From owner-freebsd-doc Thu Mar 9 13:50:12 2000 Delivered-To: freebsd-doc@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9B86B37B873 for ; Thu, 9 Mar 2000 13:50:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id NAA60947; Thu, 9 Mar 2000 13:50:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from alcanet.com.au (mail.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 3F84337B86D for ; Thu, 9 Mar 2000 13:49:45 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <115215>; Fri, 10 Mar 2000 08:50:35 +1100 Message-Id: <00Mar10.085035est.115215@border.alcanet.com.au> Date: Fri, 10 Mar 2000 08:50:34 +1100 
From: peter.jeremy@alcatel.com.au To: FreeBSD-gnats-submit@FreeBSD.ORG X-Send-Pr-Version: 3.2 Subject: docs/17292: OpenSSH man pages cleanup Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 17292 >Category: docs >Synopsis: OpenSSH man pages cleanup >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Thu Mar 9 13:50:00 PST 2000 >Closed-Date: >Last-Modified: >Originator: Peter Jeremy >Release: FreeBSD 4.0-CURRENT i386 >Organization: Alcatel Australia Limited >Environment: -current with int-cvs 0174 >Description: General cleanups in the ssh.1 and sshd.8 man pages to improve legibility. >How-To-Repeat: Code inspection. View output with "man -t | gv" equivalent. >Fix: Following are some patches to fix the following: - typos - Add double spaces following full stops to improve typeset output - mdoc-ification. (Though I'm uncertain whether option values and contents should be .Dq or something else). - Fix a missed /etc/ssh change - Expand wording on RandomSeed and behaviour when X11 isn't forwarded. - Change examples to literal mode. In addition, though not included here (for readability reasons), both man pages could do with a ",s/ *$//" to delete the trailing whitespace. Index: ssh.1 =================================================================== RCS file: /home/CVSROOT/src/crypto/openssh/ssh.1,v retrieving revision 1.3 diff -u -r1.3 ssh.1 --- ssh.1 2000/03/08 23:04:59 1.3 +++ ssh.1 2000/03/09 21:21:32 
@@ -243,7 +243,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an -electronic purse; another is going trough firewalls. +electronic purse; another is going through firewalls. .Pp .Nm automatically maintains and checks a database containing RSA-based @@ -266,7 +266,7 @@ .Sh OPTIONS .Bl -tag -width Ds .It Fl a -Disables forwarding of the authentication agent connection. This may +Disables forwarding of the authentication agent connection. This may also be specified on a per-host basis in the configuration file. .It Fl c Ar blowfish|3des Selects the cipher to use for encrypting the session. @@ -316,7 +316,7 @@ options (and multiple identities specified in configuration files). .It Fl k -Disables forwarding of Kerberos tickets and AFS tokens. This may +Disables forwarding of Kerberos tickets and AFS tokens. This may also be specified on a per-host basis in the configuration file. .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This may also @@ -475,7 +475,7 @@ argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching). .It Cm AFSTokenPassing -Specifies whether to pass AFS tokens to remote host. The argument to +Specifies whether to pass AFS tokens to remote host. The argument to this keyword must be .Dq yes or @@ -494,7 +494,7 @@ .Dq yes , ssh will additionally check the host ip address in the .Pa known_hosts -file. This allows ssh to detect if a host key changed due to DNS spoofing. +file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to .Dq no , the check will not be executed. 
@@ -606,14 +606,14 @@ .Dq no in both the server and the client configuration files. .It Cm KerberosAuthentication -Specifies whether Kerberos authentication will be used. The argument to +Specifies whether Kerberos authentication will be used. The argument to this keyword must be .Dq yes or .Dq no . .It Cm KerberosTgtPassing -Specifies whether a Kerberos TGT will be forwarded to the server. This -will only work if the Kerberos server is actually an AFS kaserver. The +Specifies whether a Kerberos TGT will be forwarded to the server. This +will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be .Dq yes or @@ -632,8 +632,8 @@ QUIET, FATAL, ERROR, INFO, CHAT and DEBUG. The default is INFO. .It Cm NumberOfPasswordPrompts -Specifies the number of password prompts before giving up. The -argument to this keyword must be an integer. Default is 3. +Specifies the number of password prompts before giving up. The +argument to this keyword must be an integer. Default is 3. .It Cm PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be @@ -645,9 +645,14 @@ 22. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command -string extends to the end of the line, and is executed with /bin/sh. -In the command string, %h will be substituted by the host name to -connect and %p by the port. The command can be basically anything, +string extends to the end of the line, and is executed with +.Pa /bin/sh . +In the command string, +.Dq %h +will be substituted by the host name to +connect and +.Dq %p +by the port. The command can be basically anything, and should read from its stdin and write to its stdout. It should eventually connect an .Xr sshd 8 
@@ -771,7 +776,7 @@ to point to a value of the form .Dq hostname:n where hostname indicates -the host where the shell runs, and n is an integer >= 1. Ssh uses +the host where the shell runs, and n is an integer \*(>= 1. Ssh uses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 connection insecure (and will require the user to @@ -924,7 +929,8 @@ .Xr rsh 1 . .It Pa /etc/hosts.equiv This file is used during -.Pa \&.rhosts authentication. It contains +.Pa \&.rhosts +authentication. It contains canonical hosts names, one per line (the full format is described on the .Xr sshd 8 Index: sshd.8 =================================================================== RCS file: /home/CVSROOT/src/crypto/openssh/sshd.8,v retrieving revision 1.4 diff -u -r1.4 sshd.8 --- sshd.8 2000/03/08 23:04:59 1.4 +++ sshd.8 2000/03/09 21:37:16 @@ -186,7 +186,7 @@ .Sh CONFIGURATION FILE .Nm reads configuration data from -.Pa /etc/sshd_config +.Pa /etc/ssh/sshd_config (or the file specified with .Fl f on the command line). The file @@ -197,7 +197,7 @@ The following keywords are possible. .Bl -tag -width Ds .It Cm AFSTokenPassing -Specifies whether an AFS token may be forwarded to the server. Default is +Specifies whether an AFS token may be forwarded to the server. Default is .Dq yes . .It Cm AllowGroups This keyword can be followed by a number of group names, separated 
@@ -323,18 +323,18 @@ .Dq no in both the server and the client configuration files. .It Cm KerberosAuthentication -Specifies whether Kerberos authentication is allowed. This can +Specifies whether Kerberos authentication is allowed. This can be in the form of a Kerberos ticket, or if .Cm PasswordAuthentication is yes, the password provided by the user will be validated through -the Kerberos KDC. Default is +the Kerberos KDC. Default is .Dq yes . .It Cm KerberosOrLocalPasswd If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as .Pa /etc/passwd -or SecurID. Default is +or SecurID. Default is .Dq yes . .It Cm KerberosTgtPassing Specifies whether a Kerberos TGT may be forwarded to the server. @@ -343,7 +343,7 @@ as this only works when the Kerberos KDC is actually an AFS kaserver. .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache -file on logout. Default is +file on logout. Default is .Dq yes . .It Cm KeyRegenerationInterval The server key is automatically regenerated after this many seconds 
@@ -418,19 +418,25 @@ or equivalent.) The default is .Dq yes . .It Cm RandomSeed -Obsolete. Random number generation uses other techniques. +Obsolete - accepted and ignored with a warning. +Random number generation uses other techniques. .It Cm RhostsAuthentication -Specifies whether authentication using rhosts or /etc/hosts.equiv +Specifies whether authentication using rhosts or +.Pa /etc/hosts.equiv files is sufficient. Normally, this method should not be permitted because it is insecure. .Cm RhostsRSAAuthentication should be used instead, because it performs RSA-based host authentication in addition -to normal rhosts or /etc/hosts.equiv authentication. +to normal rhosts or +.Pa /etc/hosts.equiv +authentication. The default is .Dq no . .It Cm RhostsRSAAuthentication -Specifies whether rhosts or /etc/hosts.equiv authentication together +Specifies whether rhosts or +.Pa /etc/hosts.equiv +authentication together with successful RSA host authentication is allowed. The default is .Dq no . .It Cm RSAAuthentication @@ -444,7 +450,7 @@ .Xr skey 1 authentication is allowed. The default is .Dq yes . -Note that s/key authentication is enabled only if +Note that S/Key authentication is enabled only if .Cm PasswordAuthentication is allowed, too. .It Cm StrictModes @@ -463,7 +469,7 @@ .It Cm UseLogin Specifies whether .Xr login 1 -is used. The default is +is used. The default is .Dq no . .It Cm X11DisplayOffset Specifies the first display number available for @@ -516,10 +522,12 @@ exists, runs it; else if .Pa /etc/ssh/sshrc exists, runs -it; otherwise runs xauth. The +it; otherwise runs +.Xr xauth 1 . +The .Dq rc files are given the X11 -authentication protocol and cookie in standard input. +authentication protocol and cookie (if applicable) in standard input. .It Runs user's shell or command. .El 
@@ -593,11 +601,11 @@ Prevents tty allocation (a request to allocate a pty will fail). .El .Ss Examples -1024 33 12121.\|.\|.\|312314325 ylo@foo.bar -.Pp -from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula -.Pp -command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi +.Bd -literal +1024 33 12121...312314325 ylo@foo.bar +from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula +command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi +.Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts @@ -645,7 +653,9 @@ .Pa /etc/ssh/ssh_host_key.pub and adding the host names at the front. .Ss Examples -closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi +.Bd -literal +closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi +.Ed .Sh FILES .Bl -tag -width Ds .It Pa /etc/ssh/sshd_config @@ -687,7 +697,7 @@ listed in one of these files to be accepted. The client uses the same files to verify that the remote host is the one we intended to -connect. These files should be writable only by root/the owner. +connect. These files should be writable only by root/the owner. .Pa /etc/ssh/ssh_known_hosts should be world-readable, and .Pa $HOME/.ssh/known_hosts @@ -698,7 +708,7 @@ refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable. -.It Pa /etc/hosts.allow, /etc/hosts.deny +.It Pa /etc/hosts.allow , /etc/hosts.deny If compiled with .Sy LIBWRAP support, tcp-wrappers access controls may be defined here as described in @@ -720,7 +730,7 @@ .Pa .rhosts . However, this file is not used by rlogin and rshd, so using this permits access using SSH only. -.Pa /etc/hosts.equiv +.It Pa /etc/hosts.equiv This file is used during .Pa .rhosts authentication. In the 
@@ -762,7 +772,9 @@ and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. .It Pa $HOME/.ssh/rc -If this file exists, it is run with /bin/sh after reading the +If this file exists, it is run with +.Pa /bin/sh +after reading the environment files but before starting the user's shell or command. If X11 spoofing is in use, this will receive the "proto cookie" pair in standard input (and @@ -776,13 +788,19 @@ accessible; AFS is a particular example of such an environment. .Pp This file will probably contain some initialization code followed by -something similar to: "if read proto cookie; then echo add $DISPLAY -$proto $cookie | xauth -q -; fi". +something similar to: +.Bd -literal -offset indent +if [ -n "$DISPLAY" ] && read proto cookie; then + echo add $DISPLAY $proto $cookie | xauth -q - +fi +.Ed .Pp If this file does not exist, .Pa /etc/ssh/sshrc is run, and if that -does not exist either, xauth is used to store the cookie. +does not exist either, +.Xr xauth 1 +is used to store the cookie. .Pp This file should be writable only by the user, and need not be readable by anyone else. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
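Review bot: the ".Dq %h" and ".Dq %p" markup in the ProxyCommand hunk of ssh.1 wraps literal tokens that the user types into the configuration file in typographic double quotes, which can read as if the quotes were part of the value; mdoc's ".Ql" (or ".Li") is the macro for literal text and would be the safer choice here. The submitter already flags uncertainty about .Dq for option values, so whichever macro is picked should then be used consistently for the "%h"/"%p" substitution tokens in both pages.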
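Review bot: the "/etc/sshd_config" to "/etc/ssh/sshd_config" change in the CONFIGURATION FILE hunk of sshd.8 is correct and matches the ".It Pa /etc/ssh/sshd_config" entry already visible in the FILES section, but it is the only path fix in the patch; before committing, a grep of both pages for "/etc/" paths outside "/etc/ssh/" would confirm nothing else was missed (the "/etc/hosts.equiv", "/etc/passwd" and "/etc/hosts.allow" references visible in the surrounding hunks are legitimately outside that directory).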
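Review bot: the replacement line "Obsolete - accepted and ignored with a warning." in the RandomSeed hunk of sshd.8 documents a specific runtime behaviour (a warning is emitted) that should be verified against the option parser before it goes into the man page, since the rest of the patch is purely typographic and a committer may not check it. Stylistically, mdoc does not turn a bare hyphen into a dash, so write it as "Obsolete; accepted and ignored with a warning." or as two sentences.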
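Review bot: "(if applicable)" in the xauth hunk of sshd.8 ("authentication protocol and cookie (if applicable) in standard input.") does not say when it is not applicable; state the condition explicitly, e.g. "(when X11 forwarding is in use)", so that it matches the later $HOME/.ssh/rc hunk, which spells out "If X11 spoofing is in use", and so that authors of rc scripts know standard input may be empty and must not assume a cookie is present.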
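Review bot: the ".Bd -literal" display introduced in the authorized_keys Examples hunk of sshd.8 (and the matching one in the ssh_known_hosts Examples hunk) has no "-offset indent", while the ".Bd -literal -offset indent" display added later for $HOME/.ssh/rc does; pick one form for all three so the examples render alike. Since literal mode does not fill or wrap, the example key lines also need to stay within 80 columns, which they currently do only just.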
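Review bot: the change from ".Pa /etc/hosts.equiv" to ".It Pa /etc/hosts.equiv" in the FILES hunk of sshd.8 is a structural fix, not a typo fix: without the ".It" the hosts.equiv entry would have rendered as a continuation of the preceding $HOME/.shosts item. It deserves its own line in the PR description (the listed categories are typos, spacing, mdoc-ification, the /etc/ssh path, RandomSeed/X11 wording and literal examples) so the committer understands why the list item count changes.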
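Review bot: the shell example in the $HOME/.ssh/rc hunk of sshd.8 changes the documented snippet's behaviour rather than only its typesetting: the new guard "if [ -n "$DISPLAY" ] && read proto cookie; then" skips the read when no display is forwarded, whereas the removed text had "if read proto cookie; then" alone. That is a sensible change and consistent with the "(if applicable)" hunk, but it should be called out in the PR description. Within the snippet, quote the expansions in the "echo add $DISPLAY $proto $cookie | xauth -q -" line (i.e. "$DISPLAY" "$proto" "$cookie"), since the values come from standard input and the example should not teach unquoted word splitting of externally supplied data.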