-.\" $OpenBSD: ssh-keysign.8,v 1.1 2002/05/25 08:16:59 markus Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd May 24, 2002
+.Dd $Mdocdate$
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
.Nm ssh-keysign
-.Nd ssh helper program for hostbased authentication
+.Nd ssh helper program for host-based authentication
.Sh SYNOPSIS
-.Nm ssh-keysign
+.Nm
.Sh DESCRIPTION
.Nm
is used by
.Xr ssh 1
-to access the local host keys during hostbased authentication with
-SSH protocol version 2.
-Since the host keys are readable only by root
+to access the local host keys and generate the digital signature
+required during host-based authentication with SSH protocol version 2.
+.Pp
.Nm
-must be setuid root.
+is disabled by default and can only be enabled in the
+global client configuration file
+.Pa /etc/ssh/ssh_config
+by setting
+.Cm EnableSSHKeysign
+to
+.Dq yes .
+.Pp
.Nm
is not intended to be invoked by the user, but from
.Xr ssh 1 .
.Xr ssh 1
and
.Xr sshd 8
-for more information about hostbased authentication.
+for more information about host-based authentication.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa /etc/ssh/ssh_config
+Controls whether
+.Nm
+is enabled.
+.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
+These files contain the private parts of the host keys used to
+generate the digital signature.
+They should be owned by root, readable only by root, and not
+accessible to others.
+Since they are readable only by root,
+.Nm
+must be set-uid root if host-based authentication is used.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
+.Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
.Xr sshd 8
-.Sh AUTHORS
-Markus Friedl <markus@openbsd.org>
.Sh HISTORY
.Nm
first appeared in
.Ox 3.2 .
+.Sh AUTHORS
+.An Markus Friedl Aq markus@openbsd.org
andersk / openssh.git / blobdiff