From 4b5e6c81cf6a398a1bc0d9e147cc78ee6dd2c243 Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 2 Jan 2006 12:38:00 +0000 Subject: [PATCH] - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2005/12/31 10:46:17 [ssh.1] merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER AUTHENTICATION" sections into "AUTHENTICATION"; some rewording done to make the text read better, plus some improvements from djm; ok djm --- ChangeLog | 8 +++++++ ssh.1 | 63 +++++++++++++++++++++++++++---------------------------- 2 files changed, 39 insertions(+), 32 deletions(-) diff --git a/ChangeLog b/ChangeLog index e831f3cc..41492581 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 20060102 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2005/12/31 10:46:17 + [ssh.1] + merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER + AUTHENTICATION" sections into "AUTHENTICATION"; + some rewording done to make the text read better, plus some + improvements from djm; + ok djm 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] diff --git a/ssh.1 b/ssh.1 index 5ce1cfe7..ce1eeb49 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -788,7 +788,36 @@ prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. -.Sh LOGIN SESSION AND REMOTE EXECUTION +.Pp +.Nm +automatically maintains and checks a database containing +identification for all hosts it has ever been used with. +Host keys are stored in +.Pa ~/.ssh/known_hosts +in the user's home directory. +Additionally, the file +.Pa /etc/ssh/ssh_known_hosts +is automatically checked for known hosts. +Any new hosts are automatically added to the user's file. +If a host's identification ever changes, +.Nm +warns about this and disables password authentication to prevent +server spoofing or man-in-the-middle attacks, +which could otherwise be used to circumvent the encryption. +The +.Cm StrictHostKeyChecking +option can be used to control logins to machines whose +host key is not known or has changed. +.Pp +.Nm +can be configured to verify host identification using fingerprint resource +records (SSHFP) published in DNS. +The +.Cm VerifyHostKeyDNS +option can be used to control how DNS lookups are performed. +SSHFP resource records can be generated using +.Xr ssh-keygen 1 . +.Pp When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. 
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. -.Sh SERVER AUTHENTICATION -.Nm -automatically maintains and checks a database containing -identifications for all hosts it has ever been used with. -Host keys are stored in -.Pa ~/.ssh/known_hosts -in the user's home directory. -Additionally, the file -.Pa /etc/ssh/ssh_known_hosts -is automatically checked for known hosts. -Any new hosts are automatically added to the user's file. -If a host's identification ever changes, -.Nm -warns about this and disables password authentication to prevent a -trojan horse from getting the user's password. -Another purpose of this mechanism is to prevent man-in-the-middle attacks -which could otherwise be used to circumvent the encryption. -The -.Cm StrictHostKeyChecking -option can be used to prevent logins to machines whose -host key is not known or has changed. -.Pp -.Nm -can be configured to verify host identification using fingerprint resource -records (SSHFP) published in DNS. -The -.Cm VerifyHostKeyDNS -option can be used to control how DNS lookups are performed. -SSHFP resource records can be generated using -.Xr ssh-keygen 1 . .Sh ENVIRONMENT .Nm will normally set the following environment variables: -- 2.45.2
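Review bot: in the AUTHENTICATION hunk (@@ -788,7 +788,36 @@) the moved paragraph changes "identifications for all hosts" to "identification for all hosts"; the plural agrees with "all hosts" and is what the removed SERVER AUTHENTICATION text had, so keep "identifications" unless the singular is deliberate. The same hunk replaces "to prevent a trojan horse from getting the user's password" with "to prevent server spoofing or man-in-the-middle attacks", which drops the concrete reason password authentication is disabled when a host key changes; consider keeping a clause such as "so that the password is not sent to a host whose identity cannot be confirmed" next to the new wording, since that is the property a reader of this section most needs to understand.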
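Review bot: the deletion in the last hunk (@@ -924,36 +953,6 @@) removes the "SERVER AUTHENTICATION" heading entirely, and the text is re-added under AUTHENTICATION with only the wording changes above, so the move itself is complete; what is not visible in this diff is whether any other part of ssh.1 or a sibling page still refers readers to a "SERVER AUTHENTICATION" section, so please grep the manual pages for that heading before merging, as such a cross-reference would now point at a section that no longer exists.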