From 467b00c38ba244f9966466e57a89d003f3afb159 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Apr 2013 15:23:07 +1000 Subject: - djm@cvs.openbsd.org 2013/04/19 01:00:10 [sshd_config.5] document the requirment that the AuthorizedKeysCommand be owned by root; ok dtucker@ markus@ --- ChangeLog | 5 +++++ sshd_config.5 | 7 ++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b7a189221..666596b55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,6 +56,11 @@ - djm@cvs.openbsd.org 2013/04/18 02:16:07 [sftp.c] make "sftp -q" do what it says on the sticker: hush everything but errors; + ok dtucker@ + - djm@cvs.openbsd.org 2013/04/19 01:00:10 + [sshd_config.5] + document the requirment that the AuthorizedKeysCommand be owned by root; + ok dtucker@ markus@ 20130418 - (djm) [config.guess config.sub] Update to last versions before they switch diff --git a/sshd_config.5 b/sshd_config.5 index 4fe3c55b6..590fb4088 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.157 2013/03/07 19:27:25 markus Exp $ -.Dd $Mdocdate: March 7 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -202,7 +202,8 @@ The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. -The program will be invoked with a single argument of the username +The program must be owned by root and not writable by group or others. +It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see .Sx AUTHORIZED_KEYS -- cgit v1.2.3