path: root/crypto/openssh/sshd.8
author: des <des@FreeBSD.org> 2004-01-07 11:16:27 +0000
committer: des <des@FreeBSD.org> 2004-01-07 11:16:27 +0000
commit: 7545fb1c7eaf9a0f07cf592ab1b5aa8f59a59866
tree: 5fffd9d1fcec3a05be383fc9aa81e1eb5e7935de /crypto/openssh/sshd.8
parent: b5f9e06a6d8d64c8429e25a1bc1ebfad436bf477
Resolve conflicts and remove obsolete files.
Sponsored by: registrar.no
Diffstat (limited to 'crypto/openssh/sshd.8')
-rw-r--r-- crypto/openssh/sshd.8 | 68
1 files changed, 47 insertions, 21 deletions
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index b7eddc9..ca826f0 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
.\" $FreeBSD$
.Dd September 25, 1999
.Dt SSHD 8
@@ -115,6 +115,29 @@ authentication combined with RSA host
authentication, RSA challenge-response authentication, or password
based authentication.
.Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible. An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&. The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux). If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
Rhosts authentication is normally disabled
because it is fundamentally insecure, but can be enabled in the server
configuration file if desired.
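Review bot: the new paragraph has wording defects that should be fixed before import: "system dependant" should be "system dependent", "while allowing still public-key" should read "while still allowing public-key", and "eg" should be "e.g." in both places. The sentence terminator after `.Cm DenyGroups` is also placed on the following line as `\&.`, which roff renders as "DenyGroups ." with a stray space before the period; put the delimiter on the macro line instead, as `.Cm DenyGroups .`, and start the next text line at "The definition of a locked account". The substance is worth keeping as written: it tells administrators that the lock check reads the passwd field, so disabling password login while retaining public-key access requires a value other than the listed lock markers.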
@@ -291,7 +314,6 @@ may also be used to prevent
from making DNS requests unless the authentication
mechanism or configuration requires it.
Authentication mechanisms that may require DNS include
-.Cm RhostsAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm HostbasedAuthentication
and using a
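Review bot: dropping `.Cm RhostsAuthentication ,` from the list of DNS-requiring mechanisms is only consistent if the option itself is gone from the server and its configuration manual in this same merge; verify that the matching removal is part of this import, otherwise the option stays documented elsewhere while disappearing from this list.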
@@ -430,13 +452,13 @@ that option keywords are case-insensitive):
Specifies that in addition to public key authentication, the canonical name
of the remote host must be present in the comma-separated list of
patterns
-.Pf ( Ql *
+.Pf ( Ql \&*
and
-.Ql ?
+.Ql \&?
serve as wildcards).
The list may also contain
patterns negated by prefixing them with
-.Ql ! ;
+.Ql \&! ;
if the canonical host name matches a negated pattern, the key is not accepted.
The purpose
of this option is to optionally increase security: public key authentication
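Review bot: prefixing `*`, `?` and `!` with `\&` is the correct fix here: mdoc treats a lone `?` or `!` argument as closing punctuation and renders it outside the `.Ql` quotes, so `.Ql ! ;` would not display the `!` as the literal negation prefix the text describes. Escaping `*` as well keeps the three wildcard characters consistent and matches the `\&*LK\&*` idiom used in the new locked-account paragraph.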
@@ -498,9 +520,9 @@ IPv6 addresses can be specified with an alternative syntax:
.Ar host/port .
Multiple
.Cm permitopen
-options may be applied separated by commas. No pattern matching is
-performed on the specified hostnames, they must be literal domains or
-addresses.
+options may be applied separated by commas.
+No pattern matching is performed on the specified hostnames,
+they must be literal domains or addresses.
.El
.Ss Examples
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
@@ -525,12 +547,16 @@ Each line in these files contains the following fields: hostnames,
bits, exponent, modulus, comment.
The fields are separated by spaces.
.Pp
-Hostnames is a comma-separated list of patterns ('*' and '?' act as
+Hostnames is a comma-separated list of patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+act as
wildcards); each pattern in turn is matched against the canonical host
name (when authenticating a client) or against the user-supplied
name (when authenticating a server).
A pattern may also be preceded by
-.Ql !
+.Ql \&!
to indicate negation: if the host name matches a negated
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
@@ -768,17 +794,6 @@ This can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.
.El
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
@@ -810,3 +825,14 @@ for privilege separation.
.%D January 2002
.%O work in progress material
.Re
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Niels Provos and Markus Friedl contributed support
+for privilege separation.
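Review bot: the AUTHORS text re-added here is identical to the block removed in the previous hunk, so this is a pure reordering that places AUTHORS after SEE ALSO as mdoc(7) section ordering expects; confirm that nothing else from the old position was meant to move with it, since the diff shows no wording change.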