From 8a3e89d52f81cc7cc5ad41a9dd5ea8f9d5b3e21c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 19 Apr 2013 01:00:11 +0000 Subject: document the requirment that the AuthorizedKeysCommand be owned by root; ok dtucker@ markus@ --- usr.bin/ssh/sshd_config.5 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'usr.bin/ssh/sshd_config.5') diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 459e04270d4..b82fdf9f3a8 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.157 2013/03/07 19:27:25 markus Exp $ -.Dd $Mdocdate: March 7 2013 $ +.\" $OpenBSD: sshd_config.5,v 1.158 2013/04/19 01:00:10 djm Exp $ +.Dd $Mdocdate: April 19 2013 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -202,7 +202,8 @@ The default is not to require multiple authentication; successful completion of a single authentication method is sufficient. .It Cm AuthorizedKeysCommand Specifies a program to be used to look up the user's public keys. -The program will be invoked with a single argument of the username +The program must be owned by root and not writable by group or others. +It will be invoked with a single argument of the username being authenticated, and should produce on standard output zero or more lines of authorized_keys output (see .Sx AUTHORIZED_KEYS -- cgit v1.2.3