path: root/sshd.8
Diffstat (limited to 'sshd.8')
-rw-r--r--sshd.868
1 files changed, 47 insertions, 21 deletions
diff --git a/sshd.8 b/sshd.8
index 46660b16c..27b1a3cf6 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $ 37.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
38.Dd September 25, 1999 38.Dd September 25, 1999
39.Dt SSHD 8 39.Dt SSHD 8
40.Os 40.Os
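Review bot: The .Dd line at 38 is left at September 25, 1999 even though this commit adds a whole new paragraph of user-facing behaviour (the account-lock check) and removes an authentication method from the DNS list; bump .Dd to the date of this change so the manual's revision date reflects its content, as the updated $OpenBSD$ id on line 37 already does.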
@@ -114,6 +114,29 @@ authentication combined with RSA host
114authentication, RSA challenge-response authentication, or password 114authentication, RSA challenge-response authentication, or password
115based authentication. 115based authentication.
116.Pp 116.Pp
117Regardless of the authentication type, the account is checked to
118ensure that it is accessible. An account is not accessible if it is
119locked, listed in
120.Cm DenyUsers
121or its group is listed in
122.Cm DenyGroups
123\&. The definition of a locked account is system dependant. Some platforms
124have their own account database (eg AIX) and some modify the passwd field (
125.Ql \&*LK\&*
126on Solaris,
127.Ql \&*
128on HP-UX, containing
129.Ql Nologin
130on Tru64 and a leading
131.Ql \&!!
132on Linux). If there is a requirement to disable password authentication
133for the account while allowing still public-key, then the passwd field
134should be set to something other than these values (eg
135.Ql NP
136or
137.Ql \&*NP\&*
138).
139.Pp
117Rhosts authentication is normally disabled 140Rhosts authentication is normally disabled
118because it is fundamentally insecure, but can be enabled in the server 141because it is fundamentally insecure, but can be enabled in the server
119configuration file if desired. 142configuration file if desired.
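Review bot: Lines 123 and 132-134 of the new paragraph need copy-editing: "system dependant" should read "system dependent", "while allowing still public-key" should read "while still allowing public-key", and "eg" (twice) should be "e.g." for consistency with the rest of the page. More substantively, lines 117-122 say an account is inaccessible if it is locked or matches DenyUsers/DenyGroups, but omit the AllowUsers/AllowGroups case (an account that is not matched by a non-empty allow list is also refused), so the sentence undersells the checks sshd performs; suggest adding "or not listed in .Cm AllowUsers / .Cm AllowGroups when those are set". It would also help the reader to state explicitly that this check runs before and independently of the chosen method, which is the reason the NP / *NP* advice on lines 134-138 exists: with a locked passwd field, public-key authentication is refused too.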
@@ -295,7 +318,6 @@ may also be used to prevent
295from making DNS requests unless the authentication 318from making DNS requests unless the authentication
296mechanism or configuration requires it. 319mechanism or configuration requires it.
297Authentication mechanisms that may require DNS include 320Authentication mechanisms that may require DNS include
298.Cm RhostsAuthentication ,
299.Cm RhostsRSAAuthentication , 321.Cm RhostsRSAAuthentication ,
300.Cm HostbasedAuthentication 322.Cm HostbasedAuthentication
301and using a 323and using a
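Review bot: Dropping .Cm RhostsAuthentication from the DNS list here is inconsistent with lines 140-142 of the earlier hunk, which still read "Rhosts authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired"; if the option no longer exists, that paragraph should be removed or rewritten in the same commit so the page does not advertise a keyword the server no longer accepts.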
@@ -432,13 +454,13 @@ that option keywords are case-insensitive):
432Specifies that in addition to public key authentication, the canonical name 454Specifies that in addition to public key authentication, the canonical name
433of the remote host must be present in the comma-separated list of 455of the remote host must be present in the comma-separated list of
434patterns 456patterns
435.Pf ( Ql * 457.Pf ( Ql \&*
436and 458and
437.Ql ? 459.Ql \&?
438serve as wildcards). 460serve as wildcards).
439The list may also contain 461The list may also contain
440patterns negated by prefixing them with 462patterns negated by prefixing them with
441.Ql ! ; 463.Ql \&! ;
442if the canonical host name matches a negated pattern, the key is not accepted. 464if the canonical host name matches a negated pattern, the key is not accepted.
443The purpose 465The purpose
444of this option is to optionally increase security: public key authentication 466of this option is to optionally increase security: public key authentication
@@ -500,9 +522,9 @@ IPv6 addresses can be specified with an alternative syntax:
500.Ar host/port . 522.Ar host/port .
501Multiple 523Multiple
502.Cm permitopen 524.Cm permitopen
503options may be applied separated by commas. No pattern matching is 525options may be applied separated by commas.
504performed on the specified hostnames, they must be literal domains or 526No pattern matching is performed on the specified hostnames,
505addresses. 527they must be literal domains or addresses.
506.El 528.El
507.Ss Examples 529.Ss Examples
5081024 33 12121.\|.\|.\|312314325 ylo@foo.bar 5301024 33 12121.\|.\|.\|312314325 ylo@foo.bar
@@ -527,12 +549,16 @@ Each line in these files contains the following fields: hostnames,
527bits, exponent, modulus, comment. 549bits, exponent, modulus, comment.
528The fields are separated by spaces. 550The fields are separated by spaces.
529.Pp 551.Pp
530Hostnames is a comma-separated list of patterns ('*' and '?' act as 552Hostnames is a comma-separated list of patterns
553.Pf ( Ql \&*
554and
555.Ql \&?
556act as
531wildcards); each pattern in turn is matched against the canonical host 557wildcards); each pattern in turn is matched against the canonical host
532name (when authenticating a client) or against the user-supplied 558name (when authenticating a client) or against the user-supplied
533name (when authenticating a server). 559name (when authenticating a server).
534A pattern may also be preceded by 560A pattern may also be preceded by
535.Ql ! 561.Ql \&!
536to indicate negation: if the host name matches a negated 562to indicate negation: if the host name matches a negated
537pattern, it is not accepted (by that line) even if it matched another 563pattern, it is not accepted (by that line) even if it matched another
538pattern on the line. 564pattern on the line.
@@ -770,17 +796,6 @@ This can be used to specify
770machine-specific login-time initializations globally. 796machine-specific login-time initializations globally.
771This file should be writable only by root, and should be world-readable. 797This file should be writable only by root, and should be world-readable.
772.El 798.El
773.Sh AUTHORS
774OpenSSH is a derivative of the original and free
775ssh 1.2.12 release by Tatu Ylonen.
776Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
777Theo de Raadt and Dug Song
778removed many bugs, re-added newer features and
779created OpenSSH.
780Markus Friedl contributed the support for SSH
781protocol versions 1.5 and 2.0.
782Niels Provos and Markus Friedl contributed support
783for privilege separation.
784.Sh SEE ALSO 799.Sh SEE ALSO
785.Xr scp 1 , 800.Xr scp 1 ,
786.Xr sftp 1 , 801.Xr sftp 1 ,
@@ -812,3 +827,14 @@ for privilege separation.
812.%D January 2002 827.%D January 2002
813.%O work in progress material 828.%O work in progress material
814.Re 829.Re
830.Sh AUTHORS
831OpenSSH is a derivative of the original and free
832ssh 1.2.12 release by Tatu Ylonen.
833Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
834Theo de Raadt and Dug Song
835removed many bugs, re-added newer features and
836created OpenSSH.
837Markus Friedl contributed the support for SSH
838protocol versions 1.5 and 2.0.
839Niels Provos and Markus Friedl contributed support
840for privilege separation.
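Review bot: Moving the AUTHORS section from before SEE ALSO (removed at lines 773-783) to after it (lines 830-840) matches the conventional mdoc(7) section order, and the text is carried over verbatim, so nothing is lost in the move; only nit is that the hunk header "@@ -812,3 +827,14 @@ for privilege separation." shows the moved block now ends the file without a trailing .Pp or further section, which is fine for mdoc but worth a quick check that no following SEE ALSO cross-references were intended to come after it.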