty lines, comment lines (that start with |
479 | `#'), and assignment lines of the form name=value. The file | 483 | `#'), and assignment lines of the form name=value. The file |
480 | should be writable only by the user; it need not be readable by | 484 | should be writable only by the user; it need not be readable by |
481 | anyone else. | 485 | anyone else. Environment processing is disabled by default and |
486 | is controlled via the PermitUserEnvironment option. | ||
482 | 487 | ||
483 | $HOME/.ssh/rc | 488 | $HOME/.ssh/rc |
484 | If this file exists, it is run with /bin/sh after reading the | 489 | If this file exists, it is run with /bin/sh after reading the |
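Review bot: the sentence added on lines 485-486 is the third copy of the same statement in this patch (LOGIN PROCESS step 6 and the environment= option carry it too). Repetition is acceptable in a man page, but the three should use identical wording so they do not drift; this one and the environment= text match, the step 6 text does not. Since the file is honoured only when PermitUserEnvironment is on, the permission advice on lines 484-485 could also say that the default configuration ignores the file entirely.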
@@ -500,12 +505,12 @@ FILES | |||
500 | if read proto cookie && [ -n "$DISPLAY" ]; then | 505 | if read proto cookie && [ -n "$DISPLAY" ]; then |
501 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | 506 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
502 | # X11UseLocalhost=yes | 507 | # X11UseLocalhost=yes |
503 | xauth add unix:`echo $DISPLAY | | 508 | echo add unix:`echo $DISPLAY | |
504 | cut -c11-` $proto $cookie | 509 | cut -c11-` $proto $cookie |
505 | else | 510 | else |
506 | # X11UseLocalhost=no | 511 | # X11UseLocalhost=no |
507 | xauth add $DISPLAY $proto $cookie | 512 | echo add $DISPLAY $proto $cookie |
508 | fi | 513 | fi | xauth -q - |
509 | fi | 514 | fi |
510 | 515 | ||
511 | If this file does not exist, /etc/ssh/sshrc is run, and if that | 516 | If this file does not exist, /etc/ssh/sshrc is run, and if that |
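Review bot: the new pipe into `xauth -q -` on line 513 keeps the cookie out of xauth's argument list, but the `-q` also tells xauth to run quietly, so problems the old two-call form would have reported to the user may now pass unnoticed; consider whether an example users copy into their own sshrc should be quiet. While here, the test on line 506 uses an unquoted `$DISPLAY` inside the command substitution; `"$DISPLAY"` is the safer form in copy-and-paste example code, and `read -r proto cookie` on line 505 avoids backslash processing of the cookie text.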