summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/ssh.170
-rw-r--r--usr.bin/ssh/sshd.820
2 files changed, 40 insertions, 50 deletions
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 0ff77ea296f..b9ee4c62b94 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
+.\" $OpenBSD: ssh.1,v 1.195 2004/08/26 16:00:55 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -103,35 +103,25 @@ is specified,
.Ar command
is executed on the remote host instead of a login shell.
.Ss SSH protocol version 1
-First, if the machine the user logs in from is listed in
+The first authentication method is the
+.Em rhosts
+or
+.Em hosts.equiv
+method combined with RSA-based host authentication.
+If the machine the user logs in from is listed in
.Pa /etc/hosts.equiv
or
.Pa /etc/shosts.equiv
on the remote machine, and the user names are
-the same on both sides, the user is immediately permitted to log in.
-Second, if
-.Pa .rhosts
+the same on both sides, or if the files
+.Pa $HOME/.rhosts
or
-.Pa .shosts
-exists in the user's home directory on the
-remote machine and contains a line containing the name of the client
+.Pa $HOME/.shosts
+exist in the user's home directory on the
+remote machine and contain a line containing the name of the client
machine and the name of the user on that machine, the user is
-permitted to log in.
-This form of authentication alone is normally not
-allowed by the server because it is not secure.
-.Pp
-The second authentication method is the
-.Em rhosts
-or
-.Em hosts.equiv
-method combined with RSA-based host authentication.
-It means that if the login would be permitted by
-.Pa $HOME/.rhosts ,
-.Pa $HOME/.shosts ,
-.Pa /etc/hosts.equiv ,
-or
-.Pa /etc/shosts.equiv ,
-and if additionally the server can verify the client's
+considered for log in.
+Additionally, if the server can verify the client's
host key (see
.Pa /etc/ssh/ssh_known_hosts
and
@@ -147,7 +137,7 @@ spoofing, DNS spoofing and routing spoofing.
and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
-As a third authentication method,
+As a second authentication method,
.Nm
supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
@@ -195,9 +185,6 @@ file corresponds to the conventional
file, and has one key
per line, though the lines can be very long).
After this, the user can log in without giving the password.
-RSA authentication is much more secure than
-.Em rhosts
-authentication.
.Pp
The most convenient way to use RSA authentication may be with an
authentication agent.
@@ -1012,7 +999,9 @@ By default
is not setuid root.
.It Pa $HOME/.rhosts
This file is used in
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
authentication to list the
host/user pairs that are permitted to log in.
(Note that this file is
@@ -1031,12 +1020,10 @@ The recommended
permission for most machines is read/write for the user, and not
accessible by others.
.Pp
-Note that by default
+Note that
.Xr sshd 8
-will be installed so that it requires successful RSA host
-authentication before permitting
-.Em rhosts
-authentication.
+allows authentication only in combination with client host key
+authentication before permitting log in.
If the server machine does not have the client's host key in
.Pa /etc/ssh/ssh_known_hosts ,
it can be stored in
@@ -1049,15 +1036,19 @@ will automatically add the host key to
This file is used exactly the same way as
.Pa .rhosts .
The purpose for
-having this file is to be able to use rhosts authentication with
-.Nm
-without permitting login with
+having this file is to be able to use
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+authentication without permitting login with
.Xr rlogin
or
.Xr rsh 1 .
.It Pa /etc/hosts.equiv
This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
authentication.
It contains
canonical hosts names, one per line (the full format is described in the
@@ -1066,8 +1057,7 @@ manual page).
If the client host is found in this file, login is
automatically permitted provided client and server user names are the
same.
-Additionally, successful RSA host authentication is normally
-required.
+Additionally, successful client host key authentication is required.
This file should only be writable by root.
.It Pa /etc/shosts.equiv
This file is processed exactly as
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index d019ccb5bb8..b2ec23741bd 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.202 2004/08/26 16:00:55 markus Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -106,16 +106,10 @@ to use from those offered by the server.
Next, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
.Em rhosts
-authentication,
-.Em rhosts
authentication combined with RSA host
authentication, RSA challenge-response authentication, or password
based authentication.
.Pp
-.Em rhosts
-authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.
System security is not improved unless
.Nm rshd ,
.Nm rlogind ,
@@ -647,7 +641,11 @@ Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
.It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+and contains host-username pairs, separated by a space, one per
line.
The given user on the corresponding host is permitted to log in
without a password.
@@ -668,7 +666,9 @@ However, this file is
not used by rlogin and rshd, so using this permits access using SSH only.
.It Pa /etc/hosts.equiv
This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
authentication.
In the simplest form, this file contains host names, one per line.
Users on
@@ -687,7 +687,7 @@ Negated entries start with
If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
This file must be writable only by root; it is recommended
that it be world-readable.
.Pp
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-17 01:06:07 +0000