=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v retrieving revision 1.176.2.6 retrieving revision 1.177 diff -u -r1.176.2.6 -r1.177 --- src/usr.bin/ssh/sshd.8 2003/04/03 22:35:18 1.176.2.6 +++ src/usr.bin/ssh/sshd.8 2002/04/21 16:19:27 1.177 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.176.2.6 2003/04/03 22:35:18 miod Exp $ +.\" $OpenBSD: sshd.8,v 1.177 2002/04/21 16:19:27 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -43,7 +43,6 @@ .Nd OpenSSH SSH daemon .Sh SYNOPSIS .Nm sshd -.Bk -words .Op Fl deiqtD46 .Op Fl b Ar bits .Op Fl f Ar config_file @@ -53,7 +52,6 @@ .Op Fl o Ar option .Op Fl p Ar port .Op Fl u Ar len -.Ek .Sh DESCRIPTION .Nm (SSH Daemon) is the daemon program for @@ -77,7 +75,7 @@ .Nm supports both SSH protocol version 1 and 2 simultaneously. .Nm -works as follows: +works as follows. .Pp .Ss SSH protocol version 1 .Pp @@ -88,7 +86,7 @@ This key is normally regenerated every hour if it has been used, and is never stored on disk. .Pp -Whenever a client connects, the daemon responds with its public +Whenever a client connects the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. @@ -118,14 +116,14 @@ because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless -.Nm rshd , -.Nm rlogind , +.Xr rshd 8 , +.Xr rlogind 8 , and -.Nm rexecd +.Xr rexecd 8 are disabled (thus completely disabling -.Xr rlogin +.Xr rlogin 1 and -.Xr rsh +.Xr rsh 1 into the machine). .Pp .Ss SSH protocol version 2 @@ -191,9 +189,7 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. -Multiple -.Fl d -options increase the debugging level. +Multiple -d options increase the debugging level. Maximum is 3. .It Fl e When this option is specified, @@ -207,7 +203,7 @@ refuses to start if there is no configuration file. .It Fl g Ar login_grace_time Gives the grace time for clients to authenticate themselves (default -120 seconds). +600 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit. @@ -229,8 +225,7 @@ .It Fl i Specifies that .Nm -is being run from -.Xr inetd 8 . +is being run from inetd. .Nm is normally not run from inetd because it needs to generate the server key before it can @@ -287,7 +282,7 @@ .Pa utmp file. .Fl u0 -may also be used to prevent +is also be used to prevent .Nm from making DNS requests unless the authentication mechanism or configuration requires it. @@ -325,8 +320,630 @@ (or the file specified with .Fl f on the command line). -The file format and configuration options are described in -.Xr sshd_config 5 . +The file contains keyword-argument pairs, one per line. +Lines starting with +.Ql # +and empty lines are interpreted as comments. +.Pp +The possible +keywords and their meanings are as follows (note that +keywords are case-insensitive and arguments are case-sensitive): +.Bl -tag -width Ds +.It Cm AFSTokenPassing +Specifies whether an AFS token may be forwarded to the server. +Default is +.Dq no . +.It Cm AllowGroups +This keyword can be followed by a list of group name patterns, separated +by spaces. +If specified, login is allowed only for users whose primary +group or supplementary group list matches one of the patterns. +.Ql \&* +and +.Ql ? +can be used as +wildcards in the patterns. +Only group names are valid; a numerical group ID is not recognized. +By default, login is allowed for all groups. +.Pp +.It Cm AllowTcpForwarding +Specifies whether TCP forwarding is permitted. +The default is +.Dq yes . +Note that disabling TCP forwarding does not improve security unless +users are also denied shell access, as they can always install their +own forwarders. +.Pp +.It Cm AllowUsers +This keyword can be followed by a list of user name patterns, separated +by spaces. +If specified, login is allowed only for users names that +match one of the patterns. +.Ql \&* +and +.Ql ? +can be used as +wildcards in the patterns. +Only user names are valid; a numerical user ID is not recognized. +By default, login is allowed for all users. +If the pattern takes the form USER@HOST then USER and HOST +are separately checked, restricting logins to particular +users from particular hosts. +.Pp +.It Cm AuthorizedKeysFile +Specifies the file that contains the public keys that can be used +for user authentication. +.Cm AuthorizedKeysFile +may contain tokens of the form %T which are substituted during connection +set-up. The following tokens are defined: %% is replaced by a literal '%', +%h is replaced by the home directory of the user being authenticated and +%u is replaced by the username of that user. +After expansion, +.Cm AuthorizedKeysFile +is taken to be an absolute path or one relative to the user's home +directory. +The default is +.Dq .ssh/authorized_keys . +.It Cm Banner +In some jurisdictions, sending a warning message before authentication +may be relevant for getting legal protection. +The contents of the specified file are sent to the remote user before +authentication is allowed. +This option is only available for protocol version 2. +By default, no banner is displayed. +.Pp +.It Cm ChallengeResponseAuthentication +Specifies whether challenge response authentication is allowed. +All authentication styles from +.Xr login.conf 5 +are supported. +The default is +.Dq yes . +.It Cm Ciphers +Specifies the ciphers allowed for protocol version 2. +Multiple ciphers must be comma-separated. +The default is +.Pp +.Bd -literal + ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, + aes192-cbc,aes256-cbc'' +.Ed +.It Cm ClientAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the client, +.Nm +will send a message through the encrypted +channel to request a response from the client. +The default +is 0, indicating that these messages will not be sent to the client. +This option applies to protocol version 2 only. +.It Cm ClientAliveCountMax +Sets the number of client alive messages (see above) which may be +sent without +.Nm +receiving any messages back from the client. If this threshold is +reached while client alive messages are being sent, +.Nm +will disconnect the client, terminating the session. It is important +to note that the use of client alive messages is very different from +.Cm KeepAlive +(below). The client alive messages are sent through the +encrypted channel and therefore will not be spoofable. The TCP keepalive +option enabled by +.Cm KeepAlive +is spoofable. The client alive mechanism is valuable when the client or +server depend on knowing when a connection has become inactive. +.Pp +The default value is 3. If +.Cm ClientAliveInterval +(above) is set to 15, and +.Cm ClientAliveCountMax +is left at the default, unresponsive ssh clients +will be disconnected after approximately 45 seconds. +.It Cm DenyGroups +This keyword can be followed by a list of group name patterns, separated +by spaces. +Login is disallowed for users whose primary group or supplementary +group list matches one of the patterns. +.Ql \&* +and +.Ql ? +can be used as +wildcards in the patterns. +Only group names are valid; a numerical group ID is not recognized. +By default, login is allowed for all groups. +.Pp +.It Cm DenyUsers +This keyword can be followed by a list of user name patterns, separated +by spaces. +Login is disallowed for user names that match one of the patterns. +.Ql \&* +and +.Ql ? +can be used as wildcards in the patterns. +Only user names are valid; a numerical user ID is not recognized. +By default, login is allowed for all users. +If the pattern takes the form USER@HOST then USER and HOST +are separately checked, restricting logins to particular +users from particular hosts. +.It Cm GatewayPorts +Specifies whether remote hosts are allowed to connect to ports +forwarded for the client. +By default, +.Nm +binds remote port forwardings to the loopback addresss. This +prevents other remote hosts from connecting to forwarded ports. +.Cm GatewayPorts +can be used to specify that +.Nm +should bind remote port forwardings to the wildcard address, +thus allowing remote hosts to connect to forwarded ports. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq no . +.It Cm HostbasedAuthentication +Specifies whether rhosts or /etc/hosts.equiv authentication together +with successful public key client host authentication is allowed +(hostbased authentication). +This option is similar to +.Cm RhostsRSAAuthentication +and applies to protocol version 2 only. +The default is +.Dq no . +.It Cm HostKey +Specifies a file containing a private host key +used by SSH. +The default is +.Pa /etc/ssh/ssh_host_key +for protocol version 1, and +.Pa /etc/ssh/ssh_host_rsa_key +and +.Pa /etc/ssh/ssh_host_dsa_key +for protocol version 2. +Note that +.Nm +will refuse to use a file if it is group/world-accessible. +It is possible to have multiple host key files. +.Dq rsa1 +keys are used for version 1 and +.Dq dsa +or +.Dq rsa +are used for version 2 of the SSH protocol. +.It Cm IgnoreRhosts +Specifies that +.Pa .rhosts +and +.Pa .shosts +files will not be used in +.Cm RhostsAuthentication , +.Cm RhostsRSAAuthentication +or +.Cm HostbasedAuthentication . +.Pp +.Pa /etc/hosts.equiv +and +.Pa /etc/shosts.equiv +are still used. +The default is +.Dq yes . +.It Cm IgnoreUserKnownHosts +Specifies whether +.Nm +should ignore the user's +.Pa $HOME/.ssh/known_hosts +during +.Cm RhostsRSAAuthentication +or +.Cm HostbasedAuthentication . +The default is +.Dq no . +.It Cm KeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +On the other hand, if keepalives are not sent, +sessions may hang indefinitely on the server, leaving +.Dq ghost +users and consuming server resources. +.Pp +The default is +.Dq yes +(to send keepalives), and the server will notice +if the network goes down or the client host crashes. +This avoids infinitely hanging sessions. +.Pp +To disable keepalives, the value should be set to +.Dq no . +.It Cm KerberosAuthentication +Specifies whether Kerberos authentication is allowed. +This can be in the form of a Kerberos ticket, or if +.Cm PasswordAuthentication +is yes, the password provided by the user will be validated through +the Kerberos KDC. +To use this option, the server needs a +Kerberos servtab which allows the verification of the KDC's identity. +Default is +.Dq yes . +.It Cm KerberosOrLocalPasswd +If set then if password authentication through Kerberos fails then +the password will be validated via any additional local mechanism +such as +.Pa /etc/passwd . +Default is +.Dq yes . +.It Cm KerberosTgtPassing +Specifies whether a Kerberos TGT may be forwarded to the server. +Default is +.Dq no , +as this only works when the Kerberos KDC is actually an AFS kaserver. +.It Cm KerberosTicketCleanup +Specifies whether to automatically destroy the user's ticket cache +file on logout. +Default is +.Dq yes . +.It Cm KeyRegenerationInterval +In protocol version 1, the ephemeral server key is automatically regenerated +after this many seconds (if it has been used). +The purpose of regeneration is to prevent +decrypting captured sessions by later breaking into the machine and +stealing the keys. +The key is never stored anywhere. +If the value is 0, the key is never regenerated. +The default is 3600 (seconds). +.It Cm ListenAddress +Specifies the local addresses +.Nm +should listen on. +The following forms may be used: +.Pp +.Bl -item -offset indent -compact +.It +.Cm ListenAddress +.Sm off +.Ar host No | Ar IPv4_addr No | Ar IPv6_addr +.Sm on +.It +.Cm ListenAddress +.Sm off +.Ar host No | Ar IPv4_addr No : Ar port +.Sm on +.It +.Cm ListenAddress +.Sm off +.Oo +.Ar host No | Ar IPv6_addr Oc : Ar port +.Sm on +.El +.Pp +If +.Ar port +is not specified, +.Nm +will listen on the address and all prior +.Cm Port +options specified. The default is to listen on all local +addresses. Multiple +.Cm ListenAddress +options are permitted. Additionally, any +.Cm Port +options must precede this option for non port qualified addresses. +.It Cm LoginGraceTime +The server disconnects after this time if the user has not +successfully logged in. +If the value is 0, there is no time limit. +The default is 600 (seconds). +.It Cm LogLevel +Gives the verbosity level that is used when logging messages from +.Nm sshd . +The possible values are: +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. +The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 +and DEBUG3 each specify higher levels of debugging output. +Logging with a DEBUG level violates the privacy of users +and is not recommended. +.It Cm MACs +Specifies the available MAC (message authentication code) algorithms. +The MAC algorithm is used in protocol version 2 +for data integrity protection. +Multiple algorithms must be comma-separated. +The default is +.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm MaxStartups +Specifies the maximum number of concurrent unauthenticated connections to the +.Nm +daemon. +Additional connections will be dropped until authentication succeeds or the +.Cm LoginGraceTime +expires for a connection. +The default is 10. +.Pp +Alternatively, random early drop can be enabled by specifying +the three colon separated values +.Dq start:rate:full +(e.g., "10:30:60"). +.Nm +will refuse connection attempts with a probability of +.Dq rate/100 +(30%) +if there are currently +.Dq start +(10) +unauthenticated connections. +The probability increases linearly and all connection attempts +are refused if the number of unauthenticated connections reaches +.Dq full +(60). +.It Cm PasswordAuthentication +Specifies whether password authentication is allowed. +The default is +.Dq yes . +.It Cm PermitEmptyPasswords +When password authentication is allowed, it specifies whether the +server allows login to accounts with empty password strings. +The default is +.Dq no . +.It Cm PermitRootLogin +Specifies whether root can login using +.Xr ssh 1 . +The argument must be +.Dq yes , +.Dq without-password , +.Dq forced-commands-only +or +.Dq no . +The default is +.Dq yes . +.Pp +If this option is set to +.Dq without-password +password authentication is disabled for root. +.Pp +If this option is set to +.Dq forced-commands-only +root login with public key authentication will be allowed, +but only if the +.Ar command +option has been specified +(which may be useful for taking remote backups even if root login is +normally not allowed). All other authentication methods are disabled +for root. +.Pp +If this option is set to +.Dq no +root is not allowed to login. +.It Cm PidFile +Specifies the file that contains the process identifier of the +.Nm +daemon. +The default is +.Pa /var/run/sshd.pid . +.It Cm Port +Specifies the port number that +.Nm +listens on. +The default is 22. +Multiple options of this type are permitted. +See also +.Cm ListenAddress . +.It Cm PrintLastLog +Specifies whether +.Nm +should print the date and time when the user last logged in. +The default is +.Dq yes . +.It Cm PrintMotd +Specifies whether +.Nm +should print +.Pa /etc/motd +when a user logs in interactively. +(On some systems it is also printed by the shell, +.Pa /etc/profile , +or equivalent.) +The default is +.Dq yes . +.It Cm Protocol +Specifies the protocol versions +.Nm +should support. +The possible values are +.Dq 1 +and +.Dq 2 . +Multiple versions must be comma-separated. +The default is +.Dq 2,1 . +.It Cm PubkeyAuthentication +Specifies whether public key authentication is allowed. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. +.It Cm RhostsAuthentication +Specifies whether authentication using rhosts or /etc/hosts.equiv +files is sufficient. +Normally, this method should not be permitted because it is insecure. +.Cm RhostsRSAAuthentication +should be used +instead, because it performs RSA-based host authentication in addition +to normal rhosts or /etc/hosts.equiv authentication. +The default is +.Dq no . +This option applies to protocol version 1 only. +.It Cm RhostsRSAAuthentication +Specifies whether rhosts or /etc/hosts.equiv authentication together +with successful RSA host authentication is allowed. +The default is +.Dq no . +This option applies to protocol version 1 only. +.It Cm RSAAuthentication +Specifies whether pure RSA authentication is allowed. +The default is +.Dq yes . +This option applies to protocol version 1 only. +.It Cm ServerKeyBits +Defines the number of bits in the ephemeral protocol version 1 server key. +The minimum value is 512, and the default is 768. +.It Cm StrictModes +Specifies whether +.Nm +should check file modes and ownership of the +user's files and home directory before accepting login. +This is normally desirable because novices sometimes accidentally leave their +directory or files world-writable. +The default is +.Dq yes . +.It Cm Subsystem +Configures an external subsystem (e.g., file transfer daemon). +Arguments should be a subsystem name and a command to execute upon subsystem +request. +The command +.Xr sftp-server 8 +implements the +.Dq sftp +file transfer subsystem. +By default no subsystems are defined. +Note that this option applies to protocol version 2 only. +.It Cm SyslogFacility +Gives the facility code that is used when logging messages from +.Nm sshd . +The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, +LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. +The default is AUTH. +.It Cm UseLogin +Specifies whether +.Xr login 1 +is used for interactive login sessions. +The default is +.Dq no . +Note that +.Xr login 1 +is never used for remote command execution. +Note also, that if this is enabled, +.Cm X11Forwarding +will be disabled because +.Xr login 1 +does not know how to handle +.Xr xauth 1 +cookies. If +.Cm UsePrivilegeSeparation +is specified, it will be disabled after authentication. +.It Cm UsePrivilegeSeparation +Specifies whether +.Nm +separated privileges by creating an unprivileged child process +to deal with incoming network traffic. After successful authentication, +another process will be created that has the privilege of the authenticated +user. The goal of privilege separation is to prevent privilege +escalation by containing any corruption within the unprivileged processes. +The default is +.Dq no . +.It Cm VerifyReverseMapping +Specifies whether +.Nm +should try to verify the remote host name and check that +the resolved host name for the remote IP address maps back to the +very same IP address. +The default is +.Dq no . +.It Cm X11DisplayOffset +Specifies the first display number available for +.Nm sshd Ns 's +X11 forwarding. +This prevents +.Nm +from interfering with real X11 servers. +The default is 10. +.It Cm X11Forwarding +Specifies whether X11 forwarding is permitted. +The default is +.Dq no . +Note that disabling X11 forwarding does not improve security in any +way, as users can always install their own forwarders. +X11 forwarding is automatically disabled if +.Cm UseLogin +is enabled. +.It Cm X11UseLocalhost +Specifies whether +.Nm +should bind the X11 forwarding server to the loopback address or to +the wildcard address. By default, +.Nm +binds the forwarding server to the loopback address and sets the +hostname part of the +.Ev DISPLAY +environment variable to +.Dq localhost . +This prevents remote hosts from connecting to the fake display. +However, some older X11 clients may not function with this +configuration. +.Cm X11UseLocalhost +may be set to +.Dq no +to specify that the forwarding server should be bound to the wildcard +address. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq yes . +.It Cm XAuthLocation +Specifies the location of the +.Xr xauth 1 +program. +The default is +.Pa /usr/X11R6/bin/xauth . +.El +.Ss Time Formats +.Pp +.Nm +command-line arguments and configuration file options that specify time +may be expressed using a sequence of the form: +.Sm off +.Ar time Oo Ar qualifier Oc , +.Sm on +where +.Ar time +is a positive integer value and +.Ar qualifier +is one of the following: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It Cm +seconds +.It Cm s | Cm S +seconds +.It Cm m | Cm M +minutes +.It Cm h | Cm H +hours +.It Cm d | Cm D +days +.It Cm w | Cm W +weeks +.El +.Pp +Each member of the sequence is added together to calculate +the total time value. +.Pp +Time format examples: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It 600 +600 seconds (10 minutes) +.It 10m +10 minutes +.It 1h30m +1 hour 30 minutes (90 minutes) +.El .Sh LOGIN PROCESS When a user successfully logs in, .Nm @@ -355,11 +972,7 @@ .It Reads .Pa $HOME/.ssh/environment -if it exists and users are allowed to change their environment. -See the -.Cm PermitUserEnvironment -option in -.Xr sshd_config 5 . +if it exists. .It Changes to user's home directory. .It @@ -394,9 +1007,9 @@ spaces: options, bits, exponent, modulus, comment. Each protocol version 2 public key consists of: options, keytype, base64 encoded key, comment. -The options field -is optional; its presence is determined by whether the line starts -with a number or not (the options field never starts with a number). +The options fields +are optional; its presence is determined by whether the line starts +with a number or not (the option field never starts with a number). The bits, exponent, modulus and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the @@ -407,7 +1020,7 @@ .Dq ssh-rsa . .Pp Note that lines in this file are usually several hundred bytes long -(because of the size of the public key encoding). +(because of the size of the RSA key modulus). You don't want to type them in; instead, copy the .Pa identity.pub , .Pa id_dsa.pub @@ -426,7 +1039,7 @@ that option keywords are case-insensitive): .Bl -tag -width Ds .It Cm from="pattern-list" -Specifies that in addition to public key authentication, the canonical name +Specifies that in addition to RSA authentication, the canonical name of the remote host must be present in the comma-separated list of patterns .Pf ( Ql * @@ -438,7 +1051,7 @@ .Ql ! ; if the canonical host name matches a negated pattern, the key is not accepted. The purpose -of this option is to optionally increase security: public key authentication +of this option is to optionally increase security: RSA authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. @@ -451,12 +1064,12 @@ The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. -If an 8-bit clean channel is required, +If a 8-bit clean channel is required, one must not request a pty or should specify .Cm no-pty . A quote may be included in the command by quoting it with a backslash. This option might be useful -to restrict certain public keys to perform just a specific operation. +to restrict certain RSA keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited. @@ -467,10 +1080,6 @@ Environment variables set this way override other default environment values. Multiple options of this type are permitted. -Environment processing is disabled by default and is -controlled via the -.Cm PermitUserEnvironment -option. This option is automatically disabled if .Cm UseLogin is enabled. @@ -511,7 +1120,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh/ssh_known_hosts +.Pa /etc/ssh/ssh_known_hosts , and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. @@ -570,8 +1179,8 @@ .It Pa /etc/ssh/sshd_config Contains configuration data for .Nm sshd . -The file format and configuration options are described in -.Xr sshd_config 5 . +This file should be writable by root only, but it is recommended +(though not necessary) that it be world-readable. .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not @@ -591,20 +1200,11 @@ .Xr ssh-keygen 1 . .It Pa /etc/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". -The file format is described in -.Xr moduli 5 . -.It Pa /var/empty -.Xr chroot 2 -directory used by -.Nm -during privilege separation in the pre-authentication phase. -The directory should not contain any files and must be owned by root -and not group or world-writable. .It Pa /var/run/sshd.pid Contains the process ID of the .Nm listening for connections (if there are several daemons running -concurrently for different ports, this contains the process ID of the one +concurrently for different ports, this contains the pid of the one started last). The content of this file is not sensitive; it can be world-readable. .It Pa $HOME/.ssh/authorized_keys @@ -632,7 +1232,7 @@ .Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts -can, but need not be, world-readable. +can but need not be world-readable. .It Pa /etc/nologin If this file exists, .Nm @@ -649,7 +1249,7 @@ This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in -without a password. +without password. The same file is used by rlogind and rshd. The file must be writable only by the user; it is recommended that it not be @@ -713,14 +1313,8 @@ and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. -Environment processing is disabled by default and is -controlled via the -.Cm PermitUserEnvironment -option. .It Pa $HOME/.ssh/rc -If this file exists, it is run with -.Pa /bin/sh -after reading the +If this file exists, it is run with /bin/sh after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. @@ -744,12 +1338,12 @@ if read proto cookie && [ -n "$DISPLAY" ]; then if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then # X11UseLocalhost=yes - echo add unix:`echo $DISPLAY | + xauth add unix:`echo $DISPLAY | cut -c11-` $proto $cookie else # X11UseLocalhost=no - echo add $DISPLAY $proto $cookie - fi | xauth -q - + xauth add $DISPLAY $proto $cookie + fi fi .Ed .Pp @@ -787,7 +1381,6 @@ .Xr ssh-keygen 1 , .Xr login.conf 5 , .Xr moduli 5 , -.Xr sshd_config 5 , .Xr sftp-server 8 .Rs .%A T. Ylonen