tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- jmc@cvs.openbsd.org 2006/02/13 11:27:25 

[sshd.8]
     sort FILES and use a -compact list;
This commit is contained in:
Damien Miller 2006-03-15 11:33:56 +11:00
parent c8f61cf199
commit d8702e865d
2 changed files with 158 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -104,6 +104,9 @@
[sshd.8]
- avoid nasty line split
- `*' does not need to be escaped
- jmc@cvs.openbsd.org 2006/02/13 11:27:25
[sshd.8]
sort FILES and use a -compact list;
20060313
- (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@ -4005,4 +4008,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4168 2006/03/15 00:33:25 djm Exp $
$Id: ChangeLog,v 1.4169 2006/03/15 00:33:56 djm Exp $

284
sshd.8
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.222 2006/02/13 11:08:43 jmc Exp $
.\" $OpenBSD: sshd.8,v 1.223 2006/02/13 11:27:25 jmc Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@ -591,77 +591,8 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
AAAA1234.....=
.Ed
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
.Xr sshd_config 5 .
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
accessible to others.
Note that
.Nm
does not start if this file is group/world-accessible.
.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
These three files contain the public parts of the host keys.
These files should be world-readable but writable only by
root.
Their contents should match the respective private parts.
These files are not
really used for anything; they are provided for the convenience of
the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
.Xr moduli 5 .
.It Pa /var/empty
.Xr chroot 2
directory used by
.Nm
during privilege separation in the pre-authentication phase.
The directory should not contain any files and must be owned by root
and not group or world-writable.
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume).
It is recommended that it not be accessible by others.
The format of this file is described above.
Users will place the contents of their
.Pa identity.pub ,
.Pa id_dsa.pub
and/or
.Pa id_rsa.pub
files into this file, as described in
.Xr ssh-keygen 1 .
.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
These files are consulted when using rhosts with RSA host
authentication or protocol version 2 hostbased authentication
to check the public key of the host.
The key must be listed in one of these files to be accepted.
The client uses the same files
to verify that it is connecting to the correct remote host.
These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
.Pa ~/.ssh/known_hosts
can, but need not be, world-readable.
.It Pa /etc/motd
See
.Xr motd 5 .
.It Pa ~/.hushlogin
.Bl -tag -width Ds -compact
.It ~/.hushlogin
This file is used to suppress printing the last login time and
.Pa /etc/motd ,
if
@ -672,19 +603,8 @@ respectively,
are enabled.
It does not suppress printing of the banner specified by
.Cm Banner .
.It Pa /etc/nologin
If this file exists,
.Nm
refuses to let anyone except root log in.
The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused.
The file should be world-readable.
.It Pa /etc/hosts.allow, /etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
.It Pa ~/.rhosts
.Pp
.It ~/.rhosts
This file is used during
.Cm RhostsRSAAuthentication
and
@ -702,56 +622,30 @@ It is also possible to use netgroups in the file.
Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
.It Pa ~/.shosts
.Pp
.It ~/.shosts
For ssh,
this file is exactly the same as for
.Pa .rhosts .
However, this file is
not used by rlogin and rshd, so using this permits access using SSH only.
.It Pa /etc/hosts.equiv
This file is used during
.Cm RhostsRSAAuthentication
and
.Cm HostbasedAuthentication
authentication.
In the simplest form, this file contains host names, one per line.
Users on
those hosts are permitted to log in without a password, provided they
have the same user name on both machines.
The host name may also be
followed by a user name; such users are permitted to log in as
.Em any
user on this machine (except root).
Additionally, the syntax
.Dq +@group
can be used to specify netgroups.
Negated entries start with
.Ql \&- .
.Pp
If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same.
Additionally, successful client host key authentication is required.
This file must be writable only by root; it is recommended
that it be world-readable.
.It ~/.ssh/authorized_keys
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume).
It is recommended that it not be accessible by others.
The format of this file is described above.
Users will place the contents of their
.Pa identity.pub ,
.Pa id_dsa.pub
and/or
.Pa id_rsa.pub
files into this file, as described in
.Xr ssh-keygen 1 .
.Pp
.Sy "Warning: It is almost never a good idea to use user names in"
.Pa hosts.equiv .
Beware that it really means that the named user(s) can log in as
.Em anybody ,
which includes bin, daemon, adm, and other accounts that own critical
binaries and directories.
Using a user name practically grants the user root access.
The only valid use for user names that I can think
of is in negative entries.
.Pp
Note that this warning also applies to rsh/rlogin.
.It Pa /etc/shosts.equiv
This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
.It Pa ~/.ssh/environment
.It ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
.Ql # ) ,
@ -762,7 +656,22 @@ Environment processing is disabled by default and is
controlled via the
.Cm PermitUserEnvironment
option.
.It Pa ~/.ssh/rc
.Pp
.It ~/.ssh/known_hosts
.It /etc/ssh/ssh_known_hosts
These files are consulted when using rhosts with RSA host
authentication or protocol version 2 hostbased authentication
to check the public key of the host.
The key must be listed in one of these files to be accepted.
The client uses the same files
to verify that it is connecting to the correct remote host.
These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
.Pa ~/.ssh/known_hosts
can, but need not be, world-readable.
.Pp
.It ~/.ssh/rc
If this file exists, it is run with
.Pa /bin/sh
after reading the
@ -805,12 +714,127 @@ does not exist either, xauth is used to add the cookie.
.Pp
This file should be writable only by the user, and need not be
readable by anyone else.
.It Pa /etc/ssh/sshrc
.Pp
.It /etc/hosts.allow
.It /etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
.Pp
.It /etc/hosts.equiv
This file is used during
.Cm RhostsRSAAuthentication
and
.Cm HostbasedAuthentication
authentication.
In the simplest form, this file contains host names, one per line.
Users on
those hosts are permitted to log in without a password, provided they
have the same user name on both machines.
The host name may also be
followed by a user name; such users are permitted to log in as
.Em any
user on this machine (except root).
Additionally, the syntax
.Dq +@group
can be used to specify netgroups.
Negated entries start with
.Ql \&- .
.Pp
If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same.
Additionally, successful client host key authentication is required.
This file must be writable only by root; it is recommended
that it be world-readable.
.Pp
.Sy "Warning: It is almost never a good idea to use user names in"
.Pa hosts.equiv .
Beware that it really means that the named user(s) can log in as
.Em anybody ,
which includes bin, daemon, adm, and other accounts that own critical
binaries and directories.
Using a user name practically grants the user root access.
The only valid use for user names that I can think
of is in negative entries.
.Pp
Note that this warning also applies to rsh/rlogin.
.Pp
.It /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
.Xr moduli 5 .
.Pp
.It /etc/motd
See
.Xr motd 5 .
.Pp
.It /etc/nologin
If this file exists,
.Nm
refuses to let anyone except root log in.
The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused.
The file should be world-readable.
.Pp
.It /etc/shosts.equiv
This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
.Pp
.It /etc/ssh/ssh_host_key
.It /etc/ssh/ssh_host_dsa_key
.It /etc/ssh/ssh_host_rsa_key
These three files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
accessible to others.
Note that
.Nm
does not start if this file is group/world-accessible.
.Pp
.It /etc/ssh/ssh_host_key.pub
.It /etc/ssh/ssh_host_dsa_key.pub
.It /etc/ssh/ssh_host_rsa_key.pub
These three files contain the public parts of the host keys.
These files should be world-readable but writable only by
root.
Their contents should match the respective private parts.
These files are not
really used for anything; they are provided for the convenience of
the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.Pp
.It /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
.Xr sshd_config 5 .
.Pp
.It /etc/ssh/sshrc
Like
.Pa ~/.ssh/rc .
This can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.
.Pp
.It /var/empty
.Xr chroot 2
directory used by
.Nm
during privilege separation in the pre-authentication phase.
The directory should not contain any files and must be owned by root
and not group or world-writable.
.Pp
.It /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
.Sh SEE ALSO
.Xr scp 1 ,