| author | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:52 +0000 |
| commit | 971a7653746a6972b907dfe0ce139c06e4a6f482 (patch) | |
| tree | 70fb964265d57ae4967be55b75dbb2a122e9b969 /sshd.0 | |
| parent | a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff) | |
| parent | 4a354fc231174901f2629437c2a6e924a2dd6772 (diff) | |
Import openssh_7.4p1.orig.tar.gz
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 151 |
1 files changed, 56 insertions, 95 deletions
@@ -4,10 +4,9 @@ NAME | |||
4 | sshd M-bM-^@M-^S OpenSSH SSH daemon | 4 | sshd M-bM-^@M-^S OpenSSH SSH daemon |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | sshd [-46DdeiqTt] [-b bits] [-C connection_spec] | 7 | sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file] |
8 | [-c host_certificate_file] [-E log_file] [-f config_file] | 8 | [-E log_file] [-f config_file] [-g login_grace_time] |
9 | [-g login_grace_time] [-h host_key_file] [-k key_gen_time] | 9 | [-h host_key_file] [-o option] [-p port] [-u len] |
10 | [-o option] [-p port] [-u len] | ||
11 | 10 | ||
12 | DESCRIPTION | 11 | DESCRIPTION |
13 | sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these | 12 | sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these |
@@ -31,10 +30,6 @@ DESCRIPTION | |||
31 | 30 | ||
32 | -6 Forces sshd to use IPv6 addresses only. | 31 | -6 Forces sshd to use IPv6 addresses only. |
33 | 32 | ||
34 | -b bits | ||
35 | Specifies the number of bits in the ephemeral protocol version 1 | ||
36 | server key (default 1024). | ||
37 | |||
38 | -C connection_spec | 33 | -C connection_spec |
39 | Specify the connection parameters to use for the -T extended test | 34 | Specify the connection parameters to use for the -T extended test |
40 | mode. If provided, any Match directives in the configuration | 35 | mode. If provided, any Match directives in the configuration |
@@ -80,28 +75,12 @@ DESCRIPTION | |||
80 | Specifies a file from which a host key is read. This option must | 75 | Specifies a file from which a host key is read. This option must |
81 | be given if sshd is not run as root (as the normal host key files | 76 | be given if sshd is not run as root (as the normal host key files |
82 | are normally not readable by anyone but root). The default is | 77 | are normally not readable by anyone but root). The default is |
83 | /etc/ssh/ssh_host_key for protocol version 1, and | 78 | /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, |
84 | /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key. | 79 | /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. It |
85 | /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for | 80 | is possible to have multiple host key files for the different |
86 | protocol version 2. It is possible to have multiple host key | 81 | host key algorithms. |
87 | files for the different protocol versions and host key | 82 | |
88 | algorithms. | 83 | -i Specifies that sshd is being run from inetd(8). |
89 | |||
90 | -i Specifies that sshd is being run from inetd(8). If SSH protocol | ||
91 | 1 is enabled, sshd should not normally be run from inetd because | ||
92 | it needs to generate the server key before it can respond to the | ||
93 | client, and this may take some time. Clients may have to wait | ||
94 | too long if the key was regenerated every time. | ||
95 | |||
96 | -k key_gen_time | ||
97 | Specifies how often the ephemeral protocol version 1 server key | ||
98 | is regenerated (default 3600 seconds, or one hour). The | ||
99 | motivation for regenerating the key fairly often is that the key | ||
100 | is not stored anywhere, and after about an hour it becomes | ||
101 | impossible to recover the key for decrypting intercepted | ||
102 | communications even if the machine is cracked into or physically | ||
103 | seized. A value of zero indicates that the key will never be | ||
104 | regenerated. | ||
105 | 84 | ||
106 | -o option | 85 | -o option |
107 | Can be used to give options in the format used in the | 86 | Can be used to give options in the format used in the |
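Review bot: the -h default list at new lines 78-79 still opens with /etc/ssh/ssh_host_dsa_key even though the entry now talks only about "the different host key algorithms"; if the DSA host key is not among the algorithms the daemon advertises by default, a reader generating keys from this list will create one that is never offered. Suggest ordering the list by what is enabled by default, or adding that each listed file is used only if present. The shortened -i text at new line 83 is fine: the old warning about server-key generation delay only applied to protocol 1.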
@@ -138,33 +117,17 @@ DESCRIPTION | |||
138 | into the utmp file. -u0 may also be used to prevent sshd from | 117 | into the utmp file. -u0 may also be used to prevent sshd from |
139 | making DNS requests unless the authentication mechanism or | 118 | making DNS requests unless the authentication mechanism or |
140 | configuration requires it. Authentication mechanisms that may | 119 | configuration requires it. Authentication mechanisms that may |
141 | require DNS include RhostsRSAAuthentication, | 120 | require DNS include HostbasedAuthentication and using a |
142 | HostbasedAuthentication, and using a from="pattern-list" option | 121 | from="pattern-list" option in a key file. Configuration options |
143 | in a key file. Configuration options that require DNS include | 122 | that require DNS include using a USER@HOST pattern in AllowUsers |
144 | using a USER@HOST pattern in AllowUsers or DenyUsers. | 123 | or DenyUsers. |
145 | 124 | ||
146 | AUTHENTICATION | 125 | AUTHENTICATION |
147 | The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to | 126 | The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a |
148 | use protocol 2 only, though this can be changed via the Protocol option | 127 | host-specific key, used to identify the host. Whenever a client |
149 | in sshd_config(5). Protocol 1 should not be used and is only offered to | 128 | connects, the daemon responds with its public host key. The client |
150 | support legacy devices. | 129 | compares the host key against its own database to verify that it has not |
151 | 130 | changed. Forward security is provided through a Diffie-Hellman key | |
152 | Each host has a host-specific key, used to identify the host. Partial | ||
153 | forward security for protocol 1 is provided through an additional server | ||
154 | key, normally 1024 bits, generated when the server starts. This key is | ||
155 | normally regenerated every hour if it has been used, and is never stored | ||
156 | on disk. Whenever a client connects, the daemon responds with its public | ||
157 | host and server keys. The client compares the RSA host key against its | ||
158 | own database to verify that it has not changed. The client then | ||
159 | generates a 256-bit random number. It encrypts this random number using | ||
160 | both the host key and the server key, and sends the encrypted number to | ||
161 | the server. Both sides then use this random number as a session key | ||
162 | which is used to encrypt all further communications in the session. The | ||
163 | rest of the session is encrypted using a conventional cipher, currently | ||
164 | Blowfish or 3DES, with 3DES being used by default. The client selects | ||
165 | the encryption algorithm to use from those offered by the server. | ||
166 | |||
167 | For protocol 2, forward security is provided through a Diffie-Hellman key | ||
168 | agreement. This key agreement results in a shared session key. The rest | 131 | agreement. This key agreement results in a shared session key. The rest |
169 | of the session is encrypted using a symmetric cipher, currently 128-bit | 132 | of the session is encrypted using a symmetric cipher, currently 128-bit |
170 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The | 133 | AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The |
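Review bot: the first sentence now says protocol 2 only, but the cipher list at new lines 132-133 ("128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES") was carried over verbatim from the old protocol-2 paragraph. With the protocol-1 text gone, readers will take this list as the set sshd enables by default; it should be checked against the Ciphers default in sshd_config(5) and either trimmed to what is actually enabled or reworded to point at the Ciphers option. Removing the old description of the protocol-1 exchange (a client-chosen session key encrypted to the host and server keys) is the right call; that design is why the ephemeral server key and its hourly regeneration existed at all.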
@@ -271,27 +234,20 @@ AUTHORIZED_KEYS FILE FORMAT | |||
271 | key authentication; if this option is not specified, the default is | 234 | key authentication; if this option is not specified, the default is |
272 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the | 235 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the |
273 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are | 236 | file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are |
274 | ignored as comments). Protocol 1 public keys consist of the following | 237 | ignored as comments). Public keys consist of the following space- |
275 | space-separated fields: options, bits, exponent, modulus, comment. | 238 | separated fields: options, keytype, base64-encoded key, comment. The |
276 | Protocol 2 public key consist of: options, keytype, base64-encoded key, | 239 | options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], |
277 | comment. The options field is optional; its presence is determined by | ||
278 | whether the line starts with a number or not (the options field never | ||
279 | starts with a number). The bits, exponent, modulus, and comment fields | ||
280 | give the RSA key for protocol version 1; the comment field is not used | ||
281 | for anything (but may be convenient for the user to identify the key). | ||
282 | For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^], | ||
283 | M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or | 240 | M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or |
284 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. | 241 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be |
242 | convenient for the user to identify the key). | ||
285 | 243 | ||
286 | Note that lines in this file are usually several hundred bytes long | 244 | Note that lines in this file can be several hundred bytes long (because |
287 | (because of the size of the public key encoding) up to a limit of 8 | 245 | of the size of the public key encoding) up to a limit of 8 kilobytes, |
288 | kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 | 246 | which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. |
289 | kilobits. You don't want to type them in; instead, copy the | 247 | You don't want to type them in; instead, copy the id_dsa.pub, |
290 | identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub | 248 | id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it. |
291 | file and edit it. | ||
292 | 249 | ||
293 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | 250 | sshd enforces a minimum RSA key modulus size of 768 bits. |
294 | 2 keys of 768 bits. | ||
295 | 251 | ||
296 | The options (if present) consist of comma-separated option | 252 | The options (if present) consist of comma-separated option |
297 | specifications. No spaces are permitted, except within double quotes. | 253 | specifications. No spaces are permitted, except within double quotes. |
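Review bot: "The options field is optional" at new line 239 drops the only explanation of how an options field is told apart from a keytype (the old "whether the line starts with a number" test at old lines 277-279 only worked for protocol-1 lines). Suggest replacing it with a sentence stating how a line with leading options is distinguished from one without, since the file format is parsed by other tools besides sshd. Separately, the 768-bit minimum RSA modulus at new line 250 was kept verbatim from the old text; worth confirming it still matches the minimum the daemon enforces before restating it as a single number.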
@@ -318,16 +274,23 @@ AUTHORIZED_KEYS FILE FORMAT | |||
318 | pty; otherwise it is run without a tty. If an 8-bit clean | 274 | pty; otherwise it is run without a tty. If an 8-bit clean |
319 | channel is required, one must not request a pty or should specify | 275 | channel is required, one must not request a pty or should specify |
320 | no-pty. A quote may be included in the command by quoting it | 276 | no-pty. A quote may be included in the command by quoting it |
321 | with a backslash. This option might be useful to restrict | 277 | with a backslash. |
322 | certain public keys to perform just a specific operation. An | 278 | |
323 | example might be a key that permits remote backups but nothing | 279 | This option might be useful to restrict certain public keys to |
324 | else. Note that the client may specify TCP and/or X11 forwarding | 280 | perform just a specific operation. An example might be a key |
325 | unless they are explicitly prohibited. The command originally | 281 | that permits remote backups but nothing else. Note that the |
326 | supplied by the client is available in the SSH_ORIGINAL_COMMAND | 282 | client may specify TCP and/or X11 forwarding unless they are |
327 | environment variable. Note that this option applies to shell, | 283 | explicitly prohibited, e.g. using the restrict key option. |
328 | command or subsystem execution. Also note that this command may | 284 | |
329 | be superseded by either a sshd_config(5) ForceCommand directive | 285 | The command originally supplied by the client is available in the |
330 | or a command embedded in a certificate. | 286 | SSH_ORIGINAL_COMMAND environment variable. Note that this option |
287 | applies to shell, command or subsystem execution. Also note that | ||
288 | this command may be superseded by a sshd_config(5) ForceCommand | ||
289 | directive. | ||
290 | |||
291 | If a command is specified and a forced-command is embedded in a | ||
292 | certificate used for authentication, then the certificate will be | ||
293 | accepted only if the two commands are identical. | ||
331 | 294 | ||
332 | environment="NAME=value" | 295 | environment="NAME=value" |
333 | Specifies that the string is to be added to the environment when | 296 | Specifies that the string is to be added to the environment when |
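Review bot: the new paragraph at new lines 291-293 (certificate accepted only if its embedded forced command and the key's command= are identical) describes stricter semantics than the old "may be superseded by ... a command embedded in a certificate" at old lines 328-330. That is the safer rule, since neither the key owner nor the CA can silently widen what the other restricted, but the sshd_config(5) ForceCommand entry should state the same precedence so the three sources (ForceCommand, certificate, key option) are documented consistently. The "e.g. using the restrict key option" pointer at new line 283 is a good addition; suggest also naming the individual no-port-forwarding and no-X11-forwarding options for readers maintaining older key files.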
@@ -335,7 +298,6 @@ AUTHORIZED_KEYS FILE FORMAT | |||
335 | override other default environment values. Multiple options of | 298 | override other default environment values. Multiple options of |
336 | this type are permitted. Environment processing is disabled by | 299 | this type are permitted. Environment processing is disabled by |
337 | default and is controlled via the PermitUserEnvironment option. | 300 | default and is controlled via the PermitUserEnvironment option. |
338 | This option is automatically disabled if UseLogin is enabled. | ||
339 | 301 | ||
340 | from="pattern-list" | 302 | from="pattern-list" |
341 | Specifies that in addition to public key authentication, either | 303 | Specifies that in addition to public key authentication, either |
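Review bot: with the UseLogin sentence gone, environment= is now governed solely by PermitUserEnvironment (new line 300); check that the UseLogin entry is removed from sshd_config(5) in the same import so no stale cross-reference remains.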
@@ -440,8 +402,8 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
440 | is added to the per-user file. | 402 | is added to the per-user file. |
441 | 403 | ||
442 | Each line in these files contains the following fields: markers | 404 | Each line in these files contains the following fields: markers |
443 | (optional), hostnames, bits, exponent, modulus, comment. The fields are | 405 | (optional), hostnames, keytype, base64-encoded key, comment. The fields |
444 | separated by spaces. | 406 | are separated by spaces. |
445 | 407 | ||
446 | The marker is optional, but if it is present then it must be one of | 408 | The marker is optional, but if it is present then it must be one of |
447 | M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification | 409 | M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification |
@@ -464,9 +426,10 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
464 | appear on a single line and none of the above negation or wildcard | 426 | appear on a single line and none of the above negation or wildcard |
465 | operators may be applied. | 427 | operators may be applied. |
466 | 428 | ||
467 | Bits, exponent, and modulus are taken directly from the RSA host key; | 429 | The keytype and base64-encoded key are taken directly from the host key; |
468 | they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The | 430 | they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub. |
469 | optional comment field continues to the end of the line, and is not used. | 431 | The optional comment field continues to the end of the line, and is not |
432 | used. | ||
470 | 433 | ||
471 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. | 434 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. |
472 | 435 | ||
@@ -493,9 +456,9 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
493 | 456 | ||
494 | Note that the lines in these files are typically hundreds of characters | 457 | Note that the lines in these files are typically hundreds of characters |
495 | long, and you definitely don't want to type in the host keys by hand. | 458 | long, and you definitely don't want to type in the host keys by hand. |
496 | Rather, generate them by a script, ssh-keyscan(1) or by taking | 459 | Rather, generate them by a script, ssh-keyscan(1) or by taking, for |
497 | /etc/ssh/ssh_host_key.pub and adding the host names at the front. | 460 | example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the |
498 | ssh-keygen(1) also offers some basic automated editing for | 461 | front. ssh-keygen(1) also offers some basic automated editing for |
499 | ~/.ssh/known_hosts including removing hosts matching a host name and | 462 | ~/.ssh/known_hosts including removing hosts matching a host name and |
500 | converting all host names to their hashed representations. | 463 | converting all host names to their hashed representations. |
501 | 464 | ||
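Review bot: new lines 459-461 still present ssh-keyscan(1) and copying /etc/ssh/ssh_host_rsa_key.pub as interchangeable ways to populate known_hosts, but they are not equivalent as trust anchors: the .pub file taken from the host itself is authoritative, whereas ssh-keyscan records whatever answered on the network at that moment. Suggest a clause that keys gathered with ssh-keyscan be compared against the host's fingerprint out of band before they are added.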
@@ -598,7 +561,6 @@ FILES | |||
598 | allows host-based authentication without permitting login with | 561 | allows host-based authentication without permitting login with |
599 | rlogin/rsh. | 562 | rlogin/rsh. |
600 | 563 | ||
601 | /etc/ssh/ssh_host_key | ||
602 | /etc/ssh/ssh_host_dsa_key | 564 | /etc/ssh/ssh_host_dsa_key |
603 | /etc/ssh/ssh_host_ecdsa_key | 565 | /etc/ssh/ssh_host_ecdsa_key |
604 | /etc/ssh/ssh_host_ed25519_key | 566 | /etc/ssh/ssh_host_ed25519_key |
@@ -608,7 +570,6 @@ FILES | |||
608 | not accessible to others. Note that sshd does not start if these | 570 | not accessible to others. Note that sshd does not start if these |
609 | files are group/world-accessible. | 571 | files are group/world-accessible. |
610 | 572 | ||
611 | /etc/ssh/ssh_host_key.pub | ||
612 | /etc/ssh/ssh_host_dsa_key.pub | 573 | /etc/ssh/ssh_host_dsa_key.pub |
613 | /etc/ssh/ssh_host_ecdsa_key.pub | 574 | /etc/ssh/ssh_host_ecdsa_key.pub |
614 | /etc/ssh/ssh_host_ed25519_key.pub | 575 | /etc/ssh/ssh_host_ed25519_key.pub |
@@ -662,4 +623,4 @@ AUTHORS | |||
662 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 623 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
663 | for privilege separation. | 624 | for privilege separation. |
664 | 625 | ||
665 | OpenBSD 6.0 February 17, 2016 OpenBSD 6.0 | 626 | OpenBSD 6.0 November 30, 2016 OpenBSD 6.0 |