Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -114,6 +114,29 @@ authentication combined with RSA host | |||
114 | authentication, RSA challenge-response authentication, or password | 114 | authentication, RSA challenge-response authentication, or password |
115 | based authentication. | 115 | based authentication. |
116 | .Pp | 116 | .Pp |
117 | Regardless of the authentication type, the account is checked to | ||
118 | ensure that it is accessible. An account is not accessible if it is | ||
119 | locked, listed in | ||
120 | .Cm DenyUsers | ||
121 | or its group is listed in | ||
122 | .Cm DenyGroups | ||
123 | \&. The definition of a locked account is system dependant. Some platforms | ||
124 | have their own account database (eg AIX) and some modify the passwd field ( | ||
125 | .Ql \&*LK\&* | ||
126 | on Solaris, | ||
127 | .Ql \&* | ||
128 | on HP-UX, containing | ||
129 | .Ql Nologin | ||
130 | on Tru64 and a leading | ||
131 | .Ql \&!! | ||
132 | on Linux). If there is a requirement to disable password authentication | ||
133 | for the account while allowing still public-key, then the passwd field | ||
134 | should be set to something other than these values (eg | ||
135 | .Ql NP | ||
136 | or | ||
137 | .Ql \&*NP\&* | ||
138 | ). | ||
139 | .Pp | ||
117 | Rhosts authentication is normally disabled | 140 | Rhosts authentication is normally disabled |
118 | because it is fundamentally insecure, but can be enabled in the server | 141 | because it is fundamentally insecure, but can be enabled in the server |
119 | configuration file if desired. | 142 | configuration file if desired. |
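Review bot: The added line `\&. The definition of a locked account is system dependant. Some platforms` needs two fixes: "dependant" should be "dependent", and starting a text line with `\&.` after `.Cm DenyGroups` leaves a space before the period in the rendered page. Passing the punctuation as a macro argument (`.Cm DenyGroups .`) avoids that, and the same applies to the closing `).` line after `.Ql \&*NP\&*`. In "for the account while allowing still public-key", the word order should be "while still allowing public-key". Because the paragraph opens with "Regardless of the authentication type", it would also help to say outright that an account whose passwd field carries one of the listed lock strings is refused for public-key logins too, since that is the reason the `NP` advice follows and it is easy to miss as written.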