| version 1.200.2.2, 2005/03/10 17:15:05 |
version 1.201, 2004/05/02 11:54:31 |
|
|
| Next, the server and the client enter an authentication dialog. |
Next, the server and the client enter an authentication dialog. |
| The client tries to authenticate itself using |
The client tries to authenticate itself using |
| .Em rhosts |
.Em rhosts |
| |
authentication, |
| |
.Em rhosts |
| authentication combined with RSA host |
authentication combined with RSA host |
| authentication, RSA challenge-response authentication, or password |
authentication, RSA challenge-response authentication, or password |
| based authentication. |
based authentication. |
| .Pp |
.Pp |
| |
.Em rhosts |
| |
authentication is normally disabled |
| |
because it is fundamentally insecure, but can be enabled in the server |
| |
configuration file if desired. |
| System security is not improved unless |
System security is not improved unless |
| .Nm rshd , |
.Nm rshd , |
| .Nm rlogind , |
.Nm rlogind , |
|
|
| .Dq ssh-rsa . |
.Dq ssh-rsa . |
| .Pp |
.Pp |
| Note that lines in this file are usually several hundred bytes long |
Note that lines in this file are usually several hundred bytes long |
| (because of the size of the public key encoding) up to a limit of |
(because of the size of the public key encoding). |
| 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA |
|
| keys up to 16 kilobits. |
|
| You don't want to type them in; instead, copy the |
You don't want to type them in; instead, copy the |
| .Pa identity.pub , |
.Pa identity.pub , |
| .Pa id_dsa.pub |
.Pa id_dsa.pub |
|
|
| pattern, it is not accepted (by that line) even if it matched another |
pattern, it is not accepted (by that line) even if it matched another |
| pattern on the line. |
pattern on the line. |
| .Pp |
.Pp |
| Alternately, hostnames may be stored in a hashed form which hides host names |
|
| and addresses should the file's contents be disclosed. |
|
| Hashed hostnames start with a |
|
| .Ql | |
|
| character. |
|
| Only one hashed hostname may appear on a single line and none of the above |
|
| negation or wildcard operators may be applied. |
|
| .Pp |
|
| Bits, exponent, and modulus are taken directly from the RSA host key; they |
Bits, exponent, and modulus are taken directly from the RSA host key; they |
| can be obtained, e.g., from |
can be obtained, e.g., from |
| .Pa /etc/ssh/ssh_host_key.pub . |
.Pa /etc/ssh/ssh_host_key.pub . |
|
|
| closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
| cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
| .Ed |
.Ed |
| .Bd -literal |
|
| # A hashed hostname |
|
| |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
|
| AAAA1234.....= |
|
| .Ed |
|
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
|
|
| should be world-readable, and |
should be world-readable, and |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| can, but need not be, world-readable. |
can, but need not be, world-readable. |
| .It Pa /etc/motd |
|
| See |
|
| .Xr motd 5 . |
|
| .It Pa $HOME/.hushlogin |
|
| This file is used to suppress printing the last login time and |
|
| .Pa /etc/motd , |
|
| if |
|
| .Cm PrintLastLog |
|
| and |
|
| .Cm PrintMotd , |
|
| respectively, |
|
| are enabled. |
|
| It does not suppress printing of the banner specified by |
|
| .Cm Banner . |
|
| .It Pa /etc/nologin |
.It Pa /etc/nologin |
| If this file exists, |
If this file exists, |
| .Nm |
.Nm |
|
|
| Further details are described in |
Further details are described in |
| .Xr hosts_access 5 . |
.Xr hosts_access 5 . |
| .It Pa $HOME/.rhosts |
.It Pa $HOME/.rhosts |
| This file is used during |
This file contains host-username pairs, separated by a space, one per |
| .Cm RhostsRSAAuthentication |
|
| and |
|
| .Cm HostbasedAuthentication |
|
| and contains host-username pairs, separated by a space, one per |
|
| line. |
line. |
| The given user on the corresponding host is permitted to log in |
The given user on the corresponding host is permitted to log in |
| without a password. |
without a password. |
|
|
| not used by rlogin and rshd, so using this permits access using SSH only. |
not used by rlogin and rshd, so using this permits access using SSH only. |
| .It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
| This file is used during |
This file is used during |
| .Cm RhostsRSAAuthentication |
.Em rhosts |
| and |
|
| .Cm HostbasedAuthentication |
|
| authentication. |
authentication. |
| In the simplest form, this file contains host names, one per line. |
In the simplest form, this file contains host names, one per line. |
| Users on |
Users on |
|
|
| If the client host/user is successfully matched in this file, login is |
If the client host/user is successfully matched in this file, login is |
| automatically permitted provided the client and server user names are the |
automatically permitted provided the client and server user names are the |
| same. |
same. |
| Additionally, successful client host key authentication is required. |
Additionally, successful RSA host authentication is normally required. |
| This file must be writable only by root; it is recommended |
This file must be writable only by root; it is recommended |
| that it be world-readable. |
that it be world-readable. |
| .Pp |
.Pp |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh