-rw-r--r--  usr.bin/ssh/ssh.1  | 43
-rw-r--r--  usr.bin/ssh/sshd.8 | 64
2 files changed, 49 insertions, 58 deletions
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1 index 13c926fc8ca..064d1ed344f 100644 --- a/usr.bin/ssh/ssh.1 +++ b/usr.bin/ssh/ssh.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: ssh.1,v 1.11 1999/10/02 21:35:47 deraadt Exp $ +.\" $Id: ssh.1,v 1.12 1999/10/03 18:46:12 aaron Exp $ .\" .Dd September 25, 1999 .Dt SSH 1 @@ -25,14 +25,28 @@ .Pp .Nm ssh .Op Fl agknqtvxXC -.Op Fl c Ar blowfish|3des +.Op Fl c Ar blowfish | 3des .Op Fl e Ar escape_char .Op Fl i Ar identity_file .Op Fl l Ar login_name .Op Fl o Ar option .Op Fl p Ar port -.Op Fl L Ar port:host:hostport -.Op Fl R Ar port:host:hostport +.Oo Fl L Xo +.Sm off +.Ar host : +.Ar port : +.Ar hostport +.Sm on +.Xc +.Oc +.Oo Fl R Xo +.Sm off +.Ar host : +.Ar port : +.Ar hostport +.Sm on +.Xc +.Oc .Op Ar hostname | user@hostname .Op Ar command .Sh DESCRIPTION @@ -592,10 +606,6 @@ somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). .Pp -Note that -.Nm -can also be configured to support the SOCKS system using the ---with-socks compile-time configuration option. .It Cm RemoteForward Specifies that a TCP/IP port on the remote machine be forwarded over the secure channel to given host:port from the local machine. The @@ -692,19 +702,15 @@ manually copy any required authorization cookies). Set to the path of the user's home directory. .It Ev LOGNAME Synonym for -.Ev USER ; set for compatibility with systems that use -this variable. +.Ev USER ; +set for compatibility with systems that use this variable. .It Ev MAIL Set to point the user's mailbox. .It Ev PATH Set to the default .Ev PATH , as specified when compiling -.Nm -or, on some systems, -.Pa /etc/environment -or -.Pa /etc/default/login . +.Nm ssh . .It Ev SSH_AUTHENTICATION_FD This is set to an integer value if you are using the authentication agent and a connection to it has been forwarded. The value indicates 
@@ -734,15 +740,10 @@ Set to the name of the user logging in. Additionally, .Nm reads -.Pa /etc/environment -and .Pa $HOME/.ssh/environment , and adds lines of the format .Dq VARNAME=value -to the environment. Some systems may have -still additional mechanisms for setting up the environment, such as -.Pa /etc/default/login -on Solaris. +to the environment. .Sh FILES .Bl -tag -width $HOME/.ssh/known_hosts .It Pa $HOME/.ssh/known_hosts diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8 index 3a1da517079..e32a9ae89ee 100644 --- a/usr.bin/ssh/sshd.8 +++ b/usr.bin/ssh/sshd.8 @@ -9,7 +9,7 @@ .\" .\" Created: Sat Apr 22 21:55:14 1995 ylo .\" -.\" $Id: sshd.8,v 1.5 1999/10/02 13:10:26 deraadt Exp $ +.\" $Id: sshd.8,v 1.6 1999/10/03 18:46:12 aaron Exp $ .\" .Dd September 25, 1999 .Dt SSHD 8 @@ -182,8 +182,8 @@ are allowed to connect. Note that .Nm can also be configured to use tcp_wrappers using the -.Fl -with-libwrap -compile-time configuration option. +.Fl LIBWARP +compile-time option. .It Cm DenyHosts This keyword can be followed by any number of host name patterns, separated by spaces. If specified, login is disallowed from the hosts @@ -334,6 +334,12 @@ Specifies whether X11 forwarding is permitted. The default is .Dq yes . Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders. +.It Cm X11DisplayOffset +Specifies the first display number available for +.Nm sshd Ns 's +X11 forwarding. This prevents +.Nm +from interfering with real X11 servers. .El .Sh LOGIN PROCESS When a user successfully logs in, @@ -362,10 +368,6 @@ Changes to run with normal user privileges. Sets up basic environment. .It Reads -.Pa /etc/environment -if it exists. -.It -Reads .Pa $HOME/.ssh/environment if it exists. .It 
@@ -466,11 +468,7 @@ and files contain host public keys for all known hosts. The global file should be prepared by the admistrator (optional), and the per-user file is maintained automatically: whenever the user connects an unknown host -its key is added to the per-user file. The recommended way to create -.Pa /etc/ssh_known_hosts -is to use the -.Xr make-ssh-known-hosts 1 -command. +its key is added to the per-user file. .Pp Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. @@ -504,8 +502,7 @@ accepted if valid information can be found from either file. .Pp Note that the lines in these files are typically hundreds of characters long, and you definitely don't want to type in the host keys by hand. -Rather, generate them by a script (see -.Xr make-ssh-known-hosts 1 ) +Rather, generate them by a script or by taking .Pa /etc/ssh_host_key.pub and adding the host names at the front. 
@@ -545,32 +542,31 @@ This file must be readable by root (which may on some machines imply it being world-readable if the user's home directory resides on an NFS volume). It is recommended that it not be accessible by others. The format of this file is described above. -.It Pa "/etc/ssh_known_hosts" and "$HOME/.ssh/known_hosts" -These files are consulted when using rhosts with RSA host +.It Pa /etc/ssh_known_hosts +This file is consulted when using rhosts with RSA host authentication to check the public key of the host. The key must be -listed in one of these files to be accepted. (The client uses the -same files to verify that the remote host is the one we intended to -connect.) These files should be writable only by root/the owner. +listed in this file to be accepted. +.It Pa $HOME/.ssh/known_hosts +The client uses this file +and +.Pa /etc/ssh_known_hosts +to verify that the remote host is the one we intended to +connect. These files should be writable only by root/the owner. .Pa /etc/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts can but need not be world-readable. -.Pa /etc/nologin +.It Pa /etc/nologin If this file exists, .Nm refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable. -.Pa $HOME/.rhosts +.It Pa $HOME/.rhosts This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in without password. The same file is used by rlogind and rshd. -Ssh differs from rlogind -and rshd in that it requires RSA host authentication in addition to -validating the host name retrieved from domain name servers (unless -compiled with the -.Fl -with-rhosts -configuration option). The file must +The file must be writable only by the user; it is recommended that it not be accessible by others. .Pp 
@@ -603,7 +599,7 @@ same. Additionally, successful RSA host authentication is normally required. This file must be writable only by root; it is recommended that it be world-readable. .Pp -.Sy Warning: It is almost never a good idea to use user names in +.Sy "Warning: It is almost never a good idea to use user names in" .Pa hosts.equiv . Beware that it really means that the named user(s) can log in as .Em anybody , @@ -618,18 +614,12 @@ This is processed exactly as .Pa /etc/hosts.equiv . However, this file may be useful in environments that want to run both rsh/rlogin and ssh. -.It Pa /etc/environment +.It Pa $HOME/.ssh/environment This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with .Ql # ) , -and assignment lines of the form name=value. This file is processed in -all environments (normal rsh/rlogin only process it on AIX and -potentially some other systems). The file should be writable only by -root, and should be world-readable. -.It Pa $HOME/.ssh/environment -This file is read into the environment after /etc/environment. It has -the same format. The file should be writable only by the user; it -need not be readable by anyone else. +and assignment lines of the form name=value. The file should be writable +only by the user; it need not be readable by anyone else. .It Pa $HOME/.ssh/rc If this file exists, it is run with /bin/sh after reading the environment files but before starting the user's shell or command. If |
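Review bot: the ssh.1 synopsis hunk at @@ -25,14 +25,28 @@ changes the meaning of the -L and -R arguments, not just their layout. The removed lines document `port:host:hostport`, but the added `.Xo`/`.Xc` sequences spell out `.Ar host :` then `.Ar port :` then `.Ar hostport`, so the rendered synopsis now puts the host first. Keep the original order inside each pair: `.Ar port :`, `.Ar host :`, `.Ar hostport`, which also matches the RemoteForward text later in the same file (a local port forwarded to a given host:port).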
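Review bot: `.Fl LIBWARP` in the sshd.8 hunk at @@ -182,8 +182,8 @@ misspells the build knob; the line it replaces spells it `libwrap`, so the new line should read `LIBWRAP`. Separately, `.Fl` prefixes its argument with a dash and will render as `-LIBWRAP`, which is misleading for a make variable; `.Dv LIBWRAP` (or plain text) is the usual mdoc choice for a compile-time define.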
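Review bot: the new `X11DisplayOffset` entry in the sshd.8 hunk at @@ -334,6 +334,12 @@ does not state its default, while the adjacent X11Forwarding entry ends with `The default is .Dq yes .`; add a `The default is` sentence with the value sshd actually uses so administrators know which display numbers are consumed without touching the setting.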
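Review bot: the context lines of the sshd.8 hunk at @@ -466,11 +468,7 @@ still carry the typo `admistrator` (for `administrator`); since the hunk already rewrites this paragraph, fix it in the same change.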
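Review bot: the `$HOME/.rhosts` entry in the sshd.8 FILES hunk at @@ -545,32 +542,31 @@ drops more than the obsolete build option. The removed sentence `Ssh differs from rlogind and rshd in that it requires RSA host authentication in addition to validating the host name retrieved from domain name servers` remains true once the `-with-rhosts` parenthetical goes; without it the entry only says the file is shared with rlogind and rshd, which reads as if ssh honours .rhosts on hostname alone, while the hosts.equiv entry below still says `successful RSA host authentication is normally required`. Keep the sentence and end it at `domain name servers.` In the same hunk, the new `/etc/ssh_known_hosts` entry says the key `must be listed in this file to be accepted`, which contradicts the earlier hunk at @@ -504,8 +502,7 @@ where the text says a key is `accepted if valid information can be found from either file`; say so here as well, or point the reader to that paragraph.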