diff options
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 61 |
1 files changed, 33 insertions, 28 deletions
| @@ -115,7 +115,7 @@ DESCRIPTION | |||
| 115 | 115 | ||
| 116 | -g login_grace_time | 116 | -g login_grace_time |
| 117 | Gives the grace time for clients to authenticate themselves | 117 | Gives the grace time for clients to authenticate themselves |
| 118 | (default 600 seconds). If the client fails to authenticate the | 118 | (default 120 seconds). If the client fails to authenticate the |
| 119 | user within this many seconds, the server disconnects and exits. | 119 | user within this many seconds, the server disconnects and exits. |
| 120 | A value of zero indicates no limit. | 120 | A value of zero indicates no limit. |
| 121 | 121 | ||
| @@ -206,7 +206,9 @@ LOGIN PROCESS | |||
| 206 | 206 | ||
| 207 | 5. Sets up basic environment. | 207 | 5. Sets up basic environment. |
| 208 | 208 | ||
| 209 | 6. Reads $HOME/.ssh/environment if it exists. | 209 | 6. Reads $HOME/.ssh/environment if it exists and users are |
| 210 | allowed to change their environment. See the | ||
| 211 | PermitUserEnvironment option in sshd_config(5). | ||
| 210 | 212 | ||
| 211 | 7. Changes to user's home directory. | 213 | 7. Changes to user's home directory. |
| 212 | 214 | ||
| @@ -227,16 +229,16 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 227 | with a `#' are ignored as comments). Each RSA public key consists of the | 229 | with a `#' are ignored as comments). Each RSA public key consists of the |
| 228 | following fields, separated by spaces: options, bits, exponent, modulus, | 230 | following fields, separated by spaces: options, bits, exponent, modulus, |
| 229 | comment. Each protocol version 2 public key consists of: options, keyM-- | 231 | comment. Each protocol version 2 public key consists of: options, keyM-- |
| 230 | type, base64 encoded key, comment. The options fields are optional; its | 232 | type, base64 encoded key, comment. The options field is optional; its |
| 231 | presence is determined by whether the line starts with a number or not | 233 | presence is determined by whether the line starts with a number or not |
| 232 | (the option field never starts with a number). The bits, exponent, moduM-- | 234 | (the options field never starts with a number). The bits, exponent, modM-- |
| 233 | lus and comment fields give the RSA key for protocol version 1; the comM-- | 235 | ulus and comment fields give the RSA key for protocol version 1; the comM-- |
| 234 | ment field is not used for anything (but may be convenient for the user | 236 | ment field is not used for anything (but may be convenient for the user |
| 235 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' | 237 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' |
| 236 | or ``ssh-rsa''. | 238 | or ``ssh-rsa''. |
| 237 | 239 | ||
| 238 | Note that lines in this file are usually several hundred bytes long | 240 | Note that lines in this file are usually several hundred bytes long |
| 239 | (because of the size of the RSA key modulus). You don't want to type | 241 | (because of the size of the public key encoding). You don't want to type |
| 240 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 242 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub |
| 241 | file and edit it. | 243 | file and edit it. |
| 242 | 244 | ||
| @@ -249,18 +251,19 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 249 | case-insensitive): | 251 | case-insensitive): |
| 250 | 252 | ||
| 251 | from="pattern-list" | 253 | from="pattern-list" |
| 252 | Specifies that in addition to RSA authentication, the canonical | 254 | Specifies that in addition to public key authentication, the |
| 253 | name of the remote host must be present in the comma-separated | 255 | canonical name of the remote host must be present in the comma- |
| 254 | list of patterns (`*' and `'? serve as wildcards). The list may | 256 | separated list of patterns (`*' and `'? serve as wildcards). |
| 255 | also contain patterns negated by prefixing them with `'!; if the | 257 | The list may also contain patterns negated by prefixing them with |
| 256 | canonical host name matches a negated pattern, the key is not | 258 | `'!; if the canonical host name matches a negated pattern, the |
| 257 | accepted. The purpose of this option is to optionally increase | 259 | key is not accepted. The purpose of this option is to optionally |
| 258 | security: RSA authentication by itself does not trust the network | 260 | increase security: public key authentication by itself does not |
| 259 | or name servers or anything (but the key); however, if somebody | 261 | trust the network or name servers or anything (but the key); howM-- |
| 260 | somehow steals the key, the key permits an intruder to log in | 262 | ever, if somebody somehow steals the key, the key permits an |
| 261 | from anywhere in the world. This additional option makes using a | 263 | intruder to log in from anywhere in the world. This additional |
| 262 | stolen key more difficult (name servers and/or routers would have | 264 | option makes using a stolen key more difficult (name servers |
| 263 | to be compromised in addition to just the key). | 265 | and/or routers would have to be compromised in addition to just |
| 266 | the key). | ||
| 264 | 267 | ||
| 265 | command="command" | 268 | command="command" |
| 266 | Specifies that the command is executed whenever this key is used | 269 | Specifies that the command is executed whenever this key is used |
| @@ -269,9 +272,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 269 | pty; otherwise it is run without a tty. If a 8-bit clean channel | 272 | pty; otherwise it is run without a tty. If a 8-bit clean channel |
| 270 | is required, one must not request a pty or should specify no-pty. | 273 | is required, one must not request a pty or should specify no-pty. |
| 271 | A quote may be included in the command by quoting it with a backM-- | 274 | A quote may be included in the command by quoting it with a backM-- |
| 272 | slash. This option might be useful to restrict certain RSA keys | 275 | slash. This option might be useful to restrict certain public |
| 273 | to perform just a specific operation. An example might be a key | 276 | keys to perform just a specific operation. An example might be a |
| 274 | that permits remote backups but nothing else. Note that the | 277 | key that permits remote backups but nothing else. Note that the |
| 275 | client may specify TCP/IP and/or X11 forwarding unless they are | 278 | client may specify TCP/IP and/or X11 forwarding unless they are |
| 276 | explicitly prohibited. Note that this option applies to shell, | 279 | explicitly prohibited. Note that this option applies to shell, |
| 277 | command or subsystem execution. | 280 | command or subsystem execution. |
| @@ -280,8 +283,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 280 | Specifies that the string is to be added to the environment when | 283 | Specifies that the string is to be added to the environment when |
| 281 | logging in using this key. Environment variables set this way | 284 | logging in using this key. Environment variables set this way |
| 282 | override other default environment values. Multiple options of | 285 | override other default environment values. Multiple options of |
| 283 | this type are permitted. This option is automatically disabled | 286 | this type are permitted. Environment processing is disabled by |
| 284 | if UseLogin is enabled. | 287 | default and is controlled via the PermitUserEnvironment option. |
| 288 | This option is automatically disabled if UseLogin is enabled. | ||
| 285 | 289 | ||
| 286 | no-port-forwarding | 290 | no-port-forwarding |
| 287 | Forbids TCP/IP forwarding when this key is used for authenticaM-- | 291 | Forbids TCP/IP forwarding when this key is used for authenticaM-- |
| @@ -381,7 +385,7 @@ FILES | |||
| 381 | 385 | ||
| 382 | /etc/moduli | 386 | /etc/moduli |
| 383 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | 387 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group |
| 384 | Exchange". | 388 | Exchange". The file format is described in moduli(5). |
| 385 | 389 | ||
| 386 | /var/empty | 390 | /var/empty |
| 387 | chroot(2) directory used by sshd during privilege separation in | 391 | chroot(2) directory used by sshd during privilege separation in |
| @@ -478,7 +482,8 @@ FILES | |||
| 478 | It can only contain empty lines, comment lines (that start with | 482 | It can only contain empty lines, comment lines (that start with |
| 479 | `#'), and assignment lines of the form name=value. The file | 483 | `#'), and assignment lines of the form name=value. The file |
| 480 | should be writable only by the user; it need not be readable by | 484 | should be writable only by the user; it need not be readable by |
| 481 | anyone else. | 485 | anyone else. Environment processing is disabled by default and |
| 486 | is controlled via the PermitUserEnvironment option. | ||
| 482 | 487 | ||
| 483 | $HOME/.ssh/rc | 488 | $HOME/.ssh/rc |
| 484 | If this file exists, it is run with /bin/sh after reading the | 489 | If this file exists, it is run with /bin/sh after reading the |
| @@ -500,12 +505,12 @@ FILES | |||
| 500 | if read proto cookie && [ -n "$DISPLAY" ]; then | 505 | if read proto cookie && [ -n "$DISPLAY" ]; then |
| 501 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | 506 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
| 502 | # X11UseLocalhost=yes | 507 | # X11UseLocalhost=yes |
| 503 | xauth add unix:`echo $DISPLAY | | 508 | echo add unix:`echo $DISPLAY | |
| 504 | cut -c11-` $proto $cookie | 509 | cut -c11-` $proto $cookie |
| 505 | else | 510 | else |
| 506 | # X11UseLocalhost=no | 511 | # X11UseLocalhost=no |
| 507 | xauth add $DISPLAY $proto $cookie | 512 | echo add $DISPLAY $proto $cookie |
| 508 | fi | 513 | fi | xauth -q - |
| 509 | fi | 514 | fi |
| 510 | 515 | ||
| 511 | If this file does not exist, /etc/ssh/sshrc is run, and if that | 516 | If this file does not exist, /etc/ssh/sshrc is run, and if that |