| author | Colin Watson <cjwatson@debian.org> | 2005-05-30 21:44:32 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2005-05-30 21:44:32 +0000 |
| commit | a55bd782aa819b7f5ae716de000f19f4f531850e (patch) | |
| tree | 12638b19bc0ed9c8d48541d460693ab0fbb58e89 /sshd.0 | |
| parent | fe9489f7e522f780f3fa5c2f28208124d193398c (diff) | |
| parent | 5d05471f6657646d1d6500c7c43134462c407ee6 (diff) | |
Import OpenSSH 4.1p1.
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 576 |
1 files changed, 576 insertions, 0 deletions
@@ -0,0 +1,576 @@ | |||
1 | SSHD(8) OpenBSD System Manager's Manual SSHD(8) | ||
2 | |||
3 | NAME | ||
4 | sshd - OpenSSH SSH daemon | ||
5 | |||
6 | SYNOPSIS | ||
7 | sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time] | ||
8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] | ||
9 | |||
10 | DESCRIPTION | ||
11 | sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- | ||
12 | grams replace rlogin and rsh, and provide secure encrypted communications | ||
13 | between two untrusted hosts over an insecure network. The programs are | ||
14 | intended to be as easy to install and use as possible. | ||
15 | |||
16 | sshd is the daemon that listens for connections from clients. It is nor- | ||
17 | mally started at boot from /etc/rc. It forks a new daemon for each in- | ||
18 | coming connection. The forked daemons handle key exchange, encryption, | ||
19 | authentication, command execution, and data exchange. This implementa- | ||
20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. | ||
21 | sshd works as follows: | ||
22 | |||
23 | SSH protocol version 1 | ||
24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | ||
25 | tify the host. Additionally, when the daemon starts, it generates a | ||
26 | server RSA key (normally 768 bits). This key is normally regenerated ev- | ||
27 | ery hour if it has been used, and is never stored on disk. | ||
28 | |||
29 | Whenever a client connects, the daemon responds with its public host and | ||
30 | server keys. The client compares the RSA host key against its own | ||
31 | database to verify that it has not changed. The client then generates a | ||
32 | 256-bit random number. It encrypts this random number using both the | ||
33 | host key and the server key, and sends the encrypted number to the serv- | ||
34 | er. Both sides then use this random number as a session key which is | ||
35 | used to encrypt all further communications in the session. The rest of | ||
36 | the session is encrypted using a conventional cipher, currently Blowfish | ||
37 | or 3DES, with 3DES being used by default. The client selects the encryp- | ||
38 | tion algorithm to use from those offered by the server. | ||
39 | |||
40 | Next, the server and the client enter an authentication dialog. The | ||
41 | client tries to authenticate itself using .rhosts authentication combined | ||
42 | with RSA host authentication, RSA challenge-response authentication, or | ||
43 | password based authentication. | ||
44 | |||
45 | Regardless of the authentication type, the account is checked to ensure | ||
46 | that it is accessible. An account is not accessible if it is locked, | ||
47 | listed in DenyUsers or its group is listed in DenyGroups . The defini- | ||
48 | tion of a locked account is system dependant. Some platforms have their | ||
49 | own account database (eg AIX) and some modify the passwd field ( `*LK*' | ||
50 | on Solaris, `*' on HP-UX, containing `Nologin' on Tru64 and a leading | ||
51 | `!!' on Linux). If there is a requirement to disable password authenti- | ||
52 | cation for the account while allowing still public-key, then the passwd | ||
53 | field should be set to something other than these values (eg `NP' or | ||
54 | `*NP*' ). | ||
55 | |||
56 | rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin | ||
57 | and rsh into the machine). | ||
58 | |||
59 | SSH protocol version 2 | ||
60 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | ||
61 | used to identify the host. However, when the daemon starts, it does not | ||
62 | generate a server key. Forward security is provided through a Diffie- | ||
63 | Hellman key agreement. This key agreement results in a shared session | ||
64 | key. | ||
65 | |||
66 | The rest of the session is encrypted using a symmetric cipher, currently | ||
67 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit | ||
68 | AES. The client selects the encryption algorithm to use from those of- | ||
69 | fered by the server. Additionally, session integrity is provided through | ||
70 | a cryptographic message authentication code (hmac-sha1 or hmac-md5). | ||
71 | |||
72 | Protocol version 2 provides a public key based user (PubkeyAuthentica- | ||
73 | tion) or client host (HostbasedAuthentication) authentication method, | ||
74 | conventional password authentication and challenge response based meth- | ||
75 | ods. | ||
76 | |||
77 | Command execution and data forwarding | ||
78 | If the client successfully authenticates itself, a dialog for preparing | ||
79 | the session is entered. At this time the client may request things like | ||
80 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP | ||
81 | connections, or forwarding the authentication agent connection over the | ||
82 | secure channel. | ||
83 | |||
84 | Finally, the client either requests a shell or execution of a command. | ||
85 | The sides then enter session mode. In this mode, either side may send | ||
86 | data at any time, and such data is forwarded to/from the shell or command | ||
87 | on the server side, and the user terminal in the client side. | ||
88 | |||
89 | When the user program terminates and all forwarded X11 and other connec- | ||
90 | tions have been closed, the server sends command exit status to the | ||
91 | client, and both sides exit. | ||
92 | |||
93 | sshd can be configured using command-line options or a configuration file | ||
94 | (by default sshd_config(5)). Command-line options override values speci- | ||
95 | fied in the configuration file. | ||
96 | |||
97 | sshd rereads its configuration file when it receives a hangup signal, | ||
98 | SIGHUP, by executing itself with the name and options it was started | ||
99 | with, e.g., /usr/sbin/sshd. | ||
100 | |||
101 | The options are as follows: | ||
102 | |||
103 | -4 Forces sshd to use IPv4 addresses only. | ||
104 | |||
105 | -6 Forces sshd to use IPv6 addresses only. | ||
106 | |||
107 | -b bits | ||
108 | Specifies the number of bits in the ephemeral protocol version 1 | ||
109 | server key (default 768). | ||
110 | |||
111 | -D When this option is specified, sshd will not detach and does not | ||
112 | become a daemon. This allows easy monitoring of sshd. | ||
113 | |||
114 | -d Debug mode. The server sends verbose debug output to the system | ||
115 | log, and does not put itself in the background. The server also | ||
116 | will not fork and will only process one connection. This option | ||
117 | is only intended for debugging for the server. Multiple -d op- | ||
118 | tions increase the debugging level. Maximum is 3. | ||
119 | |||
120 | -e When this option is specified, sshd will send the output to the | ||
121 | standard error instead of the system log. | ||
122 | |||
123 | -f configuration_file | ||
124 | Specifies the name of the configuration file. The default is | ||
125 | /etc/ssh/sshd_config. sshd refuses to start if there is no con- | ||
126 | figuration file. | ||
127 | |||
128 | -g login_grace_time | ||
129 | Gives the grace time for clients to authenticate themselves (de- | ||
130 | fault 120 seconds). If the client fails to authenticate the user | ||
131 | within this many seconds, the server disconnects and exits. A | ||
132 | value of zero indicates no limit. | ||
133 | |||
134 | -h host_key_file | ||
135 | Specifies a file from which a host key is read. This option must | ||
136 | be given if sshd is not run as root (as the normal host key files | ||
137 | are normally not readable by anyone but root). The default is | ||
138 | /etc/ssh/ssh_host_key for protocol version 1, and | ||
139 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- | ||
140 | tocol version 2. It is possible to have multiple host key files | ||
141 | for the different protocol versions and host key algorithms. | ||
142 | |||
143 | -i Specifies that sshd is being run from inetd(8). sshd is normally | ||
144 | not run from inetd because it needs to generate the server key | ||
145 | before it can respond to the client, and this may take tens of | ||
146 | seconds. Clients would have to wait too long if the key was re- | ||
147 | generated every time. However, with small key sizes (e.g., 512) | ||
148 | using sshd from inetd may be feasible. | ||
149 | |||
150 | -k key_gen_time | ||
151 | Specifies how often the ephemeral protocol version 1 server key | ||
152 | is regenerated (default 3600 seconds, or one hour). The motiva- | ||
153 | tion for regenerating the key fairly often is that the key is not | ||
154 | stored anywhere, and after about an hour it becomes impossible to | ||
155 | recover the key for decrypting intercepted communications even if | ||
156 | the machine is cracked into or physically seized. A value of ze- | ||
157 | ro indicates that the key will never be regenerated. | ||
158 | |||
159 | -o option | ||
160 | Can be used to give options in the format used in the configura- | ||
161 | tion file. This is useful for specifying options for which there | ||
162 | is no separate command-line flag. For full details of the op- | ||
163 | tions, and their values, see sshd_config(5). | ||
164 | |||
165 | -p port | ||
166 | Specifies the port on which the server listens for connections | ||
167 | (default 22). Multiple port options are permitted. Ports speci- | ||
168 | fied in the configuration file are ignored when a command-line | ||
169 | port is specified. | ||
170 | |||
171 | -q Quiet mode. Nothing is sent to the system log. Normally the be- | ||
172 | ginning, authentication, and termination of each connection is | ||
173 | logged. | ||
174 | |||
175 | -t Test mode. Only check the validity of the configuration file and | ||
176 | sanity of the keys. This is useful for updating sshd reliably as | ||
177 | configuration options may change. | ||
178 | |||
179 | -u len This option is used to specify the size of the field in the utmp | ||
180 | structure that holds the remote host name. If the resolved host | ||
181 | name is longer than len, the dotted decimal value will be used | ||
182 | instead. This allows hosts with very long host names that over- | ||
183 | flow this field to still be uniquely identified. Specifying -u0 | ||
184 | indicates that only dotted decimal addresses should be put into | ||
185 | the utmp file. -u0 may also be used to prevent sshd from making | ||
186 | DNS requests unless the authentication mechanism or configuration | ||
187 | requires it. Authentication mechanisms that may require DNS in- | ||
188 | clude RhostsRSAAuthentication, HostbasedAuthentication and using | ||
189 | a from="pattern-list" option in a key file. Configuration op- | ||
190 | tions that require DNS include using a USER@HOST pattern in | ||
191 | AllowUsers or DenyUsers. | ||
192 | |||
193 | CONFIGURATION FILE | ||
194 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | ||
195 | specified with -f on the command line). The file format and configura- | ||
196 | tion options are described in sshd_config(5). | ||
197 | |||
198 | LOGIN PROCESS | ||
199 | When a user successfully logs in, sshd does the following: | ||
200 | |||
201 | 1. If the login is on a tty, and no command has been specified, | ||
202 | prints last login time and /etc/motd (unless prevented in the | ||
203 | configuration file or by $HOME/.hushlogin; see the FILES sec- | ||
204 | tion). | ||
205 | |||
206 | 2. If the login is on a tty, records login time. | ||
207 | |||
208 | 3. Checks /etc/nologin; if it exists, prints contents and quits | ||
209 | (unless root). | ||
210 | |||
211 | 4. Changes to run with normal user privileges. | ||
212 | |||
213 | 5. Sets up basic environment. | ||
214 | |||
215 | 6. Reads the file $HOME/.ssh/environment, if it exists, and users | ||
216 | are allowed to change their environment. See the | ||
217 | PermitUserEnvironment option in sshd_config(5). | ||
218 | |||
219 | 7. Changes to user's home directory. | ||
220 | |||
221 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- | ||
222 | ists, runs it; otherwise runs xauth. The ``rc'' files are | ||
223 | given the X11 authentication protocol and cookie in standard | ||
224 | input. | ||
225 | |||
226 | 9. Runs user's shell or command. | ||
227 | |||
228 | AUTHORIZED_KEYS FILE FORMAT | ||
229 | $HOME/.ssh/authorized_keys is the default file that lists the public keys | ||
230 | that are permitted for RSA authentication in protocol version 1 and for | ||
231 | public key authentication (PubkeyAuthentication) in protocol version 2. | ||
232 | AuthorizedKeysFile may be used to specify an alternative file. | ||
233 | |||
234 | Each line of the file contains one key (empty lines and lines starting | ||
235 | with a `#' are ignored as comments). Each RSA public key consists of the | ||
236 | following fields, separated by spaces: options, bits, exponent, modulus, | ||
237 | comment. Each protocol version 2 public key consists of: options, key- | ||
238 | type, base64 encoded key, comment. The options field is optional; its | ||
239 | presence is determined by whether the line starts with a number or not | ||
240 | (the options field never starts with a number). The bits, exponent, mod- | ||
241 | ulus and comment fields give the RSA key for protocol version 1; the com- | ||
242 | ment field is not used for anything (but may be convenient for the user | ||
243 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' | ||
244 | or ``ssh-rsa''. | ||
245 | |||
246 | Note that lines in this file are usually several hundred bytes long (be- | ||
247 | cause of the size of the public key encoding) up to a limit of 8 kilo- | ||
248 | bytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 | ||
249 | kilobits. You don't want to type them in; instead, copy the | ||
250 | identity.pub, id_dsa.pub or the id_rsa.pub file and edit it. | ||
251 | |||
252 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol | ||
253 | 2 keys of 768 bits. | ||
254 | |||
255 | The options (if present) consist of comma-separated option specifica- | ||
256 | tions. No spaces are permitted, except within double quotes. The fol- | ||
257 | lowing option specifications are supported (note that option keywords are | ||
258 | case-insensitive): | ||
259 | |||
260 | from="pattern-list" | ||
261 | Specifies that in addition to public key authentication, the | ||
262 | canonical name of the remote host must be present in the comma- | ||
263 | separated list of patterns (`*' and `?' serve as wildcards). The | ||
264 | list may also contain patterns negated by prefixing them with | ||
265 | `!'; if the canonical host name matches a negated pattern, the | ||
266 | key is not accepted. The purpose of this option is to optionally | ||
267 | increase security: public key authentication by itself does not | ||
268 | trust the network or name servers or anything (but the key); how- | ||
269 | ever, if somebody somehow steals the key, the key permits an in- | ||
270 | truder to log in from anywhere in the world. This additional op- | ||
271 | tion makes using a stolen key more difficult (name servers and/or | ||
272 | routers would have to be compromised in addition to just the | ||
273 | key). | ||
274 | |||
275 | command="command" | ||
276 | Specifies that the command is executed whenever this key is used | ||
277 | for authentication. The command supplied by the user (if any) is | ||
278 | ignored. The command is run on a pty if the client requests a | ||
279 | pty; otherwise it is run without a tty. If an 8-bit clean chan- | ||
280 | nel is required, one must not request a pty or should specify no- | ||
281 | pty. A quote may be included in the command by quoting it with a | ||
282 | backslash. This option might be useful to restrict certain pub- | ||
283 | lic keys to perform just a specific operation. An example might | ||
284 | be a key that permits remote backups but nothing else. Note that | ||
285 | the client may specify TCP/IP and/or X11 forwarding unless they | ||
286 | are explicitly prohibited. Note that this option applies to | ||
287 | shell, command or subsystem execution. | ||
288 | |||
289 | environment="NAME=value" | ||
290 | Specifies that the string is to be added to the environment when | ||
291 | logging in using this key. Environment variables set this way | ||
292 | override other default environment values. Multiple options of | ||
293 | this type are permitted. Environment processing is disabled by | ||
294 | default and is controlled via the PermitUserEnvironment option. | ||
295 | This option is automatically disabled if UseLogin is enabled. | ||
296 | |||
297 | no-port-forwarding | ||
298 | Forbids TCP/IP forwarding when this key is used for authentica- | ||
299 | tion. Any port forward requests by the client will return an er- | ||
300 | ror. This might be used, e.g., in connection with the command | ||
301 | option. | ||
302 | |||
303 | no-X11-forwarding | ||
304 | Forbids X11 forwarding when this key is used for authentication. | ||
305 | Any X11 forward requests by the client will return an error. | ||
306 | |||
307 | no-agent-forwarding | ||
308 | Forbids authentication agent forwarding when this key is used for | ||
309 | authentication. | ||
310 | |||
311 | no-pty Prevents tty allocation (a request to allocate a pty will fail). | ||
312 | |||
313 | permitopen="host:port" | ||
314 | Limit local ``ssh -L'' port forwarding such that it may only con- | ||
315 | nect to the specified host and port. IPv6 addresses can be spec- | ||
316 | ified with an alternative syntax: host/port. Multiple permitopen | ||
317 | options may be applied separated by commas. No pattern matching | ||
318 | is performed on the specified hostnames, they must be literal do- | ||
319 | mains or addresses. | ||
320 | |||
321 | Examples | ||
322 | 1024 33 12121...312314325 ylo@foo.bar | ||
323 | |||
324 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula | ||
325 | |||
326 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- | ||
327 | up.hut.fi | ||
328 | |||
329 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | ||
330 | |||
331 | SSH_KNOWN_HOSTS FILE FORMAT | ||
332 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain | ||
333 | host public keys for all known hosts. The global file should be prepared | ||
334 | by the administrator (optional), and the per-user file is maintained au- | ||
335 | tomatically: whenever the user connects from an unknown host its key is | ||
336 | added to the per-user file. | ||
337 | |||
338 | Each line in these files contains the following fields: hostnames, bits, | ||
339 | exponent, modulus, comment. The fields are separated by spaces. | ||
340 | |||
341 | Hostnames is a comma-separated list of patterns (`*' and `?' act as wild- | ||
342 | cards); each pattern in turn is matched against the canonical host name | ||
343 | (when authenticating a client) or against the user-supplied name (when | ||
344 | authenticating a server). A pattern may also be preceded by `!' to indi- | ||
345 | cate negation: if the host name matches a negated pattern, it is not ac- | ||
346 | cepted (by that line) even if it matched another pattern on the line. | ||
347 | |||
348 | Alternately, hostnames may be stored in a hashed form which hides host | ||
349 | names and addresses should the file's contents be disclosed. Hashed | ||
350 | hostnames start with a `|' character. Only one hashed hostname may ap- | ||
351 | pear on a single line and none of the above negation or wildcard opera- | ||
352 | tors may be applied. | ||
353 | |||
354 | Bits, exponent, and modulus are taken directly from the RSA host key; | ||
355 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional | ||
356 | comment field continues to the end of the line, and is not used. | ||
357 | |||
358 | Lines starting with `#' and empty lines are ignored as comments. | ||
359 | |||
360 | When performing host authentication, authentication is accepted if any | ||
361 | matching line has the proper key. It is thus permissible (but not recom- | ||
362 | mended) to have several lines or different host keys for the same names. | ||
363 | This will inevitably happen when short forms of host names from different | ||
364 | domains are put in the file. It is possible that the files contain con- | ||
365 | flicting information; authentication is accepted if valid information can | ||
366 | be found from either file. | ||
367 | |||
368 | Note that the lines in these files are typically hundreds of characters | ||
369 | long, and you definitely don't want to type in the host keys by hand. | ||
370 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub | ||
371 | and adding the host names at the front. | ||
372 | |||
373 | Examples | ||
374 | |||
375 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | ||
376 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | ||
377 | |||
378 | # A hashed hostname | ||
379 | |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa | ||
380 | AAAA1234.....= | ||
381 | |||
382 | FILES | ||
383 | /etc/ssh/sshd_config | ||
384 | Contains configuration data for sshd. The file format and con- | ||
385 | figuration options are described in sshd_config(5). | ||
386 | |||
387 | /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, | ||
388 | /etc/ssh/ssh_host_rsa_key | ||
389 | These three files contain the private parts of the host keys. | ||
390 | These files should only be owned by root, readable only by root, | ||
391 | and not accessible to others. Note that sshd does not start if | ||
392 | this file is group/world-accessible. | ||
393 | |||
394 | /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, | ||
395 | /etc/ssh/ssh_host_rsa_key.pub | ||
396 | These three files contain the public parts of the host keys. | ||
397 | These files should be world-readable but writable only by root. | ||
398 | Their contents should match the respective private parts. These | ||
399 | files are not really used for anything; they are provided for the | ||
400 | convenience of the user so their contents can be copied to known | ||
401 | hosts files. These files are created using ssh-keygen(1). | ||
402 | |||
403 | /etc/moduli | ||
404 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group | ||
405 | Exchange". The file format is described in moduli(5). | ||
406 | |||
407 | /var/empty | ||
408 | chroot(2) directory used by sshd during privilege separation in | ||
409 | the pre-authentication phase. The directory should not contain | ||
410 | any files and must be owned by root and not group or world- | ||
411 | writable. | ||
412 | |||
413 | /var/run/sshd.pid | ||
414 | Contains the process ID of the sshd listening for connections (if | ||
415 | there are several daemons running concurrently for different | ||
416 | ports, this contains the process ID of the one started last). | ||
417 | The content of this file is not sensitive; it can be world-read- | ||
418 | able. | ||
419 | |||
420 | $HOME/.ssh/authorized_keys | ||
421 | Lists the public keys (RSA or DSA) that can be used to log into | ||
422 | the user's account. This file must be readable by root (which | ||
423 | may on some machines imply it being world-readable if the user's | ||
424 | home directory resides on an NFS volume). It is recommended that | ||
425 | it not be accessible by others. The format of this file is de- | ||
426 | scribed above. Users will place the contents of their | ||
427 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | ||
428 | as described in ssh-keygen(1). | ||
429 | |||
430 | /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts | ||
431 | These files are consulted when using rhosts with RSA host authen- | ||
432 | tication or protocol version 2 hostbased authentication to check | ||
433 | the public key of the host. The key must be listed in one of | ||
434 | these files to be accepted. The client uses the same files to | ||
435 | verify that it is connecting to the correct remote host. These | ||
436 | files should be writable only by root/the owner. | ||
437 | /etc/ssh/ssh_known_hosts should be world-readable, and | ||
438 | $HOME/.ssh/known_hosts can, but need not be, world-readable. | ||
439 | |||
440 | /etc/motd | ||
441 | See motd(5). | ||
442 | |||
443 | $HOME/.hushlogin | ||
444 | This file is used to suppress printing the last login time and | ||
445 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | ||
446 | abled. It does not suppress printing of the banner specified by | ||
447 | Banner. | ||
448 | |||
449 | /etc/nologin | ||
450 | If this file exists, sshd refuses to let anyone except root log | ||
451 | in. The contents of the file are displayed to anyone trying to | ||
452 | log in, and non-root connections are refused. The file should be | ||
453 | world-readable. | ||
454 | |||
455 | /etc/hosts.allow, /etc/hosts.deny | ||
456 | Access controls that should be enforced by tcp-wrappers are de- | ||
457 | fined here. Further details are described in hosts_access(5). | ||
458 | |||
459 | $HOME/.rhosts | ||
460 | This file is used during RhostsRSAAuthentication and | ||
461 | HostbasedAuthentication and contains host-username pairs, sepa- | ||
462 | rated by a space, one per line. The given user on the corre- | ||
463 | sponding host is permitted to log in without a password. The | ||
464 | same file is used by rlogind and rshd. The file must be writable | ||
465 | only by the user; it is recommended that it not be accessible by | ||
466 | others. | ||
467 | |||
468 | It is also possible to use netgroups in the file. Either host or | ||
469 | user name may be of the form +@groupname to specify all hosts or | ||
470 | all users in the group. | ||
471 | |||
472 | $HOME/.shosts | ||
473 | For ssh, this file is exactly the same as for .rhosts. However, | ||
474 | this file is not used by rlogin and rshd, so using this permits | ||
475 | access using SSH only. | ||
476 | |||
477 | /etc/hosts.equiv | ||
478 | This file is used during RhostsRSAAuthentication and | ||
479 | HostbasedAuthentication authentication. In the simplest form, | ||
480 | this file contains host names, one per line. Users on those | ||
481 | hosts are permitted to log in without a password, provided they | ||
482 | have the same user name on both machines. The host name may also | ||
483 | be followed by a user name; such users are permitted to log in as | ||
484 | any user on this machine (except root). Additionally, the syntax | ||
485 | ``+@group'' can be used to specify netgroups. Negated entries | ||
486 | start with `-'. | ||
487 | |||
488 | If the client host/user is successfully matched in this file, lo- | ||
489 | gin is automatically permitted provided the client and server us- | ||
490 | er names are the same. Additionally, successful client host key | ||
491 | authentication is required. This file must be writable only by | ||
492 | root; it is recommended that it be world-readable. | ||
493 | |||
494 | Warning: It is almost never a good idea to use user names in | ||
495 | hosts.equiv. Beware that it really means that the named user(s) | ||
496 | can log in as anybody, which includes bin, daemon, adm, and other | ||
497 | accounts that own critical binaries and directories. Using a us- | ||
498 | er name practically grants the user root access. The only valid | ||
499 | use for user names that I can think of is in negative entries. | ||
500 | |||
501 | Note that this warning also applies to rsh/rlogin. | ||
502 | |||
503 | /etc/shosts.equiv | ||
504 | This is processed exactly as /etc/hosts.equiv. However, this | ||
505 | file may be useful in environments that want to run both | ||
506 | rsh/rlogin and ssh. | ||
507 | |||
508 | $HOME/.ssh/environment | ||
509 | This file is read into the environment at login (if it exists). | ||
510 | It can only contain empty lines, comment lines (that start with | ||
511 | `#'), and assignment lines of the form name=value. The file | ||
512 | should be writable only by the user; it need not be readable by | ||
513 | anyone else. Environment processing is disabled by default and | ||
514 | is controlled via the PermitUserEnvironment option. | ||
515 | |||
516 | $HOME/.ssh/rc | ||
517 | If this file exists, it is run with /bin/sh after reading the en- | ||
518 | vironment files but before starting the user's shell or command. | ||
519 | It must not produce any output on stdout; stderr must be used in- | ||
520 | stead. If X11 forwarding is in use, it will receive the "proto | ||
521 | cookie" pair in its standard input (and DISPLAY in its environ- | ||
522 | ment). The script must call xauth(1) because sshd will not run | ||
523 | xauth automatically to add X11 cookies. | ||
524 | |||
525 | The primary purpose of this file is to run any initialization | ||
526 | routines which may be needed before the user's home directory be- | ||
527 | comes accessible; AFS is a particular example of such an environ- | ||
528 | ment. | ||
529 | |||
530 | This file will probably contain some initialization code followed | ||
531 | by something similar to: | ||
532 | |||
533 | if read proto cookie && [ -n "$DISPLAY" ]; then | ||
534 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then | ||
535 | # X11UseLocalhost=yes | ||
536 | echo add unix:`echo $DISPLAY | | ||
537 | cut -c11-` $proto $cookie | ||
538 | else | ||
539 | # X11UseLocalhost=no | ||
540 | echo add $DISPLAY $proto $cookie | ||
541 | fi | xauth -q - | ||
542 | fi | ||
543 | |||
544 | If this file does not exist, /etc/ssh/sshrc is run, and if that | ||
545 | does not exist either, xauth is used to add the cookie. | ||
546 | |||
547 | This file should be writable only by the user, and need not be | ||
548 | readable by anyone else. | ||
549 | |||
550 | /etc/ssh/sshrc | ||
551 | Like $HOME/.ssh/rc. This can be used to specify machine-specific | ||
552 | login-time initializations globally. This file should be | ||
553 | writable only by root, and should be world-readable. | ||
554 | |||
555 | SEE ALSO | ||
556 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | ||
557 | chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5), | ||
558 | inetd(8), sftp-server(8) | ||
559 | |||
560 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH | ||
561 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January | ||
562 | 2002, work in progress material. | ||
563 | |||
564 | M. Friedl, N. Provos, and W. A. Simpson, Diffie-Hellman Group Exchange | ||
565 | for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- | ||
566 | exchange-02.txt, January 2002, work in progress material. | ||
567 | |||
568 | AUTHORS | ||
569 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | ||
570 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | ||
571 | de Raadt and Dug Song removed many bugs, re-added newer features and | ||
572 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | ||
573 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | ||
574 | for privilege separation. | ||
575 | |||
576 | OpenBSD 3.7 September 25, 1999 9 | ||
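Review bot: in the FILES entry for the host private keys (new-file lines 389-392), "Note that sshd does not start if this file is group/world-accessible" uses the singular after listing three files; "these files" would make clear that the permission check applies to /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key alike, which is the behaviour an administrator relies on when checking key permissions. Two further style points in the same import: the hosts.equiv warning at line 499 still carries the first-person "that I can think of" from the original ssh manual, which reads oddly in a system manual page, and the footer at line 576 dates the page "September 25, 1999" although the text documents 4.1p1 features such as hashed known_hosts entries (lines 348-352). Since sshd.0 is the preformatted rendering of sshd.8, any of these fixes should be made in sshd.8 and the .0 file regenerated rather than hand-edited here.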