1 files changed, 40 insertions, 12 deletions
diff --git a/sshd.8 b/sshd.8
index c5949dc1a..99e62173c 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
 .Em .rhosts
-authentication,
-.Em .rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
@@ -135,11 +133,6 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
-.Em rhosts
-authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.
-System security is not improved unless
 .Nm rshd ,
 .Nm rlogind ,
 and
@@ -430,7 +423,9 @@ or
 .Dq ssh-rsa .
 .Pp
 Note that lines in this file are usually several hundred bytes long
-(because of the size of the public key encoding).
+(because of the size of the public key encoding) up to a limit of
+8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
+keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub
@@ -561,6 +556,14 @@ to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
 .Pp
+Alternately, hostnames may be stored in a hashed form which hides host names
+and addresses should the file's contents be disclosed.
+Hashed hostnames start with a
+.Ql |
+character.
+Only one hashed hostname may appear on a single line and none of the above
+negation or wildcard operators may be applied.
+.Pp
 Bits, exponent, and modulus are taken directly from the RSA host key; they
 can be obtained, e.g., from
 .Pa /etc/ssh/ssh_host_key.pub .
@@ -592,6 +595,11 @@ and adding the host names at the front.
 closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
 cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
 .Ed
+.Bd -literal
+# A hashed hostname
+|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
+AAAA1234.....=
+.Ed
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config
@@ -660,6 +668,20 @@ These files should be writable only by root/the owner.
 should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
 can, but need not be, world-readable.
+.It Pa /etc/motd
+See
+.Xr motd 5 .
+.It Pa $HOME/.hushlogin
+This file is used to suppress printing the last login time and
+.Pa /etc/motd ,
+if
+.Cm PrintLastLog
+and
+.Cm PrintMotd ,
+respectively,
+are enabled.
+It does not suppress printing of the banner specified by
+.Cm Banner .
 .It Pa /etc/nologin
 If this file exists,
 .Nm
@@ -673,7 +695,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+and contains host-username pairs, separated by a space, one per
 line.
 The given user on the corresponding host is permitted to log in
 without a password.
@@ -694,7 +720,9 @@ However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@@ -713,7 +741,7 @@ Negated entries start with
 If the client host/user is successfully matched in this file, login is
 automatically permitted provided the client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
 This file must be writable only by root; it is recommended
 that it be world-readable.
 .Pp

diff --git a/sshd.8 b/sshd.8 index c5949dc1a..99e62173c 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $	37	.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -106,8 +106,6 @@ to use from those offered by the server.
106	Next, the server and the client enter an authentication dialog.	106	Next, the server and the client enter an authentication dialog.
107	The client tries to authenticate itself using	107	The client tries to authenticate itself using
108	.Em .rhosts	108	.Em .rhosts
109	authentication,
110	.Em .rhosts
111	authentication combined with RSA host	109	authentication combined with RSA host
112	authentication, RSA challenge-response authentication, or password	110	authentication, RSA challenge-response authentication, or password
113	based authentication.	111	based authentication.
@@ -135,11 +133,6 @@ or
135	.Ql \&NP\&	133	.Ql \&NP\&
136	).	134	).
137	.Pp	135	.Pp
138	.Em rhosts
139	authentication is normally disabled
140	because it is fundamentally insecure, but can be enabled in the server
141	configuration file if desired.
142	System security is not improved unless
143	.Nm rshd ,	136	.Nm rshd ,
144	.Nm rlogind ,	137	.Nm rlogind ,
145	and	138	and
@@ -430,7 +423,9 @@ or
430	.Dq ssh-rsa .	423	.Dq ssh-rsa .
431	.Pp	424	.Pp
432	Note that lines in this file are usually several hundred bytes long	425	Note that lines in this file are usually several hundred bytes long
433	(because of the size of the public key encoding).	426	(because of the size of the public key encoding) up to a limit of
		427	8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
		428	keys up to 16 kilobits.
434	You don't want to type them in; instead, copy the	429	You don't want to type them in; instead, copy the
435	.Pa identity.pub ,	430	.Pa identity.pub ,
436	.Pa id_dsa.pub	431	.Pa id_dsa.pub
@@ -561,6 +556,14 @@ to indicate negation: if the host name matches a negated
561	pattern, it is not accepted (by that line) even if it matched another	556	pattern, it is not accepted (by that line) even if it matched another
562	pattern on the line.	557	pattern on the line.
563	.Pp	558	.Pp
		559	Alternately, hostnames may be stored in a hashed form which hides host names
		560	and addresses should the file's contents be disclosed.
		561	Hashed hostnames start with a
		562	.Ql \|
		563	character.
		564	Only one hashed hostname may appear on a single line and none of the above
		565	negation or wildcard operators may be applied.
		566	.Pp
564	Bits, exponent, and modulus are taken directly from the RSA host key; they	567	Bits, exponent, and modulus are taken directly from the RSA host key; they
565	can be obtained, e.g., from	568	can be obtained, e.g., from
566	.Pa /etc/ssh/ssh_host_key.pub .	569	.Pa /etc/ssh/ssh_host_key.pub .
@@ -592,6 +595,11 @@ and adding the host names at the front.
592	closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi	595	closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
593	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=	596	cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
594	.Ed	597	.Ed
		598	.Bd -literal
		599	# A hashed hostname
		600	\|1\|JfKTdBh7rNbXkVAQCRp4OQoPfmI=\|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
		601	AAAA1234.....=
		602	.Ed
595	.Sh FILES	603	.Sh FILES
596	.Bl -tag -width Ds	604	.Bl -tag -width Ds
597	.It Pa /etc/ssh/sshd_config	605	.It Pa /etc/ssh/sshd_config
@@ -660,6 +668,20 @@ These files should be writable only by root/the owner.
660	should be world-readable, and	668	should be world-readable, and
661	.Pa $HOME/.ssh/known_hosts	669	.Pa $HOME/.ssh/known_hosts
662	can, but need not be, world-readable.	670	can, but need not be, world-readable.
		671	.It Pa /etc/motd
		672	See
		673	.Xr motd 5 .
		674	.It Pa $HOME/.hushlogin
		675	This file is used to suppress printing the last login time and
		676	.Pa /etc/motd ,
		677	if
		678	.Cm PrintLastLog
		679	and
		680	.Cm PrintMotd ,
		681	respectively,
		682	are enabled.
		683	It does not suppress printing of the banner specified by
		684	.Cm Banner .
663	.It Pa /etc/nologin	685	.It Pa /etc/nologin
664	If this file exists,	686	If this file exists,
665	.Nm	687	.Nm
@@ -673,7 +695,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
673	Further details are described in	695	Further details are described in
674	.Xr hosts_access 5 .	696	.Xr hosts_access 5 .
675	.It Pa $HOME/.rhosts	697	.It Pa $HOME/.rhosts
676	This file contains host-username pairs, separated by a space, one per	698	This file is used during
		699	.Cm RhostsRSAAuthentication
		700	and
		701	.Cm HostbasedAuthentication
		702	and contains host-username pairs, separated by a space, one per
677	line.	703	line.
678	The given user on the corresponding host is permitted to log in	704	The given user on the corresponding host is permitted to log in
679	without a password.	705	without a password.
@@ -694,7 +720,9 @@ However, this file is
694	not used by rlogin and rshd, so using this permits access using SSH only.	720	not used by rlogin and rshd, so using this permits access using SSH only.
695	.It Pa /etc/hosts.equiv	721	.It Pa /etc/hosts.equiv
696	This file is used during	722	This file is used during
697	.Em rhosts	723	.Cm RhostsRSAAuthentication
		724	and
		725	.Cm HostbasedAuthentication
698	authentication.	726	authentication.
699	In the simplest form, this file contains host names, one per line.	727	In the simplest form, this file contains host names, one per line.
700	Users on	728	Users on
@@ -713,7 +741,7 @@ Negated entries start with
713	If the client host/user is successfully matched in this file, login is	741	If the client host/user is successfully matched in this file, login is
714	automatically permitted provided the client and server user names are the	742	automatically permitted provided the client and server user names are the
715	same.	743	same.
716	Additionally, successful RSA host authentication is normally required.	744	Additionally, successful client host key authentication is required.
717	This file must be writable only by root; it is recommended	745	This file must be writable only by root; it is recommended
718	that it be world-readable.	746	that it be world-readable.
719	.Pp	747	.Pp