- jmc@cvs.openbsd.org 2006/02/19 20:02:17
     [sshd.8]
     sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
diff --git a/sshd.8 b/sshd.8
index 6df9d8a..24c1499 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.226 2006/02/19 19:52:10 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.227 2006/02/19 20:02:17 jmc Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -708,43 +708,9 @@
 .Xr hosts_access 5 .
 .Pp
 .It /etc/hosts.equiv
-This file is used during
-.Cm RhostsRSAAuthentication
-and
-.Cm HostbasedAuthentication
-authentication.
-In the simplest form, this file contains host names, one per line.
-Users on
-those hosts are permitted to log in without a password, provided they
-have the same user name on both machines.
-The host name may also be
-followed by a user name; such users are permitted to log in as
-.Em any
-user on this machine (except root).
-Additionally, the syntax
-.Dq +@group
-can be used to specify netgroups.
-Negated entries start with
-.Ql \&- .
-.Pp
-If the client host/user is successfully matched in this file, login is
-automatically permitted provided the client and server user names are the
-same.
-Additionally, successful client host key authentication is required.
-This file must be writable only by root; it is recommended
-that it be world-readable.
-.Pp
-.Sy "Warning: It is almost never a good idea to use user names in"
-.Pa hosts.equiv .
-Beware that it really means that the named user(s) can log in as
-.Em anybody ,
-which includes bin, daemon, adm, and other accounts that own critical
-binaries and directories.
-Using a user name practically grants the user root access.
-The only valid use for user names that I can think
-of is in negative entries.
-.Pp
-Note that this warning also applies to rsh/rlogin.
+This file is for host-based authentication (see
+.Xr ssh 1 ) .
+It should only be writable by root.
 .Pp
 .It /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
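Review bot: The new /etc/hosts.equiv text drops the removed warning that a user name in this file lets the named user log in as any user on the machine (except root). It also drops the statement that successful client host key authentication is required, and the description of negated entries and "+@group" netgroups. The commit message says the entry is synced with ssh.1, so please confirm that ssh(1) carries the user-name warning; if it does not, keep a one-sentence caution here, since sshd(8) is where an administrator editing the server-side file is likely to look. Separately, the removed text said the file "must be writable only by root" while the added line says "It should only be writable by root."; if the check is enforced rather than advisory, "must" is the more accurate word.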
@@ -765,10 +731,10 @@
 The file should be world-readable.
 .Pp
 .It /etc/shosts.equiv
-This is processed exactly as
-.Pa /etc/hosts.equiv .
-However, this file may be useful in environments that want to run both
-rsh/rlogin and ssh.
+This file is used in exactly the same way as
+.Pa hosts.equiv ,
+but allows host-based authentication without permitting login with
+rlogin/rsh.
 .Pp
 .It /etc/ssh/ssh_known_hosts
 Systemwide list of known host keys.
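Review bot: In the new /etc/shosts.equiv text, ".Pa hosts.equiv ," drops the /etc/ prefix that both the removed line ".Pa /etc/hosts.equiv ." and the ".It /etc/hosts.equiv" tag use; suggest ".Pa /etc/hosts.equiv ," so the cross-reference matches the entry it points to. Because "used in exactly the same way" is now the only description of how this file is handled, the reader has to follow two references (to the hosts.equiv entry, then to ssh(1)) to learn the format and the root-only write requirement; consider restating the write-permission sentence here.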