author: Hans Nilsson <[email protected]> 2015-11-06 10:24:48 +0100
committer: Hans Nilsson <[email protected]> 2015-11-06 10:24:48 +0100
commit: a3bc0687a34623824bf980c9ed19eb204dcccf66
tree: 30cbb844aee7f3aef5cccdff73530a4198d3314a /lib/ssh/doc
parent: 0ce885af02b6666d498c408ff0188a5fd22c8575
parent: 7adbd6ee24fa7f1bb3c26d5106e7e38446405f16
Merge branch 'hans/ssh/random_modulus/OTP-13054' into maint

* hans/ssh/random_modulus/OTP-13054:
  ssh: correct a bad doc xref
  public_key: renamed priv/ssh_moduli -> priv/moduli
  ssh, public_key: updates after doc review
  ssh: changes after doc review
  ssh: extend 'dh_gex_limits' to server side
  ssh: option dh_gex_groups with tag ssh_moduli_file
  ssh, public_key: random selection of diffie-hellman moduli
Diffstat (limited to 'lib/ssh/doc')
-rw-r--r--  lib/ssh/doc/src/ssh.xml  | 38
1 files changed, 34 insertions, 4 deletions
diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml
index 2b190c98b6..5c18c48f65 100644
--- a/lib/ssh/doc/src/ssh.xml
+++ b/lib/ssh/doc/src/ssh.xml
@@ -462,15 +462,45 @@ kex is implicit but public_key is set explicitly.</p>
</warning>
</item>
- <tag><c><![CDATA[{dh_gex_groups, [{Size=integer(),G=integer(),P=integer()}] | {file,filename()} }]]></c></tag>
+ <tag><c><![CDATA[{dh_gex_groups, [{Size=integer(),G=integer(),P=integer()}] | {file,filename()} {ssh_moduli_file,filename()} }]]></c></tag>
<item>
- <p>Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated.
- See RFC 4419 for details.
+ <p>Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated.
+ See RFC 4419 for details. The three variants of this option are:
</p>
- <p>If the parameter is <c>{file,filename()}</c>, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts.
+ <taglist>
+ <tag><c>{Size=integer(),G=integer(),P=integer()}</c></tag>
+ <item>The groups are given explicitly in this list. There may be several elements with the same <c>Size</c>.
+ In such a case, the server will choose one randomly in the negotiated Size.
+ </item>
+ <tag><c>{file,filename()}</c></tag>
+ <item>The file must have one or more three-tuples <c>{Size=integer(),G=integer(),P=integer()}</c>
+ terminated by a dot. The file is read when the daemon starts.
+ </item>
+ <tag><c>{ssh_moduli_file,filename()}</c></tag>
+ <item>The file must be in
+ <seealso marker="public_key:public_key#dh_gex_group/4">ssh-keygen moduli file format</seealso>.
+ The file is read when the daemon starts.
+ </item>
+ </taglist>
+ <p>The default list is fetched from the
+ <seealso marker="public_key:public_key#dh_gex_group/4">public_key</seealso> application.
</p>
</item>
+ <tag><c><![CDATA[{dh_gex_limits,{Min=integer(),Max=integer()}}]]></c></tag>
+ <item>
+ <p>Limits what a client can ask for in diffie-hellman-group-exchange.
+ The limits will be
+ <c>{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}</c> where <c>MaxClient</c> and
+ <c>MinClient</c> are the values proposed by a connecting client.
+ </p>
+ <p>The default value is <c>{0,infinity}</c>.
+ </p>
+ <p>If <c>MaxUsed &lt; MinUsed</c> in a key exchange, it will fail with a disconnect.
+ </p>
+ <p>See RFC 4419 for the function of the Max and Min values.</p>
+ </item>
+
<tag><c><![CDATA[{pwdfun, fun(User::string(), password::string()) -> boolean()}]]></c></tag>
<item>
<p>Provides a function for password validation. This function is called
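Review bot: the rewritten `<tag>` line at the top of the hunk loses the `|` between the second and third alternatives of the type, reading `{file,filename()} {ssh_moduli_file,filename()} }`; it should read `{file,filename()} | {ssh_moduli_file,filename()} }` so that the three variants the taglist below then enumerates are all shown as alternatives of `dh_gex_groups`. Minor, in the new `dh_gex_limits` item: the option is written as `{Min=integer(),Max=integer()}` but the computed pair two lines later is written `{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}`, i.e. in the opposite order; writing it as `{MinUsed = max(MinClient,Min), MaxUsed = min(MaxClient,Max)}` keeps the element order consistent with the option and with the later `MaxUsed &lt; MinUsed` failure condition.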