diff options
Diffstat (limited to 'sshd.0')
| -rw-r--r-- | sshd.0 | 73 |
1 files changed, 47 insertions, 26 deletions
| @@ -38,9 +38,9 @@ DESCRIPTION | |||
| 38 | tion algorithm to use from those offered by the server. | 38 | tion algorithm to use from those offered by the server. |
| 39 | 39 | ||
| 40 | Next, the server and the client enter an authentication dialog. The | 40 | Next, the server and the client enter an authentication dialog. The |
| 41 | client tries to authenticate itself using .rhosts authentication, .rhosts | 41 | client tries to authenticate itself using .rhosts authentication combined |
| 42 | authentication combined with RSA host authentication, RSA challenge-re- | 42 | with RSA host authentication, RSA challenge-response authentication, or |
| 43 | sponse authentication, or password based authentication. | 43 | password based authentication. |
| 44 | 44 | ||
| 45 | Regardless of the authentication type, the account is checked to ensure | 45 | Regardless of the authentication type, the account is checked to ensure |
| 46 | that it is accessible. An account is not accessible if it is locked, | 46 | that it is accessible. An account is not accessible if it is locked, |
| @@ -53,10 +53,8 @@ DESCRIPTION | |||
| 53 | field should be set to something other than these values (eg `NP' or | 53 | field should be set to something other than these values (eg `NP' or |
| 54 | `*NP*' ). | 54 | `*NP*' ). |
| 55 | 55 | ||
| 56 | rhosts authentication is normally disabled because it is fundamentally | 56 | rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin |
| 57 | insecure, but can be enabled in the server configuration file if desired. | 57 | and rsh into the machine). |
| 58 | System security is not improved unless rshd, rlogind, and rexecd are dis- | ||
| 59 | abled (thus completely disabling rlogin and rsh into the machine). | ||
| 60 | 58 | ||
| 61 | SSH protocol version 2 | 59 | SSH protocol version 2 |
| 62 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | 60 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) |
| @@ -246,9 +244,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
| 246 | or ``ssh-rsa''. | 244 | or ``ssh-rsa''. |
| 247 | 245 | ||
| 248 | Note that lines in this file are usually several hundred bytes long (be- | 246 | Note that lines in this file are usually several hundred bytes long (be- |
| 249 | cause of the size of the public key encoding). You don't want to type | 247 | cause of the size of the public key encoding) up to a limit of 8 kilo- |
| 250 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 248 | bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 |
| 251 | file and edit it. | 249 | kilobits. You don't want to type them in; instead, copy the |
| 250 | identity.pub, id_dsa.pub or the id_rsa.pub file and edit it. | ||
| 252 | 251 | ||
| 253 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | 252 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol |
| 254 | 2 keys of 768 bits. | 253 | 2 keys of 768 bits. |
| @@ -346,6 +345,12 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
| 346 | cate negation: if the host name matches a negated pattern, it is not ac- | 345 | cate negation: if the host name matches a negated pattern, it is not ac- |
| 347 | cepted (by that line) even if it matched another pattern on the line. | 346 | cepted (by that line) even if it matched another pattern on the line. |
| 348 | 347 | ||
| 348 | Alternately, hostnames may be stored in a hashed form which hides host | ||
| 349 | names and addresses should the file's contents be disclosed. Hashed | ||
| 350 | hostnames start with a `|' character. Only one hashed hostname may ap- | ||
| 351 | pear on a single line and none of the above negation or wildcard opera- | ||
| 352 | tors may be applied. | ||
| 353 | |||
| 349 | Bits, exponent, and modulus are taken directly from the RSA host key; | 354 | Bits, exponent, and modulus are taken directly from the RSA host key; |
| 350 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional | 355 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional |
| 351 | comment field continues to the end of the line, and is not used. | 356 | comment field continues to the end of the line, and is not used. |
| @@ -370,6 +375,10 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
| 370 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 375 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
| 371 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 376 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
| 372 | 377 | ||
| 378 | # A hashed hostname | ||
| 379 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
| 380 | AAAA1234.....= | ||
| 381 | |||
| 373 | FILES | 382 | FILES |
| 374 | /etc/ssh/sshd_config | 383 | /etc/ssh/sshd_config |
| 375 | Contains configuration data for sshd. The file format and con- | 384 | Contains configuration data for sshd. The file format and con- |
| @@ -428,6 +437,15 @@ FILES | |||
| 428 | /etc/ssh/ssh_known_hosts should be world-readable, and | 437 | /etc/ssh/ssh_known_hosts should be world-readable, and |
| 429 | $HOME/.ssh/known_hosts can, but need not be, world-readable. | 438 | $HOME/.ssh/known_hosts can, but need not be, world-readable. |
| 430 | 439 | ||
| 440 | /etc/motd | ||
| 441 | See motd(5). | ||
| 442 | |||
| 443 | $HOME/.hushlogin | ||
| 444 | This file is used to suppress printing the last login time and | ||
| 445 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | ||
| 446 | abled. It does not suppress printing of the banner specified by | ||
| 447 | Banner. | ||
| 448 | |||
| 431 | /etc/nologin | 449 | /etc/nologin |
| 432 | If this file exists, sshd refuses to let anyone except root log | 450 | If this file exists, sshd refuses to let anyone except root log |
| 433 | in. The contents of the file are displayed to anyone trying to | 451 | in. The contents of the file are displayed to anyone trying to |
| @@ -439,11 +457,13 @@ FILES | |||
| 439 | fined here. Further details are described in hosts_access(5). | 457 | fined here. Further details are described in hosts_access(5). |
| 440 | 458 | ||
| 441 | $HOME/.rhosts | 459 | $HOME/.rhosts |
| 442 | This file contains host-username pairs, separated by a space, one | 460 | This file is used during RhostsRSAAuthentication and |
| 443 | per line. The given user on the corresponding host is permitted | 461 | HostbasedAuthentication and contains host-username pairs, sepa- |
| 444 | to log in without a password. The same file is used by rlogind | 462 | rated by a space, one per line. The given user on the corre- |
| 445 | and rshd. The file must be writable only by the user; it is rec- | 463 | sponding host is permitted to log in without a password. The |
| 446 | ommended that it not be accessible by others. | 464 | same file is used by rlogind and rshd. The file must be writable |
| 465 | only by the user; it is recommended that it not be accessible by | ||
| 466 | others. | ||
| 447 | 467 | ||
| 448 | It is also possible to use netgroups in the file. Either host or | 468 | It is also possible to use netgroups in the file. Either host or |
| 449 | user name may be of the form +@groupname to specify all hosts or | 469 | user name may be of the form +@groupname to specify all hosts or |
| @@ -455,20 +475,21 @@ FILES | |||
| 455 | access using SSH only. | 475 | access using SSH only. |
| 456 | 476 | ||
| 457 | /etc/hosts.equiv | 477 | /etc/hosts.equiv |
| 458 | This file is used during rhosts authentication. In the simplest | 478 | This file is used during RhostsRSAAuthentication and |
| 459 | form, this file contains host names, one per line. Users on | 479 | HostbasedAuthentication authentication. In the simplest form, |
| 460 | those hosts are permitted to log in without a password, provided | 480 | this file contains host names, one per line. Users on those |
| 461 | they have the same user name on both machines. The host name may | 481 | hosts are permitted to log in without a password, provided they |
| 462 | also be followed by a user name; such users are permitted to log | 482 | have the same user name on both machines. The host name may also |
| 463 | in as any user on this machine (except root). Additionally, the | 483 | be followed by a user name; such users are permitted to log in as |
| 464 | syntax ``+@group'' can be used to specify netgroups. Negated en- | 484 | any user on this machine (except root). Additionally, the syntax |
| 465 | tries start with `-'. | 485 | ``+@group'' can be used to specify netgroups. Negated entries |
| 486 | start with `-'. | ||
| 466 | 487 | ||
| 467 | If the client host/user is successfully matched in this file, lo- | 488 | If the client host/user is successfully matched in this file, lo- |
| 468 | gin is automatically permitted provided the client and server us- | 489 | gin is automatically permitted provided the client and server us- |
| 469 | er names are the same. Additionally, successful RSA host authen- | 490 | er names are the same. Additionally, successful client host key |
| 470 | tication is normally required. This file must be writable only | 491 | authentication is required. This file must be writable only by |
| 471 | by root; it is recommended that it be world-readable. | 492 | root; it is recommended that it be world-readable. |
| 472 | 493 | ||
| 473 | Warning: It is almost never a good idea to use user names in | 494 | Warning: It is almost never a good idea to use user names in |
| 474 | hosts.equiv. Beware that it really means that the named user(s) | 495 | hosts.equiv. Beware that it really means that the named user(s) |