Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 55 |
1 files changed, 44 insertions, 11 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $ | 36 | .\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $ |
37 | .Dd $Mdocdate: July 3 2015 $ | 37 | .Dd $Mdocdate: February 17 2016 $ |
38 | .Dt SSHD 8 | 38 | .Dt SSHD 8 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -275,14 +275,12 @@ though this can be changed via the | |||
275 | .Cm Protocol | 275 | .Cm Protocol |
276 | option in | 276 | option in |
277 | .Xr sshd_config 5 . | 277 | .Xr sshd_config 5 . |
278 | Protocol 2 supports DSA, ECDSA, Ed25519 and RSA keys; | 278 | Protocol 1 should not be used |
279 | protocol 1 only supports RSA keys. | 279 | and is only offered to support legacy devices. |
280 | For both protocols, | ||
281 | each host has a host-specific key, | ||
282 | normally 2048 bits, | ||
283 | used to identify the host. | ||
284 | .Pp | 280 | .Pp |
285 | Forward security for protocol 1 is provided through | 281 | Each host has a host-specific key, |
282 | used to identify the host. | ||
283 | Partial forward security for protocol 1 is provided through | ||
286 | an additional server key, | 284 | an additional server key, |
287 | normally 1024 bits, | 285 | normally 1024 bits, |
288 | generated when the server starts. | 286 | generated when the server starts. |
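Review bot: the rewrite at new lines 281-285 drops the host key size ("normally 2048 bits") while keeping "normally 1024 bits" for the protocol 1 server key, and it introduces "Partial forward security" without saying what makes it partial. Since new lines 278-279 now tell readers that protocol 1 should not be used at all, consider stating that the server-key paragraph applies only when protocol 1 is enabled, and either restoring the host key size or giving the reason for the qualifier "partial", so the two key descriptions read consistently.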
@@ -470,7 +468,7 @@ does not exist either, xauth is used to add the cookie. | |||
470 | .Cm AuthorizedKeysFile | 468 | .Cm AuthorizedKeysFile |
471 | specifies the files containing public keys for | 469 | specifies the files containing public keys for |
472 | public key authentication; | 470 | public key authentication; |
473 | if none is specified, the default is | 471 | if this option is not specified, the default is |
474 | .Pa ~/.ssh/authorized_keys | 472 | .Pa ~/.ssh/authorized_keys |
475 | and | 473 | and |
476 | .Pa ~/.ssh/authorized_keys2 . | 474 | .Pa ~/.ssh/authorized_keys2 . |
@@ -522,6 +520,10 @@ No spaces are permitted, except within double quotes. | |||
522 | The following option specifications are supported (note | 520 | The following option specifications are supported (note |
523 | that option keywords are case-insensitive): | 521 | that option keywords are case-insensitive): |
524 | .Bl -tag -width Ds | 522 | .Bl -tag -width Ds |
523 | .It Cm agent-forwarding | ||
524 | Enable authentication agent forwarding previously disabled by the | ||
525 | .Cm restrict | ||
526 | option. | ||
525 | .It Cm cert-authority | 527 | .It Cm cert-authority |
526 | Specifies that the listed key is a certification authority (CA) that is | 528 | Specifies that the listed key is a certification authority (CA) that is |
527 | trusted to validate signed certificates for user authentication. | 529 | trusted to validate signed certificates for user authentication. |
@@ -616,6 +618,9 @@ they must be literal domains or addresses. | |||
616 | A port specification of | 618 | A port specification of |
617 | .Cm * | 619 | .Cm * |
618 | matches any port. | 620 | matches any port. |
621 | .It Cm port-forwarding | ||
622 | Enable port forwarding previously disabled by the | ||
623 | .Cm restrict | ||
619 | .It Cm principals="principals" | 624 | .It Cm principals="principals" |
620 | On a | 625 | On a |
621 | .Cm cert-authority | 626 | .Cm cert-authority |
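Review bot: the new port-forwarding entry at new lines 621-623 ends on `.Cm restrict` with no trailing `option.` line, so the rendered sentence stops at "previously disabled by the restrict" and runs straight into the principals entry. The agent-forwarding entry added in the earlier hunk (new lines 523-526) closes with `option.`; add the same line here.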
@@ -627,12 +632,33 @@ This option is ignored for keys that are not marked as trusted certificate | |||
627 | signers using the | 632 | signers using the |
628 | .Cm cert-authority | 633 | .Cm cert-authority |
629 | option. | 634 | option. |
635 | .It Cm pty | ||
636 | Permits tty allocation previously disabled by the | ||
637 | .Cm restrict | ||
638 | option. | ||
639 | .It Cm restrict | ||
640 | Enable all restrictions, i.e. disable port, agent and X11 forwarding, | ||
641 | as well as disabling PTY allocation | ||
642 | and execution of | ||
643 | .Pa ~/.ssh/rc . | ||
644 | If any future restriction capabilities are added to authorized_keys files | ||
645 | they will be included in this set. | ||
630 | .It Cm tunnel="n" | 646 | .It Cm tunnel="n" |
631 | Force a | 647 | Force a |
632 | .Xr tun 4 | 648 | .Xr tun 4 |
633 | device on the server. | 649 | device on the server. |
634 | Without this option, the next available device will be used if | 650 | Without this option, the next available device will be used if |
635 | the client requests a tunnel. | 651 | the client requests a tunnel. |
652 | .It Cm user-rc | ||
653 | Enables execution of | ||
654 | .Pa ~/.ssh/rc | ||
655 | previously disabled by the | ||
656 | .Cm restrict | ||
657 | option. | ||
658 | .It Cm X11-forwarding | ||
659 | Permits X11 forwarding previously disabled by the | ||
660 | .Cm restrict | ||
661 | option. | ||
636 | .El | 662 | .El |
637 | .Pp | 663 | .Pp |
638 | An example authorized_keys file: | 664 | An example authorized_keys file: |
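Review bot: the restrict description at new lines 640-641 mixes verb forms ("disable port, agent and X11 forwarding, as well as disabling PTY allocation"); "as well as PTY allocation and execution of ~/.ssh/rc" reads cleanly. More substantively, every re-enabling option (pty, user-rc, X11-forwarding here, agent-forwarding and port-forwarding above) is described as undoing something "previously disabled by the restrict option", and the example at new line 678 always lists restrict first; state explicitly whether the order of options on the line matters, i.e. whether `pty,restrict` also yields a usable tty. The sentence at new lines 644-645 about future restrictions joining the set is worth keeping, since it tells administrators that a key marked restrict may lose capabilities after an upgrade.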
@@ -647,6 +673,10 @@ permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss | |||
647 | AAAAB5...21S== | 673 | AAAAB5...21S== |
648 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | 674 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== |
649 | jane@example.net | 675 | jane@example.net |
676 | restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== | ||
677 | user@example.net | ||
678 | restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== | ||
679 | user@example.net | ||
650 | .Ed | 680 | .Ed |
651 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 681 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
652 | The | 682 | The |
@@ -856,9 +886,12 @@ This file is for host-based authentication (see | |||
856 | It should only be writable by root. | 886 | It should only be writable by root. |
857 | .Pp | 887 | .Pp |
858 | .It Pa /etc/moduli | 888 | .It Pa /etc/moduli |
859 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 889 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" |
890 | key exchange method. | ||
860 | The file format is described in | 891 | The file format is described in |
861 | .Xr moduli 5 . | 892 | .Xr moduli 5 . |
893 | If no usable groups are found in this file then fixed internal groups will | ||
894 | be used. | ||
862 | .Pp | 895 | .Pp |
863 | .It Pa /etc/motd | 896 | .It Pa /etc/motd |
864 | See | 897 | See |
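Review bot: the new fallback sentence at new lines 893-894 leaves open whether sshd logs when it falls back to the fixed internal groups and what sizes those groups have; an administrator who has pruned /etc/moduli to remove small groups would want to know that an empty or malformed file does not silently reintroduce them. Consider naming the fallback group sizes or pointing to where they are documented, and stating whether the fallback is logged.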