diff options
Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 77 |
1 files changed, 67 insertions, 10 deletions
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.255 2010/03/05 06:50:35 jmc Exp $ |
38 | .Dd $Mdocdate: March 26 2009 $ | 38 | .Dd $Mdocdate: March 5 2010 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -47,6 +47,7 @@ | |||
47 | .Op Fl 46DdeiqTt | 47 | .Op Fl 46DdeiqTt |
48 | .Op Fl b Ar bits | 48 | .Op Fl b Ar bits |
49 | .Op Fl C Ar connection_spec | 49 | .Op Fl C Ar connection_spec |
50 | .Op Fl c Ar host_certificate_file | ||
50 | .Op Fl f Ar config_file | 51 | .Op Fl f Ar config_file |
51 | .Op Fl g Ar login_grace_time | 52 | .Op Fl g Ar login_grace_time |
52 | .Op Fl h Ar host_key_file | 53 | .Op Fl h Ar host_key_file |
@@ -119,6 +120,15 @@ and | |||
119 | All are required and may be supplied in any order, either with multiple | 120 | All are required and may be supplied in any order, either with multiple |
120 | .Fl C | 121 | .Fl C |
121 | options or as a comma-separated list. | 122 | options or as a comma-separated list. |
123 | .It Fl c Ar host_certificate_file | ||
124 | Specifies a path to a certificate file to identify | ||
125 | .Nm | ||
126 | during key exchange. | ||
127 | The certificate file must match a host key file specified using the | ||
128 | .Fl h | ||
129 | option or the | ||
130 | .Cm HostKey | ||
131 | configuration directive. | ||
122 | .It Fl D | 132 | .It Fl D |
123 | When this option is specified, | 133 | When this option is specified, |
124 | .Nm | 134 | .Nm |
@@ -127,8 +137,8 @@ This allows easy monitoring of | |||
127 | .Nm sshd . | 137 | .Nm sshd . |
128 | .It Fl d | 138 | .It Fl d |
129 | Debug mode. | 139 | Debug mode. |
130 | The server sends verbose debug output to the system | 140 | The server sends verbose debug output to standard error, |
131 | log, and does not put itself in the background. | 141 | and does not put itself in the background. |
132 | The server also will not fork and will only process one connection. | 142 | The server also will not fork and will only process one connection. |
133 | This option is only intended for debugging for the server. | 143 | This option is only intended for debugging for the server. |
134 | Multiple | 144 | Multiple |
@@ -263,7 +273,7 @@ or | |||
263 | .El | 273 | .El |
264 | .Sh AUTHENTICATION | 274 | .Sh AUTHENTICATION |
265 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. | 275 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. |
266 | Both protocols are supported by default, | 276 | The default is to use protocol 2 only, |
267 | though this can be changed via the | 277 | though this can be changed via the |
268 | .Cm Protocol | 278 | .Cm Protocol |
269 | option in | 279 | option in |
@@ -501,6 +511,13 @@ No spaces are permitted, except within double quotes. | |||
501 | The following option specifications are supported (note | 511 | The following option specifications are supported (note |
502 | that option keywords are case-insensitive): | 512 | that option keywords are case-insensitive): |
503 | .Bl -tag -width Ds | 513 | .Bl -tag -width Ds |
514 | .It Cm cert-authority | ||
515 | Specifies that the listed key is a certification authority (CA) that is | ||
516 | trusted to validate signed certificates for user authentication. | ||
517 | .Pp | ||
518 | Certificates may encode access restrictions similar to these key options. | ||
519 | If both certificate restrictions and key options are present, the most | ||
520 | restrictive union of the two is applied. | ||
504 | .It Cm command="command" | 521 | .It Cm command="command" |
505 | Specifies that the command is executed whenever this key is used for | 522 | Specifies that the command is executed whenever this key is used for |
506 | authentication. | 523 | authentication. |
@@ -520,6 +537,10 @@ The command originally supplied by the client is available in the | |||
520 | .Ev SSH_ORIGINAL_COMMAND | 537 | .Ev SSH_ORIGINAL_COMMAND |
521 | environment variable. | 538 | environment variable. |
522 | Note that this option applies to shell, command or subsystem execution. | 539 | Note that this option applies to shell, command or subsystem execution. |
540 | Also note that this command may be superseded by either a | ||
541 | .Xr sshd_config 5 | ||
542 | .Cm ForceCommand | ||
543 | directive or a command embedded in a certificate. | ||
523 | .It Cm environment="NAME=value" | 544 | .It Cm environment="NAME=value" |
524 | Specifies that the string is to be added to the environment when | 545 | Specifies that the string is to be added to the environment when |
525 | logging in using this key. | 546 | logging in using this key. |
@@ -616,10 +637,19 @@ be prepared by the administrator (optional), and the per-user file is | |||
616 | maintained automatically: whenever the user connects from an unknown host, | 637 | maintained automatically: whenever the user connects from an unknown host, |
617 | its key is added to the per-user file. | 638 | its key is added to the per-user file. |
618 | .Pp | 639 | .Pp |
619 | Each line in these files contains the following fields: hostnames, | 640 | Each line in these files contains the following fields: markers (optional), |
620 | bits, exponent, modulus, comment. | 641 | hostnames, bits, exponent, modulus, comment. |
621 | The fields are separated by spaces. | 642 | The fields are separated by spaces. |
622 | .Pp | 643 | .Pp |
644 | The marker is optional, but if it is present then it must be one of | ||
645 | .Dq @cert-authority , | ||
646 | to indicate that the line contains a certification authority (CA) key, | ||
647 | or | ||
648 | .Dq @revoked , | ||
649 | to indicate that the key contained on the line is revoked and must not ever | ||
650 | be accepted. | ||
651 | Only one marker should be used on a key line. | ||
652 | .Pp | ||
623 | Hostnames is a comma-separated list of patterns | 653 | Hostnames is a comma-separated list of patterns |
624 | .Pf ( Ql * | 654 | .Pf ( Ql * |
625 | and | 655 | and |
@@ -659,8 +689,25 @@ Lines starting with | |||
659 | and empty lines are ignored as comments. | 689 | and empty lines are ignored as comments. |
660 | .Pp | 690 | .Pp |
661 | When performing host authentication, authentication is accepted if any | 691 | When performing host authentication, authentication is accepted if any |
662 | matching line has the proper key. | 692 | matching line has the proper key; either one that matches exactly or, |
663 | It is thus permissible (but not | 693 | if the server has presented a certificate for authentication, the key |
694 | of the certification authority that signed the certificate. | ||
695 | For a key to be trusted as a certification authority, it must use the | ||
696 | .Dq @cert-authority | ||
697 | marker described above. | ||
698 | .Pp | ||
699 | The known hosts file also provides a facility to mark keys as revoked, | ||
700 | for example when it is known that the associated private key has been | ||
701 | stolen. | ||
702 | Revoked keys are specified by including the | ||
703 | .Dq @revoked | ||
704 | marker at the beginning of the key line, and are never accepted for | ||
705 | authentication or as certification authorities, but instead will | ||
706 | produce a warning from | ||
707 | .Xr ssh 1 | ||
708 | when they are encountered. | ||
709 | .Pp | ||
710 | It is permissible (but not | ||
664 | recommended) to have several lines or different host keys for the same | 711 | recommended) to have several lines or different host keys for the same |
665 | names. | 712 | names. |
666 | This will inevitably happen when short forms of host names | 713 | This will inevitably happen when short forms of host names |
@@ -671,10 +718,16 @@ accepted if valid information can be found from either file. | |||
671 | .Pp | 718 | .Pp |
672 | Note that the lines in these files are typically hundreds of characters | 719 | Note that the lines in these files are typically hundreds of characters |
673 | long, and you definitely don't want to type in the host keys by hand. | 720 | long, and you definitely don't want to type in the host keys by hand. |
674 | Rather, generate them by a script | 721 | Rather, generate them by a script, |
722 | .Xr ssh-keyscan 1 | ||
675 | or by taking | 723 | or by taking |
676 | .Pa /etc/ssh/ssh_host_key.pub | 724 | .Pa /etc/ssh/ssh_host_key.pub |
677 | and adding the host names at the front. | 725 | and adding the host names at the front. |
726 | .Xr ssh-keygen 1 | ||
727 | also offers some basic automated editing for | ||
728 | .Pa ~/.ssh/known_hosts | ||
729 | including removing hosts matching a host name and converting all host | ||
730 | names to their hashed representations. | ||
678 | .Pp | 731 | .Pp |
679 | An example ssh_known_hosts file: | 732 | An example ssh_known_hosts file: |
680 | .Bd -literal -offset 3n | 733 | .Bd -literal -offset 3n |
@@ -684,6 +737,10 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= | |||
684 | # A hashed hostname | 737 | # A hashed hostname |
685 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | 738 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
686 | AAAA1234.....= | 739 | AAAA1234.....= |
740 | # A revoked key | ||
741 | @revoked * ssh-rsa AAAAB5W... | ||
742 | # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org | ||
743 | @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... | ||
687 | .Ed | 744 | .Ed |
688 | .Sh FILES | 745 | .Sh FILES |
689 | .Bl -tag -width Ds -compact | 746 | .Bl -tag -width Ds -compact |