upstream: rework authorized_keys example section, removing irrelevant
stuff, de-wrapping the example lines and better aligning the examples with common usage and FAQs; ok jmc OpenBSD-Commit-ID: d59f1c9281f828148e2a2e49eb9629266803b75c
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
d9cb35bbec
commit
c298c4da57
41
sshd.8
41
sshd.8
|
|
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd.8,v 1.314 2021/04/03 05:46:41 djm Exp $
|
.\" $OpenBSD: sshd.8,v 1.315 2021/06/04 05:59:18 djm Exp $
|
||||||
.Dd $Mdocdate: April 3 2021 $
|
.Dd $Mdocdate: June 4 2021 $
|
||||||
.Dt SSHD 8
|
.Dt SSHD 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
|
@ -665,24 +665,25 @@ option.
|
||||||
.Pp
|
.Pp
|
||||||
An example authorized_keys file:
|
An example authorized_keys file:
|
||||||
.Bd -literal -offset 3n
|
.Bd -literal -offset 3n
|
||||||
# Comments allowed at start of line
|
# Comments are allowed at start of line. Blank lines are allowed.
|
||||||
ssh-rsa AAAAB3Nza...LiPk== user@example.net
|
# Plain key, no restrictions
|
||||||
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
|
ssh-rsa ...
|
||||||
AAAAB2...19Q== john@example.net
|
# Forced command, disable PTY and all forwarding
|
||||||
command="dump /home",no-pty,no-port-forwarding ssh-rsa
|
restrict,command="dump /home" ssh-rsa ...
|
||||||
AAAAC3...51R== example.net
|
# Restriction of ssh -L forwarding destinations
|
||||||
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa
|
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
|
||||||
AAAAB5...21S==
|
# Restriction of ssh -R forwarding listeners
|
||||||
permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa
|
permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
|
||||||
AAAAB5...21S==
|
# Configuration for tunnel forwarding
|
||||||
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
|
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
|
||||||
jane@example.net
|
# Override of restriction to allow PTY allocation
|
||||||
restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
|
restrict,pty,command="nethack" ssh-rsa ...
|
||||||
user@example.net
|
# Allow FIDO key without requiring touch
|
||||||
restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
|
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
|
||||||
user@example.net
|
# Require user-verification (e.g. PIN or biometric) for FIDO key
|
||||||
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
|
verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
|
||||||
user@example.net
|
# Trust CA key, allow touch-less FIDO if requested in certificate
|
||||||
|
cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
|
||||||
.Ed
|
.Ed
|
||||||
.Sh SSH_KNOWN_HOSTS FILE FORMAT
|
.Sh SSH_KNOWN_HOSTS FILE FORMAT
|
||||||
The
|
The
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue