Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   20652 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

ssh-keysign(1M)		System Administration Commands	       ssh-keysign(1M)

NAME
       ssh-keysign - ssh helper program for host-based authentication

SYNOPSIS
       ssh-keysign

DESCRIPTION
       ssh-keysign  is used by ssh(1) to access the local host keys and gener‐
       ate the digital signature  required  during  host-based	authentication
       with  SSH  protocol version 2. This signature is of data that includes,
       among other items, the name of the client host  and  the	 name  of  the
       client user.

       ssh-keysign  is	disabled  by  default  and  can be enabled only in the
       global client configuration file /etc/ssh/ssh_config by	setting	 Host‐
       basedAuthentication to yes.

       ssh-keysign  is	not  intended to be invoked by the user, but from ssh.
       See ssh(1) and sshd(1M) for more information about host-based authenti‐
       cation.

FILES
       /etc/ssh/ssh_config

	   Controls whether ssh-keysign is enabled.

       /etc/ssh/ssh_host_dsa_key
       /etc/ssh/ssh_host_rsa_key

	   These files contain the private parts of the host keys used to gen‐
	   erate the digital signature. They should be owned by root, readable
	   only	 by root, and not accessible to others. Because they are read‐
	   able only by root, ssh-keysign must be set-uid root	if  host-based
	   authentication is used.

SECURITY
       ssh-keysign will not sign host-based authentication data under the fol‐
       lowing conditions:

	 ·  If the HostbasedAuthentication client configuration	 parameter  is
	    not	 set  to  yes  in  /etc/ssh/ssh_config. This setting cannot be
	    overriden in users' ~/.ssh/ssh_config files.

	 ·  If the client hostname and username in /etc/ssh/ssh_config do  not
	    match  the	canonical  hostname of the client where ssh-keysign is
	    invoked and the name of the user invoking ssh-keysign.

       In spite of ssh-keysign's restrictions on the  contents	of  the	 host-
       based authentication data, there remains the ability of users to use it
       as an avenue for obtaining the client's private	host  keys.  For  this
       reason host-based authentication is turned off by default.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWsshu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Evolving			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       ssh(1), sshd(1M), ssh_config(4), attributes(5)

AUTHORS
       Markus Friedl, markus@openbsd.org

HISTORY
       ssh-keysign first appeared in Ox 3.2.

SunOS 5.10			  9 Jun 2004		       ssh-keysign(1M)

Vote for polarhome