19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
94 lines
2.9 KiB
Groff
94 lines
2.9 KiB
Groff
.\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $
|
|
.\"
|
|
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd $Mdocdate: November 30 2019 $
|
|
.Dt SSH-KEYSIGN 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ssh-keysign
|
|
.Nd OpenSSH helper for host-based authentication
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is used by
|
|
.Xr ssh 1
|
|
to access the local host keys and generate the digital signature
|
|
required during host-based authentication.
|
|
.Pp
|
|
.Nm
|
|
is disabled by default and can only be enabled in the
|
|
global client configuration file
|
|
.Pa /etc/ssh/ssh_config
|
|
by setting
|
|
.Cm EnableSSHKeysign
|
|
to
|
|
.Dq yes .
|
|
.Pp
|
|
.Nm
|
|
is not intended to be invoked by the user, but from
|
|
.Xr ssh 1 .
|
|
See
|
|
.Xr ssh 1
|
|
and
|
|
.Xr sshd 8
|
|
for more information about host-based authentication.
|
|
.Sh FILES
|
|
.Bl -tag -width Ds -compact
|
|
.It Pa /etc/ssh/ssh_config
|
|
Controls whether
|
|
.Nm
|
|
is enabled.
|
|
.Pp
|
|
.It Pa /etc/ssh/ssh_host_dsa_key
|
|
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
|
.It Pa /etc/ssh/ssh_host_ed25519_key
|
|
.It Pa /etc/ssh/ssh_host_rsa_key
|
|
These files contain the private parts of the host keys used to
|
|
generate the digital signature.
|
|
They should be owned by root, readable only by root, and not
|
|
accessible to others.
|
|
Since they are readable only by root,
|
|
.Nm
|
|
must be set-uid root if host-based authentication is used.
|
|
.Pp
|
|
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
|
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
|
If these files exist they are assumed to contain public certificate
|
|
information corresponding with the private keys above.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1 ,
|
|
.Xr ssh-keygen 1 ,
|
|
.Xr ssh_config 5 ,
|
|
.Xr sshd 8
|
|
.Sh HISTORY
|
|
.Nm
|
|
first appeared in
|
|
.Ox 3.2 .
|
|
.Sh AUTHORS
|
|
.An Markus Friedl Aq Mt markus@openbsd.org
|