- jmc@cvs.openbsd.org 2006/02/13 11:27:25

[sshd.8] sort FILES and use a -compact list;
2025-09-25 19:08:56 +02:00 · 2006-03-15 11:33:56 +11:00 · 2006-03-15 11:33:56 +11:00 · d8702e865d
commit d8702e865d
parent c8f61cf199
2 changed files with 158 additions and 131 deletions
--- a/5
+++ b/5
@ -104,6 +104,9 @@
     [sshd.8]
     - avoid nasty line split
     - `*' does not need to be escaped
   - jmc@cvs.openbsd.org 2006/02/13 11:27:25
     [sshd.8]
     sort FILES and use a -compact list;
 20060313
 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@ -4005,4 +4008,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4168 2006/03/15 00:33:25 djm Exp $
+$Id: ChangeLog,v 1.4169 2006/03/15 00:33:56 djm Exp $
--- a/sshd.8
+++ b/sshd.8
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.222 2006/02/13 11:08:43 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.223 2006/02/13 11:27:25 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@ -591,77 +591,8 @@ cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
 AAAA1234.....=
 .Ed
 .Sh FILES
-.Bl -tag -width Ds
+.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
+.It ~/.hushlogin
 Contains configuration data for
 .Nm sshd .
 The file format and configuration options are described in
 .Xr sshd_config 5 .
 .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
 These three files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
 accessible to others.
 Note that
 .Nm
 does not start if this file is group/world-accessible.
 .It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
 These three files contain the public parts of the host keys.
 These files should be world-readable but writable only by
 root.
 Their contents should match the respective private parts.
 These files are not
 really used for anything; they are provided for the convenience of
 the user so their contents can be copied to known hosts files.
 These files are created using
 .Xr ssh-keygen 1 .
 .It Pa /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
 .It Pa /var/empty
 .Xr chroot 2
 directory used by
 .Nm
 during privilege separation in the pre-authentication phase.
 The directory should not contain any files and must be owned by root
 and not group or world-writable.
 .It Pa /var/run/sshd.pid
 Contains the process ID of the
 .Nm
 listening for connections (if there are several daemons running
 concurrently for different ports, this contains the process ID of the one
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .It Pa ~/.ssh/authorized_keys
 Lists the public keys (RSA or DSA) that can be used to log into the user's account.
 This file must be readable by root (which may on some machines imply
 it being world-readable if the user's home directory resides on an NFS
 volume).
 It is recommended that it not be accessible by others.
 The format of this file is described above.
 Users will place the contents of their
 .Pa identity.pub ,
 .Pa id_dsa.pub
 and/or
 .Pa id_rsa.pub
 files into this file, as described in
 .Xr ssh-keygen 1 .
 .It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
 These files are consulted when using rhosts with RSA host
 authentication or protocol version 2 hostbased authentication
 to check the public key of the host.
 The key must be listed in one of these files to be accepted.
 The client uses the same files
 to verify that it is connecting to the correct remote host.
 These files should be writable only by root/the owner.
 .Pa /etc/ssh/ssh_known_hosts
 should be world-readable, and
 .Pa ~/.ssh/known_hosts
 can, but need not be, world-readable.
 .It Pa /etc/motd
 See
 .Xr motd 5 .
 .It Pa ~/.hushlogin
 This file is used to suppress printing the last login time and
 .Pa /etc/motd ,
 if
@ -672,19 +603,8 @@ respectively,
 are enabled.
 It does not suppress printing of the banner specified by
 .Cm Banner .
-.It Pa /etc/nologin
+.Pp
-If this file exists,
+.It ~/.rhosts
 .Nm
 refuses to let anyone except root log in.
 The contents of the file
 are displayed to anyone trying to log in, and non-root connections are
 refused.
 The file should be world-readable.
 .It Pa /etc/hosts.allow, /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .It Pa ~/.rhosts
 This file is used during
 .Cm RhostsRSAAuthentication
 and
@ -702,56 +622,30 @@ It is also possible to use netgroups in the file.
 Either host or user
 name may be of the form +@groupname to specify all hosts or all users
 in the group.
-.It Pa ~/.shosts
+.Pp
 .It ~/.shosts
 For ssh,
 this file is exactly the same as for
 .Pa .rhosts .
 However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
 .Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
 those hosts are permitted to log in without a password, provided they
 have the same user name on both machines.
 The host name may also be
 followed by a user name; such users are permitted to log in as
 .Em any
 user on this machine (except root).
 Additionally, the syntax
 .Dq +@group
 can be used to specify netgroups.
 Negated entries start with
 .Ql \&- .
 .Pp
-If the client host/user is successfully matched in this file, login is
+.It ~/.ssh/authorized_keys
-automatically permitted provided the client and server user names are the
+Lists the public keys (RSA or DSA) that can be used to log into the user's account.
-same.
+This file must be readable by root (which may on some machines imply
-Additionally, successful client host key authentication is required.
+it being world-readable if the user's home directory resides on an NFS
-This file must be writable only by root; it is recommended
+volume).
-that it be world-readable.
+It is recommended that it not be accessible by others.
 The format of this file is described above.
 Users will place the contents of their
 .Pa identity.pub ,
 .Pa id_dsa.pub
 and/or
 .Pa id_rsa.pub
 files into this file, as described in
 .Xr ssh-keygen 1 .
 .Pp
-.Sy "Warning: It is almost never a good idea to use user names in"
+.It ~/.ssh/environment
 .Pa hosts.equiv .
 Beware that it really means that the named user(s) can log in as
 .Em anybody ,
 which includes bin, daemon, adm, and other accounts that own critical
 binaries and directories.
 Using a user name practically grants the user root access.
 The only valid use for user names that I can think
 of is in negative entries.
 .Pp
 Note that this warning also applies to rsh/rlogin.
 .It Pa /etc/shosts.equiv
 This is processed exactly as
 .Pa /etc/hosts.equiv .
 However, this file may be useful in environments that want to run both
 rsh/rlogin and ssh.
 .It Pa ~/.ssh/environment
 This file is read into the environment at login (if it exists).
 It can only contain empty lines, comment lines (that start with
 .Ql # ) ,
@ -762,7 +656,22 @@ Environment processing is disabled by default and is
 controlled via the
 .Cm PermitUserEnvironment
 option.
-.It Pa ~/.ssh/rc
+.Pp
 .It ~/.ssh/known_hosts
 .It /etc/ssh/ssh_known_hosts
 These files are consulted when using rhosts with RSA host
 authentication or protocol version 2 hostbased authentication
 to check the public key of the host.
 The key must be listed in one of these files to be accepted.
 The client uses the same files
 to verify that it is connecting to the correct remote host.
 These files should be writable only by root/the owner.
 .Pa /etc/ssh/ssh_known_hosts
 should be world-readable, and
 .Pa ~/.ssh/known_hosts
 can, but need not be, world-readable.
 .Pp
 .It ~/.ssh/rc
 If this file exists, it is run with
 .Pa /bin/sh
 after reading the
@ -805,12 +714,127 @@ does not exist either, xauth is used to add the cookie.
 .Pp
 This file should be writable only by the user, and need not be
 readable by anyone else.
-.It Pa /etc/ssh/sshrc
+.Pp
 .It /etc/hosts.allow
 .It /etc/hosts.deny
 Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .Pp
 .It /etc/hosts.equiv
 This file is used during
 .Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
 those hosts are permitted to log in without a password, provided they
 have the same user name on both machines.
 The host name may also be
 followed by a user name; such users are permitted to log in as
 .Em any
 user on this machine (except root).
 Additionally, the syntax
 .Dq +@group
 can be used to specify netgroups.
 Negated entries start with
 .Ql \&- .
 .Pp
 If the client host/user is successfully matched in this file, login is
 automatically permitted provided the client and server user names are the
 same.
 Additionally, successful client host key authentication is required.
 This file must be writable only by root; it is recommended
 that it be world-readable.
 .Pp
 .Sy "Warning: It is almost never a good idea to use user names in"
 .Pa hosts.equiv .
 Beware that it really means that the named user(s) can log in as
 .Em anybody ,
 which includes bin, daemon, adm, and other accounts that own critical
 binaries and directories.
 Using a user name practically grants the user root access.
 The only valid use for user names that I can think
 of is in negative entries.
 .Pp
 Note that this warning also applies to rsh/rlogin.
 .Pp
 .It /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
 .Pp
 .It /etc/motd
 See
 .Xr motd 5 .
 .Pp
 .It /etc/nologin
 If this file exists,
 .Nm
 refuses to let anyone except root log in.
 The contents of the file
 are displayed to anyone trying to log in, and non-root connections are
 refused.
 The file should be world-readable.
 .Pp
 .It /etc/shosts.equiv
 This is processed exactly as
 .Pa /etc/hosts.equiv .
 However, this file may be useful in environments that want to run both
 rsh/rlogin and ssh.
 .Pp
 .It /etc/ssh/ssh_host_key
 .It /etc/ssh/ssh_host_dsa_key
 .It /etc/ssh/ssh_host_rsa_key
 These three files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
 accessible to others.
 Note that
 .Nm
 does not start if this file is group/world-accessible.
 .Pp
 .It /etc/ssh/ssh_host_key.pub
 .It /etc/ssh/ssh_host_dsa_key.pub
 .It /etc/ssh/ssh_host_rsa_key.pub
 These three files contain the public parts of the host keys.
 These files should be world-readable but writable only by
 root.
 Their contents should match the respective private parts.
 These files are not
 really used for anything; they are provided for the convenience of
 the user so their contents can be copied to known hosts files.
 These files are created using
 .Xr ssh-keygen 1 .
 .Pp
 .It /etc/ssh/sshd_config
 Contains configuration data for
 .Nm sshd .
 The file format and configuration options are described in
 .Xr sshd_config 5 .
 .Pp
 .It /etc/ssh/sshrc
 Like
 .Pa ~/.ssh/rc .
 This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 .Pp
 .It /var/empty
 .Xr chroot 2
 directory used by
 .Nm
 during privilege separation in the pre-authentication phase.
 The directory should not contain any files and must be owned by root
 and not group or world-writable.
 .Pp
 .It /var/run/sshd.pid
 Contains the process ID of the
 .Nm
 listening for connections (if there are several daemons running
 concurrently for different ports, this contains the process ID of the one
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
 .Sh SEE ALSO
 .Xr scp 1 ,