Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 52 |
1 files changed, 40 insertions, 12 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -106,8 +106,6 @@ to use from those offered by the server. | |||
106 | Next, the server and the client enter an authentication dialog. | 106 | Next, the server and the client enter an authentication dialog. |
107 | The client tries to authenticate itself using | 107 | The client tries to authenticate itself using |
108 | .Em .rhosts | 108 | .Em .rhosts |
109 | authentication, | ||
110 | .Em .rhosts | ||
111 | authentication combined with RSA host | 109 | authentication combined with RSA host |
112 | authentication, RSA challenge-response authentication, or password | 110 | authentication, RSA challenge-response authentication, or password |
113 | based authentication. | 111 | based authentication. |
@@ -135,11 +133,6 @@ or | |||
135 | .Ql \&*NP\&* | 133 | .Ql \&*NP\&* |
136 | ). | 134 | ). |
137 | .Pp | 135 | .Pp |
138 | .Em rhosts | ||
139 | authentication is normally disabled | ||
140 | because it is fundamentally insecure, but can be enabled in the server | ||
141 | configuration file if desired. | ||
142 | System security is not improved unless | ||
143 | .Nm rshd , | 136 | .Nm rshd , |
144 | .Nm rlogind , | 137 | .Nm rlogind , |
145 | and | 138 | and |
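Review bot: the deletion ends mid-sentence. The removed line "System security is not improved unless" was the head of the sentence that continues in the unchanged context ".Nm rshd , / .Nm rlogind , / and ...", so after this hunk the paragraph following .Pp opens with "rshd, rlogind, and ..." and no longer has a subject clause. Either remove the rest of that sentence through to its full stop, or keep a lead-in so the advice to disable the r-services survives the removal of the rhosts paragraph.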
@@ -427,7 +420,9 @@ or | |||
427 | .Dq ssh-rsa . | 420 | .Dq ssh-rsa . |
428 | .Pp | 421 | .Pp |
429 | Note that lines in this file are usually several hundred bytes long | 422 | Note that lines in this file are usually several hundred bytes long |
430 | (because of the size of the public key encoding). | 423 | (because of the size of the public key encoding) up to a limit of |
424 | 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA | ||
425 | keys up to 16 kilobits. | ||
431 | You don't want to type them in; instead, copy the | 426 | You don't want to type them in; instead, copy the |
432 | .Pa identity.pub , | 427 | .Pa identity.pub , |
433 | .Pa id_dsa.pub | 428 | .Pa id_dsa.pub |
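Review bot: the added text states the 8 kilobyte line limit and the DSA/RSA key sizes it implies, but not what sshd does with a line that exceeds it (skipped, or the whole file rejected); a documented limit is only actionable together with its consequence, so one clause after "keys up to 16 kilobits." would close that gap.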
@@ -558,6 +553,14 @@ to indicate negation: if the host name matches a negated | |||
558 | pattern, it is not accepted (by that line) even if it matched another | 553 | pattern, it is not accepted (by that line) even if it matched another |
559 | pattern on the line. | 554 | pattern on the line. |
560 | .Pp | 555 | .Pp |
556 | Alternately, hostnames may be stored in a hashed form which hides host names | ||
557 | and addresses should the file's contents be disclosed. | ||
558 | Hashed hostnames start with a | ||
559 | .Ql | | ||
560 | character. | ||
561 | Only one hashed hostname may appear on a single line and none of the above | ||
562 | negation or wildcard operators may be applied. | ||
563 | .Pp | ||
561 | Bits, exponent, and modulus are taken directly from the RSA host key; they | 564 | Bits, exponent, and modulus are taken directly from the RSA host key; they |
562 | can be obtained, e.g., from | 565 | can be obtained, e.g., from |
563 | .Pa /etc/ssh/ssh_host_key.pub . | 566 | .Pa /etc/ssh/ssh_host_key.pub . |
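Review bot: the new paragraph defines the hashed form (leading "|", one hashed host per line, no negation or wildcards) but gives the reader no way to produce it; an .Xr cross-reference to the tool that generates hashed known_hosts entries, in the same style as the .Xr hosts_access 5 reference later in this file, would make the feature usable. It may also be worth saying that the restriction on wildcards follows from hashing: a hash can only be compared for exact equality, so a pattern cannot be matched against it.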
@@ -589,6 +592,11 @@ and adding the host names at the front. | |||
589 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 592 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
590 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 593 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
591 | .Ed | 594 | .Ed |
595 | .Bd -literal | ||
596 | # A hashed hostname | ||
597 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
598 | AAAA1234.....= | ||
599 | .Ed | ||
592 | .Sh FILES | 600 | .Sh FILES |
593 | .Bl -tag -width Ds | 601 | .Bl -tag -width Ds |
594 | .It Pa /etc/ssh/sshd_config | 602 | .It Pa /etc/ssh/sshd_config |
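Review bot: the hashed-hostname example at the new lines 597 and 598 is broken across two lines inside .Bd -literal ("... ssh-rsa" on one line, "AAAA1234.....=" on the next), which renders as two lines even though a known_hosts entry must be a single line, and contradicts the "Only one hashed hostname may appear on a single line" rule added earlier in this patch. The cvs.openbsd.org example just above keeps its entry on one line; suggest the same here, or a comment in the literal block noting that the line is wrapped only for display.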
@@ -657,6 +665,20 @@ These files should be writable only by root/the owner. | |||
657 | should be world-readable, and | 665 | should be world-readable, and |
658 | .Pa $HOME/.ssh/known_hosts | 666 | .Pa $HOME/.ssh/known_hosts |
659 | can, but need not be, world-readable. | 667 | can, but need not be, world-readable. |
668 | .It Pa /etc/motd | ||
669 | See | ||
670 | .Xr motd 5 . | ||
671 | .It Pa $HOME/.hushlogin | ||
672 | This file is used to suppress printing the last login time and | ||
673 | .Pa /etc/motd , | ||
674 | if | ||
675 | .Cm PrintLastLog | ||
676 | and | ||
677 | .Cm PrintMotd , | ||
678 | respectively, | ||
679 | are enabled. | ||
680 | It does not suppress printing of the banner specified by | ||
681 | .Cm Banner . | ||
660 | .It Pa /etc/nologin | 682 | .It Pa /etc/nologin |
661 | If this file exists, | 683 | If this file exists, |
662 | .Nm | 684 | .Nm |
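Review bot: the new .hushlogin entry refers to PrintLastLog, PrintMotd and Banner without saying where they are configured; an .Xr sshd_config 5 cross-reference after "are enabled." would match the convention used by the other FILES entries (e.g. the .Xr hosts_access 5 reference below) and tell the reader that these are server options, not per-user settings.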
@@ -670,7 +692,11 @@ Access controls that should be enforced by tcp-wrappers are defined here. | |||
670 | Further details are described in | 692 | Further details are described in |
671 | .Xr hosts_access 5 . | 693 | .Xr hosts_access 5 . |
672 | .It Pa $HOME/.rhosts | 694 | .It Pa $HOME/.rhosts |
673 | This file contains host-username pairs, separated by a space, one per | 695 | This file is used during |
696 | .Cm RhostsRSAAuthentication | ||
697 | and | ||
698 | .Cm HostbasedAuthentication | ||
699 | and contains host-username pairs, separated by a space, one per | ||
674 | line. | 700 | line. |
675 | The given user on the corresponding host is permitted to log in | 701 | The given user on the corresponding host is permitted to log in |
676 | without a password. | 702 | without a password. |
@@ -691,7 +717,9 @@ However, this file is | |||
691 | not used by rlogin and rshd, so using this permits access using SSH only. | 717 | not used by rlogin and rshd, so using this permits access using SSH only. |
692 | .It Pa /etc/hosts.equiv | 718 | .It Pa /etc/hosts.equiv |
693 | This file is used during | 719 | This file is used during |
694 | .Em rhosts | 720 | .Cm RhostsRSAAuthentication |
721 | and | ||
722 | .Cm HostbasedAuthentication | ||
695 | authentication. | 723 | authentication. |
696 | In the simplest form, this file contains host names, one per line. | 724 | In the simplest form, this file contains host names, one per line. |
697 | Users on | 725 | Users on |
@@ -710,7 +738,7 @@ Negated entries start with | |||
710 | If the client host/user is successfully matched in this file, login is | 738 | If the client host/user is successfully matched in this file, login is |
711 | automatically permitted provided the client and server user names are the | 739 | automatically permitted provided the client and server user names are the |
712 | same. | 740 | same. |
713 | Additionally, successful RSA host authentication is normally required. | 741 | Additionally, successful client host key authentication is required. |
714 | This file must be writable only by root; it is recommended | 742 | This file must be writable only by root; it is recommended |
715 | that it be world-readable. | 743 | that it be world-readable. |
716 | .Pp | 744 | .Pp |
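Review bot: the reworded line drops "normally" and changes "RSA host authentication" to "client host key authentication", which is a stronger statement; it is consistent with the hosts.equiv entry a few lines above, which now names both RhostsRSAAuthentication and HostbasedAuthentication, but the earlier protocol-1 paragraph in this same patch still says "RSA host authentication". Consider naming the two options here as well ("successful client host key authentication, i.e. RhostsRSAAuthentication or HostbasedAuthentication, is required") so that the three places use one vocabulary for the same requirement.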