 usr.bin/ssh/ssh.1  | 43
 usr.bin/ssh/sshd.8 | 64
 2 files changed, 49 insertions, 58 deletions
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 13c926fc8ca..064d1ed344f 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.11 1999/10/02 21:35:47 deraadt Exp $
+.\" $Id: ssh.1,v 1.12 1999/10/03 18:46:12 aaron Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
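Review bot: the `.Dd September 25, 1999` line is left untouched while the `$Id` stamp moves to 1999/10/03 and the text of the page changes below; bump `.Dd` to the date of this edit so the rendered manual reflects when its content last changed. The same applies to the sshd.8 header hunk later in this patch.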
@@ -25,14 +25,28 @@
.Pp
.Nm ssh
.Op Fl agknqtvxXC
-.Op Fl c Ar blowfish|3des
+.Op Fl c Ar blowfish | 3des
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
.Op Fl l Ar login_name
.Op Fl o Ar option
.Op Fl p Ar port
-.Op Fl L Ar port:host:hostport
-.Op Fl R Ar port:host:hostport
+.Oo Fl L Xo
+.Sm off
+.Ar host :
+.Ar port :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Oo Fl R Xo
+.Sm off
+.Ar host :
+.Ar port :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
.Op Ar hostname | user@hostname
.Op Ar command
.Sh DESCRIPTION
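Review bot: the new `-L` and `-R` synopsis blocks put the fields in the order host:port:hostport, but the option takes port:host:hostport (the port to listen on first, then the destination host and port), which is what the two lines being removed said and what the RemoteForward description later in this file still assumes ("a TCP/IP port on the remote machine be forwarded over the secure channel to given host:port"). The `.Oo`/`.Xo`/`.Sm off` rewrite itself is fine; just swap the first two `.Ar` lines in both blocks so they read `.Ar port :` then `.Ar host :`, otherwise the synopsis documents a syntax the program does not accept.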
@@ -592,10 +606,6 @@ somewhere. Host key management will be done using the
HostName of the host being connected (defaulting to the name typed by
the user).
.Pp
-Note that
-.Nm
-can also be configured to support the SOCKS system using the
---with-socks compile-time configuration option.
.It Cm RemoteForward
Specifies that a TCP/IP port on the remote machine be forwarded over
the secure channel to given host:port from the local machine. The
@@ -692,19 +702,15 @@ manually copy any required authorization cookies).
Set to the path of the user's home directory.
.It Ev LOGNAME
Synonym for
-.Ev USER ; set for compatibility with systems that use
-this variable.
+.Ev USER ;
+set for compatibility with systems that use this variable.
.It Ev MAIL
Set to point the user's mailbox.
.It Ev PATH
Set to the default
.Ev PATH ,
as specified when compiling
-.Nm
-or, on some systems,
-.Pa /etc/environment
-or
-.Pa /etc/default/login .
+.Nm ssh .
.It Ev SSH_AUTHENTICATION_FD
This is set to an integer value if you are using the authentication
agent and a connection to it has been forwarded. The value indicates
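Review bot: while this environment list is being touched, the context line under `.It Ev MAIL` reads "Set to point the user's mailbox." and is missing "to" ("Set to point to the user's mailbox."). Moving `set for compatibility ...` off the `.Ev USER ;` line is the right fix: everything after a macro name is an argument to that macro, so in the old form the trailing words would have been formatted as further environment-variable names rather than as plain text.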
@@ -734,15 +740,10 @@ Set to the name of the user logging in.
Additionally,
.Nm
reads
-.Pa /etc/environment
-and
.Pa $HOME/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
-to the environment. Some systems may have
-still additional mechanisms for setting up the environment, such as
-.Pa /etc/default/login
-on Solaris.
+to the environment.
.Sh FILES
.Bl -tag -width $HOME/.ssh/known_hosts
.It Pa $HOME/.ssh/known_hosts
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 3a1da517079..e32a9ae89ee 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: sshd.8,v 1.5 1999/10/02 13:10:26 deraadt Exp $
+.\" $Id: sshd.8,v 1.6 1999/10/03 18:46:12 aaron Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
@@ -182,8 +182,8 @@ are allowed to connect.
Note that
.Nm
can also be configured to use tcp_wrappers using the
-.Fl -with-libwrap
-compile-time configuration option.
+.Fl LIBWARP
+compile-time option.
.It Cm DenyHosts
This keyword can be followed by any number of host name patterns,
separated by spaces. If specified, login is disallowed from the hosts
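Review bot: `.Fl LIBWARP` has a typo (the tcp_wrappers library is libwrap, so the symbol should be LIBWRAP), and `.Fl` prefixes its argument with a dash in the rendered output, which is wrong for a compile-time define; use `.Dv LIBWRAP` instead, e.g. `can also be configured to use tcp_wrappers using the` / `.Dv LIBWRAP` / `compile-time option.`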
@@ -334,6 +334,12 @@ Specifies whether X11 forwarding is permitted. The default is
.Dq yes .
Note that disabling X11 forwarding does not improve security in any
way, as users can always install their own forwarders.
+.It Cm X11DisplayOffset
+Specifies the first display number available for
+.Nm sshd Ns 's
+X11 forwarding. This prevents
+.Nm
+from interfering with real X11 servers.
.El
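Review bot: the new `X11DisplayOffset` entry gives no default, whereas every neighbouring keyword, including the `X11Forwarding` entry in the context directly above, ends with a "The default is ..." sentence; add one with the value the server actually uses, so an administrator can tell whether the option needs setting at all and which display numbers remain free for a real X server on the same host.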
.Sh LOGIN PROCESS
When a user successfully logs in,
@@ -362,10 +368,6 @@ Changes to run with normal user privileges.
Sets up basic environment.
.It
Reads
-.Pa /etc/environment
-if it exists.
-.It
-Reads
.Pa $HOME/.ssh/environment
if it exists.
.It
@@ -466,11 +468,7 @@ and
files contain host public keys for all known hosts. The global file should
be prepared by the admistrator (optional), and the per-user file is
maintained automatically: whenever the user connects an unknown host
-its key is added to the per-user file. The recommended way to create
-.Pa /etc/ssh_known_hosts
-is to use the
-.Xr make-ssh-known-hosts 1
-command.
+its key is added to the per-user file.
.Pp
Each line in these files contains the following fields: hostnames,
bits, exponent, modulus, comment. The fields are separated by spaces.
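Review bot: the context lines of this paragraph still read "admistrator" and "whenever the user connects an unknown host" (missing "to"); since the paragraph is being rewritten, fix both here. Dropping the make-ssh-known-hosts pointer is consistent with the rest of the patch, but it leaves this paragraph with no guidance at all on how `/etc/ssh_known_hosts` is meant to be populated; the advice a few lines further down ("by taking /etc/ssh_host_key.pub and adding the host names at the front") now carries that job and is worth referring to from here.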
@@ -504,8 +502,7 @@ accepted if valid information can be found from either file.
.Pp
Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
-Rather, generate them by a script (see
-.Xr make-ssh-known-hosts 1 )
+Rather, generate them by a script
or by taking
.Pa /etc/ssh_host_key.pub
and adding the host names at the front.
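Review bot: with the `.Xr` gone, "Rather, generate them by a script" no longer names any script and tells the reader nothing; either drop the clause and keep only "by taking /etc/ssh_host_key.pub and adding the host names at the front", or say what such a script must do, namely collect each host's `/etc/ssh_host_key.pub` over a channel that is already trusted, since a key fetched from an unverified host over the network is exactly what a known_hosts entry is supposed to protect against.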
@@ -545,32 +542,31 @@ This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
volume). It is recommended that it not be accessible by others. The
format of this file is described above.
-.It Pa "/etc/ssh_known_hosts" and "$HOME/.ssh/known_hosts"
-These files are consulted when using rhosts with RSA host
+.It Pa /etc/ssh_known_hosts
+This file is consulted when using rhosts with RSA host
authentication to check the public key of the host. The key must be
-listed in one of these files to be accepted. (The client uses the
-same files to verify that the remote host is the one we intended to
-connect.) These files should be writable only by root/the owner.
+listed in this file to be accepted.
+.It Pa $HOME/.ssh/known_hosts
+The client uses this file
+and
+.Pa /etc/ssh_known_hosts
+to verify that the remote host is the one we intended to
+connect. These files should be writable only by root/the owner.
.Pa /etc/ssh_known_hosts
should be world-readable, and
.Pa $HOME/.ssh/known_hosts
can but need not be world-readable.
-.Pa /etc/nologin
+.It Pa /etc/nologin
If this file exists,
.Nm
refuses to let anyone except root log in. The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused. The file should be world-readable.
-.Pa $HOME/.rhosts
+.It Pa $HOME/.rhosts
This file contains host-username pairs, separated by a space, one per
line. The given user on the corresponding host is permitted to log in
without password. The same file is used by rlogind and rshd.
-Ssh differs from rlogind
-and rshd in that it requires RSA host authentication in addition to
-validating the host name retrieved from domain name servers (unless
-compiled with the
-.Fl -with-rhosts
-configuration option). The file must
+The file must
be writable only by the user; it is recommended that it not be
accessible by others.
.Pp
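Review bot: the `$HOME/.rhosts` entry loses the sentence saying that sshd, unlike rlogind and rshd, also requires RSA host authentication. Removing the `--with-rhosts` configure clause is right for this tree, but the requirement itself is the security-relevant difference and should survive, e.g. `Ssh differs from rlogind and rshd in that it requires RSA host authentication` / `in addition to validating the host name retrieved from domain name servers.`; the hosts.equiv entry below still states "successful RSA host authentication is normally required", so the two entries would otherwise disagree. The added `.It` on the `/etc/nologin` and `$HOME/.rhosts` lines is a real fix: without it both entries rendered as continuation text of the known_hosts item.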
@@ -603,7 +599,7 @@ same. Additionally, successful RSA host authentication is normally
required. This file must be writable only by root; it is recommended
that it be world-readable.
.Pp
-.Sy Warning: It is almost never a good idea to use user names in
+.Sy "Warning: It is almost never a good idea to use user names in"
.Pa hosts.equiv .
Beware that it really means that the named user(s) can log in as
.Em anybody ,
@@ -618,18 +614,12 @@ This is processed exactly as
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
-.It Pa /etc/environment
+.It Pa $HOME/.ssh/environment
This file is read into the environment at login (if it exists). It
can only contain empty lines, comment lines (that start with
.Ql # ) ,
-and assignment lines of the form name=value. This file is processed in
-all environments (normal rsh/rlogin only process it on AIX and
-potentially some other systems). The file should be writable only by
-root, and should be world-readable.
-.It Pa $HOME/.ssh/environment
-This file is read into the environment after /etc/environment. It has
-the same format. The file should be writable only by the user; it
-need not be readable by anyone else.
+and assignment lines of the form name=value. The file should be writable
+only by the user; it need not be readable by anyone else.
.It Pa $HOME/.ssh/rc
If this file exists, it is run with /bin/sh after reading the
environment files but before starting the user's shell or command. If
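Review bot: with `/etc/environment` removed, the `$HOME/.ssh/rc` entry in the context ("run with /bin/sh after reading the environment files") now refers to a single file; change it to "the environment file". The merged `$HOME/.ssh/environment` entry reads correctly, and keeping "writable only by the user" is the right permission note, since the LOGIN PROCESS section has sshd read this file after it has changed to the user's privileges.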