mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-25 19:32:09 +00:00
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43 [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] - killed whitespace - new sentence new line - .Bk for arguments ok markus@
parent f18462f5bf
commit 495dca3518
ChangeLog (13 changed lines)
@ -1,3 +1,14 @@
|
||||
20030401
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
|
||||
[scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
|
||||
[ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
|
||||
- killed whitespace
|
||||
- new sentence new line
|
||||
- .Bk for arguments
|
||||
ok markus@
|
||||
|
||||
|
||||
20030326
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- deraadt@cvs.openbsd.org 2003/03/26 04:02:51
|
||||
@ -1259,4 +1270,4 @@
|
||||
save auth method before monitor_reset_key_state(); bugzilla bug #284;
|
||||
ok provos@
|
||||
|
||||
$Id: ChangeLog,v 1.2642 2003/03/26 05:01:11 djm Exp $
|
||||
$Id: ChangeLog,v 1.2643 2003/04/01 11:42:14 djm Exp $
|
||||
|
scp.1 (4 changed lines)
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.\" Created: Sun May 7 00:14:37 1995 ylo
|
||||
.\"
|
||||
.\" $OpenBSD: scp.1,v 1.26 2003/01/28 17:24:51 stevesk Exp $
|
||||
.\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.Dd September 25, 1999
|
||||
.Dt SCP 1
|
||||
@ -19,6 +19,7 @@
|
||||
.Nd secure copy (remote file copy program)
|
||||
.Sh SYNOPSIS
|
||||
.Nm scp
|
||||
.Bk -words
|
||||
.Op Fl pqrvBC1246
|
||||
.Op Fl F Ar ssh_config
|
||||
.Op Fl S Ar program
|
||||
@ -40,6 +41,7 @@
|
||||
.Ar host2 No :
|
||||
.Oc Ar file2
|
||||
.Sm on
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
copies files between hosts on a network.
|
||||
|
sftp.1 (26 changed lines)
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: sftp.1,v 1.40 2003/01/10 08:19:07 fgsch Exp $
|
||||
.\" $OpenBSD: sftp.1,v 1.41 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
|
||||
.\"
|
||||
@ -30,6 +30,7 @@
|
||||
.Nd Secure file transfer program
|
||||
.Sh SYNOPSIS
|
||||
.Nm sftp
|
||||
.Bk -words
|
||||
.Op Fl vC1
|
||||
.Op Fl b Ar batchfile
|
||||
.Op Fl o Ar ssh_option
|
||||
@ -40,10 +41,15 @@
|
||||
.Op Fl R Ar num_requests
|
||||
.Op Fl S Ar program
|
||||
.Ar host
|
||||
.Ek
|
||||
.Nm sftp
|
||||
.Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]]
|
||||
.Oo Oo Ar user Ns No @ Oc Ns
|
||||
.Ar host Ns Oo : Ns Ar file Oo
|
||||
.Ar file Oc Oc Oc
|
||||
.Nm sftp
|
||||
.Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]]
|
||||
.Oo Oo Ar user Ns No @ Oc Ns
|
||||
.Ar host Ns Oo : Ns Ar dir Ns
|
||||
.Oo Ar / Oc Oc Oc
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is an interactive file transfer program, similar to
|
||||
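Review bot: only the first synopsis form is wrapped in `.Bk -words` / `.Ek`; the two replacement forms (`.Oo Oo Ar user Ns No @ Oc Ns` ... `.Ar file Oc Oc Oc` and `.Oo Oo Ar user Ns No @ Oc Ns` ... `.Oo Ar / Oc Oc Oc`) sit outside any keep block, which is inconsistent with the ".Bk for arguments" goal in the log message. Wrap each of them in its own `.Bk -words` / `.Ek` pair. The `.Oo`/`.Oc` nesting in both new forms is balanced (four opens, four closes each), so the macro conversion itself is fine.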
@ -77,13 +83,13 @@ non-interactive authentication.
|
||||
will abort if any of the following
|
||||
commands fail:
|
||||
.Ic get , put , rename , ln ,
|
||||
.Ic rm , mkdir , chdir , ls ,
|
||||
.Ic rm , mkdir , chdir , ls ,
|
||||
.Ic lchdir , chmod , chown , chgrp , lpwd
|
||||
and
|
||||
.Ic lmkdir .
|
||||
Termination on error can be suppressed on a command by command basis by
|
||||
prefixing the command with a
|
||||
.Ic '-'
|
||||
Termination on error can be suppressed on a command by command basis by
|
||||
prefixing the command with a
|
||||
.Ic '-'
|
||||
character (For example,
|
||||
.Ic -rm /tmp/blah*
|
||||
).
|
||||
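Review bot: `character (For example,` continues the sentence beginning `Termination on error can be suppressed ...`, so the parenthetical should read `(for example,` with a lowercase f. The line is unchanged context here, but the lines around it are being reflowed in this hunk anyway, so it is cheap to fix in the same commit.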
@ -95,19 +101,19 @@ in the format used in
|
||||
This is useful for specifying options
|
||||
for which there is no separate
|
||||
.Nm sftp
|
||||
command-line flag. For example, to specify an alternate
|
||||
command-line flag. For example, to specify an alternate
|
||||
port use:
|
||||
.Ic sftp -oPort=24 .
|
||||
.It Fl s Ar subsystem | sftp_server
|
||||
Specifies the SSH2 subsystem or the path for an sftp server
|
||||
on the remote host. A path is useful for using sftp over
|
||||
on the remote host. A path is useful for using sftp over
|
||||
protocol version 1, or when the remote
|
||||
.Nm sshd
|
||||
does not have an sftp subsystem configured.
|
||||
.It Fl v
|
||||
Raise logging level. This option is also passed to ssh.
|
||||
.It Fl B Ar buffer_size
|
||||
Specify the size of the buffer that
|
||||
Specify the size of the buffer that
|
||||
.Nm
|
||||
uses when transferring files. Larger buffers require fewer round trips at
|
||||
the cost of higher memory consumption. The default is 32768 bytes.
|
||||
|
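Review bot: `command-line flag. For example, to specify an alternate` and `on the remote host. A path is useful for using sftp over` are modified in this hunk (whitespace only) yet still carry a sentence break in mid-line; since new-sentence-new-line is a stated purpose of the commit, split them here too (`command-line flag.` / `For example, to specify an alternate` and `on the remote host.` / `A path is useful for using sftp over`). The unchanged context line `Raise logging level. This option is also passed to ssh.` has the same problem.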
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-add.1,v 1.37 2003/02/10 11:51:47 markus Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
@ -95,10 +95,11 @@ specified in
|
||||
.Xr sshd_config 5 .
|
||||
.It Fl c
|
||||
Indicates that added identities should be subject to confirmation before
|
||||
being used for authentication. Confirmation is performed by the
|
||||
being used for authentication.
|
||||
Confirmation is performed by the
|
||||
.Ev SSH_ASKPASS
|
||||
program mentioned below. Successful confirmation is signaled by a zero
|
||||
exit status from the
|
||||
program mentioned below.
|
||||
Successful confirmation is signaled by a zero exit status from the
|
||||
.Ev SSH_ASKPASS
|
||||
program, rather than text entered into the requester.
|
||||
.It Fl s Ar reader
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.36 2003/01/21 18:14:36 marc Exp $
|
||||
.\" $OpenBSD: ssh-agent.1,v 1.37 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -88,7 +88,7 @@ Kill the current agent (given by the
|
||||
.Ev SSH_AGENT_PID
|
||||
environment variable).
|
||||
.It Fl t Ar life
|
||||
Set a default value for the maximum lifetime of identities added to the agent.
|
||||
Set a default value for the maximum lifetime of identities added to the agent.
|
||||
The lifetime may be specified in seconds or in a time format specified in
|
||||
.Xr sshd 8 .
|
||||
A lifetime specified for an identity with
|
||||
@ -96,7 +96,8 @@ A lifetime specified for an identity with
|
||||
overrides this value.
|
||||
Without this option the default maximum lifetime is forever.
|
||||
.It Fl d
|
||||
Debug mode. When this option is specified
|
||||
Debug mode.
|
||||
When this option is specified
|
||||
.Nm
|
||||
will not fork.
|
||||
.El
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.55 2002/11/26 02:35:30 stevesk Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" -*- nroff -*-
|
||||
.\"
|
||||
@ -45,12 +45,14 @@
|
||||
.Nd authentication key generation, management and conversion
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-keygen
|
||||
.Bk -words
|
||||
.Op Fl q
|
||||
.Op Fl b Ar bits
|
||||
.Fl t Ar type
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl C Ar comment
|
||||
.Op Fl f Ar output_keyfile
|
||||
.Ek
|
||||
.Nm ssh-keygen
|
||||
.Fl p
|
||||
.Op Fl P Ar old_passphrase
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.14 2002/02/13 08:33:47 mpech Exp $
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
.\"
|
||||
@ -14,6 +14,7 @@
|
||||
.Nd gather ssh public keys
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-keyscan
|
||||
.Bk -words
|
||||
.Op Fl v46
|
||||
.Op Fl p Ar port
|
||||
.Op Fl T Ar timeout
|
||||
@ -21,10 +22,12 @@
|
||||
.Op Fl f Ar file
|
||||
.Op Ar host | addrlist namelist
|
||||
.Op Ar ...
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a utility for gathering the public ssh host keys of a number of
|
||||
hosts. It was designed to aid in building and verifying
|
||||
hosts.
|
||||
It was designed to aid in building and verifying
|
||||
.Pa ssh_known_hosts
|
||||
files.
|
||||
.Nm
|
||||
@ -33,9 +36,11 @@ scripts.
|
||||
.Pp
|
||||
.Nm
|
||||
uses non-blocking socket I/O to contact as many hosts as possible in
|
||||
parallel, so it is very efficient. The keys from a domain of 1,000
|
||||
parallel, so it is very efficient.
|
||||
The keys from a domain of 1,000
|
||||
hosts can be collected in tens of seconds, even when some of those
|
||||
hosts are down or do not run ssh. For scanning, one does not need
|
||||
hosts are down or do not run ssh.
|
||||
For scanning, one does not need
|
||||
login access to the machines that are being scanned, nor does the
|
||||
scanning process involve any encryption.
|
||||
.Pp
|
||||
@ -44,12 +49,13 @@ The options are as follows:
|
||||
.It Fl p Ar port
|
||||
Port to connect to on the remote host.
|
||||
.It Fl T Ar timeout
|
||||
Set the timeout for connection attempts. If
|
||||
Set the timeout for connection attempts.
|
||||
If
|
||||
.Pa timeout
|
||||
seconds have elapsed since a connection was initiated to a host or since the
|
||||
last time anything was read from that host, then the connection is
|
||||
closed and the host in question considered unavailable. Default is 5
|
||||
seconds.
|
||||
closed and the host in question considered unavailable.
|
||||
Default is 5 seconds.
|
||||
.It Fl t Ar type
|
||||
Specifies the type of the key to fetch from the scanned hosts.
|
||||
The possible values are
|
||||
|
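Review bot: `.Pa timeout` in the -T description marks the option argument with the path-name macro, whereas the synopsis in this same file uses `.Op Fl T Ar timeout`; change it to `.Ar timeout` while this paragraph is being reflowed. The new split `Set the timeout for connection attempts.` / `If` is correct for new-sentence-new-line.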
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.5 2002/11/24 21:46:24 stevesk Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
@ -62,8 +62,8 @@ Controls whether
|
||||
is enabled.
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
|
||||
These files contain the private parts of the host keys used to
|
||||
generate the digital signature. They
|
||||
should be owned by root, readable only by root, and not
|
||||
generate the digital signature.
|
||||
They should be owned by root, readable only by root, and not
|
||||
accessible to others.
|
||||
Since they are readable only by root,
|
||||
.Nm
|
||||
|
ssh.1 (34 changed lines)
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
|
||||
.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
@ -48,6 +48,7 @@
|
||||
.Op Ar command
|
||||
.Pp
|
||||
.Nm ssh
|
||||
.Bk -words
|
||||
.Op Fl afgknqstvxACNTX1246
|
||||
.Op Fl b Ar bind_address
|
||||
.Op Fl c Ar cipher_spec
|
||||
@ -66,6 +67,8 @@
|
||||
.Sm on
|
||||
.Xc
|
||||
.Oc
|
||||
.Ek
|
||||
.Bk -words
|
||||
.Oo Fl R Xo
|
||||
.Sm off
|
||||
.Ar port :
|
||||
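Review bot: `.Ek` immediately followed by `.Bk -words` closes the keep block opened after `.Nm ssh` and reopens it just before `.Oo Fl R Xo`, so the -L and -R forwarding specifications end up in separate keep blocks. If a line break between them is intended, a short `.\"` comment in the source would make that clear; otherwise drop this `.Ek` / `.Bk -words` pair and let the `.Ek` added after `.Op Ar command` close a single block.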
@ -77,6 +80,7 @@
|
||||
.Op Fl D Ar port
|
||||
.Ar hostname | user@hostname
|
||||
.Op Ar command
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
(SSH client) is a program for logging into a remote machine and for
|
||||
@ -361,7 +365,7 @@ variable is set to
|
||||
.Fl A
|
||||
and
|
||||
.Fl a
|
||||
options described later) and
|
||||
options described later) and
|
||||
the user is using an authentication agent, the connection to the agent
|
||||
is automatically forwarded to the remote side.
|
||||
.Pp
|
||||
@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection.
|
||||
Enables forwarding of the authentication agent connection.
|
||||
This can also be specified on a per-host basis in a configuration file.
|
||||
.Pp
|
||||
Agent forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the agent's
|
||||
Unix-domain socket) can access the local agent through the forwarded
|
||||
connection. An attacker cannot obtain key material from the agent,
|
||||
Agent forwarding should be enabled with caution.
|
||||
Users with the ability to bypass file permissions on the remote host
|
||||
(for the agent's Unix-domain socket)
|
||||
can access the local agent through the forwarded connection.
|
||||
An attacker cannot obtain key material from the agent,
|
||||
however they can perform operations on the keys that enable them to
|
||||
authenticate using the identities loaded into the agent.
|
||||
.It Fl b Ar bind_address
|
||||
@ -428,8 +433,8 @@ is only supported in the
|
||||
client for interoperability with legacy protocol 1 implementations
|
||||
that do not support the
|
||||
.Ar 3des
|
||||
cipher. Its use is strongly discouraged due to cryptographic
|
||||
weaknesses.
|
||||
cipher.
|
||||
Its use is strongly discouraged due to cryptographic weaknesses.
|
||||
.It Fl c Ar cipher_spec
|
||||
Additionally, for protocol version 2 a comma-separated list of ciphers can
|
||||
be specified in order of preference.
|
||||
@ -566,11 +571,11 @@ Disables X11 forwarding.
|
||||
Enables X11 forwarding.
|
||||
This can also be specified on a per-host basis in a configuration file.
|
||||
.Pp
|
||||
X11 forwarding should be enabled with caution. Users with the ability
|
||||
to bypass file permissions on the remote host (for the user's X
|
||||
authorization database) can access the local X11 display through the
|
||||
forwarded connection. An attacker may then be able to perform
|
||||
activities such as keystroke monitoring.
|
||||
X11 forwarding should be enabled with caution.
|
||||
Users with the ability to bypass file permissions on the remote host
|
||||
(for the user's X authorization database)
|
||||
can access the local X11 display through the forwarded connection.
|
||||
An attacker may then be able to perform activities such as keystroke monitoring.
|
||||
.It Fl C
|
||||
Requests compression of all data (including stdin, stdout, stderr, and
|
||||
data for forwarded X11 and TCP/IP connections).
|
||||
@ -637,7 +642,8 @@ This works by allocating a socket to listen to
|
||||
on the local side, and whenever a connection is made to this port, the
|
||||
connection is forwarded over the secure channel, and the application
|
||||
protocol is then used to determine where to connect to from the
|
||||
remote machine. Currently the SOCKS4 protocol is supported, and
|
||||
remote machine.
|
||||
Currently the SOCKS4 protocol is supported, and
|
||||
.Nm
|
||||
will act as a SOCKS4 server.
|
||||
Only root can forward privileged ports.
|
||||
|
ssh_config.5 (48 changed lines)
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.6 2003/02/06 09:27:29 markus Exp $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
@ -176,8 +176,8 @@ is only supported in the
|
||||
client for interoperability with legacy protocol 1 implementations
|
||||
that do not support the
|
||||
.Ar 3des
|
||||
cipher. Its use is strongly discouraged due to cryptographic
|
||||
weaknesses.
|
||||
cipher.
|
||||
Its use is strongly discouraged due to cryptographic weaknesses.
|
||||
The default is
|
||||
.Dq 3des .
|
||||
.It Cm Ciphers
|
||||
@ -193,7 +193,8 @@ The default is
|
||||
.It Cm ClearAllForwardings
|
||||
Specifies that all local, remote and dynamic port forwardings
|
||||
specified in the configuration files or on the command line be
|
||||
cleared. This option is primarily useful when used from the
|
||||
cleared.
|
||||
This option is primarily useful when used from the
|
||||
.Nm ssh
|
||||
command line to clear port forwardings set in
|
||||
configuration files, and is automatically set by
|
||||
@ -230,13 +231,14 @@ The default is 1.
|
||||
Specifies that a TCP/IP port on the local machine be forwarded
|
||||
over the secure channel, and the application
|
||||
protocol is then used to determine where to connect to from the
|
||||
remote machine. The argument must be a port number.
|
||||
remote machine.
|
||||
The argument must be a port number.
|
||||
Currently the SOCKS4 protocol is supported, and
|
||||
.Nm ssh
|
||||
will act as a SOCKS4 server.
|
||||
Multiple forwardings may be specified, and
|
||||
additional forwardings can be given on the command line. Only
|
||||
the superuser can forward privileged ports.
|
||||
additional forwardings can be given on the command line.
|
||||
Only the superuser can forward privileged ports.
|
||||
.It Cm EscapeChar
|
||||
Sets the escape character (default:
|
||||
.Ql ~ ) .
|
||||
@ -259,10 +261,11 @@ or
|
||||
The default is
|
||||
.Dq no .
|
||||
.Pp
|
||||
Agent forwarding should be enabled with caution. Users with the
|
||||
ability to bypass file permissions on the remote host (for the agent's
|
||||
Unix-domain socket) can access the local agent through the forwarded
|
||||
connection. An attacker cannot obtain key material from the agent,
|
||||
Agent forwarding should be enabled with caution.
|
||||
Users with the ability to bypass file permissions on the remote host
|
||||
(for the agent's Unix-domain socket)
|
||||
can access the local agent through the forwarded connection.
|
||||
An attacker cannot obtain key material from the agent,
|
||||
however they can perform operations on the keys that enable them to
|
||||
authenticate using the identities loaded into the agent.
|
||||
.It Cm ForwardX11
|
||||
@ -277,18 +280,18 @@ or
|
||||
The default is
|
||||
.Dq no .
|
||||
.Pp
|
||||
X11 forwarding should be enabled with caution. Users with the ability
|
||||
to bypass file permissions on the remote host (for the user's X
|
||||
authorization database) can access the local X11 display through the
|
||||
forwarded connection. An attacker may then be able to perform
|
||||
activities such as keystroke monitoring.
|
||||
X11 forwarding should be enabled with caution.
|
||||
Users with the ability to bypass file permissions on the remote host
|
||||
(for the user's X authorization database)
|
||||
can access the local X11 display through the forwarded connection.
|
||||
An attacker may then be able to perform activities such as keystroke monitoring.
|
||||
.It Cm GatewayPorts
|
||||
Specifies whether remote hosts are allowed to connect to local
|
||||
forwarded ports.
|
||||
By default,
|
||||
.Nm ssh
|
||||
binds local port forwardings to the loopback address. This
|
||||
prevents other remote hosts from connecting to forwarded ports.
|
||||
binds local port forwardings to the loopback address.
|
||||
This prevents other remote hosts from connecting to forwarded ports.
|
||||
.Cm GatewayPorts
|
||||
can be used to specify that
|
||||
.Nm ssh
|
||||
@ -395,8 +398,9 @@ Gives the verbosity level that is used when logging messages from
|
||||
.Nm ssh .
|
||||
The possible values are:
|
||||
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
|
||||
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
|
||||
and DEBUG3 each specify higher levels of verbose output.
|
||||
The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||
.It Cm MACs
|
||||
Specifies the MAC (message authentication code) algorithms
|
||||
in order of preference.
|
||||
@ -474,8 +478,8 @@ somewhere.
|
||||
Host key management will be done using the
|
||||
HostName of the host being connected (defaulting to the name typed by
|
||||
the user).
|
||||
Setting the command to
|
||||
.Dq none
|
||||
Setting the command to
|
||||
.Dq none
|
||||
disables this option entirely.
|
||||
Note that
|
||||
.Cm CheckHostIP
|
||||
|
@ -34,7 +34,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
|
||||
.Dd September 25, 1999
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
@ -211,8 +211,8 @@ Specifies whether remote hosts are allowed to connect to ports
|
||||
forwarded for the client.
|
||||
By default,
|
||||
.Nm sshd
|
||||
binds remote port forwardings to the loopback address. This
|
||||
prevents other remote hosts from connecting to forwarded ports.
|
||||
binds remote port forwardings to the loopback address.
|
||||
This prevents other remote hosts from connecting to forwarded ports.
|
||||
.Cm GatewayPorts
|
||||
can be used to specify that
|
||||
.Nm sshd
|
||||
@ -370,7 +370,8 @@ is not specified,
|
||||
will listen on the address and all prior
|
||||
.Cm Port
|
||||
options specified. The default is to listen on all local
|
||||
addresses. Multiple
|
||||
addresses.
|
||||
Multiple
|
||||
.Cm ListenAddress
|
||||
options are permitted. Additionally, any
|
||||
.Cm Port
|
||||
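Review bot: `options specified. The default is to listen on all local` and `options are permitted. Additionally, any` are context lines in this hunk that still break a sentence mid-line, while the line between them is being split for new-sentence-new-line; split these two as well (`options specified.` / `The default is to listen on all local` and `options are permitted.` / `Additionally, any`) so the ListenAddress paragraph is consistent.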
@ -385,10 +386,10 @@ Gives the verbosity level that is used when logging messages from
|
||||
.Nm sshd .
|
||||
The possible values are:
|
||||
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
|
||||
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
|
||||
and DEBUG3 each specify higher levels of debugging output.
|
||||
Logging with a DEBUG level violates the privacy of users
|
||||
and is not recommended.
|
||||
The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||
.It Cm MACs
|
||||
Specifies the available MAC (message authentication code) algorithms.
|
||||
The MAC algorithm is used in protocol version 2
|
||||
@ -599,16 +600,18 @@ will be disabled because
|
||||
.Xr login 1
|
||||
does not know how to handle
|
||||
.Xr xauth 1
|
||||
cookies. If
|
||||
cookies.
|
||||
If
|
||||
.Cm UsePrivilegeSeparation
|
||||
is specified, it will be disabled after authentication.
|
||||
.It Cm UsePrivilegeSeparation
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
separates privileges by creating an unprivileged child process
|
||||
to deal with incoming network traffic. After successful authentication,
|
||||
another process will be created that has the privilege of the authenticated
|
||||
user. The goal of privilege separation is to prevent privilege
|
||||
to deal with incoming network traffic.
|
||||
After successful authentication, another process will be created that has
|
||||
the privilege of the authenticated user.
|
||||
The goal of privilege separation is to prevent privilege
|
||||
escalation by containing any corruption within the unprivileged processes.
|
||||
The default is
|
||||
.Dq yes .
|
||||
@ -666,7 +669,8 @@ is enabled.
|
||||
Specifies whether
|
||||
.Nm sshd
|
||||
should bind the X11 forwarding server to the loopback address or to
|
||||
the wildcard address. By default,
|
||||
the wildcard address.
|
||||
By default,
|
||||
.Nm sshd
|
||||
binds the forwarding server to the loopback address and sets the
|
||||
hostname part of the
|
||||
|