.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 31 2022 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
.Nm ssh-keysign
.Nd OpenSSH helper for host-based authentication
.Sh SYNOPSIS
.Nm
.Sh DESCRIPTION
.Nm
is used by
.Xr ssh 1
to access the local host keys and generate the digital signature
required during host-based authentication.
.Pp
.Nm
is disabled by default and can only be enabled in the
global client configuration file
.Pa /etc/ssh/ssh_config
by setting
.Cm EnableSSHKeysign
to
.Dq yes .
.Pp
.Nm
is not intended to be invoked by the user, but from
.Xr ssh 1 .
See
.Xr ssh 1
and
.Xr sshd 8
for more information about host-based authentication.
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa /etc/ssh/ssh_config
Controls whether
.Nm
is enabled.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature.
They should be owned by root, readable only by root, and not
accessible to others.
Since they are readable only by root,
.Nm
must be set-uid root if host-based authentication is used.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist, they are assumed to contain public certificate
information corresponding with the private keys above.
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh_config 5 ,
.Xr sshd 8
.Sh HISTORY
.Nm
first appeared in
.Ox 3.2 .
.Sh AUTHORS
.An Markus Friedl Aq Mt markus@openbsd.org
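The preconditions stated under DESCRIPTION and FILES (EnableSSHKeysign set to yes, root-only host keys, a set-uid root helper) can be audited with a short script; this is an added example, not part of the OpenSSH manual or source. The function names, the ssh-keysign path argument and the expected owner uid argument are assumptions of the example, and the config parse is a simplification that does not evaluate Include files or Host/Match scoping.

```shell
#!/bin/sh
# Added example: checks the preconditions listed under FILES.
# All paths and the expected owner uid are arguments (assumptions of this
# example), so the checks can be tried on constructed files.

# keysign_enabled CONFIG: true if the first EnableSSHKeysign value is "yes".
# Simplification: Include files and Host/Match scoping are not evaluated.
keysign_enabled() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        tolower($1) == "enablesshkeysign" { v = $2; gsub(/"/, "", v); seen = 1; exit }
        END { exit !(seen && v == "yes") }' "$1"
}

# key_private FILE UID: true if FILE is a regular file owned by UID with
# no group or other permission bits (mode string columns 5-10 all "-").
key_private() {
    [ -f "$1" ] || return 1
    ls -ln "$1" | awk -v uid="$2" \
        '{ exit !($3 == uid && substr($1, 5, 6) == "------") }'
}

# keysign_setuid FILE UID: true if FILE is owned by UID and is set-uid
# and executable by its owner ("s" in column 4 of the mode string).
keysign_setuid() {
    [ -f "$1" ] || return 1
    ls -ln "$1" | awk -v uid="$2" \
        '{ exit !($3 == uid && substr($1, 4, 1) == "s") }'
}

# audit CONFIG KEYSIGN UID KEY...: print findings; exit status = failures.
audit() {
    cfg=$1 bin=$2 uid=$3; shift 3; fails=0
    keysign_enabled "$cfg" ||
        { echo "EnableSSHKeysign is not yes in $cfg"; fails=$((fails + 1)); }
    keysign_setuid "$bin" "$uid" ||
        { echo "$bin is not set-uid for uid $uid"; fails=$((fails + 1)); }
    for k in "$@"; do
        [ -e "$k" ] || continue   # key types that were never generated
        key_private "$k" "$uid" ||
            { echo "$k: wrong owner or group/other access"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Example: sh audit.sh /etc/ssh/ssh_config <path-to-ssh-keysign> 0 /etc/ssh/ssh_host_*_key
if [ "$#" -ge 4 ]; then audit "$@"; fi
```

On hosts that do not use host-based authentication, the same functions can be read the other way round: a set-uid ssh-keysign with EnableSSHKeysign unset is privileged code that serves no purpose there.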