ssh-keysign man page on SmartOS


SSH-KEYSIGN(1M)						       SSH-KEYSIGN(1M)

NAME
       ssh-keysign - ssh helper program for host-based authentication

SYNOPSIS
       ssh-keysign

DESCRIPTION
       ssh-keysign  is used by ssh(1) to access the local host keys and gener‐
       ate the digital signature  required  during  host-based	authentication
       with  SSH  protocol version 2. This signature is of data that includes,
       among other items, the name of the client host  and  the	 name  of  the
       client user.

       ssh-keysign  is	disabled  by  default  and  can be enabled only in the
       global client configuration file /etc/ssh/ssh_config by	setting	 Host‐
       basedAuthentication to yes.

       ssh-keysign  is	not  intended to be invoked by the user, but from ssh.
       See ssh(1) and sshd(1M) for more information about host-based authenti‐
       cation.

FILES
       /etc/ssh/ssh_config
				    Controls whether ssh-keysign is enabled.

       /etc/ssh/ssh_host_dsa_key
       /etc/ssh/ssh_host_rsa_key
				    These  files  contain the private parts of
				    the host keys used to generate the digital
				    signature.	They  should be owned by root,
				    readable only by root, and not  accessible
				    to	others. Because they are readable only
				    by root, ssh-keysign must be set-uid  root
				    if host-based authentication is used.

SECURITY
       ssh-keysign will not sign host-based authentication data under the fol‐
       lowing conditions:

	   o	  If the HostbasedAuthentication client configuration  parame‐
		  ter  is  not set to yes in /etc/ssh/ssh_config. This setting
		  cannot be overridden in users' ~/.ssh/ssh_config files.

	   o	  If the client hostname and username  in  /etc/ssh/ssh_config
		  do not match the canonical hostname of the client where ssh-
		  keysign is invoked and the name of the  user	invoking  ssh-
		  keysign.

       In  spite  of  ssh-keysign's  restrictions on the contents of the host-
       based authentication data, there remains the ability of users to use it
       as  an  avenue  for  obtaining the client's private host keys. For this
       reason host-based authentication is turned off by default.
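
       The conditions listed under FILES and SECURITY can be audited with a
       short POSIX shell script. This is an added example, not part of the
       original man page or of OpenSSH. The function names are hypothetical,
       and the ssh-keysign path is passed as an argument because this page
       does not give it.

```shell
#!/bin/sh
# Added example. Simplification: Host/Match blocks are not evaluated; any
# uncommented "HostbasedAuthentication yes" line counts as enabled.

# hostbased_enabled CONFIG -> exit 0 if the option is set to yes
hostbased_enabled() {
    awk '{ sub(/#.*/, ""); gsub(/[=]/, " ") }
         tolower($1) == "hostbasedauthentication" && tolower($2) == "yes" { on = 1 }
         END { exit(on ? 0 : 1) }' "$1"
}

# owner_and_mode FILE -> prints "<uid> <mode string>", e.g. "0 -rw-------"
owner_and_mode() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $3, $1 }'
}

# key_is_private FILE [UID] -> exit 0 if owned by UID (default 0, root)
# and no group or other permission bits are set
key_is_private() {
    set -- "$1" "${2:-0}" $(owner_and_mode "$1")
    [ "$3" = "$2" ] || return 1
    case "$4" in -???------*) return 0 ;; esac
    return 1
}

# keysign_is_setuid FILE [UID] -> exit 0 if FILE is set-uid and owned by UID
keysign_is_setuid() {
    set -- "$1" "${2:-0}" $(owner_and_mode "$1")
    [ "$3" = "$2" ] && [ -u "$1" ]
}

# audit CONFIG KEYSIGN KEY... -> prints findings, exit 1 on any WARN
audit() {
    cfg=$1 keysign=$2 rc=0; shift 2
    if hostbased_enabled "$cfg"; then
        keysign_is_setuid "$keysign" ||
            { echo "WARN: host-based auth enabled but $keysign is not set-uid root"; rc=1; }
    elif keysign_is_setuid "$keysign"; then
        echo "NOTE: $keysign is set-uid root although host-based auth is off"
    fi
    for k in "$@"; do
        [ -e "$k" ] || continue
        key_is_private "$k" ||
            { echo "WARN: $k must be owned by root with no group/other access"; rc=1; }
    done
    return "$rc"
}
# Usage (KEYSIGN path is site-specific, not given on this page):
#   audit /etc/ssh/ssh_config KEYSIGN /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
```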

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────┐
       │  ATTRIBUTE TYPE    │ ATTRIBUTE VALUE │
       ├────────────────────┼─────────────────┤
       │Interface Stability │ Evolving	      │
       └────────────────────┴─────────────────┘

SEE ALSO
       ssh(1), sshd(1M), ssh_config(4), attributes(5)

AUTHORS
       Markus Friedl, markus@openbsd.org

HISTORY
       ssh-keysign first appeared in OpenBSD 3.2.

				  Jun 9, 2004		       SSH-KEYSIGN(1M)