summaryrefslogtreecommitdiff
path: root/sshd.8
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.8')
-rw-r--r--sshd.877
1 files changed, 67 insertions, 10 deletions
diff --git a/sshd.8 b/sshd.8
index 5b527b0f2..5df48a005 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.248 2009/03/26 08:38:39 sobrado Exp $ 37.\" $OpenBSD: sshd.8,v 1.255 2010/03/05 06:50:35 jmc Exp $
38.Dd $Mdocdate: March 26 2009 $ 38.Dd $Mdocdate: March 5 2010 $
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -47,6 +47,7 @@
47.Op Fl 46DdeiqTt 47.Op Fl 46DdeiqTt
48.Op Fl b Ar bits 48.Op Fl b Ar bits
49.Op Fl C Ar connection_spec 49.Op Fl C Ar connection_spec
50.Op Fl c Ar host_certificate_file
50.Op Fl f Ar config_file 51.Op Fl f Ar config_file
51.Op Fl g Ar login_grace_time 52.Op Fl g Ar login_grace_time
52.Op Fl h Ar host_key_file 53.Op Fl h Ar host_key_file
@@ -119,6 +120,15 @@ and
119All are required and may be supplied in any order, either with multiple 120All are required and may be supplied in any order, either with multiple
120.Fl C 121.Fl C
121options or as a comma-separated list. 122options or as a comma-separated list.
123.It Fl c Ar host_certificate_file
124Specifies a path to a certificate file to identify
125.Nm
126during key exchange.
127The certificate file must match a host key file specified using the
128.Fl h
129option or the
130.Cm HostKey
131configuration directive.
122.It Fl D 132.It Fl D
123When this option is specified, 133When this option is specified,
124.Nm 134.Nm
@@ -127,8 +137,8 @@ This allows easy monitoring of
127.Nm sshd . 137.Nm sshd .
128.It Fl d 138.It Fl d
129Debug mode. 139Debug mode.
130The server sends verbose debug output to the system 140The server sends verbose debug output to standard error,
131log, and does not put itself in the background. 141and does not put itself in the background.
132The server also will not fork and will only process one connection. 142The server also will not fork and will only process one connection.
133This option is only intended for debugging for the server. 143This option is only intended for debugging for the server.
134Multiple 144Multiple
@@ -263,7 +273,7 @@ or
263.El 273.El
264.Sh AUTHENTICATION 274.Sh AUTHENTICATION
265The OpenSSH SSH daemon supports SSH protocols 1 and 2. 275The OpenSSH SSH daemon supports SSH protocols 1 and 2.
266Both protocols are supported by default, 276The default is to use protocol 2 only,
267though this can be changed via the 277though this can be changed via the
268.Cm Protocol 278.Cm Protocol
269option in 279option in
@@ -501,6 +511,13 @@ No spaces are permitted, except within double quotes.
501The following option specifications are supported (note 511The following option specifications are supported (note
502that option keywords are case-insensitive): 512that option keywords are case-insensitive):
503.Bl -tag -width Ds 513.Bl -tag -width Ds
514.It Cm cert-authority
515Specifies that the listed key is a certification authority (CA) that is
516trusted to validate signed certificates for user authentication.
517.Pp
518Certificates may encode access restrictions similar to these key options.
519If both certificate restrictions and key options are present, the most
520restrictive union of the two is applied.
504.It Cm command="command" 521.It Cm command="command"
505Specifies that the command is executed whenever this key is used for 522Specifies that the command is executed whenever this key is used for
506authentication. 523authentication.
@@ -520,6 +537,10 @@ The command originally supplied by the client is available in the
520.Ev SSH_ORIGINAL_COMMAND 537.Ev SSH_ORIGINAL_COMMAND
521environment variable. 538environment variable.
522Note that this option applies to shell, command or subsystem execution. 539Note that this option applies to shell, command or subsystem execution.
540Also note that this command may be superseded by either a
541.Xr sshd_config 5
542.Cm ForceCommand
543directive or a command embedded in a certificate.
523.It Cm environment="NAME=value" 544.It Cm environment="NAME=value"
524Specifies that the string is to be added to the environment when 545Specifies that the string is to be added to the environment when
525logging in using this key. 546logging in using this key.
@@ -616,10 +637,19 @@ be prepared by the administrator (optional), and the per-user file is
616maintained automatically: whenever the user connects from an unknown host, 637maintained automatically: whenever the user connects from an unknown host,
617its key is added to the per-user file. 638its key is added to the per-user file.
618.Pp 639.Pp
619Each line in these files contains the following fields: hostnames, 640Each line in these files contains the following fields: markers (optional),
620bits, exponent, modulus, comment. 641hostnames, bits, exponent, modulus, comment.
621The fields are separated by spaces. 642The fields are separated by spaces.
622.Pp 643.Pp
644The marker is optional, but if it is present then it must be one of
645.Dq @cert-authority ,
646to indicate that the line contains a certification authority (CA) key,
647or
648.Dq @revoked ,
649to indicate that the key contained on the line is revoked and must not ever
650be accepted.
651Only one marker should be used on a key line.
652.Pp
623Hostnames is a comma-separated list of patterns 653Hostnames is a comma-separated list of patterns
624.Pf ( Ql * 654.Pf ( Ql *
625and 655and
@@ -659,8 +689,25 @@ Lines starting with
659and empty lines are ignored as comments. 689and empty lines are ignored as comments.
660.Pp 690.Pp
661When performing host authentication, authentication is accepted if any 691When performing host authentication, authentication is accepted if any
662matching line has the proper key. 692matching line has the proper key; either one that matches exactly or,
663It is thus permissible (but not 693if the server has presented a certificate for authentication, the key
694of the certification authority that signed the certificate.
695For a key to be trusted as a certification authority, it must use the
696.Dq @cert-authority
697marker described above.
698.Pp
699The known hosts file also provides a facility to mark keys as revoked,
700for example when it is known that the associated private key has been
701stolen.
702Revoked keys are specified by including the
703.Dq @revoked
704marker at the beginning of the key line, and are never accepted for
705authentication or as certification authorities, but instead will
706produce a warning from
707.Xr ssh 1
708when they are encountered.
709.Pp
710It is permissible (but not
664recommended) to have several lines or different host keys for the same 711recommended) to have several lines or different host keys for the same
665names. 712names.
666This will inevitably happen when short forms of host names 713This will inevitably happen when short forms of host names
@@ -671,10 +718,16 @@ accepted if valid information can be found from either file.
671.Pp 718.Pp
672Note that the lines in these files are typically hundreds of characters 719Note that the lines in these files are typically hundreds of characters
673long, and you definitely don't want to type in the host keys by hand. 720long, and you definitely don't want to type in the host keys by hand.
674Rather, generate them by a script 721Rather, generate them by a script,
722.Xr ssh-keyscan 1
675or by taking 723or by taking
676.Pa /etc/ssh/ssh_host_key.pub 724.Pa /etc/ssh/ssh_host_key.pub
677and adding the host names at the front. 725and adding the host names at the front.
726.Xr ssh-keygen 1
727also offers some basic automated editing for
728.Pa ~/.ssh/known_hosts
729including removing hosts matching a host name and converting all host
730names to their hashed representations.
678.Pp 731.Pp
679An example ssh_known_hosts file: 732An example ssh_known_hosts file:
680.Bd -literal -offset 3n 733.Bd -literal -offset 3n
@@ -684,6 +737,10 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
684# A hashed hostname 737# A hashed hostname
685|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa 738|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
686AAAA1234.....= 739AAAA1234.....=
740# A revoked key
741@revoked * ssh-rsa AAAAB5W...
742# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
743@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
687.Ed 744.Ed
688.Sh FILES 745.Sh FILES
689.Bl -tag -width Ds -compact 746.Bl -tag -width Ds -compact