| version 1.253, 2010/03/03 22:49:50 |
version 1.254, 2010/03/04 23:19:29 |
|
|
| maintained automatically: whenever the user connects from an unknown host, |
maintained automatically: whenever the user connects from an unknown host, |
| its key is added to the per-user file. |
its key is added to the per-user file. |
| .Pp |
.Pp |
| Each line in these files contains the following fields: hostnames, |
Each line in these files contains the following fields: markers (optional), |
| bits, exponent, modulus, comment. |
hostnames, bits, exponent, modulus, comment. |
| The fields are separated by spaces. |
The fields are separated by spaces. |
| .Pp |
.Pp |
| |
The marker is optional, but if it is present then it must be one of |
| |
.Dq @cert-authority , |
| |
to indicate that the line contains a certification authority (CA) key, |
| |
or |
| |
.Dq @revoked , |
| |
to indicate that the key contained on the line is revoked and must not ever |
| |
be accepted. |
| |
Only one marker should be used on a key line. |
| |
.Pp |
| Hostnames is a comma-separated list of patterns |
Hostnames is a comma-separated list of patterns |
| .Pf ( Ql * |
.Pf ( Ql * |
| and |
and |
|
|
| and empty lines are ignored as comments. |
and empty lines are ignored as comments. |
| .Pp |
.Pp |
| When performing host authentication, authentication is accepted if any |
When performing host authentication, authentication is accepted if any |
| matching line has the proper key. |
matching line has the proper key; either one that matches exactly or, |
| It is thus permissible (but not |
if the server has presented a certificate for authentication, the key |
| |
of the certification authority that signed the certificate. |
| |
For a key to be trusted as a certification authority, it must use the |
| |
.Dq @cert-authority |
| |
marker described above. |
| |
.Pp |
| |
The known hosts file also provides a facility to mark keys as revoked, |
| |
for example when it is known that the associated private key has been |
| |
stolen. |
| |
Revoked keys are specified by including the |
| |
.Dq @revoked |
| |
marker at the beginning of the key line, and are never accepted for |
| |
authentication or as certification authorities, but instead will |
| |
produce a warning from |
| |
.Xr ssh 1 |
| |
when they are encountered. |
| |
.Pp |
| |
It is permissible (but not |
| recommended) to have several lines or different host keys for the same |
recommended) to have several lines or different host keys for the same |
| names. |
names. |
| This will inevitably happen when short forms of host names |
This will inevitably happen when short forms of host names |
|
|
| .Pp |
.Pp |
| Note that the lines in these files are typically hundreds of characters |
Note that the lines in these files are typically hundreds of characters |
| long, and you definitely don't want to type in the host keys by hand. |
long, and you definitely don't want to type in the host keys by hand. |
| Rather, generate them by a script |
Rather, generate them by a script, |
| |
.Xr ssh-keyscan 1 |
| or by taking |
or by taking |
| .Pa /etc/ssh/ssh_host_key.pub |
.Pa /etc/ssh/ssh_host_key.pub |
| and adding the host names at the front. |
and adding the host names at the front. |
| |
.Xr ssh-keygen 1 |
| |
also offers some basic automated editing for |
| |
.Pa ~/.ssh/known_hosts |
| |
including removing hosts matching a host name and converting all host |
| |
names to their hashed representations. |
| .Pp |
.Pp |
| An example ssh_known_hosts file: |
An example ssh_known_hosts file: |
| .Bd -literal -offset 3n |
.Bd -literal -offset 3n |
|
|
| # A hashed hostname |
# A hashed hostname |
| |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
| AAAA1234.....= |
AAAA1234.....= |
| |
# A revoked key |
| |
@revoked * ssh-rsa AAAAB5W... |
| |
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org |
| |
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W... |
| .Ed |
.Ed |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds -compact |
.Bl -tag -width Ds -compact |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh