diff options
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 49 |
1 files changed, 30 insertions, 19 deletions
| @@ -42,6 +42,17 @@ DESCRIPTION | |||
| 42 | authentication combined with RSA host authentication, RSA challenge- | 42 | authentication combined with RSA host authentication, RSA challenge- |
| 43 | response authentication, or password based authentication. | 43 | response authentication, or password based authentication. |
| 44 | 44 | ||
| 45 | Regardless of the authentication type, the account is checked to ensure | ||
| 46 | that it is accessible. An account is not accessible if it is locked, | ||
| 47 | listed in DenyUsers or its group is listed in DenyGroups . The defini- | ||
| 48 | tion of a locked account is system dependant. Some platforms have their | ||
| 49 | own account database (eg AIX) and some modify the passwd field ( M-bM-^@M-^X*LK*M-bM-^@M-^Y | ||
| 50 | on Solaris, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on Tru64 and a leading | ||
| 51 | M-bM-^@M-^X!!M-bM-^@M-^Y on Linux). If there is a requirement to disable password authenti- | ||
| 52 | cation for the account while allowing still public-key, then the passwd | ||
| 53 | field should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or | ||
| 54 | M-bM-^@M-^X*NP*M-bM-^@M-^Y ). | ||
| 55 | |||
| 45 | Rhosts authentication is normally disabled because it is fundamentally | 56 | Rhosts authentication is normally disabled because it is fundamentally |
| 46 | insecure, but can be enabled in the server configuration file if desired. | 57 | insecure, but can be enabled in the server configuration file if desired. |
| 47 | System security is not improved unless rshd, rlogind, and rexecd are dis- | 58 | System security is not improved unless rshd, rlogind, and rexecd are dis- |
| @@ -169,10 +180,10 @@ DESCRIPTION | |||
| 169 | the utmp file. -u0 may also be used to prevent sshd from making | 180 | the utmp file. -u0 may also be used to prevent sshd from making |
| 170 | DNS requests unless the authentication mechanism or configuration | 181 | DNS requests unless the authentication mechanism or configuration |
| 171 | requires it. Authentication mechanisms that may require DNS | 182 | requires it. Authentication mechanisms that may require DNS |
| 172 | include RhostsAuthentication, RhostsRSAAuthentication, | 183 | include RhostsRSAAuthentication, HostbasedAuthentication and |
| 173 | HostbasedAuthentication and using a from="pattern-list" option in | 184 | using a from="pattern-list" option in a key file. Configuration |
| 174 | a key file. Configuration options that require DNS include using | 185 | options that require DNS include using a USER@HOST pattern in |
| 175 | a USER@HOST pattern in AllowUsers or DenyUsers. | 186 | AllowUsers or DenyUsers. |
| 176 | 187 | ||
| 177 | -D When this option is specified sshd will not detach and does not | 188 | -D When this option is specified sshd will not detach and does not |
| 178 | become a daemon. This allows easy monitoring of sshd. | 189 | become a daemon. This allows easy monitoring of sshd. |
| @@ -250,9 +261,9 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 250 | from="pattern-list" | 261 | from="pattern-list" |
| 251 | Specifies that in addition to public key authentication, the | 262 | Specifies that in addition to public key authentication, the |
| 252 | canonical name of the remote host must be present in the comma- | 263 | canonical name of the remote host must be present in the comma- |
| 253 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? serve as wildcards). | 264 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y serve as wildcards). The |
| 254 | The list may also contain patterns negated by prefixing them with | 265 | list may also contain patterns negated by prefixing them with |
| 255 | M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the | 266 | M-bM-^@M-^X!M-bM-^@M-^Y; if the canonical host name matches a negated pattern, the |
| 256 | key is not accepted. The purpose of this option is to optionally | 267 | key is not accepted. The purpose of this option is to optionally |
| 257 | increase security: public key authentication by itself does not | 268 | increase security: public key authentication by itself does not |
| 258 | trust the network or name servers or anything (but the key); how- | 269 | trust the network or name servers or anything (but the key); how- |
| @@ -304,7 +315,7 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 304 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con- | 315 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con- |
| 305 | nect to the specified host and port. IPv6 addresses can be spec- | 316 | nect to the specified host and port. IPv6 addresses can be spec- |
| 306 | ified with an alternative syntax: host/port. Multiple permitopen | 317 | ified with an alternative syntax: host/port. Multiple permitopen |
| 307 | options may be applied separated by commas. No pattern matching | 318 | options may be applied separated by commas. No pattern matching |
| 308 | is performed on the specified hostnames, they must be literal | 319 | is performed on the specified hostnames, they must be literal |
| 309 | domains or addresses. | 320 | domains or addresses. |
| 310 | 321 | ||
| @@ -328,11 +339,11 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
| 328 | Each line in these files contains the following fields: hostnames, bits, | 339 | Each line in these files contains the following fields: hostnames, bits, |
| 329 | exponent, modulus, comment. The fields are separated by spaces. | 340 | exponent, modulus, comment. The fields are separated by spaces. |
| 330 | 341 | ||
| 331 | Hostnames is a comma-separated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wild- | 342 | Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as wild- |
| 332 | cards); each pattern in turn is matched against the canonical host name | 343 | cards); each pattern in turn is matched against the canonical host name |
| 333 | (when authenticating a client) or against the user-supplied name (when | 344 | (when authenticating a client) or against the user-supplied name (when |
| 334 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y! to | 345 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indi- |
| 335 | indicate negation: if the host name matches a negated pattern, it is not | 346 | cate negation: if the host name matches a negated pattern, it is not |
| 336 | accepted (by that line) even if it matched another pattern on the line. | 347 | accepted (by that line) even if it matched another pattern on the line. |
| 337 | 348 | ||
| 338 | Bits, exponent, and modulus are taken directly from the RSA host key; | 349 | Bits, exponent, and modulus are taken directly from the RSA host key; |
| @@ -520,14 +531,6 @@ FILES | |||
| 520 | login-time initializations globally. This file should be | 531 | login-time initializations globally. This file should be |
| 521 | writable only by root, and should be world-readable. | 532 | writable only by root, and should be world-readable. |
| 522 | 533 | ||
| 523 | AUTHORS | ||
| 524 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
| 525 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
| 526 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
| 527 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
| 528 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
| 529 | for privilege separation. | ||
| 530 | |||
| 531 | SEE ALSO | 534 | SEE ALSO |
| 532 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 535 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
| 533 | login.conf(5), moduli(5), sshd_config(5), sftp-server(8) | 536 | login.conf(5), moduli(5), sshd_config(5), sftp-server(8) |
| @@ -540,4 +543,12 @@ SEE ALSO | |||
| 540 | for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- | 543 | for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- |
| 541 | exchange-02.txt, January 2002, work in progress material. | 544 | exchange-02.txt, January 2002, work in progress material. |
| 542 | 545 | ||
| 546 | AUTHORS | ||
| 547 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
| 548 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
| 549 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
| 550 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
| 551 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
| 552 | for privilege separation. | ||
| 553 | |||
| 543 | BSD September 25, 1999 BSD | 554 | BSD September 25, 1999 BSD |