Diffstat (limited to 'lib/ssh/doc/src/ssh.xml')
-rw-r--r-- | lib/ssh/doc/src/ssh.xml | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index a0355219a1..b88bdc1667 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -565,6 +565,26 @@ </p> </item> + <tag><marker id="option-pk_check_user"/><c>pk_check_user</c></tag> + <item> + <p>Enables checking of the + <seetype marker="#authentication_client_options">client's user name</seetype> + in the server when doing public key authentication. It is disabled by default. + </p> + <p>The term "user" is used differently in OpenSSH and SSH in Erlang/OTP: + see more in the <seeguide marker="terminology#the-term--user-">User's Guide</seeguide>. + </p> + <p>If the option is enabled, and no + <seeerl marker="#option-pwdfun"><c>pwdfun</c></seeerl> + is present, the user name must present in the + <seeerl marker="#option-user_passwords">user_passwords</seeerl> + for the check to succeed but the value of the password is not checked. + </p> + <p>In case of a <seeerl marker="#option-pwdfun"><c>pwdfun</c></seeerl> + checking the user, the atom <c>pubkey</c> is put in the password argument. + </p> + </item> + <tag><marker id="option-password"/><c>password</c></tag> <item> <p>Provides a global password that authenticates any user.</p> @@ -587,7 +607,6 @@ the <c>State</c> variable could be used. This state is per connection only. The first time the pwdfun is called for a connection, the <c>State</c> variable has the value <c>undefined</c>. </p> - <p>The fun should return: </p> <list type="bulleted"> 
@@ -598,9 +617,12 @@ <item><c>{true, NewState:any()}</c> if the user and password is valid</item> <item><c>{false, NewState:any()}</c> if the user or password is invalid</item> </list> - <p>A third usage is to block login attempts from a missbehaving peer. The <c>State</c> described above can be used for this. The return value <c>disconnect</c> is useful for this.</p> + <p>In case of the <seeerl marker="#option-pk_check_user"><c>pk_check_user</c></seeerl> is set, + the atom <c>pubkey</c> is put in the password argument when validating a public key login. The + pwdfun is then responsible to check that the user name is valid. + </p> </item> <tag><c>pwdfun</c> with @@ -613,6 +635,10 @@ <item><c>true</c> if the user and password is valid</item> <item><c>false</c> if the user or password is invalid</item> </list> + <p>In case of the <seeerl marker="#option-pk_check_user"><c>pk_check_user</c></seeerl> is set, + the atom <c>pubkey</c> is put in the password argument when validating a public key login. The + pwdfun is then responsible to check that the user name is valid. + </p> <p>This variant is kept for compatibility.</p> </item> </taglist> |
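Review bot: In the third paragraph of the new pk_check_user item (hunk at -565,6), "the user name must present in the user_passwords" is missing "be", and user_passwords is not wrapped in <c> the way pwdfun is in the same sentence. Suggest "the user name must be present in the <c>user_passwords</c> list for the check to succeed". The entry also says the option "is disabled by default" without naming the value that enables it; stating the accepted values in the first paragraph would make the entry usable on its own.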
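Review bot: The paragraph added at the end of the first pwdfun item (hunk at -598,9) opens with "In case of the ... is set", which does not parse; "If <c>pk_check_user</c> is set" reads correctly, and "responsible to check" should be "responsible for checking". Because the password argument is now the atom pubkey rather than a password, the text should say explicitly that an existing pwdfun has to handle that value before the option is turned on, since a fun written only for password logins may not expect it.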
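Review bot: The paragraph added before "This variant is kept for compatibility." (hunk at -613,6) is a verbatim copy of the one added to the previous pwdfun item, so the same wording fix applies and the two copies can drift apart later; consider stating it once under pk_check_user and linking from both pwdfun items. The list just above it still reads "true if the user and password is valid", which does not cover a call where the password argument is pubkey; a sentence saying the return value then reflects the user name check alone would remove the ambiguity.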