author    Colin Watson <cjwatson@debian.org> 2003-09-01 18:33:32 +0000
committer Colin Watson <cjwatson@debian.org> 2003-09-01 18:33:32 +0000
commit    58bfa257481a1c6938ada9bbd38801cc45633fb0 (patch)
tree      385160ff5c19376a1e1bfd34fcf5c91cff42908e /sshd.0
parent    ae225aa5594655e3fa5685b4dd7f2ae0e1a5e2d7 (diff)
parent    58657d96514cd6f16d82add8d6f4adbb36765758 (diff)
Import OpenSSH 3.6p1.
Diffstat (limited to 'sshd.0')
-rw-r--r--  sshd.0  547
1 files changed, 547 insertions, 0 deletions
diff --git a/sshd.0 b/sshd.0
new file mode 100644
index 000000000..658af69a6
--- /dev/null
+++ b/sshd.0
@@ -0,0 +1,547 @@
1SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8)
2
3^[[1mNAME^[[0m
4 ^[[1msshd ^[[22mM-bMM-^R OpenSSH SSH daemon
5
6^[[1mSYNOPSIS^[[0m
7 ^[[1msshd ^[[22m[^[[1mM-bMM-^RdeiqtD46^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mconfig_file^[[24m] [^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[24m]
8 [^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[24m] [^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[24m] [^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[24m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m]
9
10^[[1mDESCRIPTION^[[0m
11 ^[[1msshd ^[[22m(SSH Daemon) is the daemon program for ssh(1). Together these proM-bM-^@M-^P
12 grams replace rlogin and rsh, and provide secure encrypted communications
13 between two untrusted hosts over an insecure network. The programs are
14 intended to be as easy to install and use as possible.
15
16 ^[[1msshd ^[[22mis the daemon that listens for connections from clients. It is norM-bM-^@M-^P
17 mally started at boot from ^[[4m/etc/rc^[[24m. It forks a new daemon for each
18 incoming connection. The forked daemons handle key exchange, encryption,
19 authentication, command execution, and data exchange. This implementaM-bM-^@M-^P
20 tion of ^[[1msshd ^[[22msupports both SSH protocol version 1 and 2 simultaneously.
21 ^[[1msshd ^[[22mworks as follows:
22
23 ^[[1mSSH protocol version 1^[[0m
24
25 Each host has a hostM-bM-^@M-^Pspecific RSA key (normally 1024 bits) used to idenM-bM-^@M-^P
26 tify the host. Additionally, when the daemon starts, it generates a
27 server RSA key (normally 768 bits). This key is normally regenerated
28 every hour if it has been used, and is never stored on disk.
29
30 Whenever a client connects, the daemon responds with its public host and
31 server keys. The client compares the RSA host key against its own
32 database to verify that it has not changed. The client then generates a
33 256 bit random number. It encrypts this random number using both the
34 host key and the server key, and sends the encrypted number to the
35 server. Both sides then use this random number as a session key which is
36 used to encrypt all further communications in the session. The rest of
37 the session is encrypted using a conventional cipher, currently Blowfish
38 or 3DES, with 3DES being used by default. The client selects the encrypM-bM-^@M-^P
39 tion algorithm to use from those offered by the server.
40
41 Next, the server and the client enter an authentication dialog. The
42 client tries to authenticate itself using ^[[4m.rhosts^[[24m authentication, ^[[4m.rhosts^[[0m
43 authentication combined with RSA host authentication, RSA challengeM-bM-^@M-^P
44 response authentication, or password based authentication.
45
46 Rhosts authentication is normally disabled because it is fundamentally
47 insecure, but can be enabled in the server configuration file if desired.
48 System security is not improved unless ^[[1mrshd^[[22m, ^[[1mrlogind^[[22m, and ^[[1mrexecd ^[[22mare disM-bM-^@M-^P
49 abled (thus completely disabling rlogin and rsh into the machine).
50
51 ^[[1mSSH protocol version 2^[[0m
52
53 Version 2 works similarly: Each host has a hostM-bM-^@M-^Pspecific key (RSA or DSA)
54 used to identify the host. However, when the daemon starts, it does not
55 generate a server key. Forward security is provided through a DiffieM-bM-^@M-^P
56 Hellman key agreement. This key agreement results in a shared session
57 key.
58
59 The rest of the session is encrypted using a symmetric cipher, currently
60 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit
61 AES. The client selects the encryption algorithm to use from those
62 offered by the server. Additionally, session integrity is provided
63 through a cryptographic message authentication code (hmacM-bM-^@M-^Psha1 or hmacM-bM-^@M-^P
64 md5).
65
66 Protocol version 2 provides a public key based user (PubkeyAuthenticaM-bM-^@M-^P
67 tion) or client host (HostbasedAuthentication) authentication method,
68 conventional password authentication and challenge response based methM-bM-^@M-^P
69 ods.
70
71 ^[[1mCommand execution and data forwarding^[[0m
72
73 If the client successfully authenticates itself, a dialog for preparing
74 the session is entered. At this time the client may request things like
75 allocating a pseudoM-bM-^@M-^Ptty, forwarding X11 connections, forwarding TCP/IP
76 connections, or forwarding the authentication agent connection over the
77 secure channel.
78
79 Finally, the client either requests a shell or execution of a command.
80 The sides then enter session mode. In this mode, either side may send
81 data at any time, and such data is forwarded to/from the shell or command
82 on the server side, and the user terminal in the client side.
83
84 When the user program terminates and all forwarded X11 and other connecM-bM-^@M-^P
85 tions have been closed, the server sends command exit status to the
86 client, and both sides exit.
87
88 ^[[1msshd ^[[22mcan be configured using commandM-bM-^@M-^Pline options or a configuration
89 file. CommandM-bM-^@M-^Pline options override values specified in the configuraM-bM-^@M-^P
90 tion file.
91
92 ^[[1msshd ^[[22mrereads its configuration file when it receives a hangup signal,
93 SIGHUP, by executing itself with the name it was started as, i.e.,
94 ^[[4m/usr/sbin/sshd^[[24m.
95
96 The options are as follows:
97
98 ^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[0m
99 Specifies the number of bits in the ephemeral protocol version 1
100 server key (default 768).
101
102 ^[[1mM-bMM-^Rd ^[[22mDebug mode. The server sends verbose debug output to the system
103 log, and does not put itself in the background. The server also
104 will not fork and will only process one connection. This option
105 is only intended for debugging for the server. Multiple ^[[1mM-bMM-^Rd^[[0m
106 options increase the debugging level. Maximum is 3.
107
108 ^[[1mM-bMM-^Re ^[[22mWhen this option is specified, ^[[1msshd ^[[22mwill send the output to the
109 standard error instead of the system log.
110
111 ^[[1mM-bMM-^Rf ^[[4m^[[22mconfiguration_file^[[0m
112 Specifies the name of the configuration file. The default is
113 ^[[4m/etc/ssh/sshd_config^[[24m. ^[[1msshd ^[[22mrefuses to start if there is no conM-bM-^@M-^P
114 figuration file.
115
116 ^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[0m
117 Gives the grace time for clients to authenticate themselves
118 (default 120 seconds). If the client fails to authenticate the
119 user within this many seconds, the server disconnects and exits.
120 A value of zero indicates no limit.
121
122 ^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[0m
123 Specifies a file from which a host key is read. This option must
124 be given if ^[[1msshd ^[[22mis not run as root (as the normal host key files
125 are normally not readable by anyone but root). The default is
126 ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and
127 ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P
128 tocol version 2. It is possible to have multiple host key files
129 for the different protocol versions and host key algorithms.
130
131 ^[[1mM-bMM-^Ri ^[[22mSpecifies that ^[[1msshd ^[[22mis being run from inetd(8). ^[[1msshd ^[[22mis normally
132 not run from inetd because it needs to generate the server key
133 before it can respond to the client, and this may take tens of
134 seconds. Clients would have to wait too long if the key was
135 regenerated every time. However, with small key sizes (e.g.,
136 512) using ^[[1msshd ^[[22mfrom inetd may be feasible.
137
138 ^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[0m
139 Specifies how often the ephemeral protocol version 1 server key
140 is regenerated (default 3600 seconds, or one hour). The motivaM-bM-^@M-^P
141 tion for regenerating the key fairly often is that the key is not
142 stored anywhere, and after about an hour, it becomes impossible
143 to recover the key for decrypting intercepted communications even
144 if the machine is cracked into or physically seized. A value of
145 zero indicates that the key will never be regenerated.
146
147 ^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[0m
148 Can be used to give options in the format used in the configuraM-bM-^@M-^P
149 tion file. This is useful for specifying options for which there
150 is no separate commandM-bM-^@M-^Pline flag.
151
152 ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m
153 Specifies the port on which the server listens for connections
154 (default 22). Multiple port options are permitted. Ports speciM-bM-^@M-^P
155 fied in the configuration file are ignored when a commandM-bM-^@M-^Pline
156 port is specified.
157
158 ^[[1mM-bMM-^Rq ^[[22mQuiet mode. Nothing is sent to the system log. Normally the
159 beginning, authentication, and termination of each connection is
160 logged.
161
162 ^[[1mM-bMM-^Rt ^[[22mTest mode. Only check the validity of the configuration file and
163 sanity of the keys. This is useful for updating ^[[1msshd ^[[22mreliably as
164 configuration options may change.
165
166 ^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m This option is used to specify the size of the field in the utmp
167 structure that holds the remote host name. If the resolved host
168 name is longer than ^[[4mlen^[[24m, the dotted decimal value will be used
169 instead. This allows hosts with very long host names that overM-bM-^@M-^P
170 flow this field to still be uniquely identified. Specifying ^[[1mM-bMM-^Ru0^[[0m
171 indicates that only dotted decimal addresses should be put into
172 the ^[[4mutmp^[[24m file. ^[[1mM-bMM-^Ru0 ^[[22mmay also be used to prevent ^[[1msshd ^[[22mfrom making
173 DNS requests unless the authentication mechanism or configuration
174 requires it. Authentication mechanisms that may require DNS
175 include ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication^[[22m,
176 ^[[1mHostbasedAuthentication ^[[22mand using a ^[[1mfrom="patternM-bM-^@M-^Plist" ^[[22moption in
177 a key file. Configuration options that require DNS include using
178 a USER@HOST pattern in ^[[1mAllowUsers ^[[22mor ^[[1mDenyUsers^[[22m.
179
180 ^[[1mM-bMM-^RD ^[[22mWhen this option is specified ^[[1msshd ^[[22mwill not detach and does not
181 become a daemon. This allows easy monitoring of ^[[1msshd^[[22m.
182
183 ^[[1mM-bMM-^R4 ^[[22mForces ^[[1msshd ^[[22mto use IPv4 addresses only.
184
185 ^[[1mM-bMM-^R6 ^[[22mForces ^[[1msshd ^[[22mto use IPv6 addresses only.
186
187^[[1mCONFIGURATION FILE^[[0m
188 ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file
189 specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file format and configuraM-bM-^@M-^P
190 tion options are described in sshd_config(5).
191
192^[[1mLOGIN PROCESS^[[0m
193 When a user successfully logs in, ^[[1msshd ^[[22mdoes the following:
194
195 1. If the login is on a tty, and no command has been specified,
196 prints last login time and ^[[4m/etc/motd^[[24m (unless prevented in the
197 configuration file or by ^[[4m$HOME/.hushlogin^[[24m; see the ^[[4mFILES^[[24m secM-bM-^@M-^P
198 tion).
199
200 2. If the login is on a tty, records login time.
201
202 3. Checks ^[[4m/etc/nologin^[[24m; if it exists, prints contents and quits
203 (unless root).
204
205 4. Changes to run with normal user privileges.
206
207 5. Sets up basic environment.
208
209 6. Reads ^[[4m$HOME/.ssh/environment^[[24m if it exists and users are
210 allowed to change their environment. See the
211 ^[[1mPermitUserEnvironment ^[[22moption in sshd_config(5).
212
213 7. Changes to userM-bM-^@M-^Ys home directory.
214
215 8. If ^[[4m$HOME/.ssh/rc^[[24m exists, runs it; else if ^[[4m/etc/ssh/sshrc^[[0m
216 exists, runs it; otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are
217 given the X11 authentication protocol and cookie in standard
218 input.
219
220 9. Runs userM-bM-^@M-^Ys shell or command.
221
222^[[1mAUTHORIZED_KEYS FILE FORMAT^[[0m
223 ^[[4m$HOME/.ssh/authorized_keys^[[24m is the default file that lists the public keys
224 that are permitted for RSA authentication in protocol version 1 and for
225 public key authentication (PubkeyAuthentication) in protocol version 2.
226 ^[[1mAuthorizedKeysFile ^[[22mmay be used to specify an alternative file.
227
228 Each line of the file contains one key (empty lines and lines starting
229 with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the
230 following fields, separated by spaces: options, bits, exponent, modulus,
231 comment. Each protocol version 2 public key consists of: options, keyM-bM-^@M-^P
232 type, base64 encoded key, comment. The options field is optional; its
233 presence is determined by whether the line starts with a number or not
234 (the options field never starts with a number). The bits, exponent, modM-bM-^@M-^P
235 ulus and comment fields give the RSA key for protocol version 1; the comM-bM-^@M-^P
236 ment field is not used for anything (but may be convenient for the user
237 to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\sshM-bM-^@M-^PdssM-bM-^@M-^] or
238 M-bM-^@M-^\sshM-bM-^@M-^PrsaM-bM-^@M-^].
239
240 Note that lines in this file are usually several hundred bytes long
241 (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type
242 them in; instead, copy the ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m or the ^[[4mid_rsa.pub^[[0m
243 file and edit it.
244
245 ^[[1msshd ^[[22menforces a minimum RSA key modulus size for protocol 1 and protocol
246 2 keys of 768 bits.
247
248 The options (if present) consist of commaM-bM-^@M-^Pseparated option specificaM-bM-^@M-^P
249 tions. No spaces are permitted, except within double quotes. The folM-bM-^@M-^P
250 lowing option specifications are supported (note that option keywords are
251 caseM-bM-^@M-^Pinsensitive):
252
253 ^[[1mfrom="patternM-bM-^@M-^Plist"^[[0m
254 Specifies that in addition to public key authentication, the
255 canonical name of the remote host must be present in the commaM-bM-^@M-^P
256 separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? serve as wildcards).
257 The list may also contain patterns negated by prefixing them with
258 M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the
259 key is not accepted. The purpose of this option is to optionally
260 increase security: public key authentication by itself does not
261 trust the network or name servers or anything (but the key); howM-bM-^@M-^P
262 ever, if somebody somehow steals the key, the key permits an
263 intruder to log in from anywhere in the world. This additional
264 option makes using a stolen key more difficult (name servers
265 and/or routers would have to be compromised in addition to just
266 the key).
267
268 ^[[1mcommand="command"^[[0m
269 Specifies that the command is executed whenever this key is used
270 for authentication. The command supplied by the user (if any) is
271 ignored. The command is run on a pty if the client requests a
272 pty; otherwise it is run without a tty. If an 8M-bM-^@M-^Pbit clean chanM-bM-^@M-^P
273 nel is required, one must not request a pty or should specify
274 ^[[1mnoM-bM-^@M-^Ppty^[[22m. A quote may be included in the command by quoting it
275 with a backslash. This option might be useful to restrict cerM-bM-^@M-^P
276 tain public keys to perform just a specific operation. An examM-bM-^@M-^P
277 ple might be a key that permits remote backups but nothing else.
278 Note that the client may specify TCP/IP and/or X11 forwarding
279 unless they are explicitly prohibited. Note that this option
280 applies to shell, command or subsystem execution.
281
282 ^[[1menvironment="NAME=value"^[[0m
283 Specifies that the string is to be added to the environment when
284 logging in using this key. Environment variables set this way
285 override other default environment values. Multiple options of
286 this type are permitted. Environment processing is disabled by
287 default and is controlled via the ^[[1mPermitUserEnvironment ^[[22moption.
288 This option is automatically disabled if ^[[1mUseLogin ^[[22mis enabled.
289
290 ^[[1mnoM-bM-^@M-^PportM-bM-^@M-^Pforwarding^[[0m
291 Forbids TCP/IP forwarding when this key is used for authenticaM-bM-^@M-^P
292 tion. Any port forward requests by the client will return an
293 error. This might be used, e.g., in connection with the ^[[1mcommand^[[0m
294 option.
295
296 ^[[1mnoM-bM-^@M-^PX11M-bM-^@M-^Pforwarding^[[0m
297 Forbids X11 forwarding when this key is used for authentication.
298 Any X11 forward requests by the client will return an error.
299
300 ^[[1mnoM-bM-^@M-^PagentM-bM-^@M-^Pforwarding^[[0m
301 Forbids authentication agent forwarding when this key is used for
302 authentication.
303
304 ^[[1mnoM-bM-^@M-^Ppty ^[[22mPrevents tty allocation (a request to allocate a pty will fail).
305
306 ^[[1mpermitopen="host:port"^[[0m
307 Limit local M-bM-^@M-^XM-bM-^@M-^Xssh M-bM-^@M-^PLM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only conM-bM-^@M-^P
308 nect to the specified host and port. IPv6 addresses can be specM-bM-^@M-^P
309 ified with an alternative syntax: ^[[4mhost/port^[[24m. Multiple ^[[1mpermitopen^[[0m
310 options may be applied separated by commas. No pattern matching
311 is performed on the specified hostnames, they must be literal
312 domains or addresses.
313
314 ^[[1mExamples^[[0m
315 1024 33 12121...312314325 ylo@foo.bar
316
317 from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula
318
319 command="dump /home",noM-bM-^@M-^Ppty,noM-bM-^@M-^PportM-bM-^@M-^Pforwarding 1024 33 23...2323
320 backup.hut.fi
321
322 permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323
323
324^[[1mSSH_KNOWN_HOSTS FILE FORMAT^[[0m
325 The ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m files contain
326 host public keys for all known hosts. The global file should be prepared
327 by the administrator (optional), and the perM-bM-^@M-^Puser file is maintained
328 automatically: whenever the user connects from an unknown host its key is
329 added to the perM-bM-^@M-^Puser file.
330
331 Each line in these files contains the following fields: hostnames, bits,
332 exponent, modulus, comment. The fields are separated by spaces.
333
334 Hostnames is a commaM-bM-^@M-^Pseparated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wildM-bM-^@M-^P
335 cards); each pattern in turn is matched against the canonical host name
336 (when authenticating a client) or against the userM-bM-^@M-^Psupplied name (when
337 authenticating a server). A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y! to
338 indicate negation: if the host name matches a negated pattern, it is not
339 accepted (by that line) even if it matched another pattern on the line.
340
341 Bits, exponent, and modulus are taken directly from the RSA host key;
342 they can be obtained, e.g., from ^[[4m/etc/ssh/ssh_host_key.pub^[[24m. The optional
343 comment field continues to the end of the line, and is not used.
344
345 Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
346
347 When performing host authentication, authentication is accepted if any
348 matching line has the proper key. It is thus permissible (but not recomM-bM-^@M-^P
349 mended) to have several lines or different host keys for the same names.
350 This will inevitably happen when short forms of host names from different
351 domains are put in the file. It is possible that the files contain conM-bM-^@M-^P
352 flicting information; authentication is accepted if valid information can
353 be found from either file.
354
355 Note that the lines in these files are typically hundreds of characters
356 long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand.
357 Rather, generate them by a script or by taking ^[[4m/etc/ssh/ssh_host_key.pub^[[0m
358 and adding the host names at the front.
359
360 ^[[1mExamples^[[0m
361
362 closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
363 cvs.openbsd.org,199.185.137.3 sshM-bM-^@M-^Prsa AAAA1234.....=
364
365^[[1mFILES^[[0m
366 /etc/ssh/sshd_config
367 Contains configuration data for ^[[1msshd^[[22m. The file format and conM-bM-^@M-^P
368 figuration options are described in sshd_config(5).
369
370 /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key,
371 /etc/ssh/ssh_host_rsa_key
372 These three files contain the private parts of the host keys.
373 These files should only be owned by root, readable only by root,
374 and not accessible to others. Note that ^[[1msshd ^[[22mdoes not start if
375 this file is group/worldM-bM-^@M-^Paccessible.
376
377 /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub,
378 /etc/ssh/ssh_host_rsa_key.pub
379 These three files contain the public parts of the host keys.
380 These files should be worldM-bM-^@M-^Preadable but writable only by root.
381 Their contents should match the respective private parts. These
382 files are not really used for anything; they are provided for the
383 convenience of the user so their contents can be copied to known
384 hosts files. These files are created using sshM-bM-^@M-^Pkeygen(1).
385
386 /etc/moduli
387 Contains DiffieM-bM-^@M-^PHellman groups used for the "DiffieM-bM-^@M-^PHellman Group
388 Exchange". The file format is described in moduli(5).
389
390 /var/empty
391 chroot(2) directory used by ^[[1msshd ^[[22mduring privilege separation in
392 the preM-bM-^@M-^Pauthentication phase. The directory should not contain
393 any files and must be owned by root and not group or worldM-bM-^@M-^P
394 writable.
395
396 /var/run/sshd.pid
397 Contains the process ID of the ^[[1msshd ^[[22mlistening for connections (if
398 there are several daemons running concurrently for different
399 ports, this contains the process ID of the one started last).
400 The content of this file is not sensitive; it can be worldM-bM-^@M-^PreadM-bM-^@M-^P
401 able.
402
403 $HOME/.ssh/authorized_keys
404 Lists the public keys (RSA or DSA) that can be used to log into
405 the userM-bM-^@M-^Ys account. This file must be readable by root (which
406 may on some machines imply it being worldM-bM-^@M-^Preadable if the userM-bM-^@M-^Ys
407 home directory resides on an NFS volume). It is recommended that
408 it not be accessible by others. The format of this file is
409 described above. Users will place the contents of their
410 ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m and/or ^[[4mid_rsa.pub^[[24m files into this file,
411 as described in sshM-bM-^@M-^Pkeygen(1).
412
413 /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts
414 These files are consulted when using rhosts with RSA host authenM-bM-^@M-^P
415 tication or protocol version 2 hostbased authentication to check
416 the public key of the host. The key must be listed in one of
417 these files to be accepted. The client uses the same files to
418 verify that it is connecting to the correct remote host. These
419 files should be writable only by root/the owner.
420 ^[[4m/etc/ssh/ssh_known_hosts^[[24m should be worldM-bM-^@M-^Preadable, and
421 ^[[4m$HOME/.ssh/known_hosts^[[24m can, but need not be, worldM-bM-^@M-^Preadable.
422
423 /etc/nologin
424 If this file exists, ^[[1msshd ^[[22mrefuses to let anyone except root log
425 in. The contents of the file are displayed to anyone trying to
426 log in, and nonM-bM-^@M-^Proot connections are refused. The file should be
427 worldM-bM-^@M-^Preadable.
428
429 /etc/hosts.allow, /etc/hosts.deny
430 Access controls that should be enforced by tcpM-bM-^@M-^Pwrappers are
431 defined here. Further details are described in hosts_access(5).
432
433 $HOME/.rhosts
434 This file contains hostM-bM-^@M-^Pusername pairs, separated by a space, one
435 per line. The given user on the corresponding host is permitted
436 to log in without a password. The same file is used by rlogind
437 and rshd. The file must be writable only by the user; it is recM-bM-^@M-^P
438 ommended that it not be accessible by others.
439
440 If is also possible to use netgroups in the file. Either host or
441 user name may be of the form +@groupname to specify all hosts or
442 all users in the group.
443
444 $HOME/.shosts
445 For ssh, this file is exactly the same as for ^[[4m.rhosts^[[24m. However,
446 this file is not used by rlogin and rshd, so using this permits
447 access using SSH only.
448
449 /etc/hosts.equiv
450 This file is used during ^[[4m.rhosts^[[24m authentication. In the simplest
451 form, this file contains host names, one per line. Users on
452 those hosts are permitted to log in without a password, provided
453 they have the same user name on both machines. The host name may
454 also be followed by a user name; such users are permitted to log
455 in as ^[[4many^[[24m user on this machine (except root). Additionally, the
456 syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated
457 entries start with M-bM-^@M-^XM-bM-^@M-^PM-bM-^@M-^Y.
458
459 If the client host/user is successfully matched in this file,
460 login is automatically permitted provided the client and server
461 user names are the same. Additionally, successful RSA host
462 authentication is normally required. This file must be writable
463 only by root; it is recommended that it be worldM-bM-^@M-^Preadable.
464
465 ^[[1mWarning: It is almost never a good idea to use user names in^[[0m
466 ^[[4mhosts.equiv^[[24m. Beware that it really means that the named user(s)
467 can log in as ^[[4manybody^[[24m, which includes bin, daemon, adm, and other
468 accounts that own critical binaries and directories. Using a
469 user name practically grants the user root access. The only
470 valid use for user names that I can think of is in negative
471 entries.
472
473 Note that this warning also applies to rsh/rlogin.
474
475 /etc/shosts.equiv
476 This is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. However, this
477 file may be useful in environments that want to run both
478 rsh/rlogin and ssh.
479
480 $HOME/.ssh/environment
481 This file is read into the environment at login (if it exists).
482 It can only contain empty lines, comment lines (that start with
483 M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file
484 should be writable only by the user; it need not be readable by
485 anyone else. Environment processing is disabled by default and
486 is controlled via the ^[[1mPermitUserEnvironment ^[[22moption.
487
488 $HOME/.ssh/rc
489 If this file exists, it is run with ^[[4m/bin/sh^[[24m after reading the
490 environment files but before starting the userM-bM-^@M-^Ys shell or comM-bM-^@M-^P
491 mand. It must not produce any output on stdout; stderr must be
492 used instead. If X11 forwarding is in use, it will receive the
493 "proto cookie" pair in its standard input (and DISPLAY in its
494 environment). The script must call xauth(1) because ^[[1msshd ^[[22mwill
495 not run xauth automatically to add X11 cookies.
496
497 The primary purpose of this file is to run any initialization
498 routines which may be needed before the userM-bM-^@M-^Ys home directory
499 becomes accessible; AFS is a particular example of such an enviM-bM-^@M-^P
500 ronment.
501
502 This file will probably contain some initialization code followed
503 by something similar to:
504
505 if read proto cookie && [ M-bM-^@M-^Pn "$DISPLAY" ]; then
506 if [ M-bM-^@M-^Xecho $DISPLAY | cut M-bM-^@M-^Pc1M-bM-^@M-^P10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then
507 # X11UseLocalhost=yes
508 echo add unix:M-bM-^@M-^Xecho $DISPLAY |
509 cut M-bM-^@M-^Pc11M-bM-^@M-^PM-bM-^@M-^X $proto $cookie
510 else
511 # X11UseLocalhost=no
512 echo add $DISPLAY $proto $cookie
513 fi | xauth M-bM-^@M-^Pq M-bM-^@M-^P
514 fi
515
516 If this file does not exist, ^[[4m/etc/ssh/sshrc^[[24m is run, and if that
517 does not exist either, xauth is used to add the cookie.
518
519 This file should be writable only by the user, and need not be
520 readable by anyone else.
521
522 /etc/ssh/sshrc
523 Like ^[[4m$HOME/.ssh/rc^[[24m. This can be used to specify machineM-bM-^@M-^Pspecific
524 loginM-bM-^@M-^Ptime initializations globally. This file should be
525 writable only by root, and should be worldM-bM-^@M-^Preadable.
526
527^[[1mAUTHORS^[[0m
528 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
529 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
530 de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P
531 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
532 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
533 for privilege separation.
534
535^[[1mSEE ALSO^[[0m
536 scp(1), sftp(1), ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1),
537 login.conf(5), moduli(5), sshd_config(5), sftpM-bM-^@M-^Pserver(8)
538
539 T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, ^[[4mSSH^[[0m
540 ^[[4mProtocol^[[24m ^[[4mArchitecture^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^ParchitectureM-bM-^@M-^P12.txt, January
541 2002, work in progress material.
542
543 M. Friedl, N. Provos, and W. A. Simpson, ^[[4mDiffieM-bM-^@M-^PHellman^[[24m ^[[4mGroup^[[24m ^[[4mExchange^[[0m
544 ^[[4mfor^[[24m ^[[4mthe^[[24m ^[[4mSSH^[[24m ^[[4mTransport^[[24m ^[[4mLayer^[[24m ^[[4mProtocol^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^PdhM-bM-^@M-^PgroupM-bM-^@M-^P
545 exchangeM-bM-^@M-^P02.txt, January 2002, work in progress material.
546
547BSD September 25, 1999 BSD
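Review bot: the committed sshd.0 is not a plain-text rendering of the manual page; throughout the hunk it carries raw terminal attribute sequences (`^[[1mNAME^[[0m`, `^[[4m/etc/ssh/sshd_config^[[24m`) and cat -v mangled multibyte punctuation (`M-bM-^@M-^P` where a hyphen belongs, `M-bM-^@M-^Y` for an apostrophe, so "hostM-bM-^@M-^Pspecific" and "userM-bM-^@M-^Ys"), which means the file was captured from a terminal-targeted formatter run in a UTF-8 locale rather than produced as 7-bit ASCII. A preformatted .0 page is meant to be readable with `cat` or a pager that does not interpret escape sequences, so as committed it will display as garbage on many systems and the option names in SYNOPSIS (`-b`, `-f`, `-g`, ...) are unreadable; regenerate it with the ASCII output device and strip overstrikes (for example `nroff -mandoc -Tascii sshd.8 | col -b`) before merging. The embedded `$HOME/.ssh/rc` example at "if read proto cookie && [ -n "$DISPLAY" ]" is affected in the same way (its `-n`, `-c1-10` and `-q -` flags and the backquotes are mangled), so a user copying it from this file would get a non-working script.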