1 files changed, 40 insertions, 12 deletions
diff --git a/sshd.8 b/sshd.8
index 233b00037..ac3bf96cf 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
 .Em .rhosts
-authentication,
-.Em .rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
@@ -135,11 +133,6 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
-.Em rhosts
-authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.
-System security is not improved unless
 .Nm rshd ,
 .Nm rlogind ,
 and
@@ -427,7 +420,9 @@ or
 .Dq ssh-rsa .
 .Pp
 Note that lines in this file are usually several hundred bytes long
-(because of the size of the public key encoding).
+(because of the size of the public key encoding) up to a limit of
+8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
+keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub
@@ -558,6 +553,14 @@ to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
 .Pp
+Alternately, hostnames may be stored in a hashed form which hides host names
+and addresses should the file's contents be disclosed.
+Hashed hostnames start with a
+.Ql |
+character.
+Only one hashed hostname may appear on a single line and none of the above
+negation or wildcard operators may be applied.
+.Pp
 Bits, exponent, and modulus are taken directly from the RSA host key; they
 can be obtained, e.g., from
 .Pa /etc/ssh/ssh_host_key.pub .
@@ -589,6 +592,11 @@ and adding the host names at the front.
 closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
 cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
 .Ed
+.Bd -literal
+# A hashed hostname
+|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
+AAAA1234.....=
+.Ed
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config
@@ -657,6 +665,20 @@ These files should be writable only by root/the owner.
 should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
 can, but need not be, world-readable.
+.It Pa /etc/motd
+See
+.Xr motd 5 .
+.It Pa $HOME/.hushlogin
+This file is used to suppress printing the last login time and
+.Pa /etc/motd ,
+if
+.Cm PrintLastLog
+and
+.Cm PrintMotd ,
+respectively,
+are enabled.
+It does not suppress printing of the banner specified by
+.Cm Banner .
 .It Pa /etc/nologin
 If this file exists,
 .Nm
@@ -670,7 +692,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+and contains host-username pairs, separated by a space, one per
 line.
 The given user on the corresponding host is permitted to log in
 without a password.
@@ -691,7 +717,9 @@ However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@@ -710,7 +738,7 @@ Negated entries start with
 If the client host/user is successfully matched in this file, login is
 automatically permitted provided the client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
 This file must be writable only by root; it is recommended
 that it be world-readable.
 .Pp

diff --git a/sshd.8 b/sshd.8 index 233b00037..ac3bf96cf 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $	37	.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
106	Next, the server and the client enter an authentication dialog.	106	Next, the server and the client enter an authentication dialog.
107	The client tries to authenticate itself using	107	The client tries to authenticate itself using
108	.Em .rhosts	108	.Em .rhosts
109	authentication,
110	.Em .rhosts
111	authentication combined with RSA host	109	authentication combined with RSA host
112	authentication, RSA challenge-response authentication, or password	110	authentication, RSA challenge-response authentication, or password
113	based authentication.	111	based authentication.
@@ -135,11 +133,6 @@ or
135	.Ql \&NP\&	133	.Ql \&NP\&
136	).	134	).
137	.Pp	135	.Pp
138	.Em rhosts
139	authentication is normally disabled
140	because it is fundamentally insecure, but can be enabled in the server
141	configuration file if desired.
142	System security is not improved unless
143	.Nm rshd ,	136	.Nm rshd ,
144	.Nm rlogind ,	137	.Nm rlogind ,
145	and	138	and
@@ -427,7 +420,9 @@ or
427	.Dq ssh-rsa .	420	.Dq ssh-rsa .
428	.Pp	421	.Pp
429	Note that lines in this file are usually several hundred bytes long	422	Note that lines in this file are usually several hundred bytes long
430	(because of the size of the public key encoding).	423	(because of the size of the public key encoding) up to a limit of
		424	8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
		425	keys up to 16 kilobits.
431	You don't want to type them in; instead, copy the	426	You don't want to type them in; instead, copy the
432	.Pa identity.pub ,	427	.Pa identity.pub ,
433	.Pa id_dsa.pub	428	.Pa id_dsa.pub
@@ -558,6 +553,14 @@ to indicate negation: if the host name matches a negated
558	pattern, it is not accepted (by that line) even if it matched another	553	pattern, it is not accepted (by that line) even if it matched another
559	pattern on the line.	554	pattern on the line.
560	.Pp	555	.Pp
		556	Alternately, hostnames may be stored in a hashed form which hides host names
		557	and addresses should the file's contents be disclosed.
		558	Hashed hostnames start with a
		559	.Ql \|
		560	character.
		561	Only one hashed hostname may appear on a single line and none of the above
		562	negation or wildcard operators may be applied.
		563	.Pp
561	Bits, exponent, and modulus are taken directly from the RSA host key; they	564	Bits, exponent, and modulus are taken directly from the RSA host key; they
562	can be obtained, e.g., from	565	can be obtained, e.g., from
563	.Pa /etc/ssh/ssh_host_key.pub .	566	.Pa /etc/ssh/ssh_host_key.pub .
@@ -589,6 +592,11 @@ and adding the host names at the front.
589	closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi	592	closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
590	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=	593	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
591	.Ed	594	.Ed
		595	.Bd -literal
		596	# A hashed hostname
		597	\|1\|JfKTdBh7rNbXkVAQCRp4OQoPfmI=\|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
		598	AAAA1234.....=
		599	.Ed
592	.Sh FILES	600	.Sh FILES
593	.Bl -tag -width Ds	601	.Bl -tag -width Ds
594	.It Pa /etc/ssh/sshd_config	602	.It Pa /etc/ssh/sshd_config
@@ -657,6 +665,20 @@ These files should be writable only by root/the owner.
657	should be world-readable, and	665	should be world-readable, and
658	.Pa $HOME/.ssh/known_hosts	666	.Pa $HOME/.ssh/known_hosts
659	can, but need not be, world-readable.	667	can, but need not be, world-readable.
		668	.It Pa /etc/motd
		669	See
		670	.Xr motd 5 .
		671	.It Pa $HOME/.hushlogin
		672	This file is used to suppress printing the last login time and
		673	.Pa /etc/motd ,
		674	if
		675	.Cm PrintLastLog
		676	and
		677	.Cm PrintMotd ,
		678	respectively,
		679	are enabled.
		680	It does not suppress printing of the banner specified by
		681	.Cm Banner .
660	.It Pa /etc/nologin	682	.It Pa /etc/nologin
661	If this file exists,	683	If this file exists,
662	.Nm	684	.Nm
@@ -670,7 +692,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
670	Further details are described in	692	Further details are described in
671	.Xr hosts_access 5 .	693	.Xr hosts_access 5 .
672	.It Pa $HOME/.rhosts	694	.It Pa $HOME/.rhosts
673	This file contains host-username pairs, separated by a space, one per	695	This file is used during
		696	.Cm RhostsRSAAuthentication
		697	and
		698	.Cm HostbasedAuthentication
		699	and contains host-username pairs, separated by a space, one per
674	line.	700	line.
675	The given user on the corresponding host is permitted to log in	701	The given user on the corresponding host is permitted to log in
676	without a password.	702	without a password.
@@ -691,7 +717,9 @@ However, this file is
691	not used by rlogin and rshd, so using this permits access using SSH only.	717	not used by rlogin and rshd, so using this permits access using SSH only.
692	.It Pa /etc/hosts.equiv	718	.It Pa /etc/hosts.equiv
693	This file is used during	719	This file is used during
694	.Em rhosts	720	.Cm RhostsRSAAuthentication
		721	and
		722	.Cm HostbasedAuthentication
695	authentication.	723	authentication.
696	In the simplest form, this file contains host names, one per line.	724	In the simplest form, this file contains host names, one per line.
697	Users on	725	Users on
@@ -710,7 +738,7 @@ Negated entries start with
710	If the client host/user is successfully matched in this file, login is	738	If the client host/user is successfully matched in this file, login is
711	automatically permitted provided the client and server user names are the	739	automatically permitted provided the client and server user names are the
712	same.	740	same.
713	Additionally, successful RSA host authentication is normally required.	741	Additionally, successful client host key authentication is required.
714	This file must be writable only by root; it is recommended	742	This file must be writable only by root; it is recommended
715	that it be world-readable.	743	that it be world-readable.
716	.Pp	744	.Pp