From d663bea30a294d440fef4398e5cd816317bd4518 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 11 Dec 2014 05:25:06 +0000 Subject: upstream commit mention AuthorizedKeysCommandUser must be set for AuthorizedKeysCommand to be run; bz#2287 --- sshd_config.5 | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/sshd_config.5 b/sshd_config.5 index 78a8d00be..9f52cf441 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.180 2014/11/22 19:21:03 jmc Exp $ -.Dd $Mdocdate: November 22 2014 $ +.\" $OpenBSD: sshd_config.5,v 1.181 2014/12/11 05:25:06 djm Exp $ +.Dd $Mdocdate: December 11 2014 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -210,6 +210,18 @@ would restrict keyboard interactive authentication to the .Dq bsdauth device. .Pp +If the +.Dq publickey +method is listed more than one, +.Xr sshd 8 +verifies that keys that have been successfully are not reused for subsequent +authentications. +For example, an +.Cm AuthenticationMethods +of +.Dq publickey,publickey +will require successful authentication using two different public keys. +.Pp This option is only available for SSH protocol 2 and will yield a fatal error if enabled if protocol 1 is also enabled. Note that each authentication method listed should also be explicitly enabled @@ -232,6 +244,9 @@ By default, no AuthorizedKeysCommand is run. Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands. +If no user is specified then +.Cm AuthorizedKeysCommand +is ignored. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. -- cgit v1.2.3