=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v retrieving revision 1.176 retrieving revision 1.176.2.6 diff -u -r1.176 -r1.176.2.6 --- src/usr.bin/ssh/sshd.8 2002/04/05 20:56:21 1.176 +++ src/usr.bin/ssh/sshd.8 2003/04/03 22:35:18 1.176.2.6 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.176 2002/04/05 20:56:21 stevesk Exp $ +.\" $OpenBSD: sshd.8,v 1.176.2.6 2003/04/03 22:35:18 miod Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -43,6 +43,7 @@ .Nd OpenSSH SSH daemon .Sh SYNOPSIS .Nm sshd +.Bk -words .Op Fl deiqtD46 .Op Fl b Ar bits .Op Fl f Ar config_file @@ -52,6 +53,7 @@ .Op Fl o Ar option .Op Fl p Ar port .Op Fl u Ar len +.Ek .Sh DESCRIPTION .Nm (SSH Daemon) is the daemon program for @@ -75,7 +77,7 @@ .Nm supports both SSH protocol version 1 and 2 simultaneously. .Nm -works as follows. +works as follows: .Pp .Ss SSH protocol version 1 .Pp @@ -86,7 +88,7 @@ This key is normally regenerated every hour if it has been used, and is never stored on disk. .Pp -Whenever a client connects the daemon responds with its public +Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. @@ -116,14 +118,14 @@ because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless -.Xr rshd 8 , -.Xr rlogind 8 , +.Nm rshd , +.Nm rlogind , and -.Xr rexecd 8 +.Nm rexecd are disabled (thus completely disabling -.Xr rlogin 1 +.Xr rlogin and -.Xr rsh 1 +.Xr rsh into the machine). .Pp .Ss SSH protocol version 2 @@ -189,7 +191,9 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. -Multiple -d options increase the debugging level. +Multiple +.Fl d +options increase the debugging level. Maximum is 3. .It Fl e When this option is specified, @@ -203,7 +207,7 @@ refuses to start if there is no configuration file. .It Fl g Ar login_grace_time Gives the grace time for clients to authenticate themselves (default -600 seconds). +120 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. @@ -225,7 +229,8 @@ .It Fl i Specifies that .Nm -is being run from inetd. +is being run from +.Xr inetd 8 . .Nm is normally not run from inetd because it needs to generate the server key before it can @@ -282,7 +287,7 @@ .Pa utmp file. .Fl u0 -is also be used to prevent +may also be used to prevent .Nm from making DNS requests unless the authentication mechanism or configuration requires it. @@ -320,630 +325,8 @@ (or the file specified with .Fl f on the command line). -The file contains keyword-argument pairs, one per line. -Lines starting with -.Ql # -and empty lines are interpreted as comments. -.Pp -The possible -keywords and their meanings are as follows (note that -keywords are case-insensitive and arguments are case-sensitive): -.Bl -tag -width Ds -.It Cm AFSTokenPassing -Specifies whether an AFS token may be forwarded to the server. -Default is -.Dq yes . -.It Cm AllowGroups -This keyword can be followed by a list of group name patterns, separated -by spaces. -If specified, login is allowed only for users whose primary -group or supplementary group list matches one of the patterns. -.Ql \&* -and -.Ql ? -can be used as -wildcards in the patterns. -Only group names are valid; a numerical group ID is not recognized. -By default, login is allowed for all groups. -.Pp -.It Cm AllowTcpForwarding -Specifies whether TCP forwarding is permitted. -The default is -.Dq yes . -Note that disabling TCP forwarding does not improve security unless -users are also denied shell access, as they can always install their -own forwarders. -.Pp -.It Cm AllowUsers -This keyword can be followed by a list of user name patterns, separated -by spaces. -If specified, login is allowed only for users names that -match one of the patterns. -.Ql \&* -and -.Ql ? -can be used as -wildcards in the patterns. -Only user names are valid; a numerical user ID is not recognized. -By default, login is allowed for all users. -If the pattern takes the form USER@HOST then USER and HOST -are separately checked, restricting logins to particular -users from particular hosts. -.Pp -.It Cm AuthorizedKeysFile -Specifies the file that contains the public keys that can be used -for user authentication. -.Cm AuthorizedKeysFile -may contain tokens of the form %T which are substituted during connection -set-up. The following tokens are defined: %% is replaced by a literal '%', -%h is replaced by the home directory of the user being authenticated and -%u is replaced by the username of that user. -After expansion, -.Cm AuthorizedKeysFile -is taken to be an absolute path or one relative to the user's home -directory. -The default is -.Dq .ssh/authorized_keys . -.It Cm Banner -In some jurisdictions, sending a warning message before authentication -may be relevant for getting legal protection. -The contents of the specified file are sent to the remote user before -authentication is allowed. -This option is only available for protocol version 2. -By default, no banner is displayed. -.Pp -.It Cm ChallengeResponseAuthentication -Specifies whether challenge response authentication is allowed. -All authentication styles from -.Xr login.conf 5 -are supported. -The default is -.Dq yes . -.It Cm Ciphers -Specifies the ciphers allowed for protocol version 2. -Multiple ciphers must be comma-separated. -The default is -.Pp -.Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, - aes192-cbc,aes256-cbc'' -.Ed -.It Cm ClientAliveInterval -Sets a timeout interval in seconds after which if no data has been received -from the client, -.Nm -will send a message through the encrypted -channel to request a response from the client. -The default -is 0, indicating that these messages will not be sent to the client. -This option applies to protocol version 2 only. -.It Cm ClientAliveCountMax -Sets the number of client alive messages (see above) which may be -sent without -.Nm -receiving any messages back from the client. If this threshold is -reached while client alive messages are being sent, -.Nm -will disconnect the client, terminating the session. It is important -to note that the use of client alive messages is very different from -.Cm KeepAlive -(below). The client alive messages are sent through the -encrypted channel and therefore will not be spoofable. The TCP keepalive -option enabled by -.Cm KeepAlive -is spoofable. The client alive mechanism is valuable when the client or -server depend on knowing when a connection has become inactive. -.Pp -The default value is 3. If -.Cm ClientAliveInterval -(above) is set to 15, and -.Cm ClientAliveCountMax -is left at the default, unresponsive ssh clients -will be disconnected after approximately 45 seconds. -.It Cm DenyGroups -This keyword can be followed by a list of group name patterns, separated -by spaces. -Login is disallowed for users whose primary group or supplementary -group list matches one of the patterns. -.Ql \&* -and -.Ql ? -can be used as -wildcards in the patterns. -Only group names are valid; a numerical group ID is not recognized. -By default, login is allowed for all groups. -.Pp -.It Cm DenyUsers -This keyword can be followed by a list of user name patterns, separated -by spaces. -Login is disallowed for user names that match one of the patterns. -.Ql \&* -and -.Ql ? -can be used as wildcards in the patterns. -Only user names are valid; a numerical user ID is not recognized. -By default, login is allowed for all users. -If the pattern takes the form USER@HOST then USER and HOST -are separately checked, restricting logins to particular -users from particular hosts. -.It Cm GatewayPorts -Specifies whether remote hosts are allowed to connect to ports -forwarded for the client. -By default, -.Nm -binds remote port forwardings to the loopback addresss. This -prevents other remote hosts from connecting to forwarded ports. -.Cm GatewayPorts -can be used to specify that -.Nm -should bind remote port forwardings to the wildcard address, -thus allowing remote hosts to connect to forwarded ports. -The argument must be -.Dq yes -or -.Dq no . -The default is -.Dq no . -.It Cm HostbasedAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together -with successful public key client host authentication is allowed -(hostbased authentication). -This option is similar to -.Cm RhostsRSAAuthentication -and applies to protocol version 2 only. -The default is -.Dq no . -.It Cm HostKey -Specifies a file containing a private host key -used by SSH. -The default is -.Pa /etc/ssh/ssh_host_key -for protocol version 1, and -.Pa /etc/ssh/ssh_host_rsa_key -and -.Pa /etc/ssh/ssh_host_dsa_key -for protocol version 2. -Note that -.Nm -will refuse to use a file if it is group/world-accessible. -It is possible to have multiple host key files. -.Dq rsa1 -keys are used for version 1 and -.Dq dsa -or -.Dq rsa -are used for version 2 of the SSH protocol. -.It Cm IgnoreRhosts -Specifies that -.Pa .rhosts -and -.Pa .shosts -files will not be used in -.Cm RhostsAuthentication , -.Cm RhostsRSAAuthentication -or -.Cm HostbasedAuthentication . -.Pp -.Pa /etc/hosts.equiv -and -.Pa /etc/shosts.equiv -are still used. -The default is -.Dq yes . -.It Cm IgnoreUserKnownHosts -Specifies whether -.Nm -should ignore the user's -.Pa $HOME/.ssh/known_hosts -during -.Cm RhostsRSAAuthentication -or -.Cm HostbasedAuthentication . -The default is -.Dq no . -.It Cm KeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -On the other hand, if keepalives are not sent, -sessions may hang indefinitely on the server, leaving -.Dq ghost -users and consuming server resources. -.Pp -The default is -.Dq yes -(to send keepalives), and the server will notice -if the network goes down or the client host crashes. -This avoids infinitely hanging sessions. -.Pp -To disable keepalives, the value should be set to -.Dq no . -.It Cm KerberosAuthentication -Specifies whether Kerberos authentication is allowed. -This can be in the form of a Kerberos ticket, or if -.Cm PasswordAuthentication -is yes, the password provided by the user will be validated through -the Kerberos KDC. -To use this option, the server needs a -Kerberos servtab which allows the verification of the KDC's identity. -Default is -.Dq yes . -.It Cm KerberosOrLocalPasswd -If set then if password authentication through Kerberos fails then -the password will be validated via any additional local mechanism -such as -.Pa /etc/passwd . -Default is -.Dq yes . -.It Cm KerberosTgtPassing -Specifies whether a Kerberos TGT may be forwarded to the server. -Default is -.Dq no , -as this only works when the Kerberos KDC is actually an AFS kaserver. -.It Cm KerberosTicketCleanup -Specifies whether to automatically destroy the user's ticket cache -file on logout. -Default is -.Dq yes . -.It Cm KeyRegenerationInterval -In protocol version 1, the ephemeral server key is automatically regenerated -after this many seconds (if it has been used). -The purpose of regeneration is to prevent -decrypting captured sessions by later breaking into the machine and -stealing the keys. -The key is never stored anywhere. -If the value is 0, the key is never regenerated. -The default is 3600 (seconds). -.It Cm ListenAddress -Specifies the local addresses -.Nm -should listen on. -The following forms may be used: -.Pp -.Bl -item -offset indent -compact -.It -.Cm ListenAddress -.Sm off -.Ar host No | Ar IPv4_addr No | Ar IPv6_addr -.Sm on -.It -.Cm ListenAddress -.Sm off -.Ar host No | Ar IPv4_addr No : Ar port -.Sm on -.It -.Cm ListenAddress -.Sm off -.Oo -.Ar host No | Ar IPv6_addr Oc : Ar port -.Sm on -.El -.Pp -If -.Ar port -is not specified, -.Nm -will listen on the address and all prior -.Cm Port -options specified. The default is to listen on all local -addresses. Multiple -.Cm ListenAddress -options are permitted. Additionally, any -.Cm Port -options must precede this option for non port qualified addresses. -.It Cm LoginGraceTime -The server disconnects after this time if the user has not -successfully logged in. -If the value is 0, there is no time limit. -The default is 600 (seconds). -.It Cm LogLevel -Gives the verbosity level that is used when logging messages from -.Nm sshd . -The possible values are: -QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. -The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 -and DEBUG3 each specify higher levels of debugging output. -Logging with a DEBUG level violates the privacy of users -and is not recommended. -.It Cm MACs -Specifies the available MAC (message authentication code) algorithms. -The MAC algorithm is used in protocol version 2 -for data integrity protection. -Multiple algorithms must be comma-separated. -The default is -.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . -.It Cm MaxStartups -Specifies the maximum number of concurrent unauthenticated connections to the -.Nm -daemon. -Additional connections will be dropped until authentication succeeds or the -.Cm LoginGraceTime -expires for a connection. -The default is 10. -.Pp -Alternatively, random early drop can be enabled by specifying -the three colon separated values -.Dq start:rate:full -(e.g., "10:30:60"). -.Nm -will refuse connection attempts with a probability of -.Dq rate/100 -(30%) -if there are currently -.Dq start -(10) -unauthenticated connections. -The probability increases linearly and all connection attempts -are refused if the number of unauthenticated connections reaches -.Dq full -(60). -.It Cm PasswordAuthentication -Specifies whether password authentication is allowed. -The default is -.Dq yes . -.It Cm PermitEmptyPasswords -When password authentication is allowed, it specifies whether the -server allows login to accounts with empty password strings. -The default is -.Dq no . -.It Cm PermitRootLogin -Specifies whether root can login using -.Xr ssh 1 . -The argument must be -.Dq yes , -.Dq without-password , -.Dq forced-commands-only -or -.Dq no . -The default is -.Dq yes . -.Pp -If this option is set to -.Dq without-password -password authentication is disabled for root. -.Pp -If this option is set to -.Dq forced-commands-only -root login with public key authentication will be allowed, -but only if the -.Ar command -option has been specified -(which may be useful for taking remote backups even if root login is -normally not allowed). All other authentication methods are disabled -for root. -.Pp -If this option is set to -.Dq no -root is not allowed to login. -.It Cm PidFile -Specifies the file that contains the process identifier of the -.Nm -daemon. -The default is -.Pa /var/run/sshd.pid . -.It Cm Port -Specifies the port number that -.Nm -listens on. -The default is 22. -Multiple options of this type are permitted. -See also -.Cm ListenAddress . -.It Cm PrintLastLog -Specifies whether -.Nm -should print the date and time when the user last logged in. -The default is -.Dq yes . -.It Cm PrintMotd -Specifies whether -.Nm -should print -.Pa /etc/motd -when a user logs in interactively. -(On some systems it is also printed by the shell, -.Pa /etc/profile , -or equivalent.) -The default is -.Dq yes . -.It Cm Protocol -Specifies the protocol versions -.Nm -should support. -The possible values are -.Dq 1 -and -.Dq 2 . -Multiple versions must be comma-separated. -The default is -.Dq 2,1 . -.It Cm PubkeyAuthentication -Specifies whether public key authentication is allowed. -The default is -.Dq yes . -Note that this option applies to protocol version 2 only. -.It Cm RhostsAuthentication -Specifies whether authentication using rhosts or /etc/hosts.equiv -files is sufficient. -Normally, this method should not be permitted because it is insecure. -.Cm RhostsRSAAuthentication -should be used -instead, because it performs RSA-based host authentication in addition -to normal rhosts or /etc/hosts.equiv authentication. -The default is -.Dq no . -This option applies to protocol version 1 only. -.It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together -with successful RSA host authentication is allowed. -The default is -.Dq no . -This option applies to protocol version 1 only. -.It Cm RSAAuthentication -Specifies whether pure RSA authentication is allowed. -The default is -.Dq yes . -This option applies to protocol version 1 only. -.It Cm ServerKeyBits -Defines the number of bits in the ephemeral protocol version 1 server key. -The minimum value is 512, and the default is 768. -.It Cm StrictModes -Specifies whether -.Nm -should check file modes and ownership of the -user's files and home directory before accepting login. -This is normally desirable because novices sometimes accidentally leave their -directory or files world-writable. -The default is -.Dq yes . -.It Cm Subsystem -Configures an external subsystem (e.g., file transfer daemon). -Arguments should be a subsystem name and a command to execute upon subsystem -request. -The command -.Xr sftp-server 8 -implements the -.Dq sftp -file transfer subsystem. -By default no subsystems are defined. -Note that this option applies to protocol version 2 only. -.It Cm SyslogFacility -Gives the facility code that is used when logging messages from -.Nm sshd . -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, -LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. -The default is AUTH. -.It Cm UseLogin -Specifies whether -.Xr login 1 -is used for interactive login sessions. -The default is -.Dq no . -Note that -.Xr login 1 -is never used for remote command execution. -Note also, that if this is enabled, -.Cm X11Forwarding -will be disabled because -.Xr login 1 -does not know how to handle -.Xr xauth 1 -cookies. If -.Cm UsePrivilegeSeparation -is specified, it will be disabled after authentication. -.It Cm UsePrivilegeSeparation -Specifies whether -.Nm -separated privileges by creating an unprivileged child process -to deal with incoming network traffic. After successful authentication, -another process will be created that has the privilege of the authenticated -user. The goal of privilege separation is to prevent privilege -escalation by containing any corruption within the unprivileged processes. -The default is -.Dq no . -.It Cm VerifyReverseMapping -Specifies whether -.Nm -should try to verify the remote host name and check that -the resolved host name for the remote IP address maps back to the -very same IP address. -The default is -.Dq no . -.It Cm X11DisplayOffset -Specifies the first display number available for -.Nm sshd Ns 's -X11 forwarding. -This prevents -.Nm -from interfering with real X11 servers. -The default is 10. -.It Cm X11Forwarding -Specifies whether X11 forwarding is permitted. -The default is -.Dq no . -Note that disabling X11 forwarding does not improve security in any -way, as users can always install their own forwarders. -X11 forwarding is automatically disabled if -.Cm UseLogin -is enabled. -.It Cm X11UseLocalhost -Specifies whether -.Nm -should bind the X11 forwarding server to the loopback address or to -the wildcard address. By default, -.Nm -binds the forwarding server to the loopback address and sets the -hostname part of the -.Ev DISPLAY -environment variable to -.Dq localhost . -This prevents remote hosts from connecting to the fake display. -However, some older X11 clients may not function with this -configuration. -.Cm X11UseLocalhost -may be set to -.Dq no -to specify that the forwarding server should be bound to the wildcard -address. -The argument must be -.Dq yes -or -.Dq no . -The default is -.Dq yes . -.It Cm XAuthLocation -Specifies the location of the -.Xr xauth 1 -program. -The default is -.Pa /usr/X11R6/bin/xauth . -.El -.Ss Time Formats -.Pp -.Nm -command-line arguments and configuration file options that specify time -may be expressed using a sequence of the form: -.Sm off -.Ar time Oo Ar qualifier Oc , -.Sm on -where -.Ar time -is a positive integer value and -.Ar qualifier -is one of the following: -.Pp -.Bl -tag -width Ds -compact -offset indent -.It Cm -seconds -.It Cm s | Cm S -seconds -.It Cm m | Cm M -minutes -.It Cm h | Cm H -hours -.It Cm d | Cm D -days -.It Cm w | Cm W -weeks -.El -.Pp -Each member of the sequence is added together to calculate -the total time value. -.Pp -Time format examples: -.Pp -.Bl -tag -width Ds -compact -offset indent -.It 600 -600 seconds (10 minutes) -.It 10m -10 minutes -.It 1h30m -1 hour 30 minutes (90 minutes) -.El +The file format and configuration options are described in +.Xr sshd_config 5 . .Sh LOGIN PROCESS When a user successfully logs in, .Nm @@ -972,7 +355,11 @@ .It Reads .Pa $HOME/.ssh/environment -if it exists. +if it exists and users are allowed to change their environment. +See the +.Cm PermitUserEnvironment +option in +.Xr sshd_config 5 . .It Changes to user's home directory. .It @@ -1007,9 +394,9 @@ spaces: options, bits, exponent, modulus, comment. Each protocol version 2 public key consists of: options, keytype, base64 encoded key, comment. -The options fields -are optional; its presence is determined by whether the line starts -with a number or not (the option field never starts with a number). +The options field +is optional; its presence is determined by whether the line starts +with a number or not (the options field never starts with a number). The bits, exponent, modulus and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the @@ -1020,7 +407,7 @@ .Dq ssh-rsa . .Pp Note that lines in this file are usually several hundred bytes long -(because of the size of the RSA key modulus). +(because of the size of the public key encoding). You don't want to type them in; instead, copy the .Pa identity.pub , .Pa id_dsa.pub @@ -1039,7 +426,7 @@ that option keywords are case-insensitive): .Bl -tag -width Ds .It Cm from="pattern-list" -Specifies that in addition to RSA authentication, the canonical name +Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns .Pf ( Ql * @@ -1051,7 +438,7 @@ .Ql ! ; if the canonical host name matches a negated pattern, the key is not accepted. The purpose -of this option is to optionally increase security: RSA authentication +of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. @@ -1064,12 +451,12 @@ The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. -If a 8-bit clean channel is required, +If an 8-bit clean channel is required, one must not request a pty or should specify .Cm no-pty . A quote may be included in the command by quoting it with a backslash. This option might be useful -to restrict certain RSA keys to perform just a specific operation. +to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited. @@ -1080,6 +467,10 @@ Environment variables set this way override other default environment values. Multiple options of this type are permitted. +Environment processing is disabled by default and is +controlled via the +.Cm PermitUserEnvironment +option. This option is automatically disabled if .Cm UseLogin is enabled. @@ -1120,7 +511,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. @@ -1179,8 +570,8 @@ .It Pa /etc/ssh/sshd_config Contains configuration data for .Nm sshd . -This file should be writable by root only, but it is recommended -(though not necessary) that it be world-readable. +The file format and configuration options are described in +.Xr sshd_config 5 . .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not @@ -1200,11 +591,20 @@ .Xr ssh-keygen 1 . .It Pa /etc/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". +The file format is described in +.Xr moduli 5 . +.It Pa /var/empty +.Xr chroot 2 +directory used by +.Nm +during privilege separation in the pre-authentication phase. +The directory should not contain any files and must be owned by root +and not group or world-writable. .It Pa /var/run/sshd.pid Contains the process ID of the .Nm listening for connections (if there are several daemons running -concurrently for different ports, this contains the pid of the one +concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable. .It Pa $HOME/.ssh/authorized_keys @@ -1232,7 +632,7 @@ .Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts -can but need not be world-readable. +can, but need not be, world-readable. .It Pa /etc/nologin If this file exists, .Nm @@ -1249,7 +649,7 @@ This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in -without password. +without a password. The same file is used by rlogind and rshd. The file must be writable only by the user; it is recommended that it not be @@ -1313,8 +713,14 @@ and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. +Environment processing is disabled by default and is +controlled via the +.Cm PermitUserEnvironment +option. .It Pa $HOME/.ssh/rc -If this file exists, it is run with /bin/sh after reading the +If this file exists, it is run with +.Pa /bin/sh +after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. @@ -1338,12 +744,12 @@ if read proto cookie && [ -n "$DISPLAY" ]; then if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then # X11UseLocalhost=yes - xauth add unix:`echo $DISPLAY | + echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie else # X11UseLocalhost=no - xauth add $DISPLAY $proto $cookie - fi + echo add $DISPLAY $proto $cookie + fi | xauth -q - fi .Ed .Pp @@ -1381,6 +787,7 @@ .Xr ssh-keygen 1 , .Xr login.conf 5 , .Xr moduli 5 , +.Xr sshd_config 5 , .Xr sftp-server 8 .Rs .%A T. Ylonen