path: root/usr.bin/ssh/sshd_config.5
author djm <djm@openbsd.org> 2008-11-04 08:22:12 +0000
committer djm <djm@openbsd.org> 2008-11-04 08:22:12 +0000
commit 5e1e7a5242b1ab8ed68e80b6a58e9bc53ef4eafc
tree 13db888820537cc1133bfad4411544b6abe5995c /usr.bin/ssh/sshd_config.5
parent volume scaling/setting cleanup:
Add support for an experimental zero-knowledge password authentication
method using the J-PAKE protocol described in F. Hao, P. Ryan,
"Password Authenticated Key Exchange by Juggling", 16th Workshop on
Security Protocols, Cambridge, April 2008.

This method allows password-based authentication without exposing
the password to the server. Instead, the client and server exchange
cryptographic proofs to demonstrate knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.

This is experimental, work-in-progress code and is presently
compile-time disabled (turn on -DJPAKE in Makefile.inc).

"just commit it. It isn't too intrusive." deraadt@
Diffstat (limited to 'usr.bin/ssh/sshd_config.5')
-rw-r--r-- usr.bin/ssh/sshd_config.5 18
1 files changed, 15 insertions, 3 deletions
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 28607a110ad..ac31845b311 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.97 2008/10/09 03:50:54 djm Exp $
-.Dd $Mdocdate: October 9 2008 $
+.\" $OpenBSD: sshd_config.5,v 1.98 2008/11/04 08:22:13 djm Exp $
+.Dd $Mdocdate: November 4 2008 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -612,8 +612,9 @@ Available keywords are
.Cm RSAAuthentication ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding ,
+.Cm X11UseLocalHost ,
and
-.Cm X11UseLocalHost .
+.Cm ZeroKnowledgePasswordAuthentication .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
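Review bot: ZeroKnowledgePasswordAuthentication is added to the "Available keywords are" list with no qualifier, although the commit message says the code is compile-time disabled unless -DJPAKE is turned on in Makefile.inc. Consider noting here, or in the keyword's own entry, that it is only present in builds with J-PAKE support, so that an administrator reading this list on a default build is not led to expect it.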
@@ -980,6 +981,17 @@ Specifies the full pathname of the
program.
The default is
.Pa /usr/X11R6/bin/xauth .
+.It Cm ZeroKnowledgePasswordAuthentication
+Specifies whether to use zero knowledge password authentication.
+This authentication method avoids exposure of password to untrusted
+hosts.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is currently
+.Dq no
+as this method is considered experimental.
.El
.Sh TIME FORMATS
.Xr sshd 8
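Review bot: the new entry's sentence "This authentication method avoids exposure of password to untrusted hosts" is missing an article and is vaguer than the commit message, which says the password is not exposed to the server. Suggest wording such as "avoids exposing the password to the server" and naming the J-PAKE protocol so that an administrator knows what is being enabled. The entry also writes "zero knowledge" where the commit message uses "zero-knowledge"; pick one spelling. Since the text already calls the method experimental, it would help to say what that means for deployment.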