| Field | Value | Date |
|---|---|---|
| author | Damien Miller <djm@mindrot.org> | 2006-01-02 13:38:00 +0100 |
| committer | Damien Miller <djm@mindrot.org> | 2006-01-02 13:38:00 +0100 |
| commit | 48c94abf5b4d262ce4572c5b26d0ffdff8d25a87 | |
| tree | f8e75c5676aef26aeb5fafc0fbd9675ef26c2658 /ssh.1 | |
| parent | - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support | |
| download | openssh-48c94abf5b4d262ce4572c5b26d0ffdff8d25a87.tar.xz, openssh-48c94abf5b4d262ce4572c5b26d0ffdff8d25a87.zip | |
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2005/12/31 10:46:17
[ssh.1]
merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
AUTHENTICATION" sections into "AUTHENTICATION";
some rewording done to make the text read better, plus some
improvements from djm;
ok djm
Diffstat (limited to '')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | ssh.1 | 63 |

1 file changed, 31 insertions, 32 deletions
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.231 2005/12/31 01:38:45 stevesk Exp $ +.\" $OpenBSD: ssh.1,v 1.232 2005/12/31 10:46:17 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -788,7 +788,36 @@ prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. -.Sh LOGIN SESSION AND REMOTE EXECUTION +.Pp +.Nm +automatically maintains and checks a database containing +identification for all hosts it has ever been used with. +Host keys are stored in +.Pa ~/.ssh/known_hosts +in the user's home directory. +Additionally, the file +.Pa /etc/ssh/ssh_known_hosts +is automatically checked for known hosts. +Any new hosts are automatically added to the user's file. +If a host's identification ever changes, +.Nm +warns about this and disables password authentication to prevent +server spoofing or man-in-the-middle attacks, +which could otherwise be used to circumvent the encryption. +The +.Cm StrictHostKeyChecking +option can be used to control logins to machines whose +host key is not known or has changed. +.Pp +.Nm +can be configured to verify host identification using fingerprint resource +records (SSHFP) published in DNS. +The +.Cm VerifyHostKeyDNS +option can be used to control how DNS lookups are performed. +SSHFP resource records can be generated using +.Xr ssh-keygen 1 . +.Pp When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. 
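Review bot: in the first hunk (@@ -34) the `.Dd September 25, 1999` line shown in context is left as is while the RCS id is bumped to 1.232 and the page's section layout changes; when a manual page is reorganized, the .Dd date should be bumped in the same commit so the rendered page reflects when its text last changed.

Review bot: in the second hunk (@@ -788) the rewritten rationale, "disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption", now reads as though disabling password authentication is what prevents the spoofing. The wording being removed elsewhere in this patch made the cause and effect explicit: once a key mismatch is detected, password authentication is disabled so that a spoofed or intercepted server cannot capture the user's password. Suggest keeping that link, e.g. "warns about this and disables password authentication so that a spoofed or intercepted server cannot obtain the user's password". The change from "prevent logins" to "control logins" for `StrictHostKeyChecking` is fine, since the option decides whether the connection proceeds at all, but "controls whether logins proceed to machines whose host key is not known or has changed" would be less vague.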
@@ -924,36 +953,6 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. -.Sh SERVER AUTHENTICATION -.Nm -automatically maintains and checks a database containing -identifications for all hosts it has ever been used with. -Host keys are stored in -.Pa ~/.ssh/known_hosts -in the user's home directory. -Additionally, the file -.Pa /etc/ssh/ssh_known_hosts -is automatically checked for known hosts. -Any new hosts are automatically added to the user's file. -If a host's identification ever changes, -.Nm -warns about this and disables password authentication to prevent a -trojan horse from getting the user's password. -Another purpose of this mechanism is to prevent man-in-the-middle attacks -which could otherwise be used to circumvent the encryption. -The -.Cm StrictHostKeyChecking -option can be used to prevent logins to machines whose -host key is not known or has changed. -.Pp -.Nm -can be configured to verify host identification using fingerprint resource -records (SSHFP) published in DNS. -The -.Cm VerifyHostKeyDNS -option can be used to control how DNS lookups are performed. -SSHFP resource records can be generated using -.Xr ssh-keygen 1 . .Sh ENVIRONMENT .Nm will normally set the following environment variables: |
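Review bot: in the third hunk (@@ -924) the removed SERVER AUTHENTICATION block matches the text re-added under AUTHENTICATION in the previous hunk except for one sentence, "to prevent a trojan horse from getting the user's password", which has no counterpart in the new location; confirm that drop is intentional, since it was the one place the page said what the password-authentication lockout protects. Line counts are consistent with the diffstat (31 insertions, 32 deletions), and after the removal the ENVIRONMENT section follows the TCP/IP forwarding paragraph directly, which reads cleanly.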