diff -ru openssh-3.5p1.orig/TODO openssh-3.5p1/TODO --- openssh-3.5p1.orig/TODO 2002-09-05 16:32:03.000000000 +1000 +++ openssh-3.5p1/TODO 2003-03-06 19:38:46.000000000 +1100 @@ -15,8 +15,6 @@ - Replacement for setproctitle() - HP-UX support only currently -- Handle changing passwords for the non-PAM expired password case - - Improve PAM support (a pam_lastlog module will cause sshd to exit) and maybe support alternate forms of authentications like OPIE via pam? diff -ru openssh-3.5p1.orig/acconfig.h openssh-3.5p1/acconfig.h --- openssh-3.5p1.orig/acconfig.h 2002-09-26 10:38:48.000000000 +1000 +++ openssh-3.5p1/acconfig.h 2003-03-06 19:38:46.000000000 +1100 @@ -25,6 +25,9 @@ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK +/* Path to passwd program */ +#undef PASSWD_PROGRAM_PATH + /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD diff -ru openssh-3.5p1.orig/auth-pam.c openssh-3.5p1/auth-pam.c --- openssh-3.5p1.orig/auth-pam.c 2002-07-29 06:24:08.000000000 +1000 +++ openssh-3.5p1/auth-pam.c 2003-03-06 19:47:43.000000000 +1100 @@ -42,8 +42,6 @@ #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -60,7 +58,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; 
@@ -256,18 +254,10 @@ case PAM_SUCCESS: /* This is what we want */ break; -#if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); - /* flag that password change is necessary */ - password_change_required = 1; - /* disallow other functionality for now */ - no_port_forwarding_flag |= 2; - no_agent_forwarding_flag |= 2; - no_x11_forwarding_flag |= 2; + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); + flag_password_change_required(); break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -353,13 +343,7 @@ fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); #if 0 - /* XXX: This would need to be done in the parent process, - * but there's currently no way to pass such request. */ - no_port_forwarding_flag &= ~2; - no_agent_forwarding_flag &= ~2; - no_x11_forwarding_flag &= ~2; - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) - channel_permit_all_opens(); + flag_password_change_successful(); #endif } } Only in openssh-3.5p1: auth-pam.c.orig diff -ru openssh-3.5p1.orig/auth-passwd.c openssh-3.5p1/auth-passwd.c --- openssh-3.5p1.orig/auth-passwd.c 2002-09-26 09:14:16.000000000 +1000 +++ openssh-3.5p1/auth-passwd.c 2003-03-06 19:38:46.000000000 +1100 @@ -42,6 +42,10 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "buffer.h" +#include "misc.h" +#include "channels.h" +#include "auth-options.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,9 +85,9 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; -#ifdef WITH_AIXAUTHENTICATE -extern char *aixloginmsg; -#endif + +int password_change_required = 0; +pid_t password_change_pid; /* pid used to reset forwarding flags */ /* * Tries to authenticate the user using password. Returns true if 
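Review bot: The re-enabled PAM_NEW_AUTHTOK_REQD case now delegates to flag_password_change_required(), which records getpid() and installs a SIGUSR1 handler in whichever process runs pam_acct_mgmt(); the removed lines consulted use_privsep at this very spot, so this is presumably not always the process that later serves the session's channel requests, in which case the SIGUSR1 sent by flag_password_change_successful() resets the flags in the wrong process. Worth confirming for the privsep path before this ships, and stating the expectation next to the call: `/* must run in the process that will later handle the session; see flag_password_change_required() */`. The enclosing function starts and ends outside the hunk.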
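Review bot: The new `flag_password_change_successful();` line sits between the existing `#if 0` and `#endif` context lines, so it is compiled out and a successful do_pam_chauthtok() never clears password_change_required or the forwarding flags. Since the PAM_NEW_AUTHTOK_REQD case above now sets password_change_required, do_login() in session.c sees the flag still set after do_pam_chauthtok() returns and runs do_tty_change_password() as well, forcing a second change through PASSWD_PROGRAM_PATH (fatal if that one fails). Either drop the `#if 0`/`#endif` pair around the call or, if it must stay disabled, reset the flag here explicitly and say why in a comment. The enclosing function starts before the hunk.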
@@ -149,15 +153,16 @@ #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); - + aix_remove_embedded_newlines(authmsg); if (authsuccess) - /* We don't have a pty yet, so just label the line as "ssh" */ - if (loginsuccess(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh", &aixloginmsg) < 0) - aixloginmsg = NULL; - - return(authsuccess); + debug3("AIX/authenticate succeeded for user %s: %.100s", + pw->pw_name, authmsg); + else + debug3("AIX/authenticate failed for user %s: %.100s", + pw->pw_name, authmsg); + if (authmsg) + xfree(authmsg); + return authsuccess; #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { 
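Review bot: Both new debug3() calls hand `authmsg` to `%.100s`, but the `if (authmsg)` guard two lines later shows the pointer can be NULL, and passing NULL for `%s` is undefined behaviour (some libcs print `(null)`, others crash). Substitute a placeholder in both calls, e.g. `authmsg ? authmsg : "(no message)"`. The preceding aix_remove_embedded_newlines() call is fine on NULL since the helper checks for it. The enclosing function starts and ends outside the hunk.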
@@ -233,3 +238,103 @@ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !USE_PAM && !HAVE_OSF_SIA */ } + +/* + * Perform generic password change via tty. Like do_pam_chauthtok(), + * it throws a fatal error if the password can't be changed. + */ +int +do_tty_change_password(struct passwd *pw) +{ + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + setuid(pw->pw_uid); + if (geteuid() == 0) + execl(PASSWD_PROGRAM_PATH, "passwd", pw->pw_name, + (char *)NULL); + else + execl(PASSWD_PROGRAM_PATH, "passwd", (char *)NULL); + + /* execl shouldn't return */ + fatal("Couldn't exec %s", PASSWD_PROGRAM_PATH); + exit(1); + } + + if (waitpid(pid, &status, 0) == -1) + fatal("Couldn't wait for child: %s", strerror(errno)); + mysignal(SIGCHLD, old_signal); + + if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { + debug("%s password changed sucessfully", __func__); + flag_password_change_successful(); + return 1; + } else { + fatal("Failed to change password for %s, passwd returned %d", + pw->pw_name, status); + return 0; + } +} + +/* + * Because an expired password is changed after forking to exec the user's + * shell, restoring the port forwarding flags is done by sending a + * USR1 signal to the parent after the password is changed successfully. 
+ */ +void +flag_password_change_required(void) +{ + debug("%s disabling forwarding flags", __func__); + /* flag that password change is necessary */ + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + + /* set handler to reset flags */ + password_change_pid = getpid(); + mysignal(SIGUSR1, password_change_successful_handler); +} + +/* + * password change successful, tell parent to restore port + * forwarding flags + */ +void +flag_password_change_successful(void) +{ + debug("%s signalling parent to reset forwarding flags", __func__); + kill(password_change_pid, SIGUSR1); + + /* reset flags in local process too */ + password_change_required = 0; + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; +} + +/* + * signal handler to reset change flags + */ +void +password_change_successful_handler(int sig) +{ + debug("%s restoring port forwarding flags", __func__); + mysignal(SIGUSR1, SIG_DFL); /* unset handler */ + + password_change_required = 0; + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + channel_permit_all_opens(); +} diff -ru openssh-3.5p1.orig/auth.c openssh-3.5p1/auth.c --- openssh-3.5p1.orig/auth.c 2002-09-22 01:26:53.000000000 +1000 +++ openssh-3.5p1/auth.c 2003-03-06 19:47:43.000000000 +1100 @@ -36,6 +36,11 @@ #include #endif +#ifdef WITH_AIXAUTHENTICATE +#include +#include +#endif + #include "xmalloc.h" #include "match.h" #include "groupaccess.h" @@ -51,9 +56,12 @@ #include "misc.h" #include "bufaux.h" #include "packet.h" +#include "sshlogin.h" /* import */ extern ServerOptions options; +extern Buffer expire_message; +extern Buffer login_message; /* Debugging messages */ Buffer auth_debug; 
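Review bot: password_change_successful_handler() runs as the SIGUSR1 handler yet calls debug() and channel_permit_all_opens(), neither of which is async-signal-safe, so it can re-enter logging or channel bookkeeping the server loop is in the middle of; the handler should only record that the change completed and the flag reset should be driven from the main loop, as sketched below (the loop-side call is outside this hunk). In do_tty_change_password() the result of `setuid(pw->pw_uid)` is not checked, so if it fails for a non-root user the child keeps euid 0 and execs `passwd <name>` with root privilege — test it and `_exit(1)` on failure, and for the same reason the two fatal() calls in the child should become a log plus `_exit(1)`, since fatal() presumably runs cleanup callbacks the parent registered before fork(). flag_password_change_successful() does `kill(password_change_pid, SIGUSR1)` but password_change_pid is only ever set by flag_password_change_required(); if it is reached without that, the zero-initialised pid addresses the whole process group, so guard it with `if (password_change_pid > 0)`. Minor: `sucessfully` in the debug message.
```c
/* set by the SIGUSR1 handler, consumed by password_change_check() */
static volatile sig_atomic_t password_change_done = 0;

void
password_change_successful_handler(int sig)
{
	password_change_done = 1;	/* async-signal-safe: nothing else here */
}

/* Call from the server loop: restore forwarding once the change is done. */
void
password_change_check(void)
{
	if (!password_change_done)
		return;
	password_change_done = 0;
	mysignal(SIGUSR1, SIG_DFL);	/* unset handler */
	debug("%s restoring port forwarding flags", __func__);
	/* … unchanged: flag reset and channel_permit_all_opens() … */
}
```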
@@ -75,51 +83,75 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ - !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; + time_t today; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; #define DAY (24L * 60 * 60) /* 1 day in seconds */ - spw = getspnam(pw->pw_name); - if (spw != NULL) { - time_t today = time(NULL) / DAY; +#define WEEK (DAY * 7) /* 1 week in seconds */ +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) + if ((spw = getspnam(pw->pw_name)) != NULL) { + int daysleft; + + today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" - " sp_max %d", (int)today, (int)spw->sp_expire, - (int)spw->sp_lstchg, (int)spw->sp_max); + " sp_max %d sp_warn %d", (int)today, (int)spw->sp_expire, + (int)spw->sp_lstchg, (int)spw->sp_max, (int)spw->sp_warn); /* * We assume account and password expiration occurs the * day after the day specified. */ - if (spw->sp_expire != -1 && today > spw->sp_expire) { + daysleft = spw->sp_expire - today; + if (spw->sp_expire == -1) { + debug3("account expiration disabled"); + } else if (today > spw->sp_expire) { log("Account %.100s has expired", pw->pw_name); return 0; - } + } else if (daysleft <= spw->sp_warn) { + char buf[256]; + debug3("account will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your account will expire in %d day%s.\n", + daysleft, daysleft == 1 ? 
"" : "s"); + buffer_append(&login_message, buf, strlen(buf)); + } + +#define PWCHG_FORCED "You must change your password now.\n" +#define PWCHG_EXPIRED "Your password has expired, you must change it now.\n" + daysleft = spw->sp_lstchg + spw->sp_max - today; if (spw->sp_lstchg == 0) { log("User %.100s password has expired (root forced)", pw->pw_name); - return 0; - } - - if (spw->sp_max != -1 && - today > spw->sp_lstchg + spw->sp_max) { + flag_password_change_required(); + buffer_append(&expire_message, PWCHG_FORCED, + sizeof(PWCHG_FORCED)); + } else if (spw->sp_max == -1) { + debug3("password expiration disabled"); + } else if (daysleft < 0) { log("User %.100s password has expired (password aged)", pw->pw_name); - return 0; + flag_password_change_required(); + buffer_append(&expire_message, PWCHG_EXPIRED, + sizeof(PWCHG_EXPIRED)); + } else if (daysleft <= spw->sp_warn) { + char buf[256]; + + debug3("password will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your password will expire in %d day%s.\n", + daysleft, daysleft == 1 ? "" : "s"); + buffer_append(&expire_message, buf, strlen(buf)); } } -#else - /* Shouldn't be called if pw is NULL, but better safe than sorry... */ - if (!pw || !pw->pw_name) - return 0; #endif /* 
@@ -202,19 +234,80 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { - if (loginmsg && *loginmsg) { - /* Remove embedded newlines (if any) */ - char *p; - for (p = loginmsg; *p; p++) { - if (*p == '\n') - *p = ' '; + /* + * Don't check loginrestrictions() for root account (use + * PermitRootLogin to control logins via ssh), or if running as + * non-root user (since loginrestrictions will always fail). + */ + if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { + int loginrestrict_errno = errno; + char *msg; + + /* check for AIX account restrictions */ + if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { + if (msg && *msg) { + aix_remove_embedded_newlines(msg); + log("Login restricted for %s: %.100s", + pw->pw_name, msg); + xfree(msg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + + /* Don't fail if /etc/nologin set */ + if (!(loginrestrict_errno == EPERM && + stat(_PATH_NOLOGIN, &st) == 0)) + return 0; } - return 0; + } + + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. 
+ */ + if (geteuid() == 0) { + char *msg; + int result, maxexpired; + struct userpw *upw; + + /* check if password expired too long */ + upw = getuserpw(pw->pw_name); + result = getuserattr(pw->pw_name, S_MAXEXPIRED, &maxexpired, + SEC_INT); + if (upw != NULL && result == 0) { + debug3("%s lastupdate %lu maxexpired %d wks time %d", + __func__, upw->upw_lastupdate, maxexpired, + (int)time(NULL)); + if (maxexpired != -1 && upw->upw_lastupdate + + (maxexpired*WEEK) <= time(NULL) ){ + log("User %.100s password expired too long", + pw->pw_name); + return 0; + } + } + + result = passwdexpired(pw->pw_name, &msg); + buffer_append(&expire_message, msg, strlen(msg)); + if (msg && *msg) + aix_remove_embedded_newlines(msg); + debug3("AIX/passwdexpired returned %d msg %.100s", result, msg); + + switch (result) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + flag_password_change_required(); + break; + default: /* user can't change(2) or other error (-1) */ + log("Password can't be changed for user %s: " + "%.100s", pw->pw_name, msg); + if (msg) + xfree(msg); + return 0; + } + if (msg) + xfree(msg); + } #endif /* WITH_AIXAUTHENTICATE */ 
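Review bot: `int loginrestrict_errno = errno;` captures errno before loginrestrictions() is called, so the later `loginrestrict_errno == EPERM` test examines whatever an earlier call left behind rather than the reason this one failed; assign it immediately after the loginrestrictions() call and before log()/xfree(), which may clobber errno. Further down, `buffer_append(&expire_message, msg, strlen(msg))` and the debug3() `%.100s` run before the `if (msg && *msg)` check, so a NULL msg from passwdexpired() dereferences NULL — move the append and the debug under a `if (msg != NULL)` guard. The enclosing function starts before the hunk.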
@@ -230,6 +323,45 @@ return authctxt; } +/* + * Generate last_login message and store for later display. This must be + * called before login_login() is called and lastlog is updated. + */ +void +generate_login_message(const char *user, uid_t uid, const char *host) +{ +#ifdef WITH_AIXAUTHENTICATE + char *msg; + + /* We don't have a pty yet, so just label the line as "ssh" */ + if (loginsuccess(user, host, "ssh", &msg) >= 0) + buffer_append(&login_message, msg, strlen(msg)); +#elif !defined(NO_SSH_LASTLOG) + if (options.print_lastlog) { + char *time_string, lasthost[MAXHOSTNAMELEN], buf[256]; + time_t last_login_time; + + last_login_time = get_last_login_time(uid, user, lasthost, + sizeof(lasthost)); + + if (last_login_time != 0) { + time_string = ctime(&last_login_time); + if (strchr(time_string, '\n')) + *strchr(time_string, '\n') = 0; + if (strcmp(lasthost, "") == 0) + snprintf(buf, sizeof(buf), + "Last login: %s\r\n", + time_string); + else + snprintf(buf, sizeof(buf), + "Last login: %s from %s\r\n", + time_string, lasthost); + buffer_append(&login_message, buf, strlen(buf)); + } + } +#endif +} + void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { @@ -257,6 +389,9 @@ get_remote_port(), info); + if (authenticated && geteuid() == 0) + generate_login_message(authctxt->user, authctxt->pw->pw_uid, + get_canonical_hostname(options.verify_reverse_mapping)); #ifdef WITH_AIXAUTHENTICATE if (authenticated == 0 && strcmp(method, "password") == 0) loginfailed(authctxt->user, @@ -417,6 +552,7 @@ uid_t uid = pw->pw_uid; char buf[MAXPATHLEN], homedir[MAXPATHLEN]; char *cp; + int comparehome = 0; struct stat st; if (realpath(file, buf) == NULL) { 
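Review bot: In the WITH_AIXAUTHENTICATE branch of generate_login_message() the `msg` returned by loginsuccess() is appended to login_message and then dropped; elsewhere in this patch the strings from authenticate() and loginrestrictions() are released with xfree(), so presumably this one leaks — add `xfree(msg);` after the append and guard the append on `msg != NULL`. In the lastlog branch `time_string` from ctime() is used without a NULL check; a `if (time_string == NULL) return;` before the strchr() is cheap insurance. The header comment should also say that the message is appended to the login_message buffer rather than printed, since the caller in do_login() relies on that.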
@@ -424,11 +560,8 @@ strerror(errno)); return -1; } - if (realpath(pw->pw_dir, homedir) == NULL) { - snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir, - strerror(errno)); - return -1; - } + if (realpath(pw->pw_dir, homedir) != NULL) + comparehome = 1; /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || @@ -457,7 +590,7 @@ } /* If are passed the homedir then we can stop */ - if (strcmp(homedir, buf) == 0) { + if (comparehome && strcmp(homedir, buf) == 0) { debug3("secure_filename: terminating check at '%s'", buf); break; @@ -487,6 +620,11 @@ if (pw == NULL) { log("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); +#endif return (NULL); } if (!allowed_user(pw)) diff -ru openssh-3.5p1.orig/auth.h openssh-3.5p1/auth.h --- openssh-3.5p1.orig/auth.h 2002-09-27 13:26:01.000000000 +1000 +++ openssh-3.5p1/auth.h 2003-03-06 19:38:46.000000000 +1100 @@ -156,6 +156,10 @@ int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); +int do_tty_change_password(struct passwd *pw); +void flag_password_change_required(void); +void flag_password_change_successful(void); +void password_change_successful_handler(int); char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); diff -ru openssh-3.5p1.orig/config.h.in openssh-3.5p1/config.h.in --- openssh-3.5p1.orig/config.h.in 2002-10-04 11:31:57.000000000 +1000 +++ openssh-3.5p1/config.h.in 2003-03-06 19:38:46.000000000 +1100 @@ -25,6 +25,9 @@ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK +/* Path to passwd program */ +#undef PASSWD_PROGRAM_PATH + /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD diff -ru openssh-3.5p1.orig/configure openssh-3.5p1/configure --- openssh-3.5p1.orig/configure 2002-10-04 11:31:56.000000000 +1000 +++ openssh-3.5p1/configure 2003-03-06 19:38:46.000000000 +1100 
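Review bot: Now that `realpath(pw->pw_dir, homedir)` failing is no longer an error, the ownership walk below continues past the home directory up to `/` — the safe direction, every ancestor is still checked — but the failure is silent; a `debug3("%s: realpath %s failed: %s", __func__, pw->pw_dir, strerror(errno));` on the else branch keeps it observable, and a short comment on `comparehome` saying the walk only stops early when the home directory resolved would document the intent. The function starts and ends outside the hunk.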
@@ -3293,6 +3293,56 @@ fi fi +# Extract the first word of "passwd", so it can be a program name with args. +set dummy passwd; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_path_PASSWD_PROGRAM_PATH+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + case $PASSWD_PROGRAM_PATH in + [\\/]* | ?:[\\/]*) + ac_cv_path_PASSWD_PROGRAM_PATH="$PASSWD_PROGRAM_PATH" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PASSWD_PROGRAM_PATH="$as_dir/$ac_word$ac_exec_ext" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + + ;; +esac +fi +PASSWD_PROGRAM_PATH=$ac_cv_path_PASSWD_PROGRAM_PATH + +if test -n "$PASSWD_PROGRAM_PATH"; then + echo "$as_me:$LINENO: result: $PASSWD_PROGRAM_PATH" >&5 +echo "${ECHO_T}$PASSWD_PROGRAM_PATH" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + +if test ! -z "$PASSWD_PROGRAM_PATH" ; then + cat >>confdefs.h <<_ACEOF +#define PASSWD_PROGRAM_PATH "$PASSWD_PROGRAM_PATH" +_ACEOF + +else + { { echo "$as_me:$LINENO: error: *** passwd command not found - check config.log ***" >&5 +echo "$as_me: error: *** passwd command not found - check config.log ***" >&2;} + { (exit 1); exit 1; }; } +fi + if test -z "$LD" ; then LD=$CC fi 
@@ -17350,6 +17400,7 @@ s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t s,@SH@,$SH,;t t s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t +s,@PASSWD_PROGRAM_PATH@,$PASSWD_PROGRAM_PATH,;t t s,@LD@,$LD,;t t s,@LIBWRAP@,$LIBWRAP,;t t s,@LIBPAM@,$LIBPAM,;t t diff -ru openssh-3.5p1.orig/configure.ac openssh-3.5p1/configure.ac --- openssh-3.5p1.orig/configure.ac 2002-09-26 10:38:47.000000000 +1000 +++ openssh-3.5p1/configure.ac 2003-03-06 19:38:46.000000000 +1100 @@ -40,6 +40,13 @@ fi fi +AC_PATH_PROG(PASSWD_PROGRAM_PATH, passwd) +if test ! -z "$PASSWD_PROGRAM_PATH" ; then + AC_DEFINE_UNQUOTED(PASSWD_PROGRAM_PATH, "$PASSWD_PROGRAM_PATH") +else + AC_MSG_ERROR([*** passwd command not found - check config.log ***]) +fi + if test -z "$LD" ; then LD=$CC fi diff -ru openssh-3.5p1.orig/loginrec.c openssh-3.5p1/loginrec.c --- openssh-3.5p1.orig/loginrec.c 2002-09-26 10:38:49.000000000 +1000 +++ openssh-3.5p1/loginrec.c 2003-03-06 19:38:46.000000000 +1100 @@ -292,6 +292,7 @@ * reliably search wtmp(x) for the last login (see * wtmp_get_entry().) */ + debug("%s called euid %d", __func__, geteuid()); pw = getpwuid(uid); if (pw == NULL) fatal("login_get_lastlog: Cannot find account for uid %i", uid); Only in openssh-3.5p1.orig: nohup.out diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.c openssh-3.5p1/openbsd-compat/port-aix.c --- openssh-3.5p1.orig/openbsd-compat/port-aix.c 2002-07-07 12:17:36.000000000 +1000 +++ openssh-3.5p1/openbsd-compat/port-aix.c 2003-03-06 19:38:46.000000000 +1100 
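Review bot: The AC_PATH_PROG check makes a `passwd` binary on the build host's PATH a hard requirement for every build, including PAM-only configurations where do_pam_chauthtok() performs the change, and the path found on the build host is compiled in, which is wrong for cross builds or targets that install passwd elsewhere. Consider AC_MSG_WARN instead of AC_MSG_ERROR, leaving PASSWD_PROGRAM_PATH undefined when not found, and compiling do_tty_change_password() only `#ifdef PASSWD_PROGRAM_PATH` (its caller in do_login() already gates on password_change_required). The generated configure hunk above mirrors this change.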
@@ -52,5 +52,25 @@ xfree(cp); } -#endif /* _AIX */ +#ifdef WITH_AIXAUTHENTICATE +/* + * Remove embedded newlines in string (if any). + * Used before logging messages returned by AIX authentication functions + * so the message is logged on one line. + */ +void +aix_remove_embedded_newlines(char *p) +{ + if (p == NULL) + return; + + for (; *p; p++) { + if (*p == '\n') + *p = ' '; + } + /* Remove trailing newline */ + *--p = '\0'; +} +#endif /* WITH_AIXAUTHENTICATE */ +#endif /* _AIX */ diff -ru openssh-3.5p1.orig/openbsd-compat/port-aix.h openssh-3.5p1/openbsd-compat/port-aix.h --- openssh-3.5p1.orig/openbsd-compat/port-aix.h 2002-07-07 12:17:36.000000000 +1000 +++ openssh-3.5p1/openbsd-compat/port-aix.h 2003-03-06 19:38:46.000000000 +1100 @@ -26,4 +26,5 @@ #ifdef _AIX void aix_usrinfo(struct passwd *pw); +void aix_remove_embedded_newlines(char *); #endif /* _AIX */ diff -ru openssh-3.5p1.orig/scp.0 openssh-3.5p1/scp.0 --- openssh-3.5p1.orig/scp.0 2002-10-04 11:31:43.000000000 +1000 +++ openssh-3.5p1/scp.0 2003-03-06 19:38:46.000000000 +1100 
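Review bot: aix_remove_embedded_newlines() ends with `*--p = '\0';` unconditionally, so for an empty string `p` is decremented below the start of the buffer before the write (undefined behaviour), and for a non-empty message the last character is dropped whether or not it is a newline — the helper is now applied to strings from authenticate() and passwdexpired() that need not end in one. Return early with `if (p == NULL || *p == '\0') return;` and only strip a real newline after the loop: `if (p[-1] == '\n') p[-1] = '\0';`. The header comment should mention that the edit is in place, since callers keep using the string afterwards.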
@@ -1,17 +1,17 @@ -SCP(1) System General Commands Manual SCP(1) +SCP(1) BSD General Commands Manual SCP(1) -NAME - scp - secure copy (remote file copy program) +^[[1mNAME^[[0m + ^[[1mscp ^[[22m- secure copy (remote file copy program) -SYNOPSIS - scp [-pqrvBC46] [-F ssh_config] [-S program] [-P port] [-c cipher] - [-i identity_file] [-o ssh_option] [[user@]host1:]file1 [...] - [[user@]host2:]file2 +^[[1mSYNOPSIS^[[0m + ^[[1mscp ^[[22m[^[[1m-pqrvBC46^[[22m] [^[[1m-F ^[[4m^[[22mssh_config^[[24m] [^[[1m-S ^[[4m^[[22mprogram^[[24m] [^[[1m-P ^[[4m^[[22mport^[[24m] [^[[1m-c ^[[4m^[[22mcipher^[[24m] + [^[[1m-i ^[[4m^[[22midentity_file^[[24m] [^[[1m-o ^[[4m^[[22mssh_option^[[24m] [[^[[4muser@^[[24m]^[[4mhost1^[[24m:]^[[4mfile1^[[24m [^[[4m...^[[24m] + [[^[[4muser@^[[24m]^[[4mhost2^[[24m:]^[[4mfile2^[[0m -DESCRIPTION - scp copies files between hosts on a network. It uses ssh(1) for data +^[[1mDESCRIPTION^[[0m + ^[[1mscp ^[[22mcopies files between hosts on a network. It uses ssh(1) for data transfer, and uses the same authentication and provides the same security - as ssh(1). Unlike rcp(1), scp will ask for passwords or passphrases if + as ssh(1). Unlike rcp(1), ^[[1mscp ^[[22mwill ask for passwords or passphrases if they are needed for authentication. Any file name may contain a host and user specification to indicate that 
@@ -20,68 +20,68 @@ The options are as follows: - -c cipher + ^[[1m-c ^[[4m^[[22mcipher^[[0m Selects the cipher to use for encrypting the data transfer. This option is directly passed to ssh(1). - -i identity_file + ^[[1m-i ^[[4m^[[22midentity_file^[[0m Selects the file from which the identity (private key) for RSA authentication is read. This option is directly passed to ssh(1). - -p Preserves modification times, access times, and modes from the + ^[[1m-p ^[[22mPreserves modification times, access times, and modes from the original file. - -r Recursively copy entire directories. + ^[[1m-r ^[[22mRecursively copy entire directories. - -v Verbose mode. Causes scp and ssh(1) to print debugging messages + ^[[1m-v ^[[22mVerbose mode. Causes ^[[1mscp ^[[22mand ssh(1) to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems. - -B Selects batch mode (prevents asking for passwords or + ^[[1m-B ^[[22mSelects batch mode (prevents asking for passwords or passphrases). - -q Disables the progress meter. + ^[[1m-q ^[[22mDisables the progress meter. - -C Compression enable. Passes the -C flag to ssh(1) to enable comM-- + ^[[1m-C ^[[22mCompression enable. Passes the ^[[1m-C ^[[22mflag to ssh(1) to enable com- pression. - -F ssh_config - Specifies an alternative per-user configuration file for ssh. + ^[[1m-F ^[[4m^[[22mssh_config^[[0m + Specifies an alternative per-user configuration file for ^[[1mssh^[[22m. This option is directly passed to ssh(1). - -P port + ^[[1m-P ^[[4m^[[22mport^[[0m Specifies the port to connect to on the remote host. Note that - this option is written with a capital `P', because -p is already + this option is written with a capital `P', because ^[[1m-p ^[[22mis already reserved for preserving the times and modes of the file in rcp(1). - -S program - Name of program to use for the encrypted connection. 
The program + ^[[1m-S ^[[4m^[[22mprogram^[[0m + Name of ^[[4mprogram^[[24m to use for the encrypted connection. The program must understand ssh(1) options. - -o ssh_option - Can be used to pass options to ssh in the format used in + ^[[1m-o ^[[4m^[[22mssh_option^[[0m + Can be used to pass options to ^[[1mssh ^[[22min the format used in ssh_config(5). This is useful for specifying options for which - there is no separate scp command-line flag. For example, forcing - the use of protocol version 1 is specified using scp - -oProtocol=1. + there is no separate ^[[1mscp ^[[22mcommand-line flag. For example, forcing + the use of protocol version 1 is specified using ^[[1mscp^[[0m + ^[[1m-oProtocol=1^[[22m. - -4 Forces scp to use IPv4 addresses only. + ^[[1m-4 ^[[22mForces ^[[1mscp ^[[22mto use IPv4 addresses only. - -6 Forces scp to use IPv6 addresses only. + ^[[1m-6 ^[[22mForces ^[[1mscp ^[[22mto use IPv6 addresses only. -DIAGNOSTICS - scp exits with 0 on success or >0 if an error occurred. +^[[1mDIAGNOSTICS^[[0m + ^[[1mscp ^[[22mexits with 0 on success or >0 if an error occurred. -AUTHORS +^[[1mAUTHORS^[[0m Timo Rinne and Tatu Ylonen -HISTORY - scp is based on the rcp(1) program in BSD source code from the Regents of +^[[1mHISTORY^[[0m + ^[[1mscp ^[[22mis based on the rcp(1) program in BSD source code from the Regents of the University of California. -SEE ALSO +^[[1mSEE ALSO^[[0m rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5), sshd(8) diff -ru openssh-3.5p1.orig/session.c openssh-3.5p1/session.c --- openssh-3.5p1.orig/session.c 2002-09-26 10:38:50.000000000 +1000 +++ openssh-3.5p1/session.c 2003-03-06 19:38:46.000000000 +1100 @@ -95,6 +95,9 @@ extern u_int utmp_len; extern int startup_pipe; extern void destroy_sensitive_data(void); +extern Buffer expire_message; +extern Buffer login_message; +extern int password_change_required; /* original command from peer. */ const char *original_command = NULL; 
@@ -103,10 +106,6 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; -#ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; -#endif /* WITH_AIXAUTHENTICATE */ - #ifdef HAVE_LOGIN_CAP login_cap_t *lc; #endif @@ -456,10 +455,11 @@ #if defined(USE_PAM) do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); - if (is_pam_password_change_required()) +#endif /* USE_PAM */ + + if (password_change_required) packet_disconnect("Password change required but no " "TTY available"); -#endif /* USE_PAM */ /* Fork the child. */ if ((pid = fork()) == 0) { @@ -719,10 +719,10 @@ void do_login(Session *s, const char *command) { - char *time_string; socklen_t fromlen; struct sockaddr_storage from; struct passwd * pw = s->pw; + int password_changed = 0; pid_t pid = getpid(); /* @@ -746,16 +746,22 @@ options.verify_reverse_mapping), (struct sockaddr *)&from, fromlen); -#ifdef USE_PAM /* * If password change is needed, do it now. * This needs to occur before the ~/.hushlogin check. */ +#ifdef USE_PAM if (is_pam_password_change_required()) { print_pam_messages(); do_pam_chauthtok(); } #endif + buffer_append(&expire_message, "\0", 1); + if (password_change_required) { + printf("%s", (char *)buffer_ptr(&expire_message)); + do_tty_change_password(pw); + password_changed = 1; + } if (check_quietlogin(s, command)) return; 
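Review bot: In do_login() the new block calls do_tty_change_password(), which fork()s and execs passwd, straight after `printf("%s", (char *)buffer_ptr(&expire_message))`; stdout is only line-buffered when it is a terminal and any unflushed data is inherited by the child, so add `fflush(stdout);` before the call. With USE_PAM the PAM branch just above runs do_pam_chauthtok() for the same condition, but the reset of password_change_required after it is still inside `#if 0` in auth-pam.c, so this block then runs do_tty_change_password() a second time after PAM already changed the password. The enclosing function starts before the hunk.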
@@ -764,23 +770,12 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ -#ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) - printf("%s\n", aixloginmsg); -#endif /* WITH_AIXAUTHENTICATE */ - -#ifndef NO_SSH_LASTLOG - if (options.print_lastlog && s->last_login_time != 0) { - time_string = ctime(&s->last_login_time); - if (strchr(time_string, '\n')) - *strchr(time_string, '\n') = 0; - if (strcmp(s->hostname, "") == 0) - printf("Last login: %s\r\n", time_string); - else - printf("Last login: %s from %s\r\n", time_string, - s->hostname); - } -#endif /* NO_SSH_LASTLOG */ + if (!password_changed) + printf("%s", (char *)buffer_ptr(&expire_message)); + + /* display post-login message */ + buffer_append(&login_message, "\0", 1); + printf("%s", (char *)buffer_ptr(&login_message)); do_motd(); } @@ -1584,12 +1579,6 @@ packet_disconnect("Protocol error: you already have a pty."); return 0; } - /* Get the time and hostname when the user last logged in. */ - if (options.print_lastlog) { - s->hostname[0] = '\0'; - s->last_login_time = get_last_login_time(s->pw->pw_uid, - s->pw->pw_name, s->hostname, sizeof(s->hostname)); - } s->term = packet_get_string(&len); diff -ru openssh-3.5p1.orig/session.h openssh-3.5p1/session.h --- openssh-3.5p1.orig/session.h 2002-07-04 10:14:18.000000000 +1000 +++ openssh-3.5p1/session.h 2003-03-06 19:38:46.000000000 +1100 @@ -39,9 +39,6 @@ int ptyfd, ttyfd, ptymaster; u_int row, col, xpixel, ypixel; char tty[TTYSZ]; - /* last login */ - char hostname[MAXHOSTNAMELEN]; - time_t last_login_time; /* X11 */ u_int display_number; char *display; diff -ru openssh-3.5p1.orig/sftp-server.0 openssh-3.5p1/sftp-server.0 --- openssh-3.5p1.orig/sftp-server.0 2002-10-04 11:31:45.000000000 +1000 +++ openssh-3.5p1/sftp-server.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,27 +1,27 @@ -SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8) +SFTP-SERVER(8) BSD System Manager's Manual SFTP-SERVER(8) -NAME - sftp-server - SFTP server subsystem +^[[1mNAME^[[0m + ^[[1msftp-server ^[[22m- SFTP server subsystem -SYNOPSIS - sftp-server +^[[1mSYNOPSIS^[[0m + ^[[1msftp-server^[[0m -DESCRIPTION - sftp-server is a program that speaks the server side of SFTP protocol to - stdout and expects client requests from stdin. sftp-server is not - intended to be called directly, but from sshd(8) using the Subsystem +^[[1mDESCRIPTION^[[0m + ^[[1msftp-server ^[[22mis a program that speaks the server side of SFTP protocol to + stdout and expects client requests from stdin. ^[[1msftp-server ^[[22mis not + intended to be called directly, but from sshd(8) using the ^[[1mSubsystem^[[0m option. See sshd(8) for more information. -SEE ALSO +^[[1mSEE ALSO^[[0m sftp(1), ssh(1), sshd(8) - T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + T. Ylonen and S. Lehtinen, ^[[4mSSH^[[24m ^[[4mFile^[[24m ^[[4mTransfer^[[24m ^[[4mProtocol^[[24m, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -AUTHORS +^[[1mAUTHORS^[[0m Markus Friedl -HISTORY - sftp-server first appeared in OpenBSD 2.8 . +^[[1mHISTORY^[[0m + ^[[1msftp-server ^[[22mfirst appeared in OpenBSD 2.8 . BSD August 30, 2000 BSD diff -ru openssh-3.5p1.orig/sftp.0 openssh-3.5p1/sftp.0 --- openssh-3.5p1.orig/sftp.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.5p1/sftp.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,171 +1,171 @@ -SFTP(1) System General Commands Manual SFTP(1) +SFTP(1) BSD General Commands Manual SFTP(1) -NAME - sftp - Secure file transfer program +^[[1mNAME^[[0m + ^[[1msftp ^[[22m- Secure file transfer program -SYNOPSIS - sftp [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem | sftp_server] - [-B buffer_size] [-F ssh_config] [-P sftp_server path] - [-R num_requests] [-S program] host - sftp [[user@]host[:file [file]]] - sftp [[user@]host[:dir[/]]] +^[[1mSYNOPSIS^[[0m + ^[[1msftp ^[[22m[^[[1m-vC1^[[22m] [^[[1m-b ^[[4m^[[22mbatchfile^[[24m] [^[[1m-o ^[[4m^[[22mssh_option^[[24m] [^[[1m-s ^[[4m^[[22msubsystem^[[24m | ^[[4msftp_server^[[24m] + [^[[1m-B ^[[4m^[[22mbuffer_size^[[24m] [^[[1m-F ^[[4m^[[22mssh_config^[[24m] [^[[1m-P ^[[4m^[[22msftp_server^[[24m ^[[4mpath^[[24m] + [^[[1m-R ^[[4m^[[22mnum_requests^[[24m] [^[[1m-S ^[[4m^[[22mprogram^[[24m] ^[[4mhost^[[0m + ^[[1msftp ^[[22m[[^[[4muser^[[24m@]^[[4mhost^[[24m[:^[[4mfile^[[24m [^[[4mfile^[[24m]]] + ^[[1msftp ^[[22m[[^[[4muser^[[24m@]^[[4mhost^[[24m[:^[[4mdir^[[24m[^[[4m/^[[24m]]] -DESCRIPTION - sftp is an interactive file transfer program, similar to ftp(1), which +^[[1mDESCRIPTION^[[0m + ^[[1msftp ^[[22mis an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also - use many features of ssh, such as public key authentication and compresM-- - sion. sftp connects and logs into the specified host, then enters an + use many features of ssh, such as public key authentication and compres- + sion. ^[[1msftp ^[[22mconnects and logs into the specified ^[[4mhost^[[24m, then enters an interactive command mode. 
- The second usage format will retrieve files automatically if a non-interM-- - active authentication method is used; otherwise it will do so after sucM-- + The second usage format will retrieve files automatically if a non-inter- + active authentication method is used; otherwise it will do so after suc- cessful interactive authentication. - The last usage format allows the sftp client to start in a remote direcM-- + The last usage format allows the sftp client to start in a remote direc- tory. The options are as follows: - -b batchfile - Batch mode reads a series of commands from an input batchfile - instead of stdin. Since it lacks user interaction it should be - used in conjunction with non-interactive authentication. sftp - will abort if any of the following commands fail: get, put, - rename, ln, rm, mkdir, chdir, lchdir and lmkdir. + ^[[1m-b ^[[4m^[[22mbatchfile^[[0m + Batch mode reads a series of commands from an input ^[[4mbatchfile^[[0m + instead of ^[[4mstdin^[[24m. Since it lacks user interaction it should be + used in conjunction with non-interactive authentication. ^[[1msftp^[[0m + will abort if any of the following commands fail: ^[[1mget^[[22m, ^[[1mput^[[22m, + ^[[1mrename^[[22m, ^[[1mln^[[22m, ^[[1mrm^[[22m, ^[[1mmkdir^[[22m, ^[[1mchdir^[[22m, ^[[1mlchdir ^[[22mand ^[[1mlmkdir^[[22m. - -o ssh_option - Can be used to pass options to ssh in the format used in + ^[[1m-o ^[[4m^[[22mssh_option^[[0m + Can be used to pass options to ^[[1mssh ^[[22min the format used in ssh_config(5). This is useful for specifying options for which - there is no separate sftp command-line flag. For example, to - specify an alternate port use: sftp -oPort=24. + there is no separate ^[[1msftp ^[[22mcommand-line flag. For example, to + specify an alternate port use: ^[[1msftp -oPort=24^[[22m. - -s subsystem | sftp_server + ^[[1m-s ^[[4m^[[22msubsystem^[[24m | ^[[4msftp_server^[[0m Specifies the SSH2 subsystem or the path for an sftp server on the remote host. 
A path is useful for using sftp over protocol - version 1, or when the remote sshd does not have an sftp subsysM-- + version 1, or when the remote ^[[1msshd ^[[22mdoes not have an sftp subsys- tem configured. - -v Raise logging level. This option is also passed to ssh. + ^[[1m-v ^[[22mRaise logging level. This option is also passed to ssh. - -B buffer_size - Specify the size of the buffer that sftp uses when transferring + ^[[1m-B ^[[4m^[[22mbuffer_size^[[0m + Specify the size of the buffer that ^[[1msftp ^[[22muses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 32768 bytes. - -C Enables compression (via ssh's -C flag). + ^[[1m-C ^[[22mEnables compression (via ssh's ^[[1m-C ^[[22mflag). - -F ssh_config - Specifies an alternative per-user configuration file for ssh. + ^[[1m-F ^[[4m^[[22mssh_config^[[0m + Specifies an alternative per-user configuration file for ^[[1mssh^[[22m. This option is directly passed to ssh(1). - -P sftp_server path - Connect directly to a local sftp-server (rather than via ssh) + ^[[1m-P ^[[4m^[[22msftp_server^[[24m ^[[4mpath^[[0m + Connect directly to a local ^[[1msftp-server ^[[22m(rather than via ^[[1mssh^[[22m) This option may be useful in debugging the client and server. - -R num_requests + ^[[1m-R ^[[4m^[[22mnum_requests^[[0m Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. The default is 16 outstanding requests. - -S program - Name of the program to use for the encrypted connection. The + ^[[1m-S ^[[4m^[[22mprogram^[[0m + Name of the ^[[4mprogram^[[24m to use for the encrypted connection. The program must understand ssh(1) options. - -1 Specify the use of protocol version 1. + ^[[1m-1 ^[[22mSpecify the use of protocol version 1. 
-INTERACTIVE COMMANDS - Once in interactive mode, sftp understands a set of commands similar to +^[[1mINTERACTIVE COMMANDS^[[0m + Once in interactive mode, ^[[1msftp ^[[22munderstands a set of commands similar to those of ftp(1). Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces. - bye Quit sftp. + ^[[1mbye ^[[22mQuit sftp. - cd path - Change remote directory to path. + ^[[1mcd ^[[4m^[[22mpath^[[0m + Change remote directory to ^[[4mpath^[[24m. - lcd path - Change local directory to path. + ^[[1mlcd ^[[4m^[[22mpath^[[0m + Change local directory to ^[[4mpath^[[24m. - chgrp grp path - Change group of file path to grp. grp must be a numeric GID. + ^[[1mchgrp ^[[4m^[[22mgrp^[[24m ^[[4mpath^[[0m + Change group of file ^[[4mpath^[[24m to ^[[4mgrp^[[24m. ^[[4mgrp^[[24m must be a numeric GID. - chmod mode path - Change permissions of file path to mode. + ^[[1mchmod ^[[4m^[[22mmode^[[24m ^[[4mpath^[[0m + Change permissions of file ^[[4mpath^[[24m to ^[[4mmode^[[24m. - chown own path - Change owner of file path to own. own must be a numeric UID. + ^[[1mchown ^[[4m^[[22mown^[[24m ^[[4mpath^[[0m + Change owner of file ^[[4mpath^[[24m to ^[[4mown^[[24m. ^[[4mown^[[24m must be a numeric UID. - exit Quit sftp. + ^[[1mexit ^[[22mQuit sftp. - get [flags] remote-path [local-path] - Retrieve the remote-path and store it on the local machine. If + ^[[1mget ^[[22m[^[[4mflags^[[24m] ^[[4mremote-path^[[24m [^[[4mlocal-path^[[24m] + Retrieve the ^[[4mremote-path^[[24m and store it on the local machine. If the local path name is not specified, it is given the same name - it has on the remote machine. If the -P flag is specified, then + it has on the remote machine. If the ^[[1m-P ^[[22mflag is specified, then the file's full permission and access time are copied too. - help Display help text. + ^[[1mhelp ^[[22mDisplay help text. 
- lls [ls-options [path]] - Display local directory listing of either path or current direcM-- - tory if path is not specified. + ^[[1mlls ^[[22m[^[[4mls-options^[[24m [^[[4mpath^[[24m]] + Display local directory listing of either ^[[4mpath^[[24m or current direc- + tory if ^[[4mpath^[[24m is not specified. - lmkdir path - Create local directory specified by path. + ^[[1mlmkdir ^[[4m^[[22mpath^[[0m + Create local directory specified by ^[[4mpath^[[24m. - ln oldpath newpath - Create a symbolic link from oldpath to newpath. + ^[[1mln ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Create a symbolic link from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - lpwd Print local working directory. + ^[[1mlpwd ^[[22mPrint local working directory. - ls [flags] [path] - Display remote directory listing of either path or current direcM-- - tory if path is not specified. If the -l flag is specified, then + ^[[1mls ^[[22m[^[[4mflags^[[24m] [^[[4mpath^[[24m] + Display remote directory listing of either ^[[4mpath^[[24m or current direc- + tory if ^[[4mpath^[[24m is not specified. If the ^[[1m-l ^[[22mflag is specified, then display additional details including permissions and ownership information. - lumask umask - Set local umask to umask. + ^[[1mlumask ^[[4m^[[22mumask^[[0m + Set local umask to ^[[4mumask^[[24m. - mkdir path - Create remote directory specified by path. + ^[[1mmkdir ^[[4m^[[22mpath^[[0m + Create remote directory specified by ^[[4mpath^[[24m. - put [flags] local-path [local-path] - Upload local-path and store it on the remote machine. If the + ^[[1mput ^[[22m[^[[4mflags^[[24m] ^[[4mlocal-path^[[24m [^[[4mlocal-path^[[24m] + Upload ^[[4mlocal-path^[[24m and store it on the remote machine. If the remote path name is not specified, it is given the same name it - has on the local machine. If the -P flag is specified, then the + has on the local machine. If the ^[[1m-P ^[[22mflag is specified, then the file's full permission and access time are copied too. 
- pwd Display remote working directory. + ^[[1mpwd ^[[22mDisplay remote working directory. - quit Quit sftp. + ^[[1mquit ^[[22mQuit sftp. - rename oldpath newpath - Rename remote file from oldpath to newpath. + ^[[1mrename ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Rename remote file from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - rmdir path - Remove remote directory specified by path. + ^[[1mrmdir ^[[4m^[[22mpath^[[0m + Remove remote directory specified by ^[[4mpath^[[24m. - rm path - Delete remote file specified by path. + ^[[1mrm ^[[4m^[[22mpath^[[0m + Delete remote file specified by ^[[4mpath^[[24m. - symlink oldpath newpath - Create a symbolic link from oldpath to newpath. + ^[[1msymlink ^[[4m^[[22moldpath^[[24m ^[[4mnewpath^[[0m + Create a symbolic link from ^[[4moldpath^[[24m to ^[[4mnewpath^[[24m. - ! command - Execute command in local shell. + ! ^[[4mcommand^[[0m + Execute ^[[4mcommand^[[24m in local shell. ! Escape to local shell. ? Synonym for help. -AUTHORS +^[[1mAUTHORS^[[0m Damien Miller -SEE ALSO +^[[1mSEE ALSO^[[0m scp(1), ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sftp-server(8), sshd(8) - T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + T. Ylonen and S. Lehtinen, ^[[4mSSH^[[24m ^[[4mFile^[[24m ^[[4mTransfer^[[24m ^[[4mProtocol^[[24m, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. BSD February 4, 2001 BSD diff -ru openssh-3.5p1.orig/ssh-add.0 openssh-3.5p1/ssh-add.0 --- openssh-3.5p1.orig/ssh-add.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.5p1/ssh-add.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,54 +1,54 @@ -SSH-ADD(1) System General Commands Manual SSH-ADD(1) +SSH-ADD(1) BSD General Commands Manual SSH-ADD(1) -NAME - ssh-add - adds RSA or DSA identities to the authentication agent +^[[1mNAME^[[0m + ^[[1mssh-add ^[[22m- adds RSA or DSA identities to the authentication agent -SYNOPSIS - ssh-add [-lLdDxX] [-t life] [file ...] - ssh-add -s reader - ssh-add -e reader +^[[1mSYNOPSIS^[[0m + ^[[1mssh-add ^[[22m[^[[1m-lLdDxX^[[22m] [^[[1m-t ^[[4m^[[22mlife^[[24m] [^[[4mfile^[[24m ^[[4m...^[[24m] + ^[[1mssh-add -s ^[[4m^[[22mreader^[[0m + ^[[1mssh-add -e ^[[4m^[[22mreader^[[0m -DESCRIPTION - ssh-add adds RSA or DSA identities to the authentication agent, +^[[1mDESCRIPTION^[[0m + ^[[1mssh-add ^[[22madds RSA or DSA identities to the authentication agent, ssh-agent(1). When run without arguments, it adds the files - $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. AlternaM-- + ^[[4m$HOME/.ssh/id_rsa^[[24m, ^[[4m$HOME/.ssh/id_dsa^[[24m and ^[[4m$HOME/.ssh/identity^[[24m. Alterna- tive file names can be given on the command line. If any file requires a - passphrase, ssh-add asks for the passphrase from the user. The - passphrase is read from the user's tty. ssh-add retries the last + passphrase, ^[[1mssh-add ^[[22masks for the passphrase from the user. The + passphrase is read from the user's tty. ^[[1mssh-add ^[[22mretries the last passphrase if multiple identity files are given. The authentication agent must be running and must be an ancestor of the - current process for ssh-add to work. + current process for ^[[1mssh-add ^[[22mto work. The options are as follows: - -l Lists fingerprints of all identities currently represented by the + ^[[1m-l ^[[22mLists fingerprints of all identities currently represented by the agent. - -L Lists public key parameters of all identities currently repreM-- + ^[[1m-L ^[[22mLists public key parameters of all identities currently repre- sented by the agent. 
- -d Instead of adding the identity, removes the identity from the + ^[[1m-d ^[[22mInstead of adding the identity, removes the identity from the agent. - -D Deletes all identities from the agent. + ^[[1m-D ^[[22mDeletes all identities from the agent. - -x Lock the agent with a password. + ^[[1m-x ^[[22mLock the agent with a password. - -X Unlock the agent. + ^[[1m-X ^[[22mUnlock the agent. - -t life + ^[[1m-t ^[[4m^[[22mlife^[[0m Set a maximum lifetime when adding identities to an agent. The - lifetime may be specified in seconds or in a time format speciM-- + lifetime may be specified in seconds or in a time format speci- fied in sshd(8). - -s reader - Add key in smartcard reader. + ^[[1m-s ^[[4m^[[22mreader^[[0m + Add key in smartcard ^[[4mreader^[[24m. - -e reader - Remove key in smartcard reader. + ^[[1m-e ^[[4m^[[22mreader^[[0m + Remove key in smartcard ^[[4mreader^[[24m. -FILES +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. 
@@ -62,35 +62,35 @@ the user. Identity files should not be readable by anyone but the user. Note that - ssh-add ignores identity files if they are accessible by others. + ^[[1mssh-add ^[[22mignores identity files if they are accessible by others. -ENVIRONMENT +^[[1mENVIRONMENT^[[0m DISPLAY and SSH_ASKPASS - If ssh-add needs a passphrase, it will read the passphrase from - the current terminal if it was run from a terminal. If ssh-add + If ^[[1mssh-add ^[[22mneeds a passphrase, it will read the passphrase from + the current terminal if it was run from a terminal. If ^[[1mssh-add^[[0m does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This - is particularly useful when calling ssh-add from a .Xsession or + is particularly useful when calling ^[[1mssh-add ^[[22mfrom a ^[[4m.Xsession^[[24m or related script. (Note that on some machines it may be necessary - to redirect the input from /dev/null to make this work.) + to redirect the input from ^[[4m/dev/null^[[24m to make this work.) SSH_AUTH_SOCK Identifies the path of a unix-domain socket used to communicate with the agent. -DIAGNOSTICS +^[[1mDIAGNOSTICS^[[0m Exit status is 0 on success, 1 if the specified command fails, and 2 if - ssh-add is unable to contact the authentication agent. + ^[[1mssh-add ^[[22mis unable to contact the authentication agent. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. 
-SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1.orig/ssh-agent.0 openssh-3.5p1/ssh-agent.0 --- openssh-3.5p1.orig/ssh-agent.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.5p1/ssh-agent.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,36 +1,36 @@ -SSH-AGENT(1) System General Commands Manual SSH-AGENT(1) +SSH-AGENT(1) BSD General Commands Manual SSH-AGENT(1) -NAME - ssh-agent - authentication agent +^[[1mNAME^[[0m + ^[[1mssh-agent ^[[22m- authentication agent -SYNOPSIS - ssh-agent [-a bind_address] [-c | -s] [-d] [command [args ...]] - ssh-agent [-c | -s] -k - -DESCRIPTION - ssh-agent is a program to hold private keys used for public key authentiM-- - cation (RSA, DSA). The idea is that ssh-agent is started in the beginM-- - ning of an X-session or a login session, and all other windows or proM-- +^[[1mSYNOPSIS^[[0m + ^[[1mssh-agent ^[[22m[^[[1m-a ^[[4m^[[22mbind_address^[[24m] [^[[1m-c ^[[22m| ^[[1m-s^[[22m] [^[[1m-d^[[22m] [^[[4mcommand^[[24m [^[[4margs^[[24m ^[[4m...^[[24m]] + ^[[1mssh-agent ^[[22m[^[[1m-c ^[[22m| ^[[1m-s^[[22m] ^[[1m-k^[[0m + +^[[1mDESCRIPTION^[[0m + ^[[1mssh-agent ^[[22mis a program to hold private keys used for public key authenti- + cation (RSA, DSA). The idea is that ^[[1mssh-agent ^[[22mis started in the begin- + ning of an X-session or a login session, and all other windows or pro- grams are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1). The options are as follows: - -a bind_address - Bind the agent to the unix-domain socket bind_address. The - default is /tmp/ssh-XXXXXXXX/agent.. + ^[[1m-a ^[[4m^[[22mbind_address^[[0m + Bind the agent to the unix-domain socket ^[[4mbind_address^[[24m. The + default is ^[[4m/tmp/ssh-XXXXXXXX/agent.^[[24m. - -c Generate C-shell commands on stdout. This is the default if + ^[[1m-c ^[[22mGenerate C-shell commands on stdout. This is the default if SHELL looks like it's a csh style of shell. - -s Generate Bourne shell commands on stdout. This is the default if + ^[[1m-s ^[[22mGenerate Bourne shell commands on stdout. 
This is the default if SHELL does not look like it's a csh style of shell. - -k Kill the current agent (given by the SSH_AGENT_PID environment + ^[[1m-k ^[[22mKill the current agent (given by the SSH_AGENT_PID environment variable). - -d Debug mode. When this option is specified ssh-agent will not + ^[[1m-d ^[[22mDebug mode. When this option is specified ^[[1mssh-agent ^[[22mwill not fork. If a commandline is given, this is executed as a subprocess of the agent. 
@@ -38,19 +38,19 @@ The agent initially does not have any private keys. Keys are added using ssh-add(1). When executed without arguments, ssh-add(1) adds the files - $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the + ^[[4m$HOME/.ssh/id_rsa^[[24m, ^[[4m$HOME/.ssh/id_dsa^[[24m and ^[[4m$HOME/.ssh/identity^[[24m. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a - small X11 application if running under X11, or from the terminal if runM-- - ning without X). It then sends the identity to the agent. Several idenM-- + small X11 application if running under X11, or from the terminal if run- + ning without X). It then sends the identity to the agent. Several iden- tities can be stored in the agent; the agent can automatically use any of - these identities. ssh-add -l displays the identities currently held by + these identities. ^[[1mssh-add -l ^[[22mdisplays the identities currently held by the agent. - The idea is that the agent is run in the user's local PC, laptop, or terM-- + The idea is that the agent is run in the user's local PC, laptop, or ter- minal. Authentication data need not be stored on any other machine, and - authentication passphrases never go over the network. However, the conM-- + authentication passphrases never go over the network. However, the con- nection to the agent is forwarded over SSH remote logins, and the user - can thus use the privileges given by the identities anywhere in the netM-- + can thus use the privileges given by the identities anywhere in the net- work in a secure way. There are two main ways to get an agent setup: Either the agent starts a 
@@ -62,7 +62,7 @@ The agent will never send a private key over its request channel. Instead, operations that require a private key will be performed by the - agent, and the result will be returned to the requester. This way, priM-- + agent, and the result will be returned to the requester. This way, pri- vate keys are not exposed to clients using the agent. A unix-domain socket is created and the name of this socket is stored in @@ -75,7 +75,7 @@ The agent exits automatically when the command given on the command line terminates. -FILES +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. @@ -89,19 +89,19 @@ the user. /tmp/ssh-XXXXXXXX/agent. - Unix-domain sockets used to contain the connection to the authenM-- + Unix-domain sockets used to contain the connection to the authen- tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) BSD September 25, 1999 BSD diff -ru openssh-3.5p1.orig/ssh-keygen.0 openssh-3.5p1/ssh-keygen.0 --- openssh-3.5p1.orig/ssh-keygen.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.5p1/ssh-keygen.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,31 +1,31 @@ -SSH-KEYGEN(1) System General Commands Manual SSH-KEYGEN(1) +SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1) -NAME - ssh-keygen - authentication key generation, management and conversion +^[[1mNAME^[[0m + ^[[1mssh-keygen ^[[22m- authentication key generation, management and conversion -SYNOPSIS - ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] - [-f output_keyfile] - ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] - ssh-keygen -i [-f input_keyfile] - ssh-keygen -e [-f input_keyfile] - ssh-keygen -y [-f input_keyfile] - ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] - ssh-keygen -l [-f input_keyfile] - ssh-keygen -B [-f input_keyfile] - ssh-keygen -D reader - ssh-keygen -U reader [-f input_keyfile] - -DESCRIPTION - ssh-keygen generates, manages and converts authentication keys for - ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 +^[[1mSYNOPSIS^[[0m + ^[[1mssh-keygen ^[[22m[^[[1m-q^[[22m] [^[[1m-b ^[[4m^[[22mbits^[[24m] ^[[1m-t ^[[4m^[[22mtype^[[24m [^[[1m-N ^[[4m^[[22mnew_passphrase^[[24m] [^[[1m-C ^[[4m^[[22mcomment^[[24m] + [^[[1m-f ^[[4m^[[22moutput_keyfile^[[24m] + ^[[1mssh-keygen -p ^[[22m[^[[1m-P ^[[4m^[[22mold_passphrase^[[24m] [^[[1m-N ^[[4m^[[22mnew_passphrase^[[24m] [^[[1m-f ^[[4m^[[22mkeyfile^[[24m] + ^[[1mssh-keygen -i ^[[22m[^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + ^[[1mssh-keygen -e ^[[22m[^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + ^[[1mssh-keygen -y ^[[22m[^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + ^[[1mssh-keygen -c ^[[22m[^[[1m-P ^[[4m^[[22mpassphrase^[[24m] [^[[1m-C ^[[4m^[[22mcomment^[[24m] [^[[1m-f ^[[4m^[[22mkeyfile^[[24m] + ^[[1mssh-keygen -l ^[[22m[^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + ^[[1mssh-keygen -B ^[[22m[^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + ^[[1mssh-keygen -D ^[[4m^[[22mreader^[[0m + ^[[1mssh-keygen -U ^[[4m^[[22mreader^[[24m [^[[1m-f ^[[4m^[[22minput_keyfile^[[24m] + +^[[1mDESCRIPTION^[[0m + ^[[1mssh-keygen ^[[22mgenerates, 
manages and converts authentication keys for + ssh(1). ^[[1mssh-keygen ^[[22mcan create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to - be generated is specified with the -t option. + be generated is specified with the ^[[1m-t ^[[22moption. Normally each user wishing to use SSH with RSA or DSA authentication runs - this once to create the authentication key in $HOME/.ssh/identity, - $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. Additionally, the system adminM-- - istrator may use this to generate host keys, as seen in /etc/rc. + this once to create the authentication key in ^[[4m$HOME/.ssh/identity^[[24m, + ^[[4m$HOME/.ssh/id_dsa^[[24m or ^[[4m$HOME/.ssh/id_rsa^[[24m. Additionally, the system admin- + istrator may use this to generate host keys, as seen in ^[[4m/etc/rc^[[24m. Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same @@ -33,13 +33,13 @@ passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a - series of words, punctuation, numbers, whitespace, or any string of charM-- + series of words, punctuation, numbers, whitespace, or any string of char- acters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non- alphanumeric characters. The passphrase can be changed later by using - the -p option. + the ^[[1m-p ^[[22moption. There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding 
@@ -47,91 +47,91 @@ For RSA1 keys, there is also a comment field in the key file that is only for convenience to the user to help identify the key. The comment can - tell what the key is for, or whatever is useful. The comment is initialM-- + tell what the key is for, or whatever is useful. The comment is initial- ized to ``user@host'' when the key is created, but can be changed using - the -c option. + the ^[[1m-c ^[[22moption. After a key is generated, instructions below detail where the keys should be placed to be activated. The options are as follows: - -b bits + ^[[1m-b ^[[4m^[[22mbits^[[0m Specifies the number of bits in the key to create. Minimum is 512 bits. Generally 1024 bits is considered sufficient, and key sizes above that no longer improve security but make things slower. The default is 1024 bits. - -c Requests changing the comment in the private and public key - files. This operation is only supported for RSA1 keys. The proM-- + ^[[1m-c ^[[22mRequests changing the comment in the private and public key + files. This operation is only supported for RSA1 keys. The pro- gram will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment. - -e This option will read a private or public OpenSSH key file and + ^[[1m-e ^[[22mThis option will read a private or public OpenSSH key file and print the key in a `SECSH Public Key File Format' to stdout. This option allows exporting keys for use by several commercial SSH implementations. - -f filename + ^[[1m-f ^[[4m^[[22mfilename^[[0m Specifies the filename of the key file. - -i This option will read an unencrypted private (or public) key file + ^[[1m-i ^[[22mThis option will read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH compatible private - (or public) key to stdout. ssh-keygen also reads the `SECSH + (or public) key to stdout. ^[[1mssh-keygen ^[[22malso reads the `SECSH Public Key File Format'. 
This option allows importing keys from several commercial SSH implementations. - -l Show fingerprint of specified public key file. Private RSA1 keys - are also supported. For RSA and DSA keys ssh-keygen tries to + ^[[1m-l ^[[22mShow fingerprint of specified public key file. Private RSA1 keys + are also supported. For RSA and DSA keys ^[[1mssh-keygen ^[[22mtries to find the matching public key file and prints its fingerprint. - -p Requests changing the passphrase of a private key file instead of + ^[[1m-p ^[[22mRequests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. - -q Silence ssh-keygen. Used by /etc/rc when creating a new key. + ^[[1m-q ^[[22mSilence ^[[1mssh-keygen^[[22m. Used by ^[[4m/etc/rc^[[24m when creating a new key. - -y This option will read a private OpenSSH format file and print an + ^[[1m-y ^[[22mThis option will read a private OpenSSH format file and print an OpenSSH public key to stdout. - -t type + ^[[1m-t ^[[4m^[[22mtype^[[0m Specifies the type of the key to create. The possible values are - ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for protoM-- + ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for proto- col version 2. - -B Show the bubblebabble digest of specified private or public key + ^[[1m-B ^[[22mShow the bubblebabble digest of specified private or public key file. - -C comment + ^[[1m-C ^[[4m^[[22mcomment^[[0m Provides the new comment. - -D reader - Download the RSA public key stored in the smartcard in reader. + ^[[1m-D ^[[4m^[[22mreader^[[0m + Download the RSA public key stored in the smartcard in ^[[4mreader^[[24m. - -N new_passphrase + ^[[1m-N ^[[4m^[[22mnew_passphrase^[[0m Provides the new passphrase. - -P passphrase + ^[[1m-P ^[[4m^[[22mpassphrase^[[0m Provides the (old) passphrase. 
- -U reader - Upload an existing RSA private key into the smartcard in reader. + ^[[1m-U ^[[4m^[[22mreader^[[0m + Upload an existing RSA private key into the smartcard in ^[[4mreader^[[24m. -FILES +^[[1mFILES^[[0m $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1mssh-keygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/identity.pub - Contains the protocol version 1 RSA public key for authenticaM-- + Contains the protocol version 1 RSA public key for authentica- tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using RSA authentication. There is no need to keep the contents of this file secret. 
@@ -141,13 +141,13 @@ user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1mssh-keygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/id_dsa.pub - Contains the protocol version 2 DSA public key for authenticaM-- + Contains the protocol version 2 DSA public key for authentica- tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. 
@@ -157,27 +157,27 @@ user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by - ssh-keygen but it is offered as the default file for the private + ^[[1mssh-keygen ^[[22mbut it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. $HOME/.ssh/id_rsa.pub - Contains the protocol version 2 RSA public key for authenticaM-- + Contains the protocol version 2 RSA public key for authentica- tion. The contents of this file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. -AUTHORS +^[[1mAUTHORS^[[0m OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and creM-- + de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), ssh-add(1), ssh-agent(1), sshd(8) - J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf- + J. Galbraith and R. Thayer, ^[[4mSECSH^[[24m ^[[4mPublic^[[24m ^[[4mKey^[[24m ^[[4mFile^[[24m ^[[4mFormat^[[24m, draft-ietf- secsh-publickeyfile-01.txt, March 2001, work in progress material. BSD September 25, 1999 BSD diff -ru openssh-3.5p1.orig/ssh-keyscan.0 openssh-3.5p1/ssh-keyscan.0 --- openssh-3.5p1.orig/ssh-keyscan.0 2002-10-04 11:31:44.000000000 +1000 +++ openssh-3.5p1/ssh-keyscan.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,101 +1,101 @@ -SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) +SSH-KEYSCAN(1) BSD General Commands Manual SSH-KEYSCAN(1) -NAME - ssh-keyscan - gather ssh public keys +^[[1mNAME^[[0m + ^[[1mssh-keyscan ^[[22m- gather ssh public keys -SYNOPSIS - ssh-keyscan [-v46] [-p port] [-T timeout] [-t type] [-f file] - [host | addrlist namelist] [...] +^[[1mSYNOPSIS^[[0m + ^[[1mssh-keyscan ^[[22m[^[[1m-v46^[[22m] [^[[1m-p ^[[4m^[[22mport^[[24m] [^[[1m-T ^[[4m^[[22mtimeout^[[24m] [^[[1m-t ^[[4m^[[22mtype^[[24m] [^[[1m-f ^[[4m^[[22mfile^[[24m] + [^[[4mhost^[[24m | ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m] [^[[4m...^[[24m] -DESCRIPTION - ssh-keyscan is a utility for gathering the public ssh host keys of a numM-- +^[[1mDESCRIPTION^[[0m + ^[[1mssh-keyscan ^[[22mis a utility for gathering the public ssh host keys of a num- ber of hosts. It was designed to aid in building and verifying - ssh_known_hosts files. ssh-keyscan provides a minimal interface suitable + ^[[4mssh_known_hosts^[[24m files. ^[[1mssh-keyscan ^[[22mprovides a minimal interface suitable for use by shell and perl scripts. - ssh-keyscan uses non-blocking socket I/O to contact as many hosts as posM-- + ^[[1mssh-keyscan ^[[22muses non-blocking socket I/O to contact as many hosts as pos- sible in parallel, so it is very efficient. The keys from a domain of 1,000 hosts can be collected in tens of seconds, even when some of those hosts are down or do not run ssh. For scanning, one does not need login - access to the machines that are being scanned, nor does the scanning proM-- + access to the machines that are being scanned, nor does the scanning pro- cess involve any encryption. The options are as follows: - -p port + ^[[1m-p ^[[4m^[[22mport^[[0m Port to connect to on the remote host. - -T timeout - Set the timeout for connection attempts. If timeout seconds have + ^[[1m-T ^[[4m^[[22mtimeout^[[0m + Set the timeout for connection attempts. 
If ^[[4mtimeout^[[24m seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. - -t type + ^[[1m-t ^[[4m^[[22mtype^[[0m Specifies the type of the key to fetch from the scanned hosts. The possible values are ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for protocol version 2. Multiple values may be specified by separating them with commas. The default is ``rsa1''. - -f filename - Read hosts or addrlist namelist pairs from this file, one per - line. If - is supplied instead of a filename, ssh-keyscan will - read hosts or addrlist namelist pairs from the standard input. + ^[[1m-f ^[[4m^[[22mfilename^[[0m + Read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from this file, one per + line. If ^[[4m-^[[24m is supplied instead of a filename, ^[[1mssh-keyscan ^[[22mwill + read hosts or ^[[4maddrlist^[[24m ^[[4mnamelist^[[24m pairs from the standard input. - -v Verbose mode. Causes ssh-keyscan to print debugging messages + ^[[1m-v ^[[22mVerbose mode. Causes ^[[1mssh-keyscan ^[[22mto print debugging messages about its progress. - -4 Forces ssh-keyscan to use IPv4 addresses only. + ^[[1m-4 ^[[22mForces ^[[1mssh-keyscan ^[[22mto use IPv4 addresses only. - -6 Forces ssh-keyscan to use IPv6 addresses only. + ^[[1m-6 ^[[22mForces ^[[1mssh-keyscan ^[[22mto use IPv6 addresses only. -SECURITY - If a ssh_known_hosts file is constructed using ssh-keyscan without veriM-- +^[[1mSECURITY^[[0m + If a ssh_known_hosts file is constructed using ^[[1mssh-keyscan ^[[22mwithout veri- fying the keys, users will be vulnerable to attacks. 
On the other hand, - if the security model allows such a risk, ssh-keyscan can help in the + if the security model allows such a risk, ^[[1mssh-keyscan ^[[22mcan help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hosts file was created. -EXAMPLES - Print the rsa1 host key for machine hostname: +^[[1mEXAMPLES^[[0m + Print the ^[[4mrsa1^[[24m host key for machine ^[[4mhostname^[[24m: $ ssh-keyscan hostname - Find all hosts from the file ssh_hosts which have new or different keys - from those in the sorted file ssh_known_hosts: + Find all hosts from the file ^[[4mssh_hosts^[[24m which have new or different keys + from those in the sorted file ^[[4mssh_known_hosts^[[24m: $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ sort -u - ssh_known_hosts | diff ssh_known_hosts - -FILES - Input format: +^[[1mFILES^[[0m + ^[[4mInput^[[24m ^[[4mformat:^[[0m 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 - Output format for rsa1 keys: + ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa1^[[24m ^[[4mkeys:^[[0m host-or-namelist bits exponent modulus - Output format for rsa and dsa keys: + ^[[4mOutput^[[24m ^[[4mformat^[[24m ^[[4mfor^[[24m ^[[4mrsa^[[24m ^[[4mand^[[24m ^[[4mdsa^[[24m ^[[4mkeys:^[[0m host-or-namelist keytype base64-encoded-key - Where keytype is either ``ssh-rsa'' or ``ssh-dsa''. + Where ^[[4mkeytype^[[24m is either ``ssh-rsa'' or ``ssh-dsa''. - /etc/ssh/ssh_known_hosts + ^[[4m/etc/ssh/ssh_known_hosts^[[0m -BUGS +^[[1mBUGS^[[0m It generates "Connection closed by remote host" messages on the consoles of all the machines it scans if the server is older than version 2.9. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), sshd(8) -AUTHORS +^[[1mAUTHORS^[[0m David Mazieres wrote the initial version, and Wayne Davison added support for protocol version 2. 
diff -ru openssh-3.5p1.orig/ssh-keysign.0 openssh-3.5p1/ssh-keysign.0 --- openssh-3.5p1.orig/ssh-keysign.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.5p1/ssh-keysign.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,42 +1,42 @@ -SSH-KEYSIGN(8) System Manager's Manual SSH-KEYSIGN(8) +SSH-KEYSIGN(8) BSD System Manager's Manual SSH-KEYSIGN(8) -NAME - ssh-keysign - ssh helper program for hostbased authentication +^[[1mNAME^[[0m + ^[[1mssh-keysign ^[[22m- ssh helper program for hostbased authentication -SYNOPSIS - ssh-keysign +^[[1mSYNOPSIS^[[0m + ^[[1mssh-keysign^[[0m -DESCRIPTION - ssh-keysign is used by ssh(1) to access the local host keys and generate +^[[1mDESCRIPTION^[[0m + ^[[1mssh-keysign ^[[22mis used by ssh(1) to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. - ssh-keysign is disabled by default and can only be enabled in the the - global client configuration file /etc/ssh/ssh_config by setting - HostbasedAuthentication to ``yes''. + ^[[1mssh-keysign ^[[22mis disabled by default and can only be enabled in the the + global client configuration file ^[[4m/etc/ssh/ssh_config^[[24m by setting + ^[[1mHostbasedAuthentication ^[[22mto ``yes''. - ssh-keysign is not intended to be invoked by the user, but from ssh(1). - See ssh(1) and sshd(8) for more information about hostbased authenticaM-- + ^[[1mssh-keysign ^[[22mis not intended to be invoked by the user, but from ssh(1). + See ssh(1) and sshd(8) for more information about hostbased authentica- tion. -FILES +^[[1mFILES^[[0m /etc/ssh/ssh_config - Controls whether ssh-keysign is enabled. + Controls whether ^[[1mssh-keysign ^[[22mis enabled. /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These files contain the private parts of the host keys used to generate the digital signature. They should be owned by root, readable only by root, and not accessible to others. Since they - are readable only by root, ssh-keysign must be set-uid root if + are readable only by root, ^[[1mssh-keysign ^[[22mmust be set-uid root if hostbased authentication is used. 
-SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), ssh-keygen(1), ssh_config(5), sshd(8) -AUTHORS +^[[1mAUTHORS^[[0m Markus Friedl -HISTORY - ssh-keysign first appeared in OpenBSD 3.2. +^[[1mHISTORY^[[0m + ^[[1mssh-keysign ^[[22mfirst appeared in OpenBSD 3.2. BSD May 24, 2002 BSD diff -ru openssh-3.5p1.orig/ssh-rand-helper.0 openssh-3.5p1/ssh-rand-helper.0 --- openssh-3.5p1.orig/ssh-rand-helper.0 2002-10-04 11:31:46.000000000 +1000 +++ openssh-3.5p1/ssh-rand-helper.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,49 +1,49 @@ -SSH-RAND-HELPER(8) System Manager's Manual SSH-RAND-HELPER(8) +SSH-RAND-HELPER(8) BSD System Manager's Manual SSH-RAND-HELPER(8) -NAME - ssh-rand-helper - Random number gatherer for OpenSSH +^[[1mNAME^[[0m + ^[[1mssh-rand-helper ^[[22m- Random number gatherer for OpenSSH -SYNOPSIS - ssh-rand-hlper [-vxXh] [-b bytes] +^[[1mSYNOPSIS^[[0m + ^[[1mssh-rand-hlper ^[[22m[^[[1m-vxXh^[[22m] [^[[1m-b ^[[4m^[[22mbytes^[[24m] -DESCRIPTION - ssh-rand-helper is a small helper program used by ssh(1), ssh-add(1), +^[[1mDESCRIPTION^[[0m + ^[[1mssh-rand-helper ^[[22mis a small helper program used by ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1) and sshd(8) to gather random numbers of cryptographic quality if the openssl(4) library has not been configured to provide them itself. - Normally ssh-rand-helper will generate a strong random seed and provide + Normally ^[[1mssh-rand-helper ^[[22mwill generate a strong random seed and provide it to the calling program via standard output. If standard output is a - tty, ssh-rand-helper will instead print the seed in hexidecimal format + tty, ^[[1mssh-rand-helper ^[[22mwill instead print the seed in hexidecimal format unless told otherwise. - ssh-rand-helper will by default gather random numbers from the system - commands listed in /etc/ssh/ssh_prng_cmds. The output of each of the + ^[[1mssh-rand-helper ^[[22mwill by default gather random numbers from the system + commands listed in ^[[4m/etc/ssh/ssh_prng_cmds^[[24m. The output of each of the commands listed will be hashed and used to generate a random seed for the - calling program. ssh-rand-helper will also store seed files in - ~/.ssh/prng_seed between executions. + calling program. ^[[1mssh-rand-helper ^[[22mwill also store seed files in + ^[[4m~/.ssh/prng_seed^[[24m between executions. 
- Alternately, ssh-rand-helper may be configured at build time to collect + Alternately, ^[[1mssh-rand-helper ^[[22mmay be configured at build time to collect random numbers from a EGD/PRNGd server via a unix domain or localhost tcp socket. - This program is not intended to be run by the end-user, so the few comM-- + This program is not intended to be run by the end-user, so the few com- mandline options are for debugging purposes only. - -b bytes + ^[[1m-b ^[[4m^[[22mbytes^[[0m Specify the number of random bytes to include in the output. - -x Output a hexidecimal instead of a binary seed. + ^[[1m-x ^[[22mOutput a hexidecimal instead of a binary seed. - -X Force output of a binary seed, even if standard output is a tty + ^[[1m-X ^[[22mForce output of a binary seed, even if standard output is a tty - -v Turn on debugging message. Multiple -v options will increase the - debugging level. -h Display a summary of options. + ^[[1m-v ^[[22mTurn on debugging message. Multiple ^[[1m-v ^[[22moptions will increase the + debugging level. ^[[1m-h ^[[22mDisplay a summary of options. -AUTHORS +^[[1mAUTHORS^[[0m Damien Miller -SEE ALSO +^[[1mSEE ALSO^[[0m ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) BSD April 14, 2002 BSD diff -ru openssh-3.5p1.orig/ssh.0 openssh-3.5p1/ssh.0 --- openssh-3.5p1.orig/ssh.0 2002-10-04 11:31:45.000000000 +1000 +++ openssh-3.5p1/ssh.0 2003-03-06 19:38:46.000000000 +1100 
@@ -1,100 +1,100 @@ -SSH(1) System General Commands Manual SSH(1) +SSH(1) BSD General Commands Manual SSH(1) -NAME - ssh - OpenSSH SSH client (remote login program) +^[[1mNAME^[[0m + ^[[1mssh ^[[22m- OpenSSH SSH client (remote login program) -SYNOPSIS - ssh [-l login_name] hostname | user@hostname [command] +^[[1mSYNOPSIS^[[0m + ^[[1mssh ^[[22m[^[[1m-l ^[[4m^[[22mlogin_name^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] - ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] - [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] - [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R - port:host:hostport] [-D port] hostname | user@hostname [command] + ^[[1mssh ^[[22m[^[[1m-afgknqstvxACNTX1246^[[22m] [^[[1m-b ^[[4m^[[22mbind_address^[[24m] [^[[1m-c ^[[4m^[[22mcipher_spec^[[24m] + [^[[1m-e ^[[4m^[[22mescape_char^[[24m] [^[[1m-i ^[[4m^[[22midentity_file^[[24m] [^[[1m-l ^[[4m^[[22mlogin_name^[[24m] [^[[1m-m ^[[4m^[[22mmac_spec^[[24m] + [^[[1m-o ^[[4m^[[22moption^[[24m] [^[[1m-p ^[[4m^[[22mport^[[24m] [^[[1m-F ^[[4m^[[22mconfigfile^[[24m] [^[[1m-L ^[[4m^[[22mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] [^[[1m-R^[[0m + ^[[4mport^[[24m:^[[4mhost^[[24m:^[[4mhostport^[[24m] [^[[1m-D ^[[4m^[[22mport^[[24m] ^[[4mhostname^[[24m | ^[[4muser@hostname^[[24m [^[[4mcommand^[[24m] -DESCRIPTION - ssh (SSH client) is a program for logging into a remote machine and for +^[[1mDESCRIPTION^[[0m + ^[[1mssh ^[[22m(SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. - ssh connects and logs into the specified hostname. The user must prove + ^[[1mssh ^[[22mconnects and logs into the specified ^[[4mhostname^[[24m. 
The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used: - SSH protocol version 1 + ^[[1mSSH protocol version 1^[[0m - First, if the machine the user logs in from is listed in /etc/hosts.equiv - or /etc/shosts.equiv on the remote machine, and the user names are the + First, if the machine the user logs in from is listed in ^[[4m/etc/hosts.equiv^[[0m + or ^[[4m/etc/shosts.equiv^[[24m on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, - if .rhosts or .shosts exists in the user's home directory on the remote + if ^[[4m.rhosts^[[24m or ^[[4m.shosts^[[24m exists in the user's home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure. - The second authentication method is the rhosts or hosts.equiv method comM-- + The second authentication method is the ^[[4mrhosts^[[24m or ^[[4mhosts.equiv^[[24m method com- bined with RSA-based host authentication. It means that if the login - would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or - /etc/shosts.equiv, and if additionally the server can verify the client's - host key (see /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts in the - FILES section), only then login is permitted. This authentication method - closes security holes due to IP spoofing, DNS spoofing and routing spoofM-- - ing. 
[Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and + would be permitted by ^[[4m$HOME/.rhosts^[[24m, ^[[4m$HOME/.shosts^[[24m, ^[[4m/etc/hosts.equiv^[[24m, or + ^[[4m/etc/shosts.equiv^[[24m, and if additionally the server can verify the client's + host key (see ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m in the + ^[[4mFILES^[[24m section), only then login is permitted. This authentication method + closes security holes due to IP spoofing, DNS spoofing and routing spoof- + ing. [Note to the administrator: ^[[4m/etc/hosts.equiv^[[24m, ^[[4m$HOME/.rhosts^[[24m, and the rlogin/rsh protocol in general, are inherently insecure and should be disabled if security is desired.] - As a third authentication method, ssh supports RSA based authentication. + As a third authentication method, ^[[1mssh ^[[22msupports RSA based authentication. The scheme is based on public-key cryptography: there are cryptosystems where encryption and decryption are done using separate keys, and it is not possible to derive the decryption key from the encryption key. RSA is one such system. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. The file - $HOME/.ssh/authorized_keys lists the public keys that are permitted for - logging in. When the user logs in, the ssh program tells the server + ^[[4m$HOME/.ssh/authorized_keys^[[24m lists the public keys that are permitted for + logging in. When the user logs in, the ^[[1mssh ^[[22mprogram tells the server which key pair it would like to use for authentication. The server checks if this key is permitted, and if so, sends the user (actually the - ssh program running on behalf of the user) a challenge, a random number, + ^[[1mssh ^[[22mprogram running on behalf of the user) a challenge, a random number, encrypted by the user's public key. 
The challenge can only be decrypted - using the proper private key. The user's client then decrypts the chalM-- + using the proper private key. The user's client then decrypts the chal- lenge using the private key, proving that he/she knows the private key but without disclosing it to the server. - ssh implements the RSA authentication protocol automatically. The user + ^[[1mssh ^[[22mimplements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the - private key in $HOME/.ssh/identity and the public key in - $HOME/.ssh/identity.pub in the user's home directory. The user should - then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home - directory on the remote machine (the authorized_keys file corresponds to - the conventional $HOME/.rhosts file, and has one key per line, though the + private key in ^[[4m$HOME/.ssh/identity^[[24m and the public key in + ^[[4m$HOME/.ssh/identity.pub^[[24m in the user's home directory. The user should + then copy the ^[[4midentity.pub^[[24m to ^[[4m$HOME/.ssh/authorized_keys^[[24m in his/her home + directory on the remote machine (the ^[[4mauthorized_keys^[[24m file corresponds to + the conventional ^[[4m$HOME/.rhosts^[[24m file, and has one key per line, though the lines can be very long). After this, the user can log in without giving - the password. RSA authentication is much more secure than rhosts authenM-- + the password. RSA authentication is much more secure than rhosts authen- tication. - The most convenient way to use RSA authentication may be with an authenM-- + The most convenient way to use RSA authentication may be with an authen- tication agent. See ssh-agent(1) for more information. - If other authentication methods fail, ssh prompts the user for a passM-- + If other authentication methods fail, ^[[1mssh ^[[22mprompts the user for a pass- word. 
The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. - SSH protocol version 2 + ^[[1mSSH protocol version 2^[[0m When a user connects using protocol version 2 similar authentication methods are available. Using the default values for - PreferredAuthentications, the client will try to authenticate first using + ^[[1mPreferredAuthentications^[[22m, the client will try to authenticate first using the hostbased method; if this method fails public key authentication is attempted, and finally if this method fails keyboard-interactive and password authentication are tried. The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The - client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to + client uses his private key, ^[[4m$HOME/.ssh/id_dsa^[[24m or ^[[4m$HOME/.ssh/id_rsa^[[24m, to sign the session identifier and sends the result to the server. The server checks whether the matching public key is listed in - $HOME/.ssh/authorized_keys and grants access if both the key is found and + ^[[4m$HOME/.ssh/authorized_keys^[[24m and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. 
@@ -102,15 +102,15 @@ If public key authentication fails or is not available a password can be sent encrypted to the remote host for proving the user's identity. - Additionally, ssh supports hostbased or challenge response authenticaM-- + Additionally, ^[[1mssh ^[[22msupports hostbased or challenge response authentica- tion. - Protocol 2 provides additional mechanisms for confidentiality (the trafM-- + Protocol 2 provides additional mechanisms for confidentiality (the traf- fic is encrypted using 3DES, Blowfish, CAST128 or Arcfour) and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. - Login session and remote execution + ^[[1mLogin session and remote execution^[[0m When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the 
@@ -126,66 +126,66 @@ if a tty is used. The session terminates when the command or shell on the remote machine - exits and all X11 and TCP/IP connections have been closed. The exit staM-- - tus of the remote program is returned as the exit status of ssh. + exits and all X11 and TCP/IP connections have been closed. The exit sta- + tus of the remote program is returned as the exit status of ^[[1mssh^[[22m. - Escape Characters + ^[[1mEscape Characters^[[0m - When a pseudo terminal has been requested, ssh supports a number of funcM-- + When a pseudo terminal has been requested, ssh supports a number of func- tions through the use of an escape character. - A single tilde character can be sent as ~~ or by following the tilde by a + A single tilde character can be sent as ^[[1m~~ ^[[22mor by following the tilde by a character other than those described below. The escape character must - always follow a newline to be interpreted as special. The escape characM-- - ter can be changed in configuration files using the EscapeChar configuraM-- - tion directive or on the command line by the -e option. + always follow a newline to be interpreted as special. The escape charac- + ter can be changed in configuration files using the ^[[1mEscapeChar ^[[22mconfigura- + tion directive or on the command line by the ^[[1m-e ^[[22moption. The supported escapes (assuming the default `~') are: - ~. Disconnect + ^[[1m~. ^[[22mDisconnect - ~^Z Background ssh + ^[[1m~^Z ^[[22mBackground ssh - ~# List forwarded connections + ^[[1m~# ^[[22mList forwarded connections - ~& Background ssh at logout when waiting for forwarded connection / + ^[[1m~& ^[[22mBackground ssh at logout when waiting for forwarded connection / X11 sessions to terminate - ~? Display a list of escape characters + ^[[1m~? 
^[[22mDisplay a list of escape characters - ~C Open command line (only useful for adding port forwardings using - the -L and -R options) + ^[[1m~C ^[[22mOpen command line (only useful for adding port forwardings using + the ^[[1m-L ^[[22mand ^[[1m-R ^[[22moptions) - ~R Request rekeying of the connection (only useful for SSH protocol + ^[[1m~R ^[[22mRequest rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it) - X11 and TCP forwarding + ^[[1mX11 and TCP forwarding^[[0m - If the ForwardX11 variable is set to ``yes'' (or, see the description of - the -X and -x options described later) and the user is using X11 (the + If the ^[[1mForwardX11 ^[[22mvariable is set to ``yes'' (or, see the description of + the ^[[1m-X ^[[22mand ^[[1m-x ^[[22moptions described later) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) will go through the encrypted channel, and the connection to the real X server will be made - from the local machine. The user should not manually set DISPLAY. ForM-- + from the local machine. The user should not manually set DISPLAY. For- warding of X11 connections can be configured on the command line or in configuration files. - The DISPLAY value set by ssh will point to the server machine, but with a + The DISPLAY value set by ^[[1mssh ^[[22mwill point to the server machine, but with a display number greater than zero. This is normal, and happens because - ssh creates a ``proxy'' X server on the server machine for forwarding the + ^[[1mssh ^[[22mcreates a ``proxy'' X server on the server machine for forwarding the connections over the encrypted channel. - ssh will also automatically set up Xauthority data on the server machine. + ^[[1mssh ^[[22mwill also automatically set up Xauthority data on the server machine. 
For this purpose, it will generate a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain). - If the ForwardAgent variable is set to ``yes'' (or, see the description - of the -A and -a options described later) and the user is using an - authentication agent, the connection to the agent is automatically forM-- + If the ^[[1mForwardAgent ^[[22mvariable is set to ``yes'' (or, see the description + of the ^[[1m-A ^[[22mand ^[[1m-a ^[[22moptions described later) and the user is using an + authentication agent, the connection to the agent is automatically for- warded to the remote side. Forwarding of arbitrary TCP/IP connections over the secure channel can be 
@@ -193,25 +193,25 @@ possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. - Server authentication + ^[[1mServer authentication^[[0m - ssh automatically maintains and checks a database containing identificaM-- + ^[[1mssh ^[[22mautomatically maintains and checks a database containing identifica- tions for all hosts it has ever been used with. Host keys are stored in - $HOME/.ssh/known_hosts in the user's home directory. Additionally, the - file /etc/ssh/ssh_known_hosts is automatically checked for known hosts. + ^[[4m$HOME/.ssh/known_hosts^[[24m in the user's home directory. Additionally, the + file ^[[4m/etc/ssh/ssh_known_hosts^[[24m is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's - identification ever changes, ssh warns about this and disables password - authentication to prevent a trojan horse from getting the user's passM-- + identification ever changes, ^[[1mssh ^[[22mwarns about this and disables password + authentication to prevent a trojan horse from getting the user's pass- word. Another purpose of this mechanism is to prevent man-in-the-middle attacks which could otherwise be used to circumvent the encryption. The - StrictHostKeyChecking option can be used to prevent logins to machines + ^[[1mStrictHostKeyChecking ^[[22moption can be used to prevent logins to machines whose host key is not known or has changed. The options are as follows: - -a Disables forwarding of the authentication agent connection. + ^[[1m-a ^[[22mDisables forwarding of the authentication agent connection. - -A Enables forwarding of the authentication agent connection. This + ^[[1m-A ^[[22mEnables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. 
@@ -223,26 +223,26 @@ that enable them to authenticate using the identities loaded into the agent. - -b bind_address + ^[[1m-b ^[[4m^[[22mbind_address^[[0m Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. - -c blowfish|3des|des - Selects the cipher to use for encrypting the session. 3des is - used by default. It is believed to be secure. 3des (triple-des) + ^[[1m-c ^[[4m^[[22mblowfish|3des|des^[[0m + Selects the cipher to use for encrypting the session. ^[[4m3des^[[24m is + used by default. It is believed to be secure. ^[[4m3des^[[24m (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. - blowfish is a fast block cipher, it appears very secure and is - much faster than 3des. des is only supported in the ssh client + ^[[4mblowfish^[[24m is a fast block cipher, it appears very secure and is + much faster than ^[[4m3des^[[24m. ^[[4mdes^[[24m is only supported in the ^[[1mssh ^[[22mclient for interoperability with legacy protocol 1 implementations that - do not support the 3des cipher. Its use is strongly discouraged + do not support the ^[[4m3des^[[24m cipher. Its use is strongly discouraged due to cryptographic weaknesses. - -c cipher_spec + ^[[1m-c ^[[4m^[[22mcipher_spec^[[0m Additionally, for protocol version 2 a comma-separated list of - ciphers can be specified in order of preference. See Ciphers for + ciphers can be specified in order of preference. See ^[[1mCiphers ^[[22mfor more information. - -e ch|^ch|none + ^[[1m-e ^[[4m^[[22mch|^ch|none^[[0m Sets the escape character for sessions with a pty (default: `~'). The escape character is only recognized at the beginning of a line. The escape character followed by a dot (`.') closes the 
@@ -251,86 +251,86 @@ character to ``none'' disables any escapes and makes the session fully transparent. - -f Requests ssh to go to background just before command execution. - This is useful if ssh is going to ask for passwords or + ^[[1m-f ^[[22mRequests ^[[1mssh ^[[22mto go to background just before command execution. + This is useful if ^[[1mssh ^[[22mis going to ask for passwords or passphrases, but the user wants it in the background. This - implies -n. The recommended way to start X11 programs at a - remote site is with something like ssh -f host xterm. + implies ^[[1m-n^[[22m. The recommended way to start X11 programs at a + remote site is with something like ^[[1mssh -f host xterm^[[22m. - -g Allows remote hosts to connect to local forwarded ports. + ^[[1m-g ^[[22mAllows remote hosts to connect to local forwarded ports. - -i identity_file + ^[[1m-i ^[[4m^[[22midentity_file^[[0m Selects a file from which the identity (private key) for RSA or - DSA authentication is read. The default is $HOME/.ssh/identity - for protocol version 1, and $HOME/.ssh/id_rsa and - $HOME/.ssh/id_dsa for protocol version 2. Identity files may + DSA authentication is read. The default is ^[[4m$HOME/.ssh/identity^[[0m + for protocol version 1, and ^[[4m$HOME/.ssh/id_rsa^[[24m and + ^[[4m$HOME/.ssh/id_dsa^[[24m for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. - It is possible to have multiple -i options (and multiple identiM-- + It is possible to have multiple ^[[1m-i ^[[22moptions (and multiple identi- ties specified in configuration files). - -I smartcard_device + ^[[1m-I ^[[4m^[[22msmartcard_device^[[0m Specifies which smartcard device to use. The argument is the - device ssh should use to communicate with a smartcard used for + device ^[[1mssh ^[[22mshould use to communicate with a smartcard used for storing the user's private RSA key. - -k Disables forwarding of Kerberos tickets and AFS tokens. 
This may + ^[[1m-k ^[[22mDisables forwarding of Kerberos tickets and AFS tokens. This may also be specified on a per-host basis in the configuration file. - -l login_name + ^[[1m-l ^[[4m^[[22mlogin_name^[[0m Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. - -m mac_spec + ^[[1m-m ^[[4m^[[22mmac_spec^[[0m Additionally, for protocol version 2 a comma-separated list of MAC (message authentication code) algorithms can be specified in - order of preference. See the MACs keyword for more information. + order of preference. See the ^[[1mMACs ^[[22mkeyword for more information. - -n Redirects stdin from /dev/null (actually, prevents reading from - stdin). This must be used when ssh is run in the background. A + ^[[1m-n ^[[22mRedirects stdin from ^[[4m/dev/null^[[24m (actually, prevents reading from + stdin). This must be used when ^[[1mssh ^[[22mis run in the background. A common trick is to use this to run X11 programs on a remote - machine. For example, ssh -n shadows.cs.hut.fi emacs & will + machine. For example, ^[[1mssh -n shadows.cs.hut.fi emacs & ^[[22mwill start an emacs on shadows.cs.hut.fi, and the X11 connection will - be automatically forwarded over an encrypted channel. The ssh + be automatically forwarded over an encrypted channel. The ^[[1mssh^[[0m program will be put in the background. (This does not work if - ssh needs to ask for a password or passphrase; see also the -f + ^[[1mssh ^[[22mneeds to ask for a password or passphrase; see also the ^[[1m-f^[[0m option.) - -N Do not execute a remote command. This is useful for just forM-- + ^[[1m-N ^[[22mDo not execute a remote command. This is useful for just for- warding ports (protocol version 2 only). - -o option - Can be used to give options in the format used in the configuraM-- + ^[[1m-o ^[[4m^[[22moption^[[0m + Can be used to give options in the format used in the configura- tion file. 
This is useful for specifying options for which there is no separate command-line flag. - -p port + ^[[1m-p ^[[4m^[[22mport^[[0m Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file. - -q Quiet mode. Causes all warning and diagnostic messages to be + ^[[1m-q ^[[22mQuiet mode. Causes all warning and diagnostic messages to be suppressed. - -s May be used to request invocation of a subsystem on the remote + ^[[1m-s ^[[22mMay be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which - facilitate the use of SSH as a secure transport for other appliM-- - cations (eg. sftp). The subsystem is specified as the remote comM-- + facilitate the use of SSH as a secure transport for other appli- + cations (eg. sftp). The subsystem is specified as the remote com- mand. - -t Force pseudo-tty allocation. This can be used to execute arbiM-- + ^[[1m-t ^[[22mForce pseudo-tty allocation. This can be used to execute arbi- trary screen-based programs on a remote machine, which can be - very useful, e.g., when implementing menu services. Multiple -t - options force tty allocation, even if ssh has no local tty. + very useful, e.g., when implementing menu services. Multiple ^[[1m-t^[[0m + options force tty allocation, even if ^[[1mssh ^[[22mhas no local tty. - -T Disable pseudo-tty allocation. + ^[[1m-T ^[[22mDisable pseudo-tty allocation. - -v Verbose mode. Causes ssh to print debugging messages about its - progress. This is helpful in debugging connection, authenticaM-- - tion, and configuration problems. Multiple -v options increases + ^[[1m-v ^[[22mVerbose mode. Causes ^[[1mssh ^[[22mto print debugging messages about its + progress. This is helpful in debugging connection, authentica- + tion, and configuration problems. Multiple ^[[1m-v ^[[22moptions increases the verbosity. Maximum is 3. - -x Disables X11 forwarding. + ^[[1m-x ^[[22mDisables X11 forwarding. 
- -X Enables X11 forwarding. This can also be specified on a per-host + ^[[1m-X ^[[22mEnables X11 forwarding. This can also be specified on a per-host basis in a configuration file. X11 forwarding should be enabled with caution. Users with the 
@@ -339,76 +339,76 @@ through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring. - -C Requests compression of all data (including stdin, stdout, + ^[[1m-C ^[[22mRequests compression of all data (including stdin, stdout, stderr, and data for forwarded X11 and TCP/IP connections). The compression algorithm is the same used by gzip(1), and the - ``level'' can be controlled by the CompressionLevel option for + ``level'' can be controlled by the ^[[1mCompressionLevel ^[[22moption for protocol version 1. Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. The default value can be set on a host-by-host basis - in the configuration files; see the Compression option. + in the configuration files; see the ^[[1mCompression ^[[22moption. - -F configfile - Specifies an alternative per-user configuration file. If a conM-- + ^[[1m-F ^[[4m^[[22mconfigfile^[[0m + Specifies an alternative per-user configuration file. If a con- figuration file is given on the command line, the system-wide - configuration file (/etc/ssh/ssh_config) will be ignored. The - default for the per-user configuration file is $HOME/.ssh/config. + configuration file (^[[4m/etc/ssh/ssh_config^[[24m) will be ignored. The + default for the per-user configuration file is ^[[4m$HOME/.ssh/config^[[24m. - -L port:host:hostport + ^[[1m-L ^[[4m^[[22mport:host:hostport^[[0m Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This - works by allocating a socket to listen to port on the local side, + works by allocating a socket to listen to ^[[4mport^[[24m on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to - host port hostport from the remote machine. Port forwardings can - also be specified in the configuration file. 
Only root can forM-- + ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the remote machine. Port forwardings can + also be specified in the configuration file. Only root can for- ward privileged ports. IPv6 addresses can be specified with an - alternative syntax: port/host/hostport + alternative syntax: ^[[4mport/host/hostport^[[0m - -R port:host:hostport + ^[[1m-R ^[[4m^[[22mport:host:hostport^[[0m Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This - works by allocating a socket to listen to port on the remote - side, and whenever a connection is made to this port, the connecM-- + works by allocating a socket to listen to ^[[4mport^[[24m on the remote + side, and whenever a connection is made to this port, the connec- tion is forwarded over the secure channel, and a connection is - made to host port hostport from the local machine. Port forwardM-- + made to ^[[4mhost^[[24m port ^[[4mhostport^[[24m from the local machine. Port forward- ings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified with an alternative - syntax: port/host/hostport + syntax: ^[[4mport/host/hostport^[[0m - -D port + ^[[1m-D ^[[4m^[[22mport^[[0m Specifies a local ``dynamic'' application-level port forwarding. - This works by allocating a socket to listen to port on the local - side, and whenever a connection is made to this port, the connecM-- + This works by allocating a socket to listen to ^[[4mport^[[24m on the local + side, and whenever a connection is made to this port, the connec- tion is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and - ssh will act as a SOCKS4 server. Only root can forward priviM-- + ^[[1mssh ^[[22mwill act as a SOCKS4 server. 
Only root can forward privi- leged ports. Dynamic port forwardings can also be specified in the configuration file. - -1 Forces ssh to try protocol version 1 only. + ^[[1m-1 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 1 only. - -2 Forces ssh to try protocol version 2 only. + ^[[1m-2 ^[[22mForces ^[[1mssh ^[[22mto try protocol version 2 only. - -4 Forces ssh to use IPv4 addresses only. + ^[[1m-4 ^[[22mForces ^[[1mssh ^[[22mto use IPv4 addresses only. - -6 Forces ssh to use IPv6 addresses only. + ^[[1m-6 ^[[22mForces ^[[1mssh ^[[22mto use IPv6 addresses only. -CONFIGURATION FILES - ssh may additionally obtain configuration data from a per-user configuraM-- - tion file and a system-wide configuration file. The file format and conM-- +^[[1mCONFIGURATION FILES^[[0m + ^[[1mssh ^[[22mmay additionally obtain configuration data from a per-user configura- + tion file and a system-wide configuration file. The file format and con- figuration options are described in ssh_config(5). -ENVIRONMENT - ssh will normally set the following environment variables: +^[[1mENVIRONMENT^[[0m + ^[[1mssh ^[[22mwill normally set the following environment variables: DISPLAY The DISPLAY variable indicates the location of the X11 server. - It is automatically set by ssh to point to a value of the form + It is automatically set by ^[[1mssh ^[[22mto point to a value of the form ``hostname:n'' where hostname indicates the host where the shell - runs, and n is an integer >= 1. ssh uses this special value to + runs, and n is an integer >= 1. ^[[1mssh ^[[22muses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 connection insecure (and will require the user to manually copy 
@@ -422,17 +422,17 @@ MAIL Set to the path of the user's mailbox. - PATH Set to the default PATH, as specified when compiling ssh. + PATH Set to the default PATH, as specified when compiling ^[[1mssh^[[22m. SSH_ASKPASS - If ssh needs a passphrase, it will read the passphrase from the - current terminal if it was run from a terminal. If ssh does not + If ^[[1mssh ^[[22mneeds a passphrase, it will read the passphrase from the + current terminal if it was run from a terminal. If ^[[1mssh ^[[22mdoes not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly - useful when calling ssh from a .Xsession or related script. + useful when calling ^[[1mssh ^[[22mfrom a ^[[4m.Xsession^[[24m or related script. (Note that on some machines it may be necessary to redirect the - input from /dev/null to make this work.) + input from ^[[4m/dev/null^[[24m to make this work.) SSH_AUTH_SOCK Identifies the path of a unix-domain socket used to communicate @@ -444,12 +444,12 @@ client port number, server ip-address and server port number. SSH_ORIGINAL_COMMAND - The variable contains the original command line if a forced comM-- - mand is executed. It can be used to extract the original arguM-- + The variable contains the original command line if a forced com- + mand is executed. It can be used to extract the original argu- ments. SSH_TTY - This is set to the name of the tty (path to the device) associM-- + This is set to the name of the tty (path to the device) associ- ated with the current shell or command. If the current session has no tty, this variable is not set. 
@@ -459,22 +459,22 @@ USER Set to the name of the user logging in. - Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the + Additionally, ^[[1mssh ^[[22mreads ^[[4m$HOME/.ssh/environment^[[24m, and adds lines of the format ``VARNAME=value'' to the environment if the file exists and if users are allowed to change their environment. See the - PermitUserEnvironment option in sshd_config(5). + ^[[1mPermitUserEnvironment ^[[22moption in sshd_config(5). -FILES +^[[1mFILES^[[0m $HOME/.ssh/known_hosts Records host keys for all hosts the user has logged into that are - not in /etc/ssh/ssh_known_hosts. See sshd(8). + not in ^[[4m/etc/ssh/ssh_known_hosts^[[24m. See sshd(8). $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). Note - that ssh ignores a private key file if it is accessible by othM-- + that ^[[1mssh ^[[22mignores a private key file if it is accessible by oth- ers. It is possible to specify a passphrase when generating the key; the passphrase will be used to encrypt the sensitive part of this file using 3DES. 
@@ -482,15 +482,15 @@ $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the - $HOME/.ssh/identity.pub file should be added to - $HOME/.ssh/authorized_keys on all machines where the user wishes - to log in using protocol version 1 RSA authentication. The conM-- - tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file - should be added to $HOME/.ssh/authorized_keys on all machines + ^[[4m$HOME/.ssh/identity.pub^[[24m file should be added to + ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes + to log in using protocol version 1 RSA authentication. The con- + tents of the ^[[4m$HOME/.ssh/id_dsa.pub^[[24m and ^[[4m$HOME/.ssh/id_rsa.pub^[[24m file + should be added to ^[[4m$HOME/.ssh/authorized_keys^[[24m on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. These files are not sensitive and can (but need - not) be readable by anyone. These files are never used automatiM-- - cally and are not necessary; they are only provided for the conM-- + not) be readable by anyone. These files are never used automati- + cally and are not necessary; they are only provided for the con- venience of the user. $HOME/.ssh/config 
@@ -510,15 +510,15 @@ by the system administrator to contain the public host keys of all machines in the organization. This file should be world- readable. This file contains public keys, one per line, in the - following format (fields separated by spaces): system name, pubM-- + following format (fields separated by spaces): system name, pub- lic key and optional comment field. When different names are - used for the same machine, all such names should be listed, sepaM-- + used for the same machine, all such names should be listed, sepa- rated by commas. The format is described on the sshd(8) manual page. The canonical system name (as returned by name servers) is used by sshd(8) to verify the client host when logging in; other names - are needed because ssh does not convert the user-supplied name to + are needed because ^[[1mssh ^[[22mdoes not convert the user-supplied name to a canonical name before checking the key, because someone with access to the name servers would then be able to fool host authentication. 
@@ -530,22 +530,22 @@ /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys and - are used for RhostsRSAAuthentication and HostbasedAuthentication. - If the protocol version 1 RhostsRSAAuthentication method is used, - ssh must be setuid root, since the host key is readable only by - root. For protocol version 2, ssh uses ssh-keysign(8) to access - the host keys for HostbasedAuthentication. This eliminates the - requirement that ssh be setuid root when that authentication - method is used. By default ssh is not setuid root. + are used for ^[[1mRhostsRSAAuthentication ^[[22mand ^[[1mHostbasedAuthentication^[[22m. + If the protocol version 1 ^[[1mRhostsRSAAuthentication ^[[22mmethod is used, + ^[[1mssh ^[[22mmust be setuid root, since the host key is readable only by + root. For protocol version 2, ^[[1mssh ^[[22muses ssh-keysign(8) to access + the host keys for ^[[1mHostbasedAuthentication^[[22m. This eliminates the + requirement that ^[[1mssh ^[[22mbe setuid root when that authentication + method is used. By default ^[[1mssh ^[[22mis not setuid root. $HOME/.rhosts - This file is used in .rhosts authentication to list the host/user + This file is used in ^[[4m.rhosts^[[24m authentication to list the host/user pairs that are permitted to log in. (Note that this file is also used by rlogin and rsh, which makes using this file insecure.) Each line of the file contains a host name (in the canonical form returned by name servers), and then a user name on that host, separated by a space. On some machines this file may need to be - world-readable if the user's home directory is on a NFS partiM-- + world-readable if the user's home directory is on a NFS parti- tion, because sshd(8) reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is 
@@ -554,18 +554,18 @@ Note that by default sshd(8) will be installed so that it requires successful RSA host authentication before permitting .rhosts authentication. If the server machine does not have the - client's host key in /etc/ssh/ssh_known_hosts, it can be stored - in $HOME/.ssh/known_hosts. The easiest way to do this is to conM-- + client's host key in ^[[4m/etc/ssh/ssh_known_hosts^[[24m, it can be stored + in ^[[4m$HOME/.ssh/known_hosts^[[24m. The easiest way to do this is to con- nect back to the client from the server machine using ssh; this - will automatically add the host key to $HOME/.ssh/known_hosts. + will automatically add the host key to ^[[4m$HOME/.ssh/known_hosts^[[24m. $HOME/.shosts - This file is used exactly the same way as .rhosts. The purpose + This file is used exactly the same way as ^[[4m.rhosts^[[24m. The purpose for having this file is to be able to use rhosts authentication - with ssh without permitting login with rlogin or rsh(1). + with ^[[1mssh ^[[22mwithout permitting login with ^[[1mrlogin ^[[22mor rsh(1). /etc/hosts.equiv - This file is used during .rhosts authentication. It contains + This file is used during ^[[4m.rhosts^[[24m ^[[4mauthentication.^[[24m It contains canonical hosts names, one per line (the full format is described on the sshd(8) manual page). If the client host is found in this file, login is automatically permitted provided client and server 
@@ -574,41 +574,41 @@ writable by root. /etc/shosts.equiv - This file is processed exactly as /etc/hosts.equiv. This file - may be useful to permit logins using ssh but not using + This file is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. This file + may be useful to permit logins using ^[[1mssh ^[[22mbut not using rsh/rlogin. /etc/ssh/sshrc - Commands in this file are executed by ssh when the user logs in + Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in just before the user's shell (or command) is started. See the sshd(8) manual page for more information. $HOME/.ssh/rc - Commands in this file are executed by ssh when the user logs in + Commands in this file are executed by ^[[1mssh ^[[22mwhen the user logs in just before the user's shell (or command) is started. See the sshd(8) manual page for more information. $HOME/.ssh/environment Contains additional defini