| version 1.153.2.4, 2002/03/08 15:17:18 |
version 1.153.2.5, 2002/05/17 00:03:24 |
|
|
| because it is fundamentally insecure, but can be enabled in the server |
because it is fundamentally insecure, but can be enabled in the server |
| configuration file if desired. |
configuration file if desired. |
| System security is not improved unless |
System security is not improved unless |
| .Xr rshd 8 , |
.Nm rshd , |
| .Xr rlogind 8 , |
.Nm rlogind , |
| and |
and |
| .Xr rexecd 8 |
.Xr rexecd |
| are disabled (thus completely disabling |
are disabled (thus completely disabling |
| .Xr rlogin 1 |
.Xr rlogin |
| and |
and |
| .Xr rsh 1 |
.Xr rsh |
| into the machine). |
into the machine). |
| .Pp |
.Pp |
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
|
|
| .It Cm AFSTokenPassing |
.It Cm AFSTokenPassing |
| Specifies whether an AFS token may be forwarded to the server. |
Specifies whether an AFS token may be forwarded to the server. |
| Default is |
Default is |
| .Dq yes . |
.Dq no . |
| .It Cm AllowGroups |
.It Cm AllowGroups |
| This keyword can be followed by a list of group name patterns, separated |
This keyword can be followed by a list of group name patterns, separated |
| by spaces. |
by spaces. |
|
|
| The contents of the specified file are sent to the remote user before |
The contents of the specified file are sent to the remote user before |
| authentication is allowed. |
authentication is allowed. |
| This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
| |
By default, no banner is displayed. |
| .Pp |
.Pp |
| .It Cm ChallengeResponseAuthentication |
.It Cm ChallengeResponseAuthentication |
| Specifies whether challenge response authentication is allowed. |
Specifies whether challenge response authentication is allowed. |
|
|
| To use this option, the server needs a |
To use this option, the server needs a |
| Kerberos servtab which allows the verification of the KDC's identity. |
Kerberos servtab which allows the verification of the KDC's identity. |
| Default is |
Default is |
| .Dq yes . |
.Dq no . |
| .It Cm KerberosOrLocalPasswd |
.It Cm KerberosOrLocalPasswd |
| If set then if password authentication through Kerberos fails then |
If set then if password authentication through Kerberos fails then |
| the password will be validated via any additional local mechanism |
the password will be validated via any additional local mechanism |
|
|
| .Xr login 1 |
.Xr login 1 |
| does not know how to handle |
does not know how to handle |
| .Xr xauth 1 |
.Xr xauth 1 |
| cookies. |
cookies. If |
| |
.Cm UsePrivilegeSeparation |
| |
is specified, it will be disabled after authentication. |
| |
.It Cm UsePrivilegeSeparation |
| |
Specifies whether |
| |
.Nm |
| |
separated privileges by creating an unprivileged child process |
| |
to deal with incoming network traffic. After successful authentication, |
| |
another process will be created that has the privilege of the authenticated |
| |
user. The goal of privilege separation is to prevent privilege |
| |
escalation by containing any corruption within the unprivileged processes. |
| |
The default is |
| |
.Dq no . |
| .It Cm VerifyReverseMapping |
.It Cm VerifyReverseMapping |
| Specifies whether |
Specifies whether |
| .Nm |
.Nm |
|
|
| .Pa id_rsa.pub |
.Pa id_rsa.pub |
| file and edit it. |
file and edit it. |
| .Pp |
.Pp |
| |
.Nm |
| |
enforces a minimum RSA key modulus size for protocol 1 |
| |
and protocol 2 keys of 768 bits. |
| |
.Pp |
| The options (if present) consist of comma-separated option |
The options (if present) consist of comma-separated option |
| specifications. |
specifications. |
| No spaces are permitted, except within double quotes. |
No spaces are permitted, except within double quotes. |
|
|
| .It Pa $HOME/.ssh/rc |
.It Pa $HOME/.ssh/rc |
| If this file exists, it is run with /bin/sh after reading the |
If this file exists, it is run with /bin/sh after reading the |
| environment files but before starting the user's shell or command. |
environment files but before starting the user's shell or command. |
| If X11 spoofing is in use, this will receive the "proto cookie" pair in |
It must not produce any output on stdout; stderr must be used |
| standard input (and |
instead. |
| |
If X11 forwarding is in use, it will receive the "proto cookie" pair in |
| |
its standard input (and |
| .Ev DISPLAY |
.Ev DISPLAY |
| in environment). |
in its environment). |
| This must call |
The script must call |
| .Xr xauth 1 |
.Xr xauth 1 |
| in that case. |
because |
| |
.Nm |
| |
will not run xauth automatically to add X11 cookies. |
| .Pp |
.Pp |
| The primary purpose of this file is to run any initialization routines |
The primary purpose of this file is to run any initialization routines |
| which may be needed before the user's home directory becomes |
which may be needed before the user's home directory becomes |
|
|
| This file will probably contain some initialization code followed by |
This file will probably contain some initialization code followed by |
| something similar to: |
something similar to: |
| .Bd -literal |
.Bd -literal |
| if read proto cookie; then |
if read proto cookie && [ -n "$DISPLAY" ]; then |
| echo add $DISPLAY $proto $cookie | xauth -q - |
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
| |
# X11UseLocalhost=yes |
| |
xauth add unix:`echo $DISPLAY | |
| |
cut -c11-` $proto $cookie |
| |
else |
| |
# X11UseLocalhost=no |
| |
xauth add $DISPLAY $proto $cookie |
| fi |
fi |
| |
fi |
| .Ed |
.Ed |
| .Pp |
.Pp |
| If this file does not exist, |
If this file does not exist, |
| .Pa /etc/sshrc |
.Pa /etc/sshrc |
| is run, and if that |
is run, and if that |
| does not exist either, xauth is used to store the cookie. |
does not exist either, xauth is used to add the cookie. |
| .Pp |
.Pp |
| This file should be writable only by the user, and need not be |
This file should be writable only by the user, and need not be |
| readable by anyone else. |
readable by anyone else. |
|
|
| created OpenSSH. |
created OpenSSH. |
| Markus Friedl contributed the support for SSH |
Markus Friedl contributed the support for SSH |
| protocol versions 1.5 and 2.0. |
protocol versions 1.5 and 2.0. |
| |
Niels Provos and Markus Friedl contributed support |
| |
for privilege separation. |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr scp 1 , |
.Xr scp 1 , |
| .Xr sftp 1 , |
.Xr sftp 1 , |
|
|
| .%A T. Rinne |
.%A T. Rinne |
| .%A S. Lehtinen |
.%A S. Lehtinen |
| .%T "SSH Protocol Architecture" |
.%T "SSH Protocol Architecture" |
| .%N draft-ietf-secsh-architecture-09.txt |
.%N draft-ietf-secsh-architecture-12.txt |
| .%D July 2001 |
.%D January 2002 |
| .%O work in progress material |
.%O work in progress material |
| .Re |
.Re |
| .Rs |
.Rs |
|
|
| .%A N. Provos |
.%A N. Provos |
| .%A W. A. Simpson |
.%A W. A. Simpson |
| .%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" |
.%T "Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol" |
| .%N draft-ietf-secsh-dh-group-exchange-01.txt |
.%N draft-ietf-secsh-dh-group-exchange-02.txt |
| .%D April 2001 |
.%D January 2002 |
| .%O work in progress material |
.%O work in progress material |
| .Re |
.Re |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh