ssh-keysign(1M)         System Administration Commands         ssh-keysign(1M)

NAME

       ssh-keysign - ssh helper program for host-based authentication

SYNOPSIS

       ssh-keysign

DESCRIPTION

       ssh-keysign is used by ssh(1) to access the local host keys and
       generate the digital signature required during host-based
       authentication with SSH protocol version 2. This signature is of data
       that includes, among other items, the name of the client host and the
       name of the client user.

       ssh-keysign is disabled by default and can be enabled only in the
       global client configuration file /etc/ssh/ssh_config by setting
       HostbasedAuthentication to yes.

       ssh-keysign is not intended to be invoked by the user, but from ssh.
       See ssh(1) and sshd(1M) for more information about host-based
       authentication.

FILES

       /etc/ssh/ssh_config          Controls whether ssh-keysign is enabled.

       /etc/ssh/ssh_host_dsa_key    These files contain the private parts of
       /etc/ssh/ssh_host_rsa_key    the host keys used to generate the digital
                                    signature. They should be owned by root,
                                    readable only by root, and not accessible
                                    to others. Because they are readable only
                                    by root, ssh-keysign must be set-uid root
                                    if host-based authentication is used.

SECURITY

       ssh-keysign will not sign host-based authentication data under the
       following conditions:

           o      If the HostbasedAuthentication client configuration
                  parameter is not set to yes in /etc/ssh/ssh_config. This
                  setting cannot be overridden in users' ~/.ssh/ssh_config
                  files.

           o      If the client hostname and username in /etc/ssh/ssh_config
                  do not match the canonical hostname of the client where
                  ssh-keysign is invoked and the name of the user invoking
                  ssh-keysign.

       In spite of ssh-keysign's restrictions on the contents of the
       host-based authentication data, there remains the ability of users to
       use it as an avenue for obtaining the client's private host keys. For
       this reason host-based authentication is turned off by default.
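       The file and permission requirements above can be checked with a short
       audit script. This is an added example, not part of ssh-keysign or of
       the original page; the function names, the EXPECTED_UID variable and
       the ssh-keysign path passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ssh-keysign distribution.
# Usage: audit CONFIG KEYSIGN KEY...   (the KEYSIGN path is site-specific)
# EXPECTED_UID defaults to 0 (root); it is a variable only so the checks
# can be exercised on constructed files without root.

# True if any non-comment line of CONFIG sets HostbasedAuthentication to yes.
# Conservative: Host blocks are not evaluated, any "yes" counts.
hostbased_enabled() {
    awk '{ l = tolower($0); sub(/^[ \t]+/, "", l) }
         l ~ /^hostbasedauthentication[ \t=]+yes[ \t]*$/ { hit = 1 }
         END { exit !hit }' "$1" 2>/dev/null
}

# True if FILE is owned by UID and grants nothing to group or others.
key_private() {
    ls -lnd -- "$1" 2>/dev/null | awk -v uid="$2" '
        { ok = (substr($1, 5, 6) == "------" && $3 == uid) }
        END { exit !ok }'
}

# Prints findings; the return status is the number of FAIL lines.
audit() {
    cfg=$1 keysign=$2 uid=${EXPECTED_UID:-0} n=0
    shift 2
    for k in "$@"; do
        [ -e "$k" ] || continue
        key_private "$k" "$uid" || {
            echo "FAIL $k: want owner uid $uid and no group/other access"
            n=$((n + 1))
        }
    done
    if hostbased_enabled "$cfg"; then
        echo "NOTE $cfg: HostbasedAuthentication is yes"
        [ -u "$keysign" ] || {
            echo "FAIL $keysign: not set-uid, cannot read the host keys"
            n=$((n + 1))
        }
    elif [ -u "$keysign" ]; then
        echo "WARN $keysign: set-uid although host-based auth is off"
    fi
    return "$n"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

       Run it as root with the configuration file, the installed ssh-keysign
       binary and the host key files as arguments; a non-zero exit status is
       the number of failed checks.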

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWsshu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       ssh(1), sshd(1M), ssh_config(4), attributes(5)

AUTHORS

       Markus Friedl, markus@openbsd.org

HISTORY

       ssh-keysign first appeared in OpenBSD 3.2.

SunOS 5.11                        9 Jun 2004                   ssh-keysign(1M)