Import of OpenSSH 3.5p1

[gssapi-openssh.git] / openssh / sshd.8

diff --git a/openssh/sshd.8 b/openssh/sshd.8
index 37a7b58f6f35c71d64f03e5ce03a7608924152d0..22ab70e0021e50715e354627ab7a0b49f38259d0 100644 (file)
--- a/openssh/sshd.8
+++ b/openssh/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd.8,v 1.186 2002/06/22 16:45:29 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $

 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os


@@ -203,7 +203,7 @@ The default is
 refuses to start if there is no configuration file.
 .It Fl g Ar login_grace_time
 Gives the grace time for clients to authenticate themselves (default
 refuses to start if there is no configuration file.
 .It Fl g Ar login_grace_time
 Gives the grace time for clients to authenticate themselves (default

-600 seconds).
+120 seconds).

 If the client fails to authenticate the user within
 this many seconds, the server disconnects and exits.
 A value of zero indicates no limit.
 If the client fails to authenticate the user within
 this many seconds, the server disconnects and exits.
 A value of zero indicates no limit.


@@ -350,7 +350,11 @@ Sets up basic environment.
 .It
 Reads
 .Pa $HOME/.ssh/environment
 .It
 Reads
 .Pa $HOME/.ssh/environment

-if it exists.
+if it exists and users are allowed to change their environment.
+See the
+.Cm PermitUserEnvironment
+option in
+.Xr sshd_config 5 .

 .It
 Changes to user's home directory.
 .It
 .It
 Changes to user's home directory.
 .It


@@ -385,9 +389,9 @@ Each RSA public key consists of the following fields, separated by
 spaces: options, bits, exponent, modulus, comment.
 Each protocol version 2 public key consists of:
 options, keytype, base64 encoded key, comment.
 spaces: options, bits, exponent, modulus, comment.
 Each protocol version 2 public key consists of:
 options, keytype, base64 encoded key, comment.

-The options fields
-are optional; its presence is determined by whether the line starts
-with a number or not (the option field never starts with a number).
+The options field
+is optional; its presence is determined by whether the line starts
+with a number or not (the options field never starts with a number).

 The bits, exponent, modulus and comment fields give the RSA key for
 protocol version 1; the
 comment field is not used for anything (but may be convenient for the
 The bits, exponent, modulus and comment fields give the RSA key for
 protocol version 1; the
 comment field is not used for anything (but may be convenient for the


@@ -398,7 +402,7 @@ or
 .Dq ssh-rsa .
 .Pp
 Note that lines in this file are usually several hundred bytes long
 .Dq ssh-rsa .
 .Pp
 Note that lines in this file are usually several hundred bytes long

-(because of the size of the RSA key modulus).
+(because of the size of the public key encoding).

 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub


@@ -417,7 +421,7 @@ The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
 .It Cm from="pattern-list"
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
 .It Cm from="pattern-list"

-Specifies that in addition to RSA authentication, the canonical name
+Specifies that in addition to public key authentication, the canonical name

 of the remote host must be present in the comma-separated list of
 patterns
 .Pf ( Ql *
 of the remote host must be present in the comma-separated list of
 patterns
 .Pf ( Ql *


@@ -429,7 +433,7 @@ patterns negated by prefixing them with
 .Ql ! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose
 .Ql ! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose

-of this option is to optionally increase security: RSA authentication
+of this option is to optionally increase security: public key authentication

 by itself does not trust the network or name servers or anything (but
 the key); however, if somebody somehow steals the key, the key
 permits an intruder to log in from anywhere in the world.
 by itself does not trust the network or name servers or anything (but
 the key); however, if somebody somehow steals the key, the key
 permits an intruder to log in from anywhere in the world.


@@ -447,7 +451,7 @@ one must not request a pty or should specify
 .Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
 This option might be useful
 .Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
 This option might be useful

-to restrict certain RSA keys to perform just a specific operation.
+to restrict certain public keys to perform just a specific operation.

 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP/IP and/or X11
 forwarding unless they are explicitly prohibited.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP/IP and/or X11
 forwarding unless they are explicitly prohibited.


@@ -458,6 +462,10 @@ logging in using this key.
 Environment variables set this way
 override other default environment values.
 Multiple options of this type are permitted.
 Environment variables set this way
 override other default environment values.
 Multiple options of this type are permitted.

+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.

 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.


@@ -578,6 +586,8 @@ These files are created using
 .Xr ssh-keygen 1 .
 .It Pa /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 .Xr ssh-keygen 1 .
 .It Pa /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".

+The file format is described in
+.Xr moduli 5 .

 .It Pa /var/empty
 .Xr chroot 2
 directory used by
 .It Pa /var/empty
 .Xr chroot 2
 directory used by


@@ -698,6 +708,10 @@ It can only contain empty lines, comment lines (that start with
 and assignment lines of the form name=value.
 The file should be writable
 only by the user; it need not be readable by anyone else.
 and assignment lines of the form name=value.
 The file should be writable
 only by the user; it need not be readable by anyone else.

+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.

 .It Pa $HOME/.ssh/rc
 If this file exists, it is run with /bin/sh after reading the
 environment files but before starting the user's shell or command.
 .It Pa $HOME/.ssh/rc
 If this file exists, it is run with /bin/sh after reading the
 environment files but before starting the user's shell or command.


@@ -723,12 +737,12 @@ something similar to:
 if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
                # X11UseLocalhost=yes
 if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
                # X11UseLocalhost=yes

-               xauth add unix:`echo $DISPLAY |
+               echo add unix:`echo $DISPLAY |

                    cut -c11-` $proto $cookie
        else
                # X11UseLocalhost=no
                    cut -c11-` $proto $cookie
        else
                # X11UseLocalhost=no

-               xauth add $DISPLAY $proto $cookie
-       fi
+               echo add $DISPLAY $proto $cookie
+       fi | xauth -q -

 fi
 .Ed
 .Pp
 fi
 .Ed
 .Pp