mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 10:00:14 +00:00
9ec2713d12
main clauses jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@ OpenBSD-Commit-ID: 9520801729bebcb3c9fe43ad7f9776ab4dd05ea3
94 lines
2.9 KiB
Groff
94 lines
2.9 KiB
Groff
.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
|
|
.\"
|
|
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd $Mdocdate: March 31 2022 $
|
|
.Dt SSH-KEYSIGN 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ssh-keysign
|
|
.Nd OpenSSH helper for host-based authentication
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is used by
|
|
.Xr ssh 1
|
|
to access the local host keys and generate the digital signature
|
|
required during host-based authentication.
|
|
.Pp
|
|
.Nm
|
|
is disabled by default and can only be enabled in the
|
|
global client configuration file
|
|
.Pa /etc/ssh/ssh_config
|
|
by setting
|
|
.Cm EnableSSHKeysign
|
|
to
|
|
.Dq yes .
|
|
.Pp
|
|
.Nm
|
|
is not intended to be invoked by the user, but from
|
|
.Xr ssh 1 .
|
|
See
|
|
.Xr ssh 1
|
|
and
|
|
.Xr sshd 8
|
|
for more information about host-based authentication.
|
|
.Sh FILES
|
|
.Bl -tag -width Ds -compact
|
|
.It Pa /etc/ssh/ssh_config
|
|
Controls whether
|
|
.Nm
|
|
is enabled.
|
|
.Pp
|
|
.It Pa /etc/ssh/ssh_host_dsa_key
|
|
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
|
.It Pa /etc/ssh/ssh_host_ed25519_key
|
|
.It Pa /etc/ssh/ssh_host_rsa_key
|
|
These files contain the private parts of the host keys used to
|
|
generate the digital signature.
|
|
They should be owned by root, readable only by root, and not
|
|
accessible to others.
|
|
Since they are readable only by root,
|
|
.Nm
|
|
must be set-uid root if host-based authentication is used.
|
|
.Pp
|
|
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
|
If these files exist, they are assumed to contain public certificate
|
|
information corresponding with the private keys above.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1 ,
|
|
.Xr ssh-keygen 1 ,
|
|
.Xr ssh_config 5 ,
|
|
.Xr sshd 8
|
|
.Sh HISTORY
|
|
.Nm
|
|
first appeared in
|
|
.Ox 3.2 .
|
|
.Sh AUTHORS
|
|
.An Markus Friedl Aq Mt markus@openbsd.org
|