From c8d6421a645529a3c831dccc5d9d9e073de68657 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:13:42 +1000 Subject: - djm@cvs.openbsd.org 2005/09/19 11:37:34 [ssh_config.5 ssh.1] mention ability to specify bind_address for DynamicForward and -D options; bz#1077 spotted by Haruyama Seigo --- ssh.1 | 44 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ssh.1 b/ssh.1 index b0749763b..135e3b6c5 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.210 2005/09/19 11:37:34 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -47,7 +47,12 @@ .Op Fl 1246AaCfgkMNnqsTtVvXxY .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec -.Op Fl D Ar port +.Oo Fl D\ \& +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Oc .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl i Ar identity_file @@ -494,13 +499,20 @@ The default is arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, aes192-ctr,aes256-ctr'' .Ed -.It Fl D Ar port +.It Fl D Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Xc Specifies a local .Dq dynamic application-level port forwarding. This works by allocating a socket to listen to .Ar port -on the local side, and whenever a connection is made to this port, the +on the local side, optionally bound to the specified +.Ar bind_address . +Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. 
@@ -509,6 +521,30 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file. +.Pp +IPv6 addresses can be specified with an alternative syntax: +.Sm off +.Xo +.Op Ar bind_address No / +.Ar port +.Xc +.Sm on +or by enclosing the address in square brackets. +Only the superuser can forward privileged ports. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Dq localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. .It Fl e Ar ch | ^ch | none Sets the escape character for sessions with a pty (default: .Ql ~ ) . -- cgit v1.2.3 From 05d4dfe38fe786a8e9fd675c8eeef7ab801443de Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:17:38 +1000 Subject: - jmc@cvs.openbsd.org 2005/09/19 15:38:27 [ssh.1] some more .Bk/.Ek to avoid ugly line split; --- ChangeLog | 5 ++++- ssh.1 | 8 +++++--- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 7d27adb18..58eb48885 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - djm@cvs.openbsd.org 2005/09/19 11:48:10 [gss-serv.c] typo + - jmc@cvs.openbsd.org 2005/09/19 15:38:27 + [ssh.1] + some more .Bk/.Ek to avoid ugly line split; 20050930 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype @@ -3061,4 +3064,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3907 2005/10/03 08:17:02 dtucker Exp $ +$Id: ChangeLog,v 1.3908 2005/10/03 08:17:38 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 135e3b6c5..6b3c2fcf8 100644 
--- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.210 2005/09/19 11:37:34 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.211 2005/09/19 15:38:27 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -43,7 +43,6 @@ .Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh -.Bk -words .Op Fl 1246AaCfgkMNnqsTtVvXxY .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec @@ -55,14 +54,18 @@ .Oc .Op Fl e Ar escape_char .Op Fl F Ar configfile +.Bk -words .Op Fl i Ar identity_file +.Ek .Oo Fl L\ \& .Sm off .Oo Ar bind_address : Oc .Ar port : host : hostport .Sm on .Oc +.Bk -words .Op Fl l Ar login_name +.Ek .Op Fl m Ar mac_spec .Op Fl O Ar ctl_cmd .Op Fl o Ar option @@ -76,7 +79,6 @@ .Op Fl S Ar ctl_path .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command -.Ek .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for -- cgit v1.2.3 From 1e4308e6fa41a1436e64ff9faaa4174bf73fa166 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:18:40 +1000 Subject: - djm@cvs.openbsd.org 2005/09/19 23:31:31 [ssh.1] spelling nit from stevesk@ --- ChangeLog | 5 ++++- ssh.1 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 22e43bf45..e0c4ba662 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,9 @@ - jmc@cvs.openbsd.org 2005/09/19 15:42:44 [ssh.c] update -D usage here too; + - djm@cvs.openbsd.org 2005/09/19 23:31:31 + [ssh.1] + spelling nit from stevesk@ 20050930 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype @@ -3067,4 +3070,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3909 2005/10/03 08:18:05 dtucker Exp $ +$Id: ChangeLog,v 1.3910 2005/10/03 08:18:40 dtucker Exp $ 
diff --git a/ssh.1 b/ssh.1 index 6b3c2fcf8..8e0f37719 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.211 2005/09/19 15:38:27 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.212 2005/09/19 23:31:31 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -455,7 +455,7 @@ option. Selects the cipher specification for encrypting the session. .Pp Protocol version 1 allows specification of a single cipher. -The suported values are +The supported values are .Dq 3des , .Dq blowfish and -- cgit v1.2.3 From c94ebbc723234b7246cfbdcc78f1ca0b36743211 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:25:21 +1100 Subject: - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2005/11/30 11:18:27 [ssh.1] timezone -> time zone --- ChangeLog | 8 +++++++- ssh.1 | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index f5d6b0e6f..12a217f60 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20051213 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/11/30 11:18:27 + [ssh.1] + timezone -> time zone + 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed in top level directory and not noticed for over a year :) @@ -3389,4 +3395,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4016 2005/12/01 01:51:59 djm Exp $ +$Id: ChangeLog,v 1.4017 2005/12/13 08:25:21 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 8e0f37719..6342d3cdc 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.212 2005/09/19 23:31:31 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.213 2005/11/30 11:18:27 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -975,7 +975,7 @@ with the current shell or command. If the current session has no tty, this variable is not set. .It Ev TZ -The timezone variable is set to indicate the present timezone if it +The time zone variable is set to indicate the present time zone if it was set when the daemon was started (i.e., the daemon passes the value on to new connections). .It Ev USER -- cgit v1.2.3 From 6dbdb6afeec1820b2799c2693fc8e8b364be8228 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:25:43 +1100 Subject: - jmc@cvs.openbsd.org 2005/11/30 11:45:20 [ssh.1] avoid ambiguities in describing TZ; ok djm@ --- ChangeLog | 6 +++++- ssh.1 | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 12a217f60..d187f2aa0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - jmc@cvs.openbsd.org 2005/11/30 11:18:27 [ssh.1] timezone -> time zone + - jmc@cvs.openbsd.org 2005/11/30 11:45:20 + [ssh.1] + avoid ambiguities in describing TZ; + ok djm@ 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed @@ -3395,4 +3399,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4017 2005/12/13 08:25:21 djm Exp $ +$Id: ChangeLog,v 1.4018 2005/12/13 08:25:43 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 6342d3cdc..dd97a8995 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.213 2005/11/30 11:18:27 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.214 2005/11/30 11:45:20 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -975,7 +975,7 @@ with the current shell or command. If the current session has no tty, this variable is not set. .It Ev TZ -The time zone variable is set to indicate the present time zone if it +This variable is set to indicate the present time zone if it was set when the daemon was started (i.e., the daemon passes the value on to new connections). .It Ev USER -- cgit v1.2.3 From d27b947178df3689bfb7fdfb62a5f1337ef73481 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Tue, 13 Dec 2005 19:29:02 +1100 Subject: - reyk@cvs.openbsd.org 2005/12/06 22:38:28 [auth-options.c auth-options.h channels.c channels.h clientloop.c] [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] [sshconnect.h sshd.8 sshd_config sshd_config.5] Add support for tun(4) forwarding over OpenSSH, based on an idea and initial channel code bits by markus@. This is a simple and easy way to use OpenSSH for ad hoc virtual private network connections, e.g. administrative tunnels or secure wireless access. It's based on a new ssh channel and works similar to the existing TCP forwarding support, except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. ok djm@, markus@, jmc@ (manpages), tested and discussed with others --- ChangeLog | 17 ++++++++++++++++- auth-options.c | 41 ++++++++++++++++++++++++++++++++++++++++- auth-options.h | 3 ++- channels.c | 42 ++++++++++++++++++++++++++++++++++++++++-- channels.h | 4 +++- clientloop.c | 11 ++++++++++- misc.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- misc.h | 4 +++- readconf.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- readconf.h | 10 +++++++++- scp.c | 3 ++- servconf.c | 12 ++++++++++-- servconf.h | 5 ++++- serverloop.c | 34 +++++++++++++++++++++++++++++++++- sftp.c | 3 ++- ssh.1 | 20 +++++++++++++++++++- ssh.c | 39 ++++++++++++++++++++++++++++++++++++--- ssh_config | 5 ++++- ssh_config.5 | 38 +++++++++++++++++++++++++++++++++++++- sshconnect.c | 38 +++++++++++++++++++++++++++++++++++++- sshconnect.h | 4 ++-- sshd.8 | 10 +++++++++- sshd_config | 3 ++- sshd_config.5 | 8 +++++++- 24 files changed, 433 insertions(+), 31 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index d187f2aa0..96ed9a05d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,6 +7,21 @@ [ssh.1] avoid ambiguities in describing TZ; ok djm@ + - reyk@cvs.openbsd.org 2005/12/06 22:38:28 + [auth-options.c auth-options.h channels.c channels.h clientloop.c] + [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] + [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] + [sshconnect.h sshd.8 sshd_config sshd_config.5] + Add support for tun(4) forwarding over OpenSSH, based on an idea and + initial channel code bits by markus@. This is a simple and easy way to + use OpenSSH for ad hoc virtual private network connections, e.g. + administrative tunnels or secure wireless access. It's based on a new + ssh channel and works similar to the existing TCP forwarding support, + except that it depends on the tun(4) network interface on both ends of + the connection for layer 2 or layer 3 tunneling. This diff also adds + support for LocalCommand in the ssh(1) client. + + ok djm@, markus@, jmc@ (manpages), tested and discussed with others 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed @@ -3399,4 +3414,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4018 2005/12/13 08:25:43 djm Exp $ +$Id: ChangeLog,v 1.4019 2005/12/13 08:29:02 djm Exp $ diff --git a/auth-options.c b/auth-options.c index a85e40835..54798d9ad 100644 --- a/auth-options.c +++ b/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.32 2005/12/06 22:38:27 reyk Exp $"); #include "xmalloc.h" #include "match.h" @@ -35,6 +35,9 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; +/* "tunnel=" option. */ +int forced_tun_device = -1; + extern ServerOptions options; void 
@@ -54,6 +57,7 @@ auth_clear_options(void) xfree(forced_command); forced_command = NULL; } + forced_tun_device = -1; channel_clear_permitted_opens(); auth_debug_reset(); } @@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto next_option; } + cp = "tunnel=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char *tun = NULL; + opts += strlen(cp); + tun = xmalloc(strlen(opts) + 1); + i = 0; + while (*opts) { + if (*opts == '"') + break; + tun[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(tun); + forced_tun_device = -1; + goto bad_option; + } + tun[i] = 0; + forced_tun_device = a2tun(tun, NULL); + xfree(tun); + if (forced_tun_device < -1) { + debug("%.100s, line %lu: invalid tun device", + file, linenum); + auth_debug_add("%.100s, line %lu: invalid tun device", + file, linenum); + forced_tun_device = -1; + goto bad_option; + } + auth_debug_add("Forced tun device: %d", forced_tun_device); + opts++; + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff --git a/auth-options.h b/auth-options.h index 15fb21255..3cd02a71f 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $ */ +/* $OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag; extern int no_pty_flag; extern char *forced_command; extern struct envstring *custom_environment; +extern int forced_tun_device; int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); diff --git a/channels.c b/channels.c index 9607717cc..b4fd89f96 100644 --- a/channels.c +++ b/channels.c 
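Review bot: The new `tunnel=` parsing in auth_parse_options() cannot distinguish `tunnel="any"` from no option at all: a2tun() maps "any" to -1, which is the same sentinel auth_clear_options() resets to, so such a key leaves the device unrestricted rather than recording a choice, and in server_request_tun() (serverloop.c, later in this commit) `forced_tun_device != -1` is the only gate. That is probably intended, but it is worth stating next to the assignment, `/* -1 ("any") means no restriction; see server_request_tun() */`. A second comment that this option only pins the device number and never grants tunnelling when PermitTunnel is off would also help, since the two checks live in different files. auth_parse_options() continues outside the hunk.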
@@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.227 2005/10/14 02:29:37 stevesk Exp $"); +RCSID("$OpenBSD: channels.c,v 1.228 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1414,6 +1414,8 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) debug2("channel %d: filter stops", c->self); chan_read_failed(c); } + } else if (c->datagram) { + buffer_put_string(&c->input, buf, len); } else { buffer_append(&c->input, buf, len); } @@ -1432,6 +1434,23 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && buffer_len(&c->output) > 0) { + if (c->datagram) { + data = buffer_get_string(&c->output, &dlen); + /* ignore truncated writes, datagrams might get lost */ + c->local_consumed += dlen + 4; + len = write(c->wfd, data, dlen); + xfree(data); + if (len < 0 && (errno == EINTR || errno == EAGAIN)) + return 1; + if (len <= 0) { + if (c->type != SSH_CHANNEL_OPEN) + chan_mark_dead(c); + else + chan_write_failed(c); + return -1; + } + return 1; + } data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); #ifdef _AIX @@ -1792,6 +1811,22 @@ channel_output_poll(void) if ((c->istate == CHAN_INPUT_OPEN || c->istate == CHAN_INPUT_WAIT_DRAIN) && (len = buffer_len(&c->input)) > 0) { + if (c->datagram) { + if (len > 0) { + u_char *data; + u_int dlen; + + data = buffer_get_string(&c->input, + &dlen); + packet_start(SSH2_MSG_CHANNEL_DATA); + packet_put_int(c->remote_id); + packet_put_string(data, dlen); + packet_send(); + c->remote_window -= dlen + 4; + xfree(data); + } + continue; + } /* * Send some data for the other side over the secure * connection. 
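Review bot: The datagram branch added to channel_output_poll() sends the whole record and then does `c->remote_window -= dlen + 4;` without first checking that `dlen + 4` fits in `c->remote_window` (or `c->remote_maxpacket`); the stream path below it is the one that clamps to the window, and remote_window looks unsigned, so an oversized tun frame would wrap the counter and push data the peer has not advertised room for. Suggest checking `dlen + 4 <= c->remote_window` before packet_start() and otherwise dropping the datagram, consistent with the `/* ignore truncated writes, datagrams might get lost */` policy in channel_handle_wfd(). The inner `if (len > 0)` is redundant with the enclosing `(len = buffer_len(&c->input)) > 0` and can go. channel_output_poll() starts and ends outside the hunk.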
@@ -1914,7 +1949,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt) c->local_window -= data_len; } packet_check_eom(); - buffer_append(&c->output, data, data_len); + if (c->datagram) + buffer_put_string(&c->output, data, data_len); + else + buffer_append(&c->output, data, data_len); xfree(data); } diff --git a/channels.h b/channels.h index 7e1cc7c5a..743a2065e 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.80 2005/10/10 10:23:08 djm Exp $ */ +/* $OpenBSD: channels.h,v 1.81 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -112,6 +112,8 @@ struct Channel { /* filter */ channel_filter_fn *input_filter; + + int datagram; /* keep boundaries */ }; #define CHAN_EXTENDED_IGNORE 0 diff --git a/clientloop.c b/clientloop.c index 001c8f119..a97734c3f 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.145 2005/10/30 08:52:17 djm Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.146 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -914,6 +914,15 @@ process_cmdline(void) logit(" -Lport:host:hostport Request local forward"); logit(" -Rport:host:hostport Request remote forward"); logit(" -KRhostport Cancel remote forward"); + if (!options.permit_local_command) + goto out; + logit(" !args Execute local command"); + goto out; + } + + if (*s == '!' && options.permit_local_command) { + s++; + ssh_local_cmd(s); goto out; } diff --git a/misc.c b/misc.c index 27b947f0c..9b23e2c37 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.35 2005/09/13 23:40:07 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.36 2005/12/06 22:38:27 reyk Exp $"); #include "misc.h" #include "log.h" 
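Review bot: The new `int datagram; /* keep boundaries */` field in struct Channel deserves a fuller comment, because it changes the format of `c->input`/`c->output`: when set, channel_handle_rfd() and channel_input_data() store each read() result or CHANNEL_DATA payload with buffer_put_string(), and channel_handle_wfd()/channel_output_poll() pull one record per write() or SSH2_MSG_CHANNEL_DATA, so one tun frame maps to exactly one channel message. Suggest `/* keep record boundaries: input/output hold length-prefixed datagrams (see channel_handle_rfd/wfd) */`. The struct Channel definition continues outside the hunk.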
@@ -194,6 +194,37 @@ a2port(const char *s)
 return port;
 }
 
+int
+a2tun(const char *s, int *remote)
+{
+ const char *errstr = NULL;
+ char *sp, *ep;
+ int tun;
+
+ if (remote != NULL) {
+ *remote = -1;
+ sp = xstrdup(s);
+ if ((ep = strchr(sp, ':')) == NULL) {
+ xfree(sp);
+ return (a2tun(s, NULL));
+ }
+ ep[0] = '\0'; ep++;
+ *remote = a2tun(ep, NULL);
+ tun = a2tun(sp, NULL);
+ xfree(sp);
+ return (tun);
+ }
+
+ if (strcasecmp(s, "any") == 0)
+ return (-1);
+
+ tun = strtonum(s, 0, INT_MAX, &errstr);
+ if (errstr != NULL || tun < -1)
+ return (-2);
+
+ return (tun);
+}
+
 #define SECONDS 1
 #define MINUTES (SECONDS * 60)
 #define HOURS (MINUTES * 60)
@@ -507,6 +538,31 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
 return -1;
 }
 
+int
+tun_open(int tun)
+{
+ char name[100];
+ int i, fd;
+
+ if (tun > -1) {
+ snprintf(name, sizeof(name), "/dev/tun%d", tun);
+ if ((fd = open(name, O_RDWR)) >= 0) {
+ debug("%s: %s: %d", __func__, name, fd);
+ return (fd);
+ }
+ } else {
+ for (i = 100; i >= 0; i--) {
+ snprintf(name, sizeof(name), "/dev/tun%d", i);
+ if ((fd = open(name, O_RDWR)) >= 0) {
+ debug("%s: %s: %d", __func__, name, fd);
+ return (fd);
+ }
+ }
+ }
+ debug("%s: %s failed: %s", __func__, name, strerror(errno));
+ return (-1);
+}
+
 void
 sanitise_stdfd(void)
 {
diff --git a/misc.h b/misc.h
index 51541336c..ff2ba1b5a 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.26 2005/09/13 23:40:07 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.27 2005/12/06 22:38:27 reyk Exp $ */
 
 /*
 * Author: Tatu Ylonen
@@ -20,6 +20,7 @@ int set_nonblock(int);
 int unset_nonblock(int);
 void set_nodelay(int);
 int a2port(const char *);
+int a2tun(const char *, int *);
 char *hpdelim(char **);
 char *cleanhostname(char *);
 char *colon(char *);
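Review bot: a2tun() reports a bad local device (-2) but never reports a bad remote one: with `remote != NULL` the result of `*remote = a2tun(ep, NULL)` is not checked, and both callers added in this commit — oTunnelDevice in readconf.c and `case 'w'` in ssh.c — test only the returned local value, so a spec like `0:junk` passes validation with tun_remote == -2, which is then sent in the channel open request and treated by the server's tun_open() as "any". Suggest propagating the failure: `tun = a2tun(sp, NULL);` / `xfree(sp);` / `return (*remote < -1 ? -2 : tun);`. Separately, `tun < -1` in `if (errstr != NULL || tun < -1)` can never hold after `strtonum(s, 0, INT_MAX, &errstr)`, so that half of the condition is dead. A header comment giving the return convention (>= 0 device number, -1 for "any", -2 invalid; with remote non-NULL the "local:remote" split) would help callers get the checks right.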
@@ -49,3 +50,4 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); char *read_passphrase(const char *, int); int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); +int tun_open(int); diff --git a/readconf.c b/readconf.c index cf27a9f41..b6aad9d8d 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.144 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -70,6 +70,10 @@ RCSID("$OpenBSD: readconf.c,v 1.143 2005/07/30 02:03:47 djm Exp $"); Cipher none PasswordAuthentication no + Host vpn.fake.com + Tunnel yes + TunnelDevice 3 + # Defaults for various options Host * ForwardAgent no @@ -107,6 +111,7 @@ typedef enum { oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, + oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oDeprecated, oUnsupported } OpCodes; @@ -198,6 +203,10 @@ static struct { { "controlpath", oControlPath }, { "controlmaster", oControlMaster }, { "hashknownhosts", oHashKnownHosts }, + { "tunnel", oTunnel }, + { "tunneldevice", oTunnelDevice }, + { "localcommand", oLocalCommand }, + { "permitlocalcommand", oPermitLocalCommand }, { NULL, oBadOption } }; @@ -264,6 +273,7 @@ clear_forwardings(Options *options) xfree(options->remote_forwards[i].connect_host); } options->num_remote_forwards = 0; + options->tun_open = 0; } /* @@ -296,7 +306,7 @@ process_config_line(Options *options, const char *host, int *activep) { char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; - int opcode, *intptr, value; + int opcode, *intptr, value, value2; size_t len; Forward fwd; 
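Review bot: clear_forwardings() now also does `options->tun_open = 0;`, which looks like the right place if ClearAllForwardings routes through it (scp and sftp pass `-oClearAllForwardings yes` and should not end up with a tunnel from the user's config), but the function name no longer says so; suggest a comment on the new line, `/* ClearAllForwardings also cancels a configured Tunnel */`. clear_forwardings() starts outside the hunk.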
@@ -553,9 +563,10 @@ parse_string: goto parse_string; case oProxyCommand: + charptr = &options->proxy_command; +parse_command: if (s == NULL) fatal("%.200s line %d: Missing argument.", filename, linenum); - charptr = &options->proxy_command; len = strspn(s, WHITESPACE "="); if (*activep && *charptr == NULL) *charptr = xstrdup(s + len); @@ -822,6 +833,31 @@ parse_int: intptr = &options->hash_known_hosts; goto parse_flag; + case oTunnel: + intptr = &options->tun_open; + goto parse_flag; + + case oTunnelDevice: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + value = a2tun(arg, &value2); + if (value < -1) + fatal("%.200s line %d: Bad tun device.", filename, linenum); + if (*activep) { + options->tun_local = value; + options->tun_remote = value2; + } + break; + + case oLocalCommand: + charptr = &options->local_command; + goto parse_command; + + case oPermitLocalCommand: + intptr = &options->permit_local_command; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -966,6 +1002,11 @@ initialize_options(Options * options) options->control_path = NULL; options->control_master = -1; options->hash_known_hosts = -1; + options->tun_open = -1; + options->tun_local = -1; + options->tun_remote = -1; + options->local_command = NULL; + options->permit_local_command = -1; } /* @@ -1090,6 +1131,11 @@ fill_default_options(Options * options) options->control_master = 0; if (options->hash_known_hosts == -1) options->hash_known_hosts = 0; + if (options->tun_open == -1) + options->tun_open = 0; + if (options->permit_local_command == -1) + options->permit_local_command = 0; + /* options->local_command should not be set by default */ /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ 
diff --git a/readconf.h b/readconf.h index 2b9deb9db..4565b2c2c 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.67 2005/06/08 11:25:09 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.68 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -114,6 +114,14 @@ typedef struct { int control_master; int hash_known_hosts; + + int tun_open; /* tun(4) */ + int tun_local; /* force tun device (optional) */ + int tun_remote; /* force tun device (optional) */ + + char *local_command; + int permit_local_command; + } Options; #define SSHCTL_MASTER_NO 0 diff --git a/scp.c b/scp.c index a19021f85..5dced6ce4 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.127 2005/11/12 18:38:15 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.128 2005/12/06 22:38:27 reyk Exp $"); #include "xmalloc.h" #include "atomicio.h" @@ -231,6 +231,7 @@ main(int argc, char **argv) addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-x"); addargs(&args, "-oForwardAgent no"); + addargs(&args, "-oPermitLocalCommand no"); addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; diff --git a/servconf.c b/servconf.c index 9e420a527..91a0ced29 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.145 2005/12/06 22:38:27 reyk Exp $"); #include "ssh.h" #include "log.h" @@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; options->num_accept_env = 0; + options->permit_tun = -1; /* Needs to be accessable in many places */ use_privsep = -1; 
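Review bot: The two new Options fields `char *local_command;` and `int permit_local_command;` are uncommented, unlike the tun fields above them, and their coupling is what makes LocalCommand acceptable in a config file: in this commit ssh_session2() runs local_command only when permit_local_command is set, the `!` escape in process_cmdline() is gated by the same flag, and scp/sftp pass `-oPermitLocalCommand no`. Suggest `char *local_command; /* LocalCommand; only run when permit_local_command */` and `int permit_local_command; /* PermitLocalCommand: gates LocalCommand and the ~C '!' escape */`. The Options struct starts outside the hunk.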
@@ -229,6 +230,8 @@ fill_default_server_options(ServerOptions *options) } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->permit_tun == -1) + options->permit_tun = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -270,7 +273,7 @@ typedef enum { sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -373,6 +376,7 @@ static struct { { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, { "acceptenv", sAcceptEnv }, + { "permittunnel", sPermitTunnel }, { NULL, sBadOption } }; @@ -962,6 +966,10 @@ parse_flag: } break; + case sPermitTunnel: + intptr = &options->permit_tun; + goto parse_flag; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/servconf.h b/servconf.h index f7e56d521..ab82c8f57 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.72 2005/12/06 22:38:27 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -133,7 +133,10 @@ typedef struct { char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + int use_pam; /* Enable auth via PAM */ + + int permit_tun; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/serverloop.c b/serverloop.c index 03376bacf..199f7696d 100644 --- a/serverloop.c +++ b/serverloop.c 
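Review bot: `int permit_tun;` is added to ServerOptions without a comment, and the default of 0 set in fill_default_server_options() (tunnelling disabled unless configured) is exactly the property an auditor will look for; suggest `int permit_tun; /* PermitTunnel: allow tun@openssh.com channel opens; default off */`. The value is parsed as a plain yes/no flag via parse_flag, which the comment should reflect. The ServerOptions struct starts outside the hunk.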
@@ -35,7 +35,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.121 2005/10/31 11:48:29 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.122 2005/12/06 22:38:27 reyk Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -913,6 +913,36 @@ server_request_direct_tcpip(void)
 return c;
 }
 
+static Channel *
+server_request_tun(void)
+{
+ Channel *c = NULL;
+ int sock, tun;
+
+ if (!options.permit_tun) {
+ packet_send_debug("Server has disabled tunnel device forwarding.");
+ return NULL;
+ }
+
+ tun = packet_get_int();
+ if (forced_tun_device != -1) {
+ if (tun != -1 && forced_tun_device != tun)
+ goto done;
+ tun = forced_tun_device;
+ }
+ sock = tun_open(tun);
+ if (sock < 0)
+ goto done;
+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+ c->datagram = 1;
+
+ done:
+ if (c == NULL)
+ packet_send_debug("Failed to open the tunnel device.");
+ return c;
+}
+
 static Channel *
 server_request_session(void)
 {
@@ -958,6 +988,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
 c = server_request_session();
 } else if (strcmp(ctype, "direct-tcpip") == 0) {
 c = server_request_direct_tcpip();
+ } else if (strcmp(ctype, "tun@openssh.com") == 0) {
+ c = server_request_tun();
 }
 if (c != NULL) {
 debug("server_input_channel_open: confirm %s", ctype);
diff --git a/sftp.c b/sftp.c
index ff3223ad2..24f6dc538 100644
--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
 
 #include "includes.h"
 
-RCSID("$OpenBSD: sftp.c,v 1.68 2005/10/31 06:15:04 dtucker Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $");
 
 #ifdef USE_LIBEDIT
 #include
@@ -1457,6 +1457,7 @@ main(int argc, char **argv)
 addargs(&args, "ssh"); /* overwritten with ssh_program */
 addargs(&args, "-oForwardX11 no");
 addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oPermitLocalCommand no");
 addargs(&args, "-oClearAllForwardings yes");
 
 ll = SYSLOG_LEVEL_INFO;
diff --git a/ssh.1 b/ssh.1
index dd97a8995..8a55c2f64 100644
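Review bot: `tun = packet_get_int();` in server_request_tun() accepts any value from the peer, and tun_open() treats everything below 0 as "any", so a malformed request (for example the unchecked -2 that a2tun() can produce on the client side) silently turns into a probe of every /dev/tun device; suggest `if (tun < -1) goto done;` immediately after the read. The shared `done:` path also reports `"Failed to open the tunnel device."` when the real reason was a `tunnel=` mismatch on the key, which makes client-side debugging harder; a distinct packet_send_debug() for the mismatch branch would help. The permit_tun check and the forced-device pinning are in the right order, but a short function comment stating that order (server policy first, key restriction second, then open) is worth adding.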
--- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.214 2005/11/30 11:45:20 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.215 2005/12/06 22:38:27 reyk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -77,6 +77,7 @@ .Sm on .Oc .Op Fl S Ar ctl_path +.Op Fl w Ar tunnel : tunnel .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Sh DESCRIPTION @@ -301,6 +302,12 @@ options (see below). It also allows the cancellation of existing remote port-forwardings using .Fl KR Ar hostport . +The +.Ic ! Ar command +allows the user to execute a local command if the +.Ic PermitLocalCommand +option is enabled in +.Xr ssh_config 5 . Basic help is available, using the .Fl h option. @@ -747,12 +754,14 @@ For full details of the options listed below, and their possible values, see .It IdentityFile .It IdentitiesOnly .It KbdInteractiveDevices +.It LocalCommand .It LocalForward .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts .It PasswordAuthentication +.It PermitLocalCommand .It Port .It PreferredAuthentications .It Protocol @@ -767,6 +776,8 @@ For full details of the options listed below, and their possible values, see .It SmartcardDevice .It StrictHostKeyChecking .It TCPKeepAlive +.It Tunnel +.It TunnelDevice .It UsePrivilegedPort .It User .It UserKnownHostsFile @@ -866,6 +877,13 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. +.It Fl w +Requests a +.Xr tun 4 +device on the client and server like the +.Cm Tunnel +directive in +.Xr ssh_config 5 . .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. diff --git a/ssh.c b/ssh.c index 2227755cd..8a4a0e4c9 100644 --- a/ssh.c +++ b/ssh.c 
@@ -40,7 +40,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.254 2005/10/30 08:52:18 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.255 2005/12/06 22:38:27 reyk Exp $");
 #include
 #include
@@ -162,7 +162,7 @@ usage(void)
 " [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
 " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-" [user@]hostname [command]\n"
+" [-w tunnel:tunnel] [user@]hostname [command]\n"
 );
 exit(1);
 }
@@ -244,7 +244,7 @@ main(int ac, char **av)
 again:
 while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
 switch (opt) {
 case '1':
 options.protocol = SSH_PROTO_1;
@@ -340,6 +340,14 @@ again:
 if (opt == 'V')
 exit(0);
 break;
+ case 'w':
+ options.tun_open = 1;
+ options.tun_local = a2tun(optarg, &options.tun_remote);
+ if (options.tun_local < -1) {
+ fprintf(stderr, "Bad tun device '%s'\n", optarg);
+ exit(1);
+ }
+ break;
 case 'q':
 options.log_level = SYSLOG_LEVEL_QUIET;
 break;
@@ -1059,6 +1067,26 @@ ssh_session2_setup(int id, void *arg)
 packet_send();
 }
+ if (options.tun_open) {
+ Channel *c;
+ int fd;
+
+ debug("Requesting tun.");
+ if ((fd = tun_open(options.tun_local)) >= 0) {
+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+ 0, "tun", 1);
+ c->datagram = 1;
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring("tun@openssh.com");
+ packet_put_int(c->self);
+ packet_put_int(c->local_window_max);
+ packet_put_int(c->local_maxpacket);
+ packet_put_int(options.tun_remote);
+ packet_send();
+ }
+ }
+
 client_session2_setup(id, tty_flag, subsystem_flag,
 getenv("TERM"), NULL, fileno(stdin), &command, environ,
 &ssh_subsystem_reply);
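Review bot: A failed `tun_open(options.tun_local)` is silent in the last hunk: the `if ((fd = ...) >= 0)` branch simply skips the channel request, so a user who passed `-w` gets no indication that no tunnel was set up apart from `debug("Requesting tun.")` at high verbosity. An `else error("Could not request tunnel forwarding.");` on the failed branch would surface it at the default log level. ssh_session2_setup starts and ends outside the hunk.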
@@ -1123,6 +1151,11 @@ ssh_session2(void)
 if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
 id = ssh_session2_open();
+ /* Execute a local command */
+ if (options.local_command != NULL &&
+ options.permit_local_command)
+ ssh_local_cmd(options.local_command);
+
 /* If requested, let ssh continue in the background. */
 if (fork_after_authentication_flag)
 if (daemon(1, 1) < 0)
diff --git a/ssh_config b/ssh_config
index f41bee0a2..7bc8762d6 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $
+# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
 # This is the ssh client system-wide configuration file. See
 # ssh_config(5) for more information. This file provides defaults for
@@ -37,3 +37,6 @@
 # Cipher 3des
 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 # EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
diff --git a/ssh_config.5 b/ssh_config.5
index 13cdee88b..d1930baab 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.64 2005/10/30 08:43:47 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.65 2005/12/06 22:38:27 reyk Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
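Review bot: The exit status returned by `ssh_local_cmd()` is discarded in the ssh_session2 hunk, so a LocalCommand that fails or does not exit normally goes unnoticed unless the user runs at debug3. Checking it, e.g. `if (ssh_local_cmd(options.local_command) != 0) error("LocalCommand failed");`, would report the failure at default verbosity. The call is also placed before the `fork_after_authentication_flag` check, so with `-f` the command runs in the foreground before ssh backgrounds itself; that ordering is worth a word in the `/* Execute a local command */` comment. ssh_session2 starts and ends outside the hunk.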
@@ -556,6 +556,14 @@ The default is Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. +.It Cm LocalCommand +Specifies a command to execute on the local machine after successfully +connecting to the server. +The command string extends to the end of the line, and is executed with +.Pa /bin/sh . +This directive is ignored unless +.Cm PermitLocalCommand +has been enabled. .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. @@ -628,6 +636,19 @@ The default is .It Cm Port Specifies the port number to connect on the remote host. Default is 22. +.It Cm PermitLocalCommand +Allow local command execution via the +.Ic LocalCommand +option or using the +.Ic ! Ar command +escape sequence in +.Xr ssh 1 . +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. @@ -887,6 +908,21 @@ Note that this option must be set to for .Cm RhostsRSAAuthentication with older servers. +.It Cm Tunnel +Request starting +.Xr tun 4 +device forwarding between the client and the server. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . +.It Cm TunnelDevice +Force a specified +.Xr tun 4 +device on the client. +Without this option, the next available device will be used. .It Cm User Specifies the user to log in as. This can be useful when a different user name is used on different machines. diff --git a/sshconnect.c b/sshconnect.c index 2245a8af6..64ffec240 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.170 2005/10/30 08:52:18 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.171 2005/12/06 22:38:27 reyk Exp $"); #include 
@@ -1034,3 +1034,39 @@ warn_changed_key(Key *host_key)
 xfree(fp);
 }
+
+/*
+ * Execute a local command
+ */
+int
+ssh_local_cmd(const char *args)
+{
+ char *shell;
+ pid_t pid;
+ int status;
+
+ if (!options.permit_local_command ||
+ args == NULL || !*args)
+ return (1);
+
+ if ((shell = getenv("SHELL")) == NULL)
+ shell = _PATH_BSHELL;
+
+ pid = fork();
+ if (pid == 0) {
+ debug3("Executing %s -c \"%s\"", shell, args);
+ execl(shell, shell, "-c", args, (char *)NULL);
+ error("Couldn't execute %s -c \"%s\": %s",
+ shell, args, strerror(errno));
+ _exit(1);
+ } else if (pid == -1)
+ fatal("fork failed: %.100s", strerror(errno));
+ while (waitpid(pid, &status, 0) == -1)
+ if (errno != EINTR)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+
+ if (!WIFEXITED(status))
+ return (1);
+
+ return (WEXITSTATUS(status));
+}
diff --git a/sshconnect.h b/sshconnect.h
index 0be30fe69..e7c7a2b34 100644
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.17 2002/06/19 00:27:55 deraadt Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.18 2005/12/06 22:38:28 reyk Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -49,7 +49,7 @@ void ssh_userauth1(const char *, const char *, char *, Sensitive *);
 void ssh_userauth2(const char *, const char *, char *, Sensitive *);
 void ssh_put_password(char *);
-
+int ssh_local_cmd(const char *);
 /*
 * Macros to raise/lower permissions.
diff --git a/sshd.8 b/sshd.8
index c610f47b8..53eddcdfb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.208 2005/06/08 03:50:00 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.209 2005/12/06 22:38:28 reyk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
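Review bot: The shell used by `ssh_local_cmd()` does not match the new documentation: the code runs the command with `getenv("SHELL")` and only falls back to `_PATH_BSHELL`, whereas the LocalCommand entry in the ssh_config.5 hunk (L21) states that it is executed with `/bin/sh`; either use `_PATH_BSHELL` unconditionally or change the manual to say the user's shell. Separately, the child between `fork()` and `execl()` inherits every open descriptor and signal disposition of the connected ssh process, including the transport socket unless those are marked close-on-exec elsewhere (not visible here); resetting dispositions such as `signal(SIGPIPE, SIG_DFL);` before `execl` and stating the inheritance in the header comment would tighten this. The `/* Execute a local command */` header should also give the return contract: 1 when local commands are disabled, the argument is empty, or the child did not exit normally, otherwise the child's exit status.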
@@ -518,6 +518,12 @@ Multiple options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. +.It Cm tunnel="n" +Force a +.Xr tun 4 +device on the server. +Without this option, the next available device will be used if +the client requests a tunnel. .El .Ss Examples 1024 33 12121...312314325 ylo@foo.bar @@ -527,6 +533,8 @@ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi .Pp permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 +.Pp +tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== reyk@openbsd.org .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts diff --git a/sshd_config b/sshd_config index 1440c05ff..4957dd1a6 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $ +# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -96,6 +96,7 @@ #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 +#PermitTunnel no # no default banner path #Banner /some/path diff --git a/sshd_config.5 b/sshd_config.5 index 45c1c0131..3835fcd62 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.45 2005/09/21 23:36:54 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.46 2005/12/06 22:38:28 reyk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -502,6 +502,12 @@ All other authentication methods are disabled for root. If this option is set to .Dq no root is not allowed to log in. +.It Cm PermitTunnel +Specifies whether +.Xr tun 4 +device forwarding is allowed. +The default is +.Dq no . .It Cm PermitUserEnvironment Specifies whether .Pa ~/.ssh/environment -- cgit v1.2.3 From f0c8c15322fcb26911f9552e696810c3639f7341 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:29:58 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/07 10:52:13 [ssh.1] - avoid line split in SYNOPSIS - add args to -w - kill trailing whitespace --- ChangeLog | 8 ++++++-- ssh.1 | 10 ++++++---- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 337f70086..dd191651f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,11 +20,15 @@ except that it depends on the tun(4) network interface on both ends of the connection for layer 2 or layer 3 tunneling. This diff also adds support for LocalCommand in the ssh(1) client. - ok djm@, markus@, jmc@ (manpages), tested and discussed with others - djm@cvs.openbsd.org 2005/12/07 03:52:22 [clientloop.c] reyk forgot to compile with -Werror (missing header) + - jmc@cvs.openbsd.org 2005/12/07 10:52:13 + [ssh.1] + - avoid line split in SYNOPSIS + - add args to -w + - kill trailing whitespace 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed @@ -3417,4 +3421,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4020 2005/12/13 08:29:36 djm Exp $ +$Id: ChangeLog,v 1.4021 2005/12/13 08:30:05 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 8a55c2f64..246142319 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.215 2005/12/06 22:38:27 reyk Exp $ +.\" $OpenBSD: ssh.1,v 1.216 2005/12/07 10:52:13 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -77,9 +77,11 @@ .Sm on .Oc .Op Fl S Ar ctl_path -.Op Fl w Ar tunnel : tunnel +.Bk -words +.Op Fl w Ar tunnel : Ns Ar tunnel .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command +.Ek .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for @@ -302,7 +304,7 @@ options (see below). It also allows the cancellation of existing remote port-forwardings using .Fl KR Ar hostport . -The +The .Ic ! Ar command allows the user to execute a local command if the .Ic PermitLocalCommand @@ -877,7 +879,7 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. -.It Fl w +.It Fl w Ar tunnel : Ns Ar tunnel Requests a .Xr tun 4 device on the client and server like the -- cgit v1.2.3 From 4b2319fb85203fa07a90c9b36560a77080feb2ad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:30:27 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/08 14:59:44 [ssh.1 ssh_config.5] make `!command' a little clearer; ok reyk --- ChangeLog | 6 +++++- ssh.1 | 5 ++--- ssh_config.5 | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index dd191651f..35b1b7b38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ - avoid line split in SYNOPSIS - add args to -w - kill trailing whitespace + - jmc@cvs.openbsd.org 2005/12/08 14:59:44 + [ssh.1 ssh_config.5] + make `!command' a little clearer; + ok reyk 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed 
@@ -3421,4 +3425,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4021 2005/12/13 08:30:05 djm Exp $ +$Id: ChangeLog,v 1.4022 2005/12/13 08:30:27 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 246142319..9f89b9730 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.216 2005/12/07 10:52:13 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.217 2005/12/08 14:59:44 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -304,8 +304,7 @@ options (see below). It also allows the cancellation of existing remote port-forwardings using .Fl KR Ar hostport . -The -.Ic ! Ar command +.Ic !\& Ns Ar command allows the user to execute a local command if the .Ic PermitLocalCommand option is enabled in diff --git a/ssh_config.5 b/ssh_config.5 index d1930baab..440a6d71d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.65 2005/12/06 22:38:27 reyk Exp $ +.\" $OpenBSD: ssh_config.5,v 1.66 2005/12/08 14:59:44 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -640,7 +640,7 @@ Default is 22. Allow local command execution via the .Ic LocalCommand option or using the -.Ic ! Ar command +.Ic !\& Ns Ar command escape sequence in .Xr ssh 1 . The argument must be -- cgit v1.2.3 From d3877b995ac0e1245c70e520cc986aac99c901be Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Tue, 20 Dec 2005 16:09:36 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/16 18:07:08 [ssh.1] move the option descriptions up the page: start of a restructure; ok markus deraadt --- ChangeLog | 6 +- ssh.1 | 908 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 459 insertions(+), 455 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 8100e9745..04d851cf5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - reyk@cvs.openbsd.org 2005/12/13 15:03:02 [serverloop.c] if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY + - jmc@cvs.openbsd.org 2005/12/16 18:07:08 + [ssh.1] + move the option descriptions up the page: start of a restructure; + ok markus deraadt 20051219 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac @@ -3477,4 +3481,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4032 2005/12/20 05:08:42 dtucker Exp $ +$Id: ChangeLog,v 1.4033 2005/12/20 05:09:36 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 9f89b9730..c50bc1526 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.217 2005/12/08 14:59:44 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.218 2005/12/16 18:07:08 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -107,430 +107,132 @@ If is specified, .Ar command is executed on the remote host instead of a login shell. -.Ss SSH protocol version 1 -The first authentication method is the -.Em rhosts -or -.Em hosts.equiv -method combined with RSA-based host authentication. -If the machine the user logs in from is listed in -.Pa /etc/hosts.equiv -or -.Pa /etc/shosts.equiv -on the remote machine, and the user names are -the same on both sides, or if the files -.Pa ~/.rhosts -or -.Pa ~/.shosts -exist in the user's home directory on the -remote machine and contain a line containing the name of the client -machine and the name of the user on that machine, the user is -considered for log in. -Additionally, if the server can verify the client's -host key (see -.Pa /etc/ssh/ssh_known_hosts -and -.Pa ~/.ssh/known_hosts -in the -.Sx FILES -section), only then is login permitted. -This authentication method closes security holes due to IP -spoofing, DNS spoofing and routing spoofing. -[Note to the administrator: -.Pa /etc/hosts.equiv , -.Pa ~/.rhosts , -and the rlogin/rsh protocol in general, are inherently insecure and should be -disabled if security is desired.] .Pp -As a second authentication method, +The options are as follows: +.Bl -tag -width Ds +.It Fl 1 +Forces .Nm -supports RSA based authentication. -The scheme is based on public-key cryptography: there are cryptosystems -where encryption and decryption are done using separate keys, and it -is not possible to derive the decryption key from the encryption key. -RSA is one such system. -The idea is that each user creates a public/private -key pair for authentication purposes. -The server knows the public key, and only the user knows the private key. -.Pp -The file -.Pa ~/.ssh/authorized_keys -lists the public keys that are permitted for logging in. -When the user logs in, the +to try protocol version 1 only. +.It Fl 2 +Forces .Nm -program tells the server which key pair it would like to use for -authentication. 
-The server checks if this key is permitted, and if so, -sends the user (actually the +to try protocol version 2 only. +.It Fl 4 +Forces .Nm -program running on behalf of the user) a challenge, a random number, -encrypted by the user's public key. -The challenge can only be decrypted using the proper private key. -The user's client then decrypts the challenge using the private key, -proving that he/she knows the private key -but without disclosing it to the server. -.Pp +to use IPv4 addresses only. +.It Fl 6 +Forces .Nm -implements the RSA authentication protocol automatically. -The user creates his/her RSA key pair by running -.Xr ssh-keygen 1 . -This stores the private key in -.Pa ~/.ssh/identity -and stores the public key in -.Pa ~/.ssh/identity.pub -in the user's home directory. -The user should then copy the -.Pa identity.pub -to -.Pa ~/.ssh/authorized_keys -in his/her home directory on the remote machine (the -.Pa authorized_keys -file corresponds to the conventional -.Pa ~/.rhosts -file, and has one key -per line, though the lines can be very long). -After this, the user can log in without giving the password. +to use IPv6 addresses only. +.It Fl A +Enables forwarding of the authentication agent connection. +This can also be specified on a per-host basis in a configuration file. .Pp -The most convenient way to use RSA authentication may be with an -authentication agent. -See -.Xr ssh-agent 1 -for more information. +Agent forwarding should be enabled with caution. +Users with the ability to bypass file permissions on the remote host +(for the agent's Unix-domain socket) +can access the local agent through the forwarded connection. +An attacker cannot obtain key material from the agent, +however they can perform operations on the keys that enable them to +authenticate using the identities loaded into the agent. +.It Fl a +Disables forwarding of the authentication agent connection. 
+.It Fl b Ar bind_address +Use +.Ar bind_address +on the local machine as the source address +of the connection. +Only useful on systems with more than one address. +.It Fl C +Requests compression of all data (including stdin, stdout, stderr, and +data for forwarded X11 and TCP/IP connections). +The compression algorithm is the same used by +.Xr gzip 1 , +and the +.Dq level +can be controlled by the +.Cm CompressionLevel +option for protocol version 1. +Compression is desirable on modem lines and other +slow connections, but will only slow down things on fast networks. +The default value can be set on a host-by-host basis in the +configuration files; see the +.Cm Compression +option. +.It Fl c Ar cipher_spec +Selects the cipher specification for encrypting the session. .Pp -If other authentication methods fail, +Protocol version 1 allows specification of a single cipher. +The supported values are +.Dq 3des , +.Dq blowfish +and +.Dq des . +.Ar 3des +(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. +It is believed to be secure. +.Ar blowfish +is a fast block cipher; it appears very secure and is much faster than +.Ar 3des . +.Ar des +is only supported in the .Nm -prompts the user for a password. -The password is sent to the remote -host for checking; however, since all communications are encrypted, -the password cannot be seen by someone listening on the network. -.Ss SSH protocol version 2 -When a user connects using protocol version 2, -similar authentication methods are available. -Using the default values for -.Cm PreferredAuthentications , -the client will try to authenticate first using the hostbased method; -if this method fails, public key authentication is attempted, -and finally if this method fails, keyboard-interactive and -password authentication are tried. 
-.Pp -The public key method is similar to RSA authentication described -in the previous section and allows the RSA or DSA algorithm to be used: -The client uses his private key, -.Pa ~/.ssh/id_dsa -or -.Pa ~/.ssh/id_rsa , -to sign the session identifier and sends the result to the server. -The server checks whether the matching public key is listed in -.Pa ~/.ssh/authorized_keys -and grants access if both the key is found and the signature is correct. -The session identifier is derived from a shared Diffie-Hellman value -and is only known to the client and the server. -.Pp -If public key authentication fails or is not available, a password -can be sent encrypted to the remote host to prove the user's identity. +client for interoperability with legacy protocol 1 implementations +that do not support the +.Ar 3des +cipher. +Its use is strongly discouraged due to cryptographic weaknesses. +The default is +.Dq 3des . .Pp -Additionally, +For protocol version 2 +.Ar cipher_spec +is a comma-separated list of ciphers +listed in order of preference. +The supported ciphers are +.Dq 3des-cbc , +.Dq aes128-cbc , +.Dq aes192-cbc , +.Dq aes256-cbc , +.Dq aes128-ctr , +.Dq aes192-ctr , +.Dq aes256-ctr , +.Dq arcfour128 , +.Dq arcfour256 , +.Dq arcfour , +.Dq blowfish-cbc , +and +.Dq cast128-cbc . +The default is +.Bd -literal + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, + arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, + aes192-ctr,aes256-ctr'' +.Ed +.It Fl D Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Xc +Specifies a local +.Dq dynamic +application-level port forwarding. +This works by allocating a socket to listen to +.Ar port +on the local side, optionally bound to the specified +.Ar bind_address . +Whenever a connection is made to this port, the +connection is forwarded over the secure channel, and the application +protocol is then used to determine where to connect to from the +remote machine. 
+Currently the SOCKS4 and SOCKS5 protocols are supported, and .Nm -supports hostbased or challenge response authentication. -.Pp -Protocol 2 provides additional mechanisms for confidentiality -(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour) -and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). -Note that protocol 1 lacks a strong mechanism for ensuring the -integrity of the connection. -.Ss Login session and remote execution -When the user's identity has been accepted by the server, the server -either executes the given command, or logs into the machine and gives -the user a normal shell on the remote machine. -All communication with -the remote command or shell will be automatically encrypted. -.Pp -If a pseudo-terminal has been allocated (normal login session), the -user may use the escape characters noted below. -.Pp -If no pseudo-tty has been allocated, -the session is transparent and can be used to reliably transfer binary data. -On most systems, setting the escape character to -.Dq none -will also make the session transparent even if a tty is used. -.Pp -The session terminates when the command or shell on the remote -machine exits and all X11 and TCP/IP connections have been closed. -The exit status of the remote program is returned as the exit status of -.Nm ssh . -.Ss Escape Characters -When a pseudo-terminal has been requested, -.Nm -supports a number of functions through the use of an escape character. -.Pp -A single tilde character can be sent as -.Ic ~~ -or by following the tilde by a character other than those described below. -The escape character must always follow a newline to be interpreted as -special. -The escape character can be changed in configuration files using the -.Cm EscapeChar -configuration directive or on the command line by the -.Fl e -option. -.Pp -The supported escapes (assuming the default -.Ql ~ ) -are: -.Bl -tag -width Ds -.It Cm ~. -Disconnect. -.It Cm ~^Z -Background -.Nm ssh . 
-.It Cm ~# -List forwarded connections. -.It Cm ~& -Background -.Nm -at logout when waiting for forwarded connection / X11 sessions to terminate. -.It Cm ~? -Display a list of escape characters. -.It Cm ~B -Send a BREAK to the remote system -(only useful for SSH protocol version 2 and if the peer supports it). -.It Cm ~C -Open command line. -Currently this allows the addition of port forwardings using the -.Fl L -and -.Fl R -options (see below). -It also allows the cancellation of existing remote port-forwardings -using -.Fl KR Ar hostport . -.Ic !\& Ns Ar command -allows the user to execute a local command if the -.Ic PermitLocalCommand -option is enabled in -.Xr ssh_config 5 . -Basic help is available, using the -.Fl h -option. -.It Cm ~R -Request rekeying of the connection -(only useful for SSH protocol version 2 and if the peer supports it). -.El -.Ss X11 and TCP forwarding -If the -.Cm ForwardX11 -variable is set to -.Dq yes -(or see the description of the -.Fl X -and -.Fl x -options described later) -and the user is using X11 (the -.Ev DISPLAY -environment variable is set), the connection to the X11 display is -automatically forwarded to the remote side in such a way that any X11 -programs started from the shell (or command) will go through the -encrypted channel, and the connection to the real X server will be made -from the local machine. -The user should not manually set -.Ev DISPLAY . -Forwarding of X11 connections can be -configured on the command line or in configuration files. -.Pp -The -.Ev DISPLAY -value set by -.Nm -will point to the server machine, but with a display number greater than zero. -This is normal, and happens because -.Nm -creates a -.Dq proxy -X server on the server machine for forwarding the -connections over the encrypted channel. -.Pp -.Nm -will also automatically set up Xauthority data on the server machine. 
-For this purpose, it will generate a random authorization cookie, -store it in Xauthority on the server, and verify that any forwarded -connections carry this cookie and replace it by the real cookie when -the connection is opened. -The real authentication cookie is never -sent to the server machine (and no cookies are sent in the plain). -.Pp -If the -.Cm ForwardAgent -variable is set to -.Dq yes -(or see the description of the -.Fl A -and -.Fl a -options described later) and -the user is using an authentication agent, the connection to the agent -is automatically forwarded to the remote side. -.Pp -Forwarding of arbitrary TCP/IP connections over the secure channel can -be specified either on the command line or in a configuration file. -One possible application of TCP/IP forwarding is a secure connection to an -electronic purse; another is going through firewalls. -.Ss Server authentication -.Nm -automatically maintains and checks a database containing -identifications for all hosts it has ever been used with. -Host keys are stored in -.Pa ~/.ssh/known_hosts -in the user's home directory. -Additionally, the file -.Pa /etc/ssh/ssh_known_hosts -is automatically checked for known hosts. -Any new hosts are automatically added to the user's file. -If a host's identification ever changes, -.Nm -warns about this and disables password authentication to prevent a -trojan horse from getting the user's password. -Another purpose of this mechanism is to prevent man-in-the-middle attacks -which could otherwise be used to circumvent the encryption. -The -.Cm StrictHostKeyChecking -option can be used to prevent logins to machines whose -host key is not known or has changed. -.Pp -.Nm -can be configured to verify host identification using fingerprint resource -records (SSHFP) published in DNS. -The -.Cm VerifyHostKeyDNS -option can be used to control how DNS lookups are performed. -SSHFP resource records can be generated using -.Xr ssh-keygen 1 . 
-.Pp -The options are as follows: -.Bl -tag -width Ds -.It Fl 1 -Forces -.Nm -to try protocol version 1 only. -.It Fl 2 -Forces -.Nm -to try protocol version 2 only. -.It Fl 4 -Forces -.Nm -to use IPv4 addresses only. -.It Fl 6 -Forces -.Nm -to use IPv6 addresses only. -.It Fl A -Enables forwarding of the authentication agent connection. -This can also be specified on a per-host basis in a configuration file. -.Pp -Agent forwarding should be enabled with caution. -Users with the ability to bypass file permissions on the remote host -(for the agent's Unix-domain socket) -can access the local agent through the forwarded connection. -An attacker cannot obtain key material from the agent, -however they can perform operations on the keys that enable them to -authenticate using the identities loaded into the agent. -.It Fl a -Disables forwarding of the authentication agent connection. -.It Fl b Ar bind_address -Use -.Ar bind_address -on the local machine as the source address -of the connection. -Only useful on systems with more than one address. -.It Fl C -Requests compression of all data (including stdin, stdout, stderr, and -data for forwarded X11 and TCP/IP connections). -The compression algorithm is the same used by -.Xr gzip 1 , -and the -.Dq level -can be controlled by the -.Cm CompressionLevel -option for protocol version 1. -Compression is desirable on modem lines and other -slow connections, but will only slow down things on fast networks. -The default value can be set on a host-by-host basis in the -configuration files; see the -.Cm Compression -option. -.It Fl c Ar cipher_spec -Selects the cipher specification for encrypting the session. -.Pp -Protocol version 1 allows specification of a single cipher. -The supported values are -.Dq 3des , -.Dq blowfish -and -.Dq des . -.Ar 3des -(triple-des) is an encrypt-decrypt-encrypt triple with three different keys. -It is believed to be secure. 
-.Ar blowfish -is a fast block cipher; it appears very secure and is much faster than -.Ar 3des . -.Ar des -is only supported in the -.Nm -client for interoperability with legacy protocol 1 implementations -that do not support the -.Ar 3des -cipher. -Its use is strongly discouraged due to cryptographic weaknesses. -The default is -.Dq 3des . -.Pp -For protocol version 2 -.Ar cipher_spec -is a comma-separated list of ciphers -listed in order of preference. -The supported ciphers are -.Dq 3des-cbc , -.Dq aes128-cbc , -.Dq aes192-cbc , -.Dq aes256-cbc , -.Dq aes128-ctr , -.Dq aes192-ctr , -.Dq aes256-ctr , -.Dq arcfour128 , -.Dq arcfour256 , -.Dq arcfour , -.Dq blowfish-cbc , -and -.Dq cast128-cbc . -The default is -.Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, - arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, - aes192-ctr,aes256-ctr'' -.Ed -.It Fl D Xo -.Sm off -.Oo Ar bind_address : Oc -.Ar port -.Sm on -.Xc -Specifies a local -.Dq dynamic -application-level port forwarding. -This works by allocating a socket to listen to -.Ar port -on the local side, optionally bound to the specified -.Ar bind_address . -Whenever a connection is made to this port, the -connection is forwarded over the secure channel, and the application -protocol is then used to determine where to connect to from the -remote machine. -Currently the SOCKS4 and SOCKS5 protocols are supported, and -.Nm -will act as a SOCKS server. -Only root can forward privileged ports. -Dynamic port forwardings can also be specified in the configuration file. +will act as a SOCKS server. +Only root can forward privileged ports. +Dynamic port forwardings can also be specified in the configuration file. .Pp IPv6 addresses can be specified with an alternative syntax: .Sm off 
@@ -871,53 +573,351 @@ Display the version number and exit.
 Verbose mode.
 Causes
 .Nm
-to print debugging messages about its progress.
-This is helpful in
-debugging connection, authentication, and configuration problems.
-Multiple
-.Fl v
-options increase the verbosity.
-The maximum is 3.
-.It Fl w Ar tunnel : Ns Ar tunnel
-Requests a
-.Xr tun 4
-device on the client and server like the
-.Cm Tunnel
-directive in
-.Xr ssh_config 5 .
-.It Fl X
-Enables X11 forwarding.
-This can also be specified on a per-host basis in a configuration file.
+to print debugging messages about its progress.
+This is helpful in
+debugging connection, authentication, and configuration problems.
+Multiple
+.Fl v
+options increase the verbosity.
+The maximum is 3.
+.It Fl w Ar tunnel : Ns Ar tunnel
+Requests a
+.Xr tun 4
+device on the client and server like the
+.Cm Tunnel
+directive in
+.Xr ssh_config 5 .
+.It Fl X
+Enables X11 forwarding.
+This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.
+Users with the ability to bypass file permissions on the remote host
+(for the user's X authorization database)
+can access the local X11 display through the forwarded connection.
+An attacker may then be able to perform activities such as keystroke monitoring.
+.Pp
+For this reason, X11 forwarding is subjected to X11 SECURITY extension
+restrictions by default.
+Please refer to the
+.Nm
+.Fl Y
+option and the
+.Cm ForwardX11Trusted
+directive in
+.Xr ssh_config 5
+for more information.
+.It Fl x
+Disables X11 forwarding.
+.It Fl Y
+Enables trusted X11 forwarding.
+Trusted X11 forwardings are not subjected to the X11 SECURITY extension
+controls.
+.El
+.Ss SSH protocol version 1
+The first authentication method is the
+.Em rhosts
+or
+.Em hosts.equiv
+method combined with RSA-based host authentication.
+If the machine the user logs in from is listed in
+.Pa /etc/hosts.equiv
+or
+.Pa /etc/shosts.equiv
+on the remote machine, and the user names are
+the same on both sides, or if the files
+.Pa ~/.rhosts
+or
+.Pa ~/.shosts
+exist in the user's home directory on the
+remote machine and contain a line containing the name of the client
+machine and the name of the user on that machine, the user is
+considered for log in.
+Additionally, if the server can verify the client's
+host key (see
+.Pa /etc/ssh/ssh_known_hosts
+and
+.Pa ~/.ssh/known_hosts
+in the
+.Sx FILES
+section), only then is login permitted.
+This authentication method closes security holes due to IP
+spoofing, DNS spoofing and routing spoofing.
+[Note to the administrator:
+.Pa /etc/hosts.equiv ,
+.Pa ~/.rhosts ,
+and the rlogin/rsh protocol in general, are inherently insecure and should be
+disabled if security is desired.]
+.Pp
+As a second authentication method,
+.Nm
+supports RSA based authentication.
+The scheme is based on public-key cryptography: there are cryptosystems
+where encryption and decryption are done using separate keys, and it
+is not possible to derive the decryption key from the encryption key.
+RSA is one such system.
+The idea is that each user creates a public/private
+key pair for authentication purposes.
+The server knows the public key, and only the user knows the private key.
+.Pp
+The file
+.Pa ~/.ssh/authorized_keys
+lists the public keys that are permitted for logging in.
+When the user logs in, the
+.Nm
+program tells the server which key pair it would like to use for
+authentication.
+The server checks if this key is permitted, and if so,
+sends the user (actually the
+.Nm
+program running on behalf of the user) a challenge, a random number,
+encrypted by the user's public key.
+The challenge can only be decrypted using the proper private key.
+The user's client then decrypts the challenge using the private key,
+proving that he/she knows the private key
+but without disclosing it to the server.
+.Pp
+.Nm
+implements the RSA authentication protocol automatically.
+The user creates his/her RSA key pair by running
+.Xr ssh-keygen 1 .
+This stores the private key in
+.Pa ~/.ssh/identity
+and stores the public key in
+.Pa ~/.ssh/identity.pub
+in the user's home directory.
+The user should then copy the
+.Pa identity.pub
+to
+.Pa ~/.ssh/authorized_keys
+in his/her home directory on the remote machine (the
+.Pa authorized_keys
+file corresponds to the conventional
+.Pa ~/.rhosts
+file, and has one key
+per line, though the lines can be very long).
+After this, the user can log in without giving the password.
+.Pp
+The most convenient way to use RSA authentication may be with an
+authentication agent.
+See
+.Xr ssh-agent 1
+for more information.
+.Pp
+If other authentication methods fail,
+.Nm
+prompts the user for a password.
+The password is sent to the remote
+host for checking; however, since all communications are encrypted,
+the password cannot be seen by someone listening on the network.
+.Ss SSH protocol version 2
+When a user connects using protocol version 2,
+similar authentication methods are available.
+Using the default values for
+.Cm PreferredAuthentications ,
+the client will try to authenticate first using the hostbased method;
+if this method fails, public key authentication is attempted,
+and finally if this method fails, keyboard-interactive and
+password authentication are tried.
 .Pp
-X11 forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
-can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
+The public key method is similar to RSA authentication described
+in the previous section and allows the RSA or DSA algorithm to be used:
+The client uses his private key,
+.Pa ~/.ssh/id_dsa
+or
+.Pa ~/.ssh/id_rsa ,
+to sign the session identifier and sends the result to the server.
+The server checks whether the matching public key is listed in
+.Pa ~/.ssh/authorized_keys
+and grants access if both the key is found and the signature is correct.
+The session identifier is derived from a shared Diffie-Hellman value
+and is only known to the client and the server.
 .Pp
-For this reason, X11 forwarding is subjected to X11 SECURITY extension
-restrictions by default.
-Please refer to the
+If public key authentication fails or is not available, a password
+can be sent encrypted to the remote host to prove the user's identity.
+.Pp
+Additionally,
 .Nm
-.Fl Y
-option and the
-.Cm ForwardX11Trusted
-directive in
-.Xr ssh_config 5
-for more information.
-.It Fl x
-Disables X11 forwarding.
-.It Fl Y
-Enables trusted X11 forwarding.
-Trusted X11 forwardings are not subjected to the X11 SECURITY extension
-controls.
-.El
-.Sh CONFIGURATION FILES
+supports hostbased or challenge response authentication.
+.Pp
+Protocol 2 provides additional mechanisms for confidentiality
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
+Note that protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Ss Login session and remote execution
+When the user's identity has been accepted by the server, the server
+either executes the given command, or logs into the machine and gives
+the user a normal shell on the remote machine.
+All communication with
+the remote command or shell will be automatically encrypted.
+.Pp
+If a pseudo-terminal has been allocated (normal login session), the
+user may use the escape characters noted below.
+.Pp
+If no pseudo-tty has been allocated,
+the session is transparent and can be used to reliably transfer binary data.
+On most systems, setting the escape character to
+.Dq none
+will also make the session transparent even if a tty is used.
+.Pp
+The session terminates when the command or shell on the remote
+machine exits and all X11 and TCP/IP connections have been closed.
+The exit status of the remote program is returned as the exit status of
+.Nm ssh .
+.Pp
 .Nm
 may additionally obtain configuration data from
 a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
+.Ss Escape Characters
+When a pseudo-terminal has been requested,
+.Nm
+supports a number of functions through the use of an escape character.
+.Pp
+A single tilde character can be sent as
+.Ic ~~
+or by following the tilde by a character other than those described below.
+The escape character must always follow a newline to be interpreted as
+special.
+The escape character can be changed in configuration files using the
+.Cm EscapeChar
+configuration directive or on the command line by the
+.Fl e
+option.
+.Pp
+The supported escapes (assuming the default
+.Ql ~ )
+are:
+.Bl -tag -width Ds
+.It Cm ~.
+Disconnect.
+.It Cm ~^Z
+Background
+.Nm ssh .
+.It Cm ~#
+List forwarded connections.
+.It Cm ~&
+Background
+.Nm
+at logout when waiting for forwarded connection / X11 sessions to terminate.
+.It Cm ~?
+Display a list of escape characters.
+.It Cm ~B
+Send a BREAK to the remote system
+(only useful for SSH protocol version 2 and if the peer supports it).
+.It Cm ~C
+Open command line.
+Currently this allows the addition of port forwardings using the
+.Fl L
+and
+.Fl R
+options (see below).
+It also allows the cancellation of existing remote port-forwardings
+using
+.Fl KR Ar hostport .
+.Ic !\& Ns Ar command
+allows the user to execute a local command if the
+.Ic PermitLocalCommand
+option is enabled in
+.Xr ssh_config 5 .
+Basic help is available, using the
+.Fl h
+option.
+.It Cm ~R
+Request rekeying of the connection
+(only useful for SSH protocol version 2 and if the peer supports it).
+.El
+.Ss X11 and TCP forwarding
+If the
+.Cm ForwardX11
+variable is set to
+.Dq yes
+(or see the description of the
+.Fl X
+and
+.Fl x
+options described later)
+and the user is using X11 (the
+.Ev DISPLAY
+environment variable is set), the connection to the X11 display is
+automatically forwarded to the remote side in such a way that any X11
+programs started from the shell (or command) will go through the
+encrypted channel, and the connection to the real X server will be made
+from the local machine.
+The user should not manually set
+.Ev DISPLAY .
+Forwarding of X11 connections can be
+configured on the command line or in configuration files.
+.Pp
+The
+.Ev DISPLAY
+value set by
+.Nm
+will point to the server machine, but with a display number greater than zero.
+This is normal, and happens because
+.Nm
+creates a
+.Dq proxy
+X server on the server machine for forwarding the
+connections over the encrypted channel.
+.Pp
+.Nm
+will also automatically set up Xauthority data on the server machine.
+For this purpose, it will generate a random authorization cookie,
+store it in Xauthority on the server, and verify that any forwarded
+connections carry this cookie and replace it by the real cookie when
+the connection is opened.
+The real authentication cookie is never
+sent to the server machine (and no cookies are sent in the plain).
+.Pp
+If the
+.Cm ForwardAgent
+variable is set to
+.Dq yes
+(or see the description of the
+.Fl A
+and
+.Fl a
+options described later) and
+the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side.
+.Pp
+Forwarding of arbitrary TCP/IP connections over the secure channel can
+be specified either on the command line or in a configuration file.
+One possible application of TCP/IP forwarding is a secure connection to an
+electronic purse; another is going through firewalls.
+.Ss Server authentication
+.Nm
+automatically maintains and checks a database containing
+identifications for all hosts it has ever been used with.
+Host keys are stored in
+.Pa ~/.ssh/known_hosts
+in the user's home directory.
+Additionally, the file
+.Pa /etc/ssh/ssh_known_hosts
+is automatically checked for known hosts.
+Any new hosts are automatically added to the user's file.
+If a host's identification ever changes,
+.Nm
+warns about this and disables password authentication to prevent a
+trojan horse from getting the user's password.
+Another purpose of this mechanism is to prevent man-in-the-middle attacks
+which could otherwise be used to circumvent the encryption.
+The
+.Cm StrictHostKeyChecking
+option can be used to prevent logins to machines whose
+host key is not known or has changed.
+.Pp
+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
-- cgit v1.2.3
From ff9f484f45e919b54ec27f64f87c90627f100238 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Tue, 20 Dec 2005 16:10:09 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/16 18:08:53 [ssh.1] simplify a sentence;
---
 ChangeLog | 5 ++++-
 ssh.1 | 5 ++---
 2 files changed, 6 insertions(+), 4 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index 04d851cf5..4026257d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
 [ssh.1]
 move the option descriptions up the page: start of a restructure;
 ok markus deraadt
+ - jmc@cvs.openbsd.org 2005/12/16 18:08:53
+ [ssh.1]
+ simplify a sentence;
 20051219
 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
@@ -3481,4 +3484,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4033 2005/12/20 05:09:36 dtucker Exp $
+$Id: ChangeLog,v 1.4034 2005/12/20 05:10:09 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index c50bc1526..f09b95281 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.218 2005/12/16 18:07:08 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.219 2005/12/16 18:08:53 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -105,8 +105,7 @@ depending on the protocol version used.
 If
 .Ar command
 is specified,
-.Ar command
-is executed on the remote host instead of a login shell.
+it is executed on the remote host instead of a login shell.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-- cgit v1.2.3
From ff9f484f45e919b54ec27f64f87c90627f100238 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Tue, 20 Dec 2005 16:10:45 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/16 18:12:22 [ssh.1] make the description of -c a little nicer;
---
 ssh.1 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 (limited to 'ssh.1')
diff --git a/ssh.1 b/ssh.1
index f09b95281..1e46dab64 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.219 2005/12/16 18:08:53 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.220 2005/12/16 18:12:22 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -166,7 +166,7 @@ Selects the cipher specification for encrypting the session.
 Protocol version 1 allows specification of a single cipher.
 The supported values are
 .Dq 3des ,
-.Dq blowfish
+.Dq blowfish ,
 and
 .Dq des .
 .Ar 3des
@@ -204,11 +204,11 @@ The supported ciphers are
 .Dq blowfish-cbc ,
 and
 .Dq cast128-cbc .
-The default is
-.Bd -literal
- ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
- arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
- aes192-ctr,aes256-ctr''
+The default is:
+.Bd -literal -offset indent
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
+arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
+aes192-ctr,aes256-ctr
 .Ed
 .It Fl D Xo
 .Sm off
-- cgit v1.2.3
From 5434cfe3680541727dc7b89426ffb329a5141495 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Tue, 20 Dec 2005 16:11:35 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/16 18:14:40 [ssh.1] signpost the protocol sections;
---
 ChangeLog | 5 ++++-
 ssh.1 | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index 4026257d4..ed6e88550 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,9 @@
 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
 [ssh.1]
 simplify a sentence;
+ - jmc@cvs.openbsd.org 2005/12/16 18:14:40
+ [ssh.1]
+ signpost the protocol sections;
 20051219
 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
@@ -3484,4 +3487,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4034 2005/12/20 05:10:09 dtucker Exp $
+$Id: ChangeLog,v 1.4035 2005/12/20 05:11:35 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index 1e46dab64..31b614b1d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.220 2005/12/16 18:12:22 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.221 2005/12/16 18:14:40 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -100,7 +100,7 @@ connects and logs into the specified
 name).
 The user must prove his/her identity to the remote machine using one of
 several methods
-depending on the protocol version used.
+depending on the protocol version used (see below).
 .Pp
 If
 .Ar command
-- cgit v1.2.3
From c93a813802cc2a339bcf1dc41c60878a5b1c0373 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 24 Dec 2005 14:52:13 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/20 21:59:43 [ssh.1] merge the sections on protocols 1 and 2 into one section on authentication; feedback djm dtucker ok deraadt markus dtucker
---
 ChangeLog | 11 ++++-
 ssh.1 | 165 ++++++++++++++++++++++++++++++++++----------------------------
 2 files changed, 100 insertions(+), 76 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index 981ef5691..cfb73fc1f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+20051224
+ - (djm) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2005/12/20 21:59:43
+ [ssh.1]
+ merge the sections on protocols 1 and 2 into one section on
+ authentication;
+ feedback djm dtucker
+ ok deraadt markus dtucker
+
 20051220
 - (dtucker) OpenBSD CVS Sync
 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
@@ -3499,4 +3508,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4039 2005/12/20 05:15:51 dtucker Exp $
+$Id: ChangeLog,v 1.4040 2005/12/24 03:52:13 djm Exp $
diff --git a/ssh.1 b/ssh.1
index 31b614b1d..84bd62eb3 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.221 2005/12/16 18:14:40 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.222 2005/12/20 21:59:43 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -613,12 +613,38 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .El
-.Ss SSH protocol version 1
-The first authentication method is the
-.Em rhosts
-or
-.Em hosts.equiv
-method combined with RSA-based host authentication.
+.Sh AUTHENTICATION
+The OpenSSH SSH client supports OpenSSH protocols 1 and 2.
+Protocol 2 is the default, with
+.Nm
+falling back to protocol 1 if it detects protocol 2 is unsupported.
+These settings may be altered using the
+.Cm Protocol
+option in
+.Xr ssh_config 5 ,
+or enforced using the
+.Fl 1
+and
+.Fl 2
+options (see above).
+Both protocols support similar authentication methods,
+but protocol 2 is preferred since
+it provides additional mechanisms for confidentiality
+(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
+and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
+Protocol 1 lacks a strong mechanism for ensuring the
+integrity of the connection.
+.Pp
+The methods available for authentication are:
+host-based authentication,
+public key authentication,
+challenge-response authentication,
+and password authentication.
+Authentication methods are tried in the order specified above,
+though protocol 2 has a configuration option to change the default order:
+.Cm PreferredAuthentications .
+.Pp
+Host-based authentication works as follows:
 If the machine the user logs in from is listed in
 .Pa /etc/hosts.equiv
 or
@@ -631,33 +657,42 @@ or
 exist in the user's home directory on the
 remote machine and contain a line containing the name of the client
 machine and the name of the user on that machine, the user is
-considered for log in.
-Additionally, if the server can verify the client's
-host key (see
+considered for login.
+Additionally, the server
+.Em must
+be able to verify the client's
+host key (see the description of
 .Pa /etc/ssh/ssh_known_hosts
 and
-.Pa ~/.ssh/known_hosts
-in the
-.Sx FILES
-section), only then is login permitted.
+.Pa ~/.ssh/known_hosts ,
+below)
+for login to be permitted.
 This authentication method closes security holes due to IP
-spoofing, DNS spoofing and routing spoofing.
+spoofing, DNS spoofing, and routing spoofing.
 [Note to the administrator:
 .Pa /etc/hosts.equiv ,
 .Pa ~/.rhosts ,
 and the rlogin/rsh protocol in general, are inherently insecure and should be
 disabled if security is desired.]
 .Pp
-As a second authentication method,
-.Nm
-supports RSA based authentication.
-The scheme is based on public-key cryptography: there are cryptosystems
-where encryption and decryption are done using separate keys, and it
-is not possible to derive the decryption key from the encryption key.
-RSA is one such system.
+Public key authentication works as follows:
+The scheme is based on public-key cryptography,
+using cryptosystems
+where encryption and decryption are done using separate keys,
+and it is unfeasible to derive the decryption key from the encryption key.
 The idea is that each user creates a public/private
 key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
+.Nm
+implements public key authentication protocol automatically,
+using either the RSA or DSA algorithms.
+Protocol 1 is restricted to using only RSA keys,
+but protocol 2 may use either.
+The
+.Sx HISTORY
+section of
+.Xr ssl 8
+contains a brief discussion of the two algorithms.
 .Pp
 The file
 .Pa ~/.ssh/authorized_keys
@@ -666,84 +701,64 @@ When the user logs in, the
 .Nm
 program tells the server which key pair it would like to use for
 authentication.
-The server checks if this key is permitted, and if so,
-sends the user (actually the
-.Nm
-program running on behalf of the user) a challenge, a random number,
-encrypted by the user's public key.
-The challenge can only be decrypted using the proper private key.
-The user's client then decrypts the challenge using the private key,
-proving that he/she knows the private key
-but without disclosing it to the server.
+The client proves that it has access to the private key
+and the server checks that the corresponding public key
+is authorized to accept the account.
 .Pp
-.Nm
-implements the RSA authentication protocol automatically.
-The user creates his/her RSA key pair by running
+The user creates his/her key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
 .Pa ~/.ssh/identity
+(protocol 1),
+.Pa ~/.ssh/id_dsa
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa
+(protocol 2 RSA)
 and stores the public key in
 .Pa ~/.ssh/identity.pub
+(protocol 1),
+.Pa ~/.ssh/id_dsa.pub
+(protocol 2 DSA),
+or
+.Pa ~/.ssh/id_rsa.pub
+(protocol 2 RSA)
 in the user's home directory.
-The user should then copy the
-.Pa identity.pub
+The user should then copy the public key
 to
 .Pa ~/.ssh/authorized_keys
-in his/her home directory on the remote machine (the
+in his/her home directory on the remote machine.
+The
 .Pa authorized_keys
 file corresponds to the conventional
 .Pa ~/.rhosts
 file, and has one key
-per line, though the lines can be very long).
+per line, though the lines can be very long.
 After this, the user can log in without giving the password.
 .Pp
-The most convenient way to use RSA authentication may be with an
+The most convenient way to use public key authentication may be with an
 authentication agent.
 See
 .Xr ssh-agent 1
 for more information.
 .Pp
-If other authentication methods fail,
+Challenge-response authentication works as follows:
+The server sends an arbitrary
+.Qq challenge
+text, and prompts for a response.
+Protocol 2 allows multiple challenges and responses;
+protocol 1 is restricted to just one challenge/response.
+Examples of challenge-response authentication include
+BSD Authentication (see
+.Xr login.conf 5 )
+and PAM (some non-OpenBSD systems).
+.Pp
+Finally, if other authentication methods fail,
 .Nm
 prompts the user for a password.
 The password is sent to the remote
 host for checking; however, since all communications are encrypted,
 the password cannot be seen by someone listening on the network.
-.Ss SSH protocol version 2
-When a user connects using protocol version 2,
-similar authentication methods are available.
-Using the default values for
-.Cm PreferredAuthentications ,
-the client will try to authenticate first using the hostbased method;
-if this method fails, public key authentication is attempted,
-and finally if this method fails, keyboard-interactive and
-password authentication are tried.
-.Pp
-The public key method is similar to RSA authentication described
-in the previous section and allows the RSA or DSA algorithm to be used:
-The client uses his private key,
-.Pa ~/.ssh/id_dsa
-or
-.Pa ~/.ssh/id_rsa ,
-to sign the session identifier and sends the result to the server.
-The server checks whether the matching public key is listed in
-.Pa ~/.ssh/authorized_keys
-and grants access if both the key is found and the signature is correct.
-The session identifier is derived from a shared Diffie-Hellman value
-and is only known to the client and the server.
-.Pp
-If public key authentication fails or is not available, a password
-can be sent encrypted to the remote host to prove the user's identity.
-.Pp
-Additionally,
-.Nm
-supports hostbased or challenge response authentication.
-.Pp
-Protocol 2 provides additional mechanisms for confidentiality
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128 or Arcfour)
-and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
-Note that protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
 .Ss Login session and remote execution
 When the user's identity has been accepted by the server, the server
 either executes the given command, or logs into the machine and gives
-- cgit v1.2.3
From 52d2061ab09517e31d4a7cb548bd05e7b232647c Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 24 Dec 2005 14:52:36 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/20 22:02:50 [ssh.1] .Ss -> .Sh: subsections have not made this page more readable
---
 ChangeLog | 5 ++++-
 ssh.1 | 10 +++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index cfb73fc1f..a2a23c85d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
 authentication;
 feedback djm dtucker
 ok deraadt markus dtucker
+ - jmc@cvs.openbsd.org 2005/12/20 22:02:50
+ [ssh.1]
+ .Ss -> .Sh: subsections have not made this page more readable
 20051220
 - (dtucker) OpenBSD CVS Sync
@@ -3508,4 +3511,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4040 2005/12/24 03:52:13 djm Exp $
+$Id: ChangeLog,v 1.4041 2005/12/24 03:52:36 djm Exp $
diff --git a/ssh.1 b/ssh.1
index 84bd62eb3..1bd0d620e 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.222 2005/12/20 21:59:43 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.223 2005/12/20 22:02:50 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -759,7 +759,7 @@ prompts the user for a password.
 The password is sent to the remote
 host for checking; however, since all communications are encrypted,
 the password cannot be seen by someone listening on the network.
-.Ss Login session and remote execution
+.Sh LOGIN SESSION AND REMOTE EXECUTION
 When the user's identity has been accepted by the server, the server
 either executes the given command, or logs into the machine and gives
 the user a normal shell on the remote machine.
@@ -785,7 +785,7 @@ may additionally obtain configuration data from
 a per-user configuration file and a system-wide configuration file.
 The file format and configuration options are described in
 .Xr ssh_config 5 .
-.Ss Escape Characters
+.Sh ESCAPE CHARACTERS
 When a pseudo-terminal has been requested,
 .Nm
 supports a number of functions through the use of an escape character.
@@ -843,7 +843,7 @@ option.
 Request rekeying of the connection
 (only useful for SSH protocol version 2 and if the peer supports it).
 .El
-.Ss X11 and TCP forwarding
+.Sh X11 AND TCP FORWARDING
 If the
 .Cm ForwardX11
 variable is set to
@@ -902,7 +902,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can
 be specified either on the command line or in a configuration file.
 One possible application of TCP/IP forwarding is a secure connection to an
 electronic purse; another is going through firewalls.
-.Ss Server authentication
+.Sh SERVER AUTHENTICATION
 .Nm
 automatically maintains and checks a database containing
 identifications for all hosts it has ever been used with.
-- cgit v1.2.3
From e9b333a54494fbc51b76e6877d52ecb2ef8845fa Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 24 Dec 2005 14:53:04 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/20 22:09:41 [ssh.1] move info on ssh return values and config files up into the main description;
---
 ChangeLog | 6 +++++-
 ssh.1 | 24 +++++++++++-------------
 2 files changed, 16 insertions(+), 14 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index a2a23c85d..aaeeb0746 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
 [ssh.1]
 .Ss -> .Sh: subsections have not made this page more readable
+ - jmc@cvs.openbsd.org 2005/12/20 22:09:41
+ [ssh.1]
+ move info on ssh return values and config files up into the main
+ description;
 20051220
 - (dtucker) OpenBSD CVS Sync
@@ -3511,4 +3515,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4041 2005/12/24 03:52:36 djm Exp $
+$Id: ChangeLog,v 1.4042 2005/12/24 03:53:04 djm Exp $
diff --git a/ssh.1 b/ssh.1
index 1bd0d620e..caa78f4af 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.223 2005/12/20 22:02:50 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.224 2005/12/20 22:09:41 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -613,6 +613,16 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .El
+.Pp
+.Nm
+may additionally obtain configuration data from
+a per-user configuration file and a system-wide configuration file.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
+.Pp
+.Nm
+exits with the exit status of the remote command or with 255
+if an error occurred.
 .Sh AUTHENTICATION
 The OpenSSH SSH client supports OpenSSH protocols 1 and 2.
 Protocol 2 is the default, with
@@ -777,14 +787,6 @@ will also make the session transparent even if a tty is used.
 .Pp
 The session terminates when the command or shell on the remote
 machine exits and all X11 and TCP/IP connections have been closed.
-The exit status of the remote program is returned as the exit status of
-.Nm ssh .
-.Pp
-.Nm
-may additionally obtain configuration data from
-a per-user configuration file and a system-wide configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
 .Sh ESCAPE CHARACTERS
 When a pseudo-terminal has been requested,
 .Nm
@@ -1223,10 +1225,6 @@ Contains additional definitions for environment variables, see section
 .Sx ENVIRONMENT
 above.
 .El
-.Sh DIAGNOSTICS
-.Nm
-exits with the exit status of the remote command or with 255
-if an error occurred.
 .Sh SEE ALSO
 .Xr gzip 1 ,
 .Xr rsh 1 ,
-- cgit v1.2.3
From 329cb016386a7e5eaa839fc34e6e53c9428e76db Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 24 Dec 2005 14:53:23 +1100
Subject: - jmc@cvs.openbsd.org 2005/12/21 11:48:16 [ssh.1] -L and -R descriptions are now above, not below, ~C description;
---
 ChangeLog | 5 ++++-
 ssh.1 | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
 (limited to 'ssh.1')
diff --git a/ChangeLog b/ChangeLog
index aaeeb0746..cef2a84e9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,9 @@
 [ssh.1]
 move info on ssh return values and config files up into the main
 description;
+ - jmc@cvs.openbsd.org 2005/12/21 11:48:16
+ [ssh.1]
+ -L and -R descriptions are now above, not below, ~C description;
 20051220
 - (dtucker) OpenBSD CVS Sync
@@ -3515,4 +3518,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4042 2005/12/24 03:53:04 djm Exp $
+$Id: ChangeLog,v 1.4043 2005/12/24 03:53:23 djm Exp $
diff --git a/ssh.1 b/ssh.1
index caa78f4af..10d77e568 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.224 2005/12/20 22:09:41 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.225 2005/12/21 11:48:16 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -829,7 +829,7 @@ Currently this allows the addition of port forwardings using the .Fl L and .Fl R -options (see below). +options (see above). It also allows the cancellation of existing remote port-forwardings using .Fl KR Ar hostport . -- cgit v1.2.3 From 9a765b22b78d3e2d3102db094bc08a3ad33436bb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:53:44 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/21 11:57:25 [ssh.1] options now described `above', rather than `later'; --- ChangeLog | 5 ++++- ssh.1 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index cef2a84e9..3ebcd6ad5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - jmc@cvs.openbsd.org 2005/12/21 11:48:16 [ssh.1] -L and -R descriptions are now above, not below, ~C description; + - jmc@cvs.openbsd.org 2005/12/21 11:57:25 + [ssh.1] + options now described `above', rather than `later'; 20051220 - (dtucker) OpenBSD CVS Sync @@ -3518,4 +3521,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4043 2005/12/24 03:53:23 djm Exp $ +$Id: ChangeLog,v 1.4044 2005/12/24 03:53:44 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 10d77e568..2cf222234 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.225 2005/12/21 11:48:16 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.226 2005/12/21 11:57:25 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -854,7 +854,7 @@ variable is set to .Fl X and .Fl x -options described later) +options above) and the user is using X11 (the .Ev DISPLAY environment variable is set), the connection to the X11 display is @@ -896,7 +896,7 @@ variable is set to .Fl A and .Fl a -options described later) and +options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. .Pp -- cgit v1.2.3 From d7f308f6d8b3583d8c97fa71cfb9b10f07ee5418 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:55:16 +1100 Subject: - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 [sshd.8] clarify precedence of -p, Port, ListenAddress; ok and help jmc@ --- ChangeLog | 5 ++++- ssh.1 | 7 ++++--- sshd.8 | 10 +++++++--- 3 files changed, 15 insertions(+), 7 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 4fd581232..645feffc0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ [ssh.1] -Y does X11 forwarding too; ok markus + - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 + [sshd.8] + clarify precedence of -p, Port, ListenAddress; ok and help jmc@ 20051220 - (dtucker) OpenBSD CVS Sync @@ -3525,4 +3528,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4045 2005/12/24 03:54:03 djm Exp $ +$Id: ChangeLog,v 1.4046 2005/12/24 03:55:16 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 2cf222234..36abe684a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.226 2005/12/21 11:57:25 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.227 2005/12/21 12:53:31 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -851,9 +851,10 @@ If the variable is set to .Dq yes (or see the description of the -.Fl X +.Fl X , +.Fl x , and -.Fl x +.Fl Y options above) and the user is using X11 (the .Ev DISPLAY diff --git a/sshd.8 b/sshd.8 index 53eddcdfb..ee6e7d797 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.209 2005/12/06 22:38:28 reyk Exp $ +.\" $OpenBSD: sshd.8,v 1.210 2005/12/21 22:44:26 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -288,8 +288,12 @@ For full details of the options, and their values, see Specifies the port on which the server listens for connections (default 22). Multiple port options are permitted. -Ports specified in the configuration file are ignored when a -command-line port is specified. +Ports specified in the configuration file with the +.Cm Port +option are ignored when a command-line port is specified. +Ports specified using the +.Cm ListenAddress +option override command-line ports. .It Fl q Quiet mode. Nothing is sent to the system log. -- cgit v1.2.3 From cf1e342c6c10dc216ce165684bca058377c3b7e6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:56:04 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/22 11:23:42 [ssh.1] expand the description of -w somewhat; help/ok reyk --- ChangeLog | 6 +++++- ssh.1 | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 4072f14ba..37cd66bd9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ - jmc@cvs.openbsd.org 2005/12/22 10:31:40 [ssh_config.5] put the description of "UsePrivilegedPort" in the correct place; + - jmc@cvs.openbsd.org 2005/12/22 11:23:42 + [ssh.1] + expand the description of -w somewhat; + help/ok reyk 20051220 - (dtucker) OpenBSD CVS Sync 
@@ -3531,4 +3535,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4047 2005/12/24 03:55:47 djm Exp $ +$Id: ChangeLog,v 1.4048 2005/12/24 03:56:04 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 36abe684a..c42d74eba 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.227 2005/12/21 12:53:31 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.228 2005/12/22 11:23:42 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -582,7 +582,18 @@ The maximum is 3. .It Fl w Ar tunnel : Ns Ar tunnel Requests a .Xr tun 4 -device on the client and server like the +device on the client +(first +.Ar tunnel +arg) +and server +(second +.Ar tunnel +arg). +The devices may be specified by numerical ID or the keyword +.Dq any , +which uses the next available tunnel device. +See also the .Cm Tunnel directive in .Xr ssh_config 5 . -- cgit v1.2.3 From 2142ba0769a2ddd69bcde786a78e83045216acae Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:56:29 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/23 14:55:53 [ssh.1] - sync the description of -e w/ synopsis - simplify the description of -I - note that -I is only available if support compiled in, and that it isn't by default feedback/ok djm@ --- ChangeLog | 9 ++++++++- ssh.1 | 9 +++++---- 2 files changed, 13 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 37cd66bd9..4795f9a62 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -33,6 +33,13 @@ [ssh.1] expand the description of -w somewhat; help/ok reyk + - jmc@cvs.openbsd.org 2005/12/23 14:55:53 + [ssh.1] + - sync the description of -e w/ synopsis + - simplify the description of -I + - note that -I is only available if support compiled in, and that it + isn't by default + feedback/ok djm@ 20051220 - (dtucker) OpenBSD CVS Sync @@ -3535,4 +3542,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4048 2005/12/24 03:56:04 djm Exp $ +$Id: ChangeLog,v 1.4049 2005/12/24 03:56:29 djm Exp $ diff --git a/ssh.1 b/ssh.1 index c42d74eba..28633fff1 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.228 2005/12/22 11:23:42 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.229 2005/12/23 14:55:53 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -256,7 +256,7 @@ indicates that the listening port be bound for local use only, while an empty address or .Sq * indicates that the port should be available from all interfaces. -.It Fl e Ar ch | ^ch | none +.It Fl e Ar escape_char Sets the escape character for sessions with a pty (default: .Ql ~ ) . The escape character is only recognized at the beginning of a line. @@ -292,11 +292,12 @@ something like .It Fl g Allows remote hosts to connect to local forwarded ports. .It Fl I Ar smartcard_device -Specifies which smartcard device to use. -The argument is the device +Specify the device .Nm should use to communicate with a smartcard used for storing the user's private RSA key. +This option is only available if support for smartcard devices +is compiled in (default is no support). .It Fl i Ar identity_file Selects a file from which the identity (private key) for RSA or DSA authentication is read. -- cgit v1.2.3 
From 35978210462d089a53a3e4764b8fb21e1963acba Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Dec 2005 14:56:47 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/23 23:46:23 [ssh.1] less mark up for -c; --- ChangeLog | 5 ++++- ssh.1 | 30 +++++++++++++++--------------- 2 files changed, 19 insertions(+), 16 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 4795f9a62..aa210591e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - note that -I is only available if support compiled in, and that it isn't by default feedback/ok djm@ + - jmc@cvs.openbsd.org 2005/12/23 23:46:23 + [ssh.1] + less mark up for -c; 20051220 - (dtucker) OpenBSD CVS Sync @@ -3542,4 +3545,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4049 2005/12/24 03:56:29 djm Exp $ +$Id: ChangeLog,v 1.4050 2005/12/24 03:56:47 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 28633fff1..71baf45f5 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.229 2005/12/23 14:55:53 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.230 2005/12/23 23:46:23 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -186,24 +186,24 @@ Its use is strongly discouraged due to cryptographic weaknesses. The default is .Dq 3des . .Pp -For protocol version 2 +For protocol version 2, .Ar cipher_spec is a comma-separated list of ciphers listed in order of preference. -The supported ciphers are -.Dq 3des-cbc , -.Dq aes128-cbc , -.Dq aes192-cbc , -.Dq aes256-cbc , -.Dq aes128-ctr , -.Dq aes192-ctr , -.Dq aes256-ctr , -.Dq arcfour128 , -.Dq arcfour256 , -.Dq arcfour , -.Dq blowfish-cbc , +The supported ciphers are: +3des-cbc, +aes128-cbc, +aes192-cbc, +aes256-cbc, +aes128-ctr, +aes192-ctr, +aes256-ctr, +arcfour128, +arcfour256, +arcfour, +blowfish-cbc, and -.Dq cast128-cbc . +cast128-cbc. The default is: .Bd -literal -offset indent aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, -- cgit v1.2.3 From 88b25524b885885896e23e01e1aa873864ca7386 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 31 Dec 2005 16:23:15 +1100 Subject: - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 [ssh.1] document -MM; ok djm@ --- ChangeLog | 5 ++++- ssh.1 | 9 ++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 29f4b599a..94e3f6e5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ with the -b flag; based on a diff from john l. scarfone; ok djm + - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 + [ssh.1] + document -MM; ok djm@ 20051229 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd @@ -3568,4 +3571,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4055 2005/12/31 05:22:55 djm Exp $ +$Id: ChangeLog,v 1.4056 2005/12/31 05:23:15 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 71baf45f5..5ce1cfe70 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.230 2005/12/23 23:46:23 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -369,6 +369,13 @@ Places the client into .Dq master mode for connection sharing. +Multiple +.Fl M +options places +.Nm +into +.Dq master +mode with confirmation required before slave connections are accepted. Refer to the description of .Cm ControlMaster in -- cgit v1.2.3 From 48c94abf5b4d262ce4572c5b26d0ffdff8d25a87 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 2 Jan 2006 23:38:00 +1100 Subject: - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2005/12/31 10:46:17 [ssh.1] merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER AUTHENTICATION" sections into "AUTHENTICATION"; some rewording done to make the text read better, plus some improvements from djm; ok djm --- ChangeLog | 10 +++++++++- ssh.1 | 63 +++++++++++++++++++++++++++++++-------------------------------- 2 files changed, 40 insertions(+), 33 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 972b172ad..e5ec073ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 20060102 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/12/31 10:46:17 + [ssh.1] + merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER + AUTHENTICATION" sections into "AUTHENTICATION"; + some rewording done to make the text read better, plus some + improvements from djm; + ok djm 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] 
@@ -3590,4 +3598,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4063 2006/01/02 09:23:18 djm Exp $ +$Id: ChangeLog,v 1.4064 2006/01/02 12:38:00 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 5ce1cfe70..ce1eeb49a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -788,7 +788,36 @@ prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. -.Sh LOGIN SESSION AND REMOTE EXECUTION +.Pp +.Nm +automatically maintains and checks a database containing +identification for all hosts it has ever been used with. +Host keys are stored in +.Pa ~/.ssh/known_hosts +in the user's home directory. +Additionally, the file +.Pa /etc/ssh/ssh_known_hosts +is automatically checked for known hosts. +Any new hosts are automatically added to the user's file. +If a host's identification ever changes, +.Nm +warns about this and disables password authentication to prevent +server spoofing or man-in-the-middle attacks, +which could otherwise be used to circumvent the encryption. +The +.Cm StrictHostKeyChecking +option can be used to control logins to machines whose +host key is not known or has changed. +.Pp +.Nm +can be configured to verify host identification using fingerprint resource +records (SSHFP) published in DNS. +The +.Cm VerifyHostKeyDNS +option can be used to control how DNS lookups are performed. +SSHFP resource records can be generated using +.Xr ssh-keygen 1 . +.Pp When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. 
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. -.Sh SERVER AUTHENTICATION -.Nm -automatically maintains and checks a database containing -identifications for all hosts it has ever been used with. -Host keys are stored in -.Pa ~/.ssh/known_hosts -in the user's home directory. -Additionally, the file -.Pa /etc/ssh/ssh_known_hosts -is automatically checked for known hosts. -Any new hosts are automatically added to the user's file. -If a host's identification ever changes, -.Nm -warns about this and disables password authentication to prevent a -trojan horse from getting the user's password. -Another purpose of this mechanism is to prevent man-in-the-middle attacks -which could otherwise be used to circumvent the encryption. -The -.Cm StrictHostKeyChecking -option can be used to prevent logins to machines whose -host key is not known or has changed. -.Pp -.Nm -can be configured to verify host identification using fingerprint resource -records (SSHFP) published in DNS. -The -.Cm VerifyHostKeyDNS -option can be used to control how DNS lookups are performed. -SSHFP resource records can be generated using -.Xr ssh-keygen 1 . .Sh ENVIRONMENT .Nm will normally set the following environment variables: -- cgit v1.2.3 From 14af93ee770f90a15ace4fb4f15506ffee75fe17 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 2 Jan 2006 23:38:21 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/31 13:44:04 [ssh.1] clean up ENVIRONMENT a little; --- ChangeLog | 5 ++++- ssh.1 | 24 ++++++++++++++---------- 2 files changed, 18 insertions(+), 11 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index e5ec073ba..9f70be15b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,9 @@ some rewording done to make the text read better, plus some improvements from djm; ok djm + - jmc@cvs.openbsd.org 2005/12/31 13:44:04 + [ssh.1] + clean up ENVIRONMENT a little; 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] @@ -3598,4 +3601,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4064 2006/01/02 12:38:00 djm Exp $ +$Id: ChangeLog,v 1.4065 2006/01/02 12:38:21 djm Exp $ diff --git a/ssh.1 b/ssh.1 index ce1eeb49a..898379d94 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.233 2005/12/31 13:44:04 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -964,9 +964,12 @@ variable indicates the location of the X11 server. It is automatically set by .Nm to point to a value of the form -.Dq hostname:n -where hostname indicates -the host where the shell runs, and n is an integer \*(Ge 1. +.Dq hostname:n , +where +.Dq hostname +indicates the host where the shell runs, and +.Sq n +is an integer \*(Ge 1. .Nm uses this special value to forward X11 connections over the secure channel. 
@@ -1012,15 +1015,16 @@ may be necessary to redirect the input from .Pa /dev/null to make this work.) .It Ev SSH_AUTH_SOCK -Identifies the path of a unix-domain socket used to communicate with the -agent. +Identifies the path of a +.Ux Ns -domain +socket used to communicate with the agent. .It Ev SSH_CONNECTION Identifies the client and server ends of the connection. The variable contains -four space-separated values: client ip-address, client port number, -server ip-address and server port number. +four space-separated values: client IP address, client port number, +server IP address, and server port number. .It Ev SSH_ORIGINAL_COMMAND -The variable contains the original command line if a forced command +This variable contains the original command line if a forced command is executed. It can be used to extract the original arguments. .It Ev SSH_TTY @@ -1042,7 +1046,7 @@ reads .Pa ~/.ssh/environment , and adds lines of the format .Dq VARNAME=value -to the environment if the file exists and if users are allowed to +to the environment if the file exists and users are allowed to change their environment. For more information, see the .Cm PermitUserEnvironment -- cgit v1.2.3 From 1164c299f15ecf424960d9dbebe71c19c3cf4b53 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 2 Jan 2006 23:38:37 +1100 Subject: - jmc@cvs.openbsd.org 2005/12/31 13:45:19 [ssh.1] .Nm does not require an argument; --- ChangeLog | 5 ++++- ssh.1 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 9f70be15b..a1f0b7842 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - jmc@cvs.openbsd.org 2005/12/31 13:44:04 [ssh.1] clean up ENVIRONMENT a little; + - jmc@cvs.openbsd.org 2005/12/31 13:45:19 + [ssh.1] + .Nm does not require an argument; 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] 
@@ -3601,4 +3604,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4065 2006/01/02 12:38:21 djm Exp $ +$Id: ChangeLog,v 1.4066 2006/01/02 12:38:37 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 898379d94..2a8386dc4 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.233 2005/12/31 13:44:04 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.234 2005/12/31 13:45:19 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -859,7 +859,7 @@ are: Disconnect. .It Cm ~^Z Background -.Nm ssh . +.Nm . .It Cm ~# List forwarded connections. .It Cm ~& @@ -990,7 +990,7 @@ Set to the path of the user's mailbox. Set to the default .Ev PATH , as specified when compiling -.Nm ssh . +.Nm . .It Ev SSH_ASKPASS If .Nm -- cgit v1.2.3 From a07a59188a5a236c0fb8ef3fb8188ca3d6227458 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 2 Jan 2006 23:41:37 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/02 12:31:06 [ssh.1] start to cut some duplicate info from FILES; help/ok djm --- ChangeLog | 6 +++++- ssh.1 | 31 +++++++------------------------ 2 files changed, 12 insertions(+), 25 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 577123925..99b7aedcd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,10 @@ clarify tun(4) opening - set the mode and bring the interface up. also (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces. suggested and ok by djm@ + - jmc@cvs.openbsd.org 2006/01/02 12:31:06 + [ssh.1] + start to cut some duplicate info from FILES; + help/ok djm 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] 
@@ -3618,4 +3622,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4070 2006/01/02 12:41:21 djm Exp $ +$Id: ChangeLog,v 1.4071 2006/01/02 12:41:37 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 2a8386dc4..de9d9312f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.234 2005/12/31 13:45:19 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.235 2006/01/02 12:31:06 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1061,38 +1061,21 @@ in See .Xr sshd 8 . .It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa -Contains the authentication identity of the user. -They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. +Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). -Note that .Nm -ignores a private key file if it is accessible by others. +will simply ignore a private key file if it is accessible by others. It is possible to specify a passphrase when -generating the key; the passphrase will be used to encrypt the +generating the key which will be used to encrypt the sensitive part of this file using 3DES. .It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub -Contains the public key for authentication (public part of the -identity file in human-readable form). -The contents of the -.Pa ~/.ssh/identity.pub -file should be added to the file -.Pa ~/.ssh/authorized_keys -on all machines -where the user wishes to log in using protocol version 1 RSA authentication. -The contents of the -.Pa ~/.ssh/id_dsa.pub -and -.Pa ~/.ssh/id_rsa.pub -file should be added to -.Pa ~/.ssh/authorized_keys -on all machines -where the user wishes to log in using protocol version 2 DSA/RSA authentication. +Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone. -These files are -never used automatically and are not necessary; they are only provided for +They are +never used automatically and are not necessary: they are only provided for the convenience of the user. .It Pa ~/.ssh/config This is the per-user configuration file. -- cgit v1.2.3 From 7655f5cd9fe856bb833de92521d415b66bf4d5d4 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 6 Jan 2006 14:48:18 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/03 16:31:10 [ssh.1] move FILES to a -compact list, and make each files an item in that list. this avoids nastly line wrap when we have long pathnames, and treats each file as a separate item; remove the .Pa too, since it is useless. --- ChangeLog | 11 ++++++++++- ssh.1 | 52 ++++++++++++++++++++++++++++++++++++---------------- 2 files changed, 46 insertions(+), 17 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index f5e287dc4..021d06359 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20060106 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/03 16:31:10 + [ssh.1] + move FILES to a -compact list, and make each files an item in that list. + this avoids nastly line wrap when we have long pathnames, and treats + each file as a separate item; + remove the .Pa too, since it is useless. + 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3631,4 +3640,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4073 2006/01/03 20:27:50 djm Exp $ +$Id: ChangeLog,v 1.4074 2006/01/06 03:48:18 djm Exp $ diff --git a/ssh.1 b/ssh.1 index de9d9312f..e6204027f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.235 2006/01/02 12:31:06 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.236 2006/01/03 16:31:10 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1053,14 +1053,17 @@ For more information, see the option in .Xr sshd_config 5 . .Sh FILES -.Bl -tag -width Ds -.It Pa ~/.ssh/known_hosts +.Bl -tag -width Ds -compact +.It ~/.ssh/known_hosts Records host keys for all hosts the user has logged into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . -.It Pa ~/.ssh/identity, ~/.ssh/id_dsa, ~/.ssh/id_rsa +.Pp +.It ~/.ssh/identity +.It ~/.ssh/id_dsa +.It ~/.ssh/id_rsa Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not @@ -1070,20 +1073,25 @@ will simply ignore a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using 3DES. -.It Pa ~/.ssh/identity.pub, ~/.ssh/id_dsa.pub, ~/.ssh/id_rsa.pub +.Pp +.It ~/.ssh/identity.pub +.It ~/.ssh/id_dsa.pub +.It ~/.ssh/id_rsa.pub Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone. They are never used automatically and are not necessary: they are only provided for the convenience of the user. -.It Pa ~/.ssh/config +.Pp +.It ~/.ssh/config This is the per-user configuration file. The file format and configuration options are described in .Xr ssh_config 5 . Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. -.It Pa ~/.ssh/authorized_keys +.Pp +.It ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 
@@ -1093,7 +1101,8 @@ In the simplest form the format is the same as the identity files. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. -.It Pa /etc/ssh/ssh_known_hosts +.Pp +.It /etc/ssh/ssh_known_hosts Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the @@ -1116,11 +1125,15 @@ to verify the client host when logging in; other names are needed because does not convert the user-supplied name to a canonical name before checking the key, because someone with access to the name servers would then be able to fool host authentication. +.Pp .It Pa /etc/ssh/ssh_config Systemwide configuration file. The file format and configuration options are described in .Xr ssh_config 5 . -.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key +.Pp +.It /etc/ssh/ssh_host_key +.It /etc/ssh/ssh_host_dsa_key +.It /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys and are used for .Cm RhostsRSAAuthentication @@ -1143,7 +1156,8 @@ be setuid root when that authentication method is used. By default .Nm is not setuid root. -.It Pa ~/.rhosts +.Pp +.It ~/.rhosts This file is used in .Cm RhostsRSAAuthentication and @@ -1178,7 +1192,8 @@ The easiest way to do this is to connect back to the client from the server machine using ssh; this will automatically add the host key to .Pa ~/.ssh/known_hosts . -.It Pa ~/.shosts +.Pp +.It ~/.shosts This file is used exactly the same way as .Pa .rhosts . The purpose for @@ -1190,7 +1205,8 @@ authentication without permitting login with .Xr rlogin or .Xr rsh 1 . -.It Pa /etc/hosts.equiv +.Pp +.It /etc/hosts.equiv This file is used during .Cm RhostsRSAAuthentication and 
@@ -1205,20 +1221,23 @@ automatically permitted provided client and server user names are the same. Additionally, successful client host key authentication is required. This file should only be writable by root. -.It Pa /etc/shosts.equiv +.Pp +.It /etc/shosts.equiv This file is processed exactly as .Pa /etc/hosts.equiv . This file may be useful to permit logins using .Nm but not using rsh/rlogin. -.It Pa /etc/ssh/sshrc +.Pp +.It /etc/ssh/sshrc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is started. See the .Xr sshd 8 manual page for more information. -.It Pa ~/.ssh/rc +.Pp +.It ~/.ssh/rc Commands in this file are executed by .Nm when the user logs in just before the user's shell (or command) is @@ -1226,7 +1245,8 @@ started. See the .Xr sshd 8 manual page for more information. -.It Pa ~/.ssh/environment +.Pp +.It ~/.ssh/environment Contains additional definitions for environment variables, see section .Sx ENVIRONMENT above. -- cgit v1.2.3 From 6aa2290b0c57fb35125c03e99cfc017ee4730df9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:48:34 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/03 16:35:30 [ssh.1] use a larger width for the ENVIRONMENT list; --- ChangeLog | 5 ++++- ssh.1 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 021d06359..b5157efe9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ this avoids nastly line wrap when we have long pathnames, and treats each file as a separate item; remove the .Pa too, since it is useless. + - jmc@cvs.openbsd.org 2006/01/03 16:35:30 + [ssh.1] + use a larger width for the ENVIRONMENT list; 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ 
@@ -3640,4 +3643,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4074 2006/01/06 03:48:18 djm Exp $ +$Id: ChangeLog,v 1.4075 2006/01/06 03:48:34 djm Exp $ diff --git a/ssh.1 b/ssh.1 index e6204027f..bf6e7cb4a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.236 2006/01/03 16:31:10 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.237 2006/01/03 16:35:30 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -956,7 +956,7 @@ electronic purse; another is going through firewalls. .Sh ENVIRONMENT .Nm will normally set the following environment variables: -.Bl -tag -width LOGNAME +.Bl -tag -width "SSH_ORIGINAL_COMMAND" .It Ev DISPLAY The .Ev DISPLAY -- cgit v1.2.3 From fb8ea74116bebb5cf68b1c346604895bd16c45e5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:48:52 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/03 16:52:36 [ssh.1] put FILES in some sort of order: sort by pathname --- ChangeLog | 5 +- ssh.1 | 234 +++++++++++++++++++++++++++++++------------------------------- 2 files changed, 121 insertions(+), 118 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index b5157efe9..df3e17d21 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - jmc@cvs.openbsd.org 2006/01/03 16:35:30 [ssh.1] use a larger width for the ENVIRONMENT list; + - jmc@cvs.openbsd.org 2006/01/03 16:52:36 + [ssh.1] + put FILES in some sort of order: sort by pathname 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3643,4 +3646,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4075 2006/01/06 03:48:34 djm Exp $ +$Id: ChangeLog,v 1.4076 2006/01/06 03:48:52 djm Exp $ 
diff --git a/ssh.1 b/ssh.1
index bf6e7cb4a..6042633df 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.237 2006/01/03 16:35:30 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.238 2006/01/03 16:52:36 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -1054,109 +1054,6 @@ option in
 .Xr sshd_config 5 .
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It ~/.ssh/known_hosts
-Records host keys for all hosts the user has logged into that are not
-in
-.Pa /etc/ssh/ssh_known_hosts .
-See
-.Xr sshd 8 .
-.Pp
-.It ~/.ssh/identity
-.It ~/.ssh/id_dsa
-.It ~/.ssh/id_rsa
-Contains the private key for authentication.
-These files
-contain sensitive data and should be readable by the user but not
-accessible by others (read/write/execute).
-.Nm
-will simply ignore a private key file if it is accessible by others.
-It is possible to specify a passphrase when
-generating the key which will be used to encrypt the
-sensitive part of this file using 3DES.
-.Pp
-.It ~/.ssh/identity.pub
-.It ~/.ssh/id_dsa.pub
-.It ~/.ssh/id_rsa.pub
-Contains the public key for authentication.
-These files are not
-sensitive and can (but need not) be readable by anyone.
-They are
-never used automatically and are not necessary: they are only provided for
-the convenience of the user.
-.Pp
-.It ~/.ssh/config
-This is the per-user configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
-.Pp
-.It ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-The format of this file is described in the
-.Xr sshd 8
-manual page.
-In the simplest form the format is the same as the
-.Pa .pub
-identity files.
-This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.Pp
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-This file should be world-readable.
-This file contains
-public keys, one per line, in the following format (fields separated
-by spaces): system name, public key and optional comment field.
-When different names are used
-for the same machine, all such names should be listed, separated by
-commas.
-The format is described in the
-.Xr sshd 8
-manual page.
-.Pp
-The canonical system name (as returned by name servers) is used by
-.Xr sshd 8
-to verify the client host when logging in; other names are needed because
-.Nm
-does not convert the user-supplied name to a canonical name before
-checking the key, because someone with access to the name servers
-would then be able to fool host authentication.
-.Pp
-.It Pa /etc/ssh/ssh_config
-Systemwide configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-.Pp
-.It /etc/ssh/ssh_host_key
-.It /etc/ssh/ssh_host_dsa_key
-.It /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys
-and are used for
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication .
-If the protocol version 1
-.Cm RhostsRSAAuthentication
-method is used,
-.Nm
-must be setuid root, since the host key is readable only by root.
-For protocol version 2,
-.Nm
-uses
-.Xr ssh-keysign 8
-to access the host keys for
-.Cm HostbasedAuthentication .
-This eliminates the requirement that
-.Nm
-be setuid root when that authentication method is used.
-By default
-.Nm
-is not setuid root.
-.Pp
 .It ~/.rhosts
 This file is used in
 .Cm RhostsRSAAuthentication
@@ -1206,6 +1103,68 @@ authentication without permitting login with
 or
 .Xr rsh 1 .
 .Pp
+.It ~/.ssh/authorized_keys
+Lists the public keys (RSA/DSA) that can be used for logging in as this user.
+The format of this file is described in the
+.Xr sshd 8
+manual page.
+In the simplest form the format is the same as the
+.Pa .pub
+identity files.
+This file is not highly sensitive, but the recommended
+permissions are read/write for the user, and not accessible by others.
+.Pp
+.It ~/.ssh/config
+This is the per-user configuration file.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
+Because of the potential for abuse, this file must have strict permissions:
+read/write for the user, and not accessible by others.
+.Pp
+.It ~/.ssh/environment
+Contains additional definitions for environment variables, see section
+.Sx ENVIRONMENT
+above.
+.Pp
+.It ~/.ssh/identity
+.It ~/.ssh/id_dsa
+.It ~/.ssh/id_rsa
+Contains the private key for authentication.
+These files
+contain sensitive data and should be readable by the user but not
+accessible by others (read/write/execute).
+.Nm
+will simply ignore a private key file if it is accessible by others.
+It is possible to specify a passphrase when
+generating the key which will be used to encrypt the
+sensitive part of this file using 3DES.
+.Pp
+.It ~/.ssh/identity.pub
+.It ~/.ssh/id_dsa.pub
+.It ~/.ssh/id_rsa.pub
+Contains the public key for authentication.
+These files are not
+sensitive and can (but need not) be readable by anyone.
+They are
+never used automatically and are not necessary: they are only provided for
+the convenience of the user.
+.Pp
+.It ~/.ssh/known_hosts
+Records host keys for all hosts the user has logged into that are not
+in
+.Pa /etc/ssh/ssh_known_hosts .
+See
+.Xr sshd 8 .
+.Pp
+.It ~/.ssh/rc
+Commands in this file are executed by
+.Nm
+when the user logs in just before the user's shell (or command) is
+started.
+See the
+.Xr sshd 8
+manual page for more information.
+.Pp
 .It /etc/hosts.equiv
 This file is used during
 .Cm RhostsRSAAuthentication
@@ -1229,27 +1188,68 @@ This file may be useful to permit logins using
 .Nm
 but not using rsh/rlogin.
 .Pp
-.It /etc/ssh/sshrc
-Commands in this file are executed by
+.It Pa /etc/ssh/ssh_config
+Systemwide configuration file.
+The file format and configuration options are described in
+.Xr ssh_config 5 .
+.Pp
+.It /etc/ssh/ssh_host_key
+.It /etc/ssh/ssh_host_dsa_key
+.It /etc/ssh/ssh_host_rsa_key
+These three files contain the private parts of the host keys
+and are used for
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication .
+If the protocol version 1
+.Cm RhostsRSAAuthentication
+method is used,
 .Nm
-when the user logs in just before the user's shell (or command) is started.
-See the
+must be setuid root, since the host key is readable only by root.
+For protocol version 2,
+.Nm
+uses
+.Xr ssh-keysign 8
+to access the host keys for
+.Cm HostbasedAuthentication .
+This eliminates the requirement that
+.Nm
+be setuid root when that authentication method is used.
+By default
+.Nm
+is not setuid root.
+.Pp
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+This file should be world-readable.
+This file contains
+public keys, one per line, in the following format (fields separated
+by spaces): system name, public key and optional comment field.
+When different names are used
+for the same machine, all such names should be listed, separated by
+commas.
+The format is described in the
 .Xr sshd 8
-manual page for more information.
+manual page.
 .Pp
-.It ~/.ssh/rc
+The canonical system name (as returned by name servers) is used by
+.Xr sshd 8
+to verify the client host when logging in; other names are needed because
+.Nm
+does not convert the user-supplied name to a canonical name before
+checking the key, because someone with access to the name servers
+would then be able to fool host authentication.
+.Pp +.It /etc/ssh/sshrc Commands in this file are executed by .Nm -when the user logs in just before the user's shell (or command) is -started. +when the user logs in just before the user's shell (or command) is started. See the .Xr sshd 8 manual page for more information. -.Pp -.It ~/.ssh/environment -Contains additional definitions for environment variables, see section -.Sx ENVIRONMENT -above. .El .Sh SEE ALSO .Xr gzip 1 , -- cgit v1.2.3 From 4c102eede39e71cf6a32b9cca6149ed67f6178aa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:49:17 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/03 16:55:18 [ssh.1] tweak the description of ~/.ssh/environment --- ChangeLog | 5 ++++- ssh.1 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index df3e17d21..1784bd131 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - jmc@cvs.openbsd.org 2006/01/03 16:52:36 [ssh.1] put FILES in some sort of order: sort by pathname + - jmc@cvs.openbsd.org 2006/01/03 16:55:18 + [ssh.1] + tweak the description of ~/.ssh/environment 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3646,4 +3649,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4076 2006/01/06 03:48:52 djm Exp $ +$Id: ChangeLog,v 1.4077 2006/01/06 03:49:17 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 6042633df..27a51b690 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.238 2006/01/03 16:52:36 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.239 2006/01/03 16:55:18 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1122,8 +1122,8 @@ Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others. .Pp .It ~/.ssh/environment -Contains additional definitions for environment variables, see section -.Sx ENVIRONMENT +Contains additional definitions for environment variables; see +.Sx ENVIRONMENT , above. .Pp .It ~/.ssh/identity -- cgit v1.2.3 From 1bcdb50a3dd315178ad889070d0313e3a3e5ff04 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:49:38 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/04 18:42:46 [ssh.1] chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES entries; ok markus --- ChangeLog | 7 ++++++- ssh.1 | 69 ++++++++++++--------------------------------------------------- 2 files changed, 19 insertions(+), 57 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 1784bd131..281faccab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,11 @@ - jmc@cvs.openbsd.org 2006/01/03 16:55:18 [ssh.1] tweak the description of ~/.ssh/environment + - jmc@cvs.openbsd.org 2006/01/04 18:42:46 + [ssh.1] + chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES + entries; + ok markus 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3649,4 +3654,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4077 2006/01/06 03:49:17 djm Exp $ +$Id: ChangeLog,v 1.4078 2006/01/06 03:49:38 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 27a51b690..d2f6f11e5 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.239 2006/01/03 16:55:18 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.240 2006/01/04 18:42:46 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1055,19 +1055,9 @@ option in .Sh FILES .Bl -tag -width Ds -compact .It ~/.rhosts -This file is used in -.Cm RhostsRSAAuthentication -and -.Cm HostbasedAuthentication -authentication to list the -host/user pairs that are permitted to log in. -(Note that this file is -also used by rlogin and rsh, which makes using this file insecure.) -Each line of the file contains a host name (in the canonical form -returned by name servers), and then a user name on that host, -separated by a space. +This file is used for host-based authentication (see above). On some machines this file may need to be -world-readable if the user's home directory is on a NFS partition, +world-readable if the user's home directory is on an NFS partition, because .Xr sshd 8 reads it as root. @@ -1077,31 +1067,11 @@ The recommended permission for most machines is read/write for the user, and not accessible by others. .Pp -Note that -.Xr sshd 8 -allows authentication only in combination with client host key -authentication before permitting log in. -If the server machine does not have the client's host key in -.Pa /etc/ssh/ssh_known_hosts , -it can be stored in -.Pa ~/.ssh/known_hosts . -The easiest way to do this is to -connect back to the client from the server machine using ssh; this -will automatically add the host key to -.Pa ~/.ssh/known_hosts . -.Pp .It ~/.shosts -This file is used exactly the same way as -.Pa .rhosts . -The purpose for -having this file is to be able to use -.Cm RhostsRSAAuthentication -and -.Cm HostbasedAuthentication -authentication without permitting login with -.Xr rlogin -or -.Xr rsh 1 . +This file is used in exactly the same way as +.Pa .rhosts , +but allows host-based authentication without permitting login with +rlogin/rsh. .Pp .It ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. 
@@ -1166,27 +1136,14 @@ See the manual page for more information. .Pp .It /etc/hosts.equiv -This file is used during -.Cm RhostsRSAAuthentication -and -.Cm HostbasedAuthentication -authentication. -It contains -canonical hosts names, one per line (the full format is described in the -.Xr sshd 8 -manual page). -If the client host is found in this file, login is -automatically permitted provided client and server user names are the -same. -Additionally, successful client host key authentication is required. -This file should only be writable by root. +This file is for host-based authentication (see above). +It should only be writable by root. .Pp .It /etc/shosts.equiv -This file is processed exactly as -.Pa /etc/hosts.equiv . -This file may be useful to permit logins using -.Nm -but not using rsh/rlogin. +This file is used in exactly the same way as +.Pa hosts.equiv , +but allows host-based authentication without permitting login with +rlogin/rsh. .Pp .It Pa /etc/ssh/ssh_config Systemwide configuration file. -- cgit v1.2.3 From a246d3b9b25d2b0ea3f71972e11553fd7b70517f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:49:54 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/04 18:45:01 [ssh.1] remove .Xr's to rsh(1) and telnet(1): they are hardly needed; --- ChangeLog | 5 ++++- ssh.1 | 4 +--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 281faccab..c3e9d8851 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES entries; ok markus + - jmc@cvs.openbsd.org 2006/01/04 18:45:01 + [ssh.1] + remove .Xr's to rsh(1) and telnet(1): they are hardly needed; 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ 
@@ -3654,4 +3657,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4078 2006/01/06 03:49:38 djm Exp $ +$Id: ChangeLog,v 1.4079 2006/01/06 03:49:54 djm Exp $ diff --git a/ssh.1 b/ssh.1 index d2f6f11e5..ef4b3ff4c 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.240 2006/01/04 18:42:46 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.241 2006/01/04 18:45:01 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1210,13 +1210,11 @@ manual page for more information. .El .Sh SEE ALSO .Xr gzip 1 , -.Xr rsh 1 , .Xr scp 1 , .Xr sftp 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr telnet 1 , .Xr hosts.equiv 5 , .Xr ssh_config 5 , .Xr ssh-keysign 8 , -- cgit v1.2.3 From 128a0f114d2c0db4e4e94f055f591e79708f9990 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:50:11 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/04 19:40:24 [ssh.1] +.Xr ssh-keyscan 1 , --- ChangeLog | 5 ++++- ssh.1 | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index c3e9d8851..fe17d953d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - jmc@cvs.openbsd.org 2006/01/04 18:45:01 [ssh.1] remove .Xr's to rsh(1) and telnet(1): they are hardly needed; + - jmc@cvs.openbsd.org 2006/01/04 19:40:24 + [ssh.1] + +.Xr ssh-keyscan 1 , 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3657,4 +3660,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4079 2006/01/06 03:49:54 djm Exp $ +$Id: ChangeLog,v 1.4080 2006/01/06 03:50:11 djm Exp $ diff --git a/ssh.1 b/ssh.1 index ef4b3ff4c..510cf6b69 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.241 2006/01/04 18:45:01 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.242 2006/01/04 19:40:24 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1215,6 +1215,7 @@ manual page for more information. .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , +.Xr ssh-keyscan 1 , .Xr hosts.equiv 5 , .Xr ssh_config 5 , .Xr ssh-keysign 8 , -- cgit v1.2.3 From c27f83a63c818b04f957a3225d6781526084c481 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 6 Jan 2006 14:50:26 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/04 19:50:09 [ssh.1] -.Xr gzip 1 , --- ChangeLog | 5 ++++- ssh.1 | 3 +-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index fe17d953d..08c2183d8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - jmc@cvs.openbsd.org 2006/01/04 19:40:24 [ssh.1] +.Xr ssh-keyscan 1 , + - jmc@cvs.openbsd.org 2006/01/04 19:50:09 + [ssh.1] + -.Xr gzip 1 , 20060103 - (djm) [channels.c] clean up harmless merge error, from reyk@ @@ -3660,4 +3663,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4080 2006/01/06 03:50:11 djm Exp $ +$Id: ChangeLog,v 1.4081 2006/01/06 03:50:26 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 510cf6b69..789e94733 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.242 2006/01/04 19:40:24 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.243 2006/01/04 19:50:09 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1209,7 +1209,6 @@ See the manual page for more information. .El .Sh SEE ALSO -.Xr gzip 1 , .Xr scp 1 , .Xr sftp 1 , .Xr ssh-add 1 , -- cgit v1.2.3 
From e87eb4ce3ce4711b94a72d729352c240047f17c1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:08:36 +1100 Subject: - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2006/01/06 13:27:32 [ssh.1] weed out some duplicate info in the known_hosts FILES entries; ok djm --- ChangeLog | 9 ++++++++- ssh.1 | 30 ++++++++---------------------- 2 files changed, 16 insertions(+), 23 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 612612b4a..462328c18 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20060114 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/06 13:27:32 + [ssh.1] + weed out some duplicate info in the known_hosts FILES entries; + ok djm + 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on tcpip service so it's always started after IP is up. Patch from @@ -3674,4 +3681,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4083 2006/01/09 13:02:44 dtucker Exp $ +$Id: ChangeLog,v 1.4084 2006/01/13 23:08:36 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 789e94733..cfe1655e6 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.243 2006/01/04 19:50:09 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.244 2006/01/06 13:27:32 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1120,11 +1120,11 @@ never used automatically and are not necessary: they are only provided for the convenience of the user. .Pp .It ~/.ssh/known_hosts -Records host keys for all hosts the user has logged into that are not -in -.Pa /etc/ssh/ssh_known_hosts . +Contains a list of host keys for all hosts the user has logged into +that are not already in the systemwide list of known host keys. See -.Xr sshd 8 . +.Xr sshd 8 +for further details of the format of this file. .Pp .It ~/.ssh/rc Commands in this file are executed by @@ -1181,24 +1181,10 @@ Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. -This file should be world-readable. -This file contains -public keys, one per line, in the following format (fields separated -by spaces): system name, public key and optional comment field. -When different names are used -for the same machine, all such names should be listed, separated by -commas. -The format is described in the -.Xr sshd 8 -manual page. -.Pp -The canonical system name (as returned by name servers) is used by +It should be world-readable. +See .Xr sshd 8 -to verify the client host when logging in; other names are needed because -.Nm -does not convert the user-supplied name to a canonical name before -checking the key, because someone with access to the name servers -would then be able to fool host authentication. +for further details of the format of this file. .Pp .It /etc/ssh/sshrc Commands in this file are executed by -- cgit v1.2.3 From 7e76e1f101cf672df9ca1822f2a04cb4289df519 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:08:57 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/06 13:29:10 [ssh.1] final round of whacking FILES for duplicate info, and some consistency fixes; ok djm --- ChangeLog | 7 ++++++- ssh.1 | 25 ++++++++----------------- 2 files changed, 14 insertions(+), 18 deletions(-) (limited to 'ssh.1') 
diff --git a/ChangeLog b/ChangeLog index 462328c18..e453cd43c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [ssh.1] weed out some duplicate info in the known_hosts FILES entries; ok djm + - jmc@cvs.openbsd.org 2006/01/06 13:29:10 + [ssh.1] + final round of whacking FILES for duplicate info, and some consistency + fixes; + ok djm 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on @@ -3681,4 +3686,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4084 2006/01/13 23:08:36 djm Exp $ +$Id: ChangeLog,v 1.4085 2006/01/13 23:08:57 djm Exp $ diff --git a/ssh.1 b/ssh.1 index cfe1655e6..0ebe177f5 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.244 2006/01/06 13:27:32 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.245 2006/01/06 13:29:10 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1078,9 +1078,6 @@ Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. -In the simplest form the format is the same as the -.Pa .pub -identity files. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .Pp @@ -1129,7 +1126,7 @@ for further details of the format of this file. .It ~/.ssh/rc Commands in this file are executed by .Nm -when the user logs in just before the user's shell (or command) is +when the user logs in, just before the user's shell (or command) is started. See the .Xr sshd 8 
@@ -1154,24 +1151,18 @@ The file format and configuration options are described in .It /etc/ssh/ssh_host_dsa_key .It /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys -and are used for -.Cm RhostsRSAAuthentication -and -.Cm HostbasedAuthentication . -If the protocol version 1 -.Cm RhostsRSAAuthentication -method is used, +and are used for host-based authentication. +If protocol version 1 is used, .Nm must be setuid root, since the host key is readable only by root. For protocol version 2, .Nm uses .Xr ssh-keysign 8 -to access the host keys for -.Cm HostbasedAuthentication . -This eliminates the requirement that +to access the host keys, +eliminating the requirement that .Nm -be setuid root when that authentication method is used. +be setuid root when host-based authentication is used. By default .Nm is not setuid root. @@ -1189,7 +1180,7 @@ for further details of the format of this file. .It /etc/ssh/sshrc Commands in this file are executed by .Nm -when the user logs in just before the user's shell (or command) is started. +when the user logs in, just before the user's shell (or command) is started. See the .Xr sshd 8 manual page for more information. -- cgit v1.2.3 From f31771810cf89a3e687112e71264be266012b2de Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:09:13 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/12 14:44:12 [ssh.1] split sections on tcp and x11 forwarding into two sections. add an example in the tcp section, based on sth i wrote for ssh faq; help + ok: djm markus dtucker --- ChangeLog | 7 ++++++- ssh.1 | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 68 insertions(+), 8 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index e453cd43c..51f05cac2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -9,6 +9,11 @@ final round of whacking FILES for duplicate info, and some consistency fixes; ok djm + - jmc@cvs.openbsd.org 2006/01/12 14:44:12 + [ssh.1] + split sections on tcp and x11 forwarding into two sections. + add an example in the tcp section, based on sth i wrote for ssh faq; + help + ok: djm markus dtucker 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on @@ -3686,4 +3691,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4085 2006/01/13 23:08:57 djm Exp $ +$Id: ChangeLog,v 1.4086 2006/01/13 23:09:13 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 0ebe177f5..c15cfc319 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.245 2006/01/06 13:29:10 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.246 2006/01/12 14:44:12 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -893,7 +893,67 @@ option. Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it). .El -.Sh X11 AND TCP FORWARDING +.Sh TCP FORWARDING +Forwarding of arbitrary TCP connections over the secure channel can +be specified either on the command line or in a configuration file. +One possible application of TCP forwarding is a secure connection to a +mail server; another is going through firewalls. +.Pp +In the example below, we look at encrypting communication between +an IRC client and server, even though the IRC server does not directly +support encrypted communications. +This works as follows: +the user connects to the remote host using +.Nm , +specifying a port to be used to forward connections +to the remote server. +After that it is possible to start the service which is to be encrypted +on the client machine, +connecting to the same local port, +and +.Nm +will encrypt and forward the connection. +.Pp +The following example tunnels an IRC session from client machine +.Dq 127.0.0.1 +(localhost) +to remote server +.Dq server.example.com : +.Bd -literal -offset 4n +$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10 +$ irc -c '#users' -p 1234 pinky 127.0.0.1 +.Ed +.Pp +This tunnels a connection to IRC server +.Dq server.example.com , +joining channel +.Dq #users , +nickname +.Dq pinky , +using port 1234. +It doesn't matter which port is used, +as long as it's greater than 1023 +(remember, only root can open sockets on privileged ports) +and doesn't conflict with any ports already in use. +The connection is forwarded to port 6667 on the remote server, +since that's the standard port for IRC services. +.Pp +The +.Fl f +option backgrounds +.Nm +and the remote command +.Dq sleep 10 +is specified to allow an amount of time +(10 seconds, in the example) +to start the service which is to be tunnelled. +If no connections are made within the time specified, +.Nm +will exit. 
+Once opened, +a SSH connection will remain active +until all actively forwarded connections have closed. +.Sh X11 FORWARDING If the .Cm ForwardX11 variable is set to @@ -948,11 +1008,6 @@ and options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. -.Pp -Forwarding of arbitrary TCP/IP connections over the secure channel can -be specified either on the command line or in a configuration file. -One possible application of TCP/IP forwarding is a secure connection to an -electronic purse; another is going through firewalls. .Sh ENVIRONMENT .Nm will normally set the following environment variables: -- cgit v1.2.3 From 8bfaf93f607ab97ed09a9247bbf23ca82ffcf75e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:09:30 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/12 18:48:48 [ssh.1] refer to `TCP' rather than `TCP/IP' in the context of connection forwarding; ok markus --- ChangeLog | 7 ++++++- ssh.1 | 8 ++++---- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 51f05cac2..b562035ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,11 @@ split sections on tcp and x11 forwarding into two sections. add an example in the tcp section, based on sth i wrote for ssh faq; help + ok: djm markus dtucker + - jmc@cvs.openbsd.org 2006/01/12 18:48:48 + [ssh.1] + refer to `TCP' rather than `TCP/IP' in the context of connection + forwarding; + ok markus 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on @@ -3691,4 +3696,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4086 2006/01/13 23:09:13 djm Exp $ +$Id: ChangeLog,v 1.4087 2006/01/13 23:09:30 djm Exp $ diff --git a/ssh.1 b/ssh.1 index c15cfc319..b430ff823 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.246 2006/01/12 14:44:12 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.247 2006/01/12 18:48:48 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -89,7 +89,7 @@ executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. -X11 connections and arbitrary TCP/IP ports +X11 connections and arbitrary TCP ports can also be forwarded over the secure channel. .Pp .Nm @@ -146,7 +146,7 @@ of the connection. Only useful on systems with more than one address. .It Fl C Requests compression of all data (including stdin, stdout, stderr, and -data for forwarded X11 and TCP/IP connections). +data for forwarded X11 and TCP connections). The compression algorithm is the same used by .Xr gzip 1 , and the @@ -834,7 +834,7 @@ On most systems, setting the escape character to will also make the session transparent even if a tty is used. .Pp The session terminates when the command or shell on the remote -machine exits and all X11 and TCP/IP connections have been closed. +machine exits and all X11 and TCP connections have been closed. .Sh ESCAPE CHARACTERS When a pseudo-terminal has been requested, .Nm -- cgit v1.2.3 From 4a8dc9e2974063b51da3c5c9e6732f64362a783a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 14 Jan 2006 10:10:31 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/12 22:34:12 [ssh.1] back out a sentence - AUTHENTICATION already documents this; --- ChangeLog | 5 ++++- ssh.1 | 5 +---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 18b9ec375..8cb8fd131 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -25,6 +25,9 @@ - jmc@cvs.openbsd.org 2006/01/12 22:26:02 [ssh_config.5] refer to TCP forwarding, rather than TCP/IP forwarding; + - jmc@cvs.openbsd.org 2006/01/12 22:34:12 + [ssh.1] + back out a sentence - AUTHENTICATION already documents this; 20060109 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on @@ -3702,4 +3705,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4089 2006/01/13 23:10:17 djm Exp $ +$Id: ChangeLog,v 1.4090 2006/01/13 23:10:31 djm Exp $ diff --git a/ssh.1 b/ssh.1 index b430ff823..59694822a 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.247 2006/01/12 18:48:48 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.248 2006/01/12 22:34:12 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -950,9 +950,6 @@ to start the service which is to be tunnelled. If no connections are made within the time specified, .Nm will exit. -Once opened, -a SSH connection will remain active -until all actively forwarded connections have closed. .Sh X11 FORWARDING If the .Cm ForwardX11 -- cgit v1.2.3 From 94299ec251c84fb07329f3322cd5d6390d70eb7d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 20 Jan 2006 11:30:14 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/15 17:37:05 [ssh.1] correction from deraadt --- ChangeLog | 8 +++++++- ssh.1 | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 8cb8fd131..d550404a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20060120 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/01/15 17:37:05 + [ssh.1] + correction from deraadt + 20060114 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2006/01/06 13:27:32 
@@ -3705,4 +3711,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4090 2006/01/13 23:10:31 djm Exp $ +$Id: ChangeLog,v 1.4091 2006/01/20 00:30:14 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 59694822a..59ec74b3f 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.248 2006/01/12 22:34:12 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.249 2006/01/15 17:37:05 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -643,7 +643,7 @@ The file format and configuration options are described in exits with the exit status of the remote command or with 255 if an error occurred. .Sh AUTHENTICATION -The OpenSSH SSH client supports OpenSSH protocols 1 and 2. +The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the default, with .Nm falling back to protocol 1 if it detects protocol 2 is unsupported. -- cgit v1.2.3 From 248dd13c4686bcf1c1b29533a7f5c2e4264083cf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 20 Jan 2006 11:30:58 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/18 10:53:29 [ssh.1] add a section on ssh-based vpn, based on reyk's README.tun; --- ChangeLog | 5 ++++- ssh.1 | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 56 insertions(+), 2 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index d550404a7..ea78b6504 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - jmc@cvs.openbsd.org 2006/01/15 17:37:05 [ssh.1] correction from deraadt + - jmc@cvs.openbsd.org 2006/01/18 10:53:29 + [ssh.1] + add a section on ssh-based vpn, based on reyk's README.tun; 20060114 - (djm) OpenBSD CVS Sync 
@@ -3711,4 +3714,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4091 2006/01/20 00:30:14 dtucker Exp $ +$Id: ChangeLog,v 1.4092 2006/01/20 00:30:58 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index 59ec74b3f..661e8f962 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.249 2006/01/15 17:37:05 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.250 2006/01/18 10:53:29 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -1005,6 +1005,56 @@ and options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. +.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS +.Nm +contains support for Virtual Private Network (VPN) tunnelling +using the +.Xr tun 4 +network pseudo-device, +allowing two networks to be joined securely. +The +.Xr sshd_config 5 +configuration option +.Cm PermitTunnel +controls whether the server supports this, +and at what level (layer 2 or 3 traffic). +.Pp +The following example would connect client network 10.0.50.0/24 +with remote network 10.0.99.0/24, provided that the SSH server +running on the gateway to the remote network, +at 192.168.1.15, allows it: +.Bd -literal -offset indent +# ssh -f -w 0:1 192.168.1.15 true +# ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252 +.Ed +.Pp +Client access may be more finely tuned via the +.Pa /root/.ssh/authorized_keys +file (see below) and the +.Cm PermitRootLogin +server option. +The following entry would permit connections on the first +.Xr tun 4 +device from user +.Dq jane +and on the second device from user +.Dq john , +if +.Cm PermitRootLogin +is set to +.Dq forced-commands-only : +.Bd -literal -offset 2n +tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane +tunnel="2",command="sh /etc/netstart tun1" ssh-rsa ... john +.Ed +.Pp +Since a SSH-based setup entails a fair amount of overhead, +it may be more suited to temporary setups, +such as for wireless VPNs. +More permanent VPNs are better provided by tools such as +.Xr ipsecctl 8 +and +.Xr isakmpd 8 . .Sh ENVIRONMENT .Nm will normally set the following environment variables: @@ -1244,6 +1294,7 @@ manual page for more information. .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , +.Xr tun 4 , .Xr hosts.equiv 5 , .Xr ssh_config 5 , .Xr ssh-keysign 8 , -- cgit v1.2.3 From 62388b2b63394c6a6ee44271426a13de5e0ce827 Mon Sep 17 00:00:00 2001 
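Review bot: The second authorized_keys entry in the VPN example looks inconsistent with its own `tunnel=` option: it restricts john to tunnel device 2 but runs `sh /etc/netstart tun1`, the same forced command as jane's tunnel-1 entry, so the command would configure the wrong interface for john's connection; `tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john` is what the prose ("on the second device from user john") describes. Since these keys live in `/root/.ssh/authorized_keys` under `PermitRootLogin forced-commands-only`, the `command=` option is the control that limits what each key can do on the gateway, and one sentence saying so, e.g. `The command= option restricts each key to bringing up its tunnel rather than running arbitrary commands as root.`, would make the example's security model explicit. `Since a SSH-based setup` should read `Since an SSH-based setup`.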
From: Darren Tucker Date: Fri, 20 Jan 2006 11:31:47 +1100 Subject: - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 [scp.1 ssh.1 ssh_config.5 sftp.1] Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ --- ChangeLog | 6 +++++- scp.1 | 3 ++- sftp.1 | 3 ++- ssh.1 | 3 ++- ssh_config.5 | 17 ++++++++++++++++- 5 files changed, 27 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index ea78b6504..5fa01b32d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - jmc@cvs.openbsd.org 2006/01/18 10:53:29 [ssh.1] add a section on ssh-based vpn, based on reyk's README.tun; + - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 + [scp.1 ssh.1 ssh_config.5 sftp.1] + Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot + #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ 20060114 - (djm) OpenBSD CVS Sync @@ -3714,4 +3718,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4092 2006/01/20 00:30:58 dtucker Exp $ +$Id: ChangeLog,v 1.4093 2006/01/20 00:31:47 dtucker Exp $ diff --git a/scp.1 b/scp.1 index b5191e318..d9b1f8e8f 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -152,6 +152,7 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It PubkeyAuthentication +.It RekeyLimit .It RhostsRSAAuthentication .It RSAAuthentication .It SendEnv diff --git a/sftp.1 b/sftp.1 index 6b500596c..47aafa89e 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.62 2005/12/30 16:59:00 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller. All rights reserved.
 .\"
@@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv
diff --git a/ssh.1 b/ssh.1
index 661e8f962..3fe142dc1 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.250 2006/01/18 10:53:29 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.251 2006/01/20 00:14:55 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -477,6 +477,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RekeyLimit
 .It RemoteForward
 .It RhostsRSAAuthentication
 .It RSAAuthentication
diff --git a/ssh_config.5 b/ssh_config.5
index e8186a988..790c9b204 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.74 2006/01/12 22:26:02 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.75 2006/01/20 00:14:55 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -718,6 +718,21 @@ or The default is .Dq yes . This option applies to protocol version 2 only. +.It Cm RekeyLimit +Specifies the maximum amount of data that may be transmitted before the +session key will be renegotiated. +The argument is the number of bytes, with an optional suffix of +.Dq K , +.Dq M , +or +.Dq G +to indicate Kilobytes, Megabytes, or Gigabytes, respectively. +The default is between +.Dq 1G +and +.Dq 4G , +depending on the cipher. +Note that this option applies to protocol version 2 only. .It Cm RemoteForward Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. -- cgit v1.2.3 From bbc59094b95aee8456918c35a8138179d34008a1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 31 Jan 2006 21:46:51 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/26 08:47:56 [ssh.1] add a section on verifying host keys in dns; written with a lot of help from jakob; feedback dtucker/markus; ok markus --- ChangeLog | 8 +++++++- ssh.1 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 58 insertions(+), 11 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 9229652e8..f38e515fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,12 @@ - jmc@cvs.openbsd.org 2006/01/25 09:07:22 [sshd.8] move subsections to full sections; + - jmc@cvs.openbsd.org 2006/01/26 08:47:56 + [ssh.1] + add a section on verifying host keys in dns; + written with a lot of help from jakob; + feedback dtucker/markus; + ok markus 20060129 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the @@ -3737,4 +3743,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4097 2006/01/31 10:46:20 djm Exp $ +$Id: ChangeLog,v 1.4098 2006/01/31 10:46:51 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 3fe142dc1..309782879 100644 --- a/ssh.1 +++ b/ssh.1 
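Review bot: The new RekeyLimit entry does not say which direction the byte count covers: `transmitted` suggests only outbound data, but an administrator choosing a conservative limit needs to know whether received data also counts toward renegotiation, and I cannot tell from this page which it is, so the description should state it one way or the other. It also gives the mechanism without the reason to lower the default; a sentence such as `Renegotiating the session key bounds the amount of data protected under a single key, at the cost of an extra key exchange.` would let readers weigh the trade-off. The enclosing option list continues outside this hunk.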
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.251 2006/01/20 00:14:55 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.252 2006/01/26 08:47:56 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -810,15 +810,6 @@ The option can be used to control logins to machines whose host key is not known or has changed. .Pp -.Nm -can be configured to verify host identification using fingerprint resource -records (SSHFP) published in DNS. -The -.Cm VerifyHostKeyDNS -option can be used to control how DNS lookups are performed. -SSHFP resource records can be generated using -.Xr ssh-keygen 1 . -.Pp When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. 
@@ -1006,6 +997,56 @@ and options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side. +.Sh VERIFYING HOST KEYS +When connecting to a server for the first time, +a fingerprint of the server's public key is presented to the user +(unless the option +.Cm StrictHostKeyChecking +has been disabled). +Fingerprints can be determined using +.Xr ssh-keygen 1 : +.Pp +.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key +.Pp +If the fingerprint is already known, +it can be matched and verified, +and the key can be accepted. +If the fingerprint is unknown, +an alternative method of verification is available: +SSH fingerprints verified by DNS. +An additional resource record (RR), +SSHFP, +is added to a zonefile +and the connecting client is able to match the fingerprint +with that of the key presented. +.Pp +In this example, we are connecting a client to a server, +.Dq host.example.com . +The SSHFP resource records should first be added to the zonefile for +host.example.com: +.Bd -literal -offset indent +$ ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -r host.example.com. +$ ssh-keygen -f /etc/ssh/ssh_host_dsa_key.pub -r host.example.com. +.Ed +.Pp +The output lines will have to be added to the zonefile. +To check that the zone is answering fingerprint queries: +.Pp +.Dl $ dig -t SSHFP host.example.com +.Pp +Finally the client connects: +.Bd -literal -offset indent +$ ssh -o "VerifyHostKeyDNS ask" host.example.com +[...] +Matching host key fingerprint found in DNS. +Are you sure you want to continue connecting (yes/no)? +.Ed +.Pp +See the +.Cm VerifyHostKeyDNS +option in +.Xr ssh_config 5 +for more information. .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS .Nm contains support for Virtual Private Network (VPN) tunnelling -- cgit v1.2.3 From b5dd55cccc7096d3db59378bba44920183f34110 Mon Sep 17 00:00:00 2001 
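Review bot: The DNS path in the new VERIFYING HOST KEYS section stops at the prompt shown in the example without saying what makes `Matching host key fingerprint found in DNS.` trustworthy, so a reader may take an unauthenticated DNS answer as equivalent to an out-of-band fingerprint check. Presumably the client only treats an SSHFP match as authoritative when the resolver validates the answer (DNSSEC); a sentence after the `dig -t SSHFP` check such as `Unless the DNS answer is validated (for example via DNSSEC), an SSHFP match only corroborates the fingerprint and should not replace verification through another channel.` would make that explicit. If that caveat belongs with `VerifyHostKeyDNS` in ssh_config(5), which is outside this hunk, the closing cross-reference should at least say that the option's trust in DNS is conditional.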
From: Damien Miller Date: Tue, 31 Jan 2006 21:47:58 +1100 Subject: - jmc@cvs.openbsd.org 2006/01/30 13:37:49 [ssh.1] remove an incorrect sentence; reported by roumen petrov; ok djm markus --- ChangeLog | 7 ++++++- ssh.1 | 5 +---- 2 files changed, 7 insertions(+), 5 deletions(-) (limited to 'ssh.1') diff --git a/ChangeLog b/ChangeLog index 879ac1065..51c272248 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,11 @@ mark channel as write failed or dead instead of read failed on error of the channel output filter. ok markus@ + - jmc@cvs.openbsd.org 2006/01/30 13:37:49 + [ssh.1] + remove an incorrect sentence; + reported by roumen petrov; + ok djm markus 20060129 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the @@ -3748,4 +3753,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4099 2006/01/31 10:47:15 djm Exp $ +$Id: ChangeLog,v 1.4100 2006/01/31 10:47:58 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 309782879..f4c677628 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.252 2006/01/26 08:47:56 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.253 2006/01/30 13:37:49 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -1256,9 +1256,6 @@ sensitive part of this file using 3DES. Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone. -They are -never used automatically and are not necessary: they are only provided for -the convenience of the user. .Pp .It ~/.ssh/known_hosts Contains a list of host keys for all hosts the user has logged into -- cgit v1.2.3