Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 50 |
1 files changed, 43 insertions, 7 deletions
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.253 2010/03/03 22:49:50 djm Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.254 2010/03/04 23:19:29 djm Exp $ |
38 | .Dd $Mdocdate: March 3 2010 $ | 38 | .Dd $Mdocdate: March 4 2010 $ |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -634,10 +634,19 @@ be prepared by the administrator (optional), and the per-user file is | |||
634 | maintained automatically: whenever the user connects from an unknown host, | 634 | maintained automatically: whenever the user connects from an unknown host, |
635 | its key is added to the per-user file. | 635 | its key is added to the per-user file. |
636 | .Pp | 636 | .Pp |
637 | Each line in these files contains the following fields: hostnames, | 637 | Each line in these files contains the following fields: markers (optional), |
638 | bits, exponent, modulus, comment. | 638 | hostnames, bits, exponent, modulus, comment. |
639 | The fields are separated by spaces. | 639 | The fields are separated by spaces. |
640 | .Pp | 640 | .Pp |
641 | The marker is optional, but if it is present then it must be one of | ||
642 | .Dq @cert-authority , | ||
643 | to indicate that the line contains a certification authority (CA) key, | ||
644 | or | ||
645 | .Dq @revoked , | ||
646 | to indicate that the key contained on the line is revoked and must not ever | ||
647 | be accepted. | ||
648 | Only one marker should be used on a key line. | ||
649 | .Pp | ||
641 | Hostnames is a comma-separated list of patterns | 650 | Hostnames is a comma-separated list of patterns |
642 | .Pf ( Ql * | 651 | .Pf ( Ql * |
643 | and | 652 | and |
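Review bot: the new field list at line 637 says "markers (optional)" while the explanatory paragraph at 641-648 consistently speaks of a single "marker" and ends by stating that only one marker should be used on a key line; use the singular "marker (optional)" in the field list so the two agree. Minor wording: "must not ever be accepted" at 646-647 reads more naturally as "must never be accepted".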
@@ -677,8 +686,25 @@ Lines starting with | |||
677 | and empty lines are ignored as comments. | 686 | and empty lines are ignored as comments. |
678 | .Pp | 687 | .Pp |
679 | When performing host authentication, authentication is accepted if any | 688 | When performing host authentication, authentication is accepted if any |
680 | matching line has the proper key. | 689 | matching line has the proper key; either one that matches exactly or, |
681 | It is thus permissible (but not | 690 | if the server has presented a certificate for authentication, the key |
691 | of the certification authority that signed the certificate. | ||
692 | For a key to be trusted as a certification authority, it must use the | ||
693 | .Dq @cert-authority | ||
694 | marker described above. | ||
695 | .Pp | ||
696 | The known hosts file also provides a facility to mark keys as revoked, | ||
697 | for example when it is known that the associated private key has been | ||
698 | stolen. | ||
699 | Revoked keys are specified by including the | ||
700 | .Dq @revoked | ||
701 | marker at the beginning of the key line, and are never accepted for | ||
702 | authentication or as certification authorities, but instead will | ||
703 | produce a warning from | ||
704 | .Xr ssh 1 | ||
705 | when they are encountered. | ||
706 | .Pp | ||
707 | It is permissible (but not | ||
682 | recommended) to have several lines or different host keys for the same | 708 | recommended) to have several lines or different host keys for the same |
683 | names. | 709 | names. |
684 | This will inevitably happen when short forms of host names | 710 | This will inevitably happen when short forms of host names |
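Review bot: the acceptance rule added at 688-691 should state explicitly that a @cert-authority key is trusted only for hosts matching the hostname patterns on its own line; "matching line" implies this, but a reader skimming for the certificate case may take any @cert-authority entry as trusting the CA for every host. Suggest "the key of the certification authority that signed the certificate, provided that the CA key's line matches the host". Minor: the semicolon after "proper key" at 689 introduces two alternatives and would read better as a colon.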
@@ -689,10 +715,16 @@ accepted if valid information can be found from either file. | |||
689 | .Pp | 715 | .Pp |
690 | Note that the lines in these files are typically hundreds of characters | 716 | Note that the lines in these files are typically hundreds of characters |
691 | long, and you definitely don't want to type in the host keys by hand. | 717 | long, and you definitely don't want to type in the host keys by hand. |
692 | Rather, generate them by a script | 718 | Rather, generate them by a script, |
719 | .Xr ssh-keyscan 1 | ||
693 | or by taking | 720 | or by taking |
694 | .Pa /etc/ssh/ssh_host_key.pub | 721 | .Pa /etc/ssh/ssh_host_key.pub |
695 | and adding the host names at the front. | 722 | and adding the host names at the front. |
723 | .Xr ssh-keygen 1 | ||
724 | also offers some basic automated editing for | ||
725 | .Pa ~/.ssh/known_hosts | ||
726 | including removing hosts matching a host name and converting all host | ||
727 | names to their hashed representations. | ||
696 | .Pp | 728 | .Pp |
697 | An example ssh_known_hosts file: | 729 | An example ssh_known_hosts file: |
698 | .Bd -literal -offset 3n | 730 | .Bd -literal -offset 3n |
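Review bot: at 718-722 the sentence now reads "generate them by a script, ssh-keyscan(1) or by taking ... and adding the host names at the front", which presents ssh-keyscan as an example of a script rather than a third alternative; suggest "by a script, by ssh-keyscan(1), or by taking". Since the previous hunk (line 701) says markers go at the beginning of the key line, it would also help to say here that a @cert-authority or @revoked marker, when wanted, is placed in front of the host names when a line is composed by hand.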
@@ -702,6 +734,10 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= | |||
702 | # A hashed hostname | 734 | # A hashed hostname |
703 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | 735 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
704 | AAAA1234.....= | 736 | AAAA1234.....= |
737 | # A revoked key | ||
738 | @revoked * ssh-rsa AAAAB5W... | ||
739 | # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org | ||
740 | @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... | ||
705 | .Ed | 741 | .Ed |
706 | .Sh FILES | 742 | .Sh FILES |
707 | .Bl -tag -width Ds -compact | 743 | .Bl -tag -width Ds -compact |
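Review bot: the two new example lines at 738 and 740 use the same placeholder key "AAAAB5W...", which can be read as one key being both revoked and a CA; use distinct placeholders so the example does not suggest a revoked key can double as a CA. The comment at 739 uses *.mydomain.com and *.mydomain.org while the existing entry in this file uses example.net; example.com/example.org would keep the example consistent. The "# A revoked key" comment at 737 could also note that the "*" pattern means the key is rejected for every host.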