=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshd.8,v retrieving revision 1.193 retrieving revision 1.193.2.2 diff -u -r1.193 -r1.193.2.2 --- src/usr.bin/ssh/sshd.8 2002/09/24 20:59:44 1.193 +++ src/usr.bin/ssh/sshd.8 2003/09/16 21:20:29 1.193.2.2 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $ +.\" $OpenBSD: sshd.8,v 1.193.2.2 2003/09/16 21:20:29 brad Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -43,6 +43,7 @@ .Nd OpenSSH SSH daemon .Sh SYNOPSIS .Nm sshd +.Bk -words .Op Fl deiqtD46 .Op Fl b Ar bits .Op Fl f Ar config_file @@ -52,6 +53,7 @@ .Op Fl o Ar option .Op Fl p Ar port .Op Fl u Ar len +.Ek .Sh DESCRIPTION .Nm (SSH Daemon) is the daemon program for @@ -75,7 +77,7 @@ .Nm supports both SSH protocol version 1 and 2 simultaneously. .Nm -works as follows. +works as follows: .Pp .Ss SSH protocol version 1 .Pp @@ -86,7 +88,7 @@ This key is normally regenerated every hour if it has been used, and is never stored on disk. .Pp -Whenever a client connects the daemon responds with its public +Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. @@ -119,7 +121,7 @@ .Nm rshd , .Nm rlogind , and -.Xr rexecd +.Nm rexecd are disabled (thus completely disabling .Xr rlogin and @@ -189,7 +191,9 @@ log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. -Multiple -d options increase the debugging level. +Multiple +.Fl d +options increase the debugging level. Maximum is 3. .It Fl e When this option is specified, 
@@ -225,7 +229,8 @@ .It Fl i Specifies that .Nm -is being run from inetd. +is being run from +.Xr inetd 8 . .Nm is normally not run from inetd because it needs to generate the server key before it can @@ -282,12 +287,11 @@ .Pa utmp file. .Fl u0 -is also be used to prevent +may also be used to prevent .Nm from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS include -.Cm RhostsAuthentication , .Cm RhostsRSAAuthentication , .Cm HostbasedAuthentication and using a @@ -424,13 +428,13 @@ Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns -.Pf ( Ql * +.Pf ( Ql \&* and -.Ql ? +.Ql \&? serve as wildcards). The list may also contain patterns negated by prefixing them with -.Ql ! ; +.Ql \&! ; if the canonical host name matches a negated pattern, the key is not accepted. The purpose of this option is to optionally increase security: public key authentication @@ -446,7 +450,7 @@ The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. -If a 8-bit clean channel is required, +If an 8-bit clean channel is required, one must not request a pty or should specify .Cm no-pty . A quote may be included in the command by quoting it with a backslash. @@ -492,9 +496,9 @@ .Ar host/port . Multiple .Cm permitopen -options may be applied separated by commas. No pattern matching is -performed on the specified hostnames, they must be literal domains or -addresses. +options may be applied separated by commas. +No pattern matching is performed on the specified hostnames, +they must be literal domains or addresses. .El .Ss Examples 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar 
@@ -506,7 +510,7 @@ permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The -.Pa /etc/ssh/ssh_known_hosts , +.Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts files contain host public keys for all known hosts. @@ -519,12 +523,16 @@ bits, exponent, modulus, comment. The fields are separated by spaces. .Pp -Hostnames is a comma-separated list of patterns ('*' and '?' act as +Hostnames is a comma-separated list of patterns +.Pf ( Ql \&* +and +.Ql \&? +act as wildcards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when authenticating a server). A pattern may also be preceded by -.Ql ! +.Ql \&! to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line. @@ -627,7 +635,7 @@ .Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts -can but need not be world-readable. +can, but need not be, world-readable. .It Pa /etc/nologin If this file exists, .Nm @@ -644,7 +652,7 @@ This file contains host-username pairs, separated by a space, one per line. The given user on the corresponding host is permitted to log in -without password. +without a password. The same file is used by rlogind and rshd. The file must be writable only by the user; it is recommended that it not be @@ -713,7 +721,9 @@ .Cm PermitUserEnvironment option. .It Pa $HOME/.ssh/rc -If this file exists, it is run with /bin/sh after reading the +If this file exists, it is run with +.Pa /bin/sh +after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. 
@@ -760,17 +770,6 @@ machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable. .El -.Sh AUTHORS -OpenSSH is a derivative of the original and free -ssh 1.2.12 release by Tatu Ylonen. -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -Theo de Raadt and Dug Song -removed many bugs, re-added newer features and -created OpenSSH. -Markus Friedl contributed the support for SSH -protocol versions 1.5 and 2.0. -Niels Provos and Markus Friedl contributed support -for privilege separation. .Sh SEE ALSO .Xr scp 1 , .Xr sftp 1 , @@ -802,3 +801,14 @@ .%D January 2002 .%O work in progress material .Re +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Markus Friedl contributed the support for SSH +protocol versions 1.5 and 2.0. +Niels Provos and Markus Friedl contributed support +for privilege separation.
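Review bot: in hunk @@ -119,7 +121,7 the original `.Xr rexecd` had no section argument (`.Xr` expects `name section`), so replacing it with `.Nm rexecd` to match the adjacent `.Nm rshd ,` and `.Nm rlogind ,` is the right fix; the `.Xr rlogin` two lines further down in the unchanged context has the same missing section argument and could be corrected in the same pass.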
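Review bot: in hunk @@ -282,12 +287,11 the removal of `.Cm RhostsAuthentication ,` from the list of authentication mechanisms that may trigger DNS lookups changes what the page says about `-u0`, not merely its wording, and the hunk gives no reason for it; please confirm the `RhostsAuthentication` option has really been dropped from the server and from sshd_config(5) on this branch, otherwise the entry should stay, since administrators rely on this list to decide whether `-u0` alone stops DNS traffic. The "is also be used" to "may also be used" correction in the same hunk is fine.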
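Review bot: in hunk @@ -424,13 +428,13 the `\&` prefixes are needed for `?` and `!`, which mdoc treats as closing punctuation delimiters, so `.Ql ?` and `.Ql ! ;` would render the character outside the quotes; `\&*` is not strictly required but is harmless and keeps the three wildcards consistent. Hunk @@ -519,12 +523,16 applies the same escaping to the known_hosts description and replaces the ASCII `'*'` and `'?'` with `.Ql` macros, which is the correct markup.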
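Review bot: in hunk @@ -492,9 +496,9 the reflowed line "No pattern matching is performed on the specified hostnames, they must be literal domains or addresses." is still a comma splice; since the hunk already rewrites these lines, change it to "No pattern matching is performed on the specified hostnames; they must be literal domains or addresses." or split it into two sentences, which also matches the one-sentence-per-line convention the rest of the hunk now follows.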
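Review bot: in hunks @@ -760,17 +770,6 and @@ -802,3 +801,14 the eleven AUTHORS lines added after `.Re` are identical to the eleven removed before `.Sh SEE ALSO`, so the move loses no content, and placing AUTHORS after SEE ALSO follows the mdoc(7) section order (SEE ALSO, STANDARDS, HISTORY, AUTHORS, CAVEATS, BUGS); the commit message should say the section was moved for ordering so a later reader does not mistake the removal hunk for deleted attribution.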