X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/98143cfc9a9eb27ec628c971fd19845f1740bedb..f49bc4f73e5ce327cdd3b4a84760ed58950f063b:/ssh.1 diff --git a/ssh.1 b/ssh.1 index d93b114c..94a22f1e 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.109 2001/05/04 14:21:55 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.116 2001/06/23 02:34:31 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -224,7 +224,7 @@ or .Pa $HOME/.ssh/id_rsa , to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in -.Pa $HOME/.ssh/authorized_keys2 +.Pa $HOME/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. @@ -304,7 +304,16 @@ and if the peer supports it) .Pp .Ss X11 and TCP forwarding .Pp -If the user is using X11 (the +If the +.Cm ForwardX11 +variable is set to +.Dq yes +(or, see the description of the +.Fl X +and +.Fl x +options described later) +and the user is using X11 (the .Ev DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 @@ -352,17 +361,12 @@ electronic purse; another is going through firewalls. .Nm automatically maintains and checks a database containing identifications for all hosts it has ever been used with. -RSA host keys are stored in +Host keys are stored in .Pa $HOME/.ssh/known_hosts -and -host keys used in the protocol version 2 are stored in -.Pa $HOME/.ssh/known_hosts2 in the user's home directory. -Additionally, the files +Additionally, the file .Pa /etc/ssh_known_hosts -and -.Pa /etc/ssh_known_hosts2 -are automatically checked for known hosts. +is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, @@ -788,13 +792,9 @@ or The default is .Dq no . .It Cm GlobalKnownHostsFile -Specifies a file to use for the protocol version 1 global +Specifies a file to use for the global host key database instead of .Pa /etc/ssh_known_hosts . -.It Cm GlobalKnownHostsFile2 -Specifies a file to use for the protocol version 2 global -host key database instead of -.Pa /etc/ssh_known_hosts2 . .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. @@ -803,7 +803,7 @@ The argument must be or .Dq no . The default is -.Dq yes . +.Dq no . This option applies to protocol version 2 only and is similar to .Cm RhostsRSAAuthentication . @@ -889,11 +889,7 @@ The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is -.Pp -.Bd -literal - ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, - hmac-sha1-96,hmac-md5-96'' -.Ed +.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. @@ -916,7 +912,7 @@ authentication methods. This allows a client to prefer one method (e.g. over another method (e.g. .Cm password ) The default for this option is: -.Dq publickey, password, keyboard-interactive +.Dq publickey,hostbased,password,keyboard-interactive .It Cm Protocol Specifies the protocol versions .Nm @@ -984,7 +980,7 @@ authentication time on slow connections when rhosts authentication is not used. Most servers do not permit RhostsAuthentication because it is not secure (see -.Cm RhostsRSAAuthentication ). +.Cm RhostsRSAAuthentication ) . The argument to this keyword must be .Dq yes or @@ -1031,14 +1027,10 @@ If this flag is set to .Nm will never automatically add host keys to the .Pa $HOME/.ssh/known_hosts -and -.Pa $HOME/.ssh/known_hosts2 -files, and refuses to connect to hosts whose host key has changed. +file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks. However, it can be somewhat annoying if you don't have good .Pa /etc/ssh_known_hosts -and -.Pa /etc/ssh_known_hosts2 files installed and frequently connect to new hosts. This option forces the user to manually @@ -1085,13 +1077,9 @@ This can be useful if you have a different user name on different machines. This saves the trouble of having to remember to give the user name on the command line. .It Cm UserKnownHostsFile -Specifies a file to use for the protocol version 1 user +Specifies a file to use for the user host key database instead of .Pa $HOME/.ssh/known_hosts . -.It Cm UserKnownHostsFile2 -Specifies a file to use for the protocol version 2 user -host key database instead of -.Pa $HOME/.ssh/known_hosts2 . .It Cm UseRsh Specifies that rlogin/rsh should be used for this host. It is possible that the host does not at all support the @@ -1184,13 +1172,10 @@ and adds lines of the format to the environment. .Sh FILES .Bl -tag -width Ds -.It Pa $HOME/.ssh/known_hosts, $HOME/.ssh/known_hosts2 +.It Pa $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into (that are not in -.Pa /etc/ssh_known_hosts -for protocol version 1 or -.Pa /etc/ssh_known_hosts2 -for protocol version 2). +.Pa /etc/ssh_known_hosts . See .Xr sshd 8 . .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa @@ -1219,7 +1204,7 @@ The contents of the and .Pa $HOME/.ssh/id_rsa.pub file should be added to -.Pa $HOME/.ssh/authorized_keys2 +.Pa $HOME/.ssh/authorized_keys on all machines where you wish to log in using protocol version 2 DSA/RSA authentication. These files are not @@ -1237,34 +1222,23 @@ This file does not usually contain any sensitive information, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa $HOME/.ssh/authorized_keys -Lists the RSA keys that can be used for logging in as this user. +Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. In the simplest form the format is the same as the .pub -identity files (that is, each line contains the number of bits in -modulus, public exponent, modulus, and comment fields, separated by -spaces). +identity files. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. -.It Pa $HOME/.ssh/authorized_keys2 -Lists the public keys (RSA/DSA) that can be used for logging in as this user. -This file is not highly sensitive, but the recommended -permissions are read/write for the user, and not accessible by others. -.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2 +.It Pa /etc/ssh_known_hosts Systemwide list of known host keys. -.Pa /etc/ssh_known_hosts -contains RSA and -.Pa /etc/ssh_known_hosts2 -contains RSA or DSA keys for protocol version 2. -These files should be prepared by the +This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. This file should be world-readable. This file contains public keys, one per line, in the following format (fields separated -by spaces): system name, number of bits in modulus, public exponent, -modulus, and optional comment field. +by spaces): system name, public key and optional comment field. When different names are used for the same machine, all such names should be listed, separated by commas.