From 59a5f9bd69a42957dfb28342fecc6d1cfa4c7afc Mon Sep 17 00:00:00 2001
From: Ben Lindstrom
Date: Sat, 3 Mar 2001 21:37:50 +0000
Subject: - (bal) Remove make-ssh-known-hosts.1 since it's no longer valid.
---
 ChangeLog | 13 +-
 contrib/make-ssh-known-hosts.1 | 432 ----------------------------------------
 2 files changed, 8 insertions(+), 437 deletions(-)
 delete mode 100644 contrib/make-ssh-known-hosts.1
diff --git a/ChangeLog b/ChangeLog
index 7313e0a47..6c33e928a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,11 @@
+20010304
+ - (bal) Remove make-ssh-known-hosts.1 since it's no longer valid.
+
 20010303
- - Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
- - Document PAM ChallengeResponseAuthentication in sshd.8
- - Disable and comment ChallengeResponseAuthentication in sshd_config
- - Allow PRNGd entropy collection from localhost TCP socket. Replace
+ - (djm) Remove make-ssh-known-hosts.pl, ssh-keyscan is better.
+ - (djm) Document PAM ChallengeResponseAuthentication in sshd.8
+ - (djm) Disable and comment ChallengeResponseAuthentication in sshd_config
+ - (djm) Allow PRNGd entropy collection from localhost TCP socket. Replace
   "--with-egd-pool" configure option with "--with-prngd-socket" and
   "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke
@@ -4184,4 +4187,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.848 2001/03/03 13:29:20 djm Exp $
+$Id: ChangeLog,v 1.849 2001/03/03 21:37:50 mouring Exp $
diff --git a/contrib/make-ssh-known-hosts.1 b/contrib/make-ssh-known-hosts.1
deleted file mode 100644
index cf0d52f0b..000000000
--- a/contrib/make-ssh-known-hosts.1
+++ /dev/null
@@ -1,432 +0,0 @@
-.\" -*- nroff -*-
-.\" ----------------------------------------------------------------------
-.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
-.\" Copyright (c) 1995 Tero Kivinen
-.\" All Rights Reserved.
-.\"
-.\" Make-ssh-known-hosts is distributed in the hope that it will be
-.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts
-.\" responsibility to anyone for the consequences of using it or for
-.\" whether it serves any particular purpose or works at all, unless he
-.\" says so in writing. Refer to the General Public License for full
-.\" details.
-.\"
-.\" Everyone is granted permission to copy, modify and redistribute
-.\" make-ssh-known-hosts, but only under the conditions described in
-.\" the General Public License. A copy of this license is supposed to
-.\" have been given to you along with make-ssh-known-hosts so you can
-.\" know your rights and responsibilities. It should be in a file named
-.\" COPYING. Among other things, the copyright notice and this notice
-.\" must be preserved on all copies.
-.\" ----------------------------------------------------------------------
-.\" Program: make-ssh-known-hosts.1
-.\" $Source: /var/cvs/openssh/contrib/Attic/make-ssh-known-hosts.1,v $
-.\" Author : $Author: damien $
-.\"
-.\" (C) Tero Kivinen 1995
-.\"
-.\" Creation : 03:51 Jun 28 1995 kivinen
-.\" Last Modification : 03:44 Jun 28 1995 kivinen
-.\" Last check in : $Date: 2000/03/15 01:13:03 $
-.\" Revision number : $Revision: 1.1 $
-.\" State : $State: Exp $
-.\" Version : 1.1
-.\"
-.\" Description : Manual page for make-ssh-known-hosts.pl
-.\"
-.\" $Log: make-ssh-known-hosts.1,v $
-.\" Revision 1.1 2000/03/15 01:13:03 damien
-.\" - Created contrib/ subdirectory. Included helpers from Phil Hands'
-.\" Debian package, README file and chroot patch from Ricardo Cerqueira
-.\"
-.\" - Moved gnome-ssh-askpass.c to contrib directory and reomved config
-.\" option.
-.\" - Slight cleanup to doc files
-.\"
-.\" Revision 1.4 1998/07/08 00:40:14 kivinen
-.\" Changed to do similar commercial #ifdef processing than other
-.\" files.
-.\"
-.\" Revision 1.3 1998/06/11 00:07:21 kivinen
-.\" Fixed comment characters.
-.\"
-.\" Revision 1.2 1997/04/27 21:48:28 kivinen
-.\" Added F-SECURE stuff.
-.\"
-.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
-.\" Imported ssh-1.2.13.
-.\"
-.\" Revision 1.5 1995/10/02 01:23:23 ylo
-.\" Make substitutions by configure.
-.\"
-.\" Revision 1.4 1995/08/31 09:21:35 ylo
-.\" Minor cleanup.
-.\"
-.\" Revision 1.3 1995/08/29 22:37:10 ylo
-.\" Minor cleanup.
-.\"
-.\" Revision 1.2 1995/07/15 13:26:11 ylo
-.\" Changes from kivinen.
-.\"
-.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo
-.\" Imported ssh-1.0.0.
-.\"
-.\"
-.\"
-.\" If you have any useful modifications or extensions please send them to
-.\" Tero.Kivinen@hut.fi
-.\"
-.\"
-.\"
-.\"
-.\"
-.\" #ifndef F_SECURE_COMMERCIAL
-.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
-.\" #endif F_SECURE_COMMERCIAL
-.SH NAME
-make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
-.SH SYNOPSIS
-.na
-.TP
-.B make-ssh-known-hosts
-.RB "[\|" "\-\-initialdns "\c
-.I initial_dns\c
-\|]
-.br
-.RB "[\|" "\-\-server "\c
-.I domain_name_server\c
-\|]
-.br
-.RB "[\|" "\-\-subdomains "\c
-.I comma_separated_list_of_subdomains\c
-\|]
-.br
-.RB "[\|" "\-\-debug "\c
-.I debug_level\c
-\|]
-.br
-.RB "[\|" "\-\-timeout "\c
-.I ssh_exec_timeout\c
-\|]
-.br
-.RB "[\|" "\-\-pingtimeout "\c
-.I ping_timeout\c
-\|]
-.br
-.RB "[\|" "\-\-passwordtimeout "\c
-.I timeout_when_asking_password\c
-\|]
-.br
-.RB "[\|" "\-\-notrustdaemon" "\|]"
-.br
-.RB "[\|" "\-\-norecursive" "\|]"
-.br
-.RB "[\|" "\-\-domainnamesplit" "\|]"
-.br
-.RB "[\|" "\-\-silent" "\|]"
-.br
-.RB "[\|" "\-\-keyscan" "\|]"
-.br
-.RB "[\|" "\-\-nslookup "\c
-.I path_to_nslookup_program\c
-\|]
-.br
-.RB "[\|" "\-\-ssh "\c
-.I path_to_ssh_program\c
-\|]
-.br
-.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp"\|]\|]"
-
-.SH DESCRIPTION
-.LP
-.B make-ssh-known-hosts
-is a perl5 script that helps create the
-.I /etc/ssh_known_hosts
-file, which is used by
-.B ssh
-to contain the host keys of all publicly known hosts.
-.B Ssh
-does not normally permit login using rhosts or /etc/hosts.equiv
-authentication unless the server knows the client's host key. In
-addition, the host keys are used to prevent man-in-the-middle attacks.
-.LP
-In addition to
-.IR /etc/ssh_known_hosts ",
-.B ssh
-also uses the
-.I $HOME/.ssh/known_hosts
-file. This file, however, is intended to contain only those hosts
-that the particular user needs but are not in the global file. It is
-intended that the
-.I /etc/ssh_known_hosts
-file be maintained by the system administration, and periodically
-updated to contain the host keys for any new hosts.
-.LP
-The
-.B make-ssh-known-hosts
-program finds all the hosts in a domain by making a DNS query to the
-master domain name server of the domain. The master domain name server
-is located by searching for the SOA record of the domain from the initial
-domain name server (which can be specified with the
-.B \-\-initialdns
-option). The master domain name server can also be given directly with
-the
-.B \-\-server
-option.
-.LP
-After getting the hostname list
-.B make-ssh-known-hosts
-tries to get the public key from every host in the domain. It first
-tries to connect ssh port to check check if the host is alive, and if
-so, it tries to run the command
-.B cat /etc/ssh_host_key.pub
-on the remote machine using
-.BR ssh ".
-If the command succeeds, it knows the remote machine has
-.B ssh
-installed properly, and it then extracts the public key from the
-output, and prints the
-.B /etc/ssh_known_hosts
-entry for it to
-.BR STDOUT ". Because
-.B make-ssh-known-hosts
-is usually run before
-remote machines have /etc/ssh_known_hosts file you may have to use
-RSA-authentication to allow access to hosts.
-.LP
-If the command fails for some reason, it checks if the
-.B ssh
-client still got the public key from the remote host in the initial dialog,
-and if so, it will print a proper entry, and if
-.B \-\-notrustdaemon
-option is given comment it out.
-.LP
-.I Domain_name
-is the domain name for which the file is to be generated. By default
-.B make-ssh-known-hosts
-extracts also all subdomains of domain. Many sites will want to
-include several domains in their
-.I /etc/ssh_known_hosts
-file. The entries for each domain should be extracted separately by
-running
-.B make-ssh-known-hosts
-once for each domain. The results should then be combined to create
-the final file.
-.LP
-.I Take_regexp
-is a perl regular expression that matches the hosts to be taken from the
-domain. The data matched contains all the DNS records in the form "\|\c
-.B fieldname=value\c
-\|". The fields are separated with newline, and the perl match is made in
-multiline mode and it is case insensetive. The multiline mode means
-that you can use a regexp like "\|\c
-.B ^wks=.*telnet.*$\c
-\|" to match all hosts that have WKS (well known services) field that
-contains value "telnet".
-.LP
-.I Remove_regexp
-is similar but those hosts that match the regexp are not added (it can
-be used for example to filter out PCs and Macs using the hinfo field: "\|\c
-.B ^hinfo=.*(mac|pc)\c
-\|").
-
-.SH OPTIONS
-.TP
-.BI "\-\-initialdns " "initial_dns"\c
-.TP
-.BI "\-i " "initial_dns"\c
-\&Set the initial domain name server used to query the SOA record of the
-domain.
-
-.TP
-.BI "\-\-server " "domain_name_server"\c
-.TP
-.BI "\-se " "domain_name_server"\c
-\&Set the master domain name server of the domain. This host is used
-to query the DNS list of the domain.
-
-.TP
-.BI "\-\-subdomains " "subdomainlist"\c
-.TP
-.BI "\-su " "subdomainlist"\c
-\&Comma separated list of subdomains that are added to hostnames. For
-example, if subdomainlist is "\|\c
-.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
-\|" then when host foobar is added to
-.B /etc/ssh_known_hosts
-file it has aliases "\|\c
-.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
-\|". The default action is to take all subparts of the host but the
-second last on a host by host basis. (The last element is usually the
-country code, and something like
-.I foobar.foo.bar.zappa.hut
-would not make sense.)
-
-.TP
-.BI "\-\-debug " "debug_level"\c
-.TP
-.BI "\-de " "debug_level"\c
-\&Set the debug level. Default is 5, bigger values give more output.
-Using a big value (like 999) will print lots of debugging output.
-
-.TP
-.BI "\-\-timeout " "ssh_exec_timeout"\c
-.TP
-.BI "\-ti " "ssh_exec_timeout"\c
-\&Timeout when executing
-.B ssh
-command. The default is 60 seconds.
-
-.TP
-.BI "\-\-pingtimeout " "ping_timeout"\c
-.TP
-.BI "\-pi " "ping_timeout"\c
-\&Timeout when trying to ping the ssh port. The default is 3 seconds.
-
-.TP
-.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
-.TP
-.BI "\-pa " "timeout_when_asking_password"\c
-\&Timeout when asking password for ssh command. Default is that no
-passwords are queried. Use value 0 to have no timeout for password queries.
-
-.TP
-.BI "\-\-notrustdaemon"\c
-.TP
-.BI "\-notr"\c
-\&If the
-.B ssh
-command fails, use the public key stored in the local known hosts file
-and trust it is the correct key for the host. If this option is not
-given such entries are commented out in the generated
-.B /etc/ssh_known_hosts
-file.
-
-.TP
-.BI "\-\-norecursive"\c
-.TP
-.BI "\-nor"\c
-\&Tell
-.B make-ssh-known-hosts
-that it should only extract keys for the given domain, and not to be
-recursive.
-
-.TP
-.BI "\-\-domainnamesplit"\c
-.TP
-.BI "\-do"\c
-\&Split the domainname to get the list of subdomains. Use this option
-if you don't want hostname to splitted to pieces automatically.
-Default splitting is done host by host basis. If the domain is
-zappa.hut.fi, and the host name is foo.bar then default action adds
-entries "\|\c
-.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
-\|" and this options adds entries "\|\c
-.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
-\|").
-
-.TP
-.BI "\-\-silent"\c
-.TP
-.BI "\-si"\c
-\&Be silent.
-
-.TP
-.BI "\-\-keyscan"\c
-.TP
-.BI "\-k"\c
-\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn
-hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
-The output of this can be feeded to ssh-keyscan to fetch keys.
-
-.TP
-.BI "\-\-nslookup " "path_to_nslookup_program"\c
-.TP
-.BI "\-n " "path_to_nslookup_program"\c
-\&Path to the
-.B nslookup
-program.
-
-.TP
-.BI "\-\-ssh " "path_to_ssh_program"\c
-.TP
-.BI "\-ss " "path_to_ssh_program"\c
-\&Path to the
-.B ssh
-program, including all options.
-
-.SH EXAMPLES
-.LP
-The following command:
-.IP
-.B example# make-ssh-known-hosts cs.hut.fi > \c
-.B /etc/ssh_known_hosts
-.LP
-finds all public keys of the hosts in
-.B cs.hut.fi
-domain and put them to
-.B /etc/ssh_known_hosts
-file splitting domain names on a per host basis.
-.LP
-The command
-.IP
-.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
-.B hut-hosts
-.LP
-finds all hosts in
-.B hut.fi
-domain, and its subdomains having own name server (cs.hut.fi,
-tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key
-to hut-hosts file. This would require that the domain name server of
-hut.fi would define all hosts running ssh to have entry ssh in their
-WKS record. Because nobody yet adds ssh to WKS, it would be better to
-use command
-.IP
-.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
-.B hut-hosts
-.LP
-that would take those host having telnet service. This uses default
-subdomain list.
-
-.LP
-The command:
-.IP
-.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
-.B dipoli-hosts
-.LP
-finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain
-(note dipoli.hut.fi does not have own name server so its entries are
-in hut.fi-server) and that are not Mac or PC.
-
-.SH FILES
-.ta 3i
-/etc/ssh_known_hosts Global host public key list
-
-.SH "SEE ALSO"
-.BR ssh (1),
-.BR sshd (8),
-.BR ssh-keygen (1),
-.BR ping (8),
-.BR nslookup (8),
-.BR perl (1),
-.BR perlre (1)
-
-.SH AUTHOR
-Tero Kivinen
-
-.SH COPYING
-.LP
-Permission is granted to make and distribute verbatim copies of
-this manual provided the copyright notice and this permission notice
-are preserved on all copies.
-.LP
-Permission is granted to copy and distribute modified versions of this
-manual under the conditions for verbatim copying, provided that the
-entire resulting derived work is distributed under the terms of a
-permission notice identical to this one.
-.LP
-Permission is granted to copy and distribute translations of this
-manual into another language, under the above conditions for modified
-versions, except that this permission notice may be included in
-translations approved by the the author instead of in the original
-English.
-- cgit v1.2.3