Diffstat (limited to 'usr/src/man')
| -rw-r--r-- | usr/src/man/man1/Makefile | 27 | ||||
| -rw-r--r-- | usr/src/man/man1/scp.sunssh.1 | 234 | ||||
| -rw-r--r-- | usr/src/man/man1/sftp.sunssh.1 | 592 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-add.sunssh.1 | 245 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-agent.sunssh.1 | 187 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-http-proxy-connect.sunssh.1 | 208 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-keygen.sunssh.1 | 409 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-keyscan.sunssh.1 | 248 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh-socks5-proxy-connect.sunssh.1 | 202 | ||||
| -rw-r--r-- | usr/src/man/man1/ssh.sunssh.1 | 979 | ||||
| -rw-r--r-- | usr/src/man/man1m/Makefile | 9 | ||||
| -rw-r--r-- | usr/src/man/man1m/sftp-server.sunssh.1m | 125 | ||||
| -rw-r--r-- | usr/src/man/man1m/ssh-keysign.sunssh.1m | 105 | ||||
| -rw-r--r-- | usr/src/man/man1m/sshd.sunssh.1m | 1433 | ||||
| -rw-r--r-- | usr/src/man/man4/Makefile | 6 | ||||
| -rw-r--r-- | usr/src/man/man4/ssh_config.sunssh.4 | 909 | ||||
| -rw-r--r-- | usr/src/man/man4/sshd_config.sunssh.4 | 1006 | ||||
| -rw-r--r-- | usr/src/man/man5/filesystem.5 | 14 |
18 files changed, 0 insertions, 6938 deletions
diff --git a/usr/src/man/man1/Makefile b/usr/src/man/man1/Makefile
index d5415d5f5c..4f73ebc9ee 100644
--- a/usr/src/man/man1/Makefile
+++ b/usr/src/man/man1/Makefile
@@ -328,7 +328,6 @@ MANFILES= acctcom.1 \
 rusers.1 \
 rwho.1 \
 sar.1 \
- scp.sunssh.1 \
 script.1 \
 sdiff.1 \
 sed.1 \
@@ -337,7 +336,6 @@ MANFILES= acctcom.1 \
 setfacl.1 \
 setlabel.1 \
 setpgrp.1 \
- sftp.sunssh.1 \
 shcomp.1 \
 shell_builtins.1 \
 shift.1 \
@@ -351,13 +349,6 @@ MANFILES= acctcom.1 \
 spell.1 \
 split.1 \
 srchtxt.1 \
- ssh.sunssh.1 \
- ssh-add.sunssh.1 \
- ssh-agent.sunssh.1 \
- ssh-http-proxy-connect.sunssh.1 \
- ssh-keygen.sunssh.1 \
- ssh-keyscan.sunssh.1 \
- ssh-socks5-proxy-connect.sunssh.1 \
 strchg.1 \
 strings.1 \
 strip.1 \
@@ -514,22 +505,13 @@ MANLINKS= batch.1 \
 rmail.1 \
 rmdir.1 \
 rmumount.1 \
- scp.1 \
 select.1 \
 setenv.1 \
 settime.1 \
- sftp.1 \
 sh.1 \
 snca.1 \
 source.1 \
 spellin.1 \
- ssh.1 \
- ssh-add.1 \
- ssh-agent.1 \
- ssh-http-proxy-connect.1 \
- ssh-keygen.1 \
- ssh-keyscan.1 \
- ssh-socks5-proxy-connect.1 \
 stop.1 \
 strconf.1 \
 switch.1 \
@@ -717,15 +699,6 @@ hashcheck.1 := LINKSRC = spell.1
 hashmake.1 := LINKSRC = spell.1
 spellin.1 := LINKSRC = spell.1
-scp.1 := LINKSRC = scp.sunssh.1
-sftp.1 := LINKSRC = sftp.sunssh.1
-ssh.1 := LINKSRC = ssh.sunssh.1
-ssh-add.1 := LINKSRC = ssh-add.sunssh.1
-ssh-agent.1 := LINKSRC = ssh-agent.sunssh.1
-ssh-http-proxy-connect.1 := LINKSRC = ssh-http-proxy-connect.sunssh.1
-ssh-keygen.1 := LINKSRC = ssh-keygen.sunssh.1
-ssh-keyscan.1 := LINKSRC = ssh-keyscan.sunssh.1
-ssh-socks5-proxy-connect.1 := LINKSRC = ssh-socks5-proxy-connect.sunssh.1
 strconf.1 := LINKSRC = strchg.1
diff --git a/usr/src/man/man1/scp.sunssh.1 b/usr/src/man/man1/scp.sunssh.1
deleted file mode 100644
index 5e61218d3d..0000000000
--- a/usr/src/man/man1/scp.sunssh.1
+++ /dev/null
@@ -1,234 +0,0 @@ -'\" te -.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the -.\" installed location. -.\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved. -.TH SCP 1 "Jun 22, 2007" -.SH NAME -scp \- secure copy (remote file copy program) -.SH SYNOPSIS -.LP -.nf -\fBscp\fR [\fB-pqrvBC46\fR] [\fB-F\fR \fIssh_config\fR] [\fB-S\fR \fIprogram\fR] [\fB-P\fR \fIport\fR] - [\fB-c\fR \fIcipher\fR] [\fB-i\fR \fIidentity_file\fR] [\fB-o\fR \fIssh_option\fR] - [ [\fIuser\fR@]\fIhost1\fR:]\fIfile1\fR []... [ [\fIuser\fR@]\fIhost2\fR:]\fIfile2\fR -.fi - -.SH DESCRIPTION -.LP -The \fBscp\fR utility copies files between hosts on a network. It uses -\fBssh\fR(1) for data transfer, and uses the same authentication and provides -the same security as \fBssh\fR(1). Unlike \fBrcp\fR(1), \fBscp\fR will ask for -passwords or passphrases if they are needed for authentication. -.sp -.LP -Any file name may contain a host and user specification to indicate that the -file is to be copied to/from that host. Copies between two remote hosts are -permitted. -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-4\fR\fR -.ad -.RS 20n -Forces \fBscp\fR to use IPv4 addresses only. -.RE - -.sp -.ne 2 -.na -\fB\fB-6\fR\fR -.ad -.RS 20n -Forces \fBscp\fR to use IPv6 addresses only. -.RE - -.sp -.ne 2 -.na -\fB\fB-B\fR\fR -.ad -.RS 20n -Selects batch mode. (Prevents asking for passwords or passphrases.) -.RE - -.sp -.ne 2 -.na -\fB\fB-c\fR \fIcipher\fR\fR -.ad -.RS 20n -Selects the cipher to use for encrypting the data transfer. This option is -directly passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-C\fR\fR -.ad -.RS 20n -Compression enable. Passes the \fB-C\fR flag to \fBssh\fR(1) to enable -compression. 
-.RE - -.sp -.ne 2 -.na -\fB\fB-F\fR \fIssh_config\fR\fR -.ad -.RS 20n -Specifies an alternative per-user configuration file for \fBssh\fR(1.). -.RE - -.sp -.ne 2 -.na -\fB\fB-i\fR \fIidentity_file\fR\fR -.ad -.RS 20n -Selects the file from which the identity (private key) for \fBRSA\fR -authentication is read. This option is directly passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-o\fR \fIssh_option\fR\fR -.ad -.RS 20n -The given option is directly passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-p\fR\fR -.ad -.RS 20n -Preserves modification times, access times, and modes from the original file. -.RE - -.sp -.ne 2 -.na -\fB\fB-P\fR \fIport\fR\fR -.ad -.RS 20n -Specifies the port to connect to on the remote host. Notice that this option is -written with a capital `P', because \fB-p\fR is already reserved for preserving -the times and modes of the file in \fBrcp\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-q\fR\fR -.ad -.RS 20n -Disables the progress meter. -.RE - -.sp -.ne 2 -.na -\fB\fB-r\fR\fR -.ad -.RS 20n -Recursively copies entire directories. -.RE - -.sp -.ne 2 -.na -\fB\fB-S\fR \fIprogram\fR\fR -.ad -.RS 20n -Specifies the name of the program to use for the encrypted connection. The -program must understand \fBssh\fR(1) options. -.RE - -.sp -.ne 2 -.na -\fB\fB-v\fR\fR -.ad -.RS 20n -Verbose mode. Causes \fBscp\fR and \fBssh\fR(1) to print debugging messages -about their progress. This is helpful in debugging connection, authentication, -and configuration problems. -.RE - -.SH OPERANDS -.LP -The following operands are supported: -.sp -.ne 2 -.na -\fB\fIhost1, host2,\fR...\fR -.ad -.RS 20n -The name(s) of the host from or to which the file is to be copied. -.RE - -.sp -.ne 2 -.na -\fB\fIfile1, file2,\fR...\fR -.ad -.RS 20n -The file(s) to be copied. -.RE - -.SH EXIT STATUS -.LP -The following exit values are returned: -.sp -.ne 2 -.na -\fB\fB0\fR\fR -.ad -.RS 5n -Successful completion. 
-.RE - -.sp -.ne 2 -.na -\fB\fB1\fR\fR -.ad -.RS 5n -An error occurred. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Evolving -.TE - -.SH SEE ALSO -.LP -\fBrcp\fR(1), \fBssh\fR(1), \fBssh-add\fR(1), \fBssh-agent\fR(1), -\fBssh-keygen\fR(1), \fBsshd\fR(1M), \fBssh_config\fR(4), \fBattributes\fR(5) -.SH NOTES -.LP -Generally, use of \fBscp\fR with password or keyboard-interactive -authentication method and two remote hosts does not work. It does work with -either the \fBpubkey\fR, \fBhostbased\fR or \fBgssapi-keyex\fR authentication -method. For the \fBpubkey\fR authentication method, either private keys not -protected by a passphrase, or an explicit \fBssh\fR agent forwarding have to -be used. The \fBgssapi-keyex\fR authentication method works with the -\fBkerberos_v5\fR GSS-API mechanism, but only if the -\fBGSSAPIDelegateCredentials\fR option is enabled. diff --git a/usr/src/man/man1/sftp.sunssh.1 b/usr/src/man/man1/sftp.sunssh.1 deleted file mode 100644 index 3e7a285660..0000000000 --- a/usr/src/man/man1/sftp.sunssh.1 +++ /dev/null 
@@ -1,592 +0,0 @@ -'\" te -.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the specified path to access -.\" the file at the installed location. -.\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved. -.TH SFTP 1 "Nov 8, 2007" -.SH NAME -sftp \- secure file transfer program -.SH SYNOPSIS -.LP -.nf -\fBsftp\fR [\fB-1Cv\fR] [\fB-B\fR \fIbuffer_size\fR] [\fB-b\fR \fIbatchfile\fR] [\fB-F\fR \fIssh_config\fR] - [\fB-o\fR \fIssh_option\fR] [\fB-P\fR \fIsftp_server_path\fR] [\fB-R\fR \fInum_requests\fR] - [\fB-S\fR \fIprogram\fR] [\fB-s\fR \fIsubsystem\fR | \fIsftp_server\fR] \fIhost\fR -.fi - -.LP -.nf -\fBsftp\fR [[\fIuser\fR\fB@\fR]\fIhost\fR[\fB:\fR\fIfile\fR [\fIfile\fR]]] -.fi - -.LP -.nf -\fBsftp\fR [[\fIuser\fR\fB@\fR]\fIhost\fR[:\fIdir\fR[\fB/\fR]]] -.fi - -.LP -.nf -\fBsftp\fR \fB-b\fR \fIbatchfile\fR [\fIuser\fR\fB@\fR]\fIhost\fR -.fi - -.SH DESCRIPTION -.LP -The \fBsftp\fR utility is an interactive file transfer program with a user -interface similar to \fBftp\fR(1) that uses the \fBssh\fR(1) command to create -a secure connection to the server. -.sp -.LP -\fBsftp\fR implements the SSH File Transfer Protocol as defined in IETF -\fBdraft-ietf-secsh-filexfer\fR. There is no relationship between the protocol -used by \fBsftp\fR and the FTP protocol (\fIRFC 959\fR) provided by -\fBftp\fR(1). -.sp -.LP -The first usage format causes \fBsftp\fR to connect to the specified host and -enter an interactive mode. If a username was provided then \fBsftp\fR tries to -log in as the specified user. If a directory is provided then \fBsftp\fR tries -to change the current directory on the server to the specified directory before -entering the interactive mode. 
-.sp -.LP -The second usage format retrieves the specified file from the server and copies -it to the specified target file or directory on the client. If a username is -specified \fBsftp\fR tries to log in as the specified user. -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-b\fR \fIbatchfile\fR\fR -.ad -.RS 30n -Batch mode reads a series of commands from an input \fIbatchfile\fR instead of -\fBstdin\fR. Since it lacks user interaction, it should be used in conjunction -with non-interactive authentication. A batchfile of \fB-\fR can be used to -indicate standard input. \fBsftp\fR aborts if any of the following commands -fail: \fBget\fR, \fBput\fR, \fBrm\fR, \fBrename\fR, \fBln\fR, \fBrm\fR, -\fBmkdir\fR, \fBchdir\fR, \fBls\fR, \fBlchdir\fR, \fBchmod\fR, \fBchown\fR, -\fBchgrp\fR, \fBlpwd\fR, and \fBlmkdir\fR. Termination on error can be -suppressed on a command by command basis by prefixing the command with a -\fB-\fR character (for example, \fB-rm /tmp/blah*\fR). -.RE - -.sp -.ne 2 -.na -\fB\fB-B\fR \fIbuffer_size\fR\fR -.ad -.RS 30n -Specifies the size of the buffer that \fBsftp\fR uses when transferring files. -Larger buffers require fewer round trips at the cost of higher memory -consumption. The default is 32768 bytes. -.RE - -.sp -.ne 2 -.na -\fB\fB-C\fR\fR -.ad -.RS 30n -Enables compression, using the \fB-C\fR flag in \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-F\fR \fIssh_config\fR\fR -.ad -.RS 30n -Specifies an alternative per-user configuration file for \fBssh\fR. This option -is directly passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-o\fR \fIssh_option\fR\fR -.ad -.RS 30n -Specifies an option to be directly passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-P\fR \fIsftp_server path\fR\fR -.ad -.RS 30n -Executes the specified path as an \fIsftp-server\fR and uses a pipe, rather -than an \fBssh\fR connection, to communicate with it. This option can be useful -in debugging the \fBsftp\fR client and server. 
The \fB-P\fR and \fB-S\fR -options are mutually exclusive. -.RE - -.sp -.ne 2 -.na -\fB\fB-R\fR \fInum_requests\fR\fR -.ad -.RS 30n -Specifies how many requests can be outstanding at any one time. Increasing this -can slightly improve file transfer speed but increases memory usage. The -default is 16 outstanding requests. -.RE - -.sp -.ne 2 -.na -\fB\fB-s\fR \fIsubsystem\fR | \fIsftp_server\fR\fR -.ad -.RS 30n -Specifies the \fBSSH2\fR subsystem or the path for an \fBsftp\fR server on the -remote host. A path is useful for using \fBsftp\fR over protocol version 1, or -when the remote \fBsshd\fR does not have an \fBsftp\fR subsystem configured. -.RE - -.sp -.ne 2 -.na -\fB\fB-S\fR \fIssh_program\fR \fIpath\fR\fR -.ad -.RS 30n -Uses the specified program instead of \fBssh\fR(1) to connect to the \fBsftp\fR -server. The \fB-P\fR and \fB-S\fR options are mutually exclusive. The program -must understand \fBssh\fR(1) options. -.RE - -.sp -.ne 2 -.na -\fB\fB-v\fR\fR -.ad -.RS 30n -Raises logging level. This option is also passed to \fBssh\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fB-1\fR\fR -.ad -.RS 30n -Specifies the use of protocol version 1. -.RE - -.SH OPERANDS -.LP -The following operands are supported: -.sp -.ne 2 -.na -\fB\fIhostname\fR | \fIuser@hostname\fR\fR -.ad -.RS 28n -The name of the host to which \fBsftp\fR connects and logs into. -.RE - -.SH INTERACTIVE COMMANDS -.LP -Once in interactive mode, \fBsftp\fR understands a set of commands similar to -those of \fBftp\fR(1). Commands are case insensitive and path names can be -enclosed in quotes if they contain spaces. -.sp -.ne 2 -.na -\fB\fBbye\fR\fR -.ad -.sp .6 -.RS 4n -Quits \fBsftp\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBcd\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Changes remote directory to \fIpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBchgrp\fR \fIgrp path\fR\fR -.ad -.sp .6 -.RS 4n -Changes group of file \fIpath\fR to \fIgrp\fR. \fIgrp\fR must be a numeric -\fBGID\fR. 
-.RE - -.sp -.ne 2 -.na -\fB\fBchmod\fR \fImode path\fR\fR -.ad -.sp .6 -.RS 4n -Changes permissions of file \fIpath\fR to \fImode\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBchown\fR \fIown path\fR\fR -.ad -.sp .6 -.RS 4n -Changes owner of file \fIpath\fR to \fIown\fR. \fIown\fR must be a numeric -\fBUID\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBexit\fR\fR -.ad -.sp .6 -.RS 4n -Quits \fBsftp\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBget\fR [\fIflags\fR] \fIremote-path\fR [\fIlocal-path\fR]\fR -.ad -.sp .6 -.RS 4n -Retrieves the \fIremote-path\fR and stores it on the local machine. If the -local path name is not specified, it is specified the same name it has on the -remote machine. If the \fB-P\fR flag is specified, then the file's full -permission and access time are copied too. -.RE - -.sp -.ne 2 -.na -\fB\fBhelp\fR\fR -.ad -.sp .6 -.RS 4n -Displays help text. -.sp -Identical to the \fB?\fR command. -.RE - -.sp -.ne 2 -.na -\fB\fBlcd\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Changes local directory to \fIpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBlls\fR [\fIls-options\fR [\fIpath\fR]]\fR -.ad -.sp .6 -.RS 4n -Displays local directory listing of either \fIpath\fR or current directory if -\fIpath\fR is not specified. -.RE - -.sp -.ne 2 -.na -\fB\fBlmkdir\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Creates local directory specified by \fIpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBln\fR \fIoldpath\fR \fInewpath\fR\fR -.ad -.sp .6 -.RS 4n -Creates a link from \fIoldpath\fR to \fInewpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBlpwd\fR\fR -.ad -.sp .6 -.RS 4n -Prints local working directory. -.RE - -.sp -.ne 2 -.na -\fB\fBls\fR [\fB-1aflnrSt\fR] [\fIpath\fR]\fR -.ad -.sp .6 -.RS 4n -Displays remote directory listing of either \fIpath\fR or current directory if -\fIpath\fR is not specified. \fIpath\fR can contain wildcards. -.sp -The \fBls\fR supports the following options: -.sp -.ne 2 -.na -\fB\fB-a\fR\fR -.ad -.RS 6n -Lists files beginning with a dot (\fB\&.\fR). 
-.RE - -.sp -.ne 2 -.na -\fB\fB-f\fR\fR -.ad -.RS 6n -Does not sort the listing. The default sort order is lexicographical. -.RE - -.sp -.ne 2 -.na -\fB\fB-l\fR\fR -.ad -.RS 6n -Displays additional details including permissions and ownership information. -.RE - -.sp -.ne 2 -.na -\fB\fB-n\fR\fR -.ad -.RS 6n -Produces a long listing with user and group information presented numerically. -.RE - -.sp -.ne 2 -.na -\fB\fB-r\fR\fR -.ad -.RS 6n -Reverses the sort order of the listing. -.RE - -.sp -.ne 2 -.na -\fB\fB-S\fR\fR -.ad -.RS 6n -Sorts the listing by file size. -.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR\fR -.ad -.RS 6n -Sorts the listing by last modification time. -.RE - -.sp -.ne 2 -.na -\fB\fB-1\fR\fR -.ad -.RS 6n -Produces single column output. -.RE - -.RE - -.sp -.ne 2 -.na -\fB\fBlumask\fR \fIumask\fR\fR -.ad -.sp .6 -.RS 4n -Sets local \fBumask\fR to \fIumask\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBmkdir\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Creates remote directory specified by \fIpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBput\fR [\fIflags\fR] \fIlocal-path\fR [\fIlocal-path\fR]\fR -.ad -.sp .6 -.RS 4n -Uploads \fIlocal-path\fR and stores it on the remote machine. If the remote -path name is not specified, it is specified the same name it has on the local -machine. If the \fB-P\fR flag is specified, then the file's full permission and -access time are copied too. -.RE - -.sp -.ne 2 -.na -\fB\fBpwd\fR\fR -.ad -.sp .6 -.RS 4n -Displays remote working directory. -.RE - -.sp -.ne 2 -.na -\fB\fBquit\fR\fR -.ad -.sp .6 -.RS 4n -Quits \fBsftp\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBrename\fR \fIoldpath newpath\fR\fR -.ad -.sp .6 -.RS 4n -Renames remote file from \fIoldpath\fR to \fInewpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBrm\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Deletes remote file specified by \fIpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBrmdir\fR \fIpath\fR\fR -.ad -.sp .6 -.RS 4n -Removes remote directory specified by \fIpath\fR. 
-.RE - -.sp -.ne 2 -.na -\fB\fBsymlink\fR \fIoldpath\fR \fInewpath\fR\fR -.ad -.sp .6 -.RS 4n -Creates a symbolic link from \fIoldpath\fR to \fInewpath\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBversion\fR\fR -.ad -.sp .6 -.RS 4n -Displays the \fBsftp\fR protocol version. -.RE - -.sp -.ne 2 -.na -\fB\fB#\fR [\fIcomment\fR]\fR -.ad -.sp .6 -.RS 4n -Include a comment. This is useful in batch files. -.RE - -.sp -.ne 2 -.na -\fB\fB!\fR [\fIcommand\fR]\fR -.ad -.sp .6 -.RS 4n -If \fIcommand\fR is not specified, escapes to the local shell. -.sp -If \fIcommand\fR is specified, executes \fIcommand\fR in the local shell. -.RE - -.sp -.ne 2 -.na -\fB\fB?\fR\fR -.ad -.sp .6 -.RS 4n -Displays help text. -.sp -Identical to the \fBhelp\fR command. -.RE - -.SH EXIT STATUS -.LP -The following exit values are returned: -.sp -.ne 2 -.na -\fB\fB0\fR\fR -.ad -.RS 6n -Successful completion. -.RE - -.sp -.ne 2 -.na -\fB\fB>0\fR\fR -.ad -.RS 6n -An error occurred. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Committed -.TE - -.SH SEE ALSO -.LP -\fBftp\fR(1), \fBscp\fR(1), \fBssh\fR(1), \fBssh-add\fR(1), -\fBssh-keygen\fR(1), \fBsshd\fR(1M), \fBattributes\fR(5) diff --git a/usr/src/man/man1/ssh-add.sunssh.1 b/usr/src/man/man1/ssh-add.sunssh.1 deleted file mode 100644 index 7de85f56fa..0000000000 --- a/usr/src/man/man1/ssh-add.sunssh.1 +++ /dev/null 
@@ -1,245 +0,0 @@ -'\" te -.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the -.\" installed location. -.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.TH SSH-ADD 1 "May 20, 2009" -.SH NAME -ssh-add \- add RSA or DSA identities to the authentication agent -.SH SYNOPSIS -.LP -.nf -\fBssh-add\fR [\fB-lLdDxX\fR] [\fB-t\fR \fIlife\fR] [ \fIfile\fR ]... -.fi - -.SH DESCRIPTION -.LP -The \fBssh-add\fR utility adds \fBRSA\fR or \fBDSA\fR identities to the -authentication agent, \fBssh-agent\fR(1). When run without arguments, it -attempts to add all of the files \fB$HOME/.ssh/identity\fR (RSA v1), -\fB$HOME/.ssh/id_rsa\fR (RSA v2), and \fB$HOME/.ssh/id_dsa\fR (DSA v2) that -exist. If more than one of the private keys exists, an attempt to decrypt each -with the same passphrase is made before reprompting for a different passphrase. -The passphrase is read from the user's tty or by running the program defined in -\fBSSH_ASKPASS\fR (see below). -.sp -.LP -The authentication agent must be running. -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-d\fR\fR -.ad -.RS 11n -Instead of adding the identity, this option \fBremoves\fR the identity from the -agent. -.RE - -.sp -.ne 2 -.na -\fB\fB-D\fR\fR -.ad -.RS 11n -Deletes all identities from the agent. -.RE - -.sp -.ne 2 -.na -\fB\fB-l\fR\fR -.ad -.RS 11n -Lists fingerprints of all identities currently represented by the agent. -.RE - -.sp -.ne 2 -.na -\fB\fB-L\fR\fR -.ad -.RS 11n -Lists public key parameters of all identities currently represented by the -agent. -.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR \fIlife\fR\fR -.ad -.RS 11n -Sets a maximum lifetime when adding identities to an agent. 
The lifetime can be -specified in seconds or in a time format specified in \fBsshd\fR(1M). -.RE - -.sp -.ne 2 -.na -\fB\fB-x\fR\fR -.ad -.RS 11n -Locks the agent with a password. -.RE - -.sp -.ne 2 -.na -\fB\fB-X\fR\fR -.ad -.RS 11n -Unlocks the agent. -.RE - -.SH ENVIRONMENT VARIABLES -.ne 2 -.na -\fB\fBDISPLAY\fR\fR -.ad -.br -.na -\fB\fBSSH_ASKPASS\fR\fR -.ad -.RS 17n -If \fBssh-add\fR needs a passphrase, it reads the passphrase from the current -terminal if it was run from a terminal. If \fBssh-add\fR does not have a -terminal associated with it but \fBDISPLAY\fR and \fBSSH_ASKPASS\fR are set, it -executes the program specified by \fBSSH_ASKPASS\fR and open an X11 window to -read the passphrase. This is particularly useful when calling \fBssh-add\fR -from a .Xsession or related script. The system is shipped with -\fB/usr/lib/ssh/ssh-askpass\fR which is the default value for -\fBSSH_ASKPASS\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBSSH_AUTH_SOCK\fR\fR -.ad -.RS 17n -Identifies the path of a unix-domain socket used to communicate with the agent. -.RE - -.SH EXIT STATUS -.LP -The following exit values are returned: -.sp -.ne 2 -.na -\fB\fB0\fR\fR -.ad -.RS 5n -Successful completion. -.RE - -.sp -.ne 2 -.na -\fB\fB1\fR\fR -.ad -.RS 5n -An error occurred. -.RE - -.SH FILES -.LP -These files should not be readable by anyone but the user. Notice that -\fBssh-add\fR ignores a file if it is accessible by others. It is possible to -specify a passphrase when generating the key; that passphrase is used to -encrypt the private part of this file. -.sp -.LP -If these files are stored on a network file system it is assumed that either -the protection provided in the file themselves or the transport layer of the -network file system provides sufficient protection for the site policy. If this -is not the case, then it is recommended the key files are stored on removable -media or locally on the relevant hosts. 
-.sp -.LP -Recommended names for the \fBDSA\fR and \fBRSA\fR key files: -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/identity\fR\fR -.ad -.RS 28n -Contains the \fBRSA\fR authentication identity of the user for protocol version -1. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/identity.pub\fR\fR -.ad -.RS 28n -Contains the public part of the \fBRSA\fR authentication identity of the user -for protocol version 1. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/id_dsa\fR\fR -.ad -.RS 28n -Contains the private \fBDSA\fR authentication identity of the user. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/id_dsa.pub\fR\fR -.ad -.RS 28n -Contains the public part of the DSA authentication identity of the user. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/id_rsa\fR\fR -.ad -.RS 28n -Contains the private \fBRSA\fR authentication identity of the user. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/id_rsa.pub\fR\fR -.ad -.RS 28n -Contains the public part of the \fBRSA\fR authentication identity of the user. -.RE - -.sp -.ne 2 -.na -\fB\fB/usr/lib/ssh/ssh-askpass\fR\fR -.ad -.RS 28n -Contains the default value for SSH_ASKPASS. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Committed -.TE - -.SH SEE ALSO -.LP -\fBssh\fR(1), \fBssh-agent\fR(1), \fBssh-keygen\fR(1), \fBsshd\fR(1M), -\fBattributes\fR(5) diff --git a/usr/src/man/man1/ssh-agent.sunssh.1 b/usr/src/man/man1/ssh-agent.sunssh.1 deleted file mode 100644 index cabafb3e59..0000000000 --- a/usr/src/man/man1/ssh-agent.sunssh.1 +++ /dev/null 
@@ -1,187 +0,0 @@ -'\" te -.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the -.\" installed location. -.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.TH SSH-AGENT 1 "Aug 17, 2009" -.SH NAME -ssh-agent \- authentication agent -.SH SYNOPSIS -.LP -.nf -\fBssh-agent\fR [\fB-a\fR \fIbind_address\fR] [\fB-c\fR | \fB-s\fR ] [\fB-d\fR] - [-t \fIlife\fR] [\fIcommand\fR [\fIargs\fR]...] -.fi - -.LP -.nf -\fBssh-agent\fR [\fB-c\fR | \fB-s\fR] \fB-k\fR -.fi - -.SH DESCRIPTION -.LP -\fBssh-agent\fR is a program to hold private keys used for public key -authentication (\fBRSA\fR, \fBDSA\fR). \fBssh-agent\fR is often started at the -beginning of a login session. All other windows or programs are started as -clients to the \fBssh-agent\fR program. Through use of environment variables, -the agent can be located and automatically used for authentication when logging -in to other machines using \fBssh\fR(1). See the \fISystem Administration -Guide: Security Services\fR. -.sp -.LP -If a command line is given, this is executed as a subprocess of the agent. When -the command dies, so does the agent. -.sp -.LP -The agent initially does not have any private keys. Keys are added using -\fBssh-add\fR(1), which sends the identity to the agent. Several identities can -be stored in the agent; the agent can automatically use any of these -identities. Use the \fB-l\fR option in \fBssh-add\fR(1) to display the -identities currently held by the agent. -.sp -.LP -The agent is run in the user's local host. Authentication data need not be -stored on any other machine, and authentication passphrases never go over the -network. 
However, if the connection to the agent is forwarded over \fBSSH\fR -remote logins, the user can use the privileges given by the identities anywhere -in the network in a secure way. -.sp -.LP -There are two main ways to get an agent setup. Either you let the agent start a -new subcommand into which some environment variables are exported, or you let -the agent print the needed shell commands (either \fBsh\fR(1) or \fBcsh\fR(1) -syntax can be generated) which can be evalled in the calling shell. Later, use -\fBssh\fR(1) to look at these variables and use them to establish a connection -to the agent. -.sp -.LP -A unix-domain socket is created (\fB/tmp/ssh-XXXXXXXX/agent.\fIpid\fR\fR) and -the name of this socket is stored in the \fBSSH_AUTH_SOCK\fR environment -variable. The socket is made accessible only to the current user. This method -is easily abused by root or another instance of the same user. -.sp -.LP -The \fBSSH_AGENT_PID\fR environment variable holds the agent's \fBPID\fR. -.sp -.LP -The agent exits automatically when the command given on the command line -terminates. -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-a\fR \fIbind_address\fR\fR -.ad -.RS 19n -Binds the agent to the unix-domain socket bind_address. The default is -\fB/tmp/ssh-XXXXXXXX/agent.\fIpid\fR\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB-c\fR\fR -.ad -.RS 19n -Generates C-shell commands on stdout. This is the default if \fBSHELL\fR -indicates that it is a csh style of shell. -.RE - -.sp -.ne 2 -.na -\fB\fB-d\fR\fR -.ad -.RS 19n -Debug mode. When this option is specified, \fBssh-agent\fR does not fork. -.RE - -.sp -.ne 2 -.na -\fB\fB-k\fR\fR -.ad -.RS 19n -Kills the current agent (given by the \fBSSH_AGENT_PID\fR environment -variable). -.RE - -.sp -.ne 2 -.na -\fB\fB-s\fR\fR -.ad -.RS 19n -Generates Bourne shell commands on stdout. This is the default if \fBSHELL\fR -does not indicate that it is a csh style of shell. 
-.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR \fIlife\fR\fR -.ad -.RS 19n -Set a default value for the maximum lifetime (\fIlife\fR) of identities added -to the agent. \fIlife\fR can be specified in seconds or in a time format -specified in \fBsshd_config\fR(4). \fIlife\fR specified for an identity with -\fBssh-add\fR(1) overrides this value. Without this option the default maximum -\fIlife\fR is forever. -.RE - -.SH EXIT STATUS -.LP -The following exit values are returned: -.sp -.ne 2 -.na -\fB\fB0\fR\fR -.ad -.RS 5n -Successful completion. -.RE - -.sp -.ne 2 -.na -\fB\fB1\fR\fR -.ad -.RS 5n -An error occurred. -.RE - -.SH FILES -.ne 2 -.na -\fB\fB/tmp/ssh-XXXXXXXX/agent.\fIpid\fR\fR\fR -.ad -.sp .6 -.RS 4n -Unix-domain sockets used to contain the connection to the authentication agent. -These sockets should only be readable by the owner. The sockets are removed -when the agent exits. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Committed -.TE - -.SH SEE ALSO -.LP -\fBssh\fR(1), \fBssh-add\fR(1), \fBssh-keygen\fR(1), \fBsshd\fR(1M), -\fBsshd_config\fR(4), \fBattributes\fR(5) -.sp -.LP -\fISystem Administration Guide: Security Services\fR diff --git a/usr/src/man/man1/ssh-http-proxy-connect.sunssh.1 b/usr/src/man/man1/ssh-http-proxy-connect.sunssh.1 deleted file mode 100644 index a12395ccb4..0000000000 --- a/usr/src/man/man1/ssh-http-proxy-connect.sunssh.1 +++ /dev/null 
@@ -1,208 +0,0 @@
-'\" te
-.\" Copyright (c) 2001, Sun Microsystems, Inc. All Rights Reserved
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
-.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
-.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSH-HTTP-PROXY-CONNECT 1 "Oct 24, 2001"
-.SH NAME
-ssh-http-proxy-connect \- Secure Shell proxy for HTTP
-.SH SYNOPSIS
-.LP
-.nf
-\fB/usr/lib/ssh/ssh-http-proxy-connect\fR [\fB-h\fR \fIhttp_proxy_host\fR]
- [\fB-p\fR \fIhttp_proxy_port\fR] \fIconnect_host\fR \fIconnect_port\fR
-.fi
-
-.SH DESCRIPTION
-.LP
-A proxy command for \fBssh\fR(1) that uses HTTP CONNECT. Typical use is where
-connections external to a network are only allowed via a proxy web server.
-.SH OPTIONS
-.LP
-The following options are supported:
-.sp
-.ne 2
-.na
-\fB\fB-h\fR \fIhttp_proxy_host\fR\fR
-.ad
-.RS 22n
-Specifies the proxy web server through which to connect. Overrides the
-\fBHTTPPROXY\fR and \fBhttp_proxy\fR environment variables if they are set.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-p\fR \fIhttp_proxy_port\fR\fR
-.ad
-.RS 22n
-Specifies the port on which the proxy web server runs. If not specified, port
-80 is assumed. Overrides the \fBHTTPPROXYPORT\fR and \fBhttp_proxy\fR
-environment variables if they are set.
-.RE - -.SH OPERANDS -.LP -The following operands are supported: -.sp -.ne 2 -.na -\fB\fIhttp_proxy_host\fR\fR -.ad -.RS 19n -The host name or IP address (IPv4 or IPv6) of the proxy. -.RE - -.sp -.ne 2 -.na -\fB\fIhttp_proxy_port\fR\fR -.ad -.RS 19n -The numeric port number to connect to on \fIhttp_proxy_host\fR. -.RE - -.sp -.ne 2 -.na -\fB\fIconnect_host\fR\fR -.ad -.RS 19n -The name of the remote host to which the proxy web server is to connect you. -.RE - -.sp -.ne 2 -.na -\fB\fIconnect_port\fR\fR -.ad -.RS 19n -The numeric port number of the proxy web server to connect you to on -\fIhttp_proxy_host\fR. -.RE - -.SH EXAMPLES -.LP -The recommended way to use a proxy connection command is to configure the -\fBProxyCommand\fR in \fBssh_config\fR(4) (see Example 1 and Example 2). -Example 3 shows how the proxy command can be specified on the command line when -running \fBssh\fR(1). -.LP -\fBExample 1 \fRSetting the proxy from the environment -.sp -.LP -The following example uses \fBssh-http-proxy-connect\fR in \fBssh_config\fR(4) -when the proxy is set from the environment: - -.sp -.in +2 -.nf -\fBHost playtime.foo.com - ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect \e - playtime.foo.com 22\fR -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fROverriding proxy environment variables -.sp -.LP -The following example uses \fBssh-http-proxy-connect\fR in \fBssh_config\fR(4) -to override (or if not set) proxy environment variables: - -.sp -.in +2 -.nf -\fBHost playtime.foo.com - ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h webcache \e - -p 8080 playtime.foo.com 22\fR -.fi -.in -2 -.sp - -.LP -\fBExample 3 \fRUsing the command line -.sp -.LP -The following example uses \fBssh-http-proxy-connect\fR from the \fBssh\fR(1) -command line: - -.sp -.in +2 -.nf -example$ \fBssh -o'ProxyCommand="/usr/lib/ssh/ssh-http-proxy-connect \e - -h webcache -p 8080 playtime.foo.com 22"' playtime.foo.com\fR -.fi -.in -2 -.sp - -.SH ENVIRONMENT VARIABLES -.ne 2 -.na -\fB\fBHTTPPROXY\fR\fR 
-.ad
-.RS 17n
-Takes the \fIhttp_proxy_host\fR operand to specify the default proxy host.
-Overrides \fBhttp_proxy\fR if both are set.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBHTTPPROXYPORT\fR\fR
-.ad
-.RS 17n
-Takes the \fIhttp_proxy_port\fR operand to specify the default proxy port.
-Ignored if \fBHTTPPROXY\fR is not set.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBhttp_proxy\fR\fR
-.ad
-.RS 17n
-\fBURL\fR format for specifying proxy host and port.
-.RE
-
-.SH EXIT STATUS
-.LP
-The following exit values are returned:
-.sp
-.ne 2
-.na
-\fB\fB0\fR \fR
-.ad
-.RS 6n
-Successful completion.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB1\fR \fR
-.ad
-.RS 6n
-An error occurred.
-.RE
-
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability Stable
-.TE
-
-.SH SEE ALSO
-.LP
-\fBssh\fR(1), \fBssh-socks5-proxy-connect\fR(1), \fBssh_config\fR(4),
-\fBattributes\fR(5)
diff --git a/usr/src/man/man1/ssh-keygen.sunssh.1 b/usr/src/man/man1/ssh-keygen.sunssh.1
deleted file mode 100644
index 7468f97e7f..0000000000
--- a/usr/src/man/man1/ssh-keygen.sunssh.1
+++ /dev/null
@@ -1,409 +0,0 @@
-'\" te
-.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the
-.\" installed location.
-.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.TH SSH-KEYGEN 1 "Feb 17, 2009"
-.SH NAME
-ssh-keygen \- authentication key generation
-.SH SYNOPSIS
-.LP
-.nf
-\fBssh-keygen\fR [\fB-q\fR] [\fB-b\fR \fIbits\fR ] \fB-t\fR \fItype\fR [\fB-N\fR \fInew_passphrase\fR]
- [\fB-C\fR \fIcomment\fR] [\fB-f\fR \fIoutput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-p\fR [\fB-P\fR \fIold_passphrase\fR] [\fB-N\fR \fInew_passphrase\fR]
- [\fB-f\fR \fIkeyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-i\fR [\fB-f\fR \fIinput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-e\fR [\fB-f\fR \fIinput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-y\fR [\fB-f\fR \fIinput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-c\fR [\fB-P\fR \fIpassphrase\fR] [\fB-C\fR \fIcomment\fR] [\fB-f\fR \fIkeyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-l\fR [\fB-f\fR \fIinput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-B\fR [\fB-f\fR \fIinput_keyfile\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-F\fR \fIhostname\fR [\fB-f\fR \fIknown_hosts_file\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-H\fR [\fB-f\fR \fIknown_hosts_file\fR]
-.fi
-
-.LP
-.nf
-\fBssh-keygen\fR \fB-R\fR \fIhostname\fR [\fB-f\fR \fIknown_hosts_file\fR]
-.fi
-
-.SH DESCRIPTION
-.LP
-The \fBssh-keygen\fR utility generates, manages, and converts authentication
-keys for \fBssh\fR(1). \fBssh-keygen\fR can create RSA keys for use by SSH
-protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The
-type of key to be generated is specified with the \fB-t\fR option.
-.sp
-.LP
-Normally, each user wishing to use \fBSSH\fR with \fBRSA\fR or \fBDSA\fR
-authentication runs this once to create the authentication key in
-\fB$HOME/.ssh/identity\fR, \fB$HOME/.ssh/id_dsa\fR, or \fB$HOME/.ssh/id_rsa\fR.
-The system administrator can also use this to generate host keys..
-.sp
-.LP
-Ordinarily, this program generates the key and asks for a file in which to
-store the private key. The public key is stored in a file with the same name
-but with the ``\fB\&.pub\fR'' extension appended. The program also asks for a
-passphrase. The passphrase can be empty to indicate no passphrase (host keys
-must have empty passphrases), or it can be a string of arbitrary length. Good
-passphrases are 10-30 characters long, are not simple sentences or otherwise
-easy to guess, and contain a mix of uppercase and lowercase letters, numbers,
-and non-alphanumeric characters. (English prose has only 1-2 bits of entropy
-per word and provides very poor passphrases.) If a passphrase is set, it must
-be at least 4 characters long.
-.sp
-.LP
-The passphrase can be changed later by using the \fB-p\fR option.
-.sp
-.LP
-There is no way to recover a lost passphrase. If the passphrase is lost or
-forgotten, you have to generate a new key and copy the corresponding public key
-to other machines.
-.sp
-.LP
-For \fBRSA\fR, there is also a comment field in the key file that is only for
-convenience to the user to help identify the key. The \fIcomment\fR can tell
-what the key is for, or whatever is useful. The comment is initialized to
-``\fBuser@host\fR'' when the key is created, but can be changed using the
-\fB-c\fR option.
-.sp
-.LP
-After a key is generated, instructions below detail where to place the keys to
-activate them.
-.SH OPTIONS
-.LP
-The following options are supported:
-.sp
-.ne 2
-.na
-\fB\fB-b\fR \fIbits\fR\fR
-.ad
-.RS 21n
-Specifies the number of bits in the key to create. The minimum number is 512
-bits. Generally, 1024 bits is considered sufficient.
Key sizes above that no
-longer improve security but make things slower. The default is 1024 bits.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-B\fR\fR
-.ad
-.RS 21n
-Shows the bubblebabble digest of the specified private or public key file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-c\fR\fR
-.ad
-.RS 21n
-Requests changing the comment in the private and public key files. The program
-prompts for the file containing the private keys, for the passphrase if the key
-has one, and for the new comment.
-.sp
-This option only applies to \fBrsa1\fR (\fBSSHv1\fR) keys.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-C\fR \fIcomment\fR\fR
-.ad
-.RS 21n
-Provides the new comment.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-e\fR\fR
-.ad
-.RS 21n
-This option reads a private or public OpenSSH key file and prints the key in a
-"SECSH" Public Key File Format to stdout. This option allows exporting keys for
-use by several other SSH implementations.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-f\fR\fR
-.ad
-.RS 21n
-Specifies the filename of the key file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-F\fR\fR
-.ad
-.RS 21n
-Search for the specified \fIhostname\fR in a \fBknown_hosts\fR file, listing
-any occurrences found. This option is useful to find hashed host names or
-addresses and can also be used in conjunction with the \fB-H\fR option to print
-found keys in a hashed format.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-H\fR\fR
-.ad
-.RS 21n
-Hash a \fBknown_hosts\fR file. This replaces all host names and addresses with
-hashed representations within the specified file. The original content is moved
-to a file with a \fB\&.old\fR suffix. These hashes may be used normally by
-\fBssh\fR and \fBsshd\fR, but they do not reveal identifying information should
-the file's contents be disclosed. This option does not modify existing hashed
-host names and is therefore safe to use on files that mix hashed and non-hashed
-names.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-i\fR\fR
-.ad
-.RS 21n
-This option reads an unencrypted private (or public) key file in
-SSH2-compatible format and prints an OpenSSH compatible private (or public) key
-to stdout. \fBssh-keygen\fR also reads the "SECSH" Public Key File Format. This
-option allows importing keys from several other SSH implementations.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-l\fR\fR
-.ad
-.RS 21n
-Shows the fingerprint of the specified private or public key file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-N\fR \fInew_passphrase\fR\fR
-.ad
-.RS 21n
-Provides the new passphrase.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-p\fR\fR
-.ad
-.RS 21n
-Requests changing the passphrase of a private key file instead of creating a
-new private key. The program prompts for the file containing the private key,
-for the old passphrase, and prompts twice for the new passphrase.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-P\fR \fIpassphrase\fR\fR
-.ad
-.RS 21n
-Provides the (old) passphrase.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-q\fR\fR
-.ad
-.RS 21n
-Silences \fBssh-keygen\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-t\fR \fItype\fR\fR
-.ad
-.RS 21n
-Specifies the algorithm used for the key, where \fItype\fR is one of \fBrsa\fR,
-\fBdsa\fR, and \fBrsa1\fR. Type \fBrsa1\fR is used only for the SSHv1 protocol.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-R\fR \fIhostname\fR\fR
-.ad
-.RS 21n
-Removes all keys belonging to \fIhostname\fR from a \fBknown_hosts\fR file.
-This option is useful to delete hashed hosts. See \fB-H\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-x\fR\fR
-.ad
-.RS 21n
-Obsolete. Replaced by the \fB-e\fR option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-X\fR\fR
-.ad
-.RS 21n
-Obsolete. Replaced by the \fB-i\fR option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-y\fR\fR
-.ad
-.RS 21n
-This option reads a private OpenSSH format file and prints an OpenSSH public
-key to stdout.
-.RE
-
-.SH EXIT STATUS
-.LP
-The following exit values are returned:
-.sp
-.ne 2
-.na
-\fB\fB0\fR\fR
-.ad
-.RS 5n
-Successful completion.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB1\fR\fR
-.ad
-.RS 5n
-An error occurred.
-.RE
-
-.SH FILES
-.ne 2
-.na
-\fB\fB$HOME/.ssh/identity\fR\fR
-.ad
-.RS 27n
-This file contains the RSA private key for the SSHv1 protocol. This file should
-not be readable by anyone but the user. It is possible to specify a passphrase
-when generating the key; that passphrase is used to encrypt the private part of
-this file using 3DES. This file is not automatically accessed by
-\fBssh-keygen\fR, but it is offered as the default file for the private key.
-\fBsshd\fR(1M) reads this file when a login attempt is made.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/identity.pub\fR\fR
-.ad
-.RS 27n
-This file contains the RSA public key for the SSHv1 protocol. The contents of
-this file should be added to \fB$HOME/.ssh/authorized_keys\fR on all machines
-where you wish to log in using \fBRSA\fR authentication. There is no need to
-keep the contents of this file secret.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/id_dsa\fR\fR
-.ad
-.br
-.na
-\fB\fB$HOME/.ssh/id_rsa\fR\fR
-.ad
-.RS 27n
-These files contain, respectively, the DSA or RSA private key for the SSHv2
-protocol. These files should not be readable by anyone but the user. It is
-possible to specify a passphrase when generating the key; that passphrase is
-used to encrypt the private part of the file using 3DES. Neither of these files
-is automatically accessed by \fBssh-keygen\fR but is offered as the default
-file for the private key. \fBsshd\fR(1M) reads this file when a login attempt
-is made.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/id_dsa.pub\fR\fR
-.ad
-.br
-.na
-\fB\fB$HOME/.ssh/id_rsa.pub\fR\fR
-.ad
-.RS 27n
-These files contain, respectively, the DSA or RSA public key for the SSHv2
-protocol. The contents of these files should be added, respectively, to
-\fB$HOME/.ssh/authorized_keys\fR on all machines where you wish to log in using
-DSA or RSA authentication. There is no need to keep the contents of these files
-secret.
-.RE
-
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability Committed
-.TE
-
-.SH SEE ALSO
-.LP
-\fBssh\fR(1), \fBssh-add\fR(1), \fBssh-agent\fR(1), \fBsshd\fR(1M),
-\fBattributes\fR(5)
diff --git a/usr/src/man/man1/ssh-keyscan.sunssh.1 b/usr/src/man/man1/ssh-keyscan.sunssh.1
deleted file mode 100644
index f4491fccc3..0000000000
--- a/usr/src/man/man1/ssh-keyscan.sunssh.1
+++ /dev/null
@@ -1,248 +0,0 @@
-'\" te
-.\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved.
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
-.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
-.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSH-KEYSCAN 1 "Jul 24, 2004"
-.SH NAME
-ssh-keyscan \- gather public ssh host keys of a number of hosts
-.SH SYNOPSIS
-.LP
-.nf
-\fBssh-keyscan\fR [\fB-v46\fR] [\fB-p\fR \fIport\fR] [\fB-T\fR \fItimeout\fR] [\fB-t\fR \fItype\fR]
- [\fB-f\fR \fIfile\fR] [\fB-\fR] [\fIhost\fR... | \fIaddrlist\fR \fInamelist\fR] [...]
-.fi
-
-.SH DESCRIPTION
-.LP
-\fBssh-keyscan\fR is a utility for gathering the public ssh host keys of a
-number of hosts. It was designed to aid in building and verifying
-\fBssh_known_hosts\fR files. \fBssh-keyscan\fR provides a minimal interface
-suitable for use by shell and perl scripts. The output of \fBssh-keyscan\fR is
-directed to standard output.
-.sp
-.LP
-\fBssh-keyscan\fR uses non-blocking socket I/O to contact as many hosts as
-possible in parallel, so it is very efficient. The keys from a domain of 1,000
-hosts can be collected in tens of seconds, even when some of those hosts are
-down or do not run ssh. For scanning, one does not need login access to the
-machines that are being scanned, nor does the scanning process involve any
-encryption.
-.SS "File Format" -.LP -Input format: -.sp -.in +2 -.nf -1.2.3.4,1.2.4.4 -\fIname.my.domain,name,n.my.domain,n,\fR1.2.3.4,1.2.4.4 -.fi -.in -2 -.sp - -.sp -.LP -Output format for \fBrsa1\fR keys: -.sp -.in +2 -.nf -\fIhost-or-namelist bits exponent modulus\fR -.fi -.in -2 -.sp - -.sp -.LP -Output format for \fBrsa\fR and \fBdsa\fR keys, where \fIkeytype\fR is either -\fBssh-rsa\fR or `\fBssh-dsa\fR: -.sp -.in +2 -.nf -\fIhost-or-namelist keytype base64-encoded-key\fR -.fi -.in -2 -.sp - -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-f\fR \fIfilename\fR\fR -.ad -.RS 28n -Read hosts or addrlist namelist pairs from this file, one per line. If you -specity - instead of a filename, \fBssh-keyscan\fR reads hosts or addrlist -namelist pairs from the standard input. -.RE - -.sp -.ne 2 -.na -\fB\fB-p\fR \fIport\fR\fR -.ad -.RS 28n -Port to connect to on the remote host. -.RE - -.sp -.ne 2 -.na -\fB\fB-T\fR \fItimeout\fR\fR -.ad -.RS 28n -Set the timeout for connection attempts. If \fItimeout\fR seconds have elapsed -since a connection was initiated to a host or since the last time anything was -read from that host, the connection is closed and the host in question is -considered unavailable. The default is for \fItimeout\fR is 5 seconds. -.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR \fItype\fR\fR -.ad -.RS 28n -Specify the type of the key to fetch from the scanned hosts. The possible -values for \fItype\fR are \fBrsa1\fR for protocol version 1 and \fBrsa\fR or -\fBdsa\fR for protocol version 2. Specify multiple values by separating them -with commas. The default is \fBrsa1\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB-v\fR\fR -.ad -.RS 28n -Specify verbose mode. Print debugging messages about progress. -.RE - -.sp -.ne 2 -.na -\fB\fB-4\fR\fR -.ad -.RS 28n -Force to use IPv4 addresses only. -.RE - -.sp -.ne 2 -.na -\fB\fB-6\fR\fR -.ad -.RS 28n -Forces to use IPv6 addresses only. 
-.RE - -.SH SECURITY -.LP -If a \fBssh_known_hosts\fR file is constructed using \fBssh-keyscan\fR without -verifying the keys, users are vulnerable to man-in-the-middle attacks. If the -security model allows such a risk, \fBssh-keyscan\fR can help in the detection -of tampered keyfiles or man-in-the-middle attacks which have begun after the -\fBssh_known_hosts\fR file was created. -.SH EXAMPLES -.LP -\fBExample 1 \fRPrinting the \fBrsa1\fR Host Key -.sp -.LP -The following example prints the \fBrsa1\fR host key for machine -\fBhostname\fR: - -.sp -.in +2 -.nf -$ ssh-keyscan hostname -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fRFinding All Hosts -.sp -.LP -The following commands finds all hosts from the file \fBssh_hosts\fR which have -new or different keys from those in the sorted file \fBssh_known_hosts\fR: - -.sp -.in +2 -.nf -$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e - sort -u - ssh_known_hosts | diff ssh_known_hosts - -.fi -.in -2 -.sp - -.SH FILES -.ne 2 -.na -\fB\fB/etc/ssh_known_hosts\fR \fR -.ad -.RS 25n - -.RE - -.SH EXIT STATUS -.LP -The following exit values are returned: -.sp -.ne 2 -.na -\fB\fB0\fR \fR -.ad -.RS 6n -No usage errors. \fBssh-keyscan\fR might or might not have succeeded or failed -to scan one, more or all of the given hosts. -.RE - -.sp -.ne 2 -.na -\fB\fB1\fR\fR -.ad -.RS 6n -Usage error. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Evolving -.TE - -.SH SEE ALSO -.LP -\fBssh\fR(1), \fBsshd\fR(1M), \fBattributes\fR(5) -.SH AUTHORS -.LP -David Mazieres wrote the initial version, and Wayne Davison added suppport for -protocol version 2. -.SH BUGS -.LP -\fBssh\(emkeyscan\fR generates -.sp -.in +2 -.nf -Connection closed by remote host -.fi -.in -2 -.sp - -.sp -.LP -messages on the consoles of all machines it scans if the server is older than -version 2.9. 
This is because \fBssh-keyscan\fR opens a connection to the
-\fBssh\fR port, reads the public key, and drops the connection as soon as it
-gets the key.
diff --git a/usr/src/man/man1/ssh-socks5-proxy-connect.sunssh.1 b/usr/src/man/man1/ssh-socks5-proxy-connect.sunssh.1
deleted file mode 100644
index 44903c0b9b..0000000000
--- a/usr/src/man/man1/ssh-socks5-proxy-connect.sunssh.1
+++ /dev/null
@@ -1,202 +0,0 @@
-'\" te
-.\" Copyright (c) 2002, Sun Microsystems, Inc. All Rights Reserved
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
-.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
-.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSH-SOCKS5-PROXY-CONNECT 1 "Oct 30, 2002"
-.SH NAME
-ssh-socks5-proxy-connect \- Secure Shell proxy for SOCKS5
-.SH SYNOPSIS
-.LP
-.nf
-\fB/usr/lib/ssh/ssh-socks5-proxy-connect\fR
- [\fB-h\fR \fIsocks5_proxy_host\fR]
- [\fB-p\fR \fIsocks5_proxy_port\fR] \fIconnect_host\fR \fIconnect_port\fR
-.fi
-
-.SH DESCRIPTION
-.LP
-A proxy command for \fBssh\fR(1) that uses SOCKS5 (RFC 1928). Typical use is
-where connections external to a network are only allowed via a socks gateway
-server.
-.sp
-.LP
-This proxy command does not provide any of the SOCKS5 authentication mechanisms
-defined in RFC 1928. Only anonymous connections are possible.
-.SH OPTIONS
-.LP
-The following options are supported:
-.sp
-.ne 2
-.na
-\fB\fB-h\fR \fIsocks5_proxy_host\fR\fR
-.ad
-.RS 24n
-Specifies the proxy web server through which to connect. Overrides the
-\fBSOCKS5_SERVER\fR environment variable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-p\fR \fIsocks5_proxy_port\fR\fR
-.ad
-.RS 24n
-Specifies the port on which the proxy web server runs. If not specified, port
-80 is assumed. Overrides the \fBSOCKS5_PORT\fR environment variable.
-.RE - -.SH OPERANDS -.LP -The following operands are supported: -.sp -.ne 2 -.na -\fB\fIsocks5_proxy_host\fR\fR -.ad -.RS 21n -The host name or IP address (IPv4 or IPv6) of the proxy. -.RE - -.sp -.ne 2 -.na -\fB\fIsocks5_proxy_port\fR\fR -.ad -.RS 21n -The numeric port number to connect to on \fIsocks5_proxy_host\fR. -.RE - -.sp -.ne 2 -.na -\fB\fIconnect_host\fR\fR -.ad -.RS 21n -The name of the remote host to which the socks gateway is to connect you. -.RE - -.sp -.ne 2 -.na -\fB\fIconnect_port\fR\fR -.ad -.RS 21n -The numeric port number of the socks gateway to connect you to on -\fIconnect_host\fR. -.RE - -.SH EXAMPLES -.LP -The recommended way to use a proxy connection command is to configure the -\fBProxyCommand\fR in \fBssh_config\fR(4) (see Example 1 and Example 2). -Example 3 shows how the proxy command can be specified on the command line when -running \fBssh\fR(1). -.LP -\fBExample 1 \fRSetting the proxy from the environment -.sp -.LP -The following example uses \fBssh-socks5-proxy-connect\fR in -\fBssh_config\fR(4) when the proxy is set from the environment: - -.sp -.in +2 -.nf -\fBHost playtime.foo.com - ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect \e - playtime.foo.com 22\fR -.fi -.in -2 -.sp - -.LP -\fBExample 2 \fROverriding proxy environment variables -.sp -.LP -The following example uses \fBssh-socks5-proxy-connect\fR in -\fBssh_config\fR(4) to override (or if not set) proxy environment variables: - -.sp -.in +2 -.nf -\fBHost playtime.foo.com - ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h socks-gw \e - -p 1080 playtime.foo.com 22\fR -.fi -.in -2 -.sp - -.LP -\fBExample 3 \fRUsing the command line -.sp -.LP -The following example uses \fBssh-socks5-proxy-connect\fR from the \fBssh\fR(1) -command line: - -.sp -.in +2 -.nf -example$ \fBssh -o'ProxyCommand=/usr/lib/ssh/ssh-socks5-proxy-connect \e - -h socks-gw -p 1080 playtime.foo.com 22' playtime.foo.com\fR -.fi -.in -2 -.sp - -.SH ENVIRONMENT VARIABLES -.ne 2 -.na 
-\fB\fBSOCKS5_SERVER\fR\fR
-.ad
-.RS 17n
-Takes \fIsocks5_proxy_host\fR operand to specify the default proxy host.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSOCKS5_PORT\fR\fR
-.ad
-.RS 17n
-Takes \fIsocks5_proxy_port \fR operand to specify the default proxy port.
-.RE
-
-.SH EXIT STATUS
-.LP
-The following exit values are returned:
-.sp
-.ne 2
-.na
-\fB\fB0\fR \fR
-.ad
-.RS 6n
-Successful completion.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB1\fR \fR
-.ad
-.RS 6n
-An error occurred.
-.RE
-
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability Stable
-.TE
-
-.SH SEE ALSO
-.LP
-\fBssh\fR(1), \fBssh-http-proxy-connect\fR(1), \fBssh_config\fR(4),
-\fBattributes\fR(5)
diff --git a/usr/src/man/man1/ssh.sunssh.1 b/usr/src/man/man1/ssh.sunssh.1
deleted file mode 100644
index 88d8c56fdc..0000000000
--- a/usr/src/man/man1/ssh.sunssh.1
+++ /dev/null
@@ -1,979 +0,0 @@ -'\" te -.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the specified path to access the file at -.\" the installed location. -.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. -.TH SSH 1 "May 20, 2009" -.SH NAME -ssh \- secure shell client (remote login program) -.SH SYNOPSIS -.LP -.nf -\fBssh\fR [\fB-l\fR \fIlogin_name\fR] \fIhostname\fR | \fIuser@hostname\fR [ \fIcommand\fR] -.fi - -.LP -.nf -\fBssh\fR [\fB-afgknqstvxACNTX1246\fR] [\fB-b\fR \fIbind_address\fR] [\fB-m\fR \fImac_spec\fR] - [\fB-c\fR \fIcipher_spec\fR] [\fB-e\fR \fIescape_char\fR] [\fB-i\fR \fIidentity_file\fR] - [\fB-l\fR \fIlogin_name\fR] [\fB-F\fR \fIconfigfile\fR] [\fB-o\fR \fIoption\fR] [\fB-p\fR \fIport\fR] - [\fB-L\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fB:\fR\fIhost\fR\fB:\fR\fIhostport\fR] - [\fB-R\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fB:\fR\fIhost\fR\fB:\fR\fIhostport\fR] - [\fB-D\fR [\fIbind_address\fR\fB:\fR]\fIport\fR] \fIhostname\fR | \fIuser\fR\fB@\fR\fIhostname\fR [\fIcommand\fR] -.fi - -.SH DESCRIPTION -.LP -\fBssh\fR (Secure Shell) is a program for logging into a remote machine and for -executing commands on a remote machine. It is intended to replace \fBrlogin\fR -and \fBrsh\fR, and to provide secure encrypted communications between two -untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP -ports can also be forwarded over the secure channel. -.sp -.LP -\fBssh\fR connects and logs into the specified hostname. 
The user must prove -his or her identity to the remote machine using one of several methods -depending on the protocol version used: -.SS "SSH Protocol Version 1" -.LP -First, if the machine the user logs in from is listed in \fB/etc/hosts.equiv\fR -or \fB/etc/shosts.equiv\fR on the remote machine, and the user names are the -same on both sides, the user is immediately permitted to log in. Second, -if .\fBrhosts\fR or \fB\&.shosts\fR exists in the user's home directory on the -remote machine and contains a line containing the name of the client machine -and the name of the user on that machine, the user is permitted to log in. This -form of authentication alone is normally not allowed by the server because it -is not secure. -.sp -.LP -The second (and primary) authentication method is the \fBrhosts\fR or -\fBhosts.equiv\fR method combined with RSA-based host authentication. It means -that if the login would be permitted by \fB$HOME/.rhosts\fR, -\fB$HOME/.shosts\fR, \fB/etc/hosts.equiv\fR, or \fB/etc/shosts.equiv\fR, and if -additionally the server can verify the client's host key (see -\fB/etc/ssh_known_hosts\fR in the FILES section), only then is login permitted. -This authentication method closes security holes due to \fBIP\fR spoofing, -\fBDNS\fR spoofing, and routing spoofing. -.sp -.LP -\fBNote to the administrator:\fR \fB/etc/hosts.equiv\fR, \fB$HOME/.rhosts\fR, -and the rlogin/rsh protocol in general, are inherently insecure and should be -disabled if security is desired. -.sp -.LP -As a third authentication method, \fBssh\fR supports \fBRSA\fR-based -authentication. The scheme is based on public-key cryptography. There are -cryptosystems where encryption and decryption are done using separate keys, and -it is not possible to derive the decryption key from the encryption key. -\fBRSA\fR is one such system. The idea is that each user creates a -public/private key pair for authentication purposes. 
The server knows the -public key, and only the user knows the private key. The file -\fB$HOME/.ssh/authorized_keys\fR lists the public keys that are permitted for -logging in. When the user logs in, the \fBssh\fR program tells the server which -key pair it would like to use for authentication. The server checks if this key -is permitted, and if so, sends the user (actually the \fBssh\fR program running -on behalf of the user) a challenge in the form of a random number, encrypted by -the user's public key. The challenge can only be decrypted using the proper -private key. The user's client then decrypts the challenge using the private -key, proving that he or she knows the private key but without disclosing it to -the server. -.sp -.LP -\fBssh\fR implements the \fBRSA\fR authentication protocol automatically. The -user creates his or her \fBRSA\fR key pair by running \fBssh-keygen\fR(1). This -stores the private key in \fB$HOME/.ssh/identity\fR and the public key in -\fB$HOME/.ssh/identity.pub\fR in the user's home directory. The user should -then copy the \fBidentity.pub\fR to \fB$HOME/.ssh/authorized_keys\fR in his or -her home directory on the remote machine (the \fBauthorized_keys\fR file -corresponds to the conventional \fB$HOME/.rhosts\fR file, and has one key per -line, though the lines can be very long). After this, the user can log in -without giving the password. \fBRSA\fR authentication is much more secure than -\fBrhosts\fR authentication. -.sp -.LP -The most convenient way to use \fBRSA\fR authentication can be with an -authentication agent. See \fBssh-agent\fR(1) for more information. -.sp -.LP -If other authentication methods fail, \fBssh\fR prompts the user for a -password. The password is sent to the remote host for checking. However, since -all communications are encrypted, the password cannot be seen by someone -listening on the network. 
-.SS "SSH Protocol Version 2" -.LP -The SSH version 2 protocol supports multiple user authentication methods, some -of which are similar to those available with the SSH protocol version 1. These -authentication mechanisms are negotiated by the client and server, with the -client trying methods in the order specified in the -\fBPreferredAuthentications\fR client configuration option. The server decides -when enough authentication methods have passed successfully so as to complete -the authentication phase of the protocol. -.sp -.LP -When a user connects by using protocol version 2, similar authentication -methods are available. Using the default values for -\fBPreferredAuthentications\fR, the client tries to authenticate first by using -the hostbased method. If this method fails, public key authentication is -attempted. Finally, if this method fails, keyboard-interactive and password -authentication are tried. -.sp -.LP -The public key method is similar to \fBRSA\fR authentication described in the -previous section and allows the \fBRSA\fR or \fBDSA\fR algorithm to be used: -The client uses his or her private key, \fB$HOME/.ssh/id_dsa\fR or -\fB$HOME/.ssh/id_rsa\fR, to sign the session identifier and sends the result to -the server. The server checks whether the matching public key is listed in -\fB$HOME/.ssh/authorized_keys\fR and grants access if both the key is found and -the signature is correct. The session identifier is derived from a shared -Diffie-Hellman value and is only known to the client and the server. -.sp -.LP -If public key authentication fails or is not available, a password can be sent -encrypted to the remote host for proving the user's identity, or an extended -prompt/reply protocol can be engaged. -.sp -.LP -Additionally, \fBssh\fR supports hostbased or challenge response -authentication. 
-.sp -.LP -Protocol 2 provides additional mechanisms for confidentiality (the traffic is -encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity -(\fBhmac-sha1\fR, \fBhmac-md5\fR). Protocol 1 lacks a strong mechanism for -ensuring the integrity of the connection. -.SS "Login Session and Remote Execution" -.LP -When the user's identity has been accepted by the server, the server either -executes the specified command, or logs into the machine and gives the user a -normal shell on the remote machine. All communication with the remote command -or shell is automatically encrypted. -.sp -.LP -If a pseudo-terminal has been allocated (normal login session), the user can -use the escape characters noted below. If a pseudo-terminal has been allocated -(normal login session), the user can disconnect with \fB~.\fR, and suspend -\fBssh\fR with \fB~^Z\fR. All forwarded connections can be listed with -\fB~#\fR. If the session blocks waiting for forwarded X11 or TCP/IP connections -to terminate, \fBssh\fR can be backgrounded with \fB~&\fR, although this should -not be used while the user shell is active, as it can cause the shell to hang. -All available escapes can be listed with \fB~?\fR. -.sp -.LP -A single tilde character can be sent as \fB~~\fR, or by following the tilde -with a character other than those described above. The escape character must -always follow a newline to be interpreted as special. The escape character can -be changed in configuration files or on the command line. -.sp -.LP -If no pseudo tty has been allocated, the session is transparent and can be used -to reliably transfer binary data. On most systems, setting the escape character -to "\fBnone\fR" also makes the session transparent even if a tty is used. -.sp -.LP -The session terminates when the command or shell on the remote machine exits -and all X11 and TCP/IP connections have been closed. The exit status of the -remote program is returned as the exit status of \fBssh\fR. 
-.SS "Escape Characters" -.LP -When a pseudo-terminal has been requested, \fBssh\fR supports a number of -functions through the use of an escape character. -.sp -.LP -A single tilde character can be sent as \fB~~\fR or by following the tilde with -a character other than those described below. The escape character must always -follow a newline to be interpreted as special. The escape character can be -changed in configuration files using the \fBEscapeChar\fR configuration -directive or on the command line by the \fB-e\fR option. -.sp -.LP -The supported escapes, assuming the default \fB~\fR, are: -.sp -.ne 2 -.na -\fB\fB~.\fR\fR -.ad -.RS 7n -Disconnect. -.RE - -.sp -.ne 2 -.na -\fB\fB~^Z\fR\fR -.ad -.RS 7n -Background \fBssh\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB~#\fR\fR -.ad -.RS 7n -List forwarded connections. -.RE - -.sp -.ne 2 -.na -\fB\fB~&\fR\fR -.ad -.RS 7n -Background \fBssh\fR at logout when waiting for forwarded connection / X11 -sessions to terminate. -.RE - -.sp -.ne 2 -.na -\fB\fB~?\fR\fR -.ad -.RS 7n -Display a list of escape characters. -.RE - -.sp -.ne 2 -.na -\fB\fB~B\fR\fR -.ad -.RS 7n -Send a break to the remote system. Only useful for SSH protocol version 2 and -if the peer supports it. -.RE - -.sp -.ne 2 -.na -\fB\fB~C\fR\fR -.ad -.RS 7n -Open command line. Only useful for adding port forwardings using the \fB-L\fR -and \fB-R\fR options). -.RE - -.sp -.ne 2 -.na -\fB\fB~R\fR\fR -.ad -.RS 7n -Request rekeying of the connection. Only useful for SSH protocol version 2 and -if the peer supports it. 
-.RE - -.SS "X11 and TCP Forwarding" -.LP -If the \fBForwardX11\fR variable is set to ``\fByes\fR'' (or, see the -description of the \fB-X\fR and \fB-x\fR options described later) and the user -is using X11 (the \fBDISPLAY\fR environment variable is set), the connection to -the X11 display is automatically forwarded to the remote side in such a way -that any X11 programs started from the shell (or command) goes through the -encrypted channel, and the connection to the real X server is made from the -local machine. The user should not manually set \fBDISPLAY\fR. Forwarding of -X11 connections can be configured on the command line or in configuration -files. -.sp -.LP -The \fBDISPLAY\fR value set by \fBssh\fR points to the server machine, but with -a display number greater than zero. This is normal behavior, because \fBssh\fR -creates a "proxy" X11 server on the server machine for forwarding the -connections over the encrypted channel. -.sp -.LP -\fBssh\fR also automatically sets up \fBXauthority\fR data on the server -machine. For this purpose, it generates a random authorization cookie, store it -in \fBXauthority\fR on the server, and verify that any forwarded connections -carry this cookie and replace it by the real cookie when the connection is -opened. The real authentication cookie is never sent to the server machine (and -no cookies are sent in the plain). -.sp -.LP -If the \fBForwardAgent\fR variable is set to "\fByes\fR" (or, see the -description of the \fB-A\fR and \fB-a\fR options described later) and the user -is using an authentication agent, the connection to the agent is automatically -forwarded to the remote side. -.sp -.LP -Forwarding of arbitrary TCP/IP connections over the secure channel can be -specified either on the command line or in a configuration file. One possible -application of TCP/IP forwarding is a secure connection to an electronic purse. -Another possible application is firewall traversal. 
-.SS "Server Authentication" -.LP -\fBssh\fR automatically maintains and checks a database containing -identifications for all hosts it has ever been used with. Host keys are stored -in \fB$HOME/.ssh/known_hosts\fR in the user's home directory. Additionally, the -file \fB/etc/ssh_known_hosts\fR is automatically checked for known hosts. The -behavior of \fBssh\fR with respect to unknown host keys is controlled by the -\fBStrictHostKeyChecking\fR parameter. If a host's identification ever changes, -\fBssh\fR warns about this and disables password authentication to prevent a -trojan horse from getting the user's password. Another purpose of this -mechanism is to prevent attacks by intermediaries which could otherwise be used -to circumvent the encryption. The \fBStrictHostKeyChecking\fR option can be -used to prevent logins to machines whose host key is not known or has changed. -.sp -.LP -However, when using key exchange protected by GSS-API, the server can advertise -a host key. The client automatically adds this host key to its known hosts -file, \fB$HOME/.ssh/known_hosts\fR, regardless of the setting of the -\fBStrictHostKeyChecking\fR option, unless the advertised host key collides -with an existing known hosts entry. -.sp -.LP -When the user's GSS-API credentials expire, the client continues to be able to -rekey the session using the server's public host key to protect the key -exchanges. -.SS "GSS-API User and Server Authentication" -.LP -\fBssh\fR uses the user's GSS-API credentials to authenticate the client to the -server wherever possible, if \fBGssKeyEx\fR and/or \fBGssAuthentication\fR are -set. -.sp -.LP -With \fBGssKeyEx\fR, one can have an SSHv2 server that has no host public keys, -so that only \fBGssKeyEx\fR can be used. With such servers, rekeying fails if -the client's credentials are expired. -.sp -.LP -GSS-API user authentication has the disadvantage that it does not obviate the -need for SSH host keys, but its failure does not impact rekeying. 
\fBssh\fR can -try other authentication methods (such as public key, password, and so on) if -GSS-API authentication fails. -.sp -.LP -Delegation of GSS-API credentials can be quite useful, but is not without -danger. As with passwords, users should not delegate GSS credentials to -untrusted servers, since a compromised server can use a user's delegated GSS -credentials to impersonate the user. -.sp -.LP -GSS-API user authorization is covered in \fBgss_auth_rules\fR(5). -.sp -.LP -Rekeying can be used to redelegate credentials when \fBGssKeyEx\fR is -"\fByes\fR". (See \fB~R\fR under \fBEscape Characters\fR above.) -.SH OPTIONS -.LP -The following options are supported: -.sp -.ne 2 -.na -\fB\fB-1\fR\fR -.ad -.sp .6 -.RS 4n -Forces \fBssh\fR to try protocol version 1 only. -.RE - -.sp -.ne 2 -.na -\fB\fB-2\fR\fR -.ad -.sp .6 -.RS 4n -Forces \fBssh\fR to try protocol version 2 only. -.RE - -.sp -.ne 2 -.na -\fB\fB-4\fR\fR -.ad -.sp .6 -.RS 4n -Forces \fBssh\fR to use IPv4 addresses only. -.RE - -.sp -.ne 2 -.na -\fB\fB-6\fR\fR -.ad -.sp .6 -.RS 4n -Forces \fBssh\fR to use IPv6 addresses only. -.RE - -.sp -.ne 2 -.na -\fB\fB-a\fR\fR -.ad -.sp .6 -.RS 4n -Disables forwarding of the authentication agent connection. -.RE - -.sp -.ne 2 -.na -\fB\fB-A\fR\fR -.ad -.sp .6 -.RS 4n -Enables forwarding of the authentication agent connection. This can also be -specified on a per-host basis in a configuration file. -.sp -Agent forwarding should be enabled with caution. Users with the ability to -bypass file permissions on the remote host (for the agent's UNIX-domain socket) -can access the local agent through the forwarded connection. An attacker cannot -obtain key material from the agent. However, the attacker can perform -operations on the keys that enable the attacker to authenticate using the -identities loaded into the agent. 
-.RE - -.sp -.ne 2 -.na -\fB\fB-b\fR \fIbind_address\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the interface to transmit from on machines with multiple interfaces -or aliased addresses. -.RE - -.sp -.ne 2 -.na -\fB\fB-c\fR \fIcipher_spec\fR\fR -.ad -.sp .6 -.RS 4n -Selects the cipher specification for encrypting the session. -.sp -For protocol version 1, \fIcipher_spec\fR is a single cipher. See the -\fBCipher\fR option in \fBssh_config\fR(4) for more information. -.sp -For protocol version 2, \fIcipher_spec\fR is a comma-separated list of ciphers -listed in order of preference. See the \fICiphers\fR option in -\fBssh_config\fR(4) for more information. -.RE - -.sp -.ne 2 -.na -\fB\fB-C\fR\fR -.ad -.sp .6 -.RS 4n -Requests compression of all data (including stdin, stdout, stderr, and data for -forwarded X11 and TCP/IP connections). The compression algorithm is the same -used by \fBgzip\fR(1). The \fBgzip\fR man page is available in the -\fBSUNWsfman\fR package. The "level" can be controlled by the -\fBCompressionLevel\fR option (see \fBssh_config\fR(4)). Compression is -desirable on modem lines and other slow connections, but only slows down things -on fast networks. The default value can be set on a host-by-host basis in the -configuration files. See the \fBCompression\fR option in \fBssh_config\fR(4). -.RE - -.sp -.ne 2 -.na -\fB\fB-D\fR [\fIbind_address\fR\fB:\fR]\fIport\fR\fR -.ad -.sp .6 -.RS 4n -Specifies a local \fBdynamic\fR application-level port forwarding. This works -by allocating a socket to listen to port on the local side, optionally bound to -the specified \fIbind_address\fR. Whenever a connection is made to this port, -the connection is forwarded over the secure channel. The application protocol -is then used to determine where to connect to from the remote machine. -Currently, the \fBSOCKS4\fR and \fBSOCKS5\fR protocols are supported and -\fBssh\fR acts as a SOCKS server. Only a user with enough privileges can -forward privileged ports. 
Dynamic port forwardings can also be specified in the -configuration file. -.sp -IPv6 addresses can be specified with an alternative syntax: -\fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR or by enclosing the address in -square brackets. By default, the local port is bound in accordance with the -\fBGatewayPorts\fR setting. However, an explicit \fIbind_address\fR can be used -to bind the connection to a specific address. The \fIbind_address\fR of -\fBlocalhost\fR indicates that the listening port be bound for local use only, -while an empty address or \fB*\fR indicates that the port should be available -from all interfaces. -.RE - -.sp -.ne 2 -.na -\fB\fB-e\fR \fIch\fR | ^\fIch\fR | none\fR -.ad -.sp .6 -.RS 4n -Sets the escape character for sessions with a pty (default: `\fB~\fR'). The -escape character is only recognized at the beginning of a line. The escape -character followed by a dot (\fB\&.\fR) closes the connection. If followed by -CTRL-z, the escape character suspends the connection. If followed by itself, -the escape character sends itself once. Setting the character to \fBnone\fR -disables any escapes and makes the session fully transparent. -.RE - -.sp -.ne 2 -.na -\fB\fB-f\fR\fR -.ad -.sp .6 -.RS 4n -Requests \fBssh\fR to go to background just before command execution. This is -useful if \fBssh\fR is going to ask for passwords or passphrases, but the user -wants it in the background. This implies the \fB-n\fR option. The recommended -way to start X11 programs at a remote site is with something like \fBssh\fR -\fB-f\fR \fIhost\fR \fIxterm\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB-F\fR \fIconfigfile\fR\fR -.ad -.sp .6 -.RS 4n -Specifies an alternative per-user configuration file. If a configuration file -is specified on the command line, the system-wide configuration file, -\fB/etc/ssh_config\fR, is ignored. The default for the per-user configuration -file is \fB$HOME/.ssh/config\fR. 
-.RE - -.sp -.ne 2 -.na -\fB\fB-g\fR\fR -.ad -.sp .6 -.RS 4n -Allows remote hosts to connect to local forwarded ports. -.RE - -.sp -.ne 2 -.na -\fB\fB-i\fR \fIidentity_file\fR\fR -.ad -.sp .6 -.RS 4n -Selects a file from which the identity (private key) for \fBRSA\fR or \fBDSA\fR -authentication is read. The default is \fB$HOME/.ssh/identity\fR for protocol -version 1, and \fB$HOME/.ssh/id_rsa\fR and \fB$HOME/.ssh/id_dsa\fR for protocol -version 2. Identity files can also be specified on a per-host basis in the -configuration file. It is possible to have multiple \fB-i\fR options (and -multiple identities specified in configuration files). -.RE - -.sp -.ne 2 -.na -\fB\fB-l\fR \fIlogin_name\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the user to log in as on the remote machine. This also can be -specified on a per-host basis in the configuration file. -.RE - -.sp -.ne 2 -.na -\fB\fB-L\fR [\fIbind_address:\fR]\fIport\fR:\fIhost\fR:\fIhostport\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that the specified port on the local (client) host is to be forwarded -to the specified host and port on the remote side. This works by allocating a -socket to listen to the port on the local side, optionally bound to the -specified \fIbind_address\fR. Then, whenever a connection is made to this port, -the connection is forwarded over the secure channel and a connection is made to -host port \fIhostport\fR from the remote machine. Port forwardings can also be -specified in the configuration file. Only a user with enough privileges can -forward privileged ports. IPv6 addresses can be specified with an alternative -syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR\fB/\fR\fIhost\fR\fB/\fR\fIh -ostport\fR or by enclosing the address in square brackets. -.sp -By default, the local port is bound in accordance with the \fBGatewayPorts\fR -setting. However, an explicit \fIbind_address\fR can be used to bind the -connection to a specific address. 
The \fIbind_address\fR of \fBlocalhost\fR -indicates that the listening port be bound for local use only, while an empty -address or \fB*\fR indicates that the port should be available from all -interfaces. -.RE - -.sp -.ne 2 -.na -\fB\fB-m\fR \fImac_spec\fR\fR -.ad -.sp .6 -.RS 4n -Additionally, for protocol version 2 a comma-separated list of \fBMAC\fR -(message authentication code) algorithms can be specified in order of -preference. See the MACs keyword for more information. -.RE - -.sp -.ne 2 -.na -\fB\fB-n\fR\fR -.ad -.sp .6 -.RS 4n -Redirects \fBstdin\fR from \fB/dev/null\fR (actually, prevents reading from -\fBstdin\fR). This must be used when \fBssh\fR is run in the background. A -common trick is to use this to run X11 programs on a remote machine. For -example, -.sp -.in +2 -.nf -ssh -n shadows.cs.hut.fi emacs & -.fi -.in -2 -.sp - -starts an \fBemacs\fR on \fBshadows.cs.hut.fi\fR, and the X11 connection is -automatically forwarded over an encrypted channel. The \fBssh\fR program is put -in the background. This does not work if \fBssh\fR needs to ask for a password -or passphrase. See also the \fB-f\fR option. -.RE - -.sp -.ne 2 -.na -\fB\fB-N\fR\fR -.ad -.sp .6 -.RS 4n -Does not execute a remote command. This is useful if you just want to forward -ports (protocol version 2 only). -.RE - -.sp -.ne 2 -.na -\fB\fB-o\fR \fIoption\fR\fR -.ad -.sp .6 -.RS 4n -Can be used to give options in the format used in the configuration file. This -is useful for specifying options for which there is no separate command-line -flag. The option has the same format as a line in the configuration file. -.RE - -.sp -.ne 2 -.na -\fB\fB-p\fR \fIport\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the port to connect to on the remote host. This can be specified on a -per-host basis in the configuration file. -.RE - -.sp -.ne 2 -.na -\fB\fB-P\fR\fR -.ad -.sp .6 -.RS 4n -Obsoleted option. SSHv1 connections from privileged ports are not supported. 
-.RE - -.sp -.ne 2 -.na -\fB\fB-q\fR\fR -.ad -.sp .6 -.RS 4n -Quiet mode. Causes all warning and diagnostic messages to be suppressed. Only -fatal errors are displayed. -.RE - -.sp -.ne 2 -.na -\fB\fB-R\fR [\fIbind_address\fR:]\fIport\fR:\fIhost\fR:\fIhostport\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that the specified port on the remote (server) host is to be -forwarded to the specified host and port on the local side. This works by -allocating a socket to listen to the port on the remote side. Then, whenever a -connection is made to this port, the connection is forwarded over the secure -channel and a connection is made to host port \fIhostport\fR from the local -machine. Port forwardings can also be specified in the configuration file. -Privileged ports can be forwarded only when logging in on the remote machine as -a user with enough privileges. -.sp -IPv6 addresses can be specified by enclosing the address in square braces or -using an alternative syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIhost\fR\fB/\fR -\fIport\fR\fB/\fR\fIhostport\fR. -.sp -By default, the listening socket on the server is bound to the loopback -interface only. This can be overridden by specifying a \fIbind_address\fR. An -empty \fIbind_address\fR, or the address \fB*\fR, indicates that the remote -socket should listen on all interfaces. Specifying a remote \fIbind_address\fR -only succeeds if the server's \fBGatewayPorts\fR option is enabled. See -\fBsshd_config\fR(4). -.RE - -.sp -.ne 2 -.na -\fB\fB-s\fR\fR -.ad -.sp .6 -.RS 4n -Can be used to request invocation of a subsystem on the remote system. -Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH -as a secure transport for other applications, for example, \fBsftp\fR. The -subsystem is specified as the remote command. -.RE - -.sp -.ne 2 -.na -\fB\fB-t\fR\fR -.ad -.sp .6 -.RS 4n -Forces pseudo-tty allocation. 
This can be used to execute arbitrary -screen-based programs on a remote machine, which can be very useful, for -example, when implementing menu services. Multiple \fB-t\fR options force -allocation, even if \fBssh\fR has no local \fBtty\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB-T\fR\fR -.ad -.sp .6 -.RS 4n -Disables pseudo-tty allocation (protocol version 2 only). -.RE - -.sp -.ne 2 -.na -\fB\fB-v\fR\fR -.ad -.sp .6 -.RS 4n -Verbose mode. Causes \fBssh\fR to print debugging messages about its progress. -This is helpful in debugging connection, authentication, and configuration -problems. Multiple \fB-v\fR options increase the verbosity. Maximum is 3. -.RE - -.sp -.ne 2 -.na -\fB\fB-x\fR\fR -.ad -.sp .6 -.RS 4n -Disables X11 forwarding. -.RE - -.sp -.ne 2 -.na -\fB\fB-X\fR\fR -.ad -.sp .6 -.RS 4n -Enables X11 forwarding. This can also be specified on a per-host basis in a -configuration file. -.sp -X11 forwarding should be enabled with caution. Users with the ability to bypass -file permissions on the remote host (for the user's X authorization database) -can access the local X11 display through the forwarded connection. An attacker -can then be able to perform activities such as keystroke monitoring. -.sp -For this reason, X11 forwarding might be subjected to X11 SECURITY extension -restrictions. Refer to the \fBForwardX11Trusted\fR directive in -\fBssh_config\fR(4) for more information. -.sp -If X11 forwarding is enabled, remote X11 clients is trusted by default. This -means that they have full access to the original X11 display. -.RE - -.SH ENVIRONMENT VARIABLES -.LP -\fBssh\fR normally sets the following environment variables: -.sp -.ne 2 -.na -\fB\fBDISPLAY\fR\fR -.ad -.sp .6 -.RS 4n -The \fBDISPLAY\fR variable must be set for X11 display forwarding to work. -.RE - -.sp -.ne 2 -.na -\fB\fBSSH_ASKPASS\fR\fR -.ad -.sp .6 -.RS 4n -If \fBssh\fR needs a passphrase, it reads the passphrase from the current -terminal if it was run from a terminal. 
If \fBssh\fR does not have a terminal -associated with it but \fBDISPLAY\fR and \fBSSH_ASKPASS\fR are set, it executes -the program specified by \fBSSH_ASKPASS\fR and opens an X11 window to read the -passphrase. This is particularly useful when calling \fBssh\fR from a .Xsession -or related script. On some machines it might be necessary to redirect the input -from \fB/dev/null\fR to make this work. The system is shipped with -\fB/usr/lib/ssh/ssh-askpass\fR which is the default value for \fBSSH_ASKPASS\fR -.RE - -.sp -.ne 2 -.na -\fB\fBSSH_AUTH_SOCK\fR\fR -.ad -.sp .6 -.RS 4n -Indicates the path of a unix-domain socket used to communicate with the agent. -.RE - -.sp -.ne 2 -.na -\fB\fBSSH_LANGS\fR\fR -.ad -.sp .6 -.RS 4n -A comma-separated list of IETF language tags (see RFC3066) indicating the -languages that the user can read and write. Used for negotiation of the locale -on the server. -.RE - -.sp -.ne 2 -.na -\fB\fBLANG\fR, \fBLC_ALL\fR, \fBLC_COLLATE\fR, \fBLC_CTYPE\fR,\fR -.ad -.br -.na -\fB\fBLC_MESSAGES\fR, \fBLC_MONETARY\fR, \fBLC_NUMERIC\fR, \fBLC_TIME\fR\fR -.ad -.sp .6 -.RS 4n -The values of these environment variables can be set in remote sessions -according to the locale settings on the client side and availability of support -for those locales on the server side. Environment Variable Passing (see \fIRFC -4254\fR) is used for passing them over to the server side. -.RE - -.sp -.LP -See the \fBENVIRONMENT VARIABLES\fR section in the \fBsshd\fR(1M) man page for -more information on how locale setting can be further changed depending on -server side configuration. -.SH EXIT STATUS -.LP -The status of the remote program is returned as the exit status of \fBssh\fR. -\fB255\fR is returned if an error occurred at anytime during the \fBssh\fR -connection, including the initial key exchange. 
-.SH FILES -.ne 2 -.na -\fB\fB$HOME/.ssh/known_hosts\fR\fR -.ad -.RS 26n -Records host keys for all hosts the user has logged into that are not in -\fB/etc/ssh/ssh_known_hosts\fR. See \fBsshd\fR(1M). -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/identity\fR\fR -.ad -.br -.na -\fB\fB$HOME/.ssh/id_dsa\fR\fR -.ad -.br -.na -\fB\fB$HOME/.ssh/id_ssa\fR\fR -.ad -.RS 26n -Contains the authentication identity of the user. These files are for protocol -1 \fBRSA\fR, protocol 2 \fBDSA\fR, and protocol 2 \fBRSA\fR, respectively. -These files contain sensitive data and should be readable by the user but not -accessible by others (read/write/execute). \fBssh\fR ignores a private key file -if it is accessible by others. It is possible to specify a passphrase when -generating the key. The passphrase is used to encrypt the sensitive part of -this file using \fB3DES\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB/etc/ssh/sshrc\fR\fR -.ad -.RS 26n -Commands in this file are executed by \fBssh\fR when the user logs in just -before the user's shell or command is started. See \fBsshd\fR(1M) for more -information. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/rc\fR\fR -.ad -.RS 26n -Commands in this file are executed by \fBssh\fR when the user logs in just -before the user's shell or command is started. See \fBsshd\fR(1M) for more -information. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/environment\fR\fR -.ad -.RS 26n -Contains additional definitions for environment variables. See ENVIRONMENT -VARIABLES. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability See below. -.TE - -.sp -.LP -The command line syntax is Committed. The remote locale selection through -passing \fBLC_*\fR environment variables is Uncommitted. 
-.SH SEE ALSO -.LP -\fBrlogin\fR(1), \fBrsh\fR(1), \fBscp\fR(1), \fBssh-add\fR(1), -\fBssh-agent\fR(1), \fBssh-keygen\fR(1), \fBssh-http-proxy-connect\fR(1), -\fBssh-socks5-proxy-connect\fR(1), \fBtelnet\fR(1), \fBsshd\fR(1M), -\fBssh_config\fR(4), \fBsshd_config\fR(4), \fBattributes\fR(5), -\fBgss_auth_rules\fR(5), \fBkerberos\fR(5), \fBprivileges\fR(5) -.sp -.LP -\fIRFC 1928\fR -.sp -.LP -\fIRFC 4254\fR diff --git a/usr/src/man/man1m/Makefile b/usr/src/man/man1m/Makefile index b00898cce4..bdf284a437 100644 --- a/usr/src/man/man1m/Makefile +++ b/usr/src/man/man1m/Makefile @@ -458,7 +458,6 @@ _MANFILES= 6to4relay.1m \ sdpadm.1m \ sendmail.1m \ setuname.1m \ - sftp-server.sunssh.1m \ share.1m \ share_nfs.1m \ shareall.1m \ @@ -483,8 +482,6 @@ _MANFILES= 6to4relay.1m \ soconfig.1m \ sppptun.1m \ spray.1m \ - ssh-keysign.sunssh.1m \ - sshd.sunssh.1m \ statd.1m \ stmfadm.1m \ stmsboot.1m \ @@ -646,9 +643,6 @@ MANLINKS= acctcon1.1m \ sa1.1m \ sa2.1m \ sadc.1m \ - sftp-server.1m \ - ssh-keysign.1m \ - sshd.1m \ shutacct.1m \ sprayd.1m \ startup.1m \ @@ -723,9 +717,6 @@ hal-set-property.1m := LINKSRC = hal-get-property.1m poweroff.1m := LINKSRC = halt.1m -sftp-server.1m := LINKSRC = sftp-server.sunssh.1m -ssh-keysign.1m := LINKSRC = ssh-keysign.sunssh.1m -sshd.1m := LINKSRC = sshd.sunssh.1m comsat.1m := LINKSRC = in.comsat.1m fingerd.1m := LINKSRC = in.fingerd.1m diff --git a/usr/src/man/man1m/sftp-server.sunssh.1m b/usr/src/man/man1m/sftp-server.sunssh.1m deleted file mode 100644 index c258aa81fb..0000000000 --- a/usr/src/man/man1m/sftp-server.sunssh.1m +++ /dev/null 
@@ -1,125 +0,0 @@
-'\" te
-.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the
-.\" installed location.
-.\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
-.TH SFTP-SERVER 1M "Oct 24, 2007"
-.SH NAME
-sftp-server \- SFTP server subsystem
-.SH SYNOPSIS
-.LP
-.nf
-\fB/usr/lib/ssh/sftp-server\fR [\fB-f\fR \fIlog_facility\fR] [\fB-l\fR \fIlog_level\fR]
-.fi
-
-.SH DESCRIPTION
-.LP
-\fBsftp-server\fR implements the server side of the SSH File Transfer Protocol
-as defined in the IETF \fBdraft-ietf-secsh-filexfer\fR.
-.sp
-.LP
-\fBsftp-server\fR is a subsystem for \fBsshd\fR(1M) and must not be run
-directly. Command-line flags to \fBsftp-server\fR should be specified in the
-Subsystem declaration. See \fBsshd_config\fR(4) for more information.
-.sp
-.LP
-To enable the \fBsftp-server\fR subsystem for \fBsshd\fR add the following to
-\fB/etc/ssh/sshd_config\fR:
-.sp
-.in +2
-.nf
-Subsystem sftp /usr/lib/ssh/sftp-server
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-See \fBsshd_config\fR(4) for a description of the format and contents of that
-file.
-.sp
-.LP
-There is no relationship between the protocol used by \fBsftp-server\fR and the
-FTP protocol (RFC 959).
-.SH OPTIONS
-.LP
-Valid options are listed below. As stated above, these are to be specified in
-the Subsystem declation of \fBsshd_config\fR.
-.sp
-.ne 2
-.na
-\fB\fB-f\fR \fIlog_facility\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the facility code that is used when logging messages from
-\fBsftp-server\fR. The possible values are: \fBDAEMON\fR, \fBUSER\fR,
-\fBAUTH\fR, \fBLOCAL0\fR, \fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR,
-\fBLOCAL4\fR, \fBLOCAL5\fR, \fBLOCAL6\fR, \fBLOCAL7\fR. The default is
-\fBAUTH\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-l\fR \fIlog_level\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies which messages will be logged by \fBsftp-server\fR. The possible
-values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR, \fBVERBOSE\fR,
-\fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. \fBINFO\fR and
-\fBVERBOSE\fR log transactions that \fBsftp-server\fR performs on behalf of the
-client. \fBDEBUG\fR and \fBDEBUG1\fR are equivalent. \fBDEBUG2\fR and
-\fBDEBUG3\fR each specify higher levels of debugging output. The default is
-\fBERROR\fR.
-.RE
-
-.SH EXIT STATUS
-.LP
-The following exit values are returned:
-.sp
-.ne 2
-.na
-\fB\fB0\fR\fR
-.ad
-.RS 6n
-Successful completion.
-.RE
-
-.sp
-.ne 2
-.na
-\fB>\fB0\fR\fR
-.ad
-.RS 6n
-An error occurred.
-.RE
-
-.SH FILES
-.ne 2
-.na
-\fB\fB/usr/lib/ssh/sftp-server\fR\fR
-.ad
-.RS 28n
-Server-side binary.
-.RE
-
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability Evolving
-.TE
-
-.SH SEE ALSO
-.LP
-\fBsftp\fR(1), \fBssh\fR(1), \fBssh-add\fR(1), \fBssh-keygen\fR(1),
-\fBsshd\fR(1M), \fBsshd_config\fR(4), \fBattributes\fR(5)
diff --git a/usr/src/man/man1m/ssh-keysign.sunssh.1m b/usr/src/man/man1m/ssh-keysign.sunssh.1m
deleted file mode 100644
index 8b3836e8de..0000000000
--- a/usr/src/man/man1m/ssh-keysign.sunssh.1m
+++ /dev/null
@@ -1,105 +0,0 @@
-'\" te
-.\" Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
-.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
-.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSH-KEYSIGN 1M "Jun 9, 2004"
-.SH NAME
-ssh-keysign \- ssh helper program for host-based authentication
-.SH SYNOPSIS
-.LP
-.nf
-\fBssh-keysign\fR
-.fi
-
-.SH DESCRIPTION
-.LP
-\fBssh-keysign\fR is used by \fBssh\fR(1) to access the local host keys and
-generate the digital signature required during host-based authentication with
-SSH protocol version 2. This signature is of data that includes, among other
-items, the name of the client host and the name of the client user.
-.sp
-.LP
-\fBssh-keysign\fR is disabled by default and can be enabled only in the global
-client configuration file \fB/etc/ssh/ssh_config\fR by setting
-\fBHostbasedAuthentication\fR to \fByes\fR.
-.sp
-.LP
-\fBssh-keysign\fR is not intended to be invoked by the user, but from
-\fBssh\fR. See \fBssh\fR(1) and \fBsshd\fR(1M) for more information about
-host-based authentication.
-.SH FILES
-.ne 2
-.na
-\fB\fB/etc/ssh/ssh_config\fR\fR
-.ad
-.RS 29n
-Controls whether \fBssh-keysign\fR is enabled.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/ssh_host_dsa_key\fR\fR
-.ad
-.br
-.na
-\fB\fB/etc/ssh/ssh_host_rsa_key\fR\fR
-.ad
-.RS 29n
-These files contain the private parts of the host keys used to generate the
-digital signature. They should be owned by root, readable only by root, and not
-accessible to others. Because they are readable only by root, \fBssh-keysign\fR
-must be \fBset-uid\fR root if host-based authentication is used.
-.RE
-
-.SH SECURITY
-.LP
-ssh-keysign will not sign host-based authentication data under the following
-conditions:
-.RS +4
-.TP
-.ie t \(bu
-.el o
-If the \fBHostbasedAuthentication\fR client configuration parameter is not set
-to \fByes\fR in \fB/etc/ssh/ssh_config\fR. This setting cannot be overriden in
-users' \fB~/.ssh/ssh_config\fR files.
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-If the client hostname and username in \fB/etc/ssh/ssh_config\fR do not match
-the canonical hostname of the client where \fBssh-keysign\fR is invoked and the
-name of the user invoking \fBssh-keysign\fR.
-.RE
-.sp
-.LP
-In spite of \fBssh-keysign\fR's restrictions on the contents of the host-based
-authentication data, there remains the ability of users to use it as an avenue
-for obtaining the client's private host keys. For this reason host-based
-authentication is turned off by default.
-.SH ATTRIBUTES
-.LP
-See \fBattributes\fR(5) for descriptions of the following attributes:
-.sp
-
-.sp
-.TS
-box;
-c | c
-l | l .
-ATTRIBUTE TYPE ATTRIBUTE VALUE
-_
-Interface Stability Evolving
-.TE
-
-.SH SEE ALSO
-.LP
-\fBssh\fR(1), \fBsshd\fR(1M), \fBssh_config\fR(4), \fBattributes\fR(5)
-.SH AUTHORS
-.LP
-Markus Friedl, \fBmarkus@openbsd.org\fR
-.SH HISTORY
-.LP
-\fBssh-keysign\fR first appeared in Ox 3.2.
diff --git a/usr/src/man/man1m/sshd.sunssh.1m b/usr/src/man/man1m/sshd.sunssh.1m
deleted file mode 100644
index 8df6378332..0000000000
--- a/usr/src/man/man1m/sshd.sunssh.1m
+++ /dev/null
@@ -1,1433 +0,0 @@
-'\" te
-.\" To view license terms, attribution, and copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the
-.\" installed location.
-.\" Portions Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved.
-.TH SSHD 1M "Oct 29, 2015"
-.SH NAME
-sshd \- secure shell daemon
-.SH SYNOPSIS
-.LP
-.nf
-\fBsshd\fR [\fB-deiqtD46\fR] [\fB-b\fR \fIbits\fR] [\fB-f\fR \fIconfig_file\fR]
- [\fB-g\fR \fIlogin_grace_time\fR] [\fB-h\fR \fIhost_key_file\fR]
- [\fB-k\fR \fIkey_gen_time\fR] [\fB-p\fR \fIport\fR] [\fB-V\fR \fIclient_protocol_id\fR]
-.fi
-
-.SH DESCRIPTION
-.LP
-The \fBsshd\fR (Secure Shell daemon) is the daemon program for \fBssh\fR(1).
-Together these programs replace \fBrlogin\fR and \fBrsh\fR, and provide secure
-encrypted communications between two untrusted hosts over an insecure network.
-The programs are intended to be as easy to install and use as possible.
-.sp
-.LP
-\fBsshd\fR is the daemon that listens for connections from clients. It forks a
-new daemon for each incoming connection. The forked daemons handle key
-exchange, encryption, authentication, command execution, and data exchange.
-.sp
-.LP
-This implementation of \fBsshd\fR supports both SSH protocol versions 1 and 2
-simultaneously. Because of security weaknesses in the v1 protocol, sites should
-run only v2, if possible. In the default configuration, only protocol v2 is
-enabled for the server. To enable v1 and v2 simultaneously, see the
-instructions in \fBsshd_config\fR(4).
-.sp
-.LP
-Support for v1 is provided to help sites with existing \fBssh\fR v1 clients and
-servers to transition to v2. v1 might not be supported in a future release.
-.SS "SSH Protocol Version 1"
-.LP
-Each host has a host-specific RSA key (normally 1024 bits) used to identify the
-host. Additionally, when the daemon starts, it generates a server RSA key
-(normally 768 bits). This key is normally regenerated every hour if it has been
-used, and is never stored on disk.
-.sp
-.LP
-Whenever a client connects the daemon responds with its public host and server
-keys. The client compares the RSA host key against its own database to verify
-that it has not changed. The client then generates a 256-bit random number. It
-encrypts this random number using both the host key and the server key, and
-sends the encrypted number to the server. Both sides then use this random
-number as a session key which is used to encrypt all further communications in
-the session. The rest of the session is encrypted using a conventional cipher,
-currently Blowfish or 3DES, with 3DES being used by default. The client selects
-the encryption algorithm to use from those offered by the server.
-.sp
-.LP
-Next, the server and the client enter an authentication dialog. The client
-tries to authenticate itself using \fB\&.rhosts\fR authentication,
-\fB\&.rhosts\fR authentication combined with RSA host authentication, RSA
-challenge-response authentication, or password-based authentication.
-.sp
-.LP
-Rhosts authentication is normally disabled because it is fundamentally
-insecure, but can be enabled in the server configuration file if desired.
-System security is not improved unless \fBrshd\fR(1M), \fBrlogind\fR(1M),
-\fBrexecd\fR(1M), and \fBrexd\fR(1M) are disabled (thus completely disabling
-\fBrlogin\fR(1) and \fBrsh\fR(1) into the machine).
-.SS "SSH Protocol Version 2"
-.LP
-Version 2 works similarly to version 1: Each host has a host-specific DSA/RSA
-key. However, when the daemon starts, it does not generate a server key.
-Forward security is provided through a Diffie-Hellman key agreement. This key
-agreement results in a shared session key. The rest of the session is encrypted
-using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, or AES. The
-client selects the encryption algorithm to use from those offered by the
-server. Additionally, session integrity is provided through a cryptographic
-message authentication code (\fBhmac-sha1\fR or \fBhmac-md5\fR).
-.sp
-.LP
-Protocol version 2 provides a public key based user authentication method
-(PubKeyAuthentication) GSS-API based user authentication, conventional password
-authentication, and a generic prompt/reply protocol for password-based
-authentication.
-.SS "Command Execution and Data Forwarding"
-.LP
-If the client successfully authenticates itself, a dialog for preparing the
-session is entered. At this time the client can request things like allocating
-a pseudo-tty, forwarding X11 connections, forwarding TCP/IP connections, or
-forwarding the authentication agent connection over the secure channel.
-.sp
-.LP
-Finally, the client either requests a shell or execution of a command. The
-sides then enter session mode. In this mode, either side may send data at any
-time, and such data is forwarded to/from the shell or command on the server
-side, and the user terminal on the client side.
-.sp
-.LP
-When the user program terminates and all forwarded X11 and other connections
-have been closed, the server sends command exit status to the client, and both
-sides exit.
-.sp
-.LP
-\fBsshd\fR can be configured using command-line options or the configuration
-file \fB/etc/ssh/ssh_config\fR, described in \fBssh_config\fR(4). Command-line
-options override values specified in the configuration file.
-.sp
-.LP
-\fBsshd\fR rereads its configuration file when it receives a hangup signal,
-\fBSIGHUP\fR, by executing itself with the name it was started as, that is,
-\fB/usr/lib/ssh/sshd\fR.
-.SS "Host Access Control"
-.LP
-The \fBsshd\fR daemon uses TCP Wrappers to restrict access to hosts. It uses
-the service name of \fBsshd\fR for \fBhosts_access()\fR. For more information
-on TCP Wrappers see \fBtcpd(1M)\fR and \fBhosts_access(3)\fR man pages, which
-are part of the \fBSUNWsfman\fR package (they are not SunOS man pages). TCP
-wrappers binaries, including \fBlibwrap\fR, are in \fBSUNWtcpd\fR, a required
-package for \fBSUNWsshdu\fR, the package containing \fBsshd\fR.
-.SH OPTIONS
-.LP
-The options for \fBsshd\fR are as follows:
-.sp
-.ne 2
-.na
-\fB\fB-b\fR \fIbits\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the number of bits in the server key (the default is 768).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-d\fR\fR
-.ad
-.sp .6
-.RS 4n
-Debug mode. The server sends verbose debug output to the system log, and does
-not put itself in the background. The server also will not fork and will only
-process one connection. This option is only intended for debugging for the
-server. Multiple \fB-d\fR options increase the debugging level. Maximum is 3.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-e\fR\fR
-.ad
-.sp .6
-.RS 4n
-When this option is specified, \fBsshd\fR will send the output to standard
-error instead of to the system log.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-f\fR \fIconfiguration_file\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the name of the configuration file. The default is
-\fB/etc/ssh/sshd_config\fR. \fBsshd\fR refuses to start if there is no
-configuration file.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-g\fR \fIlogin_grace_time\fR\fR
-.ad
-.sp .6
-.RS 4n
-Gives the grace time for clients to authenticate themselves (the default is 300
-seconds). If the client fails to authenticate the user within this number of
-seconds, the server disconnects and exits. A value of zero indicates no limit.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-h\fR \fIhost_key_file\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies a file from which a host key is read. This option must be given if
-\fBsshd\fR is not run as root (as the normal host key files are normally not
-readable by anyone but root). The default is \fB/etc/ssh/ssh_host_key\fR for
-protocol version 1, and \fB/etc/ssh/ssh_host_rsa_key\fR and
-\fB/etc/ssh/ssh_host_dsa_key\fR for protocol version 2. It is possible to have
-multiple host key files for the different protocol versions and host key
-algorithms.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-i\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that \fBsshd\fR is being run from \fBinetd\fR. \fBsshd\fR is normally
-not run from \fBinetd\fR because it needs to generate the server key before it
-can respond to the client, and this may take tens of seconds. Clients would
-have to wait too long if the key was regenerated every time. However, with
-small key sizes (for example, 512) using \fBsshd\fR from \fBinetd\fR may be
-reasonable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-k\fR \fIkey_gen_time\fR\fR
-.ad
-.sp .6
-.RS 4n
-(SSHv1-specific) Specifies how often the server key is regenerated (the default
-is 3600 seconds, or one hour). The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour, it
-becomes impossible to recover the key for decrypting intercepted communications
-even if the machine is cracked into or physically seized. A value of zero
-indicates that the key will never be regenerated.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-o\fR \fIoption\fR\fR
-.ad
-.sp .6
-.RS 4n
-Can be used to specify options in the format used in the configuration file.
-This is useful for specifying options for which there are no separate
-command-line flags.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-p\fR \fIport\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the port on which the server listens for connections (the default is
-22).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-q\fR\fR
-.ad
-.sp .6
-.RS 4n
-Quiet mode. Nothing is sent to the system log. Normally the beginning,
-authentication, and termination of each connection is logged.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-t\fR\fR
-.ad
-.sp .6
-.RS 4n
-Test mode. Check only the validity of the configuration file and the sanity of
-the keys. This is useful for updating sshd reliably as configuration options
-might change.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-D\fR\fR
-.ad
-.sp .6
-.RS 4n
-When this option is specified \fBsshd\fR does not detach and does not become a
-daemon. This allows easy monitoring of \fBsshd\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-4\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBsshd\fR to use IPv4 addresses only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB-6\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forces \fBsshd\fR to use IPv6 addresses only.
-.RE
-
-.SH EXTENDED DESCRIPTION
-.SS "\fBauthorized_keys\fR File Format"
-.LP
-The \fB$HOME/.ssh/authorized_keys\fR file lists the public keys that are
-permitted for RSA authentication in protocol version 1 and for public key
-authentication (\fBPubkeyAuthentication\fR) in protocol version 2. The
-\fBAuthorizedKeysFile\fR configuration option can be used to specify an
-alternative file.
-.sp
-.LP
-Each line of the file contains one key (empty lines and lines starting with a
-hash mark [\fB#\fR] are ignored as comments).
-.sp
-.LP
-For each RSA key for protocol version 1, the file consists of the following
-space-separated fields:
-.sp
-.in +2
-.nf
-\fIoptions\fR \fIbits\fR \fIexponent\fR \fImodulus\fR \fIcomment\fR
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-For the public key for protocol version 2, the file consists of the following
-space-separated fields:
-.sp
-.in +2
-.nf
-\fIoptions\fR \fIkey-type\fR \fIbase64-encoding-key\fR \fIcomment\fR
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-For protocol version 2, \fIkey-type\fR is one of \fBssh-rsa\fR or
-\fBssh-dsa\fR.
-.sp
-.LP
-The options field is optional; its presence is determined by whether the line
-starts with a number. (The option field never starts with a number.) The bits,
-exponent, and modulus fields give the RSA key; the comment field is a
-convenient place for you to identify the key.
-.sp
-.LP
-Lines in this file are usually several hundred bytes long (because of the size
-of the key modulus). You will find it very inconvenient to type them in;
-instead, copy the public key file and edit it.
-.sp
-.LP
-Permissions of this file must be set so that it is not world or group writable.
-See the \fBStrictModes\fR option of \fBsshd_config\fR(4).
-.sp
-.LP
-The options (if present) consist of comma-separated option specifications. No
-spaces are permitted, except within double quotes. The following option
-specifications are supported:
-.sp
-.ne 2
-.na
-\fB\fBfrom="\fIpattern-list\fR"\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that, in addition to public key authentication, the canonical name of
-the remote host must be present in the comma-separated list of patterns
-(`\fB*\fR' and `\fB?\fR' serve as wildcards). The list can also contain negated
-patterns by prefixing the patterns with `\fB!\fR'. If the canonical host name
-matches a negated pattern, the key is not accepted.
-.sp
-The purpose of this option is to give you the option of increasing security:
-public key authentication by itself does not trust the network or name servers
-or anything but the key. However, if someone manages to steal the key,
-possession of the key would permit the intruder to log in from anywhere in the
-world. This option makes using a stolen key more difficult, because name
-servers and routers would have to be compromised, in addition to just the key.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBcommand="\fIcommand\fR"\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that the \fIcommand\fR is executed whenever this key is used for
-authentication. The command supplied by the user (if any) is ignored. The
-command is run on a \fBpty\fR if the client requests a \fBpty\fR; otherwise it
-is run without a \fBtty\fR. If an 8-bit clean channel is required, one must not
-request a \fBpty\fR or should specify \fBno-pty\fR. You can include a quote in
-the command by escaping it with a backslash. This option might be useful to
-restrict certain public keys from performing a specific operation. An example
-is a key that permits remote backups but nothing else. Note that the client can
-specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited from
-doing so. Also note that this option applies to shell, command, or subsystem
-execution.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBenvironment="\fINAME\fR=\fIvalue\fR"\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that the string \fINAME\fR=\fIvalue\fR is to be added to the
-environment when logging in using this key. Environment variables set this way
-override other default environment values. Multiple options of this type are
-permitted. Environment processing is disabled by default and is controlled via
-the \fBPermitUserEnvironment\fR option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBno-port-forwarding\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forbids TCP/IP forwarding when this key is used for authentication. Any port
-forward requests by the client will return an error. This might be used, for
-example, in connection with the \fBcommand\fR option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBno-X11-forwarding\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forbids X11 forwarding when this key is used for authentication. Any X11
-forward requests by the client will return an error.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBno-agent-forwarding\fR\fR
-.ad
-.sp .6
-.RS 4n
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBno-pty\fR\fR
-.ad
-.sp .6
-.RS 4n
-Prevents \fBtty\fR allocation (a request to allocate a \fBpty\fR will fail).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBpermitopen="\fIhost\fR:\fIport\fR"\fR\fR
-.ad
-.sp .6
-.RS 4n
-Limit local \fBssh\fR \fB-L\fR port forwarding such that it can connect only to
-the specified host and port. IPv6 addresses can be specified with an
-alternative syntax: \fIhost\fR/\fIport\fR. You can invoke multiple
-\fBpermitopen\fR options, with each instance separated by a comma. No pattern
-matching is performed on the specified hostnames. They must be literal domains
-or addresses.
-.RE
-
-.SS "\fBssh_known_hosts\fR File Format"
-.LP
-The \fB/etc/ssh/ssh_known_hosts\fR and \fB$HOME/.ssh/known_hosts\fR files
-contain host public keys for all known hosts. The global file should be
-prepared by the administrator (optional), and the per-user file is maintained
-automatically: whenever the user connects from an unknown host its key is added
-to the per-user file.
-.sp
-.LP
-For the RSA key for protocol version 1, these files consist of the following
-space-separated fields:
-.sp
-.in +2
-.nf
-\fIhostnames\fR \fIbits\fR \fIexponent\fR \fImodulus\fR \fIcomment\fR
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-For the public key for protocol version 2, these files consist of the following
-space-separated fields:
-.sp
-.in +2
-.nf
-\fIhostnames\fR \fIkey-type\fR \fIbase64-encoding-key\fR \fIcomment\fR
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-For protocol version 2, \fIkey-type\fR is one of \fBssh-rsa\fR or
-\fBssh-dsa\fR.
-.sp
-.LP
-Hostnames is a comma-separated list of patterns (\fB*\fR and \fB?\fR act as
-wildcards); each pattern in turn is matched against the canonical host name
-(when authenticating a client) or against the user-supplied name (when
-authenticating a server). A pattern can also be preceded by \fB!\fR to indicate
-negation: if the host name matches a negated pattern, it is not accepted (by
-that line) even if it matched another pattern on the line.
-.sp
-.LP
-Alternately, hostnames can be stored in a hashed form, which hides host names
-and addresses should the file's contents be disclosed. Hashed hostnames start
-with a vertical bar (\fB|\fR) character. Only one hashed hostname can appear on
-a single line and none of the above negation or wildcard operators may be
-applied.
-.sp
-.LP
-Bits, exponent, and modulus are taken directly from the RSA host key; they can
-be obtained, for example, from \fB/etc/ssh/ssh_host_rsa_key.pub\fR. The
-optional comment field continues to the end of the line, and is not used.
-.sp
-.LP
-Lines starting with a hash mark (\fB#\fR) and empty lines are ignored as
-comments.
-.sp
-.LP
-When performing host authentication, authentication is accepted if any matching
-line has the proper key. It is thus permissible (but not recommended) to have
-several lines or different host keys for the same names. This will inevitably
-happen when short forms of host names from different domains are put in the
-file. It is possible that the files contain conflicting information;
-authentication is accepted if valid information can be found from either file.
-.sp
-.LP
-The lines in these files are typically hundreds of characters long. You should
-definitely not type in the host keys by hand. Rather, generate them by a script
-or by taking \fB/etc/ssh/ssh_host_rsa_key.pub\fR and adding the host names at
-the front.
-.SH ENVIRONMENT VARIABLES
-.LP
-\fBsshd\fR sets the following environment variables for commands executed by
-\fBssh\fR users:
-.sp
-.ne 2
-.na
-\fB\fBDISPLAY\fR\fR
-.ad
-.sp .6
-.RS 4n
-Indicates the location of the X11 server. It is automatically set by \fBsshd\fR
-to point to a value of the form \fIhostname\fR:\fIn\fR, where \fIhostname\fR
-indicates the host where the shell runs, and \fIn\fR is an integer greater than
-or equal to 1. \fBssh\fR uses this special value to forward X11 connections
-over the secure channel. Unless you have important reasons to do otherwise, you
-should not set \fBDISPLAY\fR explicitly, as that will render the X11 connection
-insecure and will require you to manually copy any required authorization
-cookies.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBHOME\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set to the path of the user's home directory.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLANG\fR, \fBLC_ALL\fR, \fBLC_COLLATE\fR, \fBLC_CTYPE\fR,
-\fBLC_MESSAGES\fR, \fBLC_MONETARY\fR, \fBLC_NUMERIC\fR, \fBLC_TIME\fR\fR
-.ad
-.sp .6
-.RS 4n
-A locale setting. The locale defaults to that of \fBsshd\fR (usually the
-system-wide default locale), or is negotiated between the client and server
-during initial key exchange (as per RFC 4253).
-.sp
-Following initial key exchange, each of the variables can be overriden in the
-following sequence:
-.RS +4
-.TP
-1.
-If a locale setting is set in a client's environment and that client
-supports "Environment Variable Passing" (see RFC 4254), then the setting will
-be passed over to the server side.
-.RE
-.RS +4
-.TP
-2.
-If the public key authentication method was used to authenticate the server
-and the \fBPermitUserEnvironment\fR variable in \fBsshd_config\fR(4) is set to
-\fByes\fR on the server side, then the setting can be changed through the use
-of the \fBenvironment\fR option in the client's \fBAuthorizedKeysFile\fR file.
-.RE
-.RS +4
-.TP
-3.
-The setting can be change in the client's \fB~/.ssh/environment\fR file on
-the server.
-.RE
-See \fBPermitUserEnvironment\fR in \fBsshd_config\fR(4) as to when the
-\fBAuthorizedKeysFile\fR and \fB~/.ssh/environment\fR files are processed and
-used for setting the user environment.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLOGNAME\fR\fR
-.ad
-.sp .6
-.RS 4n
-Synonym for \fBUSER\fR. Set for compatibility with systems that use this
-variable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBMAIL\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set to point to the user's mailbox.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_AUTH_SOCK\fR\fR
-.ad
-.sp .6
-.RS 4n
-Indicates the path of a \fBunix-domain\fR socket used to communicate with the
-agent.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_CONNECTION\fR\fR
-.ad
-.sp .6
-.RS 4n
-Identifies the client and server ends of the connection. The variable contains
-four space-separated values: client IP address, client port number, server IP
-address and server port number.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_CLIENT\fR\fR
-.ad
-.sp .6
-.RS 4n
-Identifies the client end of the connection. The variable contains three
-space-separated values: client IP address, client port number, and server port
-number.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSSH_TTY\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set to the name of the \fBtty\fR (path to the device) associated with the
-current shell or command. If the current session has no \fBtty\fR, this
-variable is not set.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBTZ\fR\fR
-.ad
-.sp .6
-.RS 4n
-Indicates the present timezone, if \fBTIMEZONE\fR is set in
-\fB/etc/default/login\fR or if \fBTZ\fR was set when the daemon was started.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBHZ\fR\fR
-.ad
-.sp .6
-.RS 4n
-If set in \fB/etc/default/login\fR, the daemon sets it to the same value.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSHELL\fR\fR
-.ad
-.sp .6
-.RS 4n
-The user's shell, if \fBALTSHELL=YES\fR in \fB/etc/default/login\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPATH\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set to the value of \fBPATH\fR or \fBSUPATH\fR (see \fBlogin\fR(1)) in
-\fB/etc/default/login\fR, or, if not set, to \fB/usr/bin:/bin\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUSER\fR\fR
-.ad
-.sp .6
-.RS 4n
-Set to the name of the user logging in.
-.RE
-
-.sp
-.LP
-Additionally, \fBsshd\fR reads \fB$HOME/.ssh/environment\fR and adds lines of
-the format \fBVARNAME=\fIvalue\fR\fR to the environment.
-.SH EXAMPLES
-.LP
-In the following examples, certain lines might wrap due to line length limits
-in your display. You should nevertheless consider the wrapped line as a single
-line.
-.LP
-\fBExample 1 \fR\fBauthorized_key\fR File Entries
-.sp
-.LP
-The following are examples of \fBauthorized_key\fR file entries for protocol 1:
-
-.sp
-.in +2
-.nf
-1024 33 12121...312314325 ylo@foo.bar
-
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
-
-command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
-.fi
-.in -2
-.sp
-
-.LP
-\fBExample 2 \fR\fBauthorized_key\fR File Entries for Protocol 2
-.sp
-.LP
-The following are examples of \fBauthorized_key\fR file entries for protocol 2:
-
-.sp
-.in +2
-.nf
-ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8= ylo@foo.bar
-from="*.niksula.hut.fi" ssh-rsa AAAAB3NzaC...uw8= ylo@niksula
-command="dump /home",no-pty,no-port-forwarding ssh-rsa AA..8= backup.hut.fi
-.fi
-.in -2
-.sp
-
-.LP
-\fBExample 3 \fR\fBssh_known_hosts\fR File Entries for Protocol 1
-.sp
-.LP
-The following are examples of \fBssh_known_hosts\fR file entries for protocol
-1:
-
-.sp
-.in +2
-.nf
-closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
-.fi
-.in -2
-.sp
-
-.LP
-\fBExample 4 \fR\fBssh_known_hosts\fR File Entries for Protocol 2
-.sp
-.LP
-The following are examples of \fBssh_known_hosts\fR file entries for protocol
-2:
-
-.sp
-.in +2
-.nf
-closenet,closenet.hut.fi,...,130.233.208.41 ssh-rsa AA..8= closenet.hut.fi
-.fi
-.in -2
-.sp
-
-.SH EXIT STATUS
-.LP
-The following exit values are returned:
-.sp
-.ne 2
-.na
-\fB\fB0\fR\fR
-.ad
-.RS 13n
-Successful completion.
-.RE
-
-.sp
-.ne 2
-.na
-\fB>\fB0\fR\fR
-.ad
-.RS 13n
-An error occurred.
-.RE
-
-.SH FILES
-.ne 2
-.na
-\fB\fB/etc/default/login\fR\fR
-.ad
-.sp .6
-.RS 4n
-Contains defaults for several \fBsshd_config\fR parameters, environment
-variables, and other environmental factors.
-.sp
-The following parameters affect environment variables (see \fBlogin\fR(1) and
-descriptions of these variables, above):
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBTIMEZONE\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBHZ\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBALTSHELL\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBPATH\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBSUPATH\fR
-.RE
-The following \fB/etc/default/login\fR parameters supply default values for
-corresponding \fBsshd_config\fR(4) parameters:
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBCONSOLE\fR (see \fBPermitRootLogin\fR in \fBsshd_config\fR(4))
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBPASSREQ\fR (see \fBPermitEmptyPasswords\fR in \fBsshd_config\fR(4))
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBTIMEOUT\fR (see \fBLoginGraceTime\fR in \fBsshd_config\fR(4))
-.RE
-The following \fB/etc/default/login\fR parameters:
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBUMASK\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBULIMIT\fR
-.RE
-\&...set the \fBumask\fR(2) and file size limit of, respectively, the shells
-and commands spawned by \fBsshd\fR.
-.sp
-Finally, two \fB/etc/default/login\fR parameters affect the maximum allowed
-login attempts per-connection using interactive user authentication methods
-(for example, \fBkeyboard-interactive\fR but not \fBpublickey\fR), as per
-\fBlogin\fR(1):
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBRETRIES\fR
-.RE
-.RS +4
-.TP
-.ie t \(bu
-.el o
-\fBSYSLOG_FAILED_LOGINS\fR
-.RE
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/sshd_config\fR\fR
-.ad
-.sp .6
-.RS 4n
-Contains configuration data for \fBsshd\fR. This file should be writable by
-root only, but it is recommended (though not necessary) that it be
-world-readable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/ssh_host_key\fR\fR
-.ad
-.br
-.na
-\fB\fB/etc/ssh/ssh_host_dsa_key\fR\fR
-.ad
-.br
-.na
-\fB\fB/etc/ssh/ssh_host_rsa_key\fR\fR
-.ad
-.sp .6
-.RS 4n
-Contains the private part of the host key. This file should only be owned by
-root, readable only by root, and not accessible to others. \fBsshd\fR does not
-start if this file is group/world-accessible.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/ssh_host_key.pub\fR\fR
-.ad
-.br
-.na
-\fB\fB/etc/ssh/ssh_host_dsa_key.pub\fR\fR
-.ad
-.br
-.na
-\fB\fB/etc/ssh/ssh_host_rsa_key.pub\fR\fR
-.ad
-.sp .6
-.RS 4n
-Contains the public part of the host key. This file should be world-readable
-but writable only by root. Its contents should match the private part. This
-file is not used for encryption; it is provided only for the convenience of the
-user so its contents can be copied to known hosts files. These two files are
-created using \fBssh-keygen\fR(1).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/var/run/sshd.pid\fR\fR
-.ad
-.sp .6
-.RS 4n
-Contains the process ID of the \fBsshd\fR listening for connections. If there
-are several daemons running concurrently for different ports, this contains the
-pid of the one started last. The content of this file is not sensitive; it can
-be world-readable. You can use the \fBPidFile\fR keyword in \fBsshd_config\fR
-to specify a file other than \fB/var/run/sshd.pid\fR. See \fBsshd_config\fR(4).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/ssh/ssh_known_hosts\fR and \fB$HOME/.ssh/known_hosts\fR\fR
-.ad
-.sp .6
-.RS 4n
-These files are consulted when using \fBrhosts\fR with public key host
-authentication to check the public key of the host. The key must be listed in
-one of these files to be accepted. The client uses the same files to verify
-that the remote host is the one it intended to connect. These files should be
-writable only by root or the owner. \fB/etc/ssh/ssh_known_hosts\fR should be
-world-readable, and \fB$HOME/.ssh/known_hosts\fR can but need not be
-world-readable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/nologin\fR\fR
-.ad
-.sp .6
-.RS 4n
-If this file exists, \fBsshd\fR refuses to let anyone except root log in. The
-contents of the file are displayed to anyone trying to log in, and non-root
-connections are refused. The file should be world-readable.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.ssh/authorized_keys\fR\fR
-.ad
-.sp .6
-.RS 4n
-Lists the public keys (RSA or DSA) that can be used to log into the user's
-account. This file must be readable by root. This might, on some machines,
-imply that it is world-readable if the user's home directory resides on an NFS
-volume. It is recommended that it not be accessible by others. The format of
-this file is described above. Users will place the contents of their
-\fBidentity.pub\fR, \fBid_dsa.pub\fR and/or \fBid_rsa.pub\fR files into this
-file, as described in \fBssh-keygen\fR(1).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.rhosts\fR\fR
-.ad
-.sp .6
-.RS 4n
-This file contains host-username pairs, separated by a space, one per line. The
-given user on the corresponding host is permitted to log in without password.
-The same file is used by \fBrlogind\fR and \fBrshd\fR. The file must be
-writable only by the user; it is recommended that it not be accessible by
-others. It is also possible to use \fBnetgroups\fR in the file. Either host or
-user name may be of the form \fB+@\fIgroupname\fR\fR to specify all hosts or
-all users in the group.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB$HOME/.shosts\fR\fR
-.ad
-.sp .6
-.RS 4n
-For \fBssh\fR, this file is exactly the same as for \fB\&.rhosts\fR. However,
-this file is not used by \fBrlogin\fR and \fBrshd\fR, so using this permits
-access using SSH only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fB/etc/hosts.equiv\fR\fR
-.ad
-.sp .6
-.RS 4n
-This file is used during \fB\&.rhosts\fR authentication. In its simplest form,
-this file contains host names, one per line. Users on these hosts are permitted
-to log in without a password, provided they have the same user name on both
-machines. The host name can also be followed by a user name; such users are
-permitted to log in as any user on this machine (except root).
Additionally, -the syntax \fB+@\fIgroup\fR\fR can be used to specify netgroups. Negated -entries start with a hyphen (\fB-\fR). -.sp -If the client host/user is successfully matched in this file, login is -automatically permitted, provided the client and server user names are the -same. Additionally, successful RSA host authentication is normally required. -This file must be writable only by root; it is recommended that it be -world-readable. -.sp -Warning: It is almost never a good idea to use user names in \fBhosts.equiv\fR. -Beware that it really means that the named user(s) can log in as anybody, which -includes \fBbin\fR, \fBdaemon\fR, \fBadm\fR, and other accounts that own -critical binaries and directories. For practical purposes, using a user name -grants the user root access. Probably the only valid use for user names is in -negative entries. This warning also applies to \fBrsh\fR/\fBrlogin\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB/etc/ssh/moduli\fR\fR -.ad -.sp .6 -.RS 4n -A private file. -.RE - -.sp -.ne 2 -.na -\fB\fB/etc/ssh/shosts.equiv\fR\fR -.ad -.sp .6 -.RS 4n -This file is processed exactly as \fB/etc/hosts.equiv\fR. However, this file -might be useful in environments that want to run both \fBrsh\fR/\fBrlogin\fR -and \fBssh\fR. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/environment\fR\fR -.ad -.sp .6 -.RS 4n -This file is read into the environment at login (if it exists). It can contain -only empty lines, comment lines (that start with \fB#\fR), and assignment lines -of the form \fB\fIname\fR=\fIvalue\fR\fR. The file should be writable only by -the user; it need not be readable by anyone else. Environment processing is -disabled by default and is controlled by means of the -\fBPermitUserEnvironment\fR option. -.RE - -.sp -.ne 2 -.na -\fB\fB$HOME/.ssh/rc\fR\fR -.ad -.sp .6 -.RS 4n -If this file exists, it is run with \fB/bin/sh\fR after reading the environment -files but before starting the user's shell or command. 
If X11 spoofing is in -use, this will receive the \fBproto cookie\fR pair in standard input (and -\fBDISPLAY\fR in environment). This must call \fBxauth\fR in that case. -.sp -The primary purpose of \fB$HOME/.ssh/rc\fR is to run any initialization -routines that might be needed before the user's home directory becomes -accessible; AFS is a particular example of such an environment. If this file -exists, it is run with \fB/bin/sh\fR after reading the environment files, but -before starting the user's shell or command. It must not produce any output on -stdout; stderr must be used instead. If X11 forwarding is in use, it will -receive the \fBproto cookie\fR pair in its standard input and \fBDISPLAY\fR in -its environment. The script must call \fBxauth\fR because \fBsshd\fR will not -run \fBxauth\fR automatically to add X11 cookies. -.sp -This file will probably contain some initialization code followed by something -similar to: -.sp -.in +2 -.nf -if read proto cookie && [ -n "$DISPLAY" ] -then - if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ] - then - # X11UseLocalhost=yes - echo add unix:`echo $DISPLAY | - cut -c11-` $proto $cookie - else - # X11UseLocalhost=no - echo add $DISPLAY $proto $cookie - fi | xauth -q - -fi -.fi -.in -2 -.sp - -If this file does not exist, \fB/etc/ssh/sshrc\fR is run, and if that does not -exist, \fBxauth\fR is used to store the cookie. \fB$HOME/.ssh/rc\fR should be -writable only by the user, and need not be readable by anyone else. -.RE - -.sp -.ne 2 -.na -\fB\fB/etc/ssh/sshrc\fR\fR -.ad -.sp .6 -.RS 4n -Similar to \fB$HOME/.ssh/rc\fR. This can be used to specify machine-specific -login-time initializations globally. This file should be writable only by root, -and should be world-readable. 
-.RE - -.SH SECURITY -.LP -\fBsshd\fR supports the use of several user authentication mechanisms: a public -key system where keys are associated with users (through users' -\fBauthorized_keys\fR files), a public key system where keys are associated -with hosts (see the \fBHostbasedAuthentication\fR configuration parameter), a -GSS-API based method (see the \fBGssAuthentication\fR and \fBGssKeyEx\fR -configuration parameters) and three initial authentication methods: \fBnone\fR, -\fBpassword\fR, and a generic prompt/reply protocol, -\fBkeyboard-interactive\fR. -.sp -.LP -\fBsshd\fR negotiates the use of the GSS-API with clients only if it has a -GSS-API acceptor credential for the "host" service. This means that, for -GSS-API based authentication, the server must have a Kerberos V \fBkeytab\fR -entry (see below) or the equivalent for any other GSS-API mechanism that might -be installed. -.sp -.LP -In order for Kerberos authentication to work, a \fBhost/\fR\fI<FQDN>\fR -Kerberos principal must exist for each Fully Qualified Domain Name associated -with the \fBin.sshd\fR server. Each of these \fBhost/\fR\fI<FQDN>\fR principals -must have a \fBkeytab\fR entry in the \fB/etc/krb5/krb5.keytab\fR file on the -\fBin.sshd\fR server. An example principal might be: -.sp -.LP -\fBhost/bigmachine.eng.example.com\fR -.sp -.LP -See \fBkadmin\fR(1M) for instructions on adding a principal to a -\fBkrb5.keytab\fR file. See \fI\fR for a discussion of Kerberos -authentication. -.sp -.LP -GSS-API authorization is covered in \fBgss_auth_rules\fR(5). -.sp -.LP -\fBsshd\fR uses \fBpam\fR(3PAM) for the three initial authentication methods as -well as for account management, session management, and password management for -all authentication methods. -.sp -.LP -Specifically, \fBsshd\fR calls \fBpam_authenticate()\fR for the "none," -"password" and "keyboard-interactive" SSHv2 \fBuserauth\fR types, as well as -for for the null and password authentication methods for SSHv1. 
Other SSHv2 -authentication methods do not call \fBpam_authenticate()\fR. -\fBpam_acct_mgmt()\fR is called for each authentication method that succeeds. -.sp -.LP -\fBpam_setcred()\fR and \fBpam_open_session()\fR are called when authentication -succeeds and \fBpam_close_session()\fR is called when connections are closed. -.sp -.LP -\fBpam_open_session()\fR and \fBpam_close_session()\fR are also called when -SSHv2 channels with \fBpty\fRs are opened and closed. -.sp -.LP -Each SSHv2 \fBuserauth\fR type has its own PAM service name: -.sp - -.sp -.TS -box; -c | c -l | l . -SSHv2 Userauth PAM Service Name -_ -none sshd-none -_ -password sshd-password -_ -keyboard-interactive sshd-kbdint -_ -pubkey sshd-pubkey -_ -hostbased sshd-hostbased -_ -gssapi-with-mic sshd-gssapi -_ -gssapi-keyex sshd-gssapi -.TE - -.sp -.LP -For SSHv1, \fBsshd-v1\fR is always used. -.sp -.LP -If \fBpam_acct_mgmt()\fR returns \fBPAM_NEW_AUTHTOK_REQD\fR (indicating that -the user's authentication tokens have expired), then \fBsshd\fR forces the use -of "keyboard-interactive" \fBuserauth\fR, if version 2 of the protocol is in -use. The "keyboard-interactive" \fBuserauth\fR will call \fBpam_chauthtok()\fR -if \fBpam_acct_mgmt()\fR once again returns \fBPAM_NEW_AUTHTOK_REQD\fR. By this -means, administrators are able to control what authentication methods are -allowed for SSHv2 on a per-user basis. -.SS "Setting up Host-based Authentication" -.LP -To establish host-based authentication, you must perform the following steps: -.RS +4 -.TP -.ie t \(bu -.el o -Configure the client. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Configure the server. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Publish known hosts. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Make appropriate entries in \fB/etc/ssh/shosts.equiv\fR and \fB~/.shosts\fR. -.RE -.sp -.LP -These steps are expanded in the following paragraphs. 
-.RS +4 -.TP -.ie t \(bu -.el o -On a client machine, in the system-wide client configuration file, -\fB/etc/ssh/ssh_config\fR, you must have the entry: -.sp -.in +2 -.nf -HostbasedAuthentication yes -.fi -.in -2 - -See \fBssh_config\fR(4) and \fBssh-keysign\fR(1M). -.RE -.RS +4 -.TP -.ie t \(bu -.el o -On the server, in the system-wide server configuration file, -\fB/etc/ssh/sshd_config\fR, you must have the entry: -.sp -.in +2 -.nf -HostbasedAuthentication yes -.fi -.in -2 - -If per-user \fB\&.shost\fR files are to be allowed (see last step), in the same -file, you must have: -.sp -.in +2 -.nf -IgnoreRhosts no -.fi -.in -2 - -See \fBsshd_config\fR(4) for a description of these keywords. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -To publish known hosts, you must have entries for the clients from which users -will be allowed host-based authentication. Make these entries in either or both -of the system-wide file (\fB/etc/ssh/ssh_known_hosts\fR) or the per-user file -(\fB~/.ssh/known_hosts\fR). -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Note that \fBsshd\fR uses \fB\&.shosts\fR, not \fB\&.rhosts\fR. If you want the -functionality provided by \fB\&.rhosts\fR, but do not want to use \fBrlogin\fR -or \fBrsh\fR because of their security shortcomings, you can use -\fB\&.shosts\fR in conjunction with \fBsshd\fR. To use this feature, make -appropriate entries in \fB/etc/ssh/shosts.equiv\fR and \fB~/.shosts\fR, in the -format specified in \fBrhosts\fR(4). -.sp -For the vast majority of network environments, \fB\&.shosts\fR is preferred -over \fB\&.rhosts\fR. -.RE -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Evolving -.TE - -.sp -.LP -The interface stability of \fB/etc/ssh/moduli\fR is Private. 
-.SH SEE ALSO
-.LP
-\fBlogin\fR(1), \fBscp\fR(1), \fBssh\fR(1), \fBssh-add\fR(1),
-\fBssh-agent\fR(1), \fBssh-keygen\fR(1), \fBsvcs\fR(1),
-\fBkadmin\fR(1M), \fBsftp-server\fR(1M), \fBssh-keysign\fR(1M),
-\fBsvcadm\fR(1M), \fBpam\fR(3PAM), \fBrhosts\fR(4), \fBssh_config\fR(4),
-\fBsshd_config\fR(4), \fBattributes\fR(5), \fBgss_auth_rules\fR(5),
-\fBkerberos\fR(5), \fBpam_roles\fR(5), \fBsmf\fR(5)
-.sp
-.LP
-\fI\fR
-.SH NOTES
-.LP
-The \fBsshd\fR service is managed by the service management facility,
-\fBsmf\fR(5), under the service identifier:
-.sp
-.in +2
-.nf
-svc:/network/ssh:default
-.fi
-.in -2
-.sp
-
-.sp
-.LP
-Administrative actions on this service, such as enabling, disabling, or
-requesting restart, can be performed using \fBsvcadm\fR(1M). The service's
-status can be queried using the \fBsvcs\fR(1) command.
-.sp
-.LP
-\fBsshd\fR always sets \fBPAM_RHOST\fR and sets \fBPAM_AUSER\fR in the case of
-host-based \fBuserauth\fR. This behavior allows for remote logins to roles
-using host-based authentication. See \fBpam_roles\fR(5).
diff --git a/usr/src/man/man4/Makefile b/usr/src/man/man4/Makefile
index a4a64fbd8f..26e46b0532 100644
--- a/usr/src/man/man4/Makefile
+++ b/usr/src/man/man4/Makefile
@@ -187,8 +187,6 @@ _MANFILES= Intro.4 \
 sndr.4 \
 sock2path.d.4 \
 space.4 \
- ssh_config.sunssh.4 \
- sshd_config.sunssh.4 \
 sulog.4 \
 syslog.conf.4 \
 system.4 \
@@ -243,8 +241,6 @@ _MANLINKS= addresses.4 \
 rhosts.4 \
 sendmail.cf.4 \
 snapshot_cache.4 \
- ssh_config.4 \
- sshd_config.4 \
 submit.cf.4 \
 volume-defaults.4 \
 wtmp.4 \
@@ -296,8 +292,6 @@ pcie.4 := LINKSRC = pci.4
 sendmail.cf.4 := LINKSRC = sendmail.4
 submit.cf.4 := LINKSRC = sendmail.4
-ssh_config.4 := LINKSRC = ssh_config.sunssh.4
-sshd_config.4 := LINKSRC = sshd_config.sunssh.4
 isa.4 := LINKSRC = sysbus.4
diff --git a/usr/src/man/man4/ssh_config.sunssh.4 b/usr/src/man/man4/ssh_config.sunssh.4
deleted file mode 100644
index 57a94dd03c..0000000000
--- a/usr/src/man/man4/ssh_config.sunssh.4
+++ /dev/null
@@ -1,909 +0,0 @@
-'\" te
-.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
-.\" To view Portions Copyright for OpenSSH, the default path is /var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris operating environment has been installed anywhere other than the default, modify the specified path to access the file at the installed location.
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
-.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
-.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSH_CONFIG 4 "Jan 17, 2013"
-.SH NAME
-ssh_config \- ssh configuration file
-.SH SYNOPSIS
-.LP
-.nf
-\fB/etc/ssh/ssh_config\fR
-.fi
-
-.LP
-.nf
-\fB$HOME/.ssh/config\fR
-.fi
-
-.SH DESCRIPTION
-.LP
-The first \fBssh_config\fR path, above, provides the system-wide defaults for
-\fBssh\fR(1). The second version is user-specific defaults for \fBssh\fR.
-.sp
-.LP
-\fBssh\fR obtains configuration data from the following sources, in this order:
-command line options, user's configuration file (\fB$HOME/.ssh/config\fR), and
-system-wide configuration file (\fB/etc/ssh/ssh_config\fR). For each parameter,
-the first obtained value is used. The configuration files contain sections
-bracketed by \fBHost\fR specifications, and that section is applied only for
-hosts that match one of the patterns given in the specification.
The matched -host name is the one given on the command line. -.sp -.LP -Since the first obtained value for each parameter is used, host-specific -declarations should be given near the beginning of the file, and general -defaults at the end. -.sp -.LP -The configuration file has the following format and syntax: -.RS +4 -.TP -.ie t \(bu -.el o -Empty lines and lines starting with \fB#\fR are comments. -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Non-commented lines are of the form: -.sp -.in +2 -.nf -\fIkeyword\fR \fIarguments\fR -.fi -.in -2 -.sp - -.RE -.RS +4 -.TP -.ie t \(bu -.el o -Configuration options can be separated by white space or optional whitespace -and exactly one equal sign. The latter format allows you to avoid the need to -quote white space when specifying configuration options using the \fB-o\fR -option to \fBssh\fR, \fBscp\fR, and \fBsftp\fR. -.RE -.sp -.LP -The possible keywords and their meanings are listed in the following -list.Keywords are case-insensitive and arguments are case-sensitive. -.sp -.ne 2 -.na -\fB\fBBatchMode\fR\fR -.ad -.sp .6 -.RS 4n -The argument must be \fByes\fR or \fBno\fR. If set to \fByes\fR, -passphrase/password querying is disabled. This option is useful in scripts and -other batch jobs where you have no user to supply the password. -.RE - -.sp -.ne 2 -.na -\fB\fBBindAddress\fR\fR -.ad -.sp .6 -.RS 4n -Specify the interface to transmit from on machines with multiple interfaces or -aliased addresses. This option does not work if \fBUsePrivilegedPort\fR is set -to \fByes\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBCheckHostIP\fR\fR -.ad -.sp .6 -.RS 4n -If this flag is set to \fByes\fR, \fBssh\fR additionally checks the host IP -address in the \fBknown_hosts\fR file. This allows \fBssh\fR to detect if a -host key changed due to DNS spoofing. If the option is set to \fBno\fR, the -check is not executed. 
-.RE - -.sp -.ne 2 -.na -\fB\fBCipher\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the cipher to use for encrypting the session in protocol version 1. -Only a single cipher can be specified. Currently, \fBblowfish, 3des,\fR and -\fBdes\fR are supported. \fB3des\fR (triple-\fBdes\fR) is an -encrypt-decrypt-encrypt triple with three different keys. It is believed to be -secure. \fBblowfish\fR is a fast block cipher. It appears very secure and is -much faster than \fB3des\fR. \fBdes\fR is only supported in the \fBssh\fR -client for interoperability with legacy protocol 1 implementations that do not -support the \fB3des\fR cipher. Its use is strongly discouraged due to -cryptographic weaknesses. The default is \fB3des\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBCiphers\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the ciphers allowed for protocol version 2 in order of preference. -Multiple ciphers must be comma separated. -.sp -The default cipher list contains all supported ciphers in this order: -.sp -.in +2 -.nf -aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, aes128-cbc, -aes192-cbc, aes256-cbc, arcfour, 3des-cbc,blowfish-cbc -.fi -.in -2 -.sp - -While CBC modes are not considered as secure as other modes in connection with -the SSH protocol 2 they are present at the back of the default client cipher -list for backward compatibility with SSH servers that do not support other -cipher modes. -.RE - -.sp -.ne 2 -.na -\fB\fBClearAllForwardings\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that all local, remote, and dynamic port forwardings specified in the -configuration files or on the command line be cleared. This option is primarily -useful when used from the \fBssh\fR command line to clear port forwardings set -in configuration files and is automatically set by \fBscp\fR(1) and -\fBsftp\fR(1). The argument must be \fByes\fR or \fBno\fR. The default is -\fBno\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBCompression\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether to use compression. 
The argument must be \fByes\fR or -\fBno\fR. Defaults to \fBno\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBCompressionLevel\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the compression level to use if compression is enabled. The argument -must be an integer from 1 (fast) to 9 (slow, best). The default level is 6, -which is good for most applications. This option applies to protocol version 1 -only. -.RE - -.sp -.ne 2 -.na -\fB\fBConnectionAttempts\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the number of tries (one per second) to make before falling back to -\fBrsh\fR or exiting. The argument must be an integer. This can be useful in -scripts if the connection sometimes fails. The default is 1. -.RE - -.sp -.ne 2 -.na -\fB\fBConnectTimeout\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the timeout (in seconds) used when connecting to the \fBssh\fR -server, instead of using the default system TCP timeout. This value is used -only when the target is down or truly unreachable, not when it refuses the -connection. -.RE - -.sp -.ne 2 -.na -\fB\fBDisableBanner\fR\fR -.ad -.sp .6 -.RS 4n -If set to \fByes\fR, disables the display of the banner message. If set to -\fBin-exec-mode\fR, disables the display of banner message when in remote -command mode only. -.sp -The default value is \fBno\fR, which means that the banner is displayed unless -the log level is \fBQUIET\fR, \fBFATAL\fR, or \fBERROR\fR. See also the -\fBBanner\fR option in \fBsshd_config\fR(4). This option applies to protocol -version 2 only. -.RE - -.sp -.ne 2 -.na -\fB\fBDynamicForward\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that a TCP/IP port on the local machine be forwarded over the secure -channel. The application protocol is then used to determine where to connect to -from the remote machine. -.sp -The argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR. IPv6 -addresses can be specified by enclosing addresses in square brackets or by -using an alternative syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR. 
By -default, the local port is bound in accordance with the \fBGatewayPorts\fR -setting. However, an explicit \fIbind_address\fR can be used to bind the -connection to a specific address. The \fIbind_address\fR of \fBlocalhost\fR -indicates that the listening port be bound for local use only, while an empty -address or \fB*\fR indicates that the port should be available from all -interfaces. -.sp -Currently the \fBSOCKS4\fR and \fBSOCKS5\fR protocols are supported, and -\fBssh\fR acts as a \fBSOCKS\fR server. Multiple forwardings can be specified -and additional forwardings can be specified on the command line. Only a user -with enough privileges can forward privileged ports. -.RE - -.sp -.ne 2 -.na -\fB\fBEscapeChar\fR\fR -.ad -.sp .6 -.RS 4n -Sets the escape character. The default is tilde (\fB~\fR). The escape character -can also be set on the command line. The argument should be a single character, -\fB^\fR, followed by a letter, or \fBnone\fR to disable the escape character -entirely (making the connection transparent for binary data). -.RE - -.sp -.ne 2 -.na -\fB\fBFallBackToRsh\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that if connecting with \fBssh\fR fails due to a connection refused -error (there is no \fBsshd\fR(1M) listening on the remote host), \fBrsh\fR(1) -should automatically be used instead (after a suitable warning about the -session being unencrypted). The argument must be \fByes\fR or \fBno\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBForwardAgent\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether the connection to the authentication agent (if any) is -forwarded to the remote machine. The argument must be \fByes\fR or \fBno\fR. -The default is \fBno\fR. -.sp -Agent forwarding should be enabled with caution. Users with the ability to -bypass file permissions on the remote host (for the agent's Unix-domain socket) -can access the local agent through the forwarded connection. 
An attacker cannot -obtain key material from the agent, however he can perform operations on the -keys that enable him to authenticate using the identities loaded into the -agent. -.RE - -.sp -.ne 2 -.na -\fB\fBForwardX11\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether X11 connections are automatically redirected over the secure -channel and \fBDISPLAY\fR set. The argument must be \fByes\fR or \fBno\fR. The -default is \fBno\fR. -.sp -X11 forwarding should be enabled with caution. Users with the ability to bypass -file permissions on the remote host (for the user's X authorization database) -can access the local \fBX11\fR display through the forwarded connection. An -attacker might then be able to perform activities such as keystroke monitoring. -See the \fBForwardX11Trusted\fR option for more information how to prevent -this. -.RE - -.sp -.ne 2 -.na -\fB\fBForwardX11Trusted\fR\fR -.ad -.sp .6 -.RS 4n -If this option is set to \fByes\fR, remote X11 clients have full access to the -original X11 display. This option is set to \fByes\fR by default. -.sp -If this option is set to \fBno\fR, remote X11 clients are considered untrusted -and prevented from stealing or tampering with data belonging to trusted X11 -clients. Furthermore, the \fBxauth\fR(1) token used for the session is set to -expire after 20 minutes. Remote clients are refused access after this time. -.sp -See the X11 SECURITY extension specification for full details on the -restrictions imposed on untrusted clients. -.RE - -.sp -.ne 2 -.na -\fB\fBGatewayPorts\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether remote hosts are allowed to connect to local forwarded ports. -By default, \fBssh\fR binds local port forwardings to the loopback address. -This prevents other remote hosts from connecting to forwarded ports. -\fBGatewayPorts\fR can be used to specify that \fBssh\fR should bind local port -forwardings to the wildcard address, thus allowing remote hosts to connect to -forwarded ports. 
The argument must be \fByes\fR or \fBno\fR. The default is -\fBno\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBGlobalKnownHostsFile\fR\fR -.ad -.sp .6 -.RS 4n -Specifies a file to use instead of \fB/etc/ssh/ssh_known_hosts\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBGSSAPIAuthentication\fR\fR -.ad -.sp .6 -.RS 4n -Enables/disables GSS-API user authentication. The default is \fByes\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBGSSAPIDelegateCredentials\fR\fR -.ad -.sp .6 -.RS 4n -Enables/disables GSS-API credential forwarding. The default is \fBno\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBGSSAPIKeyExchange\fR\fR -.ad -.sp .6 -.RS 4n -Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR. -.sp -This option is intended primarily to allow users to disable the use of GSS-API -key exchange for SSHv2 when it would otherwise be selected and then fail (due -to server misconfiguration, for example). SSHv2 key exchange failure always -results in disconnection. -.sp -This option also enables the use of the GSS-API to authenticate the user to the -server after the key exchange. GSS-API key exchange can succeed but the -subsequent authentication using the GSS-API fail if the server does not -authorize the user's GSS principal name to the target user account. -.RE - -.sp -.ne 2 -.na -\fB\fBHashKnownHosts\fR\fR -.ad -.sp .6 -.RS 4n -Indicates that \fBssh\fR(1), should hash host names and addresses when they are -added to \fB~/.ssh/known_hosts\fR. These hashed names can be used normally by -\fBssh\fR(1) and \fBsshd\fR(1M), but they do not reveal identifying information -should the file's contents be disclosed. The default is \fBno\fR. Existing -names and addresses in known hosts files are not be converted automatically, -but can be manually hashed using \fBssh-keygen\fR(1). -.RE - -.sp -.ne 2 -.na -\fB\fBHost\fR\fR -.ad -.sp .6 -.RS 4n -Restricts the following declarations (up to the next \fBHost\fR keyword) to be -only for those hosts that match one of the patterns given after the keyword. 
An -asterisk (\fB*\fR) and a question mark (\fB?\fR) can be used as wildcards in -the patterns. A single asterisk as a pattern can be used to provide global -defaults for all hosts. The host is the host name argument given on the command -line (that is, the name is not converted to a canonicalized host name before -matching). -.RE - -.sp -.ne 2 -.na -\fB\fBHostbasedAuthentication\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether to try \fBrhosts\fR-based authentication with public key -authentication. The argument must be \fByes\fR or \fBno\fR. The default is -\fBno\fR. This option applies to protocol version 2 only and is similar to -\fBRhostsRSAAuthentication\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBHostKeyAlgorithms\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the protocol version 2 host key algorithms that the client wants to -use in order of preference. The default for this option is: -\fBssh-rsa,ssh-dss\fR. -.RE - -.sp -.ne 2 -.na -\fB\fBHostKeyAlias\fR\fR -.ad -.sp .6 -.RS 4n -Specifies an alias that should be used instead of the real host name when -looking up or saving the host key in the host key database files. This option -is useful for tunneling \fBssh\fR connections or for multiple servers running -on a single host. -.RE - -.sp -.ne 2 -.na -\fB\fBHostName\fR\fR -.ad -.sp .6 -.RS 4n -Specifies the real host name to log into. This can be used to specify nicknames -or abbreviations for hosts. Default is the name given on the command line. -Numeric IP addresses are also permitted (both on the command line and in -\fBHostName\fR specifications). -.RE - -.sp -.ne 2 -.na -\fB\fBIdentityFile\fR\fR -.ad -.sp .6 -.RS 4n -Specifies a file from which the user's RSA or DSA authentication identity is -read. The default is \fB$HOME/.ssh/identity\fR for protocol version 1 and -\fB$HOME/.ssh/id_rsa\fR and \fB$HOME/.ssh/id_dsa\fR for protocol version 2. -Additionally, any identities represented by the authentication agent is used -for authentication. 
The file name can use the tilde syntax to refer to a user's -home directory. It is possible to have multiple identity files specified in -configuration files; all these identities is tried in sequence. -.RE - -.sp -.ne 2 -.na -\fB\fBIgnoreIfUnknown\fR\fR -.ad -.sp .6 -.RS 4n -Specifies a comma-separated list of \fBssh_config\fR parameters, which, if -unknown to \fBssh\fR(1), are to be ignored by \fBssh\fR. -.sp -This parameter is primarily intended to be used in the per-user -\fBssh_config\fR, \fB~/.ssh/config\fR. While this parameter can also be used in -the system wide \fB/etc/ssh/ssh_config\fR file, it is generally useless as the -capabilities of the \fBssh\fR(1) client on that host should match that file. -.RE - -.sp -.ne 2 -.na -\fB\fBTCPKeepAlive\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether the system should send TCP keepalive messages to the other -side. If they are sent, death of the connection or crash of one of the machines -is properly noticed. However, this means that connections die if the route is -down temporarily, which can be a source of annoyance. -.sp -The default is \fByes\fR (to send keepalives), which means the client notices -if the network goes down or the remote host dies. This is important in scripts, -and many users want it too. To disable keepalives, the value should be set to -\fBno\fR in both the server and the client configuration files. -.RE - -.sp -.ne 2 -.na -\fB\fBLocalForward\fR\fR -.ad -.sp .6 -.RS 4n -Specifies that a TCP/IP port on the local machine be forwarded over the secure -channel to a given \fIhost\fR:\fIport\fR from the remote machine. The first -argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR and the second -must be \fIhost\fR\fB:\fR\fIport\fR. IPv6 addresses can be specified by -enclosing addresses in square brackets or by using an alternative syntax: -\fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR and \fIhost\fR\fB/\fR\fIport\fR. 
-Multiple forwardings can be specified and additional forwardings can be given
-on the command line. Only a user with enough privileges can forward privileged
-ports. By default, the local port is bound in accordance with the
-\fBGatewayPorts\fR setting. However, an explicit \fIbind_address\fR can be used
-to bind the connection to a specific address. The \fIbind_address\fR of
-\fIlocalhost\fR indicates that the listening port be bound for local use only,
-while an empty address or \fB*\fR indicates that the port should be available
-from all interfaces.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLogLevel\fR\fR
-.ad
-.sp .6
-.RS 4n
-Gives the verbosity level that is used when logging messages from \fBssh\fR.
-The possible values are: \fBFATAL\fR, \fBERROR\fR, \fBQUIET\fR, \fBINFO\fR,
-\fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
-default is \fBINFO\fR. \fBDEBUG\fR and \fBDEBUG1\fR are equivalent.
-\fBDEBUG2\fR and \fBDEBUG3\fR each specify higher levels of verbose output.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBMACs\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the MAC (message authentication code) algorithms in order of
-preference. The MAC algorithm is used in protocol version 2 for data integrity
-protection. Multiple algorithms must be comma-separated. The default is
-\fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBNoHostAuthenticationForLocalhost\fR\fR
-.ad
-.sp .6
-.RS 4n
-This option can be used if the home directory is shared across machines. In
-this case \fBlocalhost\fR refers to a different machine on each of the machines
-and the user gets many warnings about changed host keys. However, this option
-disables host authentication for \fBlocalhost\fR. The argument to this keyword
-must be \fByes\fR or \fBno\fR. The default is to check the host key for
-\fBlocalhost\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBNumberOfPasswordPrompts\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the number of attempts before giving up for password and
-keyboard-interactive methods. Attempts for each method are counted separately.
-The argument to this keyword must be an integer. The default is 3.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPasswordAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether to use password authentication. The argument to this keyword
-must be \fByes\fR or \fBno\fR. This option applies to both protocol versions 1
-and 2. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPort\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the port number to connect on the remote host. The default is 22.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPreferredAuthentications\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the order in which the client should try protocol 2 authentication
-methods. This allows a client to prefer one method (for example,
-\fBkeyboard-interactive\fR) over another method (for example, \fBpassword\fR).
-The default for this option is:
-\fBhostbased,publickey,keyboard-interactive,password\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBProtocol\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the protocol versions \fBssh\fR should support in order of
-preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
-be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
-version 2 and falls back to version 1 if version 2 is not available.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBProxyCommand\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the command to use to connect to the server. The command string
-extends to the end of the line, and is executed with \fB/bin/sh\fR. In the
-command string, \fB%h\fR is substituted by the host name to connect and
-\fB%p\fR by the port. The string can be any valid command, and should read from
-its standard input and write to its standard output. It should eventually
-connect an \fBsshd\fR(1M) server running on some machine, or execute \fBsshd\fR
-\fB-i\fR somewhere. Host key management is done using the \fBHostName\fR of the
-host being connected (defaulting to the name typed by the user).
-\fBCheckHostIP\fR is not available for connects with a proxy command.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPubkeyAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether to try public key authentication. The argument to this
-keyword must be \fByes\fR or \fBno\fR. The default is \fByes\fR. This option
-applies to protocol version 2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRekeyLimit\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the maximum amount of data that can be transmitted before the session
-key is renegotiated. The argument is the number of bytes, with an optional
-suffix of \fBK\fR, \fBM\fR, or \fBG\fR to indicate Kilobytes, Megabytes, or
-Gigabytes, respectively. The default is between \fB1G\fR and \fB4G\fR,
-depending on the cipher. This option applies to protocol version 2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRemoteForward\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that a TCP/IP port on the remote machine be forwarded over the secure
-channel to a given \fB\fIhost\fR:\fIport\fR\fR from the local machine. The
-first argument must be \fB[\fR\fIbind_address\fR\fB:]\fR\fIport\fR and the
-second argument must be \fIhost\fR\fB:\fR\fIport\fR. IPv6 addresses can be
-specified by enclosing addresses in square brackets or by using an alternative
-syntax: \fB[\fR\fIbind_address\fR\fB/]\fR\fIport\fR and
-\fIhost\fR\fB/\fR\fIport\fR. You can specify multiple forwardings and give
-additional forwardings on the command line. Only a user with enough privileges
-can forward privileged ports.
-.sp
-If the \fIbind_address\fR is not specified, the default is to only bind to
-loopback addresses. If the \fIbind_address\fR is \fB*\fR or an empty string,
-then the forwarding is requested to listen on all interfaces. Specifying a
-remote \fIbind_address\fR only succeeds if the server's \fBGatewayPorts\fR
-option is enabled. See \fBsshd_config\fR(4).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRhostsAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether to try \fBrhosts\fR-based authentication. This declaration
-affects only the client side and has no effect whatsoever on security.
-Disabling \fBrhosts\fR authentication can reduce authentication time on slow
-connections when \fBrhosts\fR authentication is not used. Most servers do not
-permit \fBRhostsAuthentication\fR because it is not secure (see
-\fBRhostsRSAAuthentication\fR). The argument to this keyword must be \fByes\fR
-or \fBno\fR. This option applies only to the protocol version 1 and requires
-that \fBssh\fR be \fBsetuid\fR root and that \fBUsePrivilegedPort\fR be set to
-\fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRhostsRSAAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether to try \fBrhosts\fR-based authentication with RSA host
-authentication. This is the primary authentication method for most sites. The
-argument must be \fByes\fR or \fBno\fR. This option applies only to the
-protocol version 1 and requires that \fBssh\fR be \fBsetuid\fR root and that
-\fBUsePrivilegedPort\fR be set to \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBServerAliveCountMax\fR\fR
-.ad
-.sp .6
-.RS 4n
-Sets the number of server alive messages which can be sent without \fBssh\fR(1)
-receiving messages back from the server. If this threshold is reached while
-server alive messages are being sent, \fBssh\fR disconnects from the server,
-terminating the session. The use of server alive messages differs from
-\fBTCPKeepAlive\fR. Server alive messages are sent through the encrypted
-channel and are not spoofable. The TCP keep alive option enabled by
-\fBTCPKeepAlive\fR is spoofable. The server alive mechanism is valuable when
-the client or server depend on knowing when a connection has become inactive.
-.sp
-The default value is 3. If, for example, \fBServerAliveInterval\fR is set to 15
-and \fBServerAliveCountMax\fR is left at the default, \fBssh\fR disconnects in
-45-60 seconds if the server becomes unresponsive. This option applies to
-protocol version 2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBServerAliveInterval\fR\fR
-.ad
-.sp .6
-.RS 4n
-Sets a timeout interval in seconds after which if no data has been received
-from the server, \fBssh\fR(1) sends a message through the encrypted channel to
-request a response from the server. The default is 0, indicating that these
-messages are not sent to the server. This option applies to protocol version 2
-only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBStrictHostKeyChecking\fR\fR
-.ad
-.sp .6
-.RS 4n
-If this flag is set to \fByes\fR, \fBssh\fR never automatically adds host keys
-to the \fB$HOME/.ssh/known_hosts\fR file, and refuses to connect hosts whose
-host key has changed. This provides maximum protection against trojan horse
-attacks. However, it can be a source of inconvenience if you do not have good
-\fB/etc/ssh/ssh_known_hosts\fR files installed and frequently connect new
-hosts. This option forces the user to manually add any new hosts. Normally this
-option is disabled, and new hosts are automatically added to the known host
-files. The host keys of known hosts are verified automatically in either case.
-The argument must be \fByes\fR or \fBno\fR or \fBask\fR. The default is
-\fBask\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUseOpenSSLEngine\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBssh\fR should use the OpenSSL PKCS#11 engine for
-offloading cryptographic operations to the Cryptographic Framework.
-Cryptographic operations are accelerated according to the available installed
-plug-ins. When no suitable plug-ins are present this option does not have an
-effect. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUsePrivilegedPort\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether to use a privileged port for outgoing connections. The
-argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR. Setting this
-option to \fBno\fR turns off \fBRhostsAuthentication\fR and
-\fBRhostsRSAAuthentication\fR. If set to \fByes\fR \fBssh\fR must be
-\fBsetuid\fR root. Defaults to \fBno\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUser\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the user to log in as. This can be useful if you have different user
-names on different machines. This saves you the trouble of having to remember
-to enter the user name on the command line.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUserKnownHostsFile\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies a file to use instead of \fB$HOME/.ssh/known_hosts\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUseRsh\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that \fBrlogin\fR or \fBrsh\fR should be used for this host. It is
-possible that the host does not support the \fBssh\fR protocol. This causes
-\fBssh\fR to immediately execute \fBrsh\fR(1). All other options (except
-\fBHostName\fR) are ignored if this has been specified. The argument must be
-\fByes\fR or \fBno\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBXAuthLocation\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the location of the \fBxauth\fR(1) program. The default is
-\fB/usr/openwin/bin/xauth\fR.
-.RE
-
-.SH SEE ALSO
-.LP
-\fBrsh\fR(1), \fBssh\fR(1), \fBssh-http-proxy-connect\fR(1),
-\fBssh-keygen\fR(1), \fBssh-socks5-proxy-connect\fR(1), \fBsshd\fR(1M),
-\fBsshd_config\fR(4), \fBkerberos\fR(5)
-.sp
-.LP
-\fIRFC 4252\fR
diff --git a/usr/src/man/man4/sshd_config.sunssh.4 b/usr/src/man/man4/sshd_config.sunssh.4
deleted file mode 100644
index ef134886a2..0000000000
--- a/usr/src/man/man4/sshd_config.sunssh.4
-+++ /dev/null
@@ -1,1006 +0,0 @@
-'\" te
-.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
-.\" Copyright (c) 2013, Joyent, Inc. All Rights Reserved.
-.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
-.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
-.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH SSHD_CONFIG 4 "Jan 17, 2013"
-.SH NAME
-sshd_config \- sshd configuration file
-.SH SYNOPSIS
-.LP
-.nf
-\fB/etc/ssh/sshd_config\fR
-.fi
-
-.SH DESCRIPTION
-.LP
-The \fBsshd\fR(1M) daemon reads configuration data from
-\fB/etc/ssh/sshd_config\fR (or the file specified with \fBsshd\fR \fB-f\fR on
-the command line). The file contains keyword-value pairs, one per line. A line
-starting with a hash mark (\fB#\fR) and empty lines are interpreted as
-comments.
-.sp
-.LP
-The \fBsshd_config\fR file supports the following keywords. Unless otherwise
-noted, keywords and their arguments are case-insensitive.
-.sp
-.ne 2
-.na
-\fB\fBAllowGroups\fR\fR
-.ad
-.sp .6
-.RS 4n
-This keyword can be followed by a number of group names, separated by spaces.
-If specified, login is allowed only for users whose primary group or
-supplementary group list matches one of the patterns. Asterisk (\fB*\fR) and
-question mark (\fB?\fR) can be used as wildcards in the patterns. Only group
-names are valid; a numerical group ID is not recognized. By default, login is
-allowed regardless of the primary group.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBAllowTcpForwarding\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether TCP forwarding is permitted. The default is \fByes\fR.
-Disabling TCP forwarding does not improve security unless users are also denied
-shell access, as they can always install their own forwarders.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBAllowUsers\fR\fR
-.ad
-.sp .6
-.RS 4n
-This keyword can be followed by a number of user names, separated by spaces. If
-specified, login is allowed only for user names that match one of the patterns.
-Asterisk (\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the
-patterns. Only user names are valid; a numerical user ID is not recognized. By
-default login is allowed regardless of the user name.
-.sp
-If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
-\fIhost\fR are checked separately, restricting logins to particular users from
-particular hosts.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBAuthorizedKeysFile\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the file that contains the public keys that can be used for user
-authentication. \fBAuthorizedKeysFile\fR can contain tokens of the form
-\fB%T\fR, which are substituted during connection set-up. The following tokens
-are defined: \fB%%\fR is replaced by a literal \fB%\fR, \fB%h\fR is replaced by
-the home directory of the user being authenticated and \fB%u\fR is replaced by
-the username of that user. After expansion, \fBAuthorizedKeysFile\fR is taken
-to be an absolute path or one relative to the user's home directory. The
-default is \fB\&.ssh/authorized_keys\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBBanner\fR\fR
-.ad
-.sp .6
-.RS 4n
-In some jurisdictions, sending a warning message before authentication can be
-relevant for getting legal protection. The contents of the specified file are
-sent to the remote user before authentication is allowed. This option is only
-available for protocol version 2. By default, no banner is displayed.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBChrootDirectory\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies a path to \fBchroot\fR(2) to after authentication. This path, and all
-its components, must be root-owned directories that are not writable by any
-other user or group.
-.sp
-The server always tries to change to the user's home directory locally under
-the chrooted environment but a failure to do so is not considered an error. In
-addition, the path might contain the following tokens that are expanded at
-runtime once the connecting user has been authenticated: \fB%%\fR is replaced
-by a literal \fB%\fR, \fB%h\fR is replaced by the home directory of the user
-being authenticated, and \fB%u\fR is replaced by the username of that user.
-.sp
-The \fBChrootDirectory\fR must contain the necessary files and directories to
-support the user's session. For an interactive SSH session this requires at
-least a user's shell, shared libraries needed by the shell, dynamic linker, and
-possibly basic \fB/dev\fR nodes such as \fBnull\fR, \fBzero\fR, \fBstdin\fR,
-\fBstdout\fR, \fBstderr\fR, \fBrandom\fR, and \fBtty\fR. Additionally, terminal
-databases are needed for screen oriented applications. For file transfer
-sessions using \fBsftp\fR with the SSH protocol version 2, no additional
-configuration of the environment is necessary if the in-process \fBsftp\fR
-server is used. See \fBSubsystem\fR for details.
-.sp
-The default is not to \fBchroot\fR(2).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBCiphers\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the ciphers allowed for protocol version 2. Cipher ordering on the
-server side is not relevant. Multiple ciphers must be comma separated.
-.sp
-Valid ciphers are: \fBaes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc,
-aes192-cbc, aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc\fR, and
-\fBblowfish-cbc\fR.
-.sp
-The default cipher list is:
-.sp
-.in +2
-.nf
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,
-arcfour256,arcfour
-.fi
-.in -2
-.sp
-
-Using CBC modes on the server side is not recommended due to potential security
-issues in connection with the SSH protocol version 2.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBClientAliveCountMax\fR\fR
-.ad
-.sp .6
-.RS 4n
-Sets the number of client alive messages, (see \fBClientAliveInterval\fR), that
-can be sent without \fBsshd\fR receiving any messages back from the client. If
-this threshold is reached while client alive messages are being sent,
-\fBsshd\fR disconnects the client, terminating the session. The use of client
-alive messages is very different from \fBTCPKeepAlive\fR. The client alive
-messages are sent through the encrypted channel and therefore are not
-spoofable. The TCP keepalive option enabled by \fBTCPKeepAlive\fR is spoofable.
-The client alive mechanism is valuable when a client or server depend on
-knowing when a connection has become inactive.
-.sp
-The default value is 3. If \fBClientAliveInterval\fR is set to 15, and
-\fBClientAliveCountMax\fR is left at the default, unresponsive \fBssh\fR
-clients are disconnected after approximately 45 seconds.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBClientAliveInterval\fR\fR
-.ad
-.sp .6
-.RS 4n
-Sets a timeout interval in seconds after which, if no data has been received
-from the client, \fBsshd\fR sends a message through the encrypted channel to
-request a response from the client. The default is 0, indicating that these
-messages are not sent to the client. This option applies only to protocol
-version 2.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBCompression\fR\fR
-.ad
-.sp .6
-.RS 4n
-Controls whether the server allows the client to negotiate the use of
-compression. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBDenyGroups\fR\fR
-.ad
-.sp .6
-.RS 4n
-Can be followed by a number of group names, separated by spaces. Users whose
-primary group matches one of the patterns are not allowed to log in. Asterisk
-(\fB*\fR) and question mark (\fB?\fR) can be used as wildcards in the patterns.
-Only group names are valid; a numerical group ID is not recognized. By default,
-login is allowed regardless of the primary group.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBDenyUsers\fR\fR
-.ad
-.sp .6
-.RS 4n
-Can be followed by a number of user names, separated by spaces. Login is
-disallowed for user names that match one of the patterns. Asterisk (\fB*\fR)
-and question mark (\fB?\fR) can be used as wildcards in the patterns. Only user
-names are valid; a numerical user ID is not recognized. By default, login is
-allowed regardless of the user name.
-.sp
-If a specified pattern takes the form \fIuser\fR@\fIhost\fR then \fIuser\fR and
-\fIhost\fR are checked separately, disallowing logins to particular users from
-particular hosts.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBGatewayPorts\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether remote hosts are allowed to connect to ports forwarded for
-the client. By default, \fBsshd\fR binds remote port forwardings to the
-loopback address. This prevents other remote hosts from connecting to forwarded
-ports. \fBGatewayPorts\fR can be used to specify that \fBsshd\fR should bind
-remote port forwardings to the wildcard address, thus allowing remote hosts to
-connect to forwarded ports.
-.sp
-The argument can be \fBno\fR to force remote port forwardings to be available
-to the local host only, \fByes\fR to force remote port forwardings to bind to
-the wildcard address, or \fBclientspecified\fR to allow the client to select
-the address to which the forwarding is bound. The default is \fBno\fR. See also
-\fBRemoteForward\fR in \fBssh_config\fR(4).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBGSSAPIAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Enables/disables GSS-API user authentication. The default is \fByes\fR.
-.sp -Currently \fBsshd\fR authorizes client user principals to user accounts as -follows: if the principal name matches the requested user account, then the -principal is authorized. Otherwise, GSS-API authentication fails. -.RE - -.sp -.ne 2 -.na -\fB\fBGSSAPIKeyExchange\fR\fR -.ad -.sp .6 -.RS 4n -Enables/disables GSS-API-authenticated key exchanges. The default is \fByes\fR. -.sp -This option also enables the use of the GSS-API to authenticate the user to -server after the key exchange. GSS-API key exchange can succeed but the -subsequent authentication using the GSS-API fail if the server does not -authorize the user's GSS principal name to the target user account. -.sp -Currently \fBsshd\fR authorizes client user principals to user accounts as -follows: if the principal name matches the requested user account, then the -principal is authorized. Otherwise, GSS-API authentication fails. -.RE - -.sp -.ne 2 -.na -\fB\fBGSSAPIStoreDelegatedCredentials\fR\fR -.ad -.sp .6 -.RS 4n -Enables/disables the use of delegated GSS-API credentials on the server-side. -The default is \fByes\fR. -.sp -Specifically, this option, when enabled, causes the server to store delegated -GSS-API credentials in the user's default GSS-API credential store (which for -the Kerberos V mechanism means \fB/tmp/krb5cc_\fI<uid>\fR\fR). -.LP -Note - -.sp -.RS 2 -\fBsshd\fR does not take any steps to explicitly destroy stored delegated -GSS-API credentials upon logout. It is the responsibility of PAM modules to -destroy credentials associated with a session. -.RE -.RE - -.sp -.ne 2 -.na -\fB\fBHostbasedAuthentication\fR\fR -.ad -.sp .6 -.RS 4n -Specifies whether to try \fBrhosts\fR-based authentication with public key -authentication. The argument must be \fByes\fR or \fBno\fR. The default is -\fBno\fR. This option applies to protocol version 2 only and is similar to -\fBRhostsRSAAuthentication\fR. See \fBsshd\fR(1M) for guidelines on setting up -host-based authentication. 
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBHostbasedUsesNameFromPacketOnly\fR\fR
-.ad
-.sp .6
-.RS 4n
-Controls which hostname is searched for in the files \fB~/.shosts\fR,
-\fB/etc/shosts.equiv\fR, and \fB/etc/hosts.equiv\fR. If this parameter is set
-to \fByes\fR, the server uses the name the client claimed for itself and signed
-with that host's key. If set to \fBno\fR, the default, the server uses the name
-to which the client's IP address resolves.
-.sp
-Setting this parameter to \fBno\fR disables host-based authentication when
-using NAT or when the client gets to the server indirectly through a
-port-forwarding firewall.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBHostKey\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the file containing the private host key used by SSH. The default is
-\fB/etc/ssh/ssh_host_key\fR for protocol version 1, and
-\fB/etc/ssh/ssh_host_rsa_key\fR and \fB/etc/ssh/ssh_host_dsa_key\fR for
-protocol version 2. \fBsshd\fR refuses to use a file if it is
-group/world-accessible. It is possible to have multiple host key files.
-\fBrsa1\fR keys are used for version 1 and \fBdsa\fR or \fBrsa\fR are used for
-version 2 of the SSH protocol.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBIgnoreRhosts\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies that \fB\&.rhosts\fR and \fB\&.shosts\fR files are not used in
-authentication. \fB/etc/hosts.equiv\fR and \fB/etc/shosts.equiv\fR are still
-used. The default is \fByes\fR. This parameter applies to both protocol
-versions 1 and 2.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBIgnoreUserKnownHosts\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should ignore the user's
-\fB$HOME/.ssh/known_hosts\fR during \fBRhostsRSAAuthentication\fR. The default
-is \fBno\fR. This parameter applies to both protocol versions 1 and 2.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBKbdInteractiveAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether authentication by means of the "keyboard-interactive"
-authentication method (and PAM) is allowed. Defaults to \fByes\fR. (Deprecated:
-this parameter can only be set to \fByes\fR.)
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBTCPKeepAlive\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether the system should send keepalive messages to the other side.
-If they are sent, death of the connection or crash of one of the machines is
-properly noticed. However, this means that connections die if the route is down
-temporarily, which can be an annoyance. On the other hand, if keepalives are
-not sent, sessions can hang indefinitely on the server, leaving ghost users and
-consuming server resources.
-.sp
-The default is \fByes\fR (to send keepalives), and the server notices if the
-network goes down or the client host reboots. This avoids infinitely hanging
-sessions.
-.sp
-To disable keepalives, the value should be set to \fBno\fR in both the server
-and the client configuration files.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBKeyRegenerationInterval\fR\fR
-.ad
-.sp .6
-.RS 4n
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used). The purpose of regeneration is
-to prevent decrypting captured sessions by later breaking into the machine and
-stealing the keys. The key is never stored anywhere. If the value is 0, the key
-is never regenerated. The default is 3600 (seconds).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBListenAddress\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies what local address \fBsshd\fR should listen on. The following forms
-can be used:
-.sp
-.in +2
-.nf
-ListenAddress \fIhost\fR|\fIIPv4_addr\fR|\fIIPv6_addr\fR
-ListenAddress \fIhost\fR|\fIIPv4_addr\fR:\fIport\fR
-ListenAddress [\fIhost\fR|\fIIPv6_addr\fR]:\fIport\fR
-.fi
-.in -2
-
-If \fIport\fR is not specified, \fBsshd\fR listens on the address and all prior
-\fBPort\fR options specified. The default is to listen on all local addresses.
-Multiple \fBListenAddress\fR options are permitted. Additionally, any
-\fBPort\fR options must precede this option for non-port qualified addresses.
-.sp
-The default is to listen on all local addresses. Multiple options of this type
-are permitted. Additionally, the \fBPorts\fR options must precede this option.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLoginGraceTime\fR\fR
-.ad
-.sp .6
-.RS 4n
-The server disconnects after this time (in seconds) if the user has not
-successfully logged in. If the value is 0, there is no time limit. The default
-is 120 (seconds).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLogLevel\fR\fR
-.ad
-.sp .6
-.RS 4n
-Gives the verbosity level that is used when logging messages from \fBsshd\fR.
-The possible values are: \fBQUIET\fR, \fBFATAL\fR, \fBERROR\fR, \fBINFO\fR,
-\fBVERBOSE\fR, \fBDEBUG\fR, \fBDEBUG1\fR, \fBDEBUG2\fR, and \fBDEBUG3\fR. The
-default is \fBINFO\fR. DEBUG2 and DEBUG3 each specify higher levels of
-debugging output. Logging with level \fBDEBUG\fR violates the privacy of users
-and is not recommended.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBLookupClientHostnames\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether or not to lookup the names of client's addresses. Defaults to
-yes.
-.RE
-
-.sp
-.ne 2
-.na
-\fBMACs\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the available MAC (message authentication code) algorithms. The MAC
-algorithm is used in protocol version 2 for data integrity protection. Multiple
-algorithms must be comma-separated. The default is
-\fBhmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBMaxStartups\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the maximum number of concurrent unauthenticated connections to the
-\fBsshd\fR daemon. Additional connections are dropped until authentication
-succeeds or the \fBLoginGraceTime\fR expires for a connection. The default is
-\fB10\fR.
-.sp
-Alternatively, random early drop can be enabled by specifying the three
-colon-separated values \fB\fIstart\fR:\fIrate\fR:\fIfull\fR\fR (for example,
-\fB10:30:60\fR). Referring to this example, \fBsshd\fR refuse connection
-attempts with a probability of \fIrate\fR/100 (30% in our example) if there are
-currently 10 (from the \fIstart\fR field) unauthenticated connections. The
-probability increases linearly and all connection attempts are refused if the
-number of unauthenticated connections reaches \fIfull\fR (60 in our example).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPasswordAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether password authentication is allowed. The default is \fByes\fR.
-This option applies to both protocol versions 1 and 2.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPermitEmptyPasswords\fR\fR
-.ad
-.sp .6
-.RS 4n
-When password or keyboard-interactive authentication is allowed, it specifies
-whether the server allows login to accounts with empty password strings.
-.sp
-If not set then the \fB/etc/default/login\fR \fBPASSREQ\fR value is used
-instead.
-.sp
-\fBPASSREQ=no\fR is equivalent to \fBPermitEmptyPasswords yes\fR.
-\fBPASSREQ=yes\fR is equivalent to \fBPermitEmptyPasswords no\fR. If neither
-\fBPermitEmptyPasswords\fR or \fBPASSREQ\fR are set the default is \fBno\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPermitRootLogin\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether the root can log in using \fBssh\fR(1). The argument must be
-\fByes\fR, \fBwithout-password\fR, \fBforced-commands-only\fR, or \fBno\fR.
-\fBwithout-password\fR means that root cannot be authenticated using the
-"password" or "keyboard-interactive" methods (see description of
-\fBKbdInteractiveAuthentication\fR). \fBforced-commands-only\fR means that
-authentication is allowed only for \fBpublickey\fR (for SSHv2, or RSA, for
-SSHv1) and only if the matching \fBauthorized_keys entry\fR for root has a
-\fBcommand=\fR\fI<cmd>\fR option.
-.sp
-In Solaris, the default \fB/etc/ssh/sshd_config\fR file is shipped with
-\fBPermitRootLogin\fR set to \fBno\fR. If unset by the administrator, then
-\fBCONSOLE\fR parameter from \fB/etc/default/login\fR supplies the default
-value as follows: if the \fBCONSOLE\fR parameter is not commented out (it can
-even be empty, that is, "\fBCONSOLE=\fR"), then \fBwithout-password\fR is used
-as default value. If \fBCONSOLE\fR is commented out, then the default for
-\fBPermitRootLogin\fR is \fByes\fR.
-.sp
-The \fBwithout-password\fR and \fBforced-commands-only\fR settings are useful
-for, for example, performing remote administration and backups using trusted
-public keys for authentication of the remote client, without allowing access to
-the root account using passwords.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPermitUserEnvironment\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether a user's \fB~/.ssh/environment\fR on the server side and
-\fBenvironment\fR options in the \fBAuthorizedKeysFile\fR file are processed by
-\fBsshd\fR. The default is \fBno\fR. Enabling environment processing can enable
-users to bypass access restrictions in some configurations using mechanisms
-such as \fBLD_PRELOAD\fR.
-.sp
-Environment setting from a relevant entry in \fBAuthorizedKeysFile\fR file is
-processed only if the user was authenticated using the public key
-authentication method. Of the two files used, values of variables set in
-\fB~/.ssh/environment\fR are of higher priority.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPidFile\fR\fR
-.ad
-.sp .6
-.RS 4n
-Allows you to specify an alternative to \fB/var/run/sshd.pid\fR, the default
-file for storing the PID of the \fBsshd\fR listening for connections. See
-\fBsshd\fR(1M).
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPort\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the port number that \fBsshd\fR listens on. The default is 22.
-Multiple options of this type are permitted. See also \fBListenAddress\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPrintLastLog\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should display the date and time when the user
-last logged in. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPrintMotd\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should display the contents of \fB/etc/motd\fR
-when a user logs in interactively. (On some systems it is also displayed by the
-shell or a shell startup file, such as \fB/etc/profile\fR.) The default is
-\fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBProtocol\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the protocol versions \fBsshd\fR should support in order of
-preference. The possible values are \fB1\fR and \fB2\fR. Multiple versions must
-be comma-separated. The default is \fB2,1\fR. This means that \fBssh\fR tries
-version 2 and falls back to version 1 if version 2 is not available.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBPubkeyAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether public key authentication is allowed. The default is
-\fByes\fR. This option applies to protocol version 2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRhostsAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether authentication using \fBrhosts\fR or \fB/etc/hosts.equiv\fR
-files is sufficient. Normally, this method should not be permitted because it
-is insecure. \fBRhostsRSAAuthentication\fR should be used instead, because it
-performs RSA-based host authentication in addition to normal \fBrhosts\fR or
-\fB/etc/hosts.equiv\fR authentication. The default is \fBno\fR. This parameter
-applies only to protocol version 1.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRhostsRSAAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBrhosts\fR or \fB/etc/hosts.equiv\fR authentication
-together with successful RSA host authentication is allowed. The default is
-\fBno\fR. This parameter applies only to protocol version 1.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBRSAAuthentication\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether pure RSA authentication is allowed. The default is \fByes\fR.
-This option applies to protocol version 1 only. 
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBServerKeyBits\fR\fR
-.ad
-.sp .6
-.RS 4n
-Defines the number of bits in the ephemeral protocol version 1 server key. The
-minimum value is 512, and the default is 768.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBStrictModes\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should check file modes and ownership of the
-user's files and home directory before accepting login. This is normally
-desirable because novices sometimes accidentally leave their directory or files
-world-writable. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSubsystem\fR\fR
-.ad
-.sp .6
-.RS 4n
-Configures an external subsystem (for example, a file transfer daemon).
-Arguments should be a subsystem name and a command to execute upon subsystem
-request. The command \fBsftp-server\fR(1M) implements the \fBsftp\fR file
-transfer subsystem.
-.sp
-Alternately, the name \fBinternal-sftp\fR implements an in-process \fBsftp\fR
-server. This can simplify configurations using \fBChrootDirectory\fR to force a
-different filesystem root on clients.
-.sp
-By default, no subsystems are defined. This option applies to protocol version
-2 only.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBSyslogFacility\fR\fR
-.ad
-.sp .6
-.RS 4n
-Gives the facility code that is used when logging messages from \fBsshd\fR. The
-possible values are: \fBDAEMON\fR, \fBUSER\fR, \fBAUTH\fR, \fBLOCAL0\fR,
-\fBLOCAL1\fR, \fBLOCAL2\fR, \fBLOCAL3\fR, \fBLOCAL4\fR, \fBLOCAL5\fR,
-\fBLOCAL6\fR, and \fBLOCAL7\fR. The default is \fBAUTH\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBUseOpenSSLEngine\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should use the OpenSSL PKCS#11 engine for
-offloading cryptographic operations to the Cryptographic Framework.
-Cryptographic operations are accelerated according to the available installed
-plug-ins. When no suitable plug-ins are present this option does not have an
-effect. The default is \fByes\fR. 
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBVerifyReverseMapping\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should try to verify the remote host name and
-check that the resolved host name for the remote IP address maps back to the
-very same IP address. (A \fByes\fR setting means "verify".) Setting this
-parameter to \fBno\fR can be useful where DNS servers might be down and thus
-cause \fBsshd\fR to spend much time trying to resolve the client's IP address
-to a name. This feature is useful for Internet-facing servers. The default is
-\fBno\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBX11DisplayOffset\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the first display number available for \fBsshd\fR's X11 forwarding.
-This prevents \fBsshd\fR from interfering with real X11 servers. The default is
-10.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBX11Forwarding\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether X11 forwarding is permitted. The default is \fByes\fR.
-Disabling X11 forwarding does not improve security in any way, as users can
-always install their own forwarders.
-.sp
-When X11 forwarding is enabled, there can be additional exposure to the server
-and to client displays if the \fBsshd\fR proxy display is configured to listen
-on the wildcard address (see \fBX11UseLocalhost\fR). However, this is not the
-default. Additionally, the authentication spoofing and authentication data
-verification and substitution occur on the client side. The security risk of
-using X11 forwarding is that the client's X11 display server can be exposed to
-attack when the \fBssh\fR client requests forwarding (see the warnings for
-\fBForwardX11\fR in \fBssh_config\fR(4)). A system administrator who wants to
-protect clients that expose themselves to attack by unwittingly requesting X11
-forwarding, should specify a \fBno\fR setting.
-.sp
-Disabling X11 forwarding does not prevent users from forwarding X11 traffic, as
-users can always install their own forwarders. 
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBX11UseLocalhost\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies whether \fBsshd\fR should bind the X11 forwarding server to the
-loopback address or to the wildcard address. By default, \fBsshd\fR binds the
-forwarding server to the loopback address and sets the hostname part of the
-\fBDISPLAY\fR environment variable to \fBlocalhost\fR. This prevents remote
-hosts from connecting to the proxy display. However, some older X11 clients
-might not function with this configuration. \fBX11UseLocalhost\fR can be set to
-\fBno\fR to specify that the forwarding server should be bound to the wildcard
-address. The argument must be \fByes\fR or \fBno\fR. The default is \fByes\fR.
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBXAuthLocation\fR\fR
-.ad
-.sp .6
-.RS 4n
-Specifies the location of the \fBxauth\fR(1) program. The default is
-\fB/usr/X11/bin/xauth\fR and \fBsshd\fR attempts to open it when X11 forwarding
-is enabled.
-.RE
-
-.SS "Time Formats"
-.LP
-\fBsshd\fR command-line arguments and configuration file options that specify
-time can be expressed using a sequence of the form:
-\fItime\fR[\fIqualifier\fR,] where \fItime\fR is a positive integer value and
-\fIqualifier\fR is one of the following:
-.sp
-.ne 2
-.na
-\fB\fI<none>\fR\fR
-.ad
-.RS 10n
-seconds
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBs\fR | \fBS\fR\fR
-.ad
-.RS 10n
-seconds
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBm\fR | \fBM\fR\fR
-.ad
-.RS 10n
-minutes
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBh\fR | \fBH\fR\fR
-.ad
-.RS 10n
-hours
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBd\fR | \fBD\fR\fR
-.ad
-.RS 10n
-days
-.RE
-
-.sp
-.ne 2
-.na
-\fB\fBw\fR | \fB\fR\fR
-.ad
-.RS 10n
-weeks
-.RE
-
-.sp
-.LP
-Each element of the sequence is added together to calculate the total time
-value. 
For example: -.sp -.ne 2 -.na -\fB\fB600\fR\fR -.ad -.RS 9n -600 seconds (10 minutes) -.RE - -.sp -.ne 2 -.na -\fB\fB10m\fR\fR -.ad -.RS 9n -10 minutes -.RE - -.sp -.ne 2 -.na -\fB\fB1h30m\fR\fR -.ad -.RS 9n -1 hour, 30 minutes (90 minutes) -.RE - -.SH FILES -.ne 2 -.na -\fB\fB/etc/ssh/sshd_config\fR\fR -.ad -.RS 24n -Contains configuration data for \fBsshd\fR. This file should be writable by -root only, but it is recommended (though not necessary) that it be -world-readable. -.RE - -.SH ATTRIBUTES -.LP -See \fBattributes\fR(5) for descriptions of the following attributes: -.sp - -.sp -.TS -box; -c | c -l | l . -ATTRIBUTE TYPE ATTRIBUTE VALUE -_ -Interface Stability Uncommitted -.TE - -.SH SEE ALSO -.LP -\fBlogin\fR(1), \fBsshd\fR(1M), \fBchroot\fR(2), \fBssh_config\fR(4), -\fBattributes\fR(5), \fBkerberos\fR(5) -.SH AUTHORS -.LP -OpenSSH is a derivative of the original and free \fBssh\fR 1.2.12 release by -Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de -Raadt, and Dug Song removed many bugs, re-added recent features, and created -OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 -and 2.0. Niels Provos and Markus Friedl contributed support for privilege -separation. diff --git a/usr/src/man/man5/filesystem.5 b/usr/src/man/man5/filesystem.5 index a2db375494..5bbe8bc08d 100644 --- a/usr/src/man/man5/filesystem.5 +++ b/usr/src/man/man5/filesystem.5 @@ -19,7 +19,6 @@ filesystem \- File system organization .fi .SH DESCRIPTION -.sp .LP The file system tree is organized for administrative convenience. Distinct areas within the file system tree are provided for files that are private to @@ -75,7 +74,6 @@ In the following file or directory descriptions, GNOME stands for GNU Network Object Model Environment. The GNOME Desktop is shipped with the Solaris operating system. .SS "Root File System" -.sp .LP The root file system contains files that are unique to each machine. It contains the following directories: 
@@ -1891,7 +1889,6 @@ Databases needed for backwards compatibility with \fBNIS\fR and .RE .SS "\fB/usr\fR File System" -.sp .LP Because it is desirable to keep the root file system small and not volatile, on disk-based systems larger file systems are often mounted on \fB/home\fR, @@ -2797,16 +2794,6 @@ present when the Binary Compatibility Package is installed. .sp .ne 2 .na -\fB\fB/usr/lib/ssh\fR\fR -.ad -.sp .6 -.RS 4n -Contains the Secure Shell daemon (\fBsshd\fR) and supporting programs. -.RE - -.sp -.ne 2 -.na \fB\fB/usr/lib/\fIsubsystem\fR\fR\fR .ad .sp .6 @@ -3650,7 +3637,6 @@ Directory for newer versions of POSIX-compliant utilities. .RE .SH SEE ALSO -.sp .LP \fBat\fR(1), \fBex\fR(1), \fBfmli\fR(1), \fBiconv\fR(1), \fBlp\fR(1), \fBisainfo\fR(1), \fBmail\fR(1), \fBmailx\fR(1), \fBnroff\fR(1), |
