Date:      Fri, 10 Mar 2000 08:50:34 +1100
From:      peter.jeremy@alcatel.com.au
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   docs/17292: OpenSSH man pages cleanup
Message-ID:  <00Mar10.085035est.115215@border.alcanet.com.au>


>Number:         17292
>Category:       docs
>Synopsis:       OpenSSH man pages cleanup
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar  9 13:50:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:

	-current with int-cvs 0174

>Description:

	General cleanups in the ssh.1 and sshd.8 man pages to
	improve legibility.

>How-To-Repeat:

	Code inspection.  View output with "man -t | gv" equivalent.

>Fix:

	Following are some patches to fix the following:
- typos
- Add double spaces following full stops to improve typeset output
- mdoc-ification.  (Though I'm uncertain whether option values and
  contents should be .Dq or something else).
- Fix a missed /etc/ssh change
- Expand wording on RandomSeed and behaviour when X11 isn't forwarded.
- Change examples to literal mode.

	In addition, though not included here (for readability reasons),
	both man pages could do with a ",s/ *$//" to delete the
	trailing whitespace.

Index: ssh.1
===================================================================
RCS file: /home/CVSROOT/src/crypto/openssh/ssh.1,v
retrieving revision 1.3
diff -u -r1.3 ssh.1
--- ssh.1	2000/03/08 23:04:59	1.3
+++ ssh.1	2000/03/09 21:21:32
@@ -243,7 +243,7 @@
 Forwarding of arbitrary TCP/IP connections over the secure channel can
 be specified either on command line or in a configuration file.  One
 possible application of TCP/IP forwarding is a secure connection to an
-electronic purse; another is going trough firewalls.
+electronic purse; another is going through firewalls.
 .Pp
 .Nm
 automatically maintains and checks a database containing RSA-based
@@ -266,7 +266,7 @@
 .Sh OPTIONS
 .Bl -tag -width Ds
 .It Fl a
-Disables forwarding of the authentication agent connection. This may
+Disables forwarding of the authentication agent connection.  This may
 also be specified on a per-host basis in the configuration file.
 .It Fl c Ar blowfish|3des
 Selects the cipher to use for encrypting the session. 
@@ -316,7 +316,7 @@
 options (and multiple identities specified in
 configuration files).
 .It Fl k
-Disables forwarding of Kerberos tickets and AFS tokens. This may
+Disables forwarding of Kerberos tickets and AFS tokens.  This may
 also be specified on a per-host basis in the configuration file.
 .It Fl l Ar login_name
 Specifies the user to log in as on the remote machine.  This may also
@@ -475,7 +475,7 @@
 argument given on the command line (i.e., the name is not converted to
 a canonicalized host name before matching).
 .It Cm AFSTokenPassing
-Specifies whether to pass AFS tokens to remote host. The argument to 
+Specifies whether to pass AFS tokens to remote host.  The argument to 
 this keyword must be
 .Dq yes
 or
@@ -494,7 +494,7 @@
 .Dq yes ,
 ssh will additionally check the host ip address in the
 .Pa known_hosts
-file. This allows ssh to detect if a host key changed due to DNS spoofing.
+file.  This allows ssh to detect if a host key changed due to DNS spoofing.
 If the option is set to
 .Dq no ,
 the check will not be executed.
@@ -606,14 +606,14 @@
 .Dq no
 in both the server and the client configuration files.
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used. The argument to 
+Specifies whether Kerberos authentication will be used.  The argument to 
 this keyword must be
 .Dq yes
 or
 .Dq no .
 .It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server. This
-will only work if the Kerberos server is actually an AFS kaserver. The
+Specifies whether a Kerberos TGT will be forwarded to the server.  This
+will only work if the Kerberos server is actually an AFS kaserver.  The
 argument to this keyword must be
 .Dq yes
 or
@@ -632,8 +632,8 @@
 QUIET, FATAL, ERROR, INFO, CHAT and DEBUG.
 The default is INFO.
 .It Cm NumberOfPasswordPrompts
-Specifies the number of password prompts before giving up. The
-argument to this keyword must be an integer. Default is 3.
+Specifies the number of password prompts before giving up.  The
+argument to this keyword must be an integer.  Default is 3.
 .It Cm PasswordAuthentication
 Specifies whether to use password authentication.  The argument to
 this keyword must be
@@ -645,9 +645,14 @@
 22.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.  The command
-string extends to the end of the line, and is executed with /bin/sh.
-In the command string, %h will be substituted by the host name to
-connect and %p by the port.  The command can be basically anything,
+string extends to the end of the line, and is executed with
+.Pa /bin/sh .
+In the command string,
+.Dq %h
+will be substituted by the host name to
+connect and
+.Dq %p
+by the port.  The command can be basically anything,
 and should read from its stdin and write to its stdout.  It should
 eventually connect an
 .Xr sshd 8
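Review bot: ".Dq %h" and ".Dq %p" in the ProxyCommand entry typeset the substitution tokens inside double quotes, which a reader can take to be part of what is typed into the command string. For strings that are entered literally, ".Ql %h" and ".Ql %p" are the closer mdoc fit, and that choice bears on the open question in the description about .Dq for option values.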
@@ -771,7 +776,7 @@
 to point to a value of the form
 .Dq hostname:n
 where hostname indicates
-the host where the shell runs, and n is an integer >= 1.  Ssh uses
+the host where the shell runs, and n is an integer \*(>= 1.  Ssh uses
 this special value to forward X11 connections over the secure
 channel.  The user should normally not set DISPLAY explicitly, as that
 will render the X11 connection insecure (and will require the user to
@@ -924,7 +929,8 @@
 .Xr rsh 1 .
 .It Pa /etc/hosts.equiv
 This file is used during
-.Pa \&.rhosts authentication.  It contains
+.Pa \&.rhosts
+authentication.  It contains
 canonical hosts names, one per line (the full format is described on
 the
 .Xr sshd 8
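Review bot: The /etc/hosts.equiv entry still reads "canonical hosts names" on the context line directly after the corrected .Pa; since this patch is collecting typos, change it to "canonical host names" in the same pass.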
Index: sshd.8
===================================================================
RCS file: /home/CVSROOT/src/crypto/openssh/sshd.8,v
retrieving revision 1.4
diff -u -r1.4 sshd.8
--- sshd.8	2000/03/08 23:04:59	1.4
+++ sshd.8	2000/03/09 21:37:16
@@ -186,7 +186,7 @@
 .Sh CONFIGURATION FILE
 .Nm
 reads configuration data from 
-.Pa /etc/sshd_config
+.Pa /etc/ssh/sshd_config
 (or the file specified with
 .Fl f
 on the command line).  The file
@@ -197,7 +197,7 @@
 The following keywords are possible.
 .Bl -tag -width Ds
 .It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server. Default is
+Specifies whether an AFS token may be forwarded to the server.  Default is
 .Dq yes .
 .It Cm AllowGroups
 This keyword can be followed by a number of group names, separated
@@ -323,18 +323,18 @@
 .Dq no
 in both the server and the client configuration files.
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed. This can
+Specifies whether Kerberos authentication is allowed.  This can
 be in the form of a Kerberos ticket, or if
 .Cm PasswordAuthentication
 is yes, the password provided by the user will be validated through
-the Kerberos KDC. Default is
+the Kerberos KDC.  Default is
 .Dq yes .
 .It Cm KerberosOrLocalPasswd
 If set then if password authentication through Kerberos fails then
 the password will be validated via any additional local mechanism
 such as
 .Pa /etc/passwd
-or SecurID. Default is
+or SecurID.  Default is
 .Dq yes .
 .It Cm KerberosTgtPassing
 Specifies whether a Kerberos TGT may be forwarded to the server.
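Review bot: In the KerberosAuthentication entry, the context line "is yes, the password provided by the user" leaves the option value bare, while every other value in this hunk is written with .Dq. The patch already touches this paragraph for mdoc-ification, so change it to ".Dq yes ," for consistency.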
@@ -343,7 +343,7 @@
 as this only works when the Kerberos KDC is actually an AFS kaserver.
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
-file on logout. Default is
+file on logout.  Default is
 .Dq yes .
 .It Cm KeyRegenerationInterval
 The server key is automatically regenerated after this many seconds
@@ -418,19 +418,25 @@
 or equivalent.)  The default is
 .Dq yes .
 .It Cm RandomSeed
-Obsolete.  Random number generation uses other techniques.
+Obsolete - accepted and ignored with a warning.
+Random number generation uses other techniques.
 .It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
+Specifies whether authentication using rhosts or
+.Pa /etc/hosts.equiv
 files is sufficient.  Normally, this method should not be permitted
 because it is insecure. 
 .Cm RhostsRSAAuthentication
 should be used
 instead, because it performs RSA-based host authentication in addition
-to normal rhosts or /etc/hosts.equiv authentication.
+to normal rhosts or
+.Pa /etc/hosts.equiv
+authentication.
 The default is
 .Dq no .
 .It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
 with successful RSA host authentication is allowed.  The default is
 .Dq no .
 .It Cm RSAAuthentication
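Review bot: In the RhostsAuthentication and RhostsRSAAuthentication entries, /etc/hosts.equiv now gets .Pa but the "rhosts" next to it stays bare, while the ssh.1 part of this patch writes ".Pa \&.rhosts" for the same file. Mark up both names or neither so the pair reads consistently. In the RandomSeed entry, "Obsolete - accepted" uses a plain hyphen where the typeset output wants a dash such as \(em.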
@@ -444,7 +450,7 @@
 .Xr skey 1 
 authentication is allowed.  The default is
 .Dq yes .
-Note that s/key authentication is enabled only if
+Note that S/Key authentication is enabled only if
 .Cm PasswordAuthentication
 is allowed, too.
 .It Cm StrictModes
@@ -463,7 +469,7 @@
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
-is used. The default is
+is used.  The default is
 .Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
@@ -516,10 +522,12 @@
 exists, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
-it; otherwise runs xauth.  The
+it; otherwise runs
+.Xr xauth 1 .
+The
 .Dq rc
 files are given the X11
-authentication protocol and cookie in standard input.
+authentication protocol and cookie (if applicable) in standard input.
 .It
 Runs user's shell or command.
 .El
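Review bot: "cookie (if applicable)" in the rc-file step does not say what the rc file receives on standard input when X11 is not being forwarded, which is the case the description says this wording is meant to cover. State that case explicitly so that authors of rc scripts know what their read has to cope with.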
@@ -593,11 +601,11 @@
 Prevents tty allocation (a request to allocate a pty will fail).
 .El
 .Ss Examples
-1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
-.Pp
-from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
-.Pp
-command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
+.Bd -literal
+1024 33 12121...312314325 ylo@foo.bar
+from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
+command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
+.Ed
 .Sh SSH_KNOWN_HOSTS FILE FORMAT
 The 
 .Pa /etc/ssh/ssh_known_hosts
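Review bot: The ".Bd -literal" added around the authorized_keys examples has no "-offset indent", whereas the $HOME/.ssh/rc example added later in this patch uses ".Bd -literal -offset indent". Use one form for all the example displays so they line up the same way in the typeset output.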
@@ -645,7 +653,9 @@
 .Pa /etc/ssh/ssh_host_key.pub
 and adding the host names at the front.
 .Ss Examples
-closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
+.Bd -literal
+closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
+.Ed
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config
@@ -687,7 +697,7 @@
 listed in one of these files to be accepted.
 The client uses the same files
 to verify that the remote host is the one we intended to
-connect. These files should be writable only by root/the owner.
+connect.  These files should be writable only by root/the owner.
 .Pa /etc/ssh/ssh_known_hosts
 should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
@@ -698,7 +708,7 @@
 refuses to let anyone except root log in.  The contents of the file
 are displayed to anyone trying to log in, and non-root connections are
 refused.  The file should be world-readable.
-.It Pa /etc/hosts.allow, /etc/hosts.deny
+.It Pa /etc/hosts.allow , /etc/hosts.deny
 If compiled with
 .Sy LIBWRAP
 support, tcp-wrappers access controls may be defined here as described in
@@ -720,7 +730,7 @@
 .Pa .rhosts .
 However, this file is
 not used by rlogin and rshd, so using this permits access using SSH only.
-.Pa /etc/hosts.equiv
+.It Pa /etc/hosts.equiv
 This file is used during
 .Pa .rhosts
 authentication.  In the
@@ -762,7 +772,9 @@
 and assignment lines of the form name=value.  The file should be writable
 only by the user; it need not be readable by anyone else.
 .It Pa $HOME/.ssh/rc
-If this file exists, it is run with /bin/sh after reading the
+If this file exists, it is run with
+.Pa /bin/sh
+after reading the
 environment files but before starting the user's shell or command.  If
 X11 spoofing is in use, this will receive the "proto cookie" pair in
 standard input (and
@@ -776,13 +788,19 @@
 accessible; AFS is a particular example of such an environment.
 .Pp
 This file will probably contain some initialization code followed by
-something similar to: "if read proto cookie; then echo add $DISPLAY
-$proto $cookie | xauth -q -; fi".
+something similar to:
+.Bd -literal -offset indent
+if [ -n "$DISPLAY" ] && read proto cookie; then
+    echo add $DISPLAY $proto $cookie | xauth -q -
+fi
+.Ed
 .Pp
 If this file does not exist,
 .Pa /etc/ssh/sshrc
 is run, and if that
-does not exist either, xauth is used to store the cookie.
+does not exist either,
+.Xr xauth 1
+is used to store the cookie.
 .Pp
 This file should be writable only by the user, and need not be
 readable by anyone else.
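Review bot: In the new literal example for $HOME/.ssh/rc, the expansions in "echo add $DISPLAY $proto $cookie" are unquoted, so the values read from standard input go through word splitting and pathname expansion before they reach xauth. Readers will copy this display verbatim into their rc files, so write the line as: echo "add $DISPLAY $proto $cookie" | xauth -q -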

>Release-Note:
>Audit-Trail:
>Unformatted:

