ssh-keysign(1m) 맨 페이지 - 윈디하나의 솔라나라

개요

섹션
맨페이지이름
검색(S)

ssh-keysign(1m)

Name
     ssh-keysign - ssh helper program for host-based  authentica-
     tion

Synopsis
     ssh-keysign

Description
     ssh-keysign is used by ssh(1) to access the local host  keys
     and  generate  the  digital  signature required during host-
     based authentication with SSH protocol version 2. This  sig-
     nature is of data that includes, among other items, the name
     of the client host and the name of the client user.


     ssh-keysign is disabled by default and can be  enabled  only
     in  the global client configuration file /etc/ssh/ssh_config
     by setting HostbasedAuthentication to yes.


     ssh-keysign is not intended to be invoked by the  user,  but
     from ssh. See ssh(1) and sshd(1M) for more information about
     host-based authentication.

Files
     /etc/ssh/ssh_config
                                  Controls whether ssh-keysign is
                                  enabled.


     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_rsa_key
                                  These files contain the private
                                  parts  of the host keys used to
                                  generate the digital signature.
                                  They  should  be owned by root,
                                  readable only by root, and  not
                                  accessible  to  others. Because
                                  they are readable only by root,
                                  ssh-keysign   must  be  set-uid
                                  root if host-based  authentica-
                                  tion is used.

Security
     ssh-keysign will not  sign  host-based  authentication  data
     under the following conditions:

         o    If the HostbasedAuthentication client configuration
              parameter is not set to yes in /etc/ssh/ssh_config.
              This  setting  cannot  be   overriden   in   users'
              ~/.ssh/ssh_config files.

         o    If   the   client   hostname   and   username    in

              /etc/ssh/ssh_config  do  not  match  the  canonical
              hostname of the client where ssh-keysign is invoked
              and the name of the user invoking ssh-keysign.


     In spite of ssh-keysign's restrictions on  the  contents  of
     the  host-based authentication data, there remains the abil-
     ity of users to use  it  as  an  avenue  for  obtaining  the
     client's  private  host  keys.  For  this  reason host-based
     authentication is turned off by default.

Attributes
     See attributes(5) for descriptions of the  following  attri-
     butes:



     tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i)  ATTRI-
     BUTE  TYPEATTRIBUTE VALUE _ Availabilitynetwork/ssh _ Inter-
     face StabilityCommitted

See Also
     ssh(1), sshd(1M), ssh_config(4), attributes(5)

Authors
     Markus Friedl, markus@openbsd.org

History
     ssh-keysign first appeared in Ox 3.2.
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.
RSS ATOM XHTML 5 CSS3