SSH-KEYSIGN(8)              System Manager's Manual             SSH-KEYSIGN(8)

NAME
     ssh-keysign – ssh helper program for host-based authentication

SYNOPSIS
     ssh-keysign

DESCRIPTION
     ssh-keysign is used by ssh(1) to access the local host keys and generate
     the digital signature required during host-based authentication.

     ssh-keysign is disabled by default and can only be enabled in the global
     client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign
     to “yes”.

     ssh-keysign is not intended to be invoked by the user, but from ssh(1).
     See ssh(1) and sshd(8) for more information about host-based
     authentication.

FILES
     /etc/ssh/ssh_config
             Controls whether ssh-keysign is enabled.

     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_ed25519_key
     /etc/ssh/ssh_host_rsa_key
             These files contain the private parts of the host keys used to
             generate the digital signature.  They should be owned by root,
             readable only by root, and not accessible to others.  Since they
             are readable only by root, ssh-keysign must be set-uid root if
             host-based authentication is used.

     /etc/ssh/ssh_host_dsa_key-cert.pub
     /etc/ssh/ssh_host_ecdsa_key-cert.pub
     /etc/ssh/ssh_host_ed25519_key-cert.pub
     /etc/ssh/ssh_host_rsa_key-cert.pub
             If these files exist they are assumed to contain public
             certificate information corresponding with the private keys
             above.

SEE ALSO
     ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)

HISTORY
     ssh-keysign first appeared in OpenBSD 3.2.

AUTHORS
     Markus Friedl <markus@openbsd.org>

OpenBSD 6.0                    February 17, 2016                   OpenBSD 6.0
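
An added audit example (not part of the OpenSSH manual or code) that checks the requirements in DESCRIPTION and FILES: host private keys owned by root and closed to group and others, and the helper set-uid root whenever EnableSSHKeysign is "yes". Assumptions of this example: the helper's install path is passed as an argument because it varies by system, the function names and the root_uid parameter are hypothetical, and any "EnableSSHKeysign yes" line counts as enabling (Host/Match scoping and Include are ignored).

```python
import os
import stat
import sys

# Private host key names as listed in the FILES section of the manual page.
KEY_TYPES = ("dsa", "ecdsa", "ed25519", "rsa")


def keysign_enabled(config_text):
    """Return True if any line sets EnableSSHKeysign to yes.

    Assumption: Host/Match scoping and Include are ignored, so a "yes"
    anywhere in the file is conservatively reported as enabled.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.replace("=", " ").split()       # "key value" or "key=value"
        if len(parts) >= 2 and parts[0].lower() == "enablesshkeysign":
            if parts[1].strip('"').lower() == "yes":
                return True
    return False


def audit(ssh_dir, config_path, helper_path, root_uid=0):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    with open(config_path) as fh:
        enabled = keysign_enabled(fh.read())
    for kind in KEY_TYPES:
        key = os.path.join(ssh_dir, f"ssh_host_{kind}_key")
        if not os.path.exists(key):
            continue                                  # key type not deployed
        st = os.stat(key)
        if st.st_uid != root_uid:
            findings.append(f"{key}: not owned by root")
        if st.st_mode & 0o077:
            findings.append(f"{key}: accessible to group or others")
    hst = os.stat(helper_path)
    setuid_root = bool(hst.st_mode & stat.S_ISUID) and hst.st_uid == root_uid
    if enabled and not setuid_root:
        findings.append(f"{helper_path}: EnableSSHKeysign is yes but helper is not set-uid root")
    return findings


if __name__ == "__main__":
    # Usage: script.py /path/to/ssh-keysign  (path is system-specific)
    for finding in audit("/etc/ssh", "/etc/ssh/ssh_config", sys.argv[1]):
        print(finding)
```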