version 1.194, 2004/08/12 21:41:13 |
version 1.195, 2004/08/26 16:00:55 |
|
|
.Ar command |
.Ar command |
is executed on the remote host instead of a login shell. |
is executed on the remote host instead of a login shell. |
.Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
First, if the machine the user logs in from is listed in |
The first authentication method is the |
|
.Em rhosts |
|
or |
|
.Em hosts.equiv |
|
method combined with RSA-based host authentication. |
|
If the machine the user logs in from is listed in |
.Pa /etc/hosts.equiv |
.Pa /etc/hosts.equiv |
or |
or |
.Pa /etc/shosts.equiv |
.Pa /etc/shosts.equiv |
on the remote machine, and the user names are |
on the remote machine, and the user names are |
the same on both sides, the user is immediately permitted to log in. |
the same on both sides, or if the files |
Second, if |
.Pa $HOME/.rhosts |
.Pa .rhosts |
|
or |
or |
.Pa .shosts |
.Pa $HOME/.shosts |
exists in the user's home directory on the |
exist in the user's home directory on the |
remote machine and contains a line containing the name of the client |
remote machine and contain a line containing the name of the client |
machine and the name of the user on that machine, the user is |
machine and the name of the user on that machine, the user is |
permitted to log in. |
considered for log in. |
This form of authentication alone is normally not |
Additionally, if the server can verify the client's |
allowed by the server because it is not secure. |
|
.Pp |
|
The second authentication method is the |
|
.Em rhosts |
|
or |
|
.Em hosts.equiv |
|
method combined with RSA-based host authentication. |
|
It means that if the login would be permitted by |
|
.Pa $HOME/.rhosts , |
|
.Pa $HOME/.shosts , |
|
.Pa /etc/hosts.equiv , |
|
or |
|
.Pa /etc/shosts.equiv , |
|
and if additionally the server can verify the client's |
|
host key (see |
host key (see |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
and |
and |
|
|
and the rlogin/rsh protocol in general, are inherently insecure and should be |
and the rlogin/rsh protocol in general, are inherently insecure and should be |
disabled if security is desired.] |
disabled if security is desired.] |
.Pp |
.Pp |
As a third authentication method, |
As a second authentication method, |
.Nm |
.Nm |
supports RSA based authentication. |
supports RSA based authentication. |
The scheme is based on public-key cryptography: there are cryptosystems |
The scheme is based on public-key cryptography: there are cryptosystems |
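Review bot: in the new right-hand text, "the user is considered for log in" (the line replacing "permitted to log in") should read "considered for login", since the noun form is wanted there. More substantively, the old second paragraph stated outright that plain rhosts/hosts.equiv matching "is normally not allowed by the server because it is not secure"; after the merge into a single "rhosts or hosts.equiv method combined with RSA-based host authentication", the reader has to infer from the "Additionally, if the server can verify the client's host key" sentence that a match without a verified client host key is not accepted at all. Consider keeping one explicit sentence to that effect. The renumbering of RSA authentication from "third" to "second" method is consistent with the merge.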
|
|
file, and has one key |
file, and has one key |
per line, though the lines can be very long). |
per line, though the lines can be very long). |
After this, the user can log in without giving the password. |
After this, the user can log in without giving the password. |
RSA authentication is much more secure than |
|
.Em rhosts |
|
authentication. |
|
.Pp |
.Pp |
The most convenient way to use RSA authentication may be with an |
The most convenient way to use RSA authentication may be with an |
authentication agent. |
authentication agent. |
|
|
is not setuid root. |
is not setuid root. |
.It Pa $HOME/.rhosts |
.It Pa $HOME/.rhosts |
This file is used in |
This file is used in |
.Em rhosts |
.Cm RhostsRSAAuthentication |
|
and |
|
.Cm HostbasedAuthentication |
authentication to list the |
authentication to list the |
host/user pairs that are permitted to log in. |
host/user pairs that are permitted to log in. |
(Note that this file is |
(Note that this file is |
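Review bot: .Cm RhostsRSAAuthentication and .Cm HostbasedAuthentication are sshd_config keywords, but this paragraph gives the reader no pointer to where they are documented; add an .Xr sshd_config 5 cross-reference at the first use (the page already uses .Xr for sshd 8 and rsh 1), since a user editing $HOME/.rhosts needs to know that the file only matters when one of those options is enabled on the server.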
|
|
permission for most machines is read/write for the user, and not |
permission for most machines is read/write for the user, and not |
accessible by others. |
accessible by others. |
.Pp |
.Pp |
Note that by default |
Note that |
.Xr sshd 8 |
.Xr sshd 8 |
will be installed so that it requires successful RSA host |
allows authentication only in combination with client host key |
authentication before permitting |
authentication before permitting log in. |
.Em rhosts |
|
authentication. |
|
If the server machine does not have the client's host key in |
If the server machine does not have the client's host key in |
.Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts , |
it can be stored in |
it can be stored in |
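Review bot: the new sentence "allows authentication only in combination with client host key authentication before permitting log in" stacks two conditions ("only in combination with" and "before permitting") and again uses "log in" as a noun; suggest "permits RhostsRSAAuthentication and HostbasedAuthentication only after the client's host key has been verified." Dropping "by default ... will be installed so that it requires" turns a default into an unconditional statement, which is the stronger and better claim if sshd enforces the host key check regardless of configuration; the wording should be kept in line with what the server actually does, since the following lines on /etc/ssh/ssh_known_hosts do not say so.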
|
|
This file is used exactly the same way as |
This file is used exactly the same way as |
.Pa .rhosts . |
.Pa .rhosts . |
The purpose for |
The purpose for |
having this file is to be able to use rhosts authentication with |
having this file is to be able to use |
.Nm |
.Cm RhostsRSAAuthentication |
without permitting login with |
and |
|
.Cm HostbasedAuthentication |
|
authentication without permitting login with |
.Xr rlogin |
.Xr rlogin |
or |
or |
.Xr rsh 1 . |
.Xr rsh 1 . |
.It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
This file is used during |
This file is used during |
.Em rhosts |
.Cm RhostsRSAAuthentication |
|
and |
|
.Cm HostbasedAuthentication |
authentication. |
authentication. |
It contains |
It contains |
canonical hosts names, one per line (the full format is described in the |
canonical hosts names, one per line (the full format is described in the |
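Review bot: the right-hand text reads "use RhostsRSAAuthentication and HostbasedAuthentication authentication without permitting login with", so the word "authentication" after the second keyword is redundant and should be dropped; the /etc/hosts.equiv paragraph in this same region ("used during RhostsRSAAuthentication and HostbasedAuthentication authentication.") has the same duplication, which was natural with ".Em rhosts authentication" but not with keyword names. While here, ".Xr rlogin" in the unchanged context lacks a section number, unlike ".Xr rsh 1 ."; ".Xr rlogin 1" would render consistently.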
|
|
If the client host is found in this file, login is |
If the client host is found in this file, login is |
automatically permitted provided client and server user names are the |
automatically permitted provided client and server user names are the |
same. |
same. |
Additionally, successful RSA host authentication is normally |
Additionally, successful client host key authentication is required. |
required. |
|
This file should only be writable by root. |
This file should only be writable by root. |
.It Pa /etc/shosts.equiv |
.It Pa /etc/shosts.equiv |
This file is processed exactly as |
This file is processed exactly as |
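Review bot: "client host key authentication" is the right generic term here, since HostbasedAuthentication also covers protocol 2 where the client host key is not necessarily RSA, and dropping "normally" makes the requirement unconditional, matching the reworded $HOME/.rhosts paragraph. However, the start of the protocol 1 section in this same diff still introduces the method as "combined with RSA-based host authentication", so the two descriptions now use different names for the same check; use one term throughout, or state at the top that for protocol 1 the host key is an RSA key.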