diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2008-06-10 23:06:20 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2008-06-10 23:06:20 +0000 |
| commit | 00999f3dca30c91ccbd4f51b23ead58bf9b61b92 (patch) | |
| tree | 3c3c9c42e56b5118e3b2de35acf3885c04d8e0f9 /usr.bin/ssh/sshd.8 | |
| parent | 548bf8f79057a402e214a7c5893fcfa396632fa4 (diff) | |
support CIDR address matching in .ssh/authorized_keys from="..." stanzas
ok and extensive testing dtucker@
Diffstat (limited to 'usr.bin/ssh/sshd.8')
| -rw-r--r-- | usr.bin/ssh/sshd.8 | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index 7b1533cacd4..0c557bd28a2 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $ .Dd $Mdocdate: June 10 2008 $ .Dt SSHD 8 .Os @@ -504,23 +504,27 @@ This option is automatically disabled if .Cm UseLogin is enabled. .It Cm from="pattern-list" -Specifies that in addition to public key authentication, the canonical name -of the remote host must be present in the comma-separated list of -patterns. -The purpose -of this option is to optionally increase security: public key authentication -by itself does not trust the network or name servers or anything (but -the key); however, if somebody somehow steals the key, the key -permits an intruder to log in from anywhere in the world. -This additional option makes using a stolen key more difficult (name -servers and/or routers would have to be compromised in addition to -just the key). -.Pp +Specifies that in addition to public key authentication, either the canonical +name of the remote host or its IP address must be present in the +comma-separated list of patterns. See .Sx PATTERNS in .Xr ssh_config 5 for more information on patterns. +.Pp +In addition to the wildcard matching that may be applied to hostnames or +addresses, a +.Cm from +stanza may match IP addressess using CIDR address/masklen notation. +.Pp +The purpose of this option is to optionally increase security: public key +authentication by itself does not trust the network or name servers or +anything (but the key); however, if somebody somehow steals the key, the key +permits an intruder to log in from anywhere in the world. +This additional option makes using a stolen key more difficult (name +servers and/or routers would have to be compromised in addition to +just the key). .It Cm no-agent-forwarding Forbids authentication agent forwarding when this key is used for authentication. |