Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 44 |
1 files changed, 37 insertions, 7 deletions
@@ -146,11 +146,11 @@ DESCRIPTION | |||
146 | AUTHENTICATION | 146 | AUTHENTICATION |
147 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to | 147 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to |
148 | use protocol 2 only, though this can be changed via the Protocol option | 148 | use protocol 2 only, though this can be changed via the Protocol option |
149 | in sshd_config(5). Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; | 149 | in sshd_config(5). Protocol 1 should not be used and is only offered to |
150 | protocol 1 only supports RSA keys. For both protocols, each host has a | 150 | support legacy devices. |
151 | host-specific key, normally 2048 bits, used to identify the host. | ||
152 | 151 | ||
153 | Forward security for protocol 1 is provided through an additional server | 152 | Each host has a host-specific key, used to identify the host. Partial |
153 | forward security for protocol 1 is provided through an additional server | ||
154 | key, normally 1024 bits, generated when the server starts. This key is | 154 | key, normally 1024 bits, generated when the server starts. This key is |
155 | normally regenerated every hour if it has been used, and is never stored | 155 | normally regenerated every hour if it has been used, and is never stored |
156 | on disk. Whenever a client connects, the daemon responds with its public | 156 | on disk. Whenever a client connects, the daemon responds with its public |
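Review bot: the rewrite of lines 149-152 drops the only sentence that told the reader which key types a protocol 2 host key can use (DSA, ECDSA, Ed25519 and RSA) and replaces it with the bare "Each host has a host-specific key, used to identify the host", without pointing anywhere else. If the list is deliberately moved out of sshd(8), add a cross-reference to the HostKey option in sshd_config(5) so the information remains discoverable from this section; the qualifier "Partial forward security" on line 152 is a good correction and should stay.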
@@ -268,7 +268,7 @@ SSHRC | |||
268 | 268 | ||
269 | AUTHORIZED_KEYS FILE FORMAT | 269 | AUTHORIZED_KEYS FILE FORMAT |
270 | AuthorizedKeysFile specifies the files containing public keys for public | 270 | AuthorizedKeysFile specifies the files containing public keys for public |
271 | key authentication; if none is specified, the default is | 271 | key authentication; if this option is not specified, the default is |
272 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the | 272 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the |
273 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are | 273 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are |
274 | ignored as comments). Protocol 1 public keys consist of the following | 274 | ignored as comments). Protocol 1 public keys consist of the following |
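Review bot: line 273 on both sides renders the quotes around # as "M-bM-^@M-^X#M-bM-^@M-^Y", which is the cat -v form of the UTF-8 curly quotes U+2018/U+2019 that ended up in the generated sshd.0. This predates the hunk, but since the surrounding text is being regenerated anyway, producing the .0 file in an ASCII-only output mode would keep it 7-bit clean and readable in any terminal.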
@@ -298,6 +298,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
298 | The following option specifications are supported (note that option | 298 | The following option specifications are supported (note that option |
299 | keywords are case-insensitive): | 299 | keywords are case-insensitive): |
300 | 300 | ||
301 | agent-forwarding | ||
302 | Enable authentication agent forwarding previously disabled by the | ||
303 | restrict option. | ||
304 | |||
301 | cert-authority | 305 | cert-authority |
302 | Specifies that the listed key is a certification authority (CA) | 306 | Specifies that the listed key is a certification authority (CA) |
303 | that is trusted to validate signed certificates for user | 307 | that is trusted to validate signed certificates for user |
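Review bot: the new agent-forwarding entry (lines 301-303) describes the keyword only in terms of undoing restrict, but does not say that agent forwarding is permitted by default and that the keyword is therefore a no-op unless restrict appears on the same line. One sentence to that effect would stop readers from adding agent-forwarding to keys that were never restricted in the first place.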
@@ -378,6 +382,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
378 | must be literal domains or addresses. A port specification of * | 382 | must be literal domains or addresses. A port specification of * |
379 | matches any port. | 383 | matches any port. |
380 | 384 | ||
385 | port-forwarding | ||
386 | Enable port forwarding previously disabled by the restrict | ||
387 | |||
381 | principals="principals" | 388 | principals="principals" |
382 | On a cert-authority line, specifies allowed principals for | 389 | On a cert-authority line, specifies allowed principals for |
383 | certificate authentication as a comma-separated list. At least | 390 | certificate authentication as a comma-separated list. At least |
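Review bot: the port-forwarding entry is cut off mid-sentence: line 386 ends "Enable port forwarding previously disabled by the restrict" and line 387 is blank, so the word "option." is missing. Compare the agent-forwarding entry in the previous hunk ("previously disabled by the restrict option.") and finish the sentence the same way.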
@@ -386,11 +393,28 @@ AUTHORIZED_KEYS FILE FORMAT | |||
386 | ignored for keys that are not marked as trusted certificate | 393 | ignored for keys that are not marked as trusted certificate |
387 | signers using the cert-authority option. | 394 | signers using the cert-authority option. |
388 | 395 | ||
396 | pty Permits tty allocation previously disabled by the restrict | ||
397 | option. | ||
398 | |||
399 | restrict | ||
400 | Enable all restrictions, i.e. disable port, agent and X11 | ||
401 | forwarding, as well as disabling PTY allocation and execution of | ||
402 | ~/.ssh/rc. If any future restriction capabilities are added to | ||
403 | authorized_keys files they will be included in this set. | ||
404 | |||
389 | tunnel="n" | 405 | tunnel="n" |
390 | Force a tun(4) device on the server. Without this option, the | 406 | Force a tun(4) device on the server. Without this option, the |
391 | next available device will be used if the client requests a | 407 | next available device will be used if the client requests a |
392 | tunnel. | 408 | tunnel. |
393 | 409 | ||
410 | user-rc | ||
411 | Enables execution of ~/.ssh/rc previously disabled by the | ||
412 | restrict option. | ||
413 | |||
414 | X11-forwarding | ||
415 | Permits X11 forwarding previously disabled by the restrict | ||
416 | option. | ||
417 | |||
394 | An example authorized_keys file: | 418 | An example authorized_keys file: |
395 | 419 | ||
396 | # Comments allowed at start of line | 420 | # Comments allowed at start of line |
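Review bot: the restrict entry (lines 399-403) does not say whether option order matters, yet the re-enabling keywords pty, user-rc, X11-forwarding, agent-forwarding and port-forwarding are all described as undoing something "previously disabled", and the example added later in this patch writes "restrict,pty,command=...". If options are applied left to right, state explicitly that the re-enabling keyword must follow restrict on the line, otherwise "pty,restrict" will silently leave the PTY disabled. Minor: the five new entries alternate between "Enable", "Enables" and "Permits", and between "tty allocation" (pty) and "PTY allocation" (restrict); pick one verb form and one term.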
@@ -403,6 +427,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
403 | AAAAB5...21S== | 427 | AAAAB5...21S== |
404 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | 428 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== |
405 | jane@example.net | 429 | jane@example.net |
430 | restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | ||
431 | user@example.net | ||
432 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | ||
433 | user@example.net | ||
406 | 434 | ||
407 | SSH_KNOWN_HOSTS FILE FORMAT | 435 | SSH_KNOWN_HOSTS FILE FORMAT |
408 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host | 436 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host |
@@ -552,7 +580,9 @@ FILES | |||
552 | 580 | ||
553 | /etc/moduli | 581 | /etc/moduli |
554 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | 582 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group |
555 | Exchange". The file format is described in moduli(5). | 583 | Exchange" key exchange method. The file format is described in |
584 | moduli(5). If no usable groups are found in this file then fixed | ||
585 | internal groups will be used. | ||
556 | 586 | ||
557 | /etc/motd | 587 | /etc/motd |
558 | See motd(5). | 588 | See motd(5). |
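Review bot: the new sentence on lines 584-585, "If no usable groups are found in this file then fixed internal groups will be used", tells the administrator that a fallback exists but not what it is. Name the fallback groups or at least their sizes so the reader can judge whether silently falling back is acceptable for their deployment, and consider noting whether sshd logs when it takes this path, since a missing or unreadable /etc/moduli would otherwise go unnoticed.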
@@ -632,4 +662,4 @@ AUTHORS | |||
632 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 662 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
633 | for privilege separation. | 663 | for privilege separation. |
634 | 664 | ||
635 | OpenBSD 5.8 July 3, 2015 OpenBSD 5.8 | 665 | OpenBSD 5.9 February 17, 2016 OpenBSD 5.9 |