Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 65 |
1 files changed, 50 insertions, 15 deletions
@@ -9,7 +9,7 @@ | |||
9 | .\" | 9 | .\" |
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | 10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo |
11 | .\" | 11 | .\" |
12 | .\" $Id: sshd.8,v 1.25 2000/07/11 07:31:39 djm Exp $ | 12 | .\" $Id: sshd.8,v 1.26 2000/08/18 03:59:06 djm Exp $ |
13 | .\" | 13 | .\" |
14 | .Dd September 25, 1999 | 14 | .Dd September 25, 1999 |
15 | .Dt SSHD 8 | 15 | .Dt SSHD 8 |
@@ -26,6 +26,7 @@ | |||
26 | .Op Fl h Ar host_key_file | 26 | .Op Fl h Ar host_key_file |
27 | .Op Fl k Ar key_gen_time | 27 | .Op Fl k Ar key_gen_time |
28 | .Op Fl p Ar port | 28 | .Op Fl p Ar port |
29 | .Op Fl u Ar len | ||
29 | .Op Fl V Ar client_protocol_id | 30 | .Op Fl V Ar client_protocol_id |
30 | .Sh DESCRIPTION | 31 | .Sh DESCRIPTION |
31 | .Nm | 32 | .Nm |
@@ -104,7 +105,7 @@ into the machine). | |||
104 | .Pp | 105 | .Pp |
105 | .Ss SSH protocol version 2 | 106 | .Ss SSH protocol version 2 |
106 | .Pp | 107 | .Pp |
107 | Version 2 works similar: | 108 | Version 2 works similarly: |
108 | Each host has a host-specific DSA key used to identify the host. | 109 | Each host has a host-specific DSA key used to identify the host. |
109 | However, when the daemon starts, it does not generate a server key. | 110 | However, when the daemon starts, it does not generate a server key. |
110 | Forward security is provided through a Diffie-Hellman key agreement. | 111 | Forward security is provided through a Diffie-Hellman key agreement. |
@@ -211,6 +212,22 @@ Quiet mode. | |||
211 | Nothing is sent to the system log. | 212 | Nothing is sent to the system log. |
212 | Normally the beginning, | 213 | Normally the beginning, |
213 | authentication, and termination of each connection is logged. | 214 | authentication, and termination of each connection is logged. |
215 | .It Fl u Ar len | ||
216 | This option is used to specify the size of the field | ||
217 | in the | ||
218 | .Li utmp | ||
219 | structure that holds the remote host name. | ||
220 | If the resolved host name is longer than | ||
221 | .Ar len , | ||
222 | the dotted decimal value will be used instead. | ||
223 | This allows hosts with very long host names that | ||
224 | overflow this field to still be uniquely identified. | ||
225 | Specifying | ||
226 | .Fl u0 | ||
227 | indicates that only dotted decimal addresses | ||
228 | should be put into the | ||
229 | .Pa utmp | ||
230 | file. | ||
214 | .It Fl Q | 231 | .It Fl Q |
215 | Do not print an error message if RSA support is missing. | 232 | Do not print an error message if RSA support is missing. |
216 | .It Fl V Ar client_protocol_id | 233 | .It Fl V Ar client_protocol_id |
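Review bot: the new -u entry never states the default for len (the width of the utmp host field the daemon is built with), so an administrator cannot tell when the option matters; add the default next to the -u0 case. "dotted decimal value" also only describes IPv4; since the fallback is whatever numeric address the peer connected from, "numeric IP address" is more accurate and covers IPv6 as well. Minor: the entry is inserted between -q and -Q in the options list while the synopsis hunk places -u between -p and -V; the two orderings should agree.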
@@ -257,7 +274,7 @@ and | |||
257 | .Ql ? | 274 | .Ql ? |
258 | can be used as | 275 | can be used as |
259 | wildcards in the patterns. | 276 | wildcards in the patterns. |
260 | Only group names are valid, a numerical group ID isn't recognized. | 277 | Only group names are valid; a numerical group ID isn't recognized. |
261 | By default login is allowed regardless of the primary group. | 278 | By default login is allowed regardless of the primary group. |
262 | .Pp | 279 | .Pp |
263 | .It Cm AllowUsers | 280 | .It Cm AllowUsers |
@@ -270,7 +287,7 @@ and | |||
270 | .Ql ? | 287 | .Ql ? |
271 | can be used as | 288 | can be used as |
272 | wildcards in the patterns. | 289 | wildcards in the patterns. |
273 | Only user names are valid, a numerical user ID isn't recognized. | 290 | Only user names are valid; a numerical user ID isn't recognized. |
274 | By default login is allowed regardless of the user name. | 291 | By default login is allowed regardless of the user name. |
275 | .Pp | 292 | .Pp |
276 | .It Cm Ciphers | 293 | .It Cm Ciphers |
@@ -294,7 +311,7 @@ and | |||
294 | .Ql ? | 311 | .Ql ? |
295 | can be used as | 312 | can be used as |
296 | wildcards in the patterns. | 313 | wildcards in the patterns. |
297 | Only group names are valid, a numerical group ID isn't recognized. | 314 | Only group names are valid; a numerical group ID isn't recognized. |
298 | By default login is allowed regardless of the primary group. | 315 | By default login is allowed regardless of the primary group. |
299 | .Pp | 316 | .Pp |
300 | .It Cm DenyUsers | 317 | .It Cm DenyUsers |
@@ -305,7 +322,7 @@ Login is disallowed for user names that match one of the patterns. | |||
305 | and | 322 | and |
306 | .Ql ? | 323 | .Ql ? |
307 | can be used as wildcards in the patterns. | 324 | can be used as wildcards in the patterns. |
308 | Only user names are valid, a numerical user ID isn't recognized. | 325 | Only user names are valid; a numerical user ID isn't recognized. |
309 | By default login is allowed regardless of the user name. | 326 | By default login is allowed regardless of the user name. |
310 | .It Cm DSAAuthentication | 327 | .It Cm DSAAuthentication |
311 | Specifies whether DSA authentication is allowed. | 328 | Specifies whether DSA authentication is allowed. |
@@ -321,7 +338,7 @@ or | |||
321 | .Dq no . | 338 | .Dq no . |
322 | The default is | 339 | The default is |
323 | .Dq no . | 340 | .Dq no . |
324 | .It Cm HostDsaKey | 341 | .It Cm HostDSAKey |
325 | Specifies the file containing the private DSA host key (default | 342 | Specifies the file containing the private DSA host key (default |
326 | .Pa /etc/ssh_host_dsa_key ) | 343 | .Pa /etc/ssh_host_dsa_key ) |
327 | used by SSH protocol 2.0. | 344 | used by SSH protocol 2.0. |
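Review bot: renaming the keyword from HostDsaKey to HostDSAKey in the manual is only correct if it matches what servconf.c accepts; confirm the keyword table there uses the same spelling. If keyword matching is case-insensitive the rename is cosmetic, but if it is not, existing sshd_config files written against the old spelling would stop parsing. The DSAAuthentication entry above already uses the upper-case form, so the new spelling is the consistent one.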
@@ -383,7 +400,8 @@ Specifies whether Kerberos authentication is allowed. | |||
383 | This can be in the form of a Kerberos ticket, or if | 400 | This can be in the form of a Kerberos ticket, or if |
384 | .Cm PasswordAuthentication | 401 | .Cm PasswordAuthentication |
385 | is yes, the password provided by the user will be validated through | 402 | is yes, the password provided by the user will be validated through |
386 | the Kerberos KDC. | 403 | the Kerberos KDC. To use this option, the server needs a |
404 | Kerberos servtab which allows the verification of the KDC's identity. | ||
387 | Default is | 405 | Default is |
388 | .Dq yes . | 406 | .Dq yes . |
389 | .It Cm KerberosOrLocalPasswd | 407 | .It Cm KerberosOrLocalPasswd |
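Review bot: "servtab" is not a Kerberos term; the service-key file is the srvtab (Kerberos IV) or keytab (Kerberos V), so the added sentence should say "srvtab" and ideally name the path sshd reads. It is also worth stating why it is required: a password that is validated only by obtaining a ticket from the KDC can be satisfied by anyone able to impersonate the KDC, and checking the resulting ticket against the server's own service key is what defends against that. Style: the new text is appended to the existing "the Kerberos KDC." line instead of starting on its own line, which breaks the one-sentence-per-line convention the rest of this mdoc file follows.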
@@ -443,11 +461,28 @@ Additional connections will be dropped until authentication succeeds or the | |||
443 | .Cm LoginGraceTime | 461 | .Cm LoginGraceTime |
444 | expires for a connection. | 462 | expires for a connection. |
445 | The default is 10. | 463 | The default is 10. |
464 | .Pp | ||
465 | Alternatively, random early drop can be enabled by specifying | ||
466 | the three colon separated values | ||
467 | .Dq start:rate:full | ||
468 | (e.g. "10:30:60"). | ||
469 | .Nm | ||
470 | will refuse connection attempts with a probabillity of | ||
471 | .Dq rate/100 | ||
472 | (30%) | ||
473 | if there are currently | ||
474 | .Dq start | ||
475 | (10) | ||
476 | unauthenticated connections. | ||
477 | The probabillity increases linearly and all connection attempts | ||
478 | are refused if the number of unauthenticated connections reaches | ||
479 | .Dq full | ||
480 | (60). | ||
446 | .It Cm PasswordAuthentication | 481 | .It Cm PasswordAuthentication |
447 | Specifies whether password authentication is allowed. | 482 | Specifies whether password authentication is allowed. |
448 | The default is | 483 | The default is |
449 | .Dq yes . | 484 | .Dq yes . |
450 | Note that this option applies to both protocol version 1 and 2. | 485 | Note that this option applies to both protocol versions 1 and 2. |
451 | .It Cm PermitEmptyPasswords | 486 | .It Cm PermitEmptyPasswords |
452 | When password authentication is allowed, it specifies whether the | 487 | When password authentication is allowed, it specifies whether the |
453 | server allows login to accounts with empty password strings. | 488 | server allows login to accounts with empty password strings. |
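Review bot: "probabillity" is misspelled twice in the new paragraph ("probability"), and "colon separated" should be hyphenated. The paragraph also leaves the relation between the two forms of MaxStartups implicit: say how the existing single-number form (default 10, at which additional connections are dropped outright) maps onto start:rate:full, so readers know which field the default corresponds to. "if there are currently start unauthenticated connections" reads as exactly start; "start or more" is what the linear ramp that follows implies. A worked value would make the ramp concrete, e.g. with 10:30:60 and 35 pending unauthenticated connections the refusal probability is 65%, halfway between 30% at 10 and 100% at 60.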
@@ -568,7 +603,7 @@ Specifies whether | |||
568 | is used for interactive login sessions. | 603 | is used for interactive login sessions. |
569 | Note that | 604 | Note that |
570 | .Xr login 1 | 605 | .Xr login 1 |
571 | is not never for remote command execution. | 606 | is never used for remote command execution. |
572 | The default is | 607 | The default is |
573 | .Dq no . | 608 | .Dq no . |
574 | .It Cm X11DisplayOffset | 609 | .It Cm X11DisplayOffset |
@@ -666,7 +701,7 @@ You don't want to type them in; instead, copy the | |||
666 | .Pa identity.pub | 701 | .Pa identity.pub |
667 | file and edit it. | 702 | file and edit it. |
668 | .Pp | 703 | .Pp |
669 | The options (if present) consists of comma-separated option | 704 | The options (if present) consist of comma-separated option |
670 | specifications. | 705 | specifications. |
671 | No spaces are permitted, except within double quotes. | 706 | No spaces are permitted, except within double quotes. |
672 | The following option specifications are supported: | 707 | The following option specifications are supported: |
@@ -740,7 +775,7 @@ and | |||
740 | files contain host public keys for all known hosts. | 775 | files contain host public keys for all known hosts. |
741 | The global file should | 776 | The global file should |
742 | be prepared by the administrator (optional), and the per-user file is | 777 | be prepared by the administrator (optional), and the per-user file is |
743 | maintained automatically: whenever the user connects an unknown host | 778 | maintained automatically: whenever the user connects from an unknown host |
744 | its key is added to the per-user file. | 779 | its key is added to the per-user file. |
745 | .Pp | 780 | .Pp |
746 | Each line in these files contains the following fields: hostnames, | 781 | Each line in these files contains the following fields: hostnames, |
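Review bot: this change inverts the meaning. The per-user known_hosts file is maintained by the client, and a host key is added when the user connects to an unknown host, not "from" one (sshd does not write a user's known_hosts when an unknown host connects to it). The original sentence only lacked a preposition; it should read "whenever the user connects to an unknown host its key is added to the per-user file."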
@@ -815,7 +850,7 @@ Contains the process ID of the | |||
815 | listening for connections (if there are several daemons running | 850 | listening for connections (if there are several daemons running |
816 | concurrently for different ports, this contains the pid of the one | 851 | concurrently for different ports, this contains the pid of the one |
817 | started last). | 852 | started last). |
818 | The contents of this file are not sensitive; it can be world-readable. | 853 | The content of this file is not sensitive; it can be world-readable. |
819 | .It Pa $HOME/.ssh/authorized_keys | 854 | .It Pa $HOME/.ssh/authorized_keys |
820 | Lists the RSA keys that can be used to log into the user's account. | 855 | Lists the RSA keys that can be used to log into the user's account. |
821 | This file must be readable by root (which may on some machines imply | 856 | This file must be readable by root (which may on some machines imply |
@@ -843,7 +878,7 @@ These files are consulted when using rhosts with RSA host | |||
843 | authentication to check the public key of the host. | 878 | authentication to check the public key of the host. |
844 | The key must be listed in one of these files to be accepted. | 879 | The key must be listed in one of these files to be accepted. |
845 | The client uses the same files | 880 | The client uses the same files |
846 | to verify that the remote host is the one we intended to connect. | 881 | to verify that the remote host is the one it intended to connect. |
847 | These files should be writable only by root/the owner. | 882 | These files should be writable only by root/the owner. |
848 | .Pa /etc/ssh_known_hosts | 883 | .Pa /etc/ssh_known_hosts |
849 | should be world-readable, and | 884 | should be world-readable, and |
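Review bot: the sentence is still missing its final preposition after the pronoun change; "the one it intended to connect" should be "the one it intended to connect to". Replacing "we" with "it" (the client) is otherwise the right fix.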
@@ -882,7 +917,7 @@ this file is exactly the same as for | |||
882 | .Pa .rhosts . | 917 | .Pa .rhosts . |
883 | However, this file is | 918 | However, this file is |
884 | not used by rlogin and rshd, so using this permits access using SSH only. | 919 | not used by rlogin and rshd, so using this permits access using SSH only. |
885 | .Pa /etc/hosts.equiv | 920 | .It Pa /etc/hosts.equiv |
886 | This file is used during | 921 | This file is used during |
887 | .Pa .rhosts | 922 | .Pa .rhosts |
888 | authentication. | 923 | authentication. |