author Colin Watson <cjwatson@debian.org> 2016-12-20 00:22:52 +0000
committer Colin Watson <cjwatson@debian.org> 2016-12-20 00:22:52 +0000
commit 971a7653746a6972b907dfe0ce139c06e4a6f482 (patch)
tree 70fb964265d57ae4967be55b75dbb2a122e9b969 /sshd.0
parent a8ed8d256b2e2c05b0c15565a7938028c5192277 (diff)
parent 4a354fc231174901f2629437c2a6e924a2dd6772 (diff)
Import openssh_7.4p1.orig.tar.gz
Diffstat (limited to 'sshd.0')
-rw-r--r-- sshd.0 151
1 files changed, 56 insertions, 95 deletions
diff --git a/sshd.0 b/sshd.0
index 0f7db5fc3..089244c93 100644
--- a/sshd.0
+++ b/sshd.0
@@ -4,10 +4,9 @@ NAME
4 sshd M-bM-^@M-^S OpenSSH SSH daemon 4 sshd M-bM-^@M-^S OpenSSH SSH daemon
5 5
6SYNOPSIS 6SYNOPSIS
7 sshd [-46DdeiqTt] [-b bits] [-C connection_spec] 7 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
8 [-c host_certificate_file] [-E log_file] [-f config_file] 8 [-E log_file] [-f config_file] [-g login_grace_time]
9 [-g login_grace_time] [-h host_key_file] [-k key_gen_time] 9 [-h host_key_file] [-o option] [-p port] [-u len]
10 [-o option] [-p port] [-u len]
11 10
12DESCRIPTION 11DESCRIPTION
13 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these 12 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
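Review bot: -b bits and -k key_gen_time are dropped from the SYNOPSIS in this hunk, which is only correct if their description entries go too; the later hunks of this file do remove both, so the page stays internally consistent. Worth applying the same check to the daemon's own usage output, since a SYNOPSIS that diverges from it is the usual way a removed option lingers in documentation.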
@@ -31,10 +30,6 @@ DESCRIPTION
31 30
32 -6 Forces sshd to use IPv6 addresses only. 31 -6 Forces sshd to use IPv6 addresses only.
33 32
34 -b bits
35 Specifies the number of bits in the ephemeral protocol version 1
36 server key (default 1024).
37
38 -C connection_spec 33 -C connection_spec
39 Specify the connection parameters to use for the -T extended test 34 Specify the connection parameters to use for the -T extended test
40 mode. If provided, any Match directives in the configuration 35 mode. If provided, any Match directives in the configuration
@@ -80,28 +75,12 @@ DESCRIPTION
80 Specifies a file from which a host key is read. This option must 75 Specifies a file from which a host key is read. This option must
81 be given if sshd is not run as root (as the normal host key files 76 be given if sshd is not run as root (as the normal host key files
82 are normally not readable by anyone but root). The default is 77 are normally not readable by anyone but root). The default is
83 /etc/ssh/ssh_host_key for protocol version 1, and 78 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key,
84 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key. 79 /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key. It
85 /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key for 80 is possible to have multiple host key files for the different
86 protocol version 2. It is possible to have multiple host key 81 host key algorithms.
87 files for the different protocol versions and host key 82
88 algorithms. 83 -i Specifies that sshd is being run from inetd(8).
89
90 -i Specifies that sshd is being run from inetd(8). If SSH protocol
91 1 is enabled, sshd should not normally be run from inetd because
92 it needs to generate the server key before it can respond to the
93 client, and this may take some time. Clients may have to wait
94 too long if the key was regenerated every time.
95
96 -k key_gen_time
97 Specifies how often the ephemeral protocol version 1 server key
98 is regenerated (default 3600 seconds, or one hour). The
99 motivation for regenerating the key fairly often is that the key
100 is not stored anywhere, and after about an hour it becomes
101 impossible to recover the key for decrypting intercepted
102 communications even if the machine is cracked into or physically
103 seized. A value of zero indicates that the key will never be
104 regenerated.
105 84
106 -o option 85 -o option
107 Can be used to give options in the format used in the 86 Can be used to give options in the format used in the
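Review bot: the -i entry is correctly reduced to a single sentence now that no ephemeral server key is generated at start, and the -k text about regenerating that key hourly goes with it. One thing to confirm in the -h default list (lines 77-79): /etc/ssh/ssh_host_dsa_key is still presented as a default alongside ecdsa, ed25519 and rsa; if DSA is no longer generated or loaded by default, that path should be dropped here rather than left as a protocol-1-era remnant.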
@@ -138,33 +117,17 @@ DESCRIPTION
138 into the utmp file. -u0 may also be used to prevent sshd from 117 into the utmp file. -u0 may also be used to prevent sshd from
139 making DNS requests unless the authentication mechanism or 118 making DNS requests unless the authentication mechanism or
140 configuration requires it. Authentication mechanisms that may 119 configuration requires it. Authentication mechanisms that may
141 require DNS include RhostsRSAAuthentication, 120 require DNS include HostbasedAuthentication and using a
142 HostbasedAuthentication, and using a from="pattern-list" option 121 from="pattern-list" option in a key file. Configuration options
143 in a key file. Configuration options that require DNS include 122 that require DNS include using a USER@HOST pattern in AllowUsers
144 using a USER@HOST pattern in AllowUsers or DenyUsers. 123 or DenyUsers.
145 124
146AUTHENTICATION 125AUTHENTICATION
147 The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to 126 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
148 use protocol 2 only, though this can be changed via the Protocol option 127 host-specific key, used to identify the host. Whenever a client
149 in sshd_config(5). Protocol 1 should not be used and is only offered to 128 connects, the daemon responds with its public host key. The client
150 support legacy devices. 129 compares the host key against its own database to verify that it has not
151 130 changed. Forward security is provided through a Diffie-Hellman key
152 Each host has a host-specific key, used to identify the host. Partial
153 forward security for protocol 1 is provided through an additional server
154 key, normally 1024 bits, generated when the server starts. This key is
155 normally regenerated every hour if it has been used, and is never stored
156 on disk. Whenever a client connects, the daemon responds with its public
157 host and server keys. The client compares the RSA host key against its
158 own database to verify that it has not changed. The client then
159 generates a 256-bit random number. It encrypts this random number using
160 both the host key and the server key, and sends the encrypted number to
161 the server. Both sides then use this random number as a session key
162 which is used to encrypt all further communications in the session. The
163 rest of the session is encrypted using a conventional cipher, currently
164 Blowfish or 3DES, with 3DES being used by default. The client selects
165 the encryption algorithm to use from those offered by the server.
166
167 For protocol 2, forward security is provided through a Diffie-Hellman key
168 agreement. This key agreement results in a shared session key. The rest 131 agreement. This key agreement results in a shared session key. The rest
169 of the session is encrypted using a symmetric cipher, currently 128-bit 132 of the session is encrypted using a symmetric cipher, currently 128-bit
170 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The 133 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
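Review bot: the new AUTHENTICATION paragraph states that the daemon supports protocol 2 only, but the unchanged context at lines 132-133 still describes Blowfish, 3DES, CAST128 and Arcfour as ciphers currently used for the session. If those are no longer offered by a default server, the list should be trimmed in the same pass; otherwise the man page overstates what a default configuration negotiates, which matters to anyone auditing a host against its documented cipher set.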
@@ -271,27 +234,20 @@ AUTHORIZED_KEYS FILE FORMAT
271 key authentication; if this option is not specified, the default is 234 key authentication; if this option is not specified, the default is
272 ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the 235 ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
273 file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are 236 file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
274 ignored as comments). Protocol 1 public keys consist of the following 237 ignored as comments). Public keys consist of the following space-
275 space-separated fields: options, bits, exponent, modulus, comment. 238 separated fields: options, keytype, base64-encoded key, comment. The
276 Protocol 2 public key consist of: options, keytype, base64-encoded key, 239 options field is optional. The keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
277 comment. The options field is optional; its presence is determined by
278 whether the line starts with a number or not (the options field never
279 starts with a number). The bits, exponent, modulus, and comment fields
280 give the RSA key for protocol version 1; the comment field is not used
281 for anything (but may be convenient for the user to identify the key).
282 For protocol version 2 the keytype is M-bM-^@M-^\ecdsa-sha2-nistp256M-bM-^@M-^],
283 M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or 240 M-bM-^@M-^\ecdsa-sha2-nistp384M-bM-^@M-^], M-bM-^@M-^\ecdsa-sha2-nistp521M-bM-^@M-^], M-bM-^@M-^\ssh-ed25519M-bM-^@M-^], M-bM-^@M-^\ssh-dssM-bM-^@M-^] or
284 M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. 241 M-bM-^@M-^\ssh-rsaM-bM-^@M-^]; the comment field is not used for anything (but may be
242 convenient for the user to identify the key).
285 243
286 Note that lines in this file are usually several hundred bytes long 244 Note that lines in this file can be several hundred bytes long (because
287 (because of the size of the public key encoding) up to a limit of 8 245 of the size of the public key encoding) up to a limit of 8 kilobytes,
288 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 246 which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits.
289 kilobits. You don't want to type them in; instead, copy the 247 You don't want to type them in; instead, copy the id_dsa.pub,
290 identity.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub 248 id_ecdsa.pub, id_ed25519.pub, or the id_rsa.pub file and edit it.
291 file and edit it.
292 249
293 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 250 sshd enforces a minimum RSA key modulus size of 768 bits.
294 2 keys of 768 bits.
295 251
296 The options (if present) consist of comma-separated option 252 The options (if present) consist of comma-separated option
297 specifications. No spaces are permitted, except within double quotes. 253 specifications. No spaces are permitted, except within double quotes.
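Review bot: the removed text (old lines 277-279) was the only statement of how the optional options field is told apart from the rest of the line ("the options field never starts with a number"); the replacement at line 239 just says "The options field is optional" and gives no rule. Suggest a short clause stating how presence is detected now that bits/exponent/modulus lines are gone, e.g. "its presence is determined by whether the line begins with a recognised keytype", so a reader writing or validating authorized_keys entries knows where the key starts. The tightened sentence "sshd enforces a minimum RSA key modulus size of 768 bits" (line 250) reads well.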
@@ -318,16 +274,23 @@ AUTHORIZED_KEYS FILE FORMAT
318 pty; otherwise it is run without a tty. If an 8-bit clean 274 pty; otherwise it is run without a tty. If an 8-bit clean
319 channel is required, one must not request a pty or should specify 275 channel is required, one must not request a pty or should specify
320 no-pty. A quote may be included in the command by quoting it 276 no-pty. A quote may be included in the command by quoting it
321 with a backslash. This option might be useful to restrict 277 with a backslash.
322 certain public keys to perform just a specific operation. An 278
323 example might be a key that permits remote backups but nothing 279 This option might be useful to restrict certain public keys to
324 else. Note that the client may specify TCP and/or X11 forwarding 280 perform just a specific operation. An example might be a key
325 unless they are explicitly prohibited. The command originally 281 that permits remote backups but nothing else. Note that the
326 supplied by the client is available in the SSH_ORIGINAL_COMMAND 282 client may specify TCP and/or X11 forwarding unless they are
327 environment variable. Note that this option applies to shell, 283 explicitly prohibited, e.g. using the restrict key option.
328 command or subsystem execution. Also note that this command may 284
329 be superseded by either a sshd_config(5) ForceCommand directive 285 The command originally supplied by the client is available in the
330 or a command embedded in a certificate. 286 SSH_ORIGINAL_COMMAND environment variable. Note that this option
287 applies to shell, command or subsystem execution. Also note that
288 this command may be superseded by a sshd_config(5) ForceCommand
289 directive.
290
291 If a command is specified and a forced-command is embedded in a
292 certificate used for authentication, then the certificate will be
293 accepted only if the two commands are identical.
331 294
332 environment="NAME=value" 295 environment="NAME=value"
333 Specifies that the string is to be added to the environment when 296 Specifies that the string is to be added to the environment when
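Review bot: the new paragraph at lines 291-293 replaces "may be superseded by ... a command embedded in a certificate" with a stricter rule that the certificate is accepted only if the two commands are identical. That is a behaviour statement rather than a wording change, so it should be cross-checked against the certificate authentication path and the ForceCommand text in sshd_config(5); stating explicitly that a mismatch rejects the authentication would remove any doubt. The added "e.g. using the restrict key option" pointer at line 283 is helpful, provided restrict is documented in this same option list.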
@@ -335,7 +298,6 @@ AUTHORIZED_KEYS FILE FORMAT
335 override other default environment values. Multiple options of 298 override other default environment values. Multiple options of
336 this type are permitted. Environment processing is disabled by 299 this type are permitted. Environment processing is disabled by
337 default and is controlled via the PermitUserEnvironment option. 300 default and is controlled via the PermitUserEnvironment option.
338 This option is automatically disabled if UseLogin is enabled.
339 301
340 from="pattern-list" 302 from="pattern-list"
341 Specifies that in addition to public key authentication, either 303 Specifies that in addition to public key authentication, either
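Review bot: dropping "This option is automatically disabled if UseLogin is enabled" is right only if UseLogin is gone from sshd_config(5) in the same import; grep that page so no dangling reference to a removed directive remains, since environment= processing is one of the options administrators check when auditing which keys can inject variables.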
@@ -440,8 +402,8 @@ SSH_KNOWN_HOSTS FILE FORMAT
440 is added to the per-user file. 402 is added to the per-user file.
441 403
442 Each line in these files contains the following fields: markers 404 Each line in these files contains the following fields: markers
443 (optional), hostnames, bits, exponent, modulus, comment. The fields are 405 (optional), hostnames, keytype, base64-encoded key, comment. The fields
444 separated by spaces. 406 are separated by spaces.
445 407
446 The marker is optional, but if it is present then it must be one of 408 The marker is optional, but if it is present then it must be one of
447 M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification 409 M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification
@@ -464,9 +426,10 @@ SSH_KNOWN_HOSTS FILE FORMAT
464 appear on a single line and none of the above negation or wildcard 426 appear on a single line and none of the above negation or wildcard
465 operators may be applied. 427 operators may be applied.
466 428
467 Bits, exponent, and modulus are taken directly from the RSA host key; 429 The keytype and base64-encoded key are taken directly from the host key;
468 they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The 430 they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub.
469 optional comment field continues to the end of the line, and is not used. 431 The optional comment field continues to the end of the line, and is not
432 used.
470 433
471 Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. 434 Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
472 435
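Review bot: the example path moves from /etc/ssh/ssh_host_key.pub to /etc/ssh/ssh_host_rsa_key.pub, which is the right fix for the removed protocol 1 file. Minor: since this file lists ssh_host_ed25519_key among the defaults, citing ssh_host_ed25519_key.pub here (and in the matching sentence in the next hunk) would point readers at the current recommended key type rather than the oldest one.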
@@ -493,9 +456,9 @@ SSH_KNOWN_HOSTS FILE FORMAT
493 456
494 Note that the lines in these files are typically hundreds of characters 457 Note that the lines in these files are typically hundreds of characters
495 long, and you definitely don't want to type in the host keys by hand. 458 long, and you definitely don't want to type in the host keys by hand.
496 Rather, generate them by a script, ssh-keyscan(1) or by taking 459 Rather, generate them by a script, ssh-keyscan(1) or by taking, for
497 /etc/ssh/ssh_host_key.pub and adding the host names at the front. 460 example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
498 ssh-keygen(1) also offers some basic automated editing for 461 front. ssh-keygen(1) also offers some basic automated editing for
499 ~/.ssh/known_hosts including removing hosts matching a host name and 462 ~/.ssh/known_hosts including removing hosts matching a host name and
500 converting all host names to their hashed representations. 463 converting all host names to their hashed representations.
501 464
@@ -598,7 +561,6 @@ FILES
598 allows host-based authentication without permitting login with 561 allows host-based authentication without permitting login with
599 rlogin/rsh. 562 rlogin/rsh.
600 563
601 /etc/ssh/ssh_host_key
602 /etc/ssh/ssh_host_dsa_key 564 /etc/ssh/ssh_host_dsa_key
603 /etc/ssh/ssh_host_ecdsa_key 565 /etc/ssh/ssh_host_ecdsa_key
604 /etc/ssh/ssh_host_ed25519_key 566 /etc/ssh/ssh_host_ed25519_key
@@ -608,7 +570,6 @@ FILES
608 not accessible to others. Note that sshd does not start if these 570 not accessible to others. Note that sshd does not start if these
609 files are group/world-accessible. 571 files are group/world-accessible.
610 572
611 /etc/ssh/ssh_host_key.pub
612 /etc/ssh/ssh_host_dsa_key.pub 573 /etc/ssh/ssh_host_dsa_key.pub
613 /etc/ssh/ssh_host_ecdsa_key.pub 574 /etc/ssh/ssh_host_ecdsa_key.pub
614 /etc/ssh/ssh_host_ed25519_key.pub 575 /etc/ssh/ssh_host_ed25519_key.pub
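Review bot: both FILES hunks remove the ssh_host_key and ssh_host_key.pub entries, matching the -h default list earlier in the patch. The surrounding note that sshd refuses to start when the private key files are group/world-accessible (lines 570-571) still covers the remaining four files and needs no change.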
@@ -662,4 +623,4 @@ AUTHORS
662 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support 623 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
663 for privilege separation. 624 for privilege separation.
664 625
665OpenBSD 6.0 February 17, 2016 OpenBSD 6.0 626OpenBSD 6.0 November 30, 2016 OpenBSD 6.0