Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 53 |
1 files changed, 51 insertions, 2 deletions
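diff --git a/sshd_config.5 b/sshd_config.5
index de447bce5..a5e20d1e8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.120 2010/03/04 23:17:25 djm Exp $
-.Dd $Mdocdate: March 4 2010 $
+.\" $OpenBSD: sshd_config.5,v 1.125 2010/06/30 07:28:34 jmc Exp $
+.Dd $Mdocdate: June 30 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -182,6 +182,10 @@ for more information on patterns.
 .It Cm AuthorizedKeysFile
 Specifies the file that contains the public keys that can be used
 for user authentication.
+The format is described in the
+.Sx AUTHORIZED_KEYS FILE FORMAT
+section of
+.Xr sshd 8 .
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
 setup.
@@ -194,6 +198,47 @@ is taken to be an absolute path or one relative to the user's home
 directory.
 The default is
 .Dq .ssh/authorized_keys .
+.It Cm AuthorizedPrincipalsFile
+Specifies a file that lists principal names that are accepted for
+certificate authentication.
+When using certificates signed by a key listed in
+.Cm TrustedUserCAKeys ,
+this file lists names, one of which must appear in the certificate for it
+to be accepted for authentication.
+Names are listed one per line preceded by key options (as described
+in
+.Sx AUTHORIZED_KEYS FILE FORMAT
+in
+.Xr sshd 8 ) .
+Empty lines and comments starting with
+.Ql #
+are ignored.
+.Pp
+.Cm AuthorizedPrincipalsFile
+may contain tokens of the form %T which are substituted during connection
+setup.
+The following tokens are defined: %% is replaced by a literal '%',
+%h is replaced by the home directory of the user being authenticated, and
+%u is replaced by the username of that user.
+After expansion,
+.Cm AuthorizedPrincipalsFile
+is taken to be an absolute path or one relative to the user's home
+directory.
+.Pp
+The default is not to use a principals file \(en in this case, the username
+of the user must appear in a certificate's principals list for it to be
+accepted.
+Note that
+.Cm AuthorizedPrincipalsFile
+is only used when authentication proceeds using a CA listed in
+.Cm TrustedUserCAKeys
+and is not consulted for certification authorities trusted via
+.Pa ~/.ssh/authorized_keys ,
+though the
+.Cm principals=
+key option offers a similar facility (see
+.Xr sshd 8
+for details).
 .It Cm Banner
 The contents of the specified file are sent to the remote user before
 authentication is allowed.
@@ -667,12 +712,15 @@ keyword.
 Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
+.Cm AuthorizedKeysFile ,
+.Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
 .Cm HostbasedAuthentication ,
+.Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
@@ -681,6 +729,7 @@ Available keywords are
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
+.Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,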