[openssh.git] / ssh-keysign.8

.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate$
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
.Nm ssh-keysign
.Nd ssh helper program for host-based authentication
.Sh SYNOPSIS
.Nm
.Sh DESCRIPTION
.Nm
is used by
.Xr ssh 1
to access the local host keys and generate the digital signature
required during host-based authentication with SSH protocol version 2.
.Pp
.Nm
is disabled by default and can only be enabled in the
global client configuration file
.Pa /etc/ssh/ssh_config
by setting
.Cm EnableSSHKeysign
to
.Dq yes .
.Pp
.Nm
is not intended to be invoked by the user, but from
.Xr ssh 1 .
See
.Xr ssh 1
and
.Xr sshd 8
for more information about host-based authentication.
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/ssh_config
Controls whether
.Nm
is enabled.
.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature.
They should be owned by root, readable only by root, and not
accessible to others.
Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh_config 5 ,
.Xr sshd 8
.Sh HISTORY
.Nm
first appeared in
.Ox 3.2 .
.Sh AUTHORS
.An Markus Friedl Aq markus@openbsd.org
Commit	Line	Data
e473dcd1	1	.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
39c00dc2	2	.\"
	3	.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
	4	.\"
	5	.\" Redistribution and use in source and binary forms, with or without
	6	.\" modification, are permitted provided that the following conditions
	7	.\" are met:
	8	.\" 1. Redistributions of source code must retain the above copyright
	9	.\" notice, this list of conditions and the following disclaimer.
	10	.\" 2. Redistributions in binary form must reproduce the above copyright
	11	.\" notice, this list of conditions and the following disclaimer in the
	12	.\" documentation and/or other materials provided with the distribution.
	13	.\"
	14	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	.\"
e473dcd1	25	.Dd $Mdocdate$
39c00dc2	26	.Dt SSH-KEYSIGN 8
	27	.Os
	28	.Sh NAME
	29	.Nm ssh-keysign
340a4caf	30	.Nd ssh helper program for host-based authentication
39c00dc2	31	.Sh SYNOPSIS
9cf07a6e	32	.Nm
39c00dc2	33	.Sh DESCRIPTION
	34	.Nm
	35	is used by
	36	.Xr ssh 1
9cf07a6e	37	to access the local host keys and generate the digital signature
340a4caf	38	required during host-based authentication with SSH protocol version 2.
60cd0a97	39	.Pp
	40	.Nm
	41	is disabled by default and can only be enabled in the
eef52fa7	42	global client configuration file
60cd0a97	43	.Pa /etc/ssh/ssh_config
60cd0a97	44	by setting
cc46e2ee	45	.Cm EnableSSHKeysign
60cd0a97	46	to
	47	.Dq yes .
	48	.Pp
39c00dc2	49	.Nm
	50	is not intended to be invoked by the user, but from
	51	.Xr ssh 1 .
	52	See
	53	.Xr ssh 1
	54	and
	55	.Xr sshd 8
340a4caf	56	for more information about host-based authentication.
9cf07a6e	57	.Sh FILES
9cf07a6e	58	.Bl -tag -width Ds
60cd0a97	59	.It Pa /etc/ssh/ssh_config
	60	Controls whether
	61	.Nm
	62	is enabled.
9cf07a6e	63	.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
9cf07a6e	64	These files contain the private parts of the host keys used to
a4e5acef	65	generate the digital signature.
a4e5acef	66	They should be owned by root, readable only by root, and not
9cf07a6e	67	accessible to others.
	68	Since they are readable only by root,
	69	.Nm
340a4caf	70	must be set-uid root if host-based authentication is used.
9cf07a6e	71	.El
39c00dc2	72	.Sh SEE ALSO
39c00dc2	73	.Xr ssh 1 ,
9cf07a6e	74	.Xr ssh-keygen 1 ,
60cd0a97	75	.Xr ssh_config 5 ,
39c00dc2	76	.Xr sshd 8
39c00dc2	77	.Sh HISTORY
	78	.Nm
	79	first appeared in
	80	.Ox 3.2 .
be193d89	81	.Sh AUTHORS
be193d89	82	.An Markus Friedl Aq markus@openbsd.org