version 1.139.2.2, 2002/03/07 17:37:47 |
version 1.139.2.3, 2002/03/08 15:17:18 |
|
|
.Pa /etc/shosts.equiv , |
.Pa /etc/shosts.equiv , |
and if additionally the server can verify the client's |
and if additionally the server can verify the client's |
host key (see |
host key (see |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
and |
and |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the |
in the |
|
|
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
in the user's home directory. |
in the user's home directory. |
Additionally, the file |
Additionally, the file |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
is automatically checked for known hosts. |
is automatically checked for known hosts. |
Any new hosts are automatically added to the user's file. |
Any new hosts are automatically added to the user's file. |
If a host's identification |
If a host's identification |
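Review bot: The sentence "Additionally, the file .Pa /etc/ssh_known_hosts is automatically checked for known hosts" on the 1.139.2.3 side is only correct if the client built from this branch opens that exact path. If the binary still reads the /etc/ssh/ location, an administrator who follows the page populates a file that is never consulted, and per the next sentence every host is then added to the user's file on first contact with no system-wide key to compare against. Confirm the documented path against the compiled-in default before committing, and make the same check for the other places this revision repeats the path.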
|
|
Specifies an alternative per-user configuration file. |
Specifies an alternative per-user configuration file. |
If a configuration file is given on the command line, |
If a configuration file is given on the command line, |
the system-wide configuration file |
the system-wide configuration file |
.Pq Pa /etc/ssh/ssh_config |
.Pq Pa /etc/ssh_config |
will be ignored. |
will be ignored. |
The default for the per-user configuration file is |
The default for the per-user configuration file is |
.Pa $HOME/.ssh/config . |
.Pa $HOME/.ssh/config . |
|
|
command line options, user's configuration file |
command line options, user's configuration file |
.Pq Pa $HOME/.ssh/config , |
.Pq Pa $HOME/.ssh/config , |
and system-wide configuration file |
and system-wide configuration file |
.Pq Pa /etc/ssh/ssh_config . |
.Pq Pa /etc/ssh_config . |
For each parameter, the first obtained value |
For each parameter, the first obtained value |
will be used. |
will be used. |
The configuration files contain sections bracketed by |
The configuration files contain sections bracketed by |
|
|
.It Cm GlobalKnownHostsFile |
.It Cm GlobalKnownHostsFile |
Specifies a file to use for the global |
Specifies a file to use for the global |
host key database instead of |
host key database instead of |
.Pa /etc/ssh/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
.It Cm HostbasedAuthentication |
.It Cm HostbasedAuthentication |
Specifies whether to try rhosts based authentication with public key |
Specifies whether to try rhosts based authentication with public key |
authentication. |
authentication. |
|
|
file, and refuses to connect to hosts whose host key has changed. |
file, and refuses to connect to hosts whose host key has changed. |
This provides maximum protection against trojan horse attacks, |
This provides maximum protection against trojan horse attacks, |
however, can be annoying when the |
however, can be annoying when the |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
file is poorly maintained, or connections to new hosts are |
file is poorly maintained, or connections to new hosts are |
frequently made. |
frequently made. |
This option forces the user to manually |
This option forces the user to manually |
|
|
.It Pa $HOME/.ssh/known_hosts |
.It Pa $HOME/.ssh/known_hosts |
Records host keys for all hosts the user has logged into that are not |
Records host keys for all hosts the user has logged into that are not |
in |
in |
.Pa /etc/ssh/ssh_known_hosts . |
.Pa /etc/ssh_known_hosts . |
See |
See |
.Xr sshd 8 . |
.Xr sshd 8 . |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
.It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa |
|
|
identity files. |
identity files. |
This file is not highly sensitive, but the recommended |
This file is not highly sensitive, but the recommended |
permissions are read/write for the user, and not accessible by others. |
permissions are read/write for the user, and not accessible by others. |
.It Pa /etc/ssh/ssh_known_hosts |
.It Pa /etc/ssh_known_hosts |
Systemwide list of known host keys. |
Systemwide list of known host keys. |
This file should be prepared by the |
This file should be prepared by the |
system administrator to contain the public host keys of all machines in the |
system administrator to contain the public host keys of all machines in the |
|
|
does not convert the user-supplied name to a canonical name before |
does not convert the user-supplied name to a canonical name before |
checking the key, because someone with access to the name servers |
checking the key, because someone with access to the name servers |
would then be able to fool host authentication. |
would then be able to fool host authentication. |
.It Pa /etc/ssh/ssh_config |
.It Pa /etc/ssh_config |
Systemwide configuration file. |
Systemwide configuration file. |
This file provides defaults for those |
This file provides defaults for those |
values that are not specified in the user's configuration file, and |
values that are not specified in the user's configuration file, and |
for those users who do not have a configuration file. |
for those users who do not have a configuration file. |
This file must be world-readable. |
This file must be world-readable. |
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key |
These three files contain the private parts of the host keys |
These three files contain the private parts of the host keys |
and are used for |
and are used for |
.Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
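Review bot: In the ".It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key" line the commas are attached to the path arguments, so mdoc formats them as part of the file names. Since the line is being touched anyway, split the punctuation into separate arguments ("/etc/ssh_host_key ,") the way other .Pa lines in this revision already do, for example ".Pa /etc/shosts.equiv ,".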
|
|
will be installed so that it requires successful RSA host |
will be installed so that it requires successful RSA host |
authentication before permitting \s+2.\s0rhosts authentication. |
authentication before permitting \s+2.\s0rhosts authentication. |
If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh_known_hosts , |
it can be stored in |
it can be stored in |
.Pa $HOME/.ssh/known_hosts . |
.Pa $HOME/.ssh/known_hosts . |
The easiest way to do this is to |
The easiest way to do this is to |
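Review bot: The unchanged sentence "before permitting \s+2.\s0rhosts authentication" still carries a raw troff size escape inside an mdoc page. Mark the file name up as a path, for example ".Pa .rhosts", so it renders like the other file names on the page.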
|
|
This file may be useful to permit logins using |
This file may be useful to permit logins using |
.Nm |
.Nm |
but not using rsh/rlogin. |
but not using rsh/rlogin. |
.It Pa /etc/ssh/sshrc |
.It Pa /etc/sshrc |
Commands in this file are executed by |
Commands in this file are executed by |
.Nm |
.Nm |
when the user logs in just before the user's shell (or command) is started. |
when the user logs in just before the user's shell (or command) is started. |
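Review bot: "Commands in this file are executed by .Nm" under the /etc/sshrc entry attributes execution to the program this page documents, yet the page sends the reader to ".Xr sshd 8" for host key details, which suggests .Nm here is the client. If so, name the server (".Xr sshd 8") as what runs the file at login, so that an administrator auditing a file that executes on every login consults the right program's documentation.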