Found 2243 results in 23 files.
android.googlesource.com/platform/external/openssh:hostfile.c: [ master, ]
232: 	const char *host;
467: 	const char *host;
120: host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
464: struct host_delete_ctx {
475: host_delete(struct hostkey_foreach_line *l, void *_ctx)
65: struct hostkeys {
164: hostfile_read_key(char **cpp, u_int *bitsp, struct sshkey *ret)
234: 	struct hostkeys *hostkeys;
531: hostfile_replace_entries(const char *filename, const char *host, const char *ip,
669: hostkeys_foreach(const char *path, hostkeys_foreach_fn *callback, void *ctx,
418: write_host_entry(FILE *f, const char *host, const char *ip,
448: add_host_to_hostfile(const char *filename, const char *host,
223: init_hostkeys(void)
238: record_hostkey(struct hostkey_foreach_line *l, void *_ctx)
271: load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
292: free_hostkeys(struct hostkeys *hostkeys)
342: check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
401: check_key_in_hostkeys(struct hostkeys *hostkeys, struct sshkey *key,
410: lookup_key_in_hostkeys_by_type(struct hostkeys *hostkeys, int keytype,
651: match_maybe_hashed(const char *host, const char *names, int *was_hashed)
79: 	if (l < sizeof(HASH_MAGIC) - 1) {
83: 	if (strncmp(s, HASH_MAGIC, sizeof(HASH_MAGIC) - 1) != 0) {
87: 	s += sizeof(HASH_MAGIC) - 1;
88: 	l -= sizeof(HASH_MAGIC) - 1;
89: 	if ((p = memchr(s, HASH_DELIM, l)) == NULL) {
135: 		/* Extract salt from known host entry */
143: 	    ssh_hmac_update(ctx, host, strlen(host)) < 0 ||
152: 	snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
153: 	    HASH_DELIM, uu_result);
258: 	hostkeys->entries[hostkeys->num_entries].host = xstrdup(ctx->host);
276: 	ctx.host = host;
280: 	if ((r = hostkeys_foreach(path, record_hostkey, &ctx, host, NULL,
288: 		    ctx.num_loaded, host);
297: 		free(hostkeys->entries[i].host);
330:  * HOST_FOUND, otherwise HOST_NEW.
333:  *  1. If the key is a cert and a matching CA is found, return HOST_OK
334:  *  2. If the key is not a cert and a matching key is found, return HOST_OK
336:  *     return HOST_CHANGED
337:  *  4. If no matching keys are found, then return HOST_NEW.
346: 	HostStatus end_return = HOST_NEW;
364: 			end_return = HOST_FOUND;
374: 				end_return = HOST_OK;
381: 				end_return = HOST_OK;
387: 			end_return = HOST_CHANGED;
393: 		end_return = HOST_REVOKED;
414: 	    found) == HOST_FOUND);
419:     const struct sshkey *key, int store_hash)
422: 	char *hashed_host = NULL;
424: 	if (store_hash) {
425: 		if ((hashed_host = host_hash(host, NULL, 0)) == NULL) {
426: 			error("%s: host_hash failed", __func__);
429: 		fprintf(f, "%s ", hashed_host);
431: 		fprintf(f, "%s,%s ", host, ip);
433: 		fprintf(f, "%s ", host);
444:  * Appends an entry to the host file.  Returns false if the entry could not
449:     const struct sshkey *key, int store_hash)
459: 	success = write_host_entry(f, host, NULL, key, store_hash);
468: 	int *skip_keys; /* XXX split for host/ip? might want to ensure both */
477: 	struct host_delete_ctx *ctx = (struct host_delete_ctx *)_ctx;
514: 		do_log2(loglevel, "%s%s%s:%ld: Removed %s key for host %s",
516: 		    l->path, l->linenum, sshkey_type(l->key), ctx->host);
532:     struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg)
536: 	struct host_delete_ctx ctx;
544: 	ctx.host = host;
575: 	/* Remove all entries for the specified host from the file */
576: 	if ((r = hostkeys_foreach(filename, host_delete, &ctx, host, ip,
586: 		if ((fp = sshkey_fingerprint(keys[i], hash_alg,
592: 		    quiet ? __func__ : "", quiet ? ": " : "", host, filename,
595: 		if (!write_host_entry(ctx.out, host, ip, keys[i], store_hash)) {
653: 	int hashed = *names == HASH_DELIM;
654: 	const char *hashed_host;
660: 		if ((hashed_host = host_hash(host, names, nlen)) == NULL)
662: 		return nlen == strlen(hashed_host) &&
663: 		    strncmp(hashed_host, names, nlen) == 0;
665: 	return match_hostname(host, names, nlen) == 1;
670:     const char *host, const char *ip, u_int options)
683: 	if (host == NULL && (options & HKF_WANT_MATCH) != 0)
722: 		/* Find the end of the host name portion. */
728: 		/* Check if the host name matches. */
729: 		if (host != NULL) {
730: 			if ((s = match_maybe_hashed(host, lineinfo.hosts,
732: 				debug2("%s: %s:%ld: bad host hash \"%.32s\"",
738: 				lineinfo.match |= HKF_MATCH_HOST |
739: 				    (hashed ? HKF_MATCH_HOST_HASHED : 0);
745: 					debug2("%s: %s:%ld: bad ip hash "
757: 			 * Skip this line if host matching requested and
758: 			 * neither host nor address matched.
765: 		/* Got a match.  Skip host name and any following whitespace */
1: /* $OpenBSD: hostfile.c,v 1.64 2015/02/16 22:08:57 djm Exp $ */
6:  * Functions for manipulating the known hosts files.
58: #include "hostfile.h"
66: 	struct hostkey_entry *entries;
130: 	if (name_from_hostfile == NULL) {
136: 		if (extract_salt(name_from_hostfile, src_len, salt,
187: static HostkeyMarker
222: struct hostkeys *
225: 	struct hostkeys *ret = xcalloc(1, sizeof(*ret));
241: 	struct hostkeys *hostkeys = ctx->hostkeys;
242: 	struct hostkey_entry *tmp;
245: 		error("%s:%ld: parse error in hostkeys file",
254: 	if ((tmp = reallocarray(hostkeys->entries,
255: 	    hostkeys->num_entries + 1, sizeof(*hostkeys->entries))) == NULL)
257: 	hostkeys->entries = tmp;
259: 	hostkeys->entries[hostkeys->num_entries].file = xstrdup(l->path);
260: 	hostkeys->entries[hostkeys->num_entries].line = l->linenum;
261: 	hostkeys->entries[hostkeys->num_entries].key = l->key;
263: 	hostkeys->entries[hostkeys->num_entries].marker = l->marker;
264: 	hostkeys->num_entries++;
278: 	ctx.hostkeys = hostkeys;
283: 			debug("%s: hostkeys_foreach failed for %s: %s",
296: 	for (i = 0; i < hostkeys->num_entries; i++) {
298: 		free(hostkeys->entries[i].file);
299: 		sshkey_free(hostkeys->entries[i].key);
300: 		explicit_bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
302: 	free(hostkeys->entries);
303: 	explicit_bzero(hostkeys, sizeof(*hostkeys));
304: 	free(hostkeys);
308: check_key_not_revoked(struct hostkeys *hostkeys, struct sshkey *k)
313: 	for (i = 0; i < hostkeys->num_entries; i++) {
314: 		if (hostkeys->entries[i].marker != MRK_REVOKE)
316: 		if (sshkey_equal_public(k, hostkeys->entries[i].key))
320: 		    hostkeys->entries[i].key))
341: static HostStatus
343:     struct sshkey *k, int keytype, const struct hostkey_entry **found)
348: 	HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE;
354: 	for (i = 0; i < hostkeys->num_entries; i++) {
355: 		if (proto == 1 && hostkeys->entries[i].key->type != KEY_RSA1)
357: 		if (proto == 2 && hostkeys->entries[i].key->type == KEY_RSA1)
359: 		if (hostkeys->entries[i].marker != want_marker)
362: 			if (hostkeys->entries[i].key->type != keytype)
366: 				*found = hostkeys->entries + i;
367: 			k = hostkeys->entries[i].key;
372: 			    hostkeys->entries[i].key)) {
376: 					*found = hostkeys->entries + i;
380: 			if (sshkey_equal(k, hostkeys->entries[i].key)) {
383: 					*found = hostkeys->entries + i;
389: 				*found = hostkeys->entries + i;
392: 	if (check_key_not_revoked(hostkeys, k) != 0) {
400: HostStatus
402:     const struct hostkey_entry **found)
406: 	return check_hostkeys_by_key_or_type(hostkeys, key, 0, found);
411:     const struct hostkey_entry **found)
413: 	return (check_hostkeys_by_key_or_type(hostkeys, NULL, keytype,
511: 		 * Hostname matches and has no CA/revoke marker, delete it
520: 	/* Retain non-matching hosts and invalid lines when deleting */
522: 		do_log2(loglevel, "%s%s%s:%ld: invalid known_hosts entry",
578: 		error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
657: 	if (was_hashed != NULL)
658: 		*was_hashed = hashed;
659: 	if (hashed) {
677: 	int hashed;
679: 	struct hostkey_foreach_line lineinfo;
725: 		lineinfo.hosts = cp;
731: 			    &hashed)) == -1) {
733: 				    __func__, path, linenum, lineinfo.hosts);
743: 				if ((s = match_maybe_hashed(ip, lineinfo.hosts,
744: 				    &hashed)) == -1) {
747: 					    linenum, lineinfo.hosts);
753: 					    (hashed ? HKF_MATCH_IP_HASHED : 0);
786: 			if (!hostfile_read_key(&cp, &kbits, lineinfo.key)) {
795: 				if (!hostfile_read_key(&cp, &kbits,
android.googlesource.com/platform/external/openssh:servconf.h: [ master, ]
197: 	const char *host;	/* possibly resolved hostname */
64: 	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
66: 	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
68: 	char   *host_key_agent;		 /* ssh-agent socket for host keys. */
191: 	int	fingerprint_hash;
83: 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
100: 	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
101: 	int     hostbased_uses_name_from_packet_only; /* experimental */
102: 	char   *hostbased_key_types;	/* Key types allowed for hostbased */
65: 	int     num_host_key_files;     /* Number of files for host keys. */
67: 	int     num_host_cert_files;     /* Number of files for host certs. */
26: #define MAX_HOSTKEYS		256	/* Max # hostkeys. */
27: #define MAX_HOSTCERTS		256	/* Max # host certificates. */
76: 	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
75: 	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
98: 	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
220: 		M_CP_STROPT(hostbased_key_types); \
77: 						 * for RhostsRsaAuth */
android.googlesource.com/platform/external/openssh:ssh-keygen.c: [ master, ]
1042: 	const char *host;	/* Hostname searched for in find/delete case */
84: int hash_hosts = 0;
86: int find_host = 0;
88: int delete_host = 0;
98: int fingerprint_hash = SSH_FP_HASH_DEFAULT;
1050: known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
175: char hostname[NI_MAXHOST];
1041: struct known_hosts_ctx {
1100: known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
944: do_gen_all_hostkeys(struct passwd *pw)
1148: do_known_hosts(struct passwd *pw, const char *name)
1044: 	int has_unhashed;	/* When hashing, original had unhashed hosts */
6:  * Identity and host key generation and maintenance.
83: /* Flag indicating that we want to hash a known_hosts file */
85: /* Flag indicating that we want lookup a host in known_hosts file */
87: /* Flag indicating that we want to delete a host from a known_hosts file */
97: /* Hash algorithm to use for fingerprints. */
792: 	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
802: 			ra = sshkey_fingerprint(keys[i], fingerprint_hash,
837: 	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
850: 		ra = sshkey_fingerprint(public, fingerprint_hash,
921: 		ra = sshkey_fingerprint(public, fingerprint_hash,
951: 		{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
952: 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
953: 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
955: 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
957: 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
980: 			printf("%s: generating new host keys: ", __progname);
1045: 	int found_key;		/* For find/delete, host was found */
1060: 		 * Don't hash hosts already already hashed, with wildcard
1063: 		if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
1066: 			if (has_wild && !find_host) {
1067: 				fprintf(stderr, "%s:%ld: ignoring host name "
1074: 		 * Split any comma-separated hostnames from the host list,
1075: 		 * hash and store separately.
1079: 			if ((hashed = host_hash(cp, NULL, 0)) == NULL)
1080: 				fatal("hash_host failed");
1105: 		if (delete_host) {
1117: 					printf("# Host %s found: line %ld\n",
1118: 					    ctx->host, l->linenum);
1121: 		} else if (find_host) {
1124: 				printf("# Host %s found: line %ld %s\n",
1125: 				    ctx->host,
1129: 			if (hash_hosts)
1130: 				known_hosts_hash(l, ctx);
1135: 	} else if (delete_host) {
1165: 	ctx.host = name;
1168: 	 * Find hosts goes to stdout, hash and deletions happen in-place
1171: 	if (!find_host && (hash_hosts || delete_host)) {
1190: 	    hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,
1191: 	    name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0)
1206: 	} else if (delete_host && !ctx.found_key) {
1207: 		fprintf(stderr, "Host %s not found in %s\n",
1236: 	exit (find_host && !ctx.found_key);
1917: 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
1919: 	    fingerprint_hash, SSH_FP_DEFAULT);
2208: 	    "       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
2294: 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
2295: 			if (fingerprint_hash == -1)
2296: 				fatal("Invalid hash algorithm \"%s\"", optarg);
2299: 			find_host = 1;
2303: 			hash_hosts = 1;
2315: 			delete_host = 1;
2390: 			cert_key_type = SSH2_CERT_TYPE_HOST;
2505: 	if (print_fingerprint && (delete_host || hash_hosts)) {
2524: 	if (delete_host || hash_hosts || find_host)
2556: 			    _PATH_HOST_RSA_KEY_FILE, rr_hostname);
2558: 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
2560: 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
2562: 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
2733: 		fp = sshkey_fingerprint(public, fingerprint_hash,
2735: 		ra = sshkey_fingerprint(public, fingerprint_hash,
51: #include "hostfile.h"
323: 	    pw->pw_name, hostname);
997: 		    hostname);
1043: 	FILE *out;		/* Output file, stdout for find_hosts case */
1052: 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
1053: 	char *hashed, *cp, *hosts, *ohosts;
1054: 	int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
1069: 				    l->linenum, l->hosts);
1077: 		ohosts = hosts = xstrdup(l->hosts);
1078: 		while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {
1081: 			fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);
1102: 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
1111: 				 * Hostname matches and has no CA/revoke
1136: 		/* Retain non-matching hosts when deleting */
1152: 	struct known_hosts_ctx ctx;
1155: 		cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
1158: 			fatal("Specified known hosts path too long");
1176: 			fatal("known_hosts path too long");
1189: 	if ((r = hostkeys_foreach(identity_file,
1192: 		fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
1198: 		fprintf(stderr, "%s is not a valid known_hosts file.\n",
1201: 			fprintf(stderr, "Not replacing existing known_hosts "
1232: 			    "of hostnames\n");
1773: 		 * Backdate certificate one minute to avoid problems on hosts
2215: 	    "       ssh-keygen -F hostname [-f known_hosts_file] [-l]\n"
2216: 	    "       ssh-keygen -H [-f known_hosts_file]\n"
2217: 	    "       ssh-keygen -R hostname [-f known_hosts_file]\n"
2218: 	    "       ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
2240: 	char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;
2247: 	int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
2274: 	if (gethostname(hostname, sizeof(hostname)) < 0) {
2285: 			gen_all_hostkeys = 1;
2300: 			rr_hostname = optarg;
2316: 			rr_hostname = optarg;
2426: 			rr_hostname = optarg;
2525: 		do_known_hosts(pw, rr_hostname);
2542: 	if (rr_hostname != NULL) {
2547: 			    identity_file, rr_hostname);
2609: 	if (gen_all_hostkeys) {
2610: 		do_gen_all_hostkeys(pw);
2694: 		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
1082: 			ctx->has_unhashed = 1;
1084: 		free(ohosts);
1228: 		if (ctx.has_unhashed) {
1229: 			fprintf(stderr, "WARNING: %s contains unhashed "
2275: 		perror("gethostname");
android.googlesource.com/platform/external/openssh:Makefile.in: [ master, ]
360: host-key: ssh-keygen$(EXEEXT)
391: host-key-force: ssh-keygen$(EXEEXT)
522: UNITTESTS_TEST_HOSTKEYS_OBJS=\
526: regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
91: 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
128: 	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
129: 	-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
130: 	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
131: 	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
132: 	-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
289: install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
362: 		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
363: 			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
365: 			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
367: 		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
368: 			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
370: 			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
372: 		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
373: 			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
375: 			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
377: 		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
378: 			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
380: 			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
383: 		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
384: 			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
386: 			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
392: 	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
393: 	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
394: 	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
395: 	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
396: 	test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
80: 	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
82: 	compat.o crc32.o deattack.o fatal.o hostfile.o \
105: 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
124: 	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
239: 	rm -f regress/unittests/hostkeys/*.o
240: 	rm -f regress/unittests/hostkeys/test_hostkeys
259: 	rm -f regress/unittests/hostkeys/*.o
260: 	rm -f regress/unittests/hostkeys/test_hostkeys
446: 	[ -d `pwd`/regress/unittests/hostkeys ] || \
447: 		mkdir -p `pwd`/regress/unittests/hostkeys
523: 	regress/unittests/hostkeys/tests.o \
524: 	regress/unittests/hostkeys/test_iterate.o
527:     ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
529: 	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
540: 	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
100: SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
127: 	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
android.googlesource.com/platform/external/openssh:readconf.h: [ master, ]
79: 	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
123: 	int	hash_known_hosts;
149: 	int	 fingerprint_hash;
44: 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
75: 	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
78: 	char   *hostname;	/* Real host to connect. */
110: 	int	no_host_authentication_for_localhost;
153: 	char	*hostbased_key_types;
54: 	int     check_host_ip;	/* Also keep track of keys for IP address */
55: 	int     strict_host_key_checking;	/* Strict host key checking. */
91: 	int	verify_host_key_dns;	/* Verify host key using DNS */
131: 	int	visual_host_key;
147: 	char	*revoked_host_keys;
22: #define SSH_MAX_HOSTS_FILES	32
84: 	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts */
85: 	char   *system_hostfiles[SSH_MAX_HOSTS_FILES];
86: 	u_int	num_user_hostfiles;	/* Path for $HOME/.ssh/known_hosts */
87: 	char   *user_hostfiles[SSH_MAX_HOSTS_FILES];
141: 	int	canonicalize_hostname;
151: 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
177: #define SSH_UPDATE_HOSTKEYS_NO	0
178: #define SSH_UPDATE_HOSTKEYS_YES	1
179: #define SSH_UPDATE_HOSTKEYS_ASK	2
40: 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
80: 	char   *proxy_command;	/* Proxy command for connecting the host. */
191: void	 dump_client_config(Options *o, const char *host);
175: #define SSHCONF_POSTCANON	4  /* After hostname canonicalisation */
android.googlesource.com/platform/external/openssh:clientloop.c: [ master, ]
2094: 	char *host_str, *ip_str;
2092: struct hostkeys_update_ctx {
2118: hostkeys_update_ctx_free(struct hostkeys_update_ctx *ctx)
2137: hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
2171: update_known_hosts(struct hostkeys_update_ctx *ctx)
2240: client_global_hostkeys_private_confirm(int type, u_int32_t seq, void *_ctx)
2313: client_input_hostkeys(void)
130:  * Name of the host we are connecting to.  This is the name given on the
134: extern char *host;
564: 		logit("Timeout, server %s not responding.", host);
736: 			 * Received EOF.  The remote host has closed the
740: 			    "Connection to %.300s closed by remote host.\r\n",
741: 			    host);
760: 			    "Read from remote host %.300s: %.100s\r\n",
761: 			    host, strerror(errno));
895: 		logit("      -L[bind_address:]port:host:hostport    "
897: 		logit("      -R[bind_address:]port:host:hostport    "
988: 	free(fwd.listen_host);
990: 	free(fwd.connect_host);
1463:  * remote host.  If escape_char != SSH_ESCAPECHAR_NONE, it is the character
1701: 		    "Connection to %.64s closed.\r\n", host);
1822: 		/* Send a confirmation to the remote host. */
2131: 	free(ctx->host_str);
2147: 	/* Mark off keys we've already seen for this host */
2183: 		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2191: 		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2232: 	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
2233: 	    options.hash_known_hosts, 0,
2234: 	    options.fingerprint_hash)) != 0)
2254: 		    "private host keys");
2347: 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
2370: 				error("%s: received duplicated %s host key",
2394: 	get_hostfile_hostname_ipaddr(host,
2395: 	    options.check_host_ip ? (struct sockaddr *)&hostaddr : NULL,
2396: 	    options.port, &ctx->host_str,
2397: 	    options.check_host_ip ? &ctx->ip_str : NULL);
2401: 	    ctx, ctx->host_str, ctx->ip_str,
115: #include "hostfile.h"
131:  * command line, or the HostName specified for the user-supplied name in a
335: 		 * XXX: "localhost" match to determine FamilyLocal
338: 		if (strncmp(display, "localhost:", 10) == 0) {
2093: 	/* The hostname and (optionally) IP address string for the server */
2098: 	 * whether they already exist in known_hosts.
2099: 	 * keys_seen is filled in by hostkeys_find() and later (for new
2100: 	 * keys) by client_global_hostkeys_private_confirm().
2109: 	 * Keys that are in known_hosts, but were not present in the update
2111: 	 * Filled in by hostkeys_find().
2139: 	struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
2174: 	int loglevel = options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK ?
2185: 		do_log2(loglevel, "Learned new hostkey: %s %s",
2193: 		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
2197: 	if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
2205: 			response = read_passphrase("Accept updated hostkeys? "
2211: 				options.update_hostkeys = 0;
2219: 			options.update_hostkeys = 0;
2227: 	 * them in known_hosts (assuming SSH_UPDATE_HOSTKEYS_ASK didn't
2230: 	if (options.update_hostkeys != 0 &&
2231: 	    (r = hostfile_replace_entries(options.user_hostfiles[0],
2235: 		error("%s: hostfile_replace_entries failed: %s",
2243: 	struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
2255: 		hostkeys_update_ctx_free(ctx);
2274: 		    "hostkeys-prove-00@openssh.com")) != 0 ||
2301: 	/* Make the edits to known_hosts */
2302: 	update_known_hosts(ctx);
2304: 	hostkeys_update_ctx_free(ctx);
2308:  * Handle hostkeys-00@openssh.com global request to inform the client of all
2309:  * the server's hostkeys. The keys are checked against the user's
2310:  * HostkeyAlgorithms preference before they are accepted.
2322: 	static int hostkeys_seen = 0; /* XXX use struct ssh */
2323: 	extern struct sockaddr_storage hostaddr; /* XXX from ssh.c */
2324: 	struct hostkeys_update_ctx *ctx = NULL;
2326: 	if (hostkeys_seen)
2327: 		fatal("%s: server already sent hostkeys", __func__);
2328: 	if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK &&
2331: 	if (!options.update_hostkeys || options.num_user_hostfiles <= 0)
2352: 		/* Check that the key is accepted in HostkeyAlgorithms */
2353: 		if (options.hostkeyalgorithms != NULL &&
2355: 		    options.hostkeyalgorithms,
2356: 		    strlen(options.hostkeyalgorithms), 0) != 1) {
2357: 			debug3("%s: %s key not permitted by HostkeyAlgorithms",
2386: 		debug("%s: server sent no hostkeys", __func__);
2400: 	if ((r = hostkeys_foreach(options.user_hostfiles[0], hostkeys_find,
2403: 		error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
2419: 		update_known_hosts(ctx);
2429: 		    "hostkeys-prove-00@openssh.com")) != 0 ||
2449: 		    client_global_hostkeys_private_confirm, ctx);
2455: 	hostkeys_update_ctx_free(ctx);
2460: 	 * what the client does with its hosts file.
2476: 	if (strcmp(rtype, "hostkeys-00@openssh.com") == 0)
2477: 		success = client_input_hostkeys();
android.googlesource.com/platform/external/openssh:auth2-hostbased.c: [ master, ]
161: hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
59: userauth_hostbased(Authctxt *authctxt)
247: Authmethod method_hostbased = {
137: 	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
165: 	HostStatus host_status;
186: 			    "user \"%.100s\" host \"%.100s\" (from packet)",
198: 			    "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",
213: 	host_status = check_key_in_hostfiles(pw, key, lookup,
218: 	if (host_status == HOST_NEW) {
219: 		host_status = check_key_in_hostfiles(pw, key, lookup,
225: 	if (host_status == HOST_OK) {
228: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
236: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
244: 	return (host_status == HOST_OK);
1: /* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */
43: #include "hostfile.h"
45: #include "canohost.h"
63: 	char *pkalg, *cuser, *chost, *service;
70: 		debug2("userauth_hostbased: disabled because of invalid user");
75: 	chost = packet_get_string(NULL);
79: 	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
80: 	    cuser, chost, pkalg, slen);
91: 		logit("userauth_hostbased: unsupported "
97: 		error("userauth_hostbased: cannot decode key: %s", pkalg);
101: 		error("userauth_hostbased: type mismatch for decoded key "
112: 	    options.hostbased_key_types,
113: 	    strlen(options.hostbased_key_types), 0) != 1) {
114: 		logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
127: 	buffer_put_cstring(&b, "hostbased");
130: 	buffer_put_cstring(&b, chost);
141: 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
148: 	debug2("userauth_hostbased: authenticated %d", authenticated);
154: 	free(chost);
159: /* return 1 if given hostkey is allowed */
172: 	resolvedname = get_canonical_hostname(options.use_dns);
175: 	debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
176: 	    chost, resolvedname, ipaddr);
178: 	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
179: 		debug2("stripping trailing dot from chost %s", chost);
180: 		chost[len - 1] = '\0';
183: 	if (options.hostbased_uses_name_from_packet_only) {
184: 		if (auth_rhosts2(pw, cuser, chost, chost) == 0) {
187: 			    __func__, cuser, chost);
190: 		lookup = chost;
192: 		if (strcasecmp(resolvedname, chost) != 0)
193: 			logit("userauth_hostbased mismatch: "
195: 			    chost, ipaddr, resolvedname);
214: 	    _PATH_SSH_SYSTEM_HOSTFILE,
215: 	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
220: 		    _PATH_SSH_SYSTEM_HOSTFILE2,
221: 		    options.ignore_user_known_hosts ? NULL :
222: 		    _PATH_SSH_USER_HOSTFILE2);
248: 	"hostbased",
249: 	userauth_hostbased,
250: 	&options.hostbased_authentication
185: 			debug2("%s: auth_rhosts2 refused "
196: 		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {
197: 			debug2("%s: auth_rhosts2 refused "
204: 	debug2("%s: access allowed by auth_rhosts2", __func__);
android.googlesource.com/platform/external/openssh:servconf.c: [ master, ]
388: 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
407: 	sAllowStreamLocalForwarding, sFingerprintHash,
379: 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
381: 	sRhostsRSAAuthentication, sRSAAuthentication,
387: 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
392: 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
395: 	sBanner, sUseDNS, sHostbasedAuthentication,
396: 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
401: 	sHostCertificate,
405: 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
87: 	options->num_host_key_files = 0;
88: 	options->num_host_cert_files = 0;
89: 	options->host_key_agent = NULL;
169: 	options->fingerprint_hash = -1;
191: 	if (options->num_host_key_files == 0) {
194: 			options->host_key_files[options->num_host_key_files++] =
195: 			    _PATH_HOST_KEY_FILE;
197: 			options->host_key_files[options->num_host_key_files++] =
198: 			    _PATH_HOST_RSA_KEY_FILE;
199: 			options->host_key_files[options->num_host_key_files++] =
200: 			    _PATH_HOST_DSA_KEY_FILE;
202: 			options->host_key_files[options->num_host_key_files++] =
203: 			    _PATH_HOST_ECDSA_KEY_FILE;
205: 			options->host_key_files[options->num_host_key_files++] =
206: 			    _PATH_HOST_ED25519_KEY_FILE;
338: 	if (options->fingerprint_hash == -1)
339: 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
356: 	for (i = 0; i < options->num_host_key_files; i++)
357: 		CLEAR_ON_NONE(options->host_key_files[i]);
358: 	for (i = 0; i < options->num_host_cert_files; i++)
359: 		CLEAR_ON_NONE(options->host_cert_files[i]);
622: 		fatal("bad addr or host: %s (%s)",
638: 	ci.host = get_canonical_hostname(use_dns);
721: 		debug3("checking match for '%s' user %s host %s addr %s "
723: 		    ci->host ? ci->host : "(null)",
765: 		} else if (strcasecmp(attrib, "host") == 0) {
766: 			if (ci == NULL || ci->host == NULL) {
770: 			if (match_hostname(ci->host, arg, len) != 1)
773: 				debug("connection from %.100s matched 'Host "
774: 				    "%.100s' at line %d", ci->host, arg, line);
1044: 		intptr = &options->num_host_key_files;
1046: 			fatal("%s line %d: too many host keys specified (max %d).",
1048: 		charptr = &options->host_key_files[*intptr];
1063: 		charptr = &options->host_key_agent;
1074: 		intptr = &options->num_host_cert_files;
1076: 			fatal("%s line %d: too many host certificates "
1079: 		charptr = &options->host_cert_files[*intptr];
1606: 				fatal("%s line %d: missing host in PermitOpen",
1744: 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1747: 			options->fingerprint_hash = value;
1837: 		} else if (strncmp(p, "host=", 5) == 0) {
1838: 			ci->host = xstrdup(p + 5);
1865: 	if (ci->user && ci->host && ci->address)
1867: 	if (!ci->user && !ci->host && !ci->address)
2166: 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2183: 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2198: 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2199: 	     o->host_key_files);
2200: 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2201: 	     o->host_cert_files);
54: #include "canohost.h"
56: #include "hostfile.h"
96: 	options->ignore_user_known_hosts = -1;
101: 	options->x11_use_localhost = -1;
110: 	options->hostbased_authentication = -1;
111: 	options->hostbased_uses_name_from_packet_only = -1;
112: 	options->hostbased_key_types = NULL;
192: 		/* fill default hostkeys for protocols */
226: 	if (options->ignore_user_known_hosts == -1)
227: 		options->ignore_user_known_hosts = 0;
236: 	if (options->x11_use_localhost == -1)
237: 		options->x11_use_localhost = 1;
254: 	if (options->hostbased_authentication == -1)
255: 		options->hostbased_authentication = 0;
256: 	if (options->hostbased_uses_name_from_packet_only == -1)
257: 		options->hostbased_uses_name_from_packet_only = 0;
258: 	if (options->hostbased_key_types == NULL)
259: 		options->hostbased_key_types = xstrdup("*");
430: 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
431: 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
432: 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
442: 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
443: 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
444: 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
486: 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
527: 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
540: 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
1045: 		if (*intptr >= MAX_HOSTKEYS)
1047: 			    filename, linenum, MAX_HOSTKEYS);
1075: 		if (*intptr >= MAX_HOSTKEYS)
1078: 			    MAX_HOSTCERTS);
1112: 		intptr = &options->ignore_user_known_hosts;
1120: 		intptr = &options->hostbased_authentication;
1124: 		intptr = &options->hostbased_uses_name_from_packet_only;
1128: 		charptr = &options->hostbased_key_types;
1205: 	case sX11UseLocalhost:
1206: 		intptr = &options->x11_use_localhost;
1738: 	case sFingerprintHash:
1892: 	M_CP_INTOPT(hostbased_authentication);
1893: 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1905: 	M_CP_INTOPT(x11_use_localhost);
2002: 	case sFingerprintHash:
2085: 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2097: 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2125: 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2127: 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2129: 	    o->hostbased_uses_name_from_packet_only);
2152: 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2186: 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2187: 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
95: 	options->ignore_rhosts = -1;
109: 	options->rhosts_rsa_authentication = -1;
224: 	if (options->ignore_rhosts == -1)
225: 		options->ignore_rhosts = 1;
252: 	if (options->rhosts_rsa_authentication == -1)
253: 		options->rhosts_rsa_authentication = 0;
440: 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
441: 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
482: 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
483: 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
1008: 		p = cleanhostname(p);
1043: 	case sHostKeyFile:
1062: 	case sHostKeyAgent:
1073: 	case sHostCertificate:
1092: 	case sIgnoreRhosts:
1093: 		intptr = &options->ignore_rhosts;
1111: 	case sIgnoreUserKnownHosts:
1115: 	case sRhostsRSAAuthentication:
1116: 		intptr = &options->rhosts_rsa_authentication;
1119: 	case sHostbasedAuthentication:
1123: 	case sHostbasedUsesNameFromPacketOnly:
1127: 	case sHostbasedAcceptedKeyTypes:
1608: 			p = cleanhostname(p);
2124: 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2126: 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2128: 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
android.googlesource.com/platform/external/openssh:readconf.c: [ master, ]
132: 	oHost, oMatch,
147: 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
159: 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
137: 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
138: 	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
139: 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
140: 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
144: 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
145: 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
146: 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
148: 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
152: 	oHashKnownHosts,
154: 	oVisualHostKey, oUseRoaming,
156: 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
158: 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
730: static const struct multistate multistate_canonicalizehostname[] = {
72:    # Thus, host-specific definitions should be at the beginning of the
75:    # Host-specific declarations.  These may override anything above.  A single
76:    # host may match multiple declarations; these are processed in the order
79:    Host *.ngs.fi ngs.fi
82:    Host fake.com
83:      HostName another.host.name.real.org
89:    Host books.com
93:    Host fascist.blob.com
98:    Host puukko.hut.fi
102:    Host *.fr
105:    Host *.su
109:    Host vpn.fake.com
114:    Host *
215: 	{ "host", oHost },
303: 	fwd->listen_host = newfwd->listen_host;
306: 	fwd->connect_host = newfwd->connect_host;
326: 	fwd->listen_host = newfwd->listen_host;
329: 	fwd->connect_host = newfwd->connect_host;
342: 		free(options->local_forwards[i].listen_host);
344: 		free(options->local_forwards[i].connect_host);
353: 		free(options->remote_forwards[i].listen_host);
355: 		free(options->remote_forwards[i].connect_host);
489:     const char *host_arg, const char *original_host, int post_canon,
492: 	char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
506: 		host = percent_expand(options->hostname,
507: 		    "h", host_arg, (char *)NULL);
509: 		host = xstrdup(host_arg);
511: 	debug2("checking match for '%s' host %s originally %s",
512: 	    cp, host, original_host);
549: 		if (strcasecmp(attrib, "host") == 0) {
550: 			criteria = xstrdup(host);
551: 			r = match_hostname(host, arg, len) == 1;
555: 			criteria = xstrdup(original_host);
556: 			r = match_hostname(original_host, arg, len) == 1;
579: 			    "h", host,
581: 			    "n", original_host,
624: 	free(host);
745: process_config_line(Options *options, struct passwd *pw, const char *host,
746:     const char *original_host, char *line, const char *filename,
904: 		intptr = &options->check_host_ip;
908: 		intptr = &options->verify_host_key_dns;
913: 		intptr = &options->strict_host_key_checking;
926: 		intptr = &options->no_host_authentication_for_localhost;
1024: 		charptr = &options->host_key_alias;
1122: 			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
1194: 			fatal("Host directive not supported as a command-line "
1202: 			if (match_pattern(host, arg)) {
1204: 					debug("%.200s line %d: Skipping Host "
1224: 			fatal("Host directive not supported as a command-line "
1226: 		value = match_cfg_line(options, &s, pw, host, original_host,
1326: 		intptr = &options->hash_known_hosts;
1356: 		intptr = &options->visual_host_key;
1465: 		charptr = &options->revoked_host_keys;
1469: 		intptr = &options->fingerprint_hash;
1475: 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1529: read_config_file(const char *filename, struct passwd *pw, const char *host,
1530:     const char *original_host, Options *options, int flags)
1554: 	 * on/off by Host specifications.
1561: 		if (process_config_line(options, pw, host, original_host,
1611: 	options->check_host_ip = -1;
1612: 	options->strict_host_key_checking = -1;
1629: 	options->host_key_alias = NULL;
1645: 	options->no_host_authentication_for_localhost = - 1;
1649: 	options->verify_host_key_dns = -1;
1657: 	options->hash_known_hosts = -1;
1664: 	options->visual_host_key = -1;
1675: 	options->revoked_host_keys = NULL;
1676: 	options->fingerprint_hash = -1;
1743: 	if (options->check_host_ip == -1)
1744: 		options->check_host_ip = 1;
1745: 	if (options->strict_host_key_checking == -1)
1746: 		options->strict_host_key_checking = 2;	/* 2 is default */
1806: 	if (options->no_host_authentication_for_localhost == - 1)
1807: 		options->no_host_authentication_for_localhost = 0;
1816: 	if (options->verify_host_key_dns == -1)
1817: 		options->verify_host_key_dns = 0;
1828: 	if (options->hash_known_hosts == -1)
1829: 		options->hash_known_hosts = 0;
1839: 	if (options->visual_host_key == -1)
1840: 		options->visual_host_key = 0;
1855: 	if (options->fingerprint_hash == -1)
1856: 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1872: 	CLEAR_ON_NONE(options->revoked_host_keys);
1875: 	/* options->host_key_alias should not be set by default */
1988: 			fwd->listen_host = NULL;
1991: 		fwd->connect_host = xstrdup("socks");
2001: 			fwd->listen_host = NULL;
2006: 			fwd->listen_host = xstrdup(fwdargs[0].arg);
2008: 			fwd->connect_host = xstrdup("socks");
2016: 			fwd->connect_host = xstrdup(fwdargs[1].arg);
2019: 			fwd->listen_host = xstrdup(fwdargs[0].arg);
2024: 			fwd->listen_host = NULL;
2026: 			fwd->connect_host = xstrdup(fwdargs[1].arg);
2032: 		fwd->listen_host = xstrdup(fwdargs[0].arg);
2034: 		fwd->connect_host = xstrdup(fwdargs[2].arg);
2059: 	if (fwd->connect_host != NULL &&
2060: 	    strlen(fwd->connect_host) >= NI_MAXHOST)
2062: 	/* XXX - if connecting to a remote socket, max sun len may not match this host */
2066: 	if (fwd->listen_host != NULL &&
2067: 	    strlen(fwd->listen_host) >= NI_MAXHOST)
2076: 	free(fwd->connect_host);
2077: 	fwd->connect_host = NULL;
2080: 	free(fwd->listen_host);
2081: 	fwd->listen_host = NULL;
2206: 		    strcmp(fwd->connect_host, "socks") != 0)
2209: 		    strcmp(fwd->connect_host, "socks") == 0)
2214: 		else if (fwd->listen_host == NULL)
2218: 			    fwd->listen_host, fwd->listen_port);
2223: 			else if (fwd->connect_host == NULL)
2227: 				    fwd->connect_host, fwd->connect_port);
2235: dump_client_config(Options *o, const char *host)
2240: 	/* Most interesting options first: user, host, port */
2242: 	dump_cfg_string(oHostName, host);
2251: 	dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
2256: 	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
2265: 	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2269: 	dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
2279: 	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
2283: 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
2284: 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
2301: 	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
2311: 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
185: 	{ "hostbasedauthentication", oHostbasedAuthentication },
204: 	{ "hostname", oHostName },
205: 	{ "hostkeyalias", oHostKeyAlias },
234: 	{ "hostkeyalgorithms", oHostKeyAlgorithms },
246: 	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
256: 	{ "hashknownhosts", oHashKnownHosts },
275: 	{ "fingerprinthash", oFingerprintHash },
277: 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
496: 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
504: 	if (options->hostname != NULL) {
554: 		} else if (strcasecmp(attrib, "originalhost") == 0) {
570: 			if (gethostname(thishost, sizeof(thishost)) == -1)
572: 			strlcpy(shorthost, thishost, sizeof(shorthost));
573: 			shorthost[strcspn(thishost, ".")] = '\0';
577: 			    "L", shorthost,
580: 			    "l", thishost,
636: 		fatal("%s line %d: empty hostname suffix", filename, linenum);
638: 		fatal("%s line %d: hostname suffix \"%.100s\" "
644: 			fatal("%s line %d: hostname suffix \"%.100s\" contains "
648: 			fatal("%s line %d: hostname suffix \"%.100s\" contains "
884: 		intptr = &options->hostbased_authentication;
925: 	case oNoHostAuthenticationForLocalhost:
998: 		cpptr = (char **)&options->system_hostfiles;
999: 		uintptr = &options->num_system_hostfiles;
1000: 		max_entries = SSH_MAX_HOSTS_FILES;
1014: 		cpptr = (char **)&options->user_hostfiles;
1015: 		uintptr = &options->num_user_hostfiles;
1016: 		max_entries = SSH_MAX_HOSTS_FILES;
1020: 		charptr = &options->hostname;
1124: 		if (*activep && options->hostkeyalgorithms == NULL)
1125: 			options->hostkeyalgorithms = xstrdup(arg);
1192: 	case oHost:
1400: 				fatal("%s line %d: too many hostname suffixes.",
1437: 		intptr = &options->canonicalize_hostname;
1468: 	case oFingerprintHash:
1482: 		intptr = &options->update_hostkeys;
1487: 		charptr = &options->hostbased_key_types;
1609: 	options->hostbased_authentication = -1;
1625: 	options->hostkeyalgorithms = NULL;
1628: 	options->hostname = NULL;
1633: 	options->num_system_hostfiles = 0;
1634: 	options->num_user_hostfiles = 0;
1674: 	options->canonicalize_hostname = -1;
1677: 	options->update_hostkeys = -1;
1678: 	options->hostbased_key_types = NULL;
1683:  * needed for hostname canonicalization to proceed.
1692: 	if (options->canonicalize_hostname == -1)
1693: 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1739: 	if (options->hostbased_authentication == -1)
1740: 		options->hostbased_authentication = 0;
1767: 	/* options->hostkeyalgorithms, default set in myproposals.h */
1790: 	if (options->num_system_hostfiles == 0) {
1791: 		options->system_hostfiles[options->num_system_hostfiles++] =
1792: 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1793: 		options->system_hostfiles[options->num_system_hostfiles++] =
1794: 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1796: 	if (options->num_user_hostfiles == 0) {
1797: 		options->user_hostfiles[options->num_user_hostfiles++] =
1798: 		    xstrdup(_PATH_SSH_USER_HOSTFILE);
1799: 		options->user_hostfiles[options->num_user_hostfiles++] =
1800: 		    xstrdup(_PATH_SSH_USER_HOSTFILE2);
1853: 	if (options->canonicalize_hostname == -1)
1854: 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1857: 	if (options->update_hostkeys == -1)
1858: 		options->update_hostkeys = 0;
1859: 	if (options->hostbased_key_types == NULL)
1860: 		options->hostbased_key_types = xstrdup("*");
1874: 	/* options->hostname will be set in the main program if appropriate */
1950:  *	[listenhost:]listenport|listenpath:connecthost:connectport|connectpath
1953:  *	[listenhost:]listenport
2120: 	case oFingerprintHash:
2249: 	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
2266: 	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
2285: 	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
2300: 	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2302: 	dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
2322: 	dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
2323: 	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
119:      RhostsRSAAuthentication yes
120:      StrictHostKeyChecking yes
177: 	{ "rhostsauthentication", oDeprecated },
184: 	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
218: 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
219: 	{ "globalknownhostsfile2", oDeprecated },
220: 	{ "userknownhostsfile", oUserKnownHostsFile },
221: 	{ "userknownhostsfile2", oDeprecated },
224: 	{ "checkhostip", oCheckHostIP },
225: 	{ "stricthostkeychecking", oStrictHostKeyChecking },
245: 	{ "verifyhostkeydns", oVerifyHostKeyDNS },
261: 	{ "visualhostkey", oVisualHostKey },
269: 	{ "canonicalizehostname", oCanonicalizeHostname },
274: 	{ "revokedhostkeys", oRevokedHostKeys },
276: 	{ "updatehostkeys", oUpdateHostkeys },
571: 				fatal("gethostname: %s", strerror(errno));
879: 	case oRhostsRSAAuthentication:
880: 		intptr = &options->rhosts_rsa_authentication;
883: 	case oHostbasedAuthentication:
903: 	case oCheckHostIP:
907: 	case oVerifyHostKeyDNS:
912: 	case oStrictHostKeyChecking:
997: 	case oGlobalKnownHostsFile:
1013: 	case oUserKnownHostsFile:
1019: 	case oHostName:
1023: 	case oHostKeyAlias:
1117: 	case oHostKeyAlgorithms:
1325: 	case oHashKnownHosts:
1355: 	case oVisualHostKey:
1436: 	case oCanonicalizeHostname:
1438: 		multistate_ptr = multistate_canonicalizehostname;
1464: 	case oRevokedHostKeys:
1481: 	case oUpdateHostkeys:
1486: 	case oHostbasedKeyTypes:
1608: 	options->rhosts_rsa_authentication = -1;
1737: 	if (options->rhosts_rsa_authentication == -1)
1738: 		options->rhosts_rsa_authentication = 0;
2108: 	case oVerifyHostKeyDNS:
2109: 	case oStrictHostKeyChecking:
2110: 	case oUpdateHostkeys:
2118: 	case oCanonicalizeHostname:
2119: 		return fmt_multistate_int(val, multistate_canonicalizehostname);
2276: 	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
android.googlesource.com/platform/external/openssh:sshconnect.c: [ master, ]
71: Key *previous_host_key = NULL;
73: static int matching_host_key_dns = 0;
708: check_host_cert(const char *host, const Key *host_key)
805: check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
1237: verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
744: get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
6:  * Code to connect to a remote host, and to perform the client side of the
89:     const char *host, int port)
95: 	ret = percent_expand(tmp, "h", host, "p", strport,
106: ssh_proxy_fdpass_connect(const char *host, u_short port,
122: 	    host, port);
185: ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
201: 	    host, port);
415:  * Opens a TCP/IP connection to the remote server on the given host.
416:  * The address of the remote host will be returned in hostaddr.
422:  * and %p substituted for host and port, respectively) to use to contact
426: ssh_connect_direct(const char *host, struct addrinfo *aitop,
444: 		 * Loop through addresses for this host, and try each one in
458: 				host, ntop, strport);
484: 		error("ssh: connect to host %s port %s: %s",
485: 		    host, strport, strerror(errno));
504: ssh_connect(const char *host, struct addrinfo *addrs,
509: 		return ssh_connect_direct(host, addrs, hostaddr, port, family,
515: 		return ssh_proxy_fdpass_connect(host, port,
518: 	return ssh_proxy_connect(host, port, options.proxy_command);
596: 				    "Connection closed by remote host");
712: 	if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
716: 	if (buffer_len(host_key->cert->critical) != 0) {
718: 		    "critical options(s)", host);
741:  * host keys in known_hosts files. These may have a port number appended.
774: 			*hostfile_ipaddr = put_host_port(ntop, port);
788: 		if (options.host_key_alias != NULL) {
789: 			*hostfile_hostname = xstrdup(options.host_key_alias);
792: 			*hostfile_hostname = put_host_port(hostname, port);
798:  * check whether the supplied host key is valid, return -1 if the key
806:     Key *host_key, int readonly,
810: 	HostStatus host_status;
813: 	char *ip = NULL, *host = NULL;
817: 	const struct hostkey_entry *host_found, *ip_found;
820: 	int r, want_cert = key_is_cert(host_key), host_ip_differ = 0;
822: 	struct hostkeys *host_hostkeys, *ip_hostkeys;
826: 	 * Force accepting of the host key for loopback/localhost. The
829: 	 * them, and the user will get bogus HOST_CHANGED warnings.  This
830: 	 * essentially disables host authentication for localhost; however,
833: 	if (options.no_host_authentication_for_localhost == 1 && local &&
834: 	    options.host_key_alias == NULL) {
835: 		debug("Forcing accepting of host key for "
844: 	get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip);
847: 	 * Turn off check_host_ip if the connection is to localhost, via proxy
850: 	if (options.check_host_ip && (local ||
852: 		options.check_host_ip = 0;
854: 	host_hostkeys = init_hostkeys();
856: 		load_hostkeys(host_hostkeys, host, user_hostfiles[i]);
858: 		load_hostkeys(host_hostkeys, host, system_hostfiles[i]);
861: 	if (!want_cert && options.check_host_ip) {
871: 	want_cert = key_is_cert(host_key);
872: 	type = key_type(host_key);
875: 	 * Check if the host key is present in the user's list of known
878: 	host_status = check_key_in_hostkeys(host_hostkeys, host_key,
879: 	    &host_found);
887: 		ip_status = check_key_in_hostkeys(ip_hostkeys, host_key,
889: 		if (host_status == HOST_CHANGED &&
890: 		    (ip_status != HOST_CHANGED || 
892: 		    !key_equal(ip_found->key, host_found->key))))
893: 			host_ip_differ = 1;
895: 		ip_status = host_status;
897: 	switch (host_status) {
898: 	case HOST_OK:
899: 		/* The host is known and the key matches. */
900: 		debug("Host '%.200s' is known and matches the %s host %s.",
901: 		    host, type, want_cert ? "certificate" : "key");
903: 		    host_found->file, host_found->line);
904: 		if (want_cert && !check_host_cert(hostname, host_key))
906: 		if (options.check_host_ip && ip_status == HOST_NEW) {
908: 				logit("%s host key for IP address "
911: 			else if (!add_host_to_hostfile(user_hostfiles[0], ip,
912: 			    host_key, options.hash_known_hosts))
913: 				logit("Failed to add the %s host key for IP "
918: 				logit("Warning: Permanently added the %s host "
921: 		} else if (options.visual_host_key) {
922: 			fp = sshkey_fingerprint(host_key,
923: 			    options.fingerprint_hash, SSH_FP_DEFAULT);
924: 			ra = sshkey_fingerprint(host_key,
925: 			    options.fingerprint_hash, SSH_FP_RANDOMART);
928: 			logit("Host key fingerprint is %s\n%s\n", fp, ra);
934: 	case HOST_NEW:
935: 		if (options.host_key_alias == NULL && port != 0 &&
938: 			if (check_host_key(hostname, hostaddr, 0, host_key,
947: 		/* The host is new. */
948: 		if (options.strict_host_key_checking == 1) {
950: 			 * User has requested strict host key checking.  We
951: 			 * will not add the host key automatically.  The only
954: 			error("No %s host key is known for %.200s and you "
955: 			    "have requested strict checking.", type, host);
957: 		} else if (options.strict_host_key_checking == 2) {
960: 			if (show_other_keys(host_hostkeys, host_key))
963: 				    " known for this host.");
967: 			fp = sshkey_fingerprint(host_key,
968: 			    options.fingerprint_hash, SSH_FP_DEFAULT);
969: 			ra = sshkey_fingerprint(host_key,
970: 			    options.fingerprint_hash, SSH_FP_RANDOMART);
974: 			if (options.verify_host_key_dns) {
975: 				if (matching_host_key_dns)
977: 					    "Matching host key fingerprint"
981: 					    "No matching host key fingerprint"
985: 			    "The authenticity of host '%.200s (%s)' can't be "
990: 			    host, ip, msg1, type, fp,
991: 			    options.visual_host_key ? "\n" : "",
992: 			    options.visual_host_key ? ra : "",
1004: 		if (options.check_host_ip && ip_status == HOST_NEW) {
1005: 			snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
1007: 			if (options.hash_known_hosts) {
1008: 				/* Add hash of host and IP separately */
1009: 				r = add_host_to_hostfile(user_hostfiles[0],
1010: 				    host, host_key, options.hash_known_hosts) &&
1011: 				    add_host_to_hostfile(user_hostfiles[0], ip,
1012: 				    host_key, options.hash_known_hosts);
1014: 				/* Add unhashed "host,ip" */
1015: 				r = add_host_to_hostfile(user_hostfiles[0],
1016: 				    hostline, host_key,
1017: 				    options.hash_known_hosts);
1020: 			r = add_host_to_hostfile(user_hostfiles[0], host,
1021: 			    host_key, options.hash_known_hosts);
1022: 			hostp = host;
1026: 			logit("Failed to add the host to the list of known "
1032: 	case HOST_REVOKED:
1034: 		error("@       WARNING: REVOKED HOST KEY DETECTED!               @");
1036: 		error("The %s host key for %s is marked as revoked.", type, host);
1038: 		error("impersonate this host.");
1041: 		 * If strict host key checking is in use, the user will have
1044: 		if (options.strict_host_key_checking) {
1045: 			error("%s host key for %.200s was revoked and you have "
1046: 			    "requested strict checking.", type, host);
1051: 	case HOST_CHANGED:
1058: 			debug("Host certificate authority does not "
1060: 			    host_found->file, host_found->line);
1065: 		if (options.check_host_ip && host_ip_differ) {
1067: 			if (ip_status == HOST_NEW)
1069: 			else if (ip_status == HOST_OK)
1076: 			error("The %s host key for %s has changed,", type, host);
1079: 			error("DNS SPOOFING is happening or the IP address for the host");
1080: 			error("and its host key have changed at the same time.");
1081: 			if (ip_status != HOST_NEW)
1085: 		/* The host key has changed. */
1086: 		warn_changed_key(host_key);
1087: 		error("Add correct host key in %.100s to get rid of this message.",
1089: 		error("Offending %s key in %s:%lu", key_type(host_found->key),
1090: 		    host_found->file, host_found->line);
1093: 		 * If strict host key checking is in use, the user will have
1096: 		if (options.strict_host_key_checking) {
1097: 			error("%s host key for %.200s has changed and you have "
1098: 			    "requested strict checking.", type, host);
1104: 		 * If strict host key checking has not been requested, allow
1154: 			fatal("Error: forwarding disabled due to host key "
1159: 		 * This could be done by converting the host key to an
1160: 		 * identifying sentence, tell that the host identifies itself
1165: 	case HOST_FOUND:
1170: 	if (options.check_host_ip && host_status != HOST_CHANGED &&
1171: 	    ip_status == HOST_CHANGED) {
1173: 		    "Warning: the %s host key for '%.200s' "
1176: 		    type, host, ip, ip_found->file, ip_found->line);
1177: 		if (host_status == HOST_OK) {
1180: 			    "\nMatching host key in %s:%lu",
1181: 			    host_found->file, host_found->line);
1183: 		if (options.strict_host_key_checking == 1) {
1187: 		} else if (options.strict_host_key_checking == 2) {
1204: 	free(host);
1205: 	if (host_hostkeys != NULL)
1206: 		free_hostkeys(host_hostkeys);
1212: 	if (want_cert && host_status != HOST_REVOKED) {
1218: 		raw_key = key_from_private(host_key);
1221: 		host_key = raw_key;
1227: 	free(host);
1228: 	if (host_hostkeys != NULL)
1229: 		free_hostkeys(host_hostkeys);
1243: 	if ((fp = sshkey_fingerprint(host_key,
1244: 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1245: 		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
1250: 	debug("Server host key: %s %s",
1251: 	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
1253: 	if (sshkey_equal(previous_host_key, host_key)) {
1254: 		debug2("%s: server host key %s %s matches cached key",
1255: 		    __func__, sshkey_type(host_key), fp);
1261: 	if (options.revoked_host_keys != NULL) {
1262: 		r = sshkey_check_revoked(host_key, options.revoked_host_keys);
1267: 			error("Host key %s %s revoked by file %s",
1268: 			    sshkey_type(host_key), fp,
1269: 			    options.revoked_host_keys);
1273: 			error("Error checking host key %s %s in "
1274: 			    "revoked keys file %s: %s", sshkey_type(host_key),
1275: 			    fp, options.revoked_host_keys, ssh_err(r));
1281: 	if (options.verify_host_key_dns) {
1286: 		if ((r = sshkey_from_private(host_key, &plain)) != 0)
1290: 		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
1292: 				if (options.verify_host_key_dns == 1 &&
1299: 					matching_host_key_dns = 1;
1303: 					    "with the new host key to get rid "
1309: 	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
1316: 	if (r == 0 && host_key != NULL) {
1317: 		key_free(previous_host_key);
1318: 		previous_host_key = key_from_private(host_key);
1335: 	char *host;
1342: 	host = xstrdup(orighost);
1343: 	lowercase(host);
1354: 		ssh_kex2(host, hostaddr, port);
1355: 		ssh_userauth2(local_user, server_user, host, sensitive);
1358: 		ssh_kex(host, hostaddr);
1359: 		ssh_userauth1(local_user, server_user, host, sensitive);
1385: /* print all known host keys for a given host, but skip keys of given type */
1407: 		    options.fingerprint_hash, SSH_FP_DEFAULT);
1409: 		    options.fingerprint_hash, SSH_FP_RANDOMART);
1412: 		logit("WARNING: %s key found for host %s\n"
1416: 		    found->host, found->file, found->line,
1418: 		if (options.visual_host_key)
1428: warn_changed_key(Key *host_key)
1432: 	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1438: 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1442: 	error("It is also possible that a host key has just been changed.");
1443: 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
1444: 	    key_type(host_key), fp);
47: #include "hostfile.h"
56: #include "hostfile.h"
83: static int show_other_keys(struct hostkeys *, Key *);
427:     struct sockaddr_storage *hostaddr, u_short port, int family,
432: 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
453: 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
469: 				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
505:     struct sockaddr_storage *hostaddr, u_short port, int family,
725: sockaddr_is_local(struct sockaddr *hostaddr)
727: 	switch (hostaddr->sa_family) {
729: 		return (ntohl(((struct sockaddr_in *)hostaddr)->
733: 		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
740:  * Prepare the hostname and ip address strings that are used to lookup
745:     u_short port, char **hostfile_hostname, char **hostfile_ipaddr)
747: 	char ntop[NI_MAXHOST];
750: 	switch (hostaddr == NULL ? -1 : hostaddr->sa_family) {
769: 	if (hostfile_ipaddr != NULL) {
771: 			if (getnameinfo(hostaddr, addrlen,
772: 			    ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
776: 			*hostfile_ipaddr = xstrdup("<no hostip for proxy "
787: 	if (hostfile_hostname != NULL) {
790: 			debug("using hostkeyalias: %s", *hostfile_hostname);
799:  * is not valid. user_hostfile[0] will not be updated if 'readonly' is true.
807:     char **user_hostfiles, u_int num_user_hostfiles,
808:     char **system_hostfiles, u_int num_system_hostfiles)
811: 	HostStatus ip_status;
814: 	char hostline[1000], *hostp, *fp, *ra;
819: 	int local = sockaddr_is_local(hostaddr);
821: 	int hostkey_trusted = 0; /* Known or explicitly accepted by user */
828: 	 * machines, localhost will refer to a different machine in each of
836: 		    "loopback/localhost.");
841: 	 * Prepare the hostname and address strings used for hostkey lookup.
848: 	 * command or if we don't have a hostname to compare with
851: 	    strcmp(hostname, ip) == 0 || options.proxy_command != NULL))
855: 	for (i = 0; i < num_user_hostfiles; i++)
857: 	for (i = 0; i < num_system_hostfiles; i++)
860: 	ip_hostkeys = NULL;
862: 		ip_hostkeys = init_hostkeys();
863: 		for (i = 0; i < num_user_hostfiles; i++)
864: 			load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]);
865: 		for (i = 0; i < num_system_hostfiles; i++)
866: 			load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]);
876: 	 * hosts or in the systemwide list.
883: 	 * localhost, looking for a certificate, or the hostname was an ip
886: 	if (!want_cert && ip_hostkeys != NULL) {
909: 				    "'%.128s' not in list of known hosts.",
915: 				    "hosts (%.30s).", type, ip,
916: 				    user_hostfiles[0]);
920: 				    "of known hosts.", type, ip);
932: 		hostkey_trusted = 1;
939: 			    ROQUIET, user_hostfiles, num_user_hostfiles,
940: 			    system_hostfiles, num_system_hostfiles) == 0) {
998: 			hostkey_trusted = 1; /* user explicitly confirmed */
1002: 		 * local known_hosts file.
1006: 			hostp = hostline;
1027: 			    "hosts (%.500s).", user_hostfiles[0]);
1030: 			    "list of known hosts.", hostp, type);
1056: 			 * all hosts that one might visit.
1088: 		    user_hostfiles[0]);
1197: 	if (!hostkey_trusted && options.update_hostkeys) {
1198: 		debug("%s: hostkey not known or explicitly trusted: "
1200: 		options.update_hostkeys = 0;
1207: 	if (ip_hostkeys != NULL)
1208: 		free_hostkeys(ip_hostkeys);
1230: 	if (ip_hostkeys != NULL)
1231: 		free_hostkeys(ip_hostkeys);
1310: 	    options.user_hostfiles, options.num_user_hostfiles,
1311: 	    options.system_hostfiles, options.num_system_hostfiles);
1332: ssh_login(Sensitive *sensitive, const char *orighost,
1333:     struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms)
1341: 	/* Convert the user-supplied hostname into all lowercase. */
1387: show_other_keys(struct hostkeys *hostkeys, Key *key)
1399: 	const struct hostkey_entry *found;
1404: 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1199: 		    "disabling UpdateHostkeys", __func__);
1260: 	/* Check in RevokedHostKeys file if specified */
android.googlesource.com/platform/external/openssh:sshd.8: [ master, ]
652: .Sh SSH_KNOWN_HOSTS FILE FORMAT
49: .Op Fl c Ar host_certificate_file
53: .Op Fl h Ar host_key_file
109: that would apply to the specified user, host, and address will be set before
114: .Dq host ,
122: .It Fl c Ar host_certificate_file
126: The certificate file must match a host key file specified using the
165: .It Fl h Ar host_key_file
166: Specifies a file from which a host key is read.
170: host key files are normally not readable by anyone but root).
172: .Pa /etc/ssh/ssh_host_key
174: .Pa /etc/ssh/ssh_host_dsa_key ,
175: .Pa /etc/ssh/ssh_host_ecdsa_key .
176: .Pa /etc/ssh/ssh_host_ed25519_key
178: .Pa /etc/ssh/ssh_host_rsa_key
180: It is possible to have multiple host key files for
181: the different protocol versions and host key algorithms.
245: structure that holds the remote host name.
246: If the resolved host name is longer than
249: This allows hosts with very long host names that
269: USER@HOST pattern in
284: each host has a host-specific key,
286: used to identify the host.
295: host and server keys.
297: RSA host key against its own database to verify that it has not changed.
300: random number using both the host key and the server key, and sends
325: host-based authentication,
571: name of the remote host or its IP address must be present in the
606: .It Cm permitopen="host:port"
610: such that it may only connect to the specified host and port.
657: files contain host public keys for all known hosts.
660: maintained automatically: whenever the user connects from an unknown host,
681: wildcards); each pattern in turn is matched against the canonical host
686: to indicate negation: if the host name matches a negated
697: Alternately, hostnames may be stored in a hashed form which hides host names
705: Bits, exponent, and modulus are taken directly from the RSA host key; they
707: .Pa /etc/ssh/ssh_host_key.pub .
714: When performing host authentication, authentication is accepted if any
734: recommended) to have several lines or different host keys for the same
736: This will inevitably happen when short forms of host names
743: long, and you definitely don't want to type in the host keys by hand.
747: .Pa /etc/ssh/ssh_host_key.pub
748: and adding the host names at the front.
752: including removing hosts matching a host name and converting all host
765: # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
783: This file is used for host-based authentication (see
800: but allows host-based authentication without permitting login with
842: Contains a list of host keys for all hosts the user has logged into
843: that are not already in the systemwide list of known host keys.
855: This file is for host-based authentication (see
880: but allows host-based authentication without permitting login with
883: .It Pa /etc/ssh/ssh_host_key
884: .It Pa /etc/ssh/ssh_host_dsa_key
885: .It Pa /etc/ssh/ssh_host_ecdsa_key
886: .It Pa /etc/ssh/ssh_host_ed25519_key
887: .It Pa /etc/ssh/ssh_host_rsa_key
888: These files contain the private parts of the host keys.
895: .It Pa /etc/ssh/ssh_host_key.pub
896: .It Pa /etc/ssh/ssh_host_dsa_key.pub
897: .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
898: .It Pa /etc/ssh/ssh_host_ed25519_key.pub
899: .It Pa /etc/ssh/ssh_host_rsa_key.pub
900: These files contain the public parts of the host keys.
911: Systemwide list of known host keys.
913: system administrator to contain the public host keys of all machines in the
64: and provide secure encrypted communications between two untrusted hosts
129: .Cm HostKey
264: .Cm HostbasedAuthentication ,
455: 	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
456: 		# X11UseLocalhost=yes
460: 		# X11UseLocalhost=no
577: In addition to the wildcard matching that may be applied to hostnames or
615: No pattern matching is performed on the specified hostnames,
654: .Pa /etc/ssh/ssh_known_hosts
656: .Pa ~/.ssh/known_hosts
664: hostnames, bits, exponent, modulus, comment.
676: Hostnames is a comma-separated list of patterns
689: A hostname or address may optionally be enclosed within
699: Hashed hostnames start with a
702: Only one hashed hostname may appear on a single line and none of the above
722: The known hosts file also provides a facility to mark keys as revoked,
751: .Pa ~/.ssh/known_hosts
753: names to their hashed representations.
755: An example ssh_known_hosts file:
760: # A hashed hostname
841: .It Pa ~/.ssh/known_hosts
854: .It Pa /etc/hosts.equiv
879: .Pa hosts.equiv ,
906: the user so their contents can be copied to known hosts files.
910: .It Pa /etc/ssh/ssh_known_hosts
263: .Cm RhostsRSAAuthentication ,
782: .It Pa ~/.rhosts
797: .It Pa ~/.shosts
799: .Pa .rhosts ,
877: .It Pa /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:ssh.1: [ master, ]
55: .Op Fl L Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport
62: .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport
64: .Op Fl W Ar host : Ns Ar port
93: it is executed on the remote host instead of a login shell.
115: This can also be specified on a per-host basis in a configuration file.
118: Users with the ability to bypass file permissions on the remote host
147: The default value can be set on a host-by-host basis in the
244: .Ic ssh -f host xterm .
258: .Cm Host
284: a per-host basis in the configuration file.
302: .Ar port : host : hostport
305: Specifies that the given port on the local (client) host is to be
306: forwarded to the given host and port on the remote side.
314: .Ar host
337: This also may be specified on a per-host basis in the configuration file.
446: .It Host
497: Port to connect to on the remote host.
499: per-host basis in the configuration file.
523: .Ar port : host : hostport
526: Specifies that the given port on the remote (server) host is to be
527: forwarded to the given host and port on the local side.
533: .Ar host
611: .It Fl W Ar host : Ns Ar port
613: .Ar host
655: This can also be specified on a per-host basis in a configuration file.
658: Users with the ability to bypass file permissions on the remote host
715: host-based authentication,
723: Host-based authentication works as follows:
740: host key (see the description of
855: host for checking; however, since all communications are encrypted,
861: Host keys are stored in
868: If a host's identification ever changes,
876: host key is not known or has changed.
983: the user connects to the remote host using
1085: .Sh VERIFYING HOST KEYS
1094: .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1098: Because of the difficulty of comparing host keys
1100: there is also support to compare host keys visually,
1110: find out that the host key has changed when a completely different pattern
1114: host key is the same, not guaranteed proof.
1131: .Dq host.example.com .
1133: host.example.com:
1135: $ ssh-keygen -r host.example.com.
1141: .Dl $ dig -t SSHFP host.example.com
1145: $ ssh -o "VerifyHostKeyDNS ask" host.example.com
1147: Matching host key fingerprint found in DNS.
1230: indicates the host where the shell runs, and
1318: This file is used for host-based authentication (see above).
1333: but allows host-based authentication without permitting login with
1389: Contains a list of host keys for all hosts the user has logged into
1390: that are not already in the systemwide list of known host keys.
1405: This file is for host-based authentication (see above).
1411: but allows host-based authentication without permitting login with
1419: .It Pa /etc/ssh/ssh_host_key
1420: .It Pa /etc/ssh/ssh_host_dsa_key
1421: .It Pa /etc/ssh/ssh_host_ecdsa_key
1422: .It Pa /etc/ssh/ssh_host_ed25519_key
1423: .It Pa /etc/ssh/ssh_host_rsa_key
1424: These files contain the private parts of the host keys
1425: and are used for host-based authentication.
1428: must be setuid root, since the host key is readable only by root.
1433: to access the host keys,
1436: be setuid root when host-based authentication is used.
1442: Systemwide list of known host keys.
1444: system administrator to contain the public host keys of all machines in the
1585: .%T Hash Visualization: a New Technique to improve Real-World Security
66: .Oo Ar user Ns @ Oc Ns Ar hostname
75: two untrusted hosts over an insecure network.
82: .Ar hostname
203: .Dq localhost
263: Allows remote hosts to connect to local forwarded ports.
316: .Ar hostport
330: .Dq localhost
436: .It FingerprintHash
445: .It HashKnownHosts
447: .It HostbasedAuthentication
448: .It HostbasedKeyTypes
449: .It HostKeyAlgorithms
450: .It HostKeyAlias
451: .It HostName
463: .It NoHostAuthenticationForLocalhost
535: .Ar hostport
725: .Pa /etc/hosts.equiv
741: .Pa /etc/ssh/ssh_known_hosts
743: .Pa ~/.ssh/known_hosts ,
749: .Pa /etc/hosts.equiv ,
860: identification for all hosts it has ever been used with.
862: .Pa ~/.ssh/known_hosts
865: .Pa /etc/ssh/ssh_known_hosts
866: is automatically checked for known hosts.
867: Any new hosts are automatically added to the user's file.
996: (localhost)
1000: $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1117: all known hosts, the following command line can be used:
1119: .Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1227: .Dq hostname:n ,
1229: .Dq hostname
1388: .It Pa ~/.ssh/known_hosts
1404: .It Pa /etc/hosts.equiv
1410: .Pa hosts.equiv ,
1441: .It Pa /etc/ssh/ssh_known_hosts
418: .It CanonicalizeHostname
422: .It CheckHostIP
442: .It GlobalKnownHostsFile
477: .It RhostsRSAAuthentication
484: .It StrictHostKeyChecking
488: .It UpdateHostKeys
491: .It UserKnownHostsFile
492: .It VerifyHostKeyDNS
493: .It VisualHostKey
727: .Pa /etc/shosts.equiv
730: .Pa ~/.rhosts
732: .Pa ~/.shosts
750: .Pa ~/.rhosts ,
816: .Pa ~/.rhosts
874: .Cm StrictHostKeyChecking
1089: .Cm StrictHostKeyChecking
1104: .Cm VisualHostKey
1152: .Cm VerifyHostKeyDNS
1317: .It Pa ~/.rhosts
1330: .It Pa ~/.shosts
1332: .Pa .rhosts ,
1408: .It Pa /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:ssh-keyscan.1: [ master, ]
23: .Op Ar host | addrlist namelist
28: is a utility for gathering the public ssh host keys of a number of
71: Hash all hostnames and addresses in the output.
79: Port to connect to on the remote host.
84: seconds have elapsed since a connection was initiated to a host or since the
85: last time anything was read from that host, then the connection is
86: closed and the host in question considered unavailable.
130: host-or-namelist bits exponent modulus
135: host-or-namelist keytype base64-encoded-key
151: Print the rsa host key for machine
175: It generates "Connection closed by remote host" messages on the consoles
29: hosts.
31: .Pa ssh_known_hosts
38: uses non-blocking socket I/O to contact as many hosts as possible in
41: hosts can be collected in tens of seconds, even when some of those
42: hosts are down or do not run ssh.
58: Read hosts or
67: will read hosts or
72: Hashed names may be used normally by
89: Specifies the type of the key to fetch from the scanned hosts.
113: If an ssh_known_hosts file is constructed using
121: attacks which have begun after the ssh_known_hosts file was created.
149: .Pa /etc/ssh/ssh_known_hosts
152: .Ar hostname :
154: $ ssh-keyscan hostname
157: Find all hosts from the file
158: .Pa ssh_hosts
160: .Pa ssh_known_hosts :
162: $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
163: 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
android.googlesource.com/platform/external/openssh:ssh-keygen.1: [ master, ]
77: .Op Fl E Ar fingerprint_hash
177: Additionally, the system administrator may use this to generate host keys,
188: (host keys must have an empty passphrase), or it may be a string of
211: .Dq user@host
223: for which host keys
224: do not exist, generate the host keys with the default key file path,
228: to generate new host keys.
274: .It Fl E Ar fingerprint_hash
275: Specifies the hash algorithm used when displaying key fingerprints.
297: This option is useful to find hashed host names or addresses and may also be
314: Hash a
329: When signing a key, create a host certificate instead of a user
411: Specify one or more principals (user or host names) to be included in
473: At present, no options are valid for host keys.
647: user or host authentication.
649: more principal (user or host) names and a set of options that
652: on a certificate rather than trusting many user/host keys.
658: supports two types of certificates: user and host.
659: User certificates authenticate users to servers, whereas host certificates
667: A host certificate requires the
671: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
673: The host certificate will be output to
674: .Pa /path/to/host_key-cert.pub .
683: .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
690: Certificates may be limited to be valid for a set of principal (user/host)
696: .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
717: For certificates to be used for user or host authentication, the CA
737: Plain public keys are revoked by listing their hash or contents in the KRL and
770: Revokes the specified key by its SHA1 hash.
85: .Fl F Ar hostname
86: .Op Fl f Ar known_hosts_file
90: .Op Fl f Ar known_hosts_file
92: .Fl R Ar hostname
93: .Op Fl f Ar known_hosts_file
95: .Fl r Ar hostname
291: .It Fl F Ar hostname
293: .Ar hostname
295: .Pa known_hosts
300: option to print found keys in a hashed format.
315: .Pa known_hosts
317: This replaces all hostnames and addresses with hashed representations
320: These hashes may be used normally by
326: This option will not modify existing hashed hostnames and is therefore safe
327: to use on files that mix hashed and non-hashed names.
495: .It Fl R Ar hostname
497: .Ar hostname
499: .Pa known_hosts
501: This option is useful to delete hashed hosts (see the
504: .It Fl r Ar hostname
506: .Ar hostname
660: authenticate server hosts to users.
692: By default, generated certificates are valid for all users or hosts.
android.googlesource.com/platform/external/openssh:sshd_config.5: [ master, ]
170: If the pattern takes the form USER@HOST then USER and HOST
245: It is recommended to use a dedicated user that has no other role on the host
502: If the pattern takes the form USER@HOST then USER and HOST
516: Specifies the hash algorithm used when logging key fingerprints.
555: to force remote port forwardings to be available to the local host only,
586: with successful public key client host authentication is allowed
587: (host-based authentication).
611: Specifies a file containing a public host certificate.
612: The certificate's public key must match a private host key already specified
619: Specifies a file containing a private host key
622: .Pa /etc/ssh/ssh_host_key
624: .Pa /etc/ssh/ssh_host_dsa_key ,
625: .Pa /etc/ssh/ssh_host_ecdsa_key ,
626: .Pa /etc/ssh/ssh_host_ed25519_key
628: .Pa /etc/ssh/ssh_host_rsa_key
633: It is possible to have multiple host key files.
642: It is also possible to specify public host key files instead.
648: with an agent that has access to the private host keys.
811: .Ar host | Ar IPv4_addr | Ar IPv6_addr
816: .Ar host | Ar IPv4_addr : Ar port
822: .Ar host | Ar IPv6_addr Oc : Ar port
938: .Cm Host ,
957: or one with bits set in this host portion of the address.
1064: .Ar host : port
1267: with successful RSA host authentication is allowed.
1362: if the network goes down or the client host crashes.
1384: should look up the remote host name and check that
1385: the resolved host name for the remote IP address maps back to the
172: users from particular hosts.
504: users from particular hosts.
515: .It Cm FingerprintHash
543: Specifies whether remote hosts are allowed to connect to ports
548: This prevents other remote hosts from connecting to forwarded ports.
552: allowing other hosts to connect.
573: .It Cm HostbasedAcceptedKeyTypes
574: Specifies the key types that will be accepted for hostbased authentication
584: .It Cm HostbasedAuthentication
585: Specifies whether rhosts or /etc/hosts.equiv authentication together
593: .It Cm HostbasedUsesNameFromPacketOnly
599: .Pa /etc/hosts.equiv
601: .Cm HostbasedAuthentication .
610: .It Cm HostCertificate
614: .Cm HostKey .
618: .It Cm HostKey
646: .It Cm HostKeyAgent
662: .Cm HostbasedAuthentication .
664: .Pa /etc/hosts.equiv
674: .Pa ~/.ssh/known_hosts
678: .Cm HostbasedAuthentication .
986: .Cm HostbasedAcceptedKeyTypes ,
987: .Cm HostbasedAuthentication ,
988: .Cm HostbasedUsesNameFromPacketOnly ,
1013: .Cm X11UseLocalHost .
1266: Specifies whether rhosts or /etc/hosts.equiv authentication together
1356: .Dq ghost
1473: .Cm X11UseLocalhost
1494: .It Cm X11UseLocalhost
1501: hostname part of the
1504: .Dq localhost .
1505: This prevents remote hosts from connecting to the proxy display.
1508: .Cm X11UseLocalhost
589: .Cm RhostsRSAAuthentication
596: .Pa ~/.shosts ,
597: .Pa ~/.rhosts ,
654: .It Cm IgnoreRhosts
656: .Pa .rhosts
658: .Pa .shosts
660: .Cm RhostsRSAAuthentication
666: .Pa /etc/shosts.equiv
670: .It Cm IgnoreUserKnownHosts
676: .Cm RhostsRSAAuthentication
1005: .Cm RhostsRSAAuthentication ,
1265: .It Cm RhostsRSAAuthentication
android.googlesource.com/platform/external/openssh:ssh_config.5: [ master, ]
65: .Dq Host
68: The matched host name is usually the one given on the command line
74: host-specific declarations should be given near the beginning of the
103: .It Cm Host
105: .Cm Host
115: The host is usually the
125: .Cm Host
136: .Cm Host
149: .Cm host ,
173: This may be useful to specify conditions that work with canonical host
183: will be substituted by the first component of the local host name,
185: will be substituted by the local host name (including any domain name),
187: will be substituted by the target host name,
189: will be substituted by the original target host name
204: .Cm host
216: keyword matches against the target username on the remote host.
256: search for the specified destination host.
297: .Cm Host
340: will additionally check the host IP address in the
343: This allows ssh to detect if a host key changed due to DNS spoofing.
522: will be substituted by the first component of the local host name,
524: will be substituted by the local host name (including any domain name),
526: will be substituted by the target host name,
528: will be substituted by the original target host name
538: by a hash of the concatenation: %l%h%p%r.
644: Specifies the hash algorithm used when displaying key fingerprints.
662: Users with the ability to bypass file permissions on the remote host
681: Users with the ability to bypass file permissions on the remote host
737: host key database, separated by whitespace.
754: should hash host names and addresses when they are added to
792: Specifies the protocol version 2 host key algorithms
806: If hostkeys are known for the destination host then this default is modified
817: real host name when looking up or saving the host key
818: in the host key database files.
820: or for multiple servers running on a single host.
822: Specifies the real host name to log into.
826: then this will be replaced with the host name specified on the command line
888: (local host name),
890: (remote host name) or
1001: (remote host name),
1003: (local host name),
1005: (host name as provided on the command line),
1013: by a hash of the concatenation: %l%h%p%r.
1026: the secure channel to the specified host and port from the remote machine.
1032: .Ar host : Ns Ar hostport .
1091: the machines and the user will get many warnings about changed host keys.
1092: However, this option disables host authentication for localhost.
1097: The default is to check the host key for localhost.
1130: Specifies the port number to connect on the remote host.
1170: will be substituted by the host name to
1183: Host key management will be done using the
1184: HostName of the host being connected (defaulting to the name typed by
1246: the secure channel to the specified host and port from the local machine.
1252: .Ar host : Ns Ar hostport .
1299: Specifies revoked host public keys.
1300: Keys listed in this file will be refused for host authentication.
1302: then host authentication will be refused for all hosts.
1309: Specifies whether to try rhosts based authentication with RSA host
1421: will never automatically add host keys to the
1423: file, and refuses to connect to hosts whose host key has changed.
1433: ssh will automatically add new host keys to the
1437: new host keys
1438: will be added to the user known host files only after the user
1440: ssh will refuse to connect to hosts whose host key has changed.
1441: The host keys of
1462: if the network goes down or the remote host dies.
1521: host was already trusted or explicity accepted by the user.
1560: host key database, separated by whitespace.
1576: need to confirm new host keys according to the
1588: See also VERIFYING HOST KEYS in
1593: an ASCII art representation of the remote host key fingerprint is
1595: for unknown host keys.
1599: only the fingerprint string will be printed for unknown host keys.
1618: For example, to specify a set of declarations for any host in the
1623: .Dl Host *.co.uk
1626: would match any host in the 192.168.0.[0-9] network range:
1628: .Dl Host 192.168.0.?
66: specifications, and that section is only applied for hosts that
108: keyword) to be only for those hosts that match one of the patterns
114: defaults for all hosts.
116: .Ar hostname
150: .Cm originalhost ,
170: after hostname canonicalization (see the
205: keyword are matched against the target hostname, after any substitution
207: .Cm Hostname
212: .Cm originalhost
213: keyword matches against the hostname as it was specified on the command-line.
258: Specifies whether to fail with an error when hostname canonicalization fails.
261: will attempt to look up the unqualified hostname using the system resolver's
269: is enabled and the target hostname cannot be found in any of the domains
273: Controls whether explicit hostname canonicalization is performed.
277: hostname lookups.
283: will attempt to canonicalize the hostname specified on the command line
302: Specifies the maximum number of dot characters in a hostname before
306: allows a single dot (i.e. hostname.subdomain).
309: canonicalizing hostnames.
321: will allow hostnames matching
341: .Pa known_hosts
589: .Dq localhost
609: .Cm HostbasedAuthentication .
616: This option should be placed in the non-hostspecific section.
643: .It Cm FingerprintHash
719: Specifies whether remote hosts are allowed to connect to local
724: This prevents other remote hosts from connecting to forwarded ports.
728: thus allowing remote hosts to connect to forwarded ports.
739: .Pa /etc/ssh/ssh_known_hosts ,
740: .Pa /etc/ssh/ssh_known_hosts2 .
751: .It Cm HashKnownHosts
755: .Pa ~/.ssh/known_hosts .
756: These hashed names may be used normally by
764: Note that existing names and addresses in known hosts files
766: but may be manually hashed using
768: .It Cm HostbasedAuthentication
780: .It Cm HostbasedKeyTypes
781: Specifies the key types that will be used for hostbased authentication
791: .It Cm HostKeyAlgorithms
815: .It Cm HostKeyAlias
821: .It Cm HostName
823: This can be used to specify nicknames or abbreviations for hosts.
824: If the hostname contains the character sequence
836: .Cm HostName
1046: .Dq localhost
1088: .It Cm NoHostAuthenticationForLocalhost
1090: In this case localhost will refer to a different machine on each of
1141: gssapi-with-mic,hostbased,publickey,
1422: .Pa ~/.ssh/known_hosts
1426: .Pa /etc/ssh/ssh_known_hosts
1427: file is poorly maintained or when connections to new hosts are
1430: add all new hosts.
1434: user known hosts files.
1442: known hosts will be verified automatically in all cases.
1509: should accept notifications of additional hostkeys from the server sent
1517: Enabling this option allows learning alternate hostkeys for a server
1520: Additional hostkeys are only accepted if the key used to authenticate the
1526: then the user is asked to confirm the modifications to the known_hosts file.
1534: .Dq hostkeys@openssh.com
1535: protocol extension used to inform the client of all the server's hostkeys.
1562: .Pa ~/.ssh/known_hosts ,
1563: .Pa ~/.ssh/known_hosts2 .
70: .Cm CanonicalizeHostname
119: .Cm CanonicalizeHostname
171: .Cm CanonicalizeHostname
209: .Cm CanonicalizeHostname
254: .Cm CanonicalizeHostname
268: .Cm CanonicalizeHostname
272: .It Cm CanonicalizeHostname
290: .Cm CanonicalizeHostname
336: .It Cm CheckHostIP
735: .It Cm GlobalKnownHostsFile
769: Specifies whether to try rhosts based authentication with public key
779: .Cm RhostsRSAAuthentication .
1190: .Cm CheckHostIP
1298: .It Cm RevokedHostKeys
1308: .It Cm RhostsRSAAuthentication
1417: .It Cm StrictHostKeyChecking
1506: .It Cm UpdateHostKeys
1511: .Cm UserKnownHostsFile .
1523: .Cm UpdateHostKeys
1551: .Cm RhostsRSAAuthentication
1558: .It Cm UserKnownHostsFile
1564: .It Cm VerifyHostKeyDNS
1577: .Cm StrictHostKeyChecking
1590: .It Cm VisualHostKey
android.googlesource.com/platform/external/openssh:ssh-keyscan.0: [ master, ]
8:                  [host | addrlist namelist] ...
11:      ssh-keyscan is a utility for gathering the public ssh host keys of a
34:      -H      Hash all hostnames and addresses in the output.  Hashed names may
39:              Port to connect to on the remote host.
43:              elapsed since a connection was initiated to a host or since the
44:              last time anything was read from that host, then the connection
45:              is closed and the host in question considered unavailable.
73:      host-or-namelist bits exponent modulus
77:      host-or-namelist keytype base64-encoded-key
85:      Print the rsa host key for machine hostname:
104:      It generates "Connection closed by remote host" messages on the consoles
12:      number of hosts.  It was designed to aid in building and verifying
13:      ssh_known_hosts files.  ssh-keyscan provides a minimal interface suitable
16:      ssh-keyscan uses non-blocking socket I/O to contact as many hosts as
18:      1,000 hosts can be collected in tens of seconds, even when some of those
19:      hosts are down or do not run ssh.  For scanning, one does not need login
30:              Read hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from file, one per line.
32:              hosts or M-bM-^@M-^\addrlist namelistM-bM-^@M-^] pairs from the standard input.
49:              Specifies the type of the key to fetch from the scanned hosts.
59:      If an ssh_known_hosts file is constructed using ssh-keyscan without
63:      middle attacks which have begun after the ssh_known_hosts file was
82:      /etc/ssh/ssh_known_hosts
87:      $ ssh-keyscan hostname
89:      Find all hosts from the file ssh_hosts which have new or different keys
90:      from those in the sorted file ssh_known_hosts:
92:      $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
93:              sort -u - ssh_known_hosts | diff ssh_known_hosts -
android.googlesource.com/platform/external/openssh:PROTOCOL.certkeys: [ master, ]
12: managed, passwordless authentication and centrally certified host keys.
25: acceptance of certified host keys, by adding a similar ability to
61: #define SSH_CERT_TYPE_HOST    2
123: inducing collisions in the signature hash infeasible.
138: or a host using a SSH_CERT_TYPE_... value.
146: certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
26: specify CA keys in ~/.ssh/known_hosts.
android.googlesource.com/platform/external/openssh:ssh-keygen.0: [ master, ]
14:      ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
50:      Additionally, the system administrator may use this to generate host
56:      passphrase may be empty to indicate no passphrase (host keys must have an
83:              which host keys do not exist, generate the host keys with the
86:              generate new host keys.
127:      -E fingerprint_hash
128:              Specifies the hash algorithm used when displaying key
140:              any occurrences found.  This option is useful to find hashed host
154:      -H      Hash a known_hosts file.  This replaces all hostnames and
163:      -h      When signing a key, create a host certificate instead of a user
220:              Specify one or more principals (user or host names) to be
276:              At present, no options are valid for host keys.
404:      used for user or host authentication.  Certificates consist of a public
405:      key, some identity information, zero or more principal (user or host)
408:      its signature on a certificate rather than trusting many user/host keys.
412:      ssh-keygen supports two types of certificates: user and host.  User
413:      certificates authenticate users to servers, whereas host certificates
419:      A host certificate requires the -h option:
421:            $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
423:      The host certificate will be output to /path/to/host_key-cert.pub.
429:            $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
435:      (user/host) names.  By default, generated certificates are valid for all
440:            $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
455:      For certificates to be used for user or host authentication, the CA
468:      per line.  Plain public keys are revoked by listing their hash or
497:              Revokes the specified key by its SHA1 hash.
17:      ssh-keygen -F hostname [-f known_hosts_file] [-l]
18:      ssh-keygen -H [-f known_hosts_file]
19:      ssh-keygen -R hostname [-f known_hosts_file]
20:      ssh-keygen -r hostname [-f input_keyfile] [-g]
74:      initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is created, but can be changed
138:      -F hostname
139:              Search for the specified hostname in a known_hosts file, listing
142:              -H option to print found keys in a hashed format.
155:              addresses with hashed representations within the specified file;
157:              These hashes may be used normally by ssh and sshd, but they do
159:              disclosed.  This option will not modify existing hashed hostnames
160:              and is therefore safe to use on files that mix hashed and non-
161:              hashed names.
296:      -R hostname
297:              Removes all keys belonging to hostname from a known_hosts file.
298:              This option is useful to delete hashed hosts (see the -H option
301:      -r hostname
302:              Print the SSHFP fingerprint resource record named hostname for
414:      authenticate server hosts to users.  To generate a user certificate:
436:      users or hosts.  To generate a certificate for a specified set of
android.googlesource.com/platform/external/openssh:sshd.0: [ master, ]
8:           [-c host_certificate_file] [-E log_file] [-f config_file]
9:           [-g login_grace_time] [-h host_key_file] [-k key_gen_time]
41:              file that would apply to the specified user, host, and address
48:      -c host_certificate_file
50:              key exchange.  The certificate file must match a host key file
79:      -h host_key_file
80:              Specifies a file from which a host key is read.  This option must
81:              be given if sshd is not run as root (as the normal host key files
83:              /etc/ssh/ssh_host_key for protocol version 1, and
84:              /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key.
85:              /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
86:              protocol version 2.  It is possible to have multiple host key
87:              files for the different protocol versions and host key
134:              structure that holds the remote host name.  If the resolved host
136:              instead.  This allows hosts with very long host names that
145:              using a USER@HOST pattern in AllowUsers or DenyUsers.
151:      protocol 1 only supports RSA keys.  For both protocols, each host has a
152:      host-specific key, normally 2048 bits, used to identify the host.
158:      host and server keys.  The client compares the RSA host key against its
161:      both the host key and the server key, and sends the encrypted number to
178:      client tries to authenticate itself using host-based authentication,
337:              the canonical name of the remote host or its IP address must be
371:      permitopen="host:port"
373:              connect to the specified host and port.  IPv6 addresses can be
407:      The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
410:      automatically: whenever the user connects from an unknown host, its key
424:      wildcards); each pattern in turn is matched against the canonical host
427:      indicate negation: if the host name matches a negated pattern, it is not
432:      Alternately, hostnames may be stored in a hashed form which hides host
438:      Bits, exponent, and modulus are taken directly from the RSA host key;
439:      they can be obtained, for example, from /etc/ssh/ssh_host_key.pub.  The
444:      When performing host authentication, authentication is accepted if any
459:      different host keys for the same names.  This will inevitably happen when
460:      short forms of host names from different domains are put in the file.  It
466:      long, and you definitely don't want to type in the host keys by hand.
468:      /etc/ssh/ssh_host_key.pub and adding the host names at the front.
470:      ~/.ssh/known_hosts including removing hosts matching a host name and
471:      converting all host names to their hashed representations.
483:         # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
494:              This file is used for host-based authentication (see ssh(1) for
505:              host-based authentication without permitting login with
537:              Contains a list of host keys for all hosts the user has logged
538:              into that are not already in the systemwide list of known host
549:              This file is for host-based authentication (see ssh(1)).  It
567:              allows host-based authentication without permitting login with
570:      /etc/ssh/ssh_host_key
571:      /etc/ssh/ssh_host_dsa_key
572:      /etc/ssh/ssh_host_ecdsa_key
573:      /etc/ssh/ssh_host_ed25519_key
574:      /etc/ssh/ssh_host_rsa_key
575:              These files contain the private parts of the host keys.  These
580:      /etc/ssh/ssh_host_key.pub
581:      /etc/ssh/ssh_host_dsa_key.pub
582:      /etc/ssh/ssh_host_ecdsa_key.pub
583:      /etc/ssh/ssh_host_ed25519_key.pub
584:      /etc/ssh/ssh_host_rsa_key.pub
585:              These files contain the public parts of the host keys.  These
593:              Systemwide list of known host keys.  This file should be prepared
594:              by the system administrator to contain the public host keys of
15:      communications between two untrusted hosts over an insecure network.
44:              pairs.  The keywords are M-bM-^@M-^\userM-bM-^@M-^], M-bM-^@M-^\hostM-bM-^@M-^], M-bM-^@M-^\laddrM-bM-^@M-^], M-bM-^@M-^\lportM-bM-^@M-^], and
51:              specified using the -h option or the HostKey configuration
143:              HostbasedAuthentication, and using a from="pattern-list" option
255:                 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
256:                         # X11UseLocalhost=yes
260:                         # X11UseLocalhost=no
342:              hostnames or addresses, a from stanza may match IP addresses
376:              pattern matching is performed on the specified hostnames, they
406: SSH_KNOWN_HOSTS FILE FORMAT
408:      public keys for all known hosts.  The global file should be prepared by
414:      (optional), hostnames, bits, exponent, modulus, comment.  The fields are
423:      Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act...(3 bytes skipped)...
429:      A hostname or address may optionally be enclosed within M-bM-^@M-^X[M-bM-^@M-^Y and M-bM-^@M-^X]M-bM-^@M-^...(1 bytes skipped)...
433:      names and addresses should the file's contents be disclosed.  Hashed
434:      hostnames start with a M-bM-^@M-^X|M-bM-^@M-^Y character.  Only one hashed hostname may
451:      The known hosts file also provides a facility to mark keys as revoked,
473:      An example ssh_known_hosts file:
478:         # A hashed hostname
536:      ~/.ssh/known_hosts
548:      /etc/hosts.equiv
566:              This file is used in exactly the same way as hosts.equiv, but
590:              hosts files.  These files are created using ssh-keygen(1).
592:      /etc/ssh/ssh_known_hosts
142:              require DNS include RhostsRSAAuthentication,
493:      ~/.rhosts
503:      ~/.shosts
504:              This file is used in exactly the same way as .rhosts, but allows
565:      /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:ssh.0: [ master, ]
10:          [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
13:          [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
29:      If command is specified, it is executed on the remote host instead of a
43:              can also be specified on a per-host basis in a configuration
47:              ability to bypass file permissions on the remote host (for the
68:              set on a host-by-host basis in the configuration files; see the
123:              remote site is with something like ssh -f host xterm.
130:      -G      Causes ssh to print its configuration after evaluating Host and
146:              Identity files may also be specified on a per-host basis in the
158:      -L [bind_address:]port:host:hostport
159:              Specifies that the given port on the local (client) host is to be
160:              forwarded to the given host and port on the remote side.  This
164:              the secure channel, and a connection is made to host port
178:              may be specified on a per-host basis in the configuration file.
254:                    Host
305:              Port to connect to on the remote host.  This can be specified on
306:              a per-host basis in the configuration file.
319:      -R [bind_address:]port:host:hostport
320:              Specifies that the given port on the remote (server) host is to
321:              be forwarded to the given host and port on the local side.  This
325:              is made to host port hostport from the local machine.
371:      -W host:port
373:              forwarded to host on port over the secure channel.  Implies -N,
389:      -X      Enables X11 forwarding.  This can also be specified on a per-host
393:              ability to bypass file permissions on the remote host (for the
427:      authentication, host-based authentication, public key authentication,
433:      Host-based authentication works as follows: If the machine the user logs
439:      Additionally, the server must be able to verify the client's host key
497:      password.  The password is sent to the remote host for checking; however,
502:      identification for all hosts it has ever been used with.  Host keys are
506:      host's identification ever changes, ssh warns about this and disables
510:      whose host key is not known or has changed.
581:      the remote host using ssh, specifying a port to be used to forward
632: VERIFYING HOST KEYS
638:            $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
641:      accepted or rejected.  Because of the difficulty of comparing host keys
643:      host keys visually, using random art.  By setting the VisualHostKey
647:      that the host key has changed when a completely different pattern is
650:      probability that the host key is the same, not guaranteed proof.
663:      M-bM-^@M-^\host.example.comM-bM-^@M-^].  The SSHFP resource records should first be added to
664:      the zonefile for host.example.com:
666:            $ ssh-keygen -r host.example.com.
671:            $ dig -t SSHFP host.example.com
675:            $ ssh -o "VerifyHostKeyDNS ask" host.example.com
677:            Matching host key fingerprint found in DNS.
725:                            M-bM-^@M-^\hostnameM-bM-^@M-^] indicates the host where the shell runs,
786:              This file is used for host-based authentication (see above).  On
796:              host-based authentication without permitting login with
845:              Contains a list of host keys for all hosts the user has logged
846:              into that are not already in the systemwide list of known host
856:              This file is for host-based authentication (see above).  It
861:              allows host-based authentication without permitting login with
868:      /etc/ssh/ssh_host_key
869:      /etc/ssh/ssh_host_dsa_key
870:      /etc/ssh/ssh_host_ecdsa_key
871:      /etc/ssh/ssh_host_ed25519_key
872:      /etc/ssh/ssh_host_rsa_key
873:              These files contain the private parts of the host keys and are
874:              used for host-based authentication.  If protocol version 1 is
875:              used, ssh must be setuid root, since the host key is readable
877:              access the host keys, eliminating the requirement that ssh be
878:              setuid root when host-based authentication is used.  By default
882:              Systemwide list of known host keys.  This file should be prepared
883:              by the system administrator to contain the public host keys of
940:      A. Perrig and D. Song, Hash Visualization: a New Technique to improve
14:          [-w local_tun[:remote_tun]] [user@]hostname [command]
20:      untrusted hosts over an insecure network.  X11 connections, arbitrary TCP
24:      ssh connects and logs into the specified hostname (with optional user
133:      -g      Allows remote hosts to connect to local forwarded ports.  If used
165:              hostport from the remote machine.  Port forwardings can also be
244:                    FingerprintHash
253:                    HashKnownHosts
255:                    HostbasedAuthentication
256:                    HostbasedKeyTypes
257:                    HostKeyAlgorithms
258:                    HostKeyAlias
259:                    HostName
271:                    NoHostAuthenticationForLocalhost
434:      in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
440:      (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
443:      [Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
503:      stored in ~/.ssh/known_hosts in the user's home directory.  Additionally,
504:      the file /etc/ssh/ssh_known_hosts is automatically checked for known
505:      hosts.  Any new hosts are automatically added to the user's file.  If a
587:      M-bM-^@M-^\127.0.0.1M-bM-^@M-^] (localhost) to remote server M-bM-^@M-^\server.example.comM-bM-^@M-^]:
589:          $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
653:      known hosts, the following command line can be used:
655:            $ ssh-keygen -lv -f ~/.ssh/known_hosts
724:                            point to a value of the form M-bM-^@M-^\hostname:nM-bM-^@M-^], where
844:      ~/.ssh/known_hosts
855:      /etc/hosts.equiv
860:              This file is used in exactly the same way as hosts.equiv, but
881:      /etc/ssh/ssh_known_hosts
97:              bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be
172:              M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local
226:                    CanonicalizeHostname
230:                    CheckHostIP
250:                    GlobalKnownHostsFile
285:                    RhostsRSAAuthentication
292:                    StrictHostKeyChecking
296:                    UpdateHostKeys
299:                    UserKnownHostsFile
300:                    VerifyHostKeyDNS
301:                    VisualHostKey
436:      ~/.rhosts or ~/.shosts exist in the user's home directory on the remote
474:      The authorized_keys file corresponds to the conventional ~/.rhosts file,
509:      StrictHostKeyChecking option can be used to control logins to machines
635:      StrictHostKeyChecking has been disabled).  Fingerprints can be determined
680:      See the VerifyHostKeyDNS option in ssh_config(5) for more information.
785:      ~/.rhosts
794:      ~/.shosts
795:              This file is used in exactly the same way as .rhosts, but allows
859:      /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:sshd_config.0: [ master, ]
81:              USER@HOST then USER and HOST are separately checked, restricting
138:              other role on the host than running authorized keys commands.  If
300:              allowed for all users.  If the pattern takes the form USER@HOST
301:              then USER and HOST are separately checked, restricting logins to
309:              Specifies the hash algorithm used when logging key fingerprints.
332:              forwardings to be available to the local host only, M-bM-^@M-^\yesM-bM-^@M-^] to
355:              together with successful public key client host authentication is
356:              allowed (host-based authentication).  This option is similar to
370:              Specifies a file containing a public host certificate.  The
371:              certificate's public key must match a private host key already
376:              Specifies a file containing a private host key used by SSH.  The
377:              default is /etc/ssh/ssh_host_key for protocol version 1, and
378:              /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
379:              /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for
382:              host key files.  M-bM-^@M-^\rsa1M-bM-^@M-^] keys are used for version 1 and M-bM-^@M-^\dsaM-bM-^@M-^],
384:              protocol.  It is also possible to specify public host key files
390:              agent that has access to the private host keys.  If
482:                    ListenAddress host|IPv4_addr|IPv6_addr
483:                    ListenAddress host|IPv4_addr:port
484:                    ListenAddress [host|IPv6_addr]:port
550:              criteria are User, Group, Host, LocalAddress, LocalPort, and
560:              with bits set in this host portion of the address.  For example,
618:                    PermitOpen host:port
731:              together with successful RSA host authentication is allowed.  The
804:              server will notice if the network goes down or the client host
822:      UseDNS  Specifies whether sshd(8) should look up the remote host name and
823:              check that the resolved host name for the remote IP address maps
82:              logins to particular users from particular hosts.  The allow/deny
302:              particular users from particular hosts.  The allow/deny
308:      FingerprintHash
325:              Specifies whether remote hosts are allowed to connect to ports
328:              hosts from connecting to forwarded ports.  GatewayPorts can be
330:              bind to non-loopback addresses, thus allowing other hosts to
347:      HostbasedAcceptedKeyTypes
348:              Specifies the key types that will be accepted for hostbased
353:      HostbasedAuthentication
354:              Specifies whether rhosts or /etc/hosts.equiv authentication
360:      HostbasedUsesNameFromPacketOnly
363:              ~/.rhosts, and /etc/hosts.equiv files during
364:              HostbasedAuthentication.  A setting of M-bM-^@M-^\yesM-bM-^@M-^] means that sshd(8)
369:      HostCertificate
372:              specified by HostKey.  The default behaviour of sshd(8) is not to
375:      HostKey
388:      HostKeyAgent
396:              RhostsRSAAuthentication or HostbasedAuthentication.
398:              /etc/hosts.equiv and /etc/shosts.equiv are still used.  The
403:              ~/.ssh/known_hosts during RhostsRSAAuthentication or
404:              HostbasedAuthentication.  The default is M-bM-^@M-^\noM-bM-^@M-^].
570:              GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes,
571:              HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IPQoS,
579:              X11Forwarding and X11UseLocalHost.
730:              Specifies whether rhosts or /etc/hosts.equiv authentication
875:              X11UseLocalhost below), though this is not the default.
891:      X11UseLocalhost
895:              the hostname part of the DISPLAY environment variable to
896:              M-bM-^@M-^\localhostM-bM-^@M-^].  This prevents remote hosts from connecting to the
898:              with this configuration.  X11UseLocalhost may be set to M-bM-^@M-^\noM-bM-^@M-^] to
357:              RhostsRSAAuthentication and applies to protocol version 2 only.
362:              reverse name lookup when matching the name in the ~/.shosts,
394:      IgnoreRhosts
395:              Specifies that .rhosts and .shosts files will not be used in
401:      IgnoreUserKnownHosts
577:              RhostsRSAAuthentication, RSAAuthentication, StreamLocalBindMask,
729:      RhostsRSAAuthentication
800:              indefinitely on the server, leaving M-bM-^@M-^\ghostM-bM-^@M-^] users and consuming
android.googlesource.com/platform/external/openssh:ssh_config.0: [ master, ]
21:      given in the specification.  The matched host name is usually the one
25:      Since the first obtained value for each parameter is used, more host-
42:      Host    Restricts the following declarations (up to the next Host or
47:              hosts.  The host is usually the hostname argument given on the
53:              Host entry is ignored, regardless of whether any other patterns
59:      Match   Restricts the following declarations (up to the next Host or
64:              host, originalhost, user, and localuser.  The all criteria must
73:              conditions that work with canonical host names only.  The exec
79:              first component of the local host name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted
80:              by the local host name (including any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be
81:              substituted by the target host name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by
82:              the original target host name specified on the command-line, M-bM-^@M-^X%pM-bM-^@M-^Y
88:              described in the PATTERNS section.  The criteria for the host
93:              the target username on the remote host.  The localuser keyword
117:              destination host.
140:              configuration in matching Host and Match stanzas.
167:              host IP address in the known_hosts file.  This allows ssh to
168:              detect if a host key changed due to DNS spoofing.  If the option
275:              will be substituted by the first component of the local host
276:              name, M-bM-^@M-^X%lM-bM-^@M-^Y will be substituted by the local host name (including
277:              any domain name), M-bM-^@M-^X%hM-bM-^@M-^Y will be substituted by the target host
278:              name, M-bM-^@M-^X%nM-bM-^@M-^Y will be substituted by the original target host name
281:              running ssh(1), and M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation:
344:              Specifies the hash algorithm used when displaying key
354:              ability to bypass file permissions on the remote host (for the
367:              ability to bypass file permissions on the remote host (for the
407:              Specifies one or more files to use for the global host key
421:              Indicates that ssh(1) should hash host names and addresses when
442:              Specifies the protocol version 2 host key algorithms that the
455:              If hostkeys are known for the destination host then this default
462:              Specifies an alias that should be used instead of the real host
463:              name when looking up or saving the host key in the host key
465:              connections or for multiple servers running on a single host.
468:              Specifies the real host name to log into.  This can be used to
471:              with the host name specified on the command line (this is useful
501: ...(13 bytes skipped)...user's home directory), M-bM-^@M-^X%uM-bM-^@M-^Y (local user name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host
502:              name), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name) or M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name).
567: ...(13 bytes skipped)...performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host
568:              name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the
570:              M-bM-^@M-^X%uM-bM-^@M-^Y (local user name) or M-bM-^@M-^X%CM-bM-^@M-^Y by a hash of the concatenation:
582:              the secure channel to the specified host and port from the remote
584:              second argument must be host:hostport.  IPv6 addresses can be
627:              warnings about changed host keys.  However, this option disables
628:              host authentication for localhost.  The argument to this keyword
629: ...(5 bytes skipped)...        must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is to check the host key for
651:      Port    Specifies the port number to connect on the remote host.  The
677:              by the host name to connect, M-bM-^@M-^X%pM-bM-^@M-^Y by the port, and M-bM-^@M-^X%rM-bM-^@M-^Y by the
681:              on some machine, or execute sshd -i somewhere.  Host key
682:              management will be done using the HostName of the host being
720:              the secure channel to the specified host and port from the local
722:              second argument must be host:hostport.  IPv6 addresses can be
746:              Specifies revoked host public keys.  Keys listed in this file
747:              will be refused for host authentication.  Note that if this file
748:              does not exist or is not readable, then host authentication will
756:              host authentication.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
829:              host keys to the ~/.ssh/known_hosts file, and refuses to connect
830:              to hosts whose host key has changed.  This provides maximum
835:              this flag is set to M-bM-^@M-^\noM-bM-^@M-^], ssh will automatically add new host
837:              M-bM-^@M-^\askM-bM-^@M-^], new host keys will be added to the user known host files
839:              to do, and ssh will refuse to connect to hosts whose host key has
840:              changed.  The host keys of known hosts will be verified
852:              client will notice if the network goes down or the remote host
881:              only accepted if the key used to authenticate the host was
905:              Specifies one or more files to use for the user host key
916:              to confirm new host keys according to the StrictHostKeyChecking
921:              See also VERIFYING HOST KEYS in ssh(1).
925:              remote host key fingerprint is printed in addition to the
926:              fingerprint string at login and for unknown host keys.  If this
928:              and only the fingerprint string will be printed for unknown host
939:      declarations for any host in the M-bM-^@M-^\.co.ukM-bM-^@M-^] set of domains, the following
942:            Host *.co.uk
944:      The following pattern would match any host in the 192.168.0.[0-9] network
947:            Host 192.168.0.?
19:      configuration files contain sections separated by M-bM-^@M-^\HostM-bM-^@M-^] specifications,
20:      and that section is only applied for hosts that match one of the patterns
43:              Match keyword) to be only for those hosts that match one of the
71:              being re-parsed after hostname canonicalization (see the
89:              keyword are matched against the target hostname, after any
90:              substitution by the Hostname or CanonicalizeHostname options.
91:              The originalhost keyword matches against the hostname as it was
120:              Specifies whether to fail with an error when hostname
122:              up the unqualified hostname using the system resolver's search
124:              CanonicalizeHostname is enabled and the target hostname cannot be
128:              Controls whether explicit hostname canonicalization is performed.
130:              the system resolver handle all hostname lookups.  If set to M-bM-^@M-^\yesM-bM-^@M-^]
132:              attempt to canonicalize the hostname specified on the command
143:              Specifies the maximum number of dot characters in a hostname
145:              single dot (i.e. hostname.subdomain).
149:              when canonicalizing hostnames.  The rules consist of one or more
156:              will allow hostnames matching M-bM-^@M-^\*.a.example.comM-bM-^@M-^] to be
325:              ssh-keysign(8) during HostbasedAuthentication.  The argument must
327:              placed in the non-hostspecific section.  See ssh-keysign(8) for
343:      FingerprintHash
397:              Specifies whether remote hosts are allowed to connect to local
399:              to the loopback address.  This prevents other remote hosts from
402:              wildcard address, thus allowing remote hosts to connect to
409:              /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
420:      HashKnownHosts
422:              they are added to ~/.ssh/known_hosts.  These hashed names may be
426:              known hosts files will not be converted automatically, but may be
427:              manually hashed using ssh-keygen(1).
429:      HostbasedAuthentication
435:      HostbasedKeyTypes
436:              Specifies the key types that will be used for hostbased
441:      HostKeyAlgorithms
461:      HostKeyAlias
467:      HostName
469:              specify nicknames or abbreviations for hosts.  If the hostname
478:              HostName specifications).
623:      NoHostAuthenticationForLocalhost
625:              machines.  In this case localhost will refer to a different
630:              localhost.
660:                    gssapi-with-mic,hostbased,publickey,
749:              be refused for all hosts.  Keys may be specified as a text file,
832:              annoying when the /etc/ssh/ssh_known_hosts file is poorly
833:              maintained or when connections to new hosts are frequently made.
834:              This option forces the user to manually add all new hosts.  If
836:              keys to the user known hosts files.  If this flag is set to
875:              additional hostkeys from the server sent after authentication has
878:              allows learning alternate hostkeys for a server and supports
880:              public keys before old ones are removed.  Additional hostkeys are
884:              the modifications to the known_hosts file.  Confirmation is
889:              M-bM-^@M-^\hostkeys@openssh.comM-bM-^@M-^] protocol extension used to inform the
890:              client of all the server's hostkeys.
907:              ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
22:      given on the command line (see the CanonicalizeHostname option for
48:              command line (see the CanonicalizeHostname option for
72:              CanonicalizeHostname option.)  This may be useful to specify
115:              When CanonicalizeHostname is enabled, this option specifies the
127:      CanonicalizeHostname
134:              CanonicalizePermittedCNAMEs rules.  If CanonicalizeHostname is
165:      CheckHostIP
313:              M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the listening port be bound for local
406:      GlobalKnownHostsFile
430:              Specifies whether to try rhosts based authentication with public
433:              and is similar to RhostsRSAAuthentication.
591:              address.  The bind_address of M-bM-^@M-^\localhostM-bM-^@M-^] indicates that the
685:              CheckHostIP is not available for connects with a proxy command.
745:      RevokedHostKeys
754:      RhostsRSAAuthentication
755:              Specifies whether to try rhosts based authentication with RSA
827:      StrictHostKeyChecking
873:      UpdateHostKeys
876:              completed and add them to UserKnownHostsFile.  The argument must
883:              UpdateHostKeys is set to M-bM-^@M-^\askM-bM-^@M-^], then the user is asked to confirm
896:              this option must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with
904:      UserKnownHostsFile
909:      VerifyHostKeyDNS
923:      VisualHostKey