Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 40 |
1 files changed, 27 insertions, 13 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.186 2002/06/22 16:45:29 stevesk Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -203,7 +203,7 @@ The default is | |||
203 | refuses to start if there is no configuration file. | 203 | refuses to start if there is no configuration file. |
204 | .It Fl g Ar login_grace_time | 204 | .It Fl g Ar login_grace_time |
205 | Gives the grace time for clients to authenticate themselves (default | 205 | Gives the grace time for clients to authenticate themselves (default |
206 | 600 seconds). | 206 | 120 seconds). |
207 | If the client fails to authenticate the user within | 207 | If the client fails to authenticate the user within |
208 | this many seconds, the server disconnects and exits. | 208 | this many seconds, the server disconnects and exits. |
209 | A value of zero indicates no limit. | 209 | A value of zero indicates no limit. |
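Review bot: the default quoted for the .Fl g option at 206 drops from 600 to 120 seconds, but nothing in this hunk says where that number comes from; make sure the LoginGraceTime entry in sshd_config(5) and the server's compiled-in default are changed to 120 in the same commit, otherwise the three will disagree. It is also worth a clause explaining the motivation: a shorter grace period bounds how long an unauthenticated client can hold a forked sshd, which is the exposure LoginGraceTime exists to limit.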
@@ -350,7 +350,11 @@ Sets up basic environment. | |||
350 | .It | 350 | .It |
351 | Reads | 351 | Reads |
352 | .Pa $HOME/.ssh/environment | 352 | .Pa $HOME/.ssh/environment |
353 | if it exists. | 353 | if it exists and users are allowed to change their environment. |
354 | See the | ||
355 | .Cm PermitUserEnvironment | ||
356 | option in | ||
357 | .Xr sshd_config 5 . | ||
354 | .It | 358 | .It |
355 | Changes to user's home directory. | 359 | Changes to user's home directory. |
356 | .It | 360 | .It |
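Review bot: "if it exists and users are allowed to change their environment" at 353 leaves the reader guessing which setting is meant until the sentence that follows; one sentence would be tighter and unambiguous, e.g. "if it exists and .Cm PermitUserEnvironment is set in .Xr sshd_config 5 ." The cross-reference itself is the right call, since this is the only place in the login sequence where the new default-off behaviour is visible.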
@@ -385,9 +389,9 @@ Each RSA public key consists of the following fields, separated by | |||
385 | spaces: options, bits, exponent, modulus, comment. | 389 | spaces: options, bits, exponent, modulus, comment. |
386 | Each protocol version 2 public key consists of: | 390 | Each protocol version 2 public key consists of: |
387 | options, keytype, base64 encoded key, comment. | 391 | options, keytype, base64 encoded key, comment. |
388 | The options fields | 392 | The options field |
389 | are optional; its presence is determined by whether the line starts | 393 | is optional; its presence is determined by whether the line starts |
390 | with a number or not (the option field never starts with a number). | 394 | with a number or not (the options field never starts with a number). |
391 | The bits, exponent, modulus and comment fields give the RSA key for | 395 | The bits, exponent, modulus and comment fields give the RSA key for |
392 | protocol version 1; the | 396 | protocol version 1; the |
393 | comment field is not used for anything (but may be convenient for the | 397 | comment field is not used for anything (but may be convenient for the |
@@ -398,7 +402,7 @@ or | |||
398 | .Dq ssh-rsa . | 402 | .Dq ssh-rsa . |
399 | .Pp | 403 | .Pp |
400 | Note that lines in this file are usually several hundred bytes long | 404 | Note that lines in this file are usually several hundred bytes long |
401 | (because of the size of the RSA key modulus). | 405 | (because of the size of the public key encoding). |
402 | You don't want to type them in; instead, copy the | 406 | You don't want to type them in; instead, copy the |
403 | .Pa identity.pub , | 407 | .Pa identity.pub , |
404 | .Pa id_dsa.pub | 408 | .Pa id_dsa.pub |
@@ -417,7 +421,7 @@ The following option specifications are supported (note | |||
417 | that option keywords are case-insensitive): | 421 | that option keywords are case-insensitive): |
418 | .Bl -tag -width Ds | 422 | .Bl -tag -width Ds |
419 | .It Cm from="pattern-list" | 423 | .It Cm from="pattern-list" |
420 | Specifies that in addition to RSA authentication, the canonical name | 424 | Specifies that in addition to public key authentication, the canonical name |
421 | of the remote host must be present in the comma-separated list of | 425 | of the remote host must be present in the comma-separated list of |
422 | patterns | 426 | patterns |
423 | .Pf ( Ql * | 427 | .Pf ( Ql * |
@@ -429,7 +433,7 @@ patterns negated by prefixing them with | |||
429 | .Ql ! ; | 433 | .Ql ! ; |
430 | if the canonical host name matches a negated pattern, the key is not accepted. | 434 | if the canonical host name matches a negated pattern, the key is not accepted. |
431 | The purpose | 435 | The purpose |
432 | of this option is to optionally increase security: RSA authentication | 436 | of this option is to optionally increase security: public key authentication |
433 | by itself does not trust the network or name servers or anything (but | 437 | by itself does not trust the network or name servers or anything (but |
434 | the key); however, if somebody somehow steals the key, the key | 438 | the key); however, if somebody somehow steals the key, the key |
435 | permits an intruder to log in from anywhere in the world. | 439 | permits an intruder to log in from anywhere in the world. |
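Review bot: the RSA-to-public-key wording change at 436 is correct, but the surrounding text at 437-438 still implies the from= option adds trust independent of "name servers", while the option is evaluated against the canonical host name, which comes from a reverse lookup. A short clause noting that from= therefore restricts where a stolen key can be used from, rather than replacing trust in the key, would keep the paragraph accurate for both key types.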
@@ -447,7 +451,7 @@ one must not request a pty or should specify | |||
447 | .Cm no-pty . | 451 | .Cm no-pty . |
448 | A quote may be included in the command by quoting it with a backslash. | 452 | A quote may be included in the command by quoting it with a backslash. |
449 | This option might be useful | 453 | This option might be useful |
450 | to restrict certain RSA keys to perform just a specific operation. | 454 | to restrict certain public keys to perform just a specific operation. |
451 | An example might be a key that permits remote backups but nothing else. | 455 | An example might be a key that permits remote backups but nothing else. |
452 | Note that the client may specify TCP/IP and/or X11 | 456 | Note that the client may specify TCP/IP and/or X11 |
453 | forwarding unless they are explicitly prohibited. | 457 | forwarding unless they are explicitly prohibited. |
@@ -458,6 +462,10 @@ logging in using this key. | |||
458 | Environment variables set this way | 462 | Environment variables set this way |
459 | override other default environment values. | 463 | override other default environment values. |
460 | Multiple options of this type are permitted. | 464 | Multiple options of this type are permitted. |
465 | Environment processing is disabled by default and is | ||
466 | controlled via the | ||
467 | .Cm PermitUserEnvironment | ||
468 | option. | ||
461 | This option is automatically disabled if | 469 | This option is automatically disabled if |
462 | .Cm UseLogin | 470 | .Cm UseLogin |
463 | is enabled. | 471 | is enabled. |
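Review bot: the sentence added at 465-468 names PermitUserEnvironment but not where it is set, whereas the earlier hunk cites .Xr sshd_config 5 for the same option; add the same cross-reference here for consistency. With the default now off, the override and "Multiple options of this type are permitted" sentences at 462-464 describe behaviour that is inert until the administrator enables it, so the default-off statement would serve readers better placed first in the paragraph.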
@@ -578,6 +586,8 @@ These files are created using | |||
578 | .Xr ssh-keygen 1 . | 586 | .Xr ssh-keygen 1 . |
579 | .It Pa /etc/moduli | 587 | .It Pa /etc/moduli |
580 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 588 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
589 | The file format is described in | ||
590 | .Xr moduli 5 . | ||
581 | .It Pa /var/empty | 591 | .It Pa /var/empty |
582 | .Xr chroot 2 | 592 | .Xr chroot 2 |
583 | directory used by | 593 | directory used by |
@@ -698,6 +708,10 @@ It can only contain empty lines, comment lines (that start with | |||
698 | and assignment lines of the form name=value. | 708 | and assignment lines of the form name=value. |
699 | The file should be writable | 709 | The file should be writable |
700 | only by the user; it need not be readable by anyone else. | 710 | only by the user; it need not be readable by anyone else. |
711 | Environment processing is disabled by default and is | ||
712 | controlled via the | ||
713 | .Cm PermitUserEnvironment | ||
714 | option. | ||
701 | .It Pa $HOME/.ssh/rc | 715 | .It Pa $HOME/.ssh/rc |
702 | If this file exists, it is run with /bin/sh after reading the | 716 | If this file exists, it is run with /bin/sh after reading the |
703 | environment files but before starting the user's shell or command. | 717 | environment files but before starting the user's shell or command. |
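Review bot: lines 711-714 repeat, word for word, the paragraph added under the environment= option; for the file description it would be clearer to state the consequence directly, i.e. that .Pa $HOME/.ssh/environment is ignored unless PermitUserEnvironment is enabled in .Xr sshd_config 5 . That also pairs naturally with the preceding "writable only by the user" sentence at 709-710, which is the security-relevant constraint on this file.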
@@ -723,12 +737,12 @@ something similar to: | |||
723 | if read proto cookie && [ -n "$DISPLAY" ]; then | 737 | if read proto cookie && [ -n "$DISPLAY" ]; then |
724 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | 738 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
725 | # X11UseLocalhost=yes | 739 | # X11UseLocalhost=yes |
726 | xauth add unix:`echo $DISPLAY | | 740 | echo add unix:`echo $DISPLAY | |
727 | cut -c11-` $proto $cookie | 741 | cut -c11-` $proto $cookie |
728 | else | 742 | else |
729 | # X11UseLocalhost=no | 743 | # X11UseLocalhost=no |
730 | xauth add $DISPLAY $proto $cookie | 744 | echo add $DISPLAY $proto $cookie |
731 | fi | 745 | fi | xauth -q - |
732 | fi | 746 | fi |
733 | .Ed | 747 | .Ed |
734 | .Pp | 748 | .Pp |
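Review bot: the rewrite at 740-745 routes both branches through a single `xauth -q -` reading commands from the pipe, which is fine, but $DISPLAY, $proto and $cookie are expanded unquoted in the new `echo` lines, so a DISPLAY value containing whitespace would be word-split before it reaches xauth. Quote them, e.g. `echo add "$DISPLAY" "$proto" "$cookie"`. A sentence after the example explaining that `-q` suppresses xauth's status messages (such as the one printed when it creates a new authority file) would help readers who copy this into their own rc.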