- jmc@cvs.openbsd.org 2006/02/13 11:27:25

     [sshd.8]
     sort FILES and use a -compact list;

diff --git a/ChangeLog b/ChangeLog
index 68acc5442d2c1acb5c0f20fc19f3bf7c90415f28..f5659a2b68207e3f743b36f9fde848c2740aed86 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -104,6 +104,9 @@
      [sshd.8]
      - avoid nasty line split
      - `*' does not need to be escaped
      [sshd.8]
      - avoid nasty line split
      - `*' does not need to be escaped

+   - jmc@cvs.openbsd.org 2006/02/13 11:27:25
+     [sshd.8]
+     sort FILES and use a -compact list;

 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)

diff --git a/sshd.8 b/sshd.8
index 0ad133d0d9a2c39af608be172a5ac00f5a1e783d..e56b422a66dcff6b113347645ae256dcaa08a252 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: sshd.8,v 1.222 2006/02/13 11:08:43 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.223 2006/02/13 11:27:25 jmc Exp $

 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os


@@ -591,77 +591,8 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
 AAAA1234.....=
 .Ed
 .Sh FILES
 AAAA1234.....=
 .Ed
 .Sh FILES

-.Bl -tag -width Ds
-.It Pa /etc/ssh/sshd_config
-Contains configuration data for
-.Nm sshd .
-The file format and configuration options are described in
-.Xr sshd_config 5 .
-.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys.
-These files should only be owned by root, readable only by root, and not
-accessible to others.
-Note that
-.Nm
-does not start if this file is group/world-accessible.
-.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
-These three files contain the public parts of the host keys.
-These files should be world-readable but writable only by
-root.
-Their contents should match the respective private parts.
-These files are not
-really used for anything; they are provided for the convenience of
-the user so their contents can be copied to known hosts files.
-These files are created using
-.Xr ssh-keygen 1 .
-.It Pa /etc/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
-The file format is described in
-.Xr moduli 5 .
-.It Pa /var/empty
-.Xr chroot 2
-directory used by
-.Nm
-during privilege separation in the pre-authentication phase.
-The directory should not contain any files and must be owned by root
-and not group or world-writable.
-.It Pa /var/run/sshd.pid
-Contains the process ID of the
-.Nm
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the process ID of the one
-started last).
-The content of this file is not sensitive; it can be world-readable.
-.It Pa ~/.ssh/authorized_keys
-Lists the public keys (RSA or DSA) that can be used to log into the user's account.
-This file must be readable by root (which may on some machines imply
-it being world-readable if the user's home directory resides on an NFS
-volume).
-It is recommended that it not be accessible by others.
-The format of this file is described above.
-Users will place the contents of their
-.Pa identity.pub ,
-.Pa id_dsa.pub
-and/or
-.Pa id_rsa.pub
-files into this file, as described in
-.Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
-These files are consulted when using rhosts with RSA host
-authentication or protocol version 2 hostbased authentication
-to check the public key of the host.
-The key must be listed in one of these files to be accepted.
-The client uses the same files
-to verify that it is connecting to the correct remote host.
-These files should be writable only by root/the owner.
-.Pa /etc/ssh/ssh_known_hosts
-should be world-readable, and
-.Pa ~/.ssh/known_hosts
-can, but need not be, world-readable.
-.It Pa /etc/motd
-See
-.Xr motd 5 .
-.It Pa ~/.hushlogin
+.Bl -tag -width Ds -compact
+.It ~/.hushlogin

 This file is used to suppress printing the last login time and
 .Pa /etc/motd ,
 if
 This file is used to suppress printing the last login time and
 .Pa /etc/motd ,
 if


@@ -672,19 +603,8 @@ respectively,
 are enabled.
 It does not suppress printing of the banner specified by
 .Cm Banner .
 are enabled.
 It does not suppress printing of the banner specified by
 .Cm Banner .

-.It Pa /etc/nologin
-If this file exists,
-.Nm
-refuses to let anyone except root log in.
-The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.
-The file should be world-readable.
-.It Pa /etc/hosts.allow, /etc/hosts.deny
-Access controls that should be enforced by tcp-wrappers are defined here.
-Further details are described in
-.Xr hosts_access 5 .
-.It Pa ~/.rhosts
+.Pp
+.It ~/.rhosts

 This file is used during
 .Cm RhostsRSAAuthentication
 and
 This file is used during
 .Cm RhostsRSAAuthentication
 and


@@ -702,56 +622,30 @@ It is also possible to use netgroups in the file.
 Either host or user
 name may be of the form +@groupname to specify all hosts or all users
 in the group.
 Either host or user
 name may be of the form +@groupname to specify all hosts or all users
 in the group.

-.It Pa ~/.shosts
+.Pp
+.It ~/.shosts

 For ssh,
 this file is exactly the same as for
 .Pa .rhosts .
 However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 For ssh,
 this file is exactly the same as for
 .Pa .rhosts .
 However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.

-.It Pa /etc/hosts.equiv
-This file is used during
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication.
-In the simplest form, this file contains host names, one per line.
-Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.
-The host name may also be
-followed by a user name; such users are permitted to log in as
-.Em any
-user on this machine (except root).
-Additionally, the syntax
-.Dq +@group
-can be used to specify netgroups.
-Negated entries start with
-.Ql \&- .
-.Pp
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.
-Additionally, successful client host key authentication is required.
-This file must be writable only by root; it is recommended
-that it be world-readable.

 .Pp
 .Pp

-.Sy "Warning: It is almost never a good idea to use user names in"
-.Pa hosts.equiv .
-Beware that it really means that the named user(s) can log in as
-.Em anybody ,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.
-Using a user name practically grants the user root access.
-The only valid use for user names that I can think
-of is in negative entries.
+.It ~/.ssh/authorized_keys
+Lists the public keys (RSA or DSA) that can be used to log into the user's account.
+This file must be readable by root (which may on some machines imply
+it being world-readable if the user's home directory resides on an NFS
+volume).
+It is recommended that it not be accessible by others.
+The format of this file is described above.
+Users will place the contents of their
+.Pa identity.pub ,
+.Pa id_dsa.pub
+and/or
+.Pa id_rsa.pub
+files into this file, as described in
+.Xr ssh-keygen 1 .

 .Pp
 .Pp

-Note that this warning also applies to rsh/rlogin.
-.It Pa /etc/shosts.equiv
-This is processed exactly as
-.Pa /etc/hosts.equiv .
-However, this file may be useful in environments that want to run both
-rsh/rlogin and ssh.
-.It Pa ~/.ssh/environment
+.It ~/.ssh/environment

 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
 .Ql # ) ,
 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
 .Ql # ) ,


@@ -762,7 +656,22 @@ Environment processing is disabled by default and is
 controlled via the
 .Cm PermitUserEnvironment
 option.
 controlled via the
 .Cm PermitUserEnvironment
 option.

-.It Pa ~/.ssh/rc
+.Pp
+.It ~/.ssh/known_hosts
+.It /etc/ssh/ssh_known_hosts
+These files are consulted when using rhosts with RSA host
+authentication or protocol version 2 hostbased authentication
+to check the public key of the host.
+The key must be listed in one of these files to be accepted.
+The client uses the same files
+to verify that it is connecting to the correct remote host.
+These files should be writable only by root/the owner.
+.Pa /etc/ssh/ssh_known_hosts
+should be world-readable, and
+.Pa ~/.ssh/known_hosts
+can, but need not be, world-readable.
+.Pp
+.It ~/.ssh/rc

 If this file exists, it is run with
 .Pa /bin/sh
 after reading the
 If this file exists, it is run with
 .Pa /bin/sh
 after reading the


@@ -805,12 +714,127 @@ does not exist either, xauth is used to add the cookie.
 .Pp
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
 This file should be writable only by the user, and need not be
 readable by anyone else.

-.It Pa /etc/ssh/sshrc
+.Pp
+.It /etc/hosts.allow
+.It /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
+.It /etc/hosts.equiv
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+authentication.
+In the simplest form, this file contains host names, one per line.
+Users on
+those hosts are permitted to log in without a password, provided they
+have the same user name on both machines.
+The host name may also be
+followed by a user name; such users are permitted to log in as
+.Em any
+user on this machine (except root).
+Additionally, the syntax
+.Dq +@group
+can be used to specify netgroups.
+Negated entries start with
+.Ql \&- .
+.Pp
+If the client host/user is successfully matched in this file, login is
+automatically permitted provided the client and server user names are the
+same.
+Additionally, successful client host key authentication is required.
+This file must be writable only by root; it is recommended
+that it be world-readable.
+.Pp
+.Sy "Warning: It is almost never a good idea to use user names in"
+.Pa hosts.equiv .
+Beware that it really means that the named user(s) can log in as
+.Em anybody ,
+which includes bin, daemon, adm, and other accounts that own critical
+binaries and directories.
+Using a user name practically grants the user root access.
+The only valid use for user names that I can think
+of is in negative entries.
+.Pp
+Note that this warning also applies to rsh/rlogin.
+.Pp
+.It /etc/moduli
+Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+The file format is described in
+.Xr moduli 5 .
+.Pp
+.It /etc/motd
+See
+.Xr motd 5 .
+.Pp
+.It /etc/nologin
+If this file exists,
+.Nm
+refuses to let anyone except root log in.
+The contents of the file
+are displayed to anyone trying to log in, and non-root connections are
+refused.
+The file should be world-readable.
+.Pp
+.It /etc/shosts.equiv
+This is processed exactly as
+.Pa /etc/hosts.equiv .
+However, this file may be useful in environments that want to run both
+rsh/rlogin and ssh.
+.Pp
+.It /etc/ssh/ssh_host_key
+.It /etc/ssh/ssh_host_dsa_key
+.It /etc/ssh/ssh_host_rsa_key
+These three files contain the private parts of the host keys.
+These files should only be owned by root, readable only by root, and not
+accessible to others.
+Note that
+.Nm
+does not start if this file is group/world-accessible.
+.Pp
+.It /etc/ssh/ssh_host_key.pub
+.It /etc/ssh/ssh_host_dsa_key.pub
+.It /etc/ssh/ssh_host_rsa_key.pub
+These three files contain the public parts of the host keys.
+These files should be world-readable but writable only by
+root.
+Their contents should match the respective private parts.
+These files are not
+really used for anything; they are provided for the convenience of
+the user so their contents can be copied to known hosts files.
+These files are created using
+.Xr ssh-keygen 1 .
+.Pp
+.It /etc/ssh/sshd_config
+Contains configuration data for
+.Nm sshd .
+The file format and configuration options are described in
+.Xr sshd_config 5 .
+.Pp
+.It /etc/ssh/sshrc

 Like
 .Pa ~/.ssh/rc .
 This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 Like
 .Pa ~/.ssh/rc .
 This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.

+.Pp
+.It /var/empty
+.Xr chroot 2
+directory used by
+.Nm
+during privilege separation in the pre-authentication phase.
+The directory should not contain any files and must be owned by root
+and not group or world-writable.
+.Pp
+.It /var/run/sshd.pid
+Contains the process ID of the
+.Nm
+listening for connections (if there are several daemons running
+concurrently for different ports, this contains the process ID of the one
+started last).
+The content of this file is not sensitive; it can be world-readable.

 .El
 .Sh SEE ALSO
 .Xr scp 1 ,
 .El
 .Sh SEE ALSO
 .Xr scp 1 ,