Penguin

Differences between current version and revision by previous author of sshd(8).


Newer page: version 6 Last edited on Thursday, December 23, 2004 5:34:37 pm by MattBrown
Older page: version 5 Last edited on Monday, September 1, 2003 1:01:26 am by AristotlePagaltzis
@@ -170,20 +170,33 @@
 Note that lines in this file are usually several hundred bytes long (because of the size of the RSA key modulus). You don't want to type them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub file and edit it. 
  
 The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive): 
  
- from= 
+* from="pattern-list"  
+;: Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns ('*' and '?' serve as wildcards). The list may also contain patterns negated by prefixing them with '!'; if the canonical host name matches a negated pattern, the key is not accepted. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).  
+* command="command"  
+;:Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) isignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP/IP and/or X11 forwarding unless they are explicitly prohibited. Note that this option applies to shell, command or subsystem execution.  
+* environment="NAME=value"  
+;:Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option. This option is automatically disabled if UseLogin is enabled.  
+* no-port-forwarding  
+;:Forbids TCP/IP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g., in connection with the command option.  
+* no-X11-forwarding  
+;:Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.  
+* no-agent-forwarding  
+;:Forbids authentication agent forwarding when this key is used for authentication.  
+* no-pty  
+;:Prevents tty allocation (a request to allocate a pty will fail).  
+* permitopen="host:port"  
+;:Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses.  
  
-Specifies that in addition to RSA authentication, thecanonical name of the remote host must be present inthe comma-separated list of patterns ( and ? serveas wildcards) . The list may also contain patternsnegated by prefixing them with !; if the canonicalhost name matches a negated pattern, the key is notaccepted . The purpose of this option is to option-ally increase security: RSA authentication by itselfdoes not trust the network or name servers or any-thing (but the key); however, if somebody somehowsteals the key, the key permits an intruder to log infrom anywhere in the world . This additional optionmakes using a stolen key more difficult (name serversand/or routers would have to be compromised in addi-tion to just the key).command= port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses
+''Examples''  
+ 1024 33 12121 ...312314325 ylo@foo .bar  
  
-__Examples__  
- 1024 33 12121 ...312314325 ylo@foo.bar  
+ from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23 ...2334 ylo@niksula  
  
-from
+ command ="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi  
  
-command =  
-  
- permitopen= 
+ permitopen ="10.2.1.55:80", permitopen="10.2.1.56:25" 1024 33 23...2323  
  
 __SSH_KNOWN_HOSTS FILE FORMAT__ 
  
 The /etc/ssh/ssh_known_hosts, and $HOME/.ssh/known_hosts files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects from an unknown host its key is added to the per-user file. 
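Review bot: the added example lines under ''Examples'' break the rule the same hunk states a few lines earlier ("No spaces are permitted, except within double quotes"): ` command ="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi` has a space before `=`, and ` permitopen ="10.2.1.55:80", permitopen="10.2.1.56:25" 1024 33 23...2323` has a space before `=` and another after the comma, so readers copying them would get option strings that do not match the documented syntax; they should read `command="dump /home",no-pty,no-port-forwarding ...` and `permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" ...`. Two smaller slips in the same hunk: the first example now reads `ylo@foo .bar` where the removed line had `ylo@foo.bar`, and the command= description runs "isignored" together. The `;:` definition entries are also inconsistent, with a space after `;:` on the from= entry and none on the others. Replacing the run-together block from the previous revision with a per-option list is otherwise the right change.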
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.