Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 69 |
1 files changed, 42 insertions, 27 deletions
@@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.312 2020/01/25 06:03:10 djm Exp $ -.Dd $Mdocdate: January 25 2020 $ +.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $ +.Dd $Mdocdate: September 10 2021 $ .Dt SSHD 8 .Os .Sh NAME @@ -58,8 +58,7 @@ .Nm (OpenSSH Daemon) is the daemon program for .Xr ssh 1 . -Together these programs replace rlogin and rsh, -and provide secure encrypted communications between two untrusted hosts +It provides secure encrypted communications between two untrusted hosts over an insecure network. .Pp .Nm @@ -107,7 +106,7 @@ supplied in any order, either with multiple .Fl C options or as a comma-separated list. The keywords are -.Dq addr, +.Dq addr , .Dq user , .Dq host , .Dq laddr , @@ -135,7 +134,9 @@ This allows easy monitoring of Debug mode. The server sends verbose debug output to standard error, and does not put itself in the background. -The server also will not fork and will only process one connection. +The server also will not +.Xr fork 2 +and will only process one connection. This option is only intended for debugging for the server. Multiple .Fl d @@ -302,7 +303,12 @@ things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP connections, or forwarding the authentication agent connection over the secure channel. .Pp -After this, the client either requests a shell or execution of a command. +After this, the client either requests an interactive shell or execution +or a non-interactive command, which +.Nm +will execute via the user's shell using its +.Fl c +option. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or 
@@ -355,7 +361,8 @@ exists and the option is set, runs it; else if .Pa /etc/ssh/sshrc exists, runs -it; otherwise runs xauth. +it; otherwise runs +.Xr xauth 1 . The .Dq rc files are given the X11 @@ -631,6 +638,13 @@ This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . +.It Cm verify-required +Require that signatures made using this key attest that they verified +the user, e.g. via a PIN. +This option only makes sense for the FIDO authenticator algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . .It Cm restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation 
@@ -658,24 +672,25 @@ option. .Pp An example authorized_keys file: .Bd -literal -offset 3n -# Comments allowed at start of line -ssh-rsa AAAAB3Nza...LiPk== user@example.net -from="*.sales.example.net,!pc.sales.example.net" ssh-rsa -AAAAB2...19Q== john@example.net -command="dump /home",no-pty,no-port-forwarding ssh-rsa -AAAAC3...51R== example.net -permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa -AAAAB5...21S== -permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa -AAAAB5...21S== -tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== -jane@example.net -restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== -user@example.net -restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== -user@example.net -no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko== -user@example.net +# Comments are allowed at start of line. Blank lines are allowed. +# Plain key, no restrictions +ssh-rsa ... +# Forced command, disable PTY and all forwarding +restrict,command="dump /home" ssh-rsa ... +# Restriction of ssh -L forwarding destinations +permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ... +# Restriction of ssh -R forwarding listeners +permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ... +# Configuration for tunnel forwarding +tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ... +# Override of restriction to allow PTY allocation +restrict,pty,command="nethack" ssh-rsa ... +# Allow FIDO key without requiring touch +no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ... +# Require user-verification (e.g. PIN or biometric) for FIDO key +verify-required sk-ecdsa-sha2-nistp256@openssh.com ... +# Trust CA key, allow touch-less FIDO if requested in certificate +cert-authority,no-touch-required,principals="user_a" ssh-rsa ... .Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The 
@@ -688,7 +703,7 @@ be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects to an unknown host, its key is added to the per-user file. .Pp -Each line in these files contains the following fields: markers (optional), +Each line in these files contains the following fields: marker (optional), hostnames, keytype, base64-encoded key, comment. The fields are separated by spaces. .Pp |
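Review bot: the rewritten sentence in the -302,7 hunk does not parse: "requests an interactive shell or execution or a non-interactive command" lists three alternatives, and the second "or" should be "of", i.e. "either requests an interactive shell or execution of a non-interactive command, which .Nm will execute via the user's shell using its .Fl c option."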
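Review bot: the new verify-required entry in the -631,6 hunk repeats the "only makes sense for the FIDO authenticator algorithms" sentence verbatim from the preceding entry but never states what happens to a signature that does not carry the user-verification flag; a sentence making "Require" explicit (that such signatures are rejected) would close that gap, and a cross-reference to the touch-related option would help, since the example hunk below combines the two.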
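Review bot: the -658,24 hunk drops the only example of a source-address restriction, the old from="*.sales.example.net,!pc.sales.example.net" line, including its negated-pattern form; since from= is one of the most common hardening options in authorized_keys, keep a line for it in the new commented example, e.g. "# Restrict key to a source address pattern" followed by from="*.sales.example.net,!pc.sales.example.net" ssh-rsa ... . Separately, the comment "# Forced command, disable PTY and all forwarding" understates restrict, which the -631 hunk's own text describes as "Enable all restrictions"; saying so in the comment avoids readers equating restrict with the old no-pty,no-port-forwarding pair it replaces.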