mirror of git://anongit.mindrot.org/openssh.git
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ - (djm) Fix portable-specific uses of verify_reverse_mapping too
This commit is contained in:
parent
35276253a6
commit
3a961dc0d3
13
ChangeLog
13
ChangeLog
|
@ -1,6 +1,17 @@
|
|||
20030603
|
||||
- (djm) Replace setproctitle replacement with code derived from
|
||||
UCB sendmail
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- markus@cvs.openbsd.org 2003/06/02 09:17:34
|
||||
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
|
||||
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
|
||||
[sshd_config.5]
|
||||
deprecate VerifyReverseMapping since it's dangerous if combined
|
||||
with IP based access control as noted by Mike Harding; replace with
|
||||
a UseDNS option, UseDNS is on by default and includes the
|
||||
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
|
||||
ok deraadt@, djm@
|
||||
- (djm) Fix portable-specific uses of verify_reverse_mapping too
|
||||
|
||||
20030602
|
||||
- (djm) Fix segv from bad reordering in auth-pam.c
|
||||
|
@ -1648,4 +1659,4 @@
|
|||
save auth method before monitor_reset_key_state(); bugzilla bug #284;
|
||||
ok provos@
|
||||
|
||||
$Id: ChangeLog,v 1.2764 2003/06/03 00:14:28 djm Exp $
|
||||
$Id: ChangeLog,v 1.2765 2003/06/03 00:25:48 djm Exp $
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-options.c,v 1.27 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "match.h"
|
||||
|
@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
|
|||
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
|
||||
const char *remote_ip = get_remote_ipaddr();
|
||||
const char *remote_host = get_canonical_hostname(
|
||||
options.verify_reverse_mapping);
|
||||
options.use_dns);
|
||||
char *patterns = xmalloc(strlen(opts) + 1);
|
||||
|
||||
opts += strlen(cp);
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
|
||||
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
|
||||
#include "includes.h"
|
||||
RCSID("$Id: auth-pam.c,v 1.63 2003/06/02 01:04:39 djm Exp $");
|
||||
RCSID("$Id: auth-pam.c,v 1.64 2003/06/03 00:25:48 djm Exp $");
|
||||
|
||||
#ifdef USE_PAM
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -299,8 +299,7 @@ sshpam_init(const char *user)
|
|||
sshpam_handle = NULL;
|
||||
return (-1);
|
||||
}
|
||||
pam_rhost = get_remote_name_or_ip(utmp_len,
|
||||
options.verify_reverse_mapping);
|
||||
pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
|
||||
debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
|
||||
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
|
||||
if (sshpam_err != PAM_SUCCESS) {
|
||||
|
|
|
@ -144,22 +144,24 @@ auth_password(Authctxt *authctxt, const char *password)
|
|||
HANDLE hToken = cygwin_logon_user(pw, password);
|
||||
|
||||
if (hToken == INVALID_HANDLE_VALUE)
|
||||
return 0;
|
||||
return (0);
|
||||
cygwin_set_impersonation_token(hToken);
|
||||
return 1;
|
||||
return (1);
|
||||
}
|
||||
# endif
|
||||
# ifdef WITH_AIXAUTHENTICATE
|
||||
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
|
||||
|
||||
if (authsuccess)
|
||||
if (authsuccess) {
|
||||
/* We don't have a pty yet, so just label the line as "ssh" */
|
||||
if (loginsuccess(authctxt->user,
|
||||
get_canonical_hostname(options.verify_reverse_mapping),
|
||||
"ssh", &aixloginmsg) < 0)
|
||||
aixloginmsg = NULL;
|
||||
get_canonical_hostname(options.use_dns),
|
||||
"ssh", &aixloginmsg) < 0) {
|
||||
aixloginmsg = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
return(authsuccess);
|
||||
return (authsuccess);
|
||||
# endif
|
||||
# ifdef KRB4
|
||||
if (options.kerberos_authentication == 1) {
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.35 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "uidswap.h"
|
||||
|
@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
|
|||
client_host_key->rsa == NULL)
|
||||
return 0;
|
||||
|
||||
chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
|
||||
chost = (char *)get_canonical_hostname(options.use_dns);
|
||||
debug("Rhosts RSA authentication: canonical host %.900s", chost);
|
||||
|
||||
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth-rhosts.c,v 1.30 2003/05/17 03:25:58 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "uidswap.h"
|
||||
|
@ -156,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
|
|||
{
|
||||
const char *hostname, *ipaddr;
|
||||
|
||||
hostname = get_canonical_hostname(options.verify_reverse_mapping);
|
||||
hostname = get_canonical_hostname(options.use_dns);
|
||||
ipaddr = get_remote_ipaddr();
|
||||
return auth_rhosts2(pw, client_user, hostname, ipaddr);
|
||||
}
|
||||
|
|
|
@ -52,7 +52,7 @@ auth_sia_password(Authctxt *authctxt, char *pass)
|
|||
SIAENTITY *ent = NULL;
|
||||
const char *host;
|
||||
|
||||
host = get_canonical_hostname(options.verify_reverse_mapping);
|
||||
host = get_canonical_hostname(options.use_dns);
|
||||
|
||||
if (!authctxt->user || pass == NULL || pass[0] == '\0')
|
||||
return (0);
|
||||
|
@ -81,7 +81,7 @@ session_setup_sia(struct passwd *pw, char *tty)
|
|||
SIAENTITY *ent = NULL;
|
||||
const char *host;
|
||||
|
||||
host = get_canonical_hostname(options.verify_reverse_mapping);
|
||||
host = get_canonical_hostname(options.use_dns);
|
||||
|
||||
if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
|
||||
tty, 0, NULL) != SIASUCCESS)
|
||||
|
|
4
auth.c
4
auth.c
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth.c,v 1.47 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth.c,v 1.48 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#ifdef HAVE_LOGIN_H
|
||||
#include <login.h>
|
||||
|
@ -141,7 +141,7 @@ allowed_user(struct passwd * pw)
|
|||
}
|
||||
|
||||
if (options.num_deny_users > 0 || options.num_allow_users > 0) {
|
||||
hostname = get_canonical_hostname(options.verify_reverse_mapping);
|
||||
hostname = get_canonical_hostname(options.use_dns);
|
||||
ipaddr = get_remote_ipaddr();
|
||||
}
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: auth2-hostbased.c,v 1.3 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: auth2-hostbased.c,v 1.4 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "ssh2.h"
|
||||
#include "xmalloc.h"
|
||||
|
@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
|||
HostStatus host_status;
|
||||
int len;
|
||||
|
||||
resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
|
||||
resolvedname = get_canonical_hostname(options.use_dns);
|
||||
ipaddr = get_remote_ipaddr();
|
||||
|
||||
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
|
||||
|
|
44
canohost.c
44
canohost.c
|
@ -12,7 +12,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
|
||||
RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "packet.h"
|
||||
#include "xmalloc.h"
|
||||
|
@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
|
|||
*/
|
||||
|
||||
static char *
|
||||
get_remote_hostname(int socket, int verify_reverse_mapping)
|
||||
get_remote_hostname(int socket, int use_dns)
|
||||
{
|
||||
struct sockaddr_storage from;
|
||||
int i;
|
||||
|
@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
|
|||
NULL, 0, NI_NUMERICHOST) != 0)
|
||||
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
|
||||
|
||||
if (!use_dns)
|
||||
return xstrdup(ntop);
|
||||
|
||||
if (from.ss_family == AF_INET)
|
||||
check_ip_options(socket, ntop);
|
||||
|
||||
|
@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
|
|||
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||
NULL, 0, NI_NAMEREQD) != 0) {
|
||||
/* Host name not found. Use ip address. */
|
||||
#if 0
|
||||
logit("Could not reverse map address %.100s.", ntop);
|
||||
#endif
|
||||
return xstrdup(ntop);
|
||||
}
|
||||
|
||||
/* Got host name. */
|
||||
name[sizeof(name) - 1] = '\0';
|
||||
/*
|
||||
* if reverse lookup result looks like a numeric hostname,
|
||||
* someone is trying to trick us by PTR record like following:
|
||||
* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
|
||||
*/
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
|
||||
hints.ai_flags = AI_NUMERICHOST;
|
||||
if (getaddrinfo(name, "0", &hints, &ai) == 0) {
|
||||
logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||
name, ntop);
|
||||
freeaddrinfo(ai);
|
||||
return xstrdup(ntop);
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert it to all lowercase (which is expected by the rest
|
||||
* of this software).
|
||||
|
@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
|
|||
for (i = 0; name[i]; i++)
|
||||
if (isupper(name[i]))
|
||||
name[i] = tolower(name[i]);
|
||||
|
||||
if (!verify_reverse_mapping)
|
||||
return xstrdup(name);
|
||||
/*
|
||||
* Map it back to an IP address and check that the given
|
||||
* address actually is an address of this host. This is
|
||||
|
@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr)
|
|||
*/
|
||||
|
||||
const char *
|
||||
get_canonical_hostname(int verify_reverse_mapping)
|
||||
get_canonical_hostname(int use_dns)
|
||||
{
|
||||
static char *canonical_host_name = NULL;
|
||||
static int verify_reverse_mapping_done = 0;
|
||||
static int use_dns_done = 0;
|
||||
|
||||
/* Check if we have previously retrieved name with same option. */
|
||||
if (canonical_host_name != NULL) {
|
||||
if (verify_reverse_mapping_done != verify_reverse_mapping)
|
||||
if (use_dns_done != use_dns)
|
||||
xfree(canonical_host_name);
|
||||
else
|
||||
return canonical_host_name;
|
||||
|
@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping)
|
|||
/* Get the real hostname if socket; otherwise return UNKNOWN. */
|
||||
if (packet_connection_is_on_socket())
|
||||
canonical_host_name = get_remote_hostname(
|
||||
packet_get_connection_in(), verify_reverse_mapping);
|
||||
packet_get_connection_in(), use_dns);
|
||||
else
|
||||
canonical_host_name = xstrdup("UNKNOWN");
|
||||
|
||||
verify_reverse_mapping_done = verify_reverse_mapping;
|
||||
use_dns_done = use_dns;
|
||||
return canonical_host_name;
|
||||
}
|
||||
|
||||
|
@ -294,11 +304,11 @@ get_remote_ipaddr(void)
|
|||
}
|
||||
|
||||
const char *
|
||||
get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
|
||||
get_remote_name_or_ip(u_int utmp_len, int use_dns)
|
||||
{
|
||||
static const char *remote = "";
|
||||
if (utmp_len > 0)
|
||||
remote = get_canonical_hostname(verify_reverse_mapping);
|
||||
remote = get_canonical_hostname(use_dns);
|
||||
if (utmp_len == 0 || strlen(remote) > utmp_len)
|
||||
remote = get_remote_ipaddr();
|
||||
return remote;
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: monitor.c,v 1.41 2003/05/24 09:30:40 djm Exp $");
|
||||
RCSID("$OpenBSD: monitor.c,v 1.42 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
|
@ -1157,7 +1157,7 @@ mm_record_login(Session *s, struct passwd *pw)
|
|||
}
|
||||
/* Record that there was a login on that tty from the remote host. */
|
||||
record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
|
||||
get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
|
||||
get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
(struct sockaddr *)&from, fromlen);
|
||||
}
|
||||
|
||||
|
|
19
servconf.c
19
servconf.c
|
@ -10,7 +10,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
|
||||
RCSID("$OpenBSD: servconf.c,v 1.122 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#if defined(KRB4)
|
||||
#include <krb.h>
|
||||
|
@ -116,7 +116,7 @@ initialize_server_options(ServerOptions *options)
|
|||
options->max_startups_rate = -1;
|
||||
options->max_startups = -1;
|
||||
options->banner = NULL;
|
||||
options->verify_reverse_mapping = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
options->authorized_keys_file = NULL;
|
||||
|
@ -232,8 +232,8 @@ fill_default_server_options(ServerOptions *options)
|
|||
options->max_startups_rate = 100; /* 100% */
|
||||
if (options->max_startups_begin == -1)
|
||||
options->max_startups_begin = options->max_startups;
|
||||
if (options->verify_reverse_mapping == -1)
|
||||
options->verify_reverse_mapping = 0;
|
||||
if (options->use_dns == -1)
|
||||
options->use_dns = 1;
|
||||
if (options->client_alive_interval == -1)
|
||||
options->client_alive_interval = 0;
|
||||
if (options->client_alive_count_max == -1)
|
||||
|
@ -282,7 +282,7 @@ typedef enum {
|
|||
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
|
||||
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
|
||||
sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
|
||||
sUsePrivilegeSeparation,
|
||||
|
@ -366,8 +366,9 @@ static struct {
|
|||
{ "subsystem", sSubsystem },
|
||||
{ "maxstartups", sMaxStartups },
|
||||
{ "banner", sBanner },
|
||||
{ "verifyreversemapping", sVerifyReverseMapping },
|
||||
{ "reversemappingcheck", sVerifyReverseMapping },
|
||||
{ "usedns", sUseDNS },
|
||||
{ "verifyreversemapping", sDeprecated },
|
||||
{ "reversemappingcheck", sDeprecated },
|
||||
{ "clientaliveinterval", sClientAliveInterval },
|
||||
{ "clientalivecountmax", sClientAliveCountMax },
|
||||
{ "authorizedkeysfile", sAuthorizedKeysFile },
|
||||
|
@ -723,8 +724,8 @@ parse_flag:
|
|||
intptr = &options->gateway_ports;
|
||||
goto parse_flag;
|
||||
|
||||
case sVerifyReverseMapping:
|
||||
intptr = &options->verify_reverse_mapping;
|
||||
case sUseDNS:
|
||||
intptr = &options->use_dns;
|
||||
goto parse_flag;
|
||||
|
||||
case sLogFacility:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: servconf.h,v 1.60 2003/05/15 01:48:10 jakob Exp $ */
|
||||
/* $OpenBSD: servconf.h,v 1.61 2003/06/02 09:17:34 markus Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -112,7 +112,7 @@ typedef struct {
|
|||
int max_startups_rate;
|
||||
int max_startups;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
int verify_reverse_mapping; /* cross-check ip and dns */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
* see if it's still there
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
RCSID("$OpenBSD: session.c,v 1.157 2003/05/14 22:24:42 markus Exp $");
|
||||
RCSID("$OpenBSD: session.c,v 1.158 2003/06/02 09:17:34 markus Exp $");
|
||||
|
||||
#include "ssh.h"
|
||||
#include "ssh1.h"
|
||||
|
@ -694,7 +694,7 @@ do_pre_login(Session *s)
|
|||
}
|
||||
|
||||
record_utmp_only(pid, s->tty, s->pw->pw_name,
|
||||
get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
|
||||
get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
(struct sockaddr *)&from, fromlen);
|
||||
}
|
||||
#endif
|
||||
|
@ -749,7 +749,7 @@ do_login(Session *s, const char *command)
|
|||
if (!use_privsep)
|
||||
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
|
||||
get_remote_name_or_ip(utmp_len,
|
||||
options.verify_reverse_mapping),
|
||||
options.use_dns),
|
||||
(struct sockaddr *)&from, fromlen);
|
||||
|
||||
#ifdef USE_PAM
|
||||
|
@ -1353,7 +1353,7 @@ do_child(Session *s, const char *command)
|
|||
/* we have to stash the hostname before we close our socket. */
|
||||
if (options.use_login)
|
||||
hostname = get_remote_name_or_ip(utmp_len,
|
||||
options.verify_reverse_mapping);
|
||||
options.use_dns);
|
||||
/*
|
||||
* Close the connection descriptors; note that this is the child, and
|
||||
* the server will still have the socket open, and it is important
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
|
||||
# $OpenBSD: sshd_config,v 1.60 2003/06/02 09:17:34 markus Exp $
|
||||
|
||||
# This is the sshd server system-wide configuration file. See
|
||||
# sshd_config(5) for more information.
|
||||
|
@ -88,7 +88,7 @@
|
|||
#MaxStartups 10
|
||||
# no default banner path
|
||||
#Banner /some/path
|
||||
#VerifyReverseMapping no
|
||||
#UseDNS yes
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.17 2003/05/20 12:09:32 jmc Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.18 2003/06/02 09:17:34 markus Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
|
@ -585,6 +585,14 @@ Gives the facility code that is used when logging messages from
|
|||
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm UseDNS
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
should lookup the remote host name and check that
|
||||
the resolved host name for the remote IP address maps back to the
|
||||
very same IP address.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm UseLogin
|
||||
Specifies whether
|
||||
.Xr login 1
|
||||
|
@ -622,14 +630,6 @@ The goal of privilege separation is to prevent privilege
|
|||
escalation by containing any corruption within the unprivileged processes.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.It Cm VerifyReverseMapping
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
should try to verify the remote host name and check that
|
||||
the resolved host name for the remote IP address maps back to the
|
||||
very same IP address.
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm X11DisplayOffset
|
||||
Specifies the first display number available for
|
||||
.Nm sshd Ns 's
|
||||
|
|
Loading…
Reference in New Issue