version 1.153.2.4, 2002/03/08 15:17:18 |
version 1.153.2.5, 2002/05/17 00:03:24 |
|
|
because it is fundamentally insecure, but can be enabled in the server |
because it is fundamentally insecure, but can be enabled in the server |
configuration file if desired. |
configuration file if desired. |
System security is not improved unless |
System security is not improved unless |
.Xr rshd 8 , |
.Nm rshd , |
.Xr rlogind 8 , |
.Nm rlogind , |
and |
and |
.Xr rexecd 8 |
.Xr rexecd |
are disabled (thus completely disabling |
are disabled (thus completely disabling |
.Xr rlogin 1 |
.Xr rlogin |
and |
and |
.Xr rsh 1 |
.Xr rsh |
into the machine). |
into the machine). |
.Pp |
.Pp |
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
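Review bot: The cross-references in this hunk lose their manual sections inconsistently: rshd and rlogind become `.Nm`, while rexecd, rlogin and rsh stay `.Xr` but drop the `8` and `1` arguments, so they render differently from every other cross-reference on the page (e.g. `.Xr login 1` and `.Xr xauth 1` further down). Either keep `.Xr rshd 8 ,` / `.Xr rexecd 8` / `.Xr rlogin 1` throughout or use `.Nm` for all five; an `.Xr` with no section argument renders without the parenthesised section that tells the reader which page to consult.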
|
|
.It Cm AFSTokenPassing |
.It Cm AFSTokenPassing |
Specifies whether an AFS token may be forwarded to the server. |
Specifies whether an AFS token may be forwarded to the server. |
Default is |
Default is |
.Dq yes . |
.Dq no . |
.It Cm AllowGroups |
.It Cm AllowGroups |
This keyword can be followed by a list of group name patterns, separated |
This keyword can be followed by a list of group name patterns, separated |
by spaces. |
by spaces. |
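Review bot: Flipping the AFSTokenPassing default from `yes` to `no` is a behaviour change for existing installations, not a documentation fix, so confirm the server's compiled-in default matches the new text and that the change is called out in the release notes; sites relying on forwarded AFS tokens will otherwise lose them silently until they set `AFSTokenPassing yes` explicitly. The more restrictive default is the right direction; the point is only that page and code must agree.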
|
|
The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
authentication is allowed. |
authentication is allowed. |
This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
|
By default, no banner is displayed. |
.Pp |
.Pp |
.It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
Specifies whether challenge response authentication is allowed. |
Specifies whether challenge response authentication is allowed. |
|
|
To use this option, the server needs a |
To use this option, the server needs a |
Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
Default is |
Default is |
.Dq yes . |
.Dq no . |
.It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
If set then if password authentication through Kerberos fails then |
If set then if password authentication through Kerberos fails then |
the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
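Review bot: The Kerberos default flips from `yes` to `no` in this hunk as well, so the same check applies as for AFSTokenPassing: the built-in default and the release notes must agree with the page. While this paragraph is being touched, `servtab` (unchanged on both sides) should read `srvtab`, the Kerberos term for the server key file, and the KerberosOrLocalPasswd sentence stacks two `then`s (`If set then if password authentication through Kerberos fails then`); `If set, and password authentication through Kerberos fails, the password ...` reads cleaner.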
|
|
.Xr login 1 |
.Xr login 1 |
does not know how to handle |
does not know how to handle |
.Xr xauth 1 |
.Xr xauth 1 |
cookies. |
cookies. If |
|
.Cm UsePrivilegeSeparation |
|
is specified, it will be disabled after authentication. |
|
.It Cm UsePrivilegeSeparation |
|
Specifies whether |
|
.Nm |
|
separated privileges by creating an unprivileged child process |
|
to deal with incoming network traffic. After successful authentication, |
|
another process will be created that has the privilege of the authenticated |
|
user. The goal of privilege separation is to prevent privilege |
|
escalation by containing any corruption within the unprivileged processes. |
|
The default is |
|
.Dq no . |
.It Cm VerifyReverseMapping |
.It Cm VerifyReverseMapping |
Specifies whether |
Specifies whether |
.Nm |
.Nm |
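Review bot: Two wording problems in the new UsePrivilegeSeparation text: `separated privileges by creating` should be `separates privileges by creating`, and in the UseLogin paragraph above it `it will be disabled after authentication` leaves `it` ambiguous between UseLogin and privilege separation. Say `privilege separation will be disabled after authentication` explicitly, since that loss of containment is exactly what an administrator enabling UseLogin needs to see. The stated goal (containing any corruption within the unprivileged process) is the right thing to document.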
|
|
.Pa id_rsa.pub |
.Pa id_rsa.pub |
file and edit it. |
file and edit it. |
.Pp |
.Pp |
|
.Nm |
|
enforces a minimum RSA key modulus size for protocol 1 |
|
and protocol 2 keys of 768 bits. |
|
.Pp |
The options (if present) consist of comma-separated option |
The options (if present) consist of comma-separated option |
specifications. |
specifications. |
No spaces are permitted, except within double quotes. |
No spaces are permitted, except within double quotes. |
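Review bot: The new sentence on the 768-bit minimum RSA modulus states the policy but not its effect. Say what happens to a smaller key (that it is refused for authentication, and what the server logs) so an administrator can recognise the symptom when an older, short key suddenly stops working after the upgrade rather than hunting for a configuration error.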
|
|
.It Pa $HOME/.ssh/rc |
.It Pa $HOME/.ssh/rc |
If this file exists, it is run with /bin/sh after reading the |
If this file exists, it is run with /bin/sh after reading the |
environment files but before starting the user's shell or command. |
environment files but before starting the user's shell or command. |
If X11 spoofing is in use, this will receive the "proto cookie" pair in |
It must not produce any output on stdout; stderr must be used |
standard input (and |
instead. |
|
If X11 forwarding is in use, it will receive the "proto cookie" pair in |
|
its standard input (and |
.Ev DISPLAY |
.Ev DISPLAY |
in environment). |
in its environment). |
This must call |
The script must call |
.Xr xauth 1 |
.Xr xauth 1 |
in that case. |
because |
|
.Nm |
|
will not run xauth automatically to add X11 cookies. |
.Pp |
.Pp |
The primary purpose of this file is to run any initialization routines |
The primary purpose of this file is to run any initialization routines |
which may be needed before the user's home directory becomes |
which may be needed before the user's home directory becomes |
|
|
This file will probably contain some initialization code followed by |
This file will probably contain some initialization code followed by |
something similar to: |
something similar to: |
.Bd -literal |
.Bd -literal |
if read proto cookie; then |
if read proto cookie && [ -n "$DISPLAY" ]; then |
echo add $DISPLAY $proto $cookie | xauth -q - |
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
|
# X11UseLocalhost=yes |
|
xauth add unix:`echo $DISPLAY | |
|
cut -c11-` $proto $cookie |
|
else |
|
# X11UseLocalhost=no |
|
xauth add $DISPLAY $proto $cookie |
fi |
fi |
|
fi |
.Ed |
.Ed |
.Pp |
.Pp |
If this file does not exist, |
If this file does not exist, |
.Pa /etc/sshrc |
.Pa /etc/sshrc |
is run, and if that |
is run, and if that |
does not exist either, xauth is used to store the cookie. |
does not exist either, xauth is used to add the cookie. |
.Pp |
.Pp |
This file should be writable only by the user, and need not be |
This file should be writable only by the user, and need not be |
readable by anyone else. |
readable by anyone else. |
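Review bot: The replacement sshrc script in this hunk passes the cookie on the xauth command line (`xauth add ... $proto $cookie`), whereas the version it replaces fed it through standard input (`echo add $DISPLAY $proto $cookie | xauth -q -`); a command-line argument is visible to any local user listing processes while xauth runs, so the stdin form should be kept and can carry the new localhost handling, e.g. `xdisp=unix:\`echo "$DISPLAY" | cut -c11-\`` followed by `echo add $xdisp $proto $cookie | xauth -q -`. Two smaller points: `$DISPLAY` is unquoted inside the backticks (`echo $DISPLAY | cut -c1-10`), and dropping `-q` lets xauth emit its non-fatal status notices, which sits badly next to the new sentence that the script must not produce output on stdout. The change from `X11 spoofing` to `X11 forwarding` in the prose is correct and welcome.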
|
|
created OpenSSH. |
created OpenSSH. |
Markus Friedl contributed the support for SSH |
Markus Friedl contributed the support for SSH |
protocol versions 1.5 and 2.0. |
protocol versions 1.5 and 2.0. |
|
Niels Provos and Markus Friedl contributed support |
|
for privilege separation. |
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr scp 1 , |
.Xr scp 1 , |
.Xr sftp 1 , |
.Xr sftp 1 , |
|
|
.%A T. Rinne |
.%A T. Rinne |
.%A S. Lehtinen |
.%A S. Lehtinen |
.%T "SSH Protocol Architecture" |
.%T "SSH Protocol Architecture" |
.%N draft-ietf-secsh-architecture-09.txt |
.%N draft-ietf-secsh-architecture-12.txt |
.%D July 2001 |
.%D January 2002 |
.%O work in progress material |
.%O work in progress material |
.Re |
.Re |
.Rs |
.Rs |
|
|
.%A N. Provos |
.%A N. Provos |
.%A W. A. Simpson |
.%A W. A. Simpson |
.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" |
.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" |
.%N draft-ietf-secsh-dh-group-exchange-01.txt |
.%N draft-ietf-secsh-dh-group-exchange-02.txt |
.%D April 2001 |
.%D January 2002 |
.%O work in progress material |
.%O work in progress material |
.Re |
.Re |