Annotation of src/usr.bin/ssh/ssh-keysign.8, Revision 1.17
1.17 ! naddy 1: .\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $
1.1 markus 2: .\"
3: .\" Copyright (c) 2002 Markus Friedl. All rights reserved.
4: .\"
5: .\" Redistribution and use in source and binary forms, with or without
6: .\" modification, are permitted provided that the following conditions
7: .\" are met:
8: .\" 1. Redistributions of source code must retain the above copyright
9: .\" notice, this list of conditions and the following disclaimer.
10: .\" 2. Redistributions in binary form must reproduce the above copyright
11: .\" notice, this list of conditions and the following disclaimer in the
12: .\" documentation and/or other materials provided with the distribution.
13: .\"
14: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24: .\"
1.17 ! naddy 25: .Dd $Mdocdate: November 30 2019 $
1.1 markus 26: .Dt SSH-KEYSIGN 8
27: .Os
28: .Sh NAME
29: .Nm ssh-keysign
1.16 jmc 30: .Nd OpenSSH helper for host-based authentication
1.1 markus 31: .Sh SYNOPSIS
1.2 stevesk 32: .Nm
1.1 markus 33: .Sh DESCRIPTION
34: .Nm
35: is used by
36: .Xr ssh 1
1.2 stevesk 37: to access the local host keys and generate the digital signature
1.15 jmc 38: required during host-based authentication.
1.3 markus 39: .Pp
40: .Nm
41: is disabled by default and can only be enabled in the
1.5 stevesk 42: global client configuration file
1.3 markus 43: .Pa /etc/ssh/ssh_config
44: by setting
1.4 markus 45: .Cm EnableSSHKeysign
1.3 markus 46: to
47: .Dq yes .
48: .Pp
1.1 markus 49: .Nm
50: is not intended to be invoked by the user, but from
51: .Xr ssh 1 .
52: See
53: .Xr ssh 1
54: and
55: .Xr sshd 8
1.8 jmc 56: for more information about host-based authentication.
1.2 stevesk 57: .Sh FILES
1.11 jmc 58: .Bl -tag -width Ds -compact
1.3 markus 59: .It Pa /etc/ssh/ssh_config
60: Controls whether
61: .Nm
62: is enabled.
1.11 jmc 63: .Pp
64: .It Pa /etc/ssh/ssh_host_dsa_key
1.12 djm 65: .It Pa /etc/ssh/ssh_host_ecdsa_key
1.14 naddy 66: .It Pa /etc/ssh/ssh_host_ed25519_key
1.11 jmc 67: .It Pa /etc/ssh/ssh_host_rsa_key
1.2 stevesk 68: These files contain the private parts of the host keys used to
1.6 jmc 69: generate the digital signature.
70: They should be owned by root, readable only by root, and not
1.2 stevesk 71: accessible to others.
72: Since they are readable only by root,
73: .Nm
1.8 jmc 74: must be set-uid root if host-based authentication is used.
1.11 jmc 75: .Pp
76: .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
1.12 djm 77: .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
1.14 naddy 78: .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
1.11 jmc 79: .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
1.17 ! naddy 80: If these files exist, they are assumed to contain public certificate
1.10 djm 81: information corresponding with the private keys above.
1.2 stevesk 82: .El
1.1 markus 83: .Sh SEE ALSO
84: .Xr ssh 1 ,
1.2 stevesk 85: .Xr ssh-keygen 1 ,
1.3 markus 86: .Xr ssh_config 5 ,
1.1 markus 87: .Xr sshd 8
88: .Sh HISTORY
89: .Nm
90: first appeared in
91: .Ox 3.2 .
1.7 jmc 92: .Sh AUTHORS
1.13 schwarze 93: .An Markus Friedl Aq Mt markus@openbsd.org