| author | Colin Watson <cjwatson@debian.org> | 2010-01-24 21:19:46 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-01-24 21:19:46 +0000 |
| commit | 1e4cfeee6c17b02af09418c5afe4a4d71aaaf0c8 (patch) | |
| tree | 2b17a8cdc39aef9ad5cd73ecc25b3dfaa6d2267a /sshd.0 | |
| parent | 7fe2877662d34ef04c67884cfcffce60a6444f18 (diff) | |
| parent | 54af7a4ae8d455791a631bdfaade4b64436ae16a (diff) | |
Import 5.3p1 tarball
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 574 |
1 files changed, 574 insertions, 0 deletions
@@ -0,0 +1,574 @@ | |||
1 | SSHD(8) OpenBSD System Manager's Manual SSHD(8) | ||
2 | |||
3 | NAME | ||
4 | sshd - OpenSSH SSH daemon | ||
5 | |||
6 | SYNOPSIS | ||
7 | sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-f config_file] | ||
8 | [-g login_grace_time] [-h host_key_file] [-k key_gen_time] | ||
9 | [-o option] [-p port] [-u len] | ||
10 | |||
11 | DESCRIPTION | ||
12 | sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these | ||
13 | programs replace rlogin(1) and rsh(1), and provide secure encrypted com- | ||
14 | munications between two untrusted hosts over an insecure network. | ||
15 | |||
16 | sshd listens for connections from clients. It is normally started at | ||
17 | boot from /etc/rc. It forks a new daemon for each incoming connection. | ||
18 | The forked daemons handle key exchange, encryption, authentication, com- | ||
19 | mand execution, and data exchange. | ||
20 | |||
21 | sshd can be configured using command-line options or a configuration file | ||
22 | (by default sshd_config(5)); command-line options override values speci- | ||
23 | fied in the configuration file. sshd rereads its configuration file when | ||
24 | it receives a hangup signal, SIGHUP, by executing itself with the name | ||
25 | and options it was started with, e.g. /usr/sbin/sshd. | ||
26 | |||
27 | The options are as follows: | ||
28 | |||
29 | -4 Forces sshd to use IPv4 addresses only. | ||
30 | |||
31 | -6 Forces sshd to use IPv6 addresses only. | ||
32 | |||
33 | -b bits | ||
34 | Specifies the number of bits in the ephemeral protocol version 1 | ||
35 | server key (default 1024). | ||
36 | |||
37 | -C connection_spec | ||
38 | Specify the connection parameters to use for the -T extended test | ||
39 | mode. If provided, any Match directives in the configuration | ||
40 | file that would apply to the specified user, host, and address | ||
41 | will be set before the configuration is written to standard out- | ||
42 | put. The connection parameters are supplied as keyword=value | ||
43 | pairs. The keywords are ``user'', ``host'', and ``addr''. All | ||
44 | are required and may be supplied in any order, either with multi- | ||
45 | ple -C options or as a comma-separated list. | ||
46 | |||
47 | -D When this option is specified, sshd will not detach and does not | ||
48 | become a daemon. This allows easy monitoring of sshd. | ||
49 | |||
50 | -d Debug mode. The server sends verbose debug output to the system | ||
51 | log, and does not put itself in the background. The server also | ||
52 | will not fork and will only process one connection. This option | ||
53 | is only intended for debugging for the server. Multiple -d op- | ||
54 | tions increase the debugging level. Maximum is 3. | ||
55 | |||
56 | -e When this option is specified, sshd will send the output to the | ||
57 | standard error instead of the system log. | ||
58 | |||
59 | -f config_file | ||
60 | Specifies the name of the configuration file. The default is | ||
61 | /etc/ssh/sshd_config. sshd refuses to start if there is no con- | ||
62 | figuration file. | ||
63 | |||
64 | -g login_grace_time | ||
65 | Gives the grace time for clients to authenticate themselves (de- | ||
66 | fault 120 seconds). If the client fails to authenticate the user | ||
67 | within this many seconds, the server disconnects and exits. A | ||
68 | value of zero indicates no limit. | ||
69 | |||
70 | -h host_key_file | ||
71 | Specifies a file from which a host key is read. This option must | ||
72 | be given if sshd is not run as root (as the normal host key files | ||
73 | are normally not readable by anyone but root). The default is | ||
74 | /etc/ssh/ssh_host_key for protocol version 1, and | ||
75 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | ||
76 | tocol version 2. It is possible to have multiple host key files | ||
77 | for the different protocol versions and host key algorithms. | ||
78 | |||
79 | -i Specifies that sshd is being run from inetd(8). sshd is normally | ||
80 | not run from inetd because it needs to generate the server key | ||
81 | before it can respond to the client, and this may take tens of | ||
82 | seconds. Clients would have to wait too long if the key was re- | ||
83 | generated every time. However, with small key sizes (e.g. 512) | ||
84 | using sshd from inetd may be feasible. | ||
85 | |||
86 | -k key_gen_time | ||
87 | Specifies how often the ephemeral protocol version 1 server key | ||
88 | is regenerated (default 3600 seconds, or one hour). The motiva- | ||
89 | tion for regenerating the key fairly often is that the key is not | ||
90 | stored anywhere, and after about an hour it becomes impossible to | ||
91 | recover the key for decrypting intercepted communications even if | ||
92 | the machine is cracked into or physically seized. A value of ze- | ||
93 | ro indicates that the key will never be regenerated. | ||
94 | |||
95 | -o option | ||
96 | Can be used to give options in the format used in the configura- | ||
97 | tion file. This is useful for specifying options for which there | ||
98 | is no separate command-line flag. For full details of the op- | ||
99 | tions, and their values, see sshd_config(5). | ||
100 | |||
101 | -p port | ||
102 | Specifies the port on which the server listens for connections | ||
103 | (default 22). Multiple port options are permitted. Ports speci- | ||
104 | fied in the configuration file with the Port option are ignored | ||
105 | when a command-line port is specified. Ports specified using the | ||
106 | ListenAddress option override command-line ports. | ||
107 | |||
108 | -q Quiet mode. Nothing is sent to the system log. Normally the be- | ||
109 | ginning, authentication, and termination of each connection is | ||
110 | logged. | ||
111 | |||
112 | -T Extended test mode. Check the validity of the configuration | ||
113 | file, output the effective configuration to stdout and then exit. | ||
114 | Optionally, Match rules may be applied by specifying the connec- | ||
115 | tion parameters using one or more -C options. | ||
116 | |||
117 | -t Test mode. Only check the validity of the configuration file and | ||
118 | sanity of the keys. This is useful for updating sshd reliably as | ||
119 | configuration options may change. | ||
120 | |||
121 | -u len This option is used to specify the size of the field in the utmp | ||
122 | structure that holds the remote host name. If the resolved host | ||
123 | name is longer than len, the dotted decimal value will be used | ||
124 | instead. This allows hosts with very long host names that over- | ||
125 | flow this field to still be uniquely identified. Specifying -u0 | ||
126 | indicates that only dotted decimal addresses should be put into | ||
127 | the utmp file. -u0 may also be used to prevent sshd from making | ||
128 | DNS requests unless the authentication mechanism or configuration | ||
129 | requires it. Authentication mechanisms that may require DNS in- | ||
130 | clude RhostsRSAAuthentication, HostbasedAuthentication, and using | ||
131 | a from="pattern-list" option in a key file. Configuration op- | ||
132 | tions that require DNS include using a USER@HOST pattern in | ||
133 | AllowUsers or DenyUsers. | ||
134 | |||
135 | AUTHENTICATION | ||
136 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols | ||
137 | are supported by default, though this can be changed via the Protocol op- | ||
138 | tion in sshd_config(5). Protocol 2 supports both RSA and DSA keys; pro- | ||
139 | tocol 1 only supports RSA keys. For both protocols, each host has a | ||
140 | host-specific key, normally 2048 bits, used to identify the host. | ||
141 | |||
142 | Forward security for protocol 1 is provided through an additional server | ||
143 | key, normally 768 bits, generated when the server starts. This key is | ||
144 | normally regenerated every hour if it has been used, and is never stored | ||
145 | on disk. Whenever a client connects, the daemon responds with its public | ||
146 | host and server keys. The client compares the RSA host key against its | ||
147 | own database to verify that it has not changed. The client then gener- | ||
148 | ates a 256-bit random number. It encrypts this random number using both | ||
149 | the host key and the server key, and sends the encrypted number to the | ||
150 | server. Both sides then use this random number as a session key which is | ||
151 | used to encrypt all further communications in the session. The rest of | ||
152 | the session is encrypted using a conventional cipher, currently Blowfish | ||
153 | or 3DES, with 3DES being used by default. The client selects the encryp- | ||
154 | tion algorithm to use from those offered by the server. | ||
155 | |||
156 | For protocol 2, forward security is provided through a Diffie-Hellman key | ||
157 | agreement. This key agreement results in a shared session key. The rest | ||
158 | of the session is encrypted using a symmetric cipher, currently 128-bit | ||
159 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The | ||
160 | client selects the encryption algorithm to use from those offered by the | ||
161 | server. Additionally, session integrity is provided through a crypto- | ||
162 | graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or | ||
163 | hmac-ripemd160). | ||
164 | |||
165 | Finally, the server and the client enter an authentication dialog. The | ||
166 | client tries to authenticate itself using host-based authentication, pub- | ||
167 | lic key authentication, challenge-response authentication, or password | ||
168 | authentication. | ||
169 | |||
170 | Regardless of the authentication type, the account is checked to ensure | ||
171 | that it is accessible. An account is not accessible if it is locked, | ||
172 | listed in DenyUsers or its group is listed in DenyGroups . The defini- | ||
173 | tion of a locked account is system dependant. Some platforms have their | ||
174 | own account database (eg AIX) and some modify the passwd field ( `*LK*' | ||
175 | on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a | ||
176 | leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If | ||
177 | there is a requirement to disable password authentication for the account | ||
178 | while allowing still public-key, then the passwd field should be set to | ||
179 | something other than these values (eg `NP' or `*NP*' ). | ||
180 | |||
181 | If the client successfully authenticates itself, a dialog for preparing | ||
182 | the session is entered. At this time the client may request things like | ||
183 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con- | ||
184 | nections, or forwarding the authentication agent connection over the se- | ||
185 | cure channel. | ||
186 | |||
187 | After this, the client either requests a shell or execution of a command. | ||
188 | The sides then enter session mode. In this mode, either side may send | ||
189 | data at any time, and such data is forwarded to/from the shell or command | ||
190 | on the server side, and the user terminal in the client side. | ||
191 | |||
192 | When the user program terminates and all forwarded X11 and other connec- | ||
193 | tions have been closed, the server sends command exit status to the | ||
194 | client, and both sides exit. | ||
195 | |||
196 | LOGIN PROCESS | ||
197 | When a user successfully logs in, sshd does the following: | ||
198 | |||
199 | 1. If the login is on a tty, and no command has been specified, | ||
200 | prints last login time and /etc/motd (unless prevented in the | ||
201 | configuration file or by ~/.hushlogin; see the FILES section). | ||
202 | |||
203 | 2. If the login is on a tty, records login time. | ||
204 | |||
205 | 3. Checks /etc/nologin; if it exists, prints contents and quits | ||
206 | (unless root). | ||
207 | |||
208 | 4. Changes to run with normal user privileges. | ||
209 | |||
210 | 5. Sets up basic environment. | ||
211 | |||
212 | 6. Reads the file ~/.ssh/environment, if it exists, and users are | ||
213 | allowed to change their environment. See the | ||
214 | PermitUserEnvironment option in sshd_config(5). | ||
215 | |||
216 | 7. Changes to user's home directory. | ||
217 | |||
218 | 8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, | ||
219 | runs it; otherwise runs xauth. The ``rc'' files are given the | ||
220 | X11 authentication protocol and cookie in standard input. See | ||
221 | SSHRC, below. | ||
222 | |||
223 | 9. Runs user's shell or command. | ||
224 | |||
225 | SSHRC | ||
226 | If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment | ||
227 | files but before starting the user's shell or command. It must not pro- | ||
228 | duce any output on stdout; stderr must be used instead. If X11 forward- | ||
229 | ing is in use, it will receive the "proto cookie" pair in its standard | ||
230 | input (and DISPLAY in its environment). The script must call xauth(1) | ||
231 | because sshd will not run xauth automatically to add X11 cookies. | ||
232 | |||
233 | The primary purpose of this file is to run any initialization routines | ||
234 | which may be needed before the user's home directory becomes accessible; | ||
235 | AFS is a particular example of such an environment. | ||
236 | |||
237 | This file will probably contain some initialization code followed by | ||
238 | something similar to: | ||
239 | |||
240 | if read proto cookie && [ -n "$DISPLAY" ]; then | ||
241 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | ||
242 | # X11UseLocalhost=yes | ||
243 | echo add unix:`echo $DISPLAY | | ||
244 | cut -c11-` $proto $cookie | ||
245 | else | ||
246 | # X11UseLocalhost=no | ||
247 | echo add $DISPLAY $proto $cookie | ||
248 | fi | xauth -q - | ||
249 | fi | ||
250 | |||
251 | If this file does not exist, /etc/ssh/sshrc is run, and if that does not | ||
252 | exist either, xauth is used to add the cookie. | ||
253 | |||
254 | AUTHORIZED_KEYS FILE FORMAT | ||
255 | AuthorizedKeysFile specifies the file containing public keys for public | ||
256 | key authentication; if none is specified, the default is | ||
257 | ~/.ssh/authorized_keys. Each line of the file contains one key (empty | ||
258 | lines and lines starting with a `#' are ignored as comments). Protocol 1 | ||
259 | public keys consist of the following space-separated fields: options, | ||
260 | bits, exponent, modulus, comment. Protocol 2 public key consist of: op- | ||
261 | tions, keytype, base64-encoded key, comment. The options field is op- | ||
262 | tional; its presence is determined by whether the line starts with a num- | ||
263 | ber or not (the options field never starts with a number). The bits, ex- | ||
264 | ponent, modulus, and comment fields give the RSA key for protocol version | ||
265 | 1; the comment field is not used for anything (but may be convenient for | ||
266 | the user to identify the key). For protocol version 2 the keytype is | ||
267 | ``ssh-dss'' or ``ssh-rsa''. | ||
268 | |||
269 | Note that lines in this file are usually several hundred bytes long (be- | ||
270 | cause of the size of the public key encoding) up to a limit of 8 kilo- | ||
271 | bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 | ||
272 | kilobits. You don't want to type them in; instead, copy the | ||
273 | identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it. | ||
274 | |||
275 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | ||
276 | 2 keys of 768 bits. | ||
277 | |||
278 | The options (if present) consist of comma-separated option specifica- | ||
279 | tions. No spaces are permitted, except within double quotes. The fol- | ||
280 | lowing option specifications are supported (note that option keywords are | ||
281 | case-insensitive): | ||
282 | |||
283 | command="command" | ||
284 | Specifies that the command is executed whenever this key is used | ||
285 | for authentication. The command supplied by the user (if any) is | ||
286 | ignored. The command is run on a pty if the client requests a | ||
287 | pty; otherwise it is run without a tty. If an 8-bit clean chan- | ||
288 | nel is required, one must not request a pty or should specify no- | ||
289 | pty. A quote may be included in the command by quoting it with a | ||
290 | backslash. This option might be useful to restrict certain pub- | ||
291 | lic keys to perform just a specific operation. An example might | ||
292 | be a key that permits remote backups but nothing else. Note that | ||
293 | the client may specify TCP and/or X11 forwarding unless they are | ||
294 | explicitly prohibited. The command originally supplied by the | ||
295 | client is available in the SSH_ORIGINAL_COMMAND environment vari- | ||
296 | able. Note that this option applies to shell, command or subsys- | ||
297 | tem execution. | ||
298 | |||
299 | environment="NAME=value" | ||
300 | Specifies that the string is to be added to the environment when | ||
301 | logging in using this key. Environment variables set this way | ||
302 | override other default environment values. Multiple options of | ||
303 | this type are permitted. Environment processing is disabled by | ||
304 | default and is controlled via the PermitUserEnvironment option. | ||
305 | This option is automatically disabled if UseLogin is enabled. | ||
306 | |||
307 | from="pattern-list" | ||
308 | Specifies that in addition to public key authentication, either | ||
309 | the canonical name of the remote host or its IP address must be | ||
310 | present in the comma-separated list of patterns. See PATTERNS in | ||
311 | ssh_config(5) for more information on patterns. | ||
312 | |||
313 | In addition to the wildcard matching that may be applied to host- | ||
314 | names or addresses, a from stanza may match IP addresses using | ||
315 | CIDR address/masklen notation. | ||
316 | |||
317 | The purpose of this option is to optionally increase security: | ||
318 | public key authentication by itself does not trust the network or | ||
319 | name servers or anything (but the key); however, if somebody | ||
320 | somehow steals the key, the key permits an intruder to log in | ||
321 | from anywhere in the world. This additional option makes using a | ||
322 | stolen key more difficult (name servers and/or routers would have | ||
323 | to be compromised in addition to just the key). | ||
324 | |||
325 | no-agent-forwarding | ||
326 | Forbids authentication agent forwarding when this key is used for | ||
327 | authentication. | ||
328 | |||
329 | no-port-forwarding | ||
330 | Forbids TCP forwarding when this key is used for authentication. | ||
331 | Any port forward requests by the client will return an error. | ||
332 | This might be used, e.g. in connection with the command option. | ||
333 | |||
334 | no-pty Prevents tty allocation (a request to allocate a pty will fail). | ||
335 | |||
336 | no-user-rc | ||
337 | Disables execution of ~/.ssh/rc. | ||
338 | |||
339 | no-X11-forwarding | ||
340 | Forbids X11 forwarding when this key is used for authentication. | ||
341 | Any X11 forward requests by the client will return an error. | ||
342 | |||
343 | permitopen="host:port" | ||
344 | Limit local ``ssh -L'' port forwarding such that it may only con- | ||
345 | nect to the specified host and port. IPv6 addresses can be spec- | ||
346 | ified with an alternative syntax: host/port. Multiple permitopen | ||
347 | options may be applied separated by commas. No pattern matching | ||
348 | is performed on the specified hostnames, they must be literal do- | ||
349 | mains or addresses. | ||
350 | |||
351 | tunnel="n" | ||
352 | Force a tun(4) device on the server. Without this option, the | ||
353 | next available device will be used if the client requests a tun- | ||
354 | nel. | ||
355 | |||
356 | An example authorized_keys file: | ||
357 | |||
358 | # Comments allowed at start of line | ||
359 | ssh-rsa AAAAB3Nza...LiPk== user@example.net | ||
360 | from="*.sales.example.net,!pc.sales.example.net" ssh-rsa | ||
361 | AAAAB2...19Q== john@example.net | ||
362 | command="dump /home",no-pty,no-port-forwarding ssh-dss | ||
363 | AAAAC3...51R== example.net | ||
364 | permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss | ||
365 | AAAAB5...21S== | ||
366 | tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== | ||
367 | jane@example.net | ||
368 | |||
369 | SSH_KNOWN_HOSTS FILE FORMAT | ||
370 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host | ||
371 | public keys for all known hosts. The global file should be prepared by | ||
372 | the administrator (optional), and the per-user file is maintained auto- | ||
373 | matically: whenever the user connects from an unknown host, its key is | ||
374 | added to the per-user file. | ||
375 | |||
376 | Each line in these files contains the following fields: hostnames, bits, | ||
377 | exponent, modulus, comment. The fields are separated by spaces. | ||
378 | |||
379 | Hostnames is a comma-separated list of patterns (`*' and `?' act as wild- | ||
380 | cards); each pattern in turn is matched against the canonical host name | ||
381 | (when authenticating a client) or against the user-supplied name (when | ||
382 | authenticating a server). A pattern may also be preceded by `!' to indi- | ||
383 | cate negation: if the host name matches a negated pattern, it is not ac- | ||
384 | cepted (by that line) even if it matched another pattern on the line. A | ||
385 | hostname or address may optionally be enclosed within `[' and `]' brack- | ||
386 | ets then followed by `:' and a non-standard port number. | ||
387 | |||
388 | Alternately, hostnames may be stored in a hashed form which hides host | ||
389 | names and addresses should the file's contents be disclosed. Hashed | ||
390 | hostnames start with a `|' character. Only one hashed hostname may ap- | ||
391 | pear on a single line and none of the above negation or wildcard opera- | ||
392 | tors may be applied. | ||
393 | |||
394 | Bits, exponent, and modulus are taken directly from the RSA host key; | ||
395 | they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The | ||
396 | optional comment field continues to the end of the line, and is not used. | ||
397 | |||
398 | Lines starting with `#' and empty lines are ignored as comments. | ||
399 | |||
400 | When performing host authentication, authentication is accepted if any | ||
401 | matching line has the proper key. It is thus permissible (but not recom- | ||
402 | mended) to have several lines or different host keys for the same names. | ||
403 | This will inevitably happen when short forms of host names from different | ||
404 | domains are put in the file. It is possible that the files contain con- | ||
405 | flicting information; authentication is accepted if valid information can | ||
406 | be found from either file. | ||
407 | |||
408 | Note that the lines in these files are typically hundreds of characters | ||
409 | long, and you definitely don't want to type in the host keys by hand. | ||
410 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub | ||
411 | and adding the host names at the front. | ||
412 | |||
413 | An example ssh_known_hosts file: | ||
414 | |||
415 | # Comments allowed at start of line | ||
416 | closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net | ||
417 | cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....= | ||
418 | # A hashed hostname | ||
419 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
420 | AAAA1234.....= | ||
421 | |||
422 | FILES | ||
423 | ~/.hushlogin | ||
424 | This file is used to suppress printing the last login time and | ||
425 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | ||
426 | abled. It does not suppress printing of the banner specified by | ||
427 | Banner. | ||
428 | |||
429 | ~/.rhosts | ||
430 | This file is used for host-based authentication (see ssh(1) for | ||
431 | more information). On some machines this file may need to be | ||
432 | world-readable if the user's home directory is on an NFS parti- | ||
433 | tion, because sshd reads it as root. Additionally, this file | ||
434 | must be owned by the user, and must not have write permissions | ||
435 | for anyone else. The recommended permission for most machines is | ||
436 | read/write for the user, and not accessible by others. | ||
437 | |||
438 | ~/.shosts | ||
439 | This file is used in exactly the same way as .rhosts, but allows | ||
440 | host-based authentication without permitting login with | ||
441 | rlogin/rsh. | ||
442 | |||
443 | ~/.ssh/ | ||
444 | This directory is the default location for all user-specific con- | ||
445 | figuration and authentication information. There is no general | ||
446 | requirement to keep the entire contents of this directory secret, | ||
447 | but the recommended permissions are read/write/execute for the | ||
448 | user, and not accessible by others. | ||
449 | |||
450 | ~/.ssh/authorized_keys | ||
451 | Lists the public keys (RSA/DSA) that can be used for logging in | ||
452 | as this user. The format of this file is described above. The | ||
453 | content of the file is not highly sensitive, but the recommended | ||
454 | permissions are read/write for the user, and not accessible by | ||
455 | others. | ||
456 | |||
457 | If this file, the ~/.ssh directory, or the user's home directory | ||
458 | are writable by other users, then the file could be modified or | ||
459 | replaced by unauthorized users. In this case, sshd will not al- | ||
460 | low it to be used unless the StrictModes option has been set to | ||
461 | ``no''. | ||
462 | |||
463 | ~/.ssh/environment | ||
464 | This file is read into the environment at login (if it exists). | ||
465 | It can only contain empty lines, comment lines (that start with | ||
466 | `#'), and assignment lines of the form name=value. The file | ||
467 | should be writable only by the user; it need not be readable by | ||
468 | anyone else. Environment processing is disabled by default and | ||
469 | is controlled via the PermitUserEnvironment option. | ||
470 | |||
471 | ~/.ssh/known_hosts | ||
472 | Contains a list of host keys for all hosts the user has logged | ||
473 | into that are not already in the systemwide list of known host | ||
474 | keys. The format of this file is described above. This file | ||
475 | should be writable only by root/the owner and can, but need not | ||
476 | be, world-readable. | ||
477 | |||
478 | ~/.ssh/rc | ||
479 | Contains initialization routines to be run before the user's home | ||
480 | directory becomes accessible. This file should be writable only | ||
481 | by the user, and need not be readable by anyone else. | ||
482 | |||
483 | /etc/hosts.allow | ||
484 | /etc/hosts.deny | ||
485 | Access controls that should be enforced by tcp-wrappers are de- | ||
486 | fined here. Further details are described in hosts_access(5). | ||
487 | |||
488 | /etc/hosts.equiv | ||
489 | This file is for host-based authentication (see ssh(1)). It | ||
490 | should only be writable by root. | ||
491 | |||
492 | /etc/moduli | ||
493 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | ||
494 | Exchange". The file format is described in moduli(5). | ||
495 | |||
496 | /etc/motd | ||
497 | See motd(5). | ||
498 | |||
499 | /etc/nologin | ||
500 | If this file exists, sshd refuses to let anyone except root log | ||
501 | in. The contents of the file are displayed to anyone trying to | ||
502 | log in, and non-root connections are refused. The file should be | ||
503 | world-readable. | ||
504 | |||
505 | /etc/shosts.equiv | ||
506 | This file is used in exactly the same way as hosts.equiv, but al- | ||
507 | lows host-based authentication without permitting login with | ||
508 | rlogin/rsh. | ||
509 | |||
510 | /etc/ssh/ssh_host_key | ||
511 | /etc/ssh/ssh_host_dsa_key | ||
512 | /etc/ssh/ssh_host_rsa_key | ||
513 | These three files contain the private parts of the host keys. | ||
514 | These files should only be owned by root, readable only by root, | ||
515 | and not accessible to others. Note that sshd does not start if | ||
516 | these files are group/world-accessible. | ||
517 | |||
518 | /etc/ssh/ssh_host_key.pub | ||
519 | /etc/ssh/ssh_host_dsa_key.pub | ||
520 | /etc/ssh/ssh_host_rsa_key.pub | ||
521 | These three files contain the public parts of the host keys. | ||
522 | These files should be world-readable but writable only by root. | ||
523 | Their contents should match the respective private parts. These | ||
524 | files are not really used for anything; they are provided for the | ||
525 | convenience of the user so their contents can be copied to known | ||
526 | hosts files. These files are created using ssh-keygen(1). | ||
527 | |||
528 | /etc/ssh/ssh_known_hosts | ||
529 | Systemwide list of known host keys. This file should be prepared | ||
530 | by the system administrator to contain the public host keys of | ||
531 | all machines in the organization. The format of this file is de- | ||
532 | scribed above. This file should be writable only by root/the | ||
533 | owner and should be world-readable. | ||
534 | |||
535 | /etc/ssh/sshd_config | ||
536 | Contains configuration data for sshd. The file format and con- | ||
537 | figuration options are described in sshd_config(5). | ||
538 | |||
539 | /etc/ssh/sshrc | ||
540 | Similar to ~/.ssh/rc, it can be used to specify machine-specific | ||
541 | login-time initializations globally. This file should be | ||
542 | writable only by root, and should be world-readable. | ||
543 | |||
544 | /var/empty | ||
545 | chroot(2) directory used by sshd during privilege separation in | ||
546 | the pre-authentication phase. The directory should not contain | ||
547 | any files and must be owned by root and not group or world- | ||
548 | writable. | ||
549 | |||
550 | /var/run/sshd.pid | ||
551 | Contains the process ID of the sshd listening for connections (if | ||
552 | there are several daemons running concurrently for different | ||
553 | ports, this contains the process ID of the one started last). | ||
554 | The content of this file is not sensitive; it can be world-read- | ||
555 | able. | ||
556 | |||
557 | SEE ALSO | ||
558 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | ||
559 | ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5), | ||
560 | sshd_config(5), inetd(8), sftp-server(8) | ||
561 | |||
562 | AUTHORS | ||
563 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
564 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
565 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | ||
566 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
567 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
568 | for privilege separation. | ||
569 | |||
570 | CAVEATS | ||
571 | System security is not improved unless rshd, rlogind, and rexecd are dis- | ||
572 | abled (thus completely disabling rlogin and rsh into the machine). | ||
573 | |||
574 | OpenBSD 4.6 March 26, 2009 9 | ||
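Review bot: sshd.0 is the preformatted render of sshd.8, not a source file (the header reads `SSHD(8) OpenBSD System Manager's Manual SSHD(8)` and the footer `OpenBSD 4.6 March 26, 2009`), so it will silently drift from any Debian-specific changes made to sshd.8 and it carries OpenBSD-specific statements verbatim, such as `It is normally started at boot from /etc/rc.` under DESCRIPTION and the `/etc/hosts.allow`/`/var/empty` entries under FILES; either regenerate it from sshd.8 at build time or have the package install the roff source rather than this rendered copy. The same drift concern applies to the security defaults the text asserts, notably `Both protocols are supported by default` under AUTHENTICATION and the protocol 1 server key of `normally 768 bits`; these should be checked against the sshd_config the package actually ships so that the installed manual does not describe a weaker default than the one in effect.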