- stevesk@cvs.openbsd.org 2001/09/03 20:58:33
[readconf.c readconf.h ssh.c]
fatal() for nonexistent -Fssh_config. ok markus@
+ - deraadt@cvs.openbsd.org 2001/09/05 06:23:07
+ [scp.1 sftp.1 ssh.1 ssh-agent.1 sshd.8 ssh-keygen.1 ssh-keyscan.1]
+ avoid first person in manual pages
20010815
- (bal) Fixed stray code in readconf.c that went in by mistake.
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.17 2001/08/14 17:54:29 stevesk Exp $
+.\" $OpenBSD: scp.1,v 1.18 2001/09/05 06:23:07 deraadt Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
configuration file. This is useful for specifying options
for which there is no separate
.Nm scp
-command-line flag. For example, to force the use of protocol
-version 1 you may specify
+command-line flag. For example, forcing the use of protocol
+version 1 is specified using
.Ic scp -oProtocol=1 .
.It Fl 4
Forces
-.\" $OpenBSD: sftp.1,v 1.23 2001/08/14 17:54:29 stevesk Exp $
+.\" $OpenBSD: sftp.1,v 1.24 2001/09/05 06:23:07 deraadt Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
configuration file. This is useful for specifying options
for which there is no separate
.Nm sftp
-command-line flag. For example, to force the use of protocol
-version 1 you may specify
+command-line flag. For example, forcing the use of protocol
+version 1 is specified using
.Ic sftp -oProtocol=1 .
.It Fl v
Raise logging level. This option is also passed to ssh.
-.\" $OpenBSD: ssh-agent.1,v 1.27 2001/08/23 18:02:48 stevesk Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.28 2001/09/05 06:23:07 deraadt Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
identities anywhere in the network in a secure way.
.Pp
There are two main ways to get an agent setup:
-Either you let the agent
-start a new subcommand into which some environment variables are exported, or
-you let the agent print the needed shell commands (either
+Either the agent starts a new subcommand into which some environment
+variables are exported, or the agent prints the needed shell commands
+(either
.Xr sh 1
or
.Xr csh 1
-.\" $OpenBSD: ssh-keygen.1,v 1.48 2001/08/02 15:07:23 jakob Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.49 2001/09/05 06:23:07 deraadt Exp $
.\"
.\" -*- nroff -*-
.\"
defaults to generating a RSA1 key for use by SSH protocol version 1.
Specifying the
.Fl t
-option allows you to create a key for use by SSH protocol version 2.
+option instead creates a key for use by SSH protocol version 2.
.Pp
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
.Pp
There is no way to recover a lost passphrase.
If the passphrase is
-lost or forgotten, you will have to generate a new key and copy the
+lost or forgotten, a new key must be generated and copied to the
corresponding public key to other machines.
.Pp
For RSA1 keys,
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using RSA authentication.
+where the user wishes to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using public key authentication.
+where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using public key authentication.
+where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.El
.Sh AUTHORS
-.\" $OpenBSD: ssh-keyscan.1,v 1.11 2001/08/23 18:08:59 stevesk Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.12 2001/09/05 06:23:07 deraadt Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient. The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh. You do not need login access to the
-machines you are scanning, nor does the scanning process involve
-any encryption.
+hosts are down or do not run ssh. For scanning, one does not need
+login access to the machines that are being scanned, nor does the
+scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
to use IPv6 addresses only.
.El
.Sh SECURITY
-If you make an ssh_known_hosts file using
+If a ssh_known_hosts file is constructed using
.Nm
-without verifying the keys, you will be vulnerable to
+without verifying the keys, users will be vulnerable to
.I man in the middle
attacks.
-On the other hand, if your security model allows such a risk,
+On the other hand, if the security model allows such a risk,
.Nm
-can help you detect tampered keyfiles or man in the middle attacks which
-have begun after you created your ssh_known_hosts file.
+can help in the detection of tampered keyfiles or man in the middle
+attacks which have begun after the ssh_known_hosts file was created.
.Sh EXAMPLES
.Pp
Print the
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.136 2001/08/30 16:04:35 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.137 2001/09/05 06:23:07 deraadt Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
option.)
.It Fl N
Do not execute a remote command.
-This is useful if you just want to forward ports
+This is useful for just forwarding ports
(protocol version 2 only).
.It Fl o Ar option
Can be used to give options in the format used in the configuration file.
per-host basis in the configuration file.
.It Fl P
Use a non-privileged port for outgoing connections.
-This can be used if your firewall does
+This can be used if a firewall does
not permit connections from privileged ports.
Note that this option turns off
.Cm RhostsAuthentication
If set to
.Dq yes ,
passphrase/password querying will be disabled.
-This option is useful in scripts and other batch jobs where you have no
-user to supply the password.
+This option is useful in scripts and other batch jobs where no user
+is present to supply the password.
The argument must be
.Dq yes
or
real host name when looking up or saving the host key
in the host key database files.
This option is useful for tunneling ssh connections
-or if you have multiple servers running on a single host.
+or for multiple servers running on a single host.
.It Cm HostName
Specifies the real host name to log into.
This can be used to specify nicknames or abbreviations for hosts.
will never automatically add host keys to the
.Pa $HOME/.ssh/known_hosts
file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks.
-However, it can be somewhat annoying if you don't have good
+This provides maximum protection against trojan horse attacks,
+however, can be annoying when the
.Pa /etc/ssh_known_hosts
-files installed and frequently
-connect to new hosts.
+file is poorly maintained, or connections to new hosts are
+frequently made.
This option forces the user to manually
add all new hosts.
If this flag is set to
.Dq no .
The default is
.Dq no .
-Note that you need to set this option to
+Note that this option must be set to
.Dq yes
-if you want to use
+if
.Cm RhostsAuthentication
and
.Cm RhostsRSAAuthentication
-with older servers.
+authentications are needed with older servers.
.It Cm User
Specifies the user to log in as.
-This can be useful if you have a different user name on different machines.
+This can be useful when a different user name is used on different machines.
This saves the trouble of
having to remember to give the user name on the command line.
.It Cm UserKnownHostsFile
file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using protocol version 1 RSA authentication.
+where the user wishes to log in using protocol version 1 RSA authentication.
The contents of the
.Pa $HOME/.ssh/id_dsa.pub
and
file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
-where you wish to log in using protocol version 2 DSA/RSA authentication.
+where the user wishes to log in using protocol version 2 DSA/RSA authentication.
These files are not
sensitive and can (but need not) be readable by anyone.
These files are
.Xr sshd 8
will be installed so that it requires successful RSA host
authentication before permitting \s+2.\s0rhosts authentication.
-If your server machine does not have the client's host key in
+If the server machine does not have the client's host key in
.Pa /etc/ssh_known_hosts ,
-you can store it in
+it can be stored in
.Pa $HOME/.ssh/known_hosts .
The easiest way to do this is to
connect back to the client from the server machine using ssh; this
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.146 2001/08/30 20:36:34 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.147 2001/09/05 06:23:07 deraadt Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
.Ql ?
can be used as
wildcards in the patterns.
-Only group names are valid; a numerical group ID isn't recognized.
+Only group names are valid; a numerical group ID is not recognized.
By default login is allowed regardless of the group list.
.Pp
.It Cm AllowTcpForwarding
.Ql ?
can be used as
wildcards in the patterns.
-Only user names are valid; a numerical user ID isn't recognized.
+Only user names are valid; a numerical user ID is not recognized.
By default login is allowed regardless of the user name.
If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, allowing you to restrict logins to particular
+are separately checked, restricting logins to particular
users from particular hosts.
.Pp
.It Cm AuthorizedKeysFile
encrypted channel and therefore will not be spoofable. The TCP keepalive
option enabled by
.Cm Keepalive
-is spoofable. You want to use the client
-alive mechanism when you are basing something important on
-clients having an active connection to the server.
+is spoofable. The client alive mechanism is valuable when the client or
+server depend on knowing when a connection has become inactive.
.Pp
-The default value is 3. If you set
+The default value is 3. If
.Cm ClientAliveInterval
-(above) to 15, and leave this value at the default, unresponsive ssh clients
+(above) is set to 15, and
+.Cm Keepalive is left at the default, unresponsive ssh clients
will be disconnected after approximately 45 seconds.
.It Cm DenyGroups
This keyword can be followed by a number of group names, separated
.Ql ?
can be used as
wildcards in the patterns.
-Only group names are valid; a numerical group ID isn't recognized.
+Only group names are valid; a numerical group ID is not recognized.
By default login is allowed regardless of the group list.
.Pp
.It Cm DenyUsers
and
.Ql ?
can be used as wildcards in the patterns.
-Only user names are valid; a numerical user ID isn't recognized.
+Only user names are valid; a numerical user ID is not recognized.
By default login is allowed regardless of the user name.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
The command supplied by the user (if any) is ignored.
The command is run on a pty if the connection requests a pty;
otherwise it is run without a tty.
-Note that if you want a 8-bit clean channel,
-you must not request a pty or should specify
+If a 8-bit clean channel is required,
+one must not request a pty or should specify
.Cm no-pty .
A quote may be included in the command by quoting it with a backslash.
This option might be useful
andersk / openssh.git / commitdiff
