- (djm) OpenBSD CVS Sync

- jmc@cvs.openbsd.org 2003/03/28 10:11:43
     [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
     [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
     - killed whitespace
     - new sentence new line
     - .Bk for arguments
     ok markus@
This commit is contained in:
Damien Miller 2003-04-01 21:42:14 +10:00
parent f18462f5bf
commit 495dca3518
11 changed files with 122 additions and 79 deletions

View File

@ -1,3 +1,14 @@
20030401
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
[scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
[ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- killed whitespace
- new sentence new line
- .Bk for arguments
ok markus@
20030326
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2003/03/26 04:02:51
@ -1259,4 +1270,4 @@
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
$Id: ChangeLog,v 1.2642 2003/03/26 05:01:11 djm Exp $
$Id: ChangeLog,v 1.2643 2003/04/01 11:42:14 djm Exp $

4
scp.1
View File

@ -9,7 +9,7 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.26 2003/01/28 17:24:51 stevesk Exp $
.\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $
.\"
.Dd September 25, 1999
.Dt SCP 1
@ -19,6 +19,7 @@
.Nd secure copy (remote file copy program)
.Sh SYNOPSIS
.Nm scp
.Bk -words
.Op Fl pqrvBC1246
.Op Fl F Ar ssh_config
.Op Fl S Ar program
@ -40,6 +41,7 @@
.Ar host2 No :
.Oc Ar file2
.Sm on
.Ek
.Sh DESCRIPTION
.Nm
copies files between hosts on a network.

26
sftp.1
View File

@ -1,4 +1,4 @@
.\" $OpenBSD: sftp.1,v 1.40 2003/01/10 08:19:07 fgsch Exp $
.\" $OpenBSD: sftp.1,v 1.41 2003/03/28 10:11:43 jmc Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@ -30,6 +30,7 @@
.Nd Secure file transfer program
.Sh SYNOPSIS
.Nm sftp
.Bk -words
.Op Fl vC1
.Op Fl b Ar batchfile
.Op Fl o Ar ssh_option
@ -40,10 +41,15 @@
.Op Fl R Ar num_requests
.Op Fl S Ar program
.Ar host
.Ek
.Nm sftp
.Op [\fIuser\fR@]\fIhost\fR[:\fIfile\fR [\fIfile\fR]]
.Oo Oo Ar user Ns No @ Oc Ns
.Ar host Ns Oo : Ns Ar file Oo
.Ar file Oc Oc Oc
.Nm sftp
.Op [\fIuser\fR@]\fIhost\fR[:\fIdir\fR[\fI/\fR]]
.Oo Oo Ar user Ns No @ Oc Ns
.Ar host Ns Oo : Ns Ar dir Ns
.Oo Ar / Oc Oc Oc
.Sh DESCRIPTION
.Nm
is an interactive file transfer program, similar to
@ -77,13 +83,13 @@ non-interactive authentication.
will abort if any of the following
commands fail:
.Ic get , put , rename , ln ,
.Ic rm , mkdir , chdir , ls ,
.Ic rm , mkdir , chdir , ls ,
.Ic lchdir , chmod , chown , chgrp , lpwd
and
.Ic lmkdir .
Termination on error can be suppressed on a command by command basis by
prefixing the command with a
.Ic '-'
Termination on error can be suppressed on a command by command basis by
prefixing the command with a
.Ic '-'
character (For example,
.Ic -rm /tmp/blah*
).
@ -95,19 +101,19 @@ in the format used in
This is useful for specifying options
for which there is no separate
.Nm sftp
command-line flag. For example, to specify an alternate
command-line flag. For example, to specify an alternate
port use:
.Ic sftp -oPort=24 .
.It Fl s Ar subsystem | sftp_server
Specifies the SSH2 subsystem or the path for an sftp server
on the remote host. A path is useful for using sftp over
on the remote host. A path is useful for using sftp over
protocol version 1, or when the remote
.Nm sshd
does not have an sftp subsystem configured.
.It Fl v
Raise logging level. This option is also passed to ssh.
.It Fl B Ar buffer_size
Specify the size of the buffer that
Specify the size of the buffer that
.Nm
uses when transferring files. Larger buffers require fewer round trips at
the cost of higher memory consumption. The default is 32768 bytes.

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-add.1,v 1.37 2003/02/10 11:51:47 markus Exp $
.\" $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -95,10 +95,11 @@ specified in
.Xr sshd_config 5 .
.It Fl c
Indicates that added identities should be subject to confirmation before
being used for authentication. Confirmation is performed by the
being used for authentication.
Confirmation is performed by the
.Ev SSH_ASKPASS
program mentioned below. Successful confirmation is signaled by a zero
exit status from the
program mentioned below.
Successful confirmation is signaled by a zero exit status from the
.Ev SSH_ASKPASS
program, rather than text entered into the requester.
.It Fl s Ar reader

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.36 2003/01/21 18:14:36 marc Exp $
.\" $OpenBSD: ssh-agent.1,v 1.37 2003/03/28 10:11:43 jmc Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -88,7 +88,7 @@ Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
.It Fl t Ar life
Set a default value for the maximum lifetime of identities added to the agent.
Set a default value for the maximum lifetime of identities added to the agent.
The lifetime may be specified in seconds or in a time format specified in
.Xr sshd 8 .
A lifetime specified for an identity with
@ -96,7 +96,8 @@ A lifetime specified for an identity with
overrides this value.
Without this option the default maximum lifetime is forever.
.It Fl d
Debug mode. When this option is specified
Debug mode.
When this option is specified
.Nm
will not fork.
.El

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.55 2002/11/26 02:35:30 stevesk Exp $
.\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $
.\"
.\" -*- nroff -*-
.\"
@ -45,12 +45,14 @@
.Nd authentication key generation, management and conversion
.Sh SYNOPSIS
.Nm ssh-keygen
.Bk -words
.Op Fl q
.Op Fl b Ar bits
.Fl t Ar type
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar output_keyfile
.Ek
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keyscan.1,v 1.14 2002/02/13 08:33:47 mpech Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@ -14,6 +14,7 @@
.Nd gather ssh public keys
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl v46
.Op Fl p Ar port
.Op Fl T Ar timeout
@ -21,10 +22,12 @@
.Op Fl f Ar file
.Op Ar host | addrlist namelist
.Op Ar ...
.Ek
.Sh DESCRIPTION
.Nm
is a utility for gathering the public ssh host keys of a number of
hosts. It was designed to aid in building and verifying
hosts.
It was designed to aid in building and verifying
.Pa ssh_known_hosts
files.
.Nm
@ -33,9 +36,11 @@ scripts.
.Pp
.Nm
uses non-blocking socket I/O to contact as many hosts as possible in
parallel, so it is very efficient. The keys from a domain of 1,000
parallel, so it is very efficient.
The keys from a domain of 1,000
hosts can be collected in tens of seconds, even when some of those
hosts are down or do not run ssh. For scanning, one does not need
hosts are down or do not run ssh.
For scanning, one does not need
login access to the machines that are being scanned, nor does the
scanning process involve any encryption.
.Pp
@ -44,12 +49,13 @@ The options are as follows:
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
Set the timeout for connection attempts. If
Set the timeout for connection attempts.
If
.Pa timeout
seconds have elapsed since a connection was initiated to a host or since the
last time anything was read from that host, then the connection is
closed and the host in question considered unavailable. Default is 5
seconds.
closed and the host in question considered unavailable.
Default is 5 seconds.
.It Fl t Ar type
Specifies the type of the key to fetch from the scanned hosts.
The possible values are

View File

@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keysign.8,v 1.5 2002/11/24 21:46:24 stevesk Exp $
.\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@ -62,8 +62,8 @@ Controls whether
is enabled.
.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature. They
should be owned by root, readable only by root, and not
generate the digital signature.
They should be owned by root, readable only by root, and not
accessible to others.
Since they are readable only by root,
.Nm

34
ssh.1
View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@ -48,6 +48,7 @@
.Op Ar command
.Pp
.Nm ssh
.Bk -words
.Op Fl afgknqstvxACNTX1246
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
@ -66,6 +67,8 @@
.Sm on
.Xc
.Oc
.Ek
.Bk -words
.Oo Fl R Xo
.Sm off
.Ar port :
@ -77,6 +80,7 @@
.Op Fl D Ar port
.Ar hostname | user@hostname
.Op Ar command
.Ek
.Sh DESCRIPTION
.Nm
(SSH client) is a program for logging into a remote machine and for
@ -361,7 +365,7 @@ variable is set to
.Fl A
and
.Fl a
options described later) and
options described later) and
the user is using an authentication agent, the connection to the agent
is automatically forwarded to the remote side.
.Pp
@ -403,10 +407,11 @@ Disables forwarding of the authentication agent connection.
Enables forwarding of the authentication agent connection.
This can also be specified on a per-host basis in a configuration file.
.Pp
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the agent's
Unix-domain socket) can access the local agent through the forwarded
connection. An attacker cannot obtain key material from the agent,
Agent forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the agent's Unix-domain socket)
can access the local agent through the forwarded connection.
An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Fl b Ar bind_address
@ -428,8 +433,8 @@ is only supported in the
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
cipher. Its use is strongly discouraged due to cryptographic
weaknesses.
cipher.
Its use is strongly discouraged due to cryptographic weaknesses.
.It Fl c Ar cipher_spec
Additionally, for protocol version 2 a comma-separated list of ciphers can
be specified in order of preference.
@ -566,11 +571,11 @@ Disables X11 forwarding.
Enables X11 forwarding.
This can also be specified on a per-host basis in a configuration file.
.Pp
X11 forwarding should be enabled with caution. Users with the ability
to bypass file permissions on the remote host (for the user's X
authorization database) can access the local X11 display through the
forwarded connection. An attacker may then be able to perform
activities such as keystroke monitoring.
X11 forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the user's X authorization database)
can access the local X11 display through the forwarded connection.
An attacker may then be able to perform activities such as keystroke monitoring.
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11 and TCP/IP connections).
@ -637,7 +642,8 @@ This works by allocating a socket to listen to
on the local side, and whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine. Currently the SOCKS4 protocol is supported, and
remote machine.
Currently the SOCKS4 protocol is supported, and
.Nm
will act as a SOCKS4 server.
Only root can forward privileged ports.

View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.6 2003/02/06 09:27:29 markus Exp $
.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@ -176,8 +176,8 @@ is only supported in the
client for interoperability with legacy protocol 1 implementations
that do not support the
.Ar 3des
cipher. Its use is strongly discouraged due to cryptographic
weaknesses.
cipher.
Its use is strongly discouraged due to cryptographic weaknesses.
The default is
.Dq 3des .
.It Cm Ciphers
@ -193,7 +193,8 @@ The default is
.It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings
specified in the configuration files or on the command line be
cleared. This option is primarily useful when used from the
cleared.
This option is primarily useful when used from the
.Nm ssh
command line to clear port forwardings set in
configuration files, and is automatically set by
@ -230,13 +231,14 @@ The default is 1.
Specifies that a TCP/IP port on the local machine be forwarded
over the secure channel, and the application
protocol is then used to determine where to connect to from the
remote machine. The argument must be a port number.
remote machine.
The argument must be a port number.
Currently the SOCKS4 protocol is supported, and
.Nm ssh
will act as a SOCKS4 server.
Multiple forwardings may be specified, and
additional forwardings can be given on the command line. Only
the superuser can forward privileged ports.
additional forwardings can be given on the command line.
Only the superuser can forward privileged ports.
.It Cm EscapeChar
Sets the escape character (default:
.Ql ~ ) .
@ -259,10 +261,11 @@ or
The default is
.Dq no .
.Pp
Agent forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the agent's
Unix-domain socket) can access the local agent through the forwarded
connection. An attacker cannot obtain key material from the agent,
Agent forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the agent's Unix-domain socket)
can access the local agent through the forwarded connection.
An attacker cannot obtain key material from the agent,
however they can perform operations on the keys that enable them to
authenticate using the identities loaded into the agent.
.It Cm ForwardX11
@ -277,18 +280,18 @@ or
The default is
.Dq no .
.Pp
X11 forwarding should be enabled with caution. Users with the ability
to bypass file permissions on the remote host (for the user's X
authorization database) can access the local X11 display through the
forwarded connection. An attacker may then be able to perform
activities such as keystroke monitoring.
X11 forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
(for the user's X authorization database)
can access the local X11 display through the forwarded connection.
An attacker may then be able to perform activities such as keystroke monitoring.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.
By default,
.Nm ssh
binds local port forwardings to the loopback address. This
prevents other remote hosts from connecting to forwarded ports.
binds local port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm ssh
@ -395,8 +398,9 @@ Gives the verbosity level that is used when logging messages from
.Nm ssh .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
and DEBUG3 each specify higher levels of verbose output.
The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
.It Cm MACs
Specifies the MAC (message authentication code) algorithms
in order of preference.
@ -474,8 +478,8 @@ somewhere.
Host key management will be done using the
HostName of the host being connected (defaulting to the name typed by
the user).
Setting the command to
.Dq none
Setting the command to
.Dq none
disables this option entirely.
Note that
.Cm CheckHostIP

View File

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.14 2003/01/23 08:58:47 jmc Exp $
.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@ -211,8 +211,8 @@ Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Nm sshd
binds remote port forwardings to the loopback address. This
prevents other remote hosts from connecting to forwarded ports.
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that
.Nm sshd
@ -370,7 +370,8 @@ is not specified,
will listen on the address and all prior
.Cm Port
options specified. The default is to listen on all local
addresses. Multiple
addresses.
Multiple
.Cm ListenAddress
options are permitted. Additionally, any
.Cm Port
@ -385,10 +386,10 @@ Gives the verbosity level that is used when logging messages from
.Nm sshd .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users
and is not recommended.
The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used in protocol version 2
@ -599,16 +600,18 @@ will be disabled because
.Xr login 1
does not know how to handle
.Xr xauth 1
cookies. If
cookies.
If
.Cm UsePrivilegeSeparation
is specified, it will be disabled after authentication.
.It Cm UsePrivilegeSeparation
Specifies whether
.Nm sshd
separates privileges by creating an unprivileged child process
to deal with incoming network traffic. After successful authentication,
another process will be created that has the privilege of the authenticated
user. The goal of privilege separation is to prevent privilege
to deal with incoming network traffic.
After successful authentication, another process will be created that has
the privilege of the authenticated user.
The goal of privilege separation is to prevent privilege
escalation by containing any corruption within the unprivileged processes.
The default is
.Dq yes .
@ -666,7 +669,8 @@ is enabled.
Specifies whether
.Nm sshd
should bind the X11 forwarding server to the loopback address or to
the wildcard address. By default,
the wildcard address.
By default,
.Nm sshd
binds the forwarding server to the loopback address and sets the
hostname part of the