| .\" $OpenBSD: ssh-keysign.8,v 1.16 2019/11/30 07:07:59 jmc Exp $ |
| .\" |
| .\" Copyright (c) 2002 Markus Friedl. All rights reserved. |
| .\" |
| .\" Redistribution and use in source and binary forms, with or without |
| .\" modification, are permitted provided that the following conditions |
| .\" are met: |
| .\" 1. Redistributions of source code must retain the above copyright |
| .\" notice, this list of conditions and the following disclaimer. |
| .\" 2. Redistributions in binary form must reproduce the above copyright |
| .\" notice, this list of conditions and the following disclaimer in the |
| .\" documentation and/or other materials provided with the distribution. |
| .\" |
| .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
| .Dd $Mdocdate: November 30 2019 $ |
| .Dt SSH-KEYSIGN 8 |
| .Os |
| .Sh NAME |
| .Nm ssh-keysign |
| .Nd OpenSSH helper for host-based authentication |
| .Sh SYNOPSIS |
| .Nm |
| .Sh DESCRIPTION |
| .Nm |
| is used by |
| .Xr ssh 1 |
| to access the local host keys and generate the digital signature |
| required during host-based authentication. |
| .Pp |
| .Nm |
| is disabled by default and can only be enabled in the |
| global client configuration file |
| .Pa /etc/ssh/ssh_config |
| by setting |
| .Cm EnableSSHKeysign |
| to |
| .Dq yes . |
| .Pp |
| .Nm |
| is not intended to be invoked by the user, but from |
| .Xr ssh 1 . |
| See |
| .Xr ssh 1 |
| and |
| .Xr sshd 8 |
| for more information about host-based authentication. |
| .Sh FILES |
| .Bl -tag -width Ds -compact |
| .It Pa /etc/ssh/ssh_config |
| Controls whether |
| .Nm |
| is enabled. |
| .Pp |
| .It Pa /etc/ssh/ssh_host_dsa_key |
| .It Pa /etc/ssh/ssh_host_ecdsa_key |
| .It Pa /etc/ssh/ssh_host_ed25519_key |
| .It Pa /etc/ssh/ssh_host_rsa_key |
| These files contain the private parts of the host keys used to |
| generate the digital signature. |
| They should be owned by root, readable only by root, and not |
| accessible to others. |
| Since they are readable only by root, |
| .Nm |
| must be set-uid root if host-based authentication is used. |
| .Pp |
| .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub |
| .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub |
| .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub |
| .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub |
| If these files exist they are assumed to contain public certificate |
| information corresponding with the private keys above. |
| .El |
| .Sh SEE ALSO |
| .Xr ssh 1 , |
| .Xr ssh-keygen 1 , |
| .Xr ssh_config 5 , |
| .Xr sshd 8 |
| .Sh HISTORY |
| .Nm |
| first appeared in |
| .Ox 3.2 . |
| .Sh AUTHORS |
| .An Markus Friedl Aq Mt markus@openbsd.org |