ssh-keysign.0 1.74 KB
Colin Watson committed
SSH-KEYSIGN(8)          OpenBSD System Manager's Manual         SSH-KEYSIGN(8)

NAME
     ssh-keysign - ssh helper program for host-based authentication

SYNOPSIS
     ssh-keysign

DESCRIPTION
     ssh-keysign is used by ssh(1) to access the local host keys and generate
     the digital signature required during host-based authentication with SSH
     protocol version 2.

     ssh-keysign is disabled by default and can only be enabled in the global
     client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign
     to ``yes''.

     ssh-keysign is not intended to be invoked by the user, but from ssh(1).
     See ssh(1) and sshd(8) for more information about host-based
     authentication.

FILES
     /etc/ssh/ssh_config
             Controls whether ssh-keysign is enabled.

     /etc/ssh/ssh_host_dsa_key
     /etc/ssh/ssh_host_ecdsa_key
     /etc/ssh/ssh_host_rsa_key
             These files contain the private parts of the host keys used to
             generate the digital signature.  They should be owned by root,
             readable only by root, and not accessible to others.  Since they
             are readable only by root, ssh-keysign must be set-uid root if
             host-based authentication is used.

     /etc/ssh/ssh_host_dsa_key-cert.pub
     /etc/ssh/ssh_host_ecdsa_key-cert.pub
     /etc/ssh/ssh_host_rsa_key-cert.pub
             If these files exist they are assumed to contain public
             certificate information corresponding with the private keys
             above.
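
The following audit script is an added example, not part of the manual page or of OpenSSH. It checks the conditions stated above: the EnableSSHKeysign setting, owner-only host private keys, and a set-uid helper. The helper's path and the expected owner uid are parameters (assumptions, since the install location varies by platform), and Host/Match scoping in ssh_config is ignored.

```shell
#!/bin/sh
# Added example (not from the manual page): audit what ssh-keysign(8) relies on.

# Print the first EnableSSHKeysign value in a config file, lowercased.
# Simplification: Host/Match scoping is ignored. Unset means "no" (the default).
keysign_setting() {
    [ -r "$1" ] || { echo no; return; }
    awk '{ gsub(/[=\t]/, " ") }
         tolower($1) == "enablesshkeysign" { print tolower($2); hit = 1; exit }
         END { if (!hit) print "no" }' "$1"
}

# Print "<10-char mode string> <owner uid>" for a path, from POSIX `ls -n`.
mode_owner() {
    ls -lnd "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# $1 = mode_owner output, $2 = expected uid. Regular file, owner-only access.
is_private() {
    case $1 in "-rw------- $2" | "-r-------- $2") return 0 ;; esac
    return 1
}

# Set-uid regular file owned by $2; additionally (extra check, not from the
# page) not writable by group or others.
is_setuid() {
    case $1 in -??s?-??-?" $2") return 0 ;; esac
    return 1
}

# $1 = config dir, $2 = helper path (assumed; install location varies by
# platform), $3 = expected owner uid (default 0). Returns the finding count.
audit_keysign() {
    dir=$1 bin=$2 uid=${3:-0} bad=0
    for k in dsa ecdsa rsa; do
        f=$dir/ssh_host_${k}_key
        [ -e "$f" ] || continue
        is_private "$(mode_owner "$f")" "$uid" && continue
        echo "FAIL $f: must be owned by uid $uid and closed to group/others"
        bad=$((bad + 1))
    done
    if [ "$(keysign_setting "$dir/ssh_config")" = yes ] &&
       ! is_setuid "$(mode_owner "$bin")" "$uid"; then
        echo "FAIL $bin: EnableSSHKeysign is yes but helper is not set-uid uid $uid"
        bad=$((bad + 1))
    fi
    return "$bad"
}
```

On a live system, call audit_keysign with /etc/ssh and the platform's ssh-keysign path; a non-zero return is the number of findings printed.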

SEE ALSO
     ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)

HISTORY
     ssh-keysign first appeared in OpenBSD 3.2.

AUTHORS
     Markus Friedl <markus@openbsd.org>

OpenBSD 5.4                      July 16, 2013                     OpenBSD 5.4