Diffstat (limited to 'crypto')
-rw-r--r--  crypto/openssh/ssh.1          13
-rw-r--r--  crypto/openssh/ssh_config.5    4
-rw-r--r--  crypto/openssh/sshd.8         23
-rw-r--r--  crypto/openssh/sshd_config.5  25
4 files changed, 41 insertions, 24 deletions
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1 index 8ada41f..230e48e 100644 --- a/crypto/openssh/ssh.1 +++ b/crypto/openssh/ssh.1 @@ -35,6 +35,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" $OpenBSD: ssh.1,v 1.158 2002/06/20 19:56:07 stevesk Exp $ +.\" $FreeBSD$ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -99,7 +100,7 @@ depending on the protocol version used: First, if the machine the user logs in from is listed in .Pa /etc/hosts.equiv or -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if @@ -123,7 +124,7 @@ It means that if the login would be permitted by .Pa $HOME/.shosts , .Pa /etc/hosts.equiv , or -.Pa /etc/shosts.equiv , +.Pa /etc/ssh/shosts.equiv , and if additionally the server can verify the client's host key (see .Pa /etc/ssh/ssh_known_hosts @@ -330,6 +331,7 @@ The user should not manually set .Ev DISPLAY . Forwarding of X11 connections can be configured on the command line or in configuration files. +Take note that X11 forwarding can represent a security hazard. .Pp The .Ev DISPLAY @@ -666,7 +668,7 @@ It is automatically set by to point to a value of the form .Dq hostname:n where hostname indicates -the host where the shell runs, and n is an integer >= 1. +the host where the shell runs, and n is an integer \*(>= 1. .Nm uses this special value to forward X11 connections over the secure channel. @@ -893,7 +895,8 @@ or .Xr rsh 1 . .It Pa /etc/hosts.equiv This file is used during -.Pa \&.rhosts authentication. +.Pa \&.rhosts +authentication. It contains canonical hosts names, one per line (the full format is described on the 
@@ -905,7 +908,7 @@ same. Additionally, successful RSA host authentication is normally required. This file should only be writable by root. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This file is processed exactly as .Pa /etc/hosts.equiv . This file may be useful to permit logins using diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5 index 53cb0fe..9ae6c78 100644 --- a/crypto/openssh/ssh_config.5 +++ b/crypto/openssh/ssh_config.5 @@ -35,6 +35,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $ +.\" $FreeBSD$ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -583,6 +584,9 @@ having to remember to give the user name on the command line. Specifies a file to use for the user host key database instead of .Pa $HOME/.ssh/known_hosts . +.It Cm VersionAddendum +Specifies a string to append to the regular version string to identify +OS- or site-specific modifications. .It Cm XAuthLocation Specifies the location of the .Xr xauth 1 diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8 index 22f8143..e6f2410 100644 --- a/crypto/openssh/sshd.8 +++ b/crypto/openssh/sshd.8 @@ -35,6 +35,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" $OpenBSD: sshd.8,v 1.184 2002/06/20 19:56:07 stevesk Exp $ +.\" $FreeBSD$ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -65,7 +66,7 @@ install and use as possible. .Nm is the daemon that listens for connections from clients. It is normally started at boot from -.Pa /etc/rc . +.Pa /etc/rc.d/sshd . It forks a new daemon for each incoming connection. The forked daemons handle @@ -340,8 +341,9 @@ section). If the login is on a tty, records login time. .It Checks -.Pa /etc/nologin ; -if it exists, prints contents and quits +.Pa /etc/nologin and +.Pa /var/run/nologin ; +if one exists, it prints the contents and quits (unless root). .It Changes to run with normal user privileges. 
@@ -359,11 +361,12 @@ If exists, runs it; else if .Pa /etc/ssh/sshrc exists, runs -it; otherwise runs xauth. +it; otherwise runs +.Xr xauth 1 . The .Dq rc files are given the X11 -authentication protocol and cookie in standard input. +authentication protocol and cookie (if applicable) in standard input. .It Runs user's shell or command. .El @@ -498,7 +501,7 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hu permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. @@ -576,7 +579,7 @@ really used for anything; they are provided for the convenience of the user so their contents can be copied to known hosts files. These files are created using .Xr ssh-keygen 1 . -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". .It Pa /var/run/sshd.pid Contains the process ID of the @@ -679,7 +682,7 @@ The only valid use for user names that I can think of is in negative entries. .Pp Note that this warning also applies to rsh/rlogin. -.It Pa /etc/shosts.equiv +.It Pa /etc/ssh/shosts.equiv This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both @@ -692,7 +695,9 @@ and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. .It Pa $HOME/.ssh/rc -If this file exists, it is run with /bin/sh after reading the +If this file exists, it is run with +.Pa /bin/sh +after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 1aecd48..4327e63 100644 --- a/crypto/openssh/sshd_config.5 
+++ b/crypto/openssh/sshd_config.5 @@ -35,6 +35,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" $OpenBSD: sshd_config.5,v 1.3 2002/06/20 23:37:12 markus Exp $ +.\" $FreeBSD$ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -266,7 +267,7 @@ or .Pp .Pa /etc/hosts.equiv and -.Pa /etc/shosts.equiv +.Pa /etc/ssh/shosts.equiv are still used. The default is .Dq yes . @@ -305,10 +306,6 @@ To disable keepalives, the value should be set to .It Cm KerberosAuthentication Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or if -.It Cm PAMAuthenticationViaKbdInt -Specifies whether PAM challenge response authentication is allowed. This -allows the use of most PAM challenge response authentication modules, but -it will allow password authentication regardless of whether .Cm PasswordAuthentication is yes, the password provided by the user will be validated through the Kerberos KDC. @@ -383,7 +380,7 @@ options must precede this option for non port qualified addresses. The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. -The default is 600 (seconds). +The default is 120 (seconds). .It Cm LogLevel Gives the verbosity level that is used when logging messages from .Nm sshd . @@ -444,7 +441,7 @@ The argument must be or .Dq no . The default is -.Dq yes . +.Dq no . .Pp If this option is set to .Dq without-password 
@@ -511,18 +508,23 @@ The default is .Dq yes . Note that this option applies to protocol version 2 only. .It Cm RhostsAuthentication -Specifies whether authentication using rhosts or /etc/hosts.equiv +Specifies whether authentication using rhosts or +.Pa /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted because it is insecure. .Cm RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition -to normal rhosts or /etc/hosts.equiv authentication. +to normal rhosts or +.Pa /etc/hosts.equiv +authentication. The default is .Dq no . This option applies to protocol version 1 only. .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or +.Pa /etc/hosts.equiv +authentication together with successful RSA host authentication is allowed. The default is .Dq no . @@ -597,6 +599,9 @@ the resolved host name for the remote IP address maps back to the very same IP address. The default is .Dq no . +.It Cm VersionAddendum +Specifies a string to append to the regular version string to identify +OS- or site-specific modifications. .It Cm X11DisplayOffset Specifies the first display number available for .Nm sshd Ns 's |
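Review bot: the path change from /etc/shosts.equiv to /etc/ssh/shosts.equiv in the ssh.1 hunk at @@ -99,7 +100,7 @@ (repeated in the later ssh.1, sshd.8 and sshd_config.5 hunks) is documentation only; confirm that the sshd build actually consults /etc/ssh/shosts.equiv, otherwise the manual now names a file the server never reads and an administrator who relies on it to permit host-based logins gets a silent failure. The same check applies to the /etc/ssh/moduli and /etc/rc.d/sshd path changes in sshd.8.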
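Review bot: the sentence added in the ssh.1 hunk at @@ -330,6 +331,7 @@, "Take note that X11 forwarding can represent a security hazard.", names a hazard without saying what it is or how to avoid it. Suggest one more clause stating that the remote side gains access to the local X display through the forwarded connection, plus a pointer to the option that controls forwarding in .Xr ssh_config 5, so the reader knows where to turn it off.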
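Review bot: the new VersionAddendum entry in ssh_config.5 (@@ -583,6 +584,9 @@) does not state the default; say what is appended when the keyword is absent (presumably nothing). It should also note that the version string is sent to the peer at the start of every connection, so anything placed here is disclosed to every host the client talks to. The identical text in the sshd_config.5 hunk at @@ -597,6 +599,9 @@ needs the same additions, and the two entries should be kept in sync or cross-reference each other.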
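Review bot: in the sshd.8 hunk at @@ -340,8 +341,9 @@ the rewritten sentence "if one exists, it prints the contents and quits (unless root)" leaves it unclear which file's contents are printed when both /etc/nologin and /var/run/nologin exist, and what "unless root" attaches to. Suggest stating the lookup order explicitly (which file takes precedence) and rewording the parenthetical as "(unless the user is root)".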
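Review bot: in the sshd.8 hunk at @@ -359,11 +361,12 @@ the parenthetical "(if applicable)" added after "authentication protocol and cookie" does not say when it applies. Suggest "(if X11 forwarding was requested)" or similar, since the author of an rc script needs to know that standard input may carry nothing.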
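Review bot: the sshd_config.5 hunk at @@ -305,10 +306,6 @@ deletes the PAMAuthenticationViaKbdInt paragraph, which had been spliced into the middle of the KerberosAuthentication entry (the text resumes with ".Cm PasswordAuthentication is yes, the password provided by the user will be validated through the Kerberos KDC", which belongs to the Kerberos sentence); removing it repairs that entry, but the option itself is now undocumented. If the sshd build still accepts PAMAuthenticationViaKbdInt, re-add its description as its own .It Cm entry in alphabetical position; if the option was dropped, the commit message should say so.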
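Review bot: the sshd_config.5 hunk at @@ -383,7 +380,7 @@ changes the documented LoginGraceTime default from 600 to 120 seconds; confirm that the compiled-in default and the shipped sample sshd_config were changed with it, otherwise the manual and the server disagree.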
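Review bot: the sshd_config.5 hunk at @@ -444,7 +441,7 @@ flips the documented PermitRootLogin default from yes to no, which is the safer setting but a behaviour change for anyone upgrading who administers the host as root over ssh; it should be called out in the release notes, and the compiled-in default and sample sshd_config must match the manual. Also re-read the following "without-password" paragraph to make sure it still reads correctly now that the stated default is no.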