Return to bug 17292

(-)ssh.1 (-15 / +21 lines)
Lines 243-249 Link Here
243
Forwarding of arbitrary TCP/IP connections over the secure channel can
243
Forwarding of arbitrary TCP/IP connections over the secure channel can
244
be specified either on command line or in a configuration file.  One
244
be specified either on command line or in a configuration file.  One
245
possible application of TCP/IP forwarding is a secure connection to an
245
possible application of TCP/IP forwarding is a secure connection to an
246
electronic purse; another is going trough firewalls.
246
electronic purse; another is going through firewalls.
247
.Pp
247
.Pp
248
.Nm
248
.Nm
249
automatically maintains and checks a database containing RSA-based
249
automatically maintains and checks a database containing RSA-based
Lines 266-272 Link Here
266
.Sh OPTIONS
266
.Sh OPTIONS
267
.Bl -tag -width Ds
267
.Bl -tag -width Ds
268
.It Fl a
268
.It Fl a
269
Disables forwarding of the authentication agent connection. This may
269
Disables forwarding of the authentication agent connection.  This may
270
also be specified on a per-host basis in the configuration file.
270
also be specified on a per-host basis in the configuration file.
271
.It Fl c Ar blowfish|3des
271
.It Fl c Ar blowfish|3des
272
Selects the cipher to use for encrypting the session. 
272
Selects the cipher to use for encrypting the session. 
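Review bot: the line "Selects the cipher to use for encrypting the session. " at 272 keeps its trailing whitespace on both sides of the diff; since this hunk is already normalising sentence spacing, strip the trailing blank here as well. The same trailing space survives unchanged at 478/479 ("The argument to "), 609 ("The argument to ") and on the `.Xr skey 1 ` line at 444/450 of sshd.8.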
Lines 316-322 Link Here
316
options (and multiple identities specified in
316
options (and multiple identities specified in
317
configuration files).
317
configuration files).
318
.It Fl k
318
.It Fl k
319
Disables forwarding of Kerberos tickets and AFS tokens. This may
319
Disables forwarding of Kerberos tickets and AFS tokens.  This may
320
also be specified on a per-host basis in the configuration file.
320
also be specified on a per-host basis in the configuration file.
321
.It Fl l Ar login_name
321
.It Fl l Ar login_name
322
Specifies the user to log in as on the remote machine.  This may also
322
Specifies the user to log in as on the remote machine.  This may also
Lines 475-481 Link Here
475
argument given on the command line (i.e., the name is not converted to
475
argument given on the command line (i.e., the name is not converted to
476
a canonicalized host name before matching).
476
a canonicalized host name before matching).
477
.It Cm AFSTokenPassing
477
.It Cm AFSTokenPassing
478
Specifies whether to pass AFS tokens to remote host. The argument to 
478
Specifies whether to pass AFS tokens to remote host.  The argument to 
479
this keyword must be
479
this keyword must be
480
.Dq yes
480
.Dq yes
481
or
481
or
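Review bot: "Specifies whether to pass AFS tokens to remote host." at 478 is missing an article ("to the remote host") and uses different wording from the sshd.8 entry for the same keyword ("may be forwarded to the server", 200); while the line is being touched for spacing, align the two descriptions.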
Lines 494-500 Link Here
494
.Dq yes ,
494
.Dq yes ,
495
ssh will additionally check the host ip address in the
495
ssh will additionally check the host ip address in the
496
.Pa known_hosts
496
.Pa known_hosts
497
file. This allows ssh to detect if a host key changed due to DNS spoofing.
497
file.  This allows ssh to detect if a host key changed due to DNS spoofing.
498
If the option is set to
498
If the option is set to
499
.Dq no ,
499
.Dq no ,
500
the check will not be executed.
500
the check will not be executed.
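Review bot: at 495 "ssh will additionally check the host ip address" uses the plain word "ssh" where the rest of the page uses the `.Nm` macro, and "ip" should be "IP"; the same plain "ssh" appears at 497. Suggest `.Nm` on its own line followed by "will additionally check the host IP address in the".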
Lines 606-619 Link Here
606
.Dq no
606
.Dq no
607
in both the server and the client configuration files.
607
in both the server and the client configuration files.
608
.It Cm KerberosAuthentication
608
.It Cm KerberosAuthentication
609
Specifies whether Kerberos authentication will be used. The argument to 
609
Specifies whether Kerberos authentication will be used.  The argument to 
610
this keyword must be
610
this keyword must be
611
.Dq yes
611
.Dq yes
612
or
612
or
613
.Dq no .
613
.Dq no .
614
.It Cm KerberosTgtPassing
614
.It Cm KerberosTgtPassing
615
Specifies whether a Kerberos TGT will be forwarded to the server. This
615
Specifies whether a Kerberos TGT will be forwarded to the server.  This
616
will only work if the Kerberos server is actually an AFS kaserver. The
616
will only work if the Kerberos server is actually an AFS kaserver.  The
617
argument to this keyword must be
617
argument to this keyword must be
618
.Dq yes
618
.Dq yes
619
or
619
or
Lines 632-639 Link Here
632
QUIET, FATAL, ERROR, INFO, CHAT and DEBUG.
632
QUIET, FATAL, ERROR, INFO, CHAT and DEBUG.
633
The default is INFO.
633
The default is INFO.
634
.It Cm NumberOfPasswordPrompts
634
.It Cm NumberOfPasswordPrompts
635
Specifies the number of password prompts before giving up. The
635
Specifies the number of password prompts before giving up.  The
636
argument to this keyword must be an integer. Default is 3.
636
argument to this keyword must be an integer.  Default is 3.
637
.It Cm PasswordAuthentication
637
.It Cm PasswordAuthentication
638
Specifies whether to use password authentication.  The argument to
638
Specifies whether to use password authentication.  The argument to
639
this keyword must be
639
this keyword must be
Lines 645-653 Link Here
645
22.
645
22.
646
.It Cm ProxyCommand
646
.It Cm ProxyCommand
647
Specifies the command to use to connect to the server.  The command
647
Specifies the command to use to connect to the server.  The command
648
string extends to the end of the line, and is executed with /bin/sh.
648
string extends to the end of the line, and is executed with
649
In the command string, %h will be substituted by the host name to
649
.Pa /bin/sh .
650
connect and %p by the port.  The command can be basically anything,
650
In the command string,
651
.Dq %h
652
will be substituted by the host name to
653
connect and
654
.Dq %p
655
by the port.  The command can be basically anything,
651
and should read from its stdin and write to its stdout.  It should
656
and should read from its stdin and write to its stdout.  It should
652
eventually connect an
657
eventually connect an
653
.Xr sshd 8
658
.Xr sshd 8
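Review bot: the ProxyCommand text at 648-655 now says the command string is executed with `.Pa /bin/sh` and that `.Dq %h` and `.Dq %p` are substituted, but it still does not say whether the substituted host name and port are quoted or otherwise protected before the shell sees them. Anyone writing a ProxyCommand needs that to know how to quote the expansion, so state explicitly what the substitution does (and, if the value is inserted verbatim, say so).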
Lines 771-777 Link Here
771
to point to a value of the form
776
to point to a value of the form
772
.Dq hostname:n
777
.Dq hostname:n
773
where hostname indicates
778
where hostname indicates
774
the host where the shell runs, and n is an integer >= 1.  Ssh uses
779
the host where the shell runs, and n is an integer \*(>= 1.  Ssh uses
775
this special value to forward X11 connections over the secure
780
this special value to forward X11 connections over the secure
776
channel.  The user should normally not set DISPLAY explicitly, as that
781
channel.  The user should normally not set DISPLAY explicitly, as that
777
will render the X11 connection insecure (and will require the user to
782
will render the X11 connection insecure (and will require the user to
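Review bot: `\*(>=` at 779 is the right predefined string for the "greater than or equal" glyph, but "Ssh uses" on the same line is still a capitalised plain word rather than `.Nm`; move "Ssh uses" to its own `.Nm` line ("uses" as the macro's trailing text) to match the rest of the page.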
Lines 924-930 Link Here
924
.Xr rsh 1 .
929
.Xr rsh 1 .
925
.It Pa /etc/hosts.equiv
930
.It Pa /etc/hosts.equiv
926
This file is used during
931
This file is used during
927
.Pa \&.rhosts authentication.  It contains
932
.Pa \&.rhosts
933
authentication.  It contains
928
canonical hosts names, one per line (the full format is described on
934
canonical hosts names, one per line (the full format is described on
929
the
935
the
930
.Xr sshd 8
936
.Xr sshd 8
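Review bot: splitting `.Pa \&.rhosts` onto its own line at 932-933 is the right fix, since `authentication.` would otherwise have been formatted as part of the path; the next line, "canonical hosts names, one per line" (928/934), still has the plural slip and should read "canonical host names".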
(-)sshd.8 (-27 / +45 lines)
Lines 186-192 Link Here
186
.Sh CONFIGURATION FILE
186
.Sh CONFIGURATION FILE
187
.Nm
187
.Nm
188
reads configuration data from 
188
reads configuration data from 
189
.Pa /etc/sshd_config
189
.Pa /etc/ssh/sshd_config
190
(or the file specified with
190
(or the file specified with
191
.Fl f
191
.Fl f
192
on the command line).  The file
192
on the command line).  The file
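Review bot: the corrected path `.Pa /etc/ssh/sshd_config` at 189 now agrees with the FILES entry at 661; before merging, grep both pages for any remaining `/etc/sshd_config` or `/etc/ssh_config` reference (the ssh.1 CONFIGURATION FILE section is not in this diff) so the two pages do not disagree about where the files live.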
Lines 197-203 Link Here
197
The following keywords are possible.
197
The following keywords are possible.
198
.Bl -tag -width Ds
198
.Bl -tag -width Ds
199
.It Cm AFSTokenPassing
199
.It Cm AFSTokenPassing
200
Specifies whether an AFS token may be forwarded to the server. Default is
200
Specifies whether an AFS token may be forwarded to the server.  Default is
201
.Dq yes .
201
.Dq yes .
202
.It Cm AllowGroups
202
.It Cm AllowGroups
203
This keyword can be followed by a number of group names, separated
203
This keyword can be followed by a number of group names, separated
Lines 323-340 Link Here
323
.Dq no
323
.Dq no
324
in both the server and the client configuration files.
324
in both the server and the client configuration files.
325
.It Cm KerberosAuthentication
325
.It Cm KerberosAuthentication
326
Specifies whether Kerberos authentication is allowed. This can
326
Specifies whether Kerberos authentication is allowed.  This can
327
be in the form of a Kerberos ticket, or if
327
be in the form of a Kerberos ticket, or if
328
.Cm PasswordAuthentication
328
.Cm PasswordAuthentication
329
is yes, the password provided by the user will be validated through
329
is yes, the password provided by the user will be validated through
330
the Kerberos KDC. Default is
330
the Kerberos KDC.  Default is
331
.Dq yes .
331
.Dq yes .
332
.It Cm KerberosOrLocalPasswd
332
.It Cm KerberosOrLocalPasswd
333
If set then if password authentication through Kerberos fails then
333
If set then if password authentication through Kerberos fails then
334
the password will be validated via any additional local mechanism
334
the password will be validated via any additional local mechanism
335
such as
335
such as
336
.Pa /etc/passwd
336
.Pa /etc/passwd
337
or SecurID. Default is
337
or SecurID.  Default is
338
.Dq yes .
338
.Dq yes .
339
.It Cm KerberosTgtPassing
339
.It Cm KerberosTgtPassing
340
Specifies whether a Kerberos TGT may be forwarded to the server.
340
Specifies whether a Kerberos TGT may be forwarded to the server.
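Review bot: at 333 "If set then if password authentication through Kerberos fails then the password will be validated ..." is still awkward and, unlike the neighbouring keywords, never states what the argument form is; suggest "If set to yes, a password that fails Kerberos validation will be validated via any additional local mechanism such as ...". Also at 329 "is yes" should use `.Dq yes` like the defaults at 331, 338 and 347.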
Lines 343-349 Link Here
343
as this only works when the Kerberos KDC is actually an AFS kaserver.
343
as this only works when the Kerberos KDC is actually an AFS kaserver.
344
.It Cm KerberosTicketCleanup
344
.It Cm KerberosTicketCleanup
345
Specifies whether to automatically destroy the user's ticket cache
345
Specifies whether to automatically destroy the user's ticket cache
346
file on logout. Default is
346
file on logout.  Default is
347
.Dq yes .
347
.Dq yes .
348
.It Cm KeyRegenerationInterval
348
.It Cm KeyRegenerationInterval
349
The server key is automatically regenerated after this many seconds
349
The server key is automatically regenerated after this many seconds
Lines 418-436 Link Here
418
or equivalent.)  The default is
418
or equivalent.)  The default is
419
.Dq yes .
419
.Dq yes .
420
.It Cm RandomSeed
420
.It Cm RandomSeed
421
Obsolete.  Random number generation uses other techniques.
421
Obsolete - accepted and ignored with a warning.
422
Random number generation uses other techniques.
422
.It Cm RhostsAuthentication
423
.It Cm RhostsAuthentication
423
Specifies whether authentication using rhosts or /etc/hosts.equiv
424
Specifies whether authentication using rhosts or
425
.Pa /etc/hosts.equiv
424
files is sufficient.  Normally, this method should not be permitted
426
files is sufficient.  Normally, this method should not be permitted
425
because it is insecure. 
427
because it is insecure. 
426
.Cm RhostsRSAAuthentication
428
.Cm RhostsRSAAuthentication
427
should be used
429
should be used
428
instead, because it performs RSA-based host authentication in addition
430
instead, because it performs RSA-based host authentication in addition
429
to normal rhosts or /etc/hosts.equiv authentication.
431
to normal rhosts or
432
.Pa /etc/hosts.equiv
433
authentication.
430
The default is
434
The default is
431
.Dq no .
435
.Dq no .
432
.It Cm RhostsRSAAuthentication
436
.It Cm RhostsRSAAuthentication
433
Specifies whether rhosts or /etc/hosts.equiv authentication together
437
Specifies whether rhosts or
438
.Pa /etc/hosts.equiv
439
authentication together
434
with successful RSA host authentication is allowed.  The default is
440
with successful RSA host authentication is allowed.  The default is
435
.Dq no .
441
.Dq no .
436
.It Cm RSAAuthentication
442
.It Cm RSAAuthentication
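Review bot: "Obsolete - accepted and ignored with a warning." at 421 uses a bare hyphen as a dash; in mdoc either recast it ("Obsolete; accepted and ignored with a warning.") or use `\(em`. The new wording also makes a behavioural claim the old text did not (a warning is emitted), so confirm the config parser really warns rather than silently ignoring the keyword before documenting it that way.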
Lines 444-450 Link Here
444
.Xr skey 1 
450
.Xr skey 1 
445
authentication is allowed.  The default is
451
authentication is allowed.  The default is
446
.Dq yes .
452
.Dq yes .
447
Note that s/key authentication is enabled only if
453
Note that S/Key authentication is enabled only if
448
.Cm PasswordAuthentication
454
.Cm PasswordAuthentication
449
is allowed, too.
455
is allowed, too.
450
.It Cm StrictModes
456
.It Cm StrictModes
Lines 463-469 Link Here
463
.It Cm UseLogin
469
.It Cm UseLogin
464
Specifies whether
470
Specifies whether
465
.Xr login 1
471
.Xr login 1
466
is used. The default is
472
is used.  The default is
467
.Dq no .
473
.Dq no .
468
.It Cm X11DisplayOffset
474
.It Cm X11DisplayOffset
469
Specifies the first display number available for
475
Specifies the first display number available for
Lines 516-525 Link Here
516
exists, runs it; else if
522
exists, runs it; else if
517
.Pa /etc/ssh/sshrc
523
.Pa /etc/ssh/sshrc
518
exists, runs
524
exists, runs
519
it; otherwise runs xauth.  The
525
it; otherwise runs
526
.Xr xauth 1 .
527
The
520
.Dq rc
528
.Dq rc
521
files are given the X11
529
files are given the X11
522
authentication protocol and cookie in standard input.
530
authentication protocol and cookie (if applicable) in standard input.
523
.It
531
.It
524
Runs user's shell or command.
532
Runs user's shell or command.
525
.El
533
.El
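Review bot: "(if applicable)" at 530 leaves the reader guessing when the cookie is absent; the FILES entry for `$HOME/.ssh/rc` at 779 already says the pair is supplied "If X11 spoofing is in use", so say that here too ("and cookie, when X11 forwarding is in use"). While at it, the two passages use different terms ("X11 spoofing" at 779, X11 forwarding elsewhere in ssh.1 at 775/780); pick one.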
Lines 593-603 Link Here
593
Prevents tty allocation (a request to allocate a pty will fail).
601
Prevents tty allocation (a request to allocate a pty will fail).
594
.El
602
.El
595
.Ss Examples
603
.Ss Examples
596
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
604
.Bd -literal
597
.Pp
605
1024 33 12121...312314325 ylo@foo.bar
598
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula
606
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
599
.Pp
607
command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
600
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
608
.Ed
601
.Sh SSH_KNOWN_HOSTS FILE FORMAT
609
.Sh SSH_KNOWN_HOSTS FILE FORMAT
602
The 
610
The 
603
.Pa /etc/ssh/ssh_known_hosts
611
.Pa /etc/ssh/ssh_known_hosts
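Review bot: the new `.Bd -literal` at 604 (and the one at 656 for the ssh_known_hosts example) has no `-offset indent`, whereas the rc example added at 792 uses `.Bd -literal -offset indent`; use the same form for all three so the examples render consistently. Note also that inside a literal display the long authorized_keys lines at 605-607 are no longer filled, so they will run past 80 columns on a standard terminal; keeping the "..." elisions short is what makes that tolerable.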
Lines 645-651 Link Here
645
.Pa /etc/ssh/ssh_host_key.pub
653
.Pa /etc/ssh/ssh_host_key.pub
646
and adding the host names at the front.
654
and adding the host names at the front.
647
.Ss Examples
655
.Ss Examples
648
closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi
656
.Bd -literal
657
closenet,closenet.hut.fi,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
658
.Ed
649
.Sh FILES
659
.Sh FILES
650
.Bl -tag -width Ds
660
.Bl -tag -width Ds
651
.It Pa /etc/ssh/sshd_config
661
.It Pa /etc/ssh/sshd_config
Lines 687-693 Link Here
687
listed in one of these files to be accepted.
697
listed in one of these files to be accepted.
688
The client uses the same files
698
The client uses the same files
689
to verify that the remote host is the one we intended to
699
to verify that the remote host is the one we intended to
690
connect. These files should be writable only by root/the owner.
700
connect.  These files should be writable only by root/the owner.
691
.Pa /etc/ssh/ssh_known_hosts
701
.Pa /etc/ssh/ssh_known_hosts
692
should be world-readable, and
702
should be world-readable, and
693
.Pa $HOME/.ssh/known_hosts
703
.Pa $HOME/.ssh/known_hosts
Lines 698-704 Link Here
698
refuses to let anyone except root log in.  The contents of the file
708
refuses to let anyone except root log in.  The contents of the file
699
are displayed to anyone trying to log in, and non-root connections are
709
are displayed to anyone trying to log in, and non-root connections are
700
refused.  The file should be world-readable.
710
refused.  The file should be world-readable.
701
.It Pa /etc/hosts.allow, /etc/hosts.deny
711
.It Pa /etc/hosts.allow , /etc/hosts.deny
702
If compiled with
712
If compiled with
703
.Sy LIBWRAP
713
.Sy LIBWRAP
704
support, tcp-wrappers access controls may be defined here as described in
714
support, tcp-wrappers access controls may be defined here as described in
Lines 720-726 Link Here
720
.Pa .rhosts .
730
.Pa .rhosts .
721
However, this file is
731
However, this file is
722
not used by rlogin and rshd, so using this permits access using SSH only.
732
not used by rlogin and rshd, so using this permits access using SSH only.
723
.Pa /etc/hosts.equiv
733
.It Pa /etc/hosts.equiv
724
This file is used during
734
This file is used during
725
.Pa .rhosts
735
.Pa .rhosts
726
authentication.  In the
736
authentication.  In the
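Review bot: adding the missing `.It` at 733 is a real fix, since without it the `/etc/hosts.equiv` entry was being rendered as body text of the preceding `$HOME/.hushlogin`-style item rather than as its own list entry. Separately, 732 says the file "is not used by rlogin and rshd", mixing a client name with a daemon name; for a statement about which servers consult the file, "rlogind and rshd" (ideally as `.Xr` references) is what is meant.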
Lines 762-768 Link Here
762
and assignment lines of the form name=value.  The file should be writable
772
and assignment lines of the form name=value.  The file should be writable
763
only by the user; it need not be readable by anyone else.
773
only by the user; it need not be readable by anyone else.
764
.It Pa $HOME/.ssh/rc
774
.It Pa $HOME/.ssh/rc
765
If this file exists, it is run with /bin/sh after reading the
775
If this file exists, it is run with
776
.Pa /bin/sh
777
after reading the
766
environment files but before starting the user's shell or command.  If
778
environment files but before starting the user's shell or command.  If
767
X11 spoofing is in use, this will receive the "proto cookie" pair in
779
X11 spoofing is in use, this will receive the "proto cookie" pair in
768
standard input (and
780
standard input (and
Lines 776-788 Link Here
776
accessible; AFS is a particular example of such an environment.
788
accessible; AFS is a particular example of such an environment.
777
.Pp
789
.Pp
778
This file will probably contain some initialization code followed by
790
This file will probably contain some initialization code followed by
779
something similar to: "if read proto cookie; then echo add $DISPLAY
791
something similar to:
780
$proto $cookie | xauth -q -; fi".
792
.Bd -literal -offset indent
793
if [ -n "$DISPLAY" ] && read proto cookie; then
794
    echo add $DISPLAY $proto $cookie | xauth -q -
795
fi
796
.Ed
781
.Pp
797
.Pp
782
If this file does not exist,
798
If this file does not exist,
783
.Pa /etc/ssh/sshrc
799
.Pa /etc/ssh/sshrc
784
is run, and if that
800
is run, and if that
785
does not exist either, xauth is used to store the cookie.
801
does not exist either,
802
.Xr xauth 1
803
is used to store the cookie.
786
.Pp
804
.Pp
787
This file should be writable only by the user, and need not be
805
This file should be writable only by the user, and need not be
788
readable by anyone else.
806
readable by anyone else.
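Review bot: in the new rc example at 793-795 the variables in `echo add $DISPLAY $proto $cookie` are unquoted; since this is a script users will copy into `$HOME/.ssh/rc`, write `echo add "$DISPLAY" "$proto" "$cookie" | xauth -q -` and use `read -r proto cookie` so the example is safe under word splitting and backslashes. The added `[ -n "$DISPLAY" ]` guard is sensible; note that when it is false the cookie pair described at 779 is simply left unread on stdin, which is harmless but worth a one-line comment in the example.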
