- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
diff --git a/ssh.1 b/ssh.1
index 786df18..4bbfe34 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.64 2000/10/16 21:46:31 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.68 2000/11/12 19:50:38 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -209,9 +209,9 @@
If this method fails password authentication is tried.
.Pp
The public key method is similar to RSA authentication described
-in the previous section except that the DSA algorithm is used
-instead of the patented RSA algorithm.
-The client uses his private DSA key
+in the previous section except that the DSA or RSA algorithm is used
+instead.
+The client uses his private key
.Pa $HOME/.ssh/id_dsa
to sign the session identifier and sends the result to the server.
The server checks whether the matching public key is listed in
@@ -331,7 +331,7 @@
RSA host keys are stored in
.Pa $HOME/.ssh/known_hosts
and
-DSA host keys are stored in
+host keys used in the protocol version 2 are stored in
.Pa $HOME/.ssh/known_hosts2
in the user's home directory.
Additionally, the files
@@ -352,7 +352,8 @@
.Cm StrictHostKeyChecking
option (see below) can be used to prevent logins to machines whose
host key is not known or has changed.
-.Sh OPTIONS
+.Pp
+The options are as follows:
.Bl -tag -width Ds
.It Fl a
Disables forwarding of the authentication agent connection.
@@ -407,7 +408,7 @@
Allows remote hosts to connect to local forwarded ports.
.It Fl i Ar identity_file
Selects the file from which the identity (private key) for
-RSA authentication is read.
+RSA or DSA authentication is read.
Default is
.Pa $HOME/.ssh/identity
in the user's home directory.
@@ -552,6 +553,22 @@
.Nm
to use IPv6 addresses only.
.El
+.Pp
+If
+.Nm
+is not invoked with one of the standard program names
+.Pf ( Dq ssh ,
+.Dq slogin ,
+.Dq rsh ,
+.Dq rlogin ,
+or
+.Dq remsh ) ,
+it uses this name as its
+.Ar hostname
+argument.
+This is consistent with traditional
+.Xr rsh 1
+behavior.
.Sh CONFIGURATION FILES
.Nm
obtains configuration data from the following sources (in this order):
@@ -660,14 +677,12 @@
back to rsh or exiting.
The argument must be an integer.
This may be useful in scripts if the connection sometimes fails.
-.It Cm DSAAuthentication
-Specifies whether to try DSA authentication.
+.It Cm PubkeyAuthentication
+Specifies whether to try public key authentication.
The argument to this keyword must be
.Dq yes
or
.Dq no .
-DSA authentication will only be
-attempted if a DSA identity file exists.
Note that this option applies to protocol version 2 only.
.It Cm EscapeChar
Sets the escape character (default:
@@ -745,16 +760,6 @@
It is possible to have
multiple identity files specified in configuration files; all these
identities will be tried in sequence.
-.It Cm IdentityFile2
-Specifies the file from which the user's DSA authentication identity
-is read (default
-.Pa $HOME/.ssh/id_dsa
-in the user's home directory).
-The file name may use the tilde
-syntax to refer to a user's home directory.
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
.It Cm KeepAlive
Specifies whether the system should send keepalive messages to the
other side.
@@ -1096,7 +1101,7 @@
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.It Pa $HOME/.ssh/authorized_keys2
-Lists the DSA keys that can be used for logging in as this user.
+Lists the public keys (DSA/RSA) that can be used for logging in as this user.
This file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.It Pa /etc/ssh_known_hosts, /etc/ssh_known_hosts2
@@ -1104,7 +1109,7 @@
.Pa /etc/ssh_known_hosts
contains RSA and
.Pa /etc/ssh_known_hosts2
-contains DSA keys.
+contains DSA or RSA keys for protocol version 2.
These files should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
@@ -1219,7 +1224,7 @@
A version of this library which includes support for the RSA algorithm
is required for proper operation.
.El
-.Sh AUTHOR
+.Sh AUTHORS
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release by Tatu Ylonen,
but with bugs removed and newer features re-added.