diff --git a/ChangeLog b/ChangeLog index 27bdea89a..46fcf667a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -123,6 +123,9 @@ [sshd.8] move the sshrc stuff out of FILES, and into its own section: FILES is not a good place to document how stuff works; + - jmc@cvs.openbsd.org 2006/02/19 20:02:17 + [sshd.8] + sync the (s)hosts.equiv FILES entries w/ those from ssh.1; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4024,4 +4027,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4174 2006/03/15 00:35:54 djm Exp $ +$Id: ChangeLog,v 1.4175 2006/03/15 00:36:18 djm Exp $ diff --git a/sshd.8 b/sshd.8 index 6df9d8aab..24c149975 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.226 2006/02/19 19:52:10 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.227 2006/02/19 20:02:17 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os 
@@ -708,43 +708,9 @@ Further details are described in .Xr hosts_access 5 . .Pp .It /etc/hosts.equiv -This file is used during -.Cm RhostsRSAAuthentication -and -.Cm HostbasedAuthentication -authentication. -In the simplest form, this file contains host names, one per line. -Users on -those hosts are permitted to log in without a password, provided they -have the same user name on both machines. -The host name may also be -followed by a user name; such users are permitted to log in as -.Em any -user on this machine (except root). -Additionally, the syntax -.Dq +@group -can be used to specify netgroups. -Negated entries start with -.Ql \&- . -.Pp -If the client host/user is successfully matched in this file, login is -automatically permitted provided the client and server user names are the -same. -Additionally, successful client host key authentication is required. -This file must be writable only by root; it is recommended -that it be world-readable. -.Pp -.Sy "Warning: It is almost never a good idea to use user names in" -.Pa hosts.equiv . -Beware that it really means that the named user(s) can log in as -.Em anybody , -which includes bin, daemon, adm, and other accounts that own critical -binaries and directories. -Using a user name practically grants the user root access. -The only valid use for user names that I can think -of is in negative entries. -.Pp -Note that this warning also applies to rsh/rlogin. +This file is for host-based authentication (see +.Xr ssh 1 ) . +It should only be writable by root. .Pp .It /etc/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 
@@ -765,10 +731,10 @@ refused. The file should be world-readable. .Pp .It /etc/shosts.equiv -This is processed exactly as -.Pa /etc/hosts.equiv . -However, this file may be useful in environments that want to run both -rsh/rlogin and ssh. +This file is used in exactly the same way as +.Pa hosts.equiv , +but allows host-based authentication without permitting login with +rlogin/rsh. .Pp .It /etc/ssh/ssh_known_hosts Systemwide list of known host keys.
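Review bot: the replacement /etc/hosts.equiv entry in the @@ -708 hunk drops the warning that a user name in hosts.equiv lets the named user log in as any account except root, including bin, daemon and adm, which practically grants root access, and it drops the recommendation that the file be world-readable; since the new text only says "This file is for host-based authentication (see .Xr ssh 1 )", confirm that the ssh(1) FILES entry it now defers to still carries both points, otherwise an sshd(8) reader loses them. The new wording also no longer mentions RhostsRSAAuthentication, which the removed text listed alongside HostbasedAuthentication; if that was intentional, the ChangeLog entry should say so.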
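Review bot: in the @@ -765 hunk the new /etc/shosts.equiv entry refers to ".Pa hosts.equiv ," without the /etc/ prefix, while the removed line used ".Pa /etc/hosts.equiv ." and the FILES item itself is ".It /etc/hosts.equiv"; use the full path so the cross-reference matches the entry it points to. The new sentence ("allows host-based authentication without permitting login with rlogin/rsh") is a clearer statement of the difference than the removed text and needs no further change.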