X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d453005212bf82d3fb70d62815b72cce10a802b6..87d8648154e2be94ac235b79b0cd9b7ec8596b44:/sshd.8 diff --git a/sshd.8 b/sshd.8 index f614b8dc..8563e021 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.231 2006/07/10 12:46:52 dtucker Exp $ -.Dd September 25, 1999 +.\" $OpenBSD: sshd.8,v 1.249 2009/10/08 20:42:13 jmc Exp $ +.Dd $Mdocdate$ .Dt SSHD 8 .Os .Sh NAME @@ -44,8 +44,9 @@ .Sh SYNOPSIS .Nm sshd .Bk -words -.Op Fl 46Ddeiqt +.Op Fl 46DdeiqTt .Op Fl b Ar bits +.Op Fl C Ar connection_spec .Op Fl f Ar config_file .Op Fl g Ar login_grace_time .Op Fl h Ar host_key_file @@ -58,8 +59,11 @@ .Nm (OpenSSH Daemon) is the daemon program for .Xr ssh 1 . -Together these programs replace rlogin and rsh, and -provide secure encrypted communications between two untrusted hosts +Together these programs replace +.Xr rlogin 1 +and +.Xr rsh 1 , +and provide secure encrypted communications between two untrusted hosts over an insecure network. .Pp .Nm @@ -96,7 +100,25 @@ Forces to use IPv6 addresses only. .It Fl b Ar bits Specifies the number of bits in the ephemeral protocol version 1 -server key (default 768). +server key (default 1024). +.It Fl C Ar connection_spec +Specify the connection parameters to use for the +.Fl T +extended test mode. +If provided, any +.Cm Match +directives in the configuration file +that would apply to the specified user, host, and address will be set before +the configuration is written to standard output. +The connection parameters are supplied as keyword=value pairs. +The keywords are +.Dq user , +.Dq host , +and +.Dq addr . +All are required and may be supplied in any order, either with multiple +.Fl C +options or as a comma-separated list. .It Fl D When this option is specified, .Nm @@ -117,7 +139,7 @@ Maximum is 3. When this option is specified, .Nm will send the output to the standard error instead of the system log. -.It Fl f Ar configuration_file +.It Fl f Ar config_file Specifies the name of the configuration file. The default is .Pa /etc/ssh/sshd_config . @@ -188,6 +210,15 @@ Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged. +.It Fl T +Extended test mode. +Check the validity of the configuration file, output the effective configuration +to stdout and then exit. +Optionally, +.Cm Match +rules may be applied by specifying the connection parameters using one or more +.Fl C +options. .It Fl t Test mode. Only check the validity of the configuration file and sanity of the keys. @@ -229,7 +260,7 @@ or .El .Sh AUTHENTICATION The OpenSSH SSH daemon supports SSH protocols 1 and 2. -Both protocols are supported by default, +The default is to use protocol 2 only, though this can be changed via the .Cm Protocol option in @@ -273,7 +304,7 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-sha1 or hmac-md5). +(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). .Pp Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using @@ -299,8 +330,9 @@ on Tru64, a leading .Ql \&*LOCKED\&* on FreeBSD and a leading -.Ql \&!! -on Linux). If there is a requirement to disable password authentication +.Ql \&! +on most Linuxes). +If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg .Ql NP @@ -481,6 +513,9 @@ to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. Note that this option applies to shell, command or subsystem execution. .It Cm environment="NAME=value" Specifies that the string is to be added to the environment when @@ -496,23 +531,27 @@ This option is automatically disabled if .Cm UseLogin is enabled. .It Cm from="pattern-list" -Specifies that in addition to public key authentication, the canonical name -of the remote host must be present in the comma-separated list of -patterns. -The purpose -of this option is to optionally increase security: public key authentication -by itself does not trust the network or name servers or anything (but -the key); however, if somebody somehow steals the key, the key -permits an intruder to log in from anywhere in the world. -This additional option makes using a stolen key more difficult (name -servers and/or routers would have to be compromised in addition to -just the key). -.Pp +Specifies that in addition to public key authentication, either the canonical +name of the remote host or its IP address must be present in the +comma-separated list of patterns. See .Sx PATTERNS in .Xr ssh_config 5 for more information on patterns. +.Pp +In addition to the wildcard matching that may be applied to hostnames or +addresses, a +.Cm from +stanza may match IP addresses using CIDR address/masklen notation. +.Pp +The purpose of this option is to optionally increase security: public key +authentication by itself does not trust the network or name servers or +anything (but the key); however, if somebody somehow steals the key, the key +permits an intruder to log in from anywhere in the world. +This additional option makes using a stolen key more difficult (name +servers and/or routers would have to be compromised in addition to +just the key). .It Cm no-agent-forwarding Forbids authentication agent forwarding when this key is used for authentication. @@ -524,6 +563,9 @@ This might be used, e.g. in connection with the option. .It Cm no-pty Prevents tty allocation (a request to allocate a pty will fail). +.It Cm no-user-rc +Disables execution of +.Pa ~/.ssh/rc . .It Cm no-X11-forwarding Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error. @@ -594,7 +636,7 @@ and .Ql \&] brackets then followed by .Ql \&: -and and a non-standard port number. +and a non-standard port number. .Pp Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. @@ -675,12 +717,31 @@ This file is used in exactly the same way as but allows host-based authentication without permitting login with rlogin/rsh. .Pp +.It ~/.ssh/ +This directory is the default location for all user-specific configuration +and authentication information. +There is no general requirement to keep the entire contents of this directory +secret, but the recommended permissions are read/write/execute for the user, +and not accessible by others. +.Pp .It ~/.ssh/authorized_keys Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described above. -This file is not highly sensitive, but the recommended +The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .Pp +If this file, the +.Pa ~/.ssh +directory, or the user's home directory are writable +by other users, then the file could be modified or replaced by unauthorized +users. +In this case, +.Nm +will not allow it to be used unless the +.Cm StrictModes +option has been set to +.Dq no . +.Pp .It ~/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with @@ -741,15 +802,6 @@ This file is used in exactly the same way as but allows host-based authentication without permitting login with rlogin/rsh. .Pp -.It /etc/ssh/ssh_known_hosts -Systemwide list of known host keys. -This file should be prepared by the -system administrator to contain the public host keys of all machines in the -organization. -The format of this file is described above. -This file should be writable only by root/the owner and -should be world-readable. -.Pp .It /etc/ssh/ssh_host_key .It /etc/ssh/ssh_host_dsa_key .It /etc/ssh/ssh_host_rsa_key @@ -773,6 +825,15 @@ the user so their contents can be copied to known hosts files. These files are created using .Xr ssh-keygen 1 . .Pp +.It /etc/ssh/ssh_known_hosts +Systemwide list of known host keys. +This file should be prepared by the +system administrator to contain the public host keys of all machines in the +organization. +The format of this file is described above. +This file should be writable only by root/the owner and +should be world-readable. +.Pp .It /etc/ssh/sshd_config Contains configuration data for .Nm sshd . @@ -809,6 +870,7 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , +.Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , .Xr login.conf 5 ,