Lines Matching +full:touch +full:- +full:keys
45 .Bk -words
75 can be configured using command-line options or a configuration file
78 command-line options override values specified in the
87 .Bl -tag -width Ds
107 options or as a comma-separated list.
193 command-line flag.
202 option are ignored when a command-line port is specified.
205 option override command-line ports.
227 Only check the validity of the configuration file and sanity of the keys.
255 .Cm from="pattern-list"
267 Each host has a host-specific key,
273 Forward secrecy is provided through a Diffie-Hellman key agreement.
283 host-based authentication,
285 challenge-response authentication,
299 on HP-UX, containing
308 for the account while still allowing public-key, then the passwd field
318 things like allocating a pseudo-tty, forwarding X11 connections,
323 of a non-interactive command, which
340 .Bl -enum -offset indent
420 .Bd -literal -offset 3n
421 if read proto cookie && [ -n "$DISPLAY" ]; then
422 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
425 cut -c11-` $proto $cookie
429 fi | xauth -q -
439 specifies the files containing public keys for
450 Public keys consist of the following space-separated fields:
451 options, keytype, base64-encoded key, comment.
455 .Bl -item -compact -offset indent
457 sk-ecdsa-sha2-nistp256@openssh.com
459 ecdsa-sha2-nistp256
461 ecdsa-sha2-nistp384
463 ecdsa-sha2-nistp521
465 sk-ssh-ed25519@openssh.com
467 ssh-ed25519
469 ssh-dss
471 ssh-rsa
479 8 kilobytes, which permits RSA keys up to 16 kilobits.
493 The options (if present) consist of comma-separated option
497 that option keywords are case-insensitive):
498 .Bl -tag -width Ds
499 .It Cm agent-forwarding
503 .It Cm cert-authority
516 If an 8-bit clean channel is required,
518 .Cm no-pty .
522 to restrict certain public keys to perform just a specific operation.
538 If a command is specified and a forced-command is embedded in a certificate
551 .It Cm expiry-time="timespec"
556 .It Cm from="pattern-list"
559 comma-separated list of patterns.
576 .It Cm no-agent-forwarding
579 .It Cm no-port-forwarding
585 .It Cm no-pty
587 .It Cm no-user-rc
590 .It Cm no-X11-forwarding
633 .It Cm port-forwarding
639 .Cm cert-authority
641 comma-separated list.
644 This option is ignored for keys that are not marked as trusted certificate
646 .Cm cert-authority
652 .It Cm no-touch-required
656 .Cm ecdsa-sk
658 .Cm ed25519-sk .
659 .It Cm verify-required
663 .Cm ecdsa-sk
665 .Cm ed25519-sk .
679 .It Cm user-rc
685 .It Cm X11-forwarding
692 .Bd -literal -offset 3n
695 ssh-rsa ...
697 restrict,command="dump /home" ssh-rsa ...
698 # Restriction of ssh -L forwarding destinations
699 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
700 # Restriction of ssh -R forwarding listeners
701 permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
703 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
705 restrict,pty,command="nethack" ssh-rsa ...
706 # Allow FIDO key without requiring touch
707 no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
708 # Require user-verification (e.g. PIN or biometric) for FIDO key
709 verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
710 # Trust CA key, allow touch-less FIDO if requested in certificate
711 cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
718 files contain host public keys for all known hosts.
720 be prepared by the administrator (optional), and the per-user file is
722 its key is added to the per-user file.
725 hostnames, keytype, base64-encoded key, comment.
729 .Dq @cert-authority ,
737 Hostnames is a comma-separated list of patterns
770 and a non-standard port number.
780 The keytype and base64-encoded key are taken directly from the host key; they
794 .Dq @cert-authority
797 The known hosts file also provides a facility to mark keys as revoked,
800 Revoked keys are specified by including the
809 recommended) to have several lines or different host keys for the same
818 long, and you definitely don't want to type in the host keys by hand.
820 .Xr ssh-keyscan 1
824 .Xr ssh-keygen 1
831 .Bd -literal -offset 3n
833 cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
835 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
838 @revoked * ssh-rsa AAAAB5W...
840 @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
843 .Bl -tag -width Ds -compact
857 This file is used for host-based authentication (see
861 world-readable if the user's home directory is on an NFS partition,
874 but allows host-based authentication without permitting login with
878 This directory is the default location for all user-specific configuration
885 Lists the public keys (DSA, ECDSA, Ed25519, RSA)
916 Contains a list of host keys for all hosts the user has logged into
917 that are not already in the systemwide list of known host keys.
920 can, but need not be, world-readable.
930 Access controls that should be enforced by tcp-wrappers are defined here.
935 This file is for host-based authentication (see
940 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
956 are displayed to anyone trying to log in, and non-root connections are
958 The file should be world-readable.
963 but allows host-based authentication without permitting login with
969 These files contain the private parts of the host keys.
974 does not start if these files are group/world-accessible.
979 These files contain the public parts of the host keys.
980 These files should be world-readable but writable only by
987 .Xr ssh-keygen 1 .
990 Systemwide list of known host keys.
992 system administrator to contain the public host keys of all machines in the
996 should be world-readable.
1008 machine-specific login-time initializations globally.
1009 This file should be writable only by root, and should be world-readable.
1015 during privilege separation in the pre-authentication phase.
1017 and not group or world-writable.
1025 The content of this file is not sensitive; it can be world-readable.
1031 .Xr ssh-add 1 ,
1032 .Xr ssh-agent 1 ,
1033 .Xr ssh-keygen 1 ,
1034 .Xr ssh-keyscan 1 ,
1041 .Xr sftp-server 8
1047 removed many bugs, re-added newer features and