From 3dc967e17b7eb226ac1211f17ee6fabfc0234015 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:03:15 +1000 Subject: - jmc@cvs.openbsd.org 2005/04/14 12:30:30 [ssh.1] arg to -b is an address, not if_name; ok markus@ --- ssh.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ssh.1 b/ssh.1 index e6f4b4a54..4cbab7477 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.205 2005/03/07 23:41:54 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.206 2005/04/14 12:30:30 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -423,7 +423,7 @@ authenticate using the identities loaded into the agent. .It Fl a Disables forwarding of the authentication agent connection. .It Fl b Ar bind_address -Specify the interface to transmit from on machines with multiple +Specify the interface address to transmit from on machines with multiple interfaces or aliased addresses. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and -- cgit v1.2.3 From 167ea5d0268243991ad3c55cb20fa2b53f577b37 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:04:02 +1000 Subject: - djm@cvs.openbsd.org 2005/04/21 06:17:50 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@ --- ChangeLog | 6 ++++- ssh-add.1 | 14 ++++++------ ssh-agent.1 | 14 ++++++------ ssh-keygen.1 | 26 +++++++++++----------- ssh.1 | 70 +++++++++++++++++++++++++++++------------------------------ ssh_config.5 | 20 ++++++++--------- sshd.8 | 30 ++++++++++++------------- sshd_config.5 | 4 ++-- 8 files changed, 94 insertions(+), 90 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index bd45e73d6..b9d6de72d 100644 --- a/ChangeLog 
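Review bot: the replacement line in the ssh.1 hunk at `@@ -423,7 +423,7 @@` ("Specify the interface address to transmit from on machines with multiple interfaces or aliased addresses") still describes `.Ar bind_address` in terms of an interface, which is the confusion the commit message says it is fixing. Say what the argument actually is, a local address used as the source address of the connection, for example "Use bind_address on the local machine as the source address of the connection", and drop "interface" altogether.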
+++ b/ChangeLog @@ -23,6 +23,10 @@ - jakob@cvs.openbsd.org 2005/04/20 10:05:45 [dns.c] do not try to look up SSHFP for numerical hostname. ok djm@ + - djm@cvs.openbsd.org 2005/04/21 06:17:50 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] + [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment + variable, so don't say that we do (bz #623); ok deraadt@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2522,4 +2526,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3767 2005/05/26 02:03:31 djm Exp $ +$Id: ChangeLog,v 1.3768 2005/05/26 02:04:02 djm Exp $ diff --git a/ssh-add.1 b/ssh-add.1 index 1f3df5bec..327fcddae 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.42 2005/03/01 17:32:19 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -57,10 +57,10 @@ adds RSA or DSA identities to the authentication agent, .Xr ssh-agent 1 . When run without arguments, it adds the files -.Pa $HOME/.ssh/id_rsa , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_dsa and -.Pa $HOME/.ssh/identity . +.Pa ~/.ssh/identity . Alternative file names can be given on the command line. If any file requires a passphrase, .Nm @@ -142,11 +142,11 @@ agent. .El .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .El .Pp diff --git a/ssh-agent.1 b/ssh-agent.1 index 226804e5f..741cf4bd1 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.41 2004/07/11 17:48:47 deraadt Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -111,10 +111,10 @@ Keys are added using When executed without arguments, .Xr ssh-add 1 adds the files -.Pa $HOME/.ssh/id_rsa , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_rsa , +.Pa ~/.ssh/id_dsa and -.Pa $HOME/.ssh/identity . +.Pa ~/.ssh/identity . If the identity has a passphrase, .Xr ssh-add 1 asks for the passphrase (using a small X11 application if running @@ -179,11 +179,11 @@ The agent exits automatically when the command given on the command line terminates. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. .It Pa /tmp/ssh-XXXXXXXX/agent. Unix-domain sockets used to contain the connection to the diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c14eed14e..ac0b72764 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.67 2005/03/14 10:09:03 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.68 2005/04/21 06:17:50 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -129,10 +129,10 @@ section for details. Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in -.Pa $HOME/.ssh/identity , -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/identity , +.Pa ~/.ssh/id_dsa or -.Pa $HOME/.ssh/id_rsa . +.Pa ~/.ssh/id_rsa . Additionally, the system administrator may use this to generate host keys, as seen in .Pa /etc/rc . 
@@ -381,7 +381,7 @@ It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/identity +.It Pa ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -392,14 +392,14 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/identity.pub +.It Pa ~/.ssh/identity.pub Contains the protocol version 1 RSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using RSA authentication. There is no need to keep the contents of this file secret. -.It Pa $HOME/.ssh/id_dsa +.It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to @@ -410,14 +410,14 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/id_dsa.pub +.It Pa ~/.ssh/id_dsa.pub Contains the protocol version 2 DSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. -.It Pa $HOME/.ssh/id_rsa +.It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to 
@@ -428,10 +428,10 @@ This file is not automatically accessed by but it is offered as the default file for the private key. .Xr ssh 1 will read this file when a login attempt is made. -.It Pa $HOME/.ssh/id_rsa.pub +.It Pa ~/.ssh/id_rsa.pub Contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. diff --git a/ssh.1 b/ssh.1 index 4cbab7477..05d2234a3 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.206 2005/04/14 12:30:30 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.207 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -109,9 +109,9 @@ or .Pa /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files -.Pa $HOME/.rhosts +.Pa ~/.rhosts or -.Pa $HOME/.shosts +.Pa ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is @@ -120,7 +120,7 @@ Additionally, if the server can verify the client's host key (see .Pa /etc/ssh/ssh_known_hosts and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts in the .Sx FILES section), only then is login permitted. @@ -128,7 +128,7 @@ This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to the administrator: .Pa /etc/hosts.equiv , -.Pa $HOME/.rhosts , +.Pa ~/.rhosts , and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] .Pp 
@@ -144,7 +144,7 @@ key pair for authentication purposes. The server knows the public key, and only the user knows the private key. .Pp The file -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the .Nm @@ -165,18 +165,18 @@ implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running .Xr ssh-keygen 1 . This stores the private key in -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity and stores the public key in -.Pa $HOME/.ssh/identity.pub +.Pa ~/.ssh/identity.pub in the user's home directory. The user should then copy the .Pa identity.pub to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys in his/her home directory on the remote machine (the .Pa authorized_keys file corresponds to the conventional -.Pa $HOME/.rhosts +.Pa ~/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. @@ -206,12 +206,12 @@ password authentication are tried. The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key, -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa or -.Pa $HOME/.ssh/id_rsa , +.Pa ~/.ssh/id_rsa , to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. 
@@ -365,7 +365,7 @@ electronic purse; another is going through firewalls. automatically maintains and checks a database containing identifications for all hosts it has ever been used with. Host keys are stored in -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts in the user's home directory. Additionally, the file .Pa /etc/ssh/ssh_known_hosts @@ -522,7 +522,7 @@ the system-wide configuration file .Pq Pa /etc/ssh/ssh_config will be ignored. The default for the per-user configuration file is -.Pa $HOME/.ssh/config . +.Pa ~/.ssh/config . .It Fl f Requests .Nm @@ -548,11 +548,11 @@ private RSA key. Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity for protocol version 1, and -.Pa $HOME/.ssh/id_rsa +.Pa ~/.ssh/id_rsa and -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. @@ -941,7 +941,7 @@ Set to the name of the user logging in. Additionally, .Nm reads -.Pa $HOME/.ssh/environment , +.Pa ~/.ssh/environment , and adds lines of the format .Dq VARNAME=value to the environment if the file exists and if users are allowed to @@ -952,13 +952,13 @@ option in .Xr sshd_config 5 . .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/known_hosts +.It Pa ~/.ssh/known_hosts Records host keys for all hosts the user has logged into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . -.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa +.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files 
@@ -970,21 +970,21 @@ ignores a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. -.It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub +.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the -.Pa $HOME/.ssh/identity.pub +.Pa ~/.ssh/identity.pub file should be added to the file -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 1 RSA authentication. The contents of the -.Pa $HOME/.ssh/id_dsa.pub +.Pa ~/.ssh/id_dsa.pub and -.Pa $HOME/.ssh/id_rsa.pub +.Pa ~/.ssh/id_rsa.pub file should be added to -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. These files are not @@ -992,13 +992,13 @@ sensitive and can (but need not) be readable by anyone. These files are never used automatically and are not necessary; they are only provided for the convenience of the user. -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. -.It Pa $HOME/.ssh/authorized_keys +.It Pa ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 @@ -1058,7 +1058,7 @@ be setuid root when that authentication method is used. By default .Nm is not setuid root. -.It Pa $HOME/.rhosts +.It Pa ~/.rhosts This file is used in .Cm RhostsRSAAuthentication and 
@@ -1088,12 +1088,12 @@ authentication before permitting log in. If the server machine does not have the client's host key in .Pa /etc/ssh/ssh_known_hosts , it can be stored in -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . The easiest way to do this is to connect back to the client from the server machine using ssh; this will automatically add the host key to -.Pa $HOME/.ssh/known_hosts . -.It Pa $HOME/.shosts +.Pa ~/.ssh/known_hosts . +.It Pa ~/.shosts This file is used exactly the same way as .Pa .rhosts . The purpose for @@ -1133,7 +1133,7 @@ when the user logs in just before the user's shell (or command) is started. See the .Xr sshd 8 manual page for more information. -.It Pa $HOME/.ssh/rc +.It Pa ~/.ssh/rc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is @@ -1141,7 +1141,7 @@ started. See the .Xr sshd 8 manual page for more information. -.It Pa $HOME/.ssh/environment +.It Pa ~/.ssh/environment Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above. diff --git a/ssh_config.5 b/ssh_config.5 index b35753307..7e48fa65b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.49 2005/03/16 11:10:38 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.50 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -43,7 +43,7 @@ .Nd OpenSSH SSH client configuration files .Sh SYNOPSIS .Bl -tag -width Ds -compact -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config .It Pa /etc/ssh/ssh_config .El .Sh DESCRIPTION @@ -55,7 +55,7 @@ the following order: command-line options .It user's configuration file -.Pq Pa $HOME/.ssh/config +.Pq Pa ~/.ssh/config .It system-wide configuration file .Pq Pa /etc/ssh/ssh_config 
@@ -411,7 +411,7 @@ Note that this option applies to protocol version 2 only. Indicates that .Nm ssh should hash host names and addresses when they are added to -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . These hashed names may be used normally by .Nm ssh and @@ -457,11 +457,11 @@ specifications). Specifies a file from which the user's RSA or DSA authentication identity is read. The default is -.Pa $HOME/.ssh/identity +.Pa ~/.ssh/identity for protocol version 1, and -.Pa $HOME/.ssh/id_rsa +.Pa ~/.ssh/id_rsa and -.Pa $HOME/.ssh/id_dsa +.Pa ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. @@ -751,7 +751,7 @@ If this flag is set to .Dq yes , .Nm ssh will never automatically add host keys to the -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, however, can be annoying when the @@ -823,7 +823,7 @@ having to remember to give the user name on the command line. .It Cm UserKnownHostsFile Specifies a file to use for the user host key database instead of -.Pa $HOME/.ssh/known_hosts . +.Pa ~/.ssh/known_hosts . .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. @@ -856,7 +856,7 @@ The default is .El .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/config +.It Pa ~/.ssh/config This is the per-user configuration file. The format of this file is described above. This file is used by the diff --git a/sshd.8 b/sshd.8 index ac3bf96cf..6acdda130 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.206 2005/03/01 14:59:49 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.207 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os 
@@ -350,7 +350,7 @@ If the login is on a tty, and no command has been specified, prints last login time and .Pa /etc/motd (unless prevented in the configuration file or by -.Pa $HOME/.hushlogin ; +.Pa ~/.hushlogin ; see the .Sx FILES section). @@ -367,7 +367,7 @@ Changes to run with normal user privileges. Sets up basic environment. .It Reads the file -.Pa $HOME/.ssh/environment , +.Pa ~/.ssh/environment , if it exists, and users are allowed to change their environment. See the .Cm PermitUserEnvironment @@ -377,7 +377,7 @@ option in Changes to user's home directory. .It If -.Pa $HOME/.ssh/rc +.Pa ~/.ssh/rc exists, runs it; else if .Pa /etc/ssh/sshrc exists, runs @@ -390,7 +390,7 @@ authentication protocol and cookie in standard input. Runs user's shell or command. .El .Sh AUTHORIZED_KEYS FILE FORMAT -.Pa $HOME/.ssh/authorized_keys +.Pa ~/.ssh/authorized_keys is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) @@ -528,7 +528,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 The .Pa /etc/ssh/ssh_known_hosts and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is @@ -639,7 +639,7 @@ listening for connections (if there are several daemons running concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable. -.It Pa $HOME/.ssh/authorized_keys +.It Pa ~/.ssh/authorized_keys Lists the public keys (RSA or DSA) that can be used to log into the user's account. This file must be readable by root (which may on some machines imply it being world-readable if the user's home directory resides on an NFS 
@@ -653,7 +653,7 @@ and/or .Pa id_rsa.pub files into this file, as described in .Xr ssh-keygen 1 . -.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" +.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts" These files are consulted when using rhosts with RSA host authentication or protocol version 2 hostbased authentication to check the public key of the host. @@ -663,12 +663,12 @@ to verify that it is connecting to the correct remote host. These files should be writable only by root/the owner. .Pa /etc/ssh/ssh_known_hosts should be world-readable, and -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts can, but need not be, world-readable. .It Pa /etc/motd See .Xr motd 5 . -.It Pa $HOME/.hushlogin +.It Pa ~/.hushlogin This file is used to suppress printing the last login time and .Pa /etc/motd , if @@ -691,7 +691,7 @@ The file should be world-readable. Access controls that should be enforced by tcp-wrappers are defined here. Further details are described in .Xr hosts_access 5 . -.It Pa $HOME/.rhosts +.It Pa ~/.rhosts This file is used during .Cm RhostsRSAAuthentication and @@ -709,7 +709,7 @@ It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. -.It Pa $HOME/.shosts +.It Pa ~/.shosts For ssh, this file is exactly the same as for .Pa .rhosts . @@ -758,7 +758,7 @@ This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both rsh/rlogin and ssh. -.It Pa $HOME/.ssh/environment +.It Pa ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with .Ql # ) , @@ -769,7 +769,7 @@ Environment processing is disabled by default and is controlled via the .Cm PermitUserEnvironment option. -.It Pa $HOME/.ssh/rc +.It Pa ~/.ssh/rc If this file exists, it is run with .Pa /bin/sh after reading the 
@@ -814,7 +814,7 @@ This file should be writable only by the user, and need not be readable by anyone else. .It Pa /etc/ssh/sshrc Like -.Pa $HOME/.ssh/rc . +.Pa ~/.ssh/rc . This can be used to specify machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. diff --git a/sshd_config.5 b/sshd_config.5 index ea79a54bf..df51fb867 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.40 2005/03/18 17:05:00 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.41 2005/04/21 06:17:50 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -327,7 +327,7 @@ The default is Specifies whether .Nm sshd should ignore the user's -.Pa $HOME/.ssh/known_hosts +.Pa ~/.ssh/known_hosts during .Cm RhostsRSAAuthentication or -- cgit v1.2.3 From 3710f278ae76751118fb3ced2ee6e8e320b91002 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 26 May 2005 12:19:17 +1000 Subject: - djm@cvs.openbsd.org 2005/05/23 23:32:46 [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; ok markus@ --- ChangeLog | 6 +++++- cipher.c | 61 +++++++++++++++++++++++++++++++++++++---------------------- myproposal.h | 5 +++-- ssh.1 | 9 ++++++--- ssh_config.5 | 9 ++++++--- sshd_config.5 | 9 ++++++--- 6 files changed, 64 insertions(+), 35 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index caf31ec86..0418ae55f 100644 --- a/ChangeLog +++ b/ChangeLog 
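Review bot: in the ssh.1 hunk at `@@ -941,7 +941,7 @@` the retained context says `.Nm` (that is, ssh) reads `~/.ssh/environment` and adds `VARNAME=value` lines to the environment, but the sshd.8 hunk at `@@ -367,7 +367,7 @@` in this same patch shows that it is sshd that reads the file, on the server side, gated by `PermitUserEnvironment`. Since the line is being touched anyway, make the subject the server rather than `.Nm`. The ssh.1 FILES entry for `~/.ssh/rc` in the hunk at `@@ -1133,7 +1133,7 @@` has the same problem ("Commands in this file are executed by .Nm"); sshd.8 at `@@ -769,7 +769,7 @@` shows sshd runs it with `/bin/sh`.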
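Review bot: the ssh_config.5 SYNOPSIS hunk at `@@ -43,7 +43,7 @@` (and the FILES sections in the other pages) now show `~/.ssh/config` and similar paths without saying what `~` stands for. The commit message's point is that OpenSSH never consults `$HOME`, yet `~` is, to most readers, shell tilde expansion, which does use `$HOME`. Add one sentence in each FILES section, or at least in ssh.1 and sshd.8, stating that `~` denotes the user's home directory as OpenSSH itself determines it, so the man pages do not reintroduce by notation the assumption the commit removes.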
@@ -76,6 +76,10 @@ - removes signed/unsigned comparisons in moduli generation - use strtonum instead of atoi where its easier - check some strlcpy overflow and fatal instead of truncate + - djm@cvs.openbsd.org 2005/05/23 23:32:46 + [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] + add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; + ok markus@ 20050524 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] @@ -2575,4 +2579,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3783 2005/05/26 02:16:18 djm Exp $ +$Id: ChangeLog,v 1.3784 2005/05/26 02:19:17 djm Exp $ diff --git a/cipher.c b/cipher.c index beba4618d..b56492940 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.74 2005/05/23 23:32:46 djm Exp $"); #include "xmalloc.h" #include "log.h" 
@@ -74,39 +74,42 @@ struct Cipher { int number; /* for ssh1 only */ u_int block_size; u_int key_len; + u_int discard_len; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, - { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, - - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, - { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, - { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, - { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null }, + { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des }, + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf }, + + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc }, + { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc }, + { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc }, + { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 }, + { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 }, + { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 }, #if OPENSSL_VERSION_NUMBER < 0x00907000L - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, evp_rijndael }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, evp_rijndael }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, #else - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc }, + { "aes192-cbc", 
SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, #endif #if OPENSSL_VERSION_NUMBER >= 0x00905000L - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr }, #endif #if defined(EVP_CTRL_SET_ACSS_MODE) - { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, + { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss }, #endif - { NULL, SSH_CIPHER_INVALID, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL } }; /*--*/ @@ -224,6 +227,7 @@ cipher_init(CipherContext *cc, Cipher *cipher, const EVP_CIPHER *type; #endif int klen; + u_char *junk, *discard; if (cipher->number == SSH_CIPHER_DES) { if (dowarn) { @@ -271,6 +275,17 @@ cipher_init(CipherContext *cc, Cipher *cipher, fatal("cipher_init: EVP_CipherInit: set key failed for %s", cipher->name); #endif + + if (cipher->discard_len > 0) { + junk = xmalloc(cipher->discard_len); + discard = xmalloc(cipher->discard_len); + if (EVP_Cipher(&cc->evp, discard, junk, + cipher->discard_len) == 0) + fatal("evp_crypt: EVP_Cipher failed during discard"); + memset(discard, 0, cipher->discard_len); + xfree(junk); + xfree(discard); + } } void diff --git a/myproposal.h b/myproposal.h index 228ed6882..2edbe1624 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.17 2005/05/23 23:32:46 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -28,7 +28,8 @@ "diffie-hellman-group1-sha1" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ - "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ + "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ + "arcfour128,arcfour256,arcfour," \ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ "aes128-ctr,aes192-ctr,aes256-ctr" #define KEX_DEFAULT_MAC \ diff --git a/ssh.1 b/ssh.1 index 05d2234a3..4cc1738c1 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.207 2005/04/21 06:17:50 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.208 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -479,14 +479,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Fl D Ar port Specifies a local diff --git a/ssh_config.5 b/ssh_config.5 index 42eefa034..18899ae58 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.53 2005/05/20 11:23:32 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.54 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -193,14 +193,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Cm ClearAllForwardings Specifies that all local, remote and dynamic port forwardings diff --git a/sshd_config.5 b/sshd_config.5 index 70d18ab0f..cec2a2382 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.42 2005/05/19 02:39:55 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.43 2005/05/23 23:32:46 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -168,14 +168,17 @@ The supported ciphers are .Dq aes128-ctr , .Dq aes192-ctr , .Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , .Dq arcfour , .Dq blowfish-cbc , and .Dq cast128-cbc . The default is .Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see above) which may be -- cgit v1.2.3 From a5cf85584cbf3dcb156ebee6730616872ddd3be8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 14 Jul 2005 17:04:18 +1000 Subject: - dtucker@cvs.openbsd.org 2005/07/06 09:33:05 [ssh.1] clarify meaning of ssh -b ; with & ok jmc@ --- ChangeLog | 8 +++++++- ssh.1 | 9 ++++++--- 2 files changed, 13 insertions(+), 4 deletions(-) (limited to 'ssh.1') 
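Review bot: in the cipher.c hunk at `@@ -271,6 +275,17 @@ cipher_init`, `junk` is obtained from `xmalloc()` and passed to `EVP_Cipher()` as the input buffer without ever being initialised, so the discard step encrypts uninitialised memory. The output is thrown away so this is not a correctness problem for a stream cipher, but it is needless and will be flagged by valgrind and similar tools. Use a single zeroed buffer and run the cipher in place, e.g. `discard = xmalloc(cipher->discard_len); memset(discard, 0, cipher->discard_len);` then `EVP_Cipher(&cc->evp, discard, discard, cipher->discard_len)`, which also halves the allocations. The `fatal()` text in the same hunk says `evp_crypt:` although the code is in `cipher_init`; fix the prefix so the message points at the right function.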
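Review bot: in the cipher table hunk at `@@ -74,39 +74,42 @@ struct Cipher`, `arcfour256` is given `key_len` 32 while both new entries use `EVP_rc4`, whose default key length is 16 bytes. The table change alone does not tell the EVP context to use a 32-byte key; confirm that the existing code in `cipher_init` (the `klen` local visible in the hunk at `@@ -224,6 +227,7 @@`) calls `EVP_CIPHER_CTX_set_key_length()` with the table's `key_len` before the key is installed, otherwise only the first 16 bytes of the derived key would be used and `arcfour256` would be no stronger than `arcfour128`. While here, the new `discard_len` field in `struct Cipher` deserves a short comment like the one on `number`, e.g. `/* bytes of keystream to discard after key setup */`.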
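Review bot: the myproposal.h hunk at `@@ -28,7 +28,8 @@` keeps plain `arcfour` in `KEX_DEFAULT_ENCRYPT` immediately after the two new modes. A peer that does not yet know `arcfour128`/`arcfour256` will therefore still negotiate unmodified `arcfour`, whose first keystream bytes are exactly what the 1536-byte discard in `cipher_init` is meant to avoid. Decide explicitly whether `arcfour` should stay in the default list at all rather than merely be demoted behind the new names, and record the reason in the commit.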
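Review bot: the literal default strings in the ssh.1 hunk at `@@ -479,14 +479,17 @@`, the ssh_config.5 hunk at `@@ -193,14 +193,17 @@` and the sshd_config.5 hunk at `@@ -168,14 +168,17 @@` omit `rijndael-cbc@lysator.liu.se`, which `KEX_DEFAULT_ENCRYPT` in the myproposal.h hunk lists between `aes256-cbc` and `aes128-ctr`. Since this commit already rewrites all three strings, make them match the code (or say in the text that `rijndael-cbc@lysator.liu.se` is accepted as an alias for `aes256-cbc`, which is what the table entries in cipher.c show); the three pages should also agree with each other, which they did not before this change.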
diff --git a/ChangeLog b/ChangeLog index f76094f78..b2d4067e1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20050714 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/07/06 09:33:05 + [ssh.1] + clarify meaning of ssh -b ; with & ok jmc@ + 20050707 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for the MIT Kerberos code path into a common function and expand mkstemp @@ -2795,4 +2801,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3838 2005/07/07 10:33:36 dtucker Exp $ +$Id: ChangeLog,v 1.3839 2005/07/14 07:04:18 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 4cc1738c1..b0749763b 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.208 2005/05/23 23:32:46 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -423,8 +423,11 @@ authenticate using the identities loaded into the agent. .It Fl a Disables forwarding of the authentication agent connection. .It Fl b Ar bind_address -Specify the interface address to transmit from on machines with multiple -interfaces or aliased addresses. +Use +.Ar bind_address +on the local machine as the source address +of the connection. +Only useful on systems with more than one address. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). -- cgit v1.2.3
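Review bot: the ssh.1 hunk at `@@ -423,8 +423,11 @@` finally states that `bind_address` is the local source address of the connection, which is the right description. The `BindAddress` option in ssh_config.5 is not touched by this commit; if it still carries the earlier "interface" wording (it is not visible here, so this is a question for the author), it should be updated in the same commit so the option and the `-b` flag describe the same argument the same way.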