- markus@cvs.openbsd.org 2004/08/26 16:00:55

[ssh.1 sshd.8] get rid of references to rhosts authentication; with jmc@
2004-08-29 16:37:24 +10:00 · 2004-08-29 16:37:24 +10:00 · db69390817
parent 34620d6f71
commit db69390817
3 changed files with 45 additions and 53 deletions
--- a/5
+++ b/5
@ -16,6 +16,9 @@
   - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
     [ssh-keysign.c]
     Remove duplicate getuid(), suggested by & ok markus@
   - markus@cvs.openbsd.org 2004/08/26 16:00:55
     [ssh.1 sshd.8]
     get rid of references to rhosts authentication; with jmc@
 20040828
 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
@ -1683,4 +1686,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3526 2004/08/29 06:32:59 dtucker Exp $
+$Id: ChangeLog,v 1.3527 2004/08/29 06:37:24 dtucker Exp $
--- a/ssh.1
+++ b/ssh.1
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
+.\" $OpenBSD: ssh.1,v 1.195 2004/08/26 16:00:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@ -103,35 +103,25 @@ is specified,
 .Ar command
 is executed on the remote host instead of a login shell.
 .Ss SSH protocol version 1
-First, if the machine the user logs in from is listed in
+The first authentication method is the
 .Pa /etc/hosts.equiv
 or
 .Pa /etc/shosts.equiv
 on the remote machine, and the user names are
 the same on both sides, the user is immediately permitted to log in.
 Second, if
 .Pa .rhosts
 or
 .Pa .shosts
 exists in the user's home directory on the
 remote machine and contains a line containing the name of the client
 machine and the name of the user on that machine, the user is
 permitted to log in.
 This form of authentication alone is normally not
 allowed by the server because it is not secure.
 .Pp
 The second authentication method is the
 .Em rhosts
 or
 .Em hosts.equiv
 method combined with RSA-based host authentication.
-It means that if the login would be permitted by
+If the machine the user logs in from is listed in
-.Pa $HOME/.rhosts ,
+.Pa /etc/hosts.equiv
 .Pa $HOME/.shosts ,
 .Pa /etc/hosts.equiv ,
 or
-.Pa /etc/shosts.equiv ,
+.Pa /etc/shosts.equiv
-and if additionally the server can verify the client's
+on the remote machine, and the user names are
 the same on both sides, or if the files
 .Pa $HOME/.rhosts
 or
 .Pa $HOME/.shosts
 exist in the user's home directory on the
 remote machine and contain a line containing the name of the client
 machine and the name of the user on that machine, the user is
 considered for log in.
 Additionally, if the server can verify the client's
 host key (see
 .Pa /etc/ssh/ssh_known_hosts
 and
@ -147,7 +137,7 @@ spoofing, DNS spoofing and routing spoofing.
 and the rlogin/rsh protocol in general, are inherently insecure and should be
 disabled if security is desired.]
 .Pp
-As a third authentication method,
+As a second authentication method,
 .Nm
 supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
@ -195,9 +185,6 @@ file corresponds to the conventional
 file, and has one key
 per line, though the lines can be very long).
 After this, the user can log in without giving the password.
 RSA authentication is much more secure than
 .Em rhosts
 authentication.
 .Pp
 The most convenient way to use RSA authentication may be with an
 authentication agent.
@ -1012,7 +999,9 @@ By default
 is not setuid root.
 .It Pa $HOME/.rhosts
 This file is used in
-.Em rhosts
+.Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 authentication to list the
 host/user pairs that are permitted to log in.
 (Note that this file is
@ -1031,12 +1020,10 @@ The recommended
 permission for most machines is read/write for the user, and not
 accessible by others.
 .Pp
-Note that by default
+Note that
 .Xr sshd 8
-will be installed so that it requires successful RSA host
+allows authentication only in combination with client host key
-authentication before permitting
+authentication before permitting log in.
 .Em rhosts
 authentication.
 If the server machine does not have the client's host key in
 .Pa /etc/ssh/ssh_known_hosts ,
 it can be stored in
@ -1049,15 +1036,19 @@ will automatically add the host key to
 This file is used exactly the same way as
 .Pa .rhosts .
 The purpose for
-having this file is to be able to use rhosts authentication with
+having this file is to be able to use
-.Nm
+.Cm RhostsRSAAuthentication
-without permitting login with
+and
 .Cm HostbasedAuthentication
 authentication without permitting login with
 .Xr rlogin
 or
 .Xr rsh 1 .
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 authentication.
 It contains
 canonical hosts names, one per line (the full format is described in the
@ -1066,8 +1057,7 @@ manual page).
 If the client host is found in this file, login is
 automatically permitted provided client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally
+Additionally, successful client host key authentication is required.
 required.
 This file should only be writable by root.
 .It Pa /etc/shosts.equiv
 This file is processed exactly as
--- a/sshd.8
+++ b/sshd.8
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.202 2004/08/26 16:00:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@ -106,8 +106,6 @@ to use from those offered by the server.
 Next, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
 .Em .rhosts
 authentication,
 .Em .rhosts
 authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
@ -135,11 +133,6 @@ or
 .Ql \&*NP\&*
 ).
 .Pp
 .Em rhosts
 authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
 System security is not improved unless
 .Nm rshd ,
 .Nm rlogind ,
 and
@ -670,7 +663,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
 Further details are described in
 .Xr hosts_access 5 .
 .It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+This file is used during
 .Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 and contains host-username pairs, separated by a space, one per
 line.
 The given user on the corresponding host is permitted to log in
 without a password.
@ -691,7 +688,9 @@ However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
 .It Pa /etc/hosts.equiv
 This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
 and
 .Cm HostbasedAuthentication
 authentication.
 In the simplest form, this file contains host names, one per line.
 Users on
@ -710,7 +709,7 @@ Negated entries start with
 If the client host/user is successfully matched in this file, login is
 automatically permitted provided the client and server user names are the
 same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
 This file must be writable only by root; it is recommended
 that it be world-readable.
 .Pp