| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2004-03-01 02:25:32 +0000 |
| commit | ea8116a11e3de70036dbc665ccb0d486cf89cac9 (patch) | |
| tree | d73ccdff78d8608e156465af42e6a1b3527fb2d6 /sshd.0 | |
| parent | e39b311381a5609cc05acf298c42fba196dc524b (diff) | |
| parent | f5bda272678ec6dccaa5f29379cf60cb855018e8 (diff) | |
Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested it
extensively yet.
ProtocolKeepAlives is now just a compatibility alias for
ServerAliveInterval.
Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 263 |
1 files changed, 132 insertions, 131 deletions
@@ -1,10 +1,10 @@ | |||
1 | SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8) | 1 | SSHD(8) OpenBSD System Manager's Manual SSHD(8) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd - OpenSSH SSH daemon | 4 | sshd - OpenSSH SSH daemon |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | sshd [-deiqtD46] [-b bits] [-f config_file] [-g login_grace_time] | 7 | sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time] |
8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] | 8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] |
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
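Review bot: the old sshd.0 carried UTF-8 typographic quotes that show up here as `M-bM-^@M-^Y` escapes (line 1, `ManagerM-bM-^@M-^Ys`), and the regenerated file uses a plain ASCII apostrophe instead; that is the right output for a preformatted catpage, but since sshd.0 is generated from sshd.8 the locale and charset the formatter runs with should be pinned in the build step so the next regeneration does not reintroduce the UTF-8 glyphs. The synopsis reordering to `[-46Ddeiqt]` is consistent with the alphabetical move of the -4, -6 and -D entries later in the same file.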
@@ -14,8 +14,8 @@ DESCRIPTION | |||
14 | intended to be as easy to install and use as possible. | 14 | intended to be as easy to install and use as possible. |
15 | 15 | ||
16 | sshd is the daemon that listens for connections from clients. It is nor- | 16 | sshd is the daemon that listens for connections from clients. It is nor- |
17 | mally started at boot from /etc/rc. It forks a new daemon for each | 17 | mally started at boot from /etc/rc. It forks a new daemon for each in- |
18 | incoming connection. The forked daemons handle key exchange, encryption, | 18 | coming connection. The forked daemons handle key exchange, encryption, |
19 | authentication, command execution, and data exchange. This implementa- | 19 | authentication, command execution, and data exchange. This implementa- |
20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. | 20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. |
21 | sshd works as follows: | 21 | sshd works as follows: |
@@ -23,15 +23,15 @@ DESCRIPTION | |||
23 | SSH protocol version 1 | 23 | SSH protocol version 1 |
24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | 24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- |
25 | tify the host. Additionally, when the daemon starts, it generates a | 25 | tify the host. Additionally, when the daemon starts, it generates a |
26 | server RSA key (normally 768 bits). This key is normally regenerated | 26 | server RSA key (normally 768 bits). This key is normally regenerated ev- |
27 | every hour if it has been used, and is never stored on disk. | 27 | ery hour if it has been used, and is never stored on disk. |
28 | 28 | ||
29 | Whenever a client connects, the daemon responds with its public host and | 29 | Whenever a client connects, the daemon responds with its public host and |
30 | server keys. The client compares the RSA host key against its own | 30 | server keys. The client compares the RSA host key against its own |
31 | database to verify that it has not changed. The client then generates a | 31 | database to verify that it has not changed. The client then generates a |
32 | 256 bit random number. It encrypts this random number using both the | 32 | 256-bit random number. It encrypts this random number using both the |
33 | host key and the server key, and sends the encrypted number to the | 33 | host key and the server key, and sends the encrypted number to the serv- |
34 | server. Both sides then use this random number as a session key which is | 34 | er. Both sides then use this random number as a session key which is |
35 | used to encrypt all further communications in the session. The rest of | 35 | used to encrypt all further communications in the session. The rest of |
36 | the session is encrypted using a conventional cipher, currently Blowfish | 36 | the session is encrypted using a conventional cipher, currently Blowfish |
37 | or 3DES, with 3DES being used by default. The client selects the encryp- | 37 | or 3DES, with 3DES being used by default. The client selects the encryp- |
@@ -39,21 +39,21 @@ DESCRIPTION | |||
39 | 39 | ||
40 | Next, the server and the client enter an authentication dialog. The | 40 | Next, the server and the client enter an authentication dialog. The |
41 | client tries to authenticate itself using .rhosts authentication, .rhosts | 41 | client tries to authenticate itself using .rhosts authentication, .rhosts |
42 | authentication combined with RSA host authentication, RSA challenge- | 42 | authentication combined with RSA host authentication, RSA challenge-re- |
43 | response authentication, or password based authentication. | 43 | sponse authentication, or password based authentication. |
44 | 44 | ||
45 | Regardless of the authentication type, the account is checked to ensure | 45 | Regardless of the authentication type, the account is checked to ensure |
46 | that it is accessible. An account is not accessible if it is locked, | 46 | that it is accessible. An account is not accessible if it is locked, |
47 | listed in DenyUsers or its group is listed in DenyGroups . The defini- | 47 | listed in DenyUsers or its group is listed in DenyGroups . The defini- |
48 | tion of a locked account is system dependant. Some platforms have their | 48 | tion of a locked account is system dependant. Some platforms have their |
49 | own account database (eg AIX) and some modify the passwd field ( M-bM-^@M-^X*LK*M-bM-^@M-^Y | 49 | own account database (eg AIX) and some modify the passwd field ( `*LK*' |
50 | on Solaris, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on Tru64 and a leading | 50 | on Solaris, `*' on HP-UX, containing `Nologin' on Tru64 and a leading |
51 | M-bM-^@M-^X!!M-bM-^@M-^Y on Linux). If there is a requirement to disable password authenti- | 51 | `!!' on Linux). If there is a requirement to disable password authenti- |
52 | cation for the account while allowing still public-key, then the passwd | 52 | cation for the account while allowing still public-key, then the passwd |
53 | field should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or | 53 | field should be set to something other than these values (eg `NP' or |
54 | M-bM-^@M-^X*NP*M-bM-^@M-^Y ). | 54 | `*NP*' ). |
55 | 55 | ||
56 | Rhosts authentication is normally disabled because it is fundamentally | 56 | rhosts authentication is normally disabled because it is fundamentally |
57 | insecure, but can be enabled in the server configuration file if desired. | 57 | insecure, but can be enabled in the server configuration file if desired. |
58 | System security is not improved unless rshd, rlogind, and rexecd are dis- | 58 | System security is not improved unless rshd, rlogind, and rexecd are dis- |
59 | abled (thus completely disabling rlogin and rsh into the machine). | 59 | abled (thus completely disabling rlogin and rsh into the machine). |
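Review bot: the typo `system dependant` (line 48) and the awkward `while allowing still public-key` (line 52) survive the regeneration unchanged; since sshd.0 is generated output, the fix belongs in the sshd.8 source (`dependent`, `while still allowing public-key`) rather than in this file. The change from `Rhosts` to `rhosts` at line 56 is consistent with the lowercase spelling used elsewhere in this page (`using rhosts with RSA host authentication` in FILES).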
@@ -66,11 +66,10 @@ DESCRIPTION | |||
66 | key. | 66 | key. |
67 | 67 | ||
68 | The rest of the session is encrypted using a symmetric cipher, currently | 68 | The rest of the session is encrypted using a symmetric cipher, currently |
69 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit | 69 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit |
70 | AES. The client selects the encryption algorithm to use from those | 70 | AES. The client selects the encryption algorithm to use from those of- |
71 | offered by the server. Additionally, session integrity is provided | 71 | fered by the server. Additionally, session integrity is provided through |
72 | through a cryptographic message authentication code (hmac-sha1 or hmac- | 72 | a cryptographic message authentication code (hmac-sha1 or hmac-md5). |
73 | md5). | ||
74 | 73 | ||
75 | Protocol version 2 provides a public key based user (PubkeyAuthentica- | 74 | Protocol version 2 provides a public key based user (PubkeyAuthentica- |
76 | tion) or client host (HostbasedAuthentication) authentication method, | 75 | tion) or client host (HostbasedAuthentication) authentication method, |
@@ -93,9 +92,9 @@ DESCRIPTION | |||
93 | tions have been closed, the server sends command exit status to the | 92 | tions have been closed, the server sends command exit status to the |
94 | client, and both sides exit. | 93 | client, and both sides exit. |
95 | 94 | ||
96 | sshd can be configured using command-line options or a configuration | 95 | sshd can be configured using command-line options or a configuration file |
97 | file. Command-line options override values specified in the configura- | 96 | (by default sshd_config(5)). Command-line options override values speci- |
98 | tion file. | 97 | fied in the configuration file. |
99 | 98 | ||
100 | sshd rereads its configuration file when it receives a hangup signal, | 99 | sshd rereads its configuration file when it receives a hangup signal, |
101 | SIGHUP, by executing itself with the name it was started as, i.e., | 100 | SIGHUP, by executing itself with the name it was started as, i.e., |
@@ -103,15 +102,22 @@ DESCRIPTION | |||
103 | 102 | ||
104 | The options are as follows: | 103 | The options are as follows: |
105 | 104 | ||
105 | -4 Forces sshd to use IPv4 addresses only. | ||
106 | |||
107 | -6 Forces sshd to use IPv6 addresses only. | ||
108 | |||
106 | -b bits | 109 | -b bits |
107 | Specifies the number of bits in the ephemeral protocol version 1 | 110 | Specifies the number of bits in the ephemeral protocol version 1 |
108 | server key (default 768). | 111 | server key (default 768). |
109 | 112 | ||
113 | -D When this option is specified, sshd will not detach and does not | ||
114 | become a daemon. This allows easy monitoring of sshd. | ||
115 | |||
110 | -d Debug mode. The server sends verbose debug output to the system | 116 | -d Debug mode. The server sends verbose debug output to the system |
111 | log, and does not put itself in the background. The server also | 117 | log, and does not put itself in the background. The server also |
112 | will not fork and will only process one connection. This option | 118 | will not fork and will only process one connection. This option |
113 | is only intended for debugging for the server. Multiple -d | 119 | is only intended for debugging for the server. Multiple -d op- |
114 | options increase the debugging level. Maximum is 3. | 120 | tions increase the debugging level. Maximum is 3. |
115 | 121 | ||
116 | -e When this option is specified, sshd will send the output to the | 122 | -e When this option is specified, sshd will send the output to the |
117 | standard error instead of the system log. | 123 | standard error instead of the system log. |
@@ -122,10 +128,10 @@ DESCRIPTION | |||
122 | figuration file. | 128 | figuration file. |
123 | 129 | ||
124 | -g login_grace_time | 130 | -g login_grace_time |
125 | Gives the grace time for clients to authenticate themselves | 131 | Gives the grace time for clients to authenticate themselves (de- |
126 | (default 120 seconds). If the client fails to authenticate the | 132 | fault 120 seconds). If the client fails to authenticate the user |
127 | user within this many seconds, the server disconnects and exits. | 133 | within this many seconds, the server disconnects and exits. A |
128 | A value of zero indicates no limit. | 134 | value of zero indicates no limit. |
129 | 135 | ||
130 | -h host_key_file | 136 | -h host_key_file |
131 | Specifies a file from which a host key is read. This option must | 137 | Specifies a file from which a host key is read. This option must |
@@ -139,23 +145,24 @@ DESCRIPTION | |||
139 | -i Specifies that sshd is being run from inetd(8). sshd is normally | 145 | -i Specifies that sshd is being run from inetd(8). sshd is normally |
140 | not run from inetd because it needs to generate the server key | 146 | not run from inetd because it needs to generate the server key |
141 | before it can respond to the client, and this may take tens of | 147 | before it can respond to the client, and this may take tens of |
142 | seconds. Clients would have to wait too long if the key was | 148 | seconds. Clients would have to wait too long if the key was re- |
143 | regenerated every time. However, with small key sizes (e.g., | 149 | generated every time. However, with small key sizes (e.g., 512) |
144 | 512) using sshd from inetd may be feasible. | 150 | using sshd from inetd may be feasible. |
145 | 151 | ||
146 | -k key_gen_time | 152 | -k key_gen_time |
147 | Specifies how often the ephemeral protocol version 1 server key | 153 | Specifies how often the ephemeral protocol version 1 server key |
148 | is regenerated (default 3600 seconds, or one hour). The motiva- | 154 | is regenerated (default 3600 seconds, or one hour). The motiva- |
149 | tion for regenerating the key fairly often is that the key is not | 155 | tion for regenerating the key fairly often is that the key is not |
150 | stored anywhere, and after about an hour, it becomes impossible | 156 | stored anywhere, and after about an hour it becomes impossible to |
151 | to recover the key for decrypting intercepted communications even | 157 | recover the key for decrypting intercepted communications even if |
152 | if the machine is cracked into or physically seized. A value of | 158 | the machine is cracked into or physically seized. A value of ze- |
153 | zero indicates that the key will never be regenerated. | 159 | ro indicates that the key will never be regenerated. |
154 | 160 | ||
155 | -o option | 161 | -o option |
156 | Can be used to give options in the format used in the configura- | 162 | Can be used to give options in the format used in the configura- |
157 | tion file. This is useful for specifying options for which there | 163 | tion file. This is useful for specifying options for which there |
158 | is no separate command-line flag. | 164 | is no separate command-line flag. For full details of the op- |
165 | tions, and their values, see sshd_config(5). | ||
159 | 166 | ||
160 | -p port | 167 | -p port |
161 | Specifies the port on which the server listens for connections | 168 | Specifies the port on which the server listens for connections |
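Review bot: the -i text (lines 148-150) still suggests 512-bit server keys to make running from inetd feasible; a 512-bit RSA key offers little protection, and per the DESCRIPTION section the protocol 1 session key is encrypted with that server key (together with the host key), so this sentence deserves a caveat in the sshd.8 source rather than being carried forward verbatim. The cross-reference to sshd_config(5) added to -o (lines 164-165) is a welcome addition.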
@@ -163,8 +170,8 @@ DESCRIPTION | |||
163 | fied in the configuration file are ignored when a command-line | 170 | fied in the configuration file are ignored when a command-line |
164 | port is specified. | 171 | port is specified. |
165 | 172 | ||
166 | -q Quiet mode. Nothing is sent to the system log. Normally the | 173 | -q Quiet mode. Nothing is sent to the system log. Normally the be- |
167 | beginning, authentication, and termination of each connection is | 174 | ginning, authentication, and termination of each connection is |
168 | logged. | 175 | logged. |
169 | 176 | ||
170 | -t Test mode. Only check the validity of the configuration file and | 177 | -t Test mode. Only check the validity of the configuration file and |
@@ -179,19 +186,12 @@ DESCRIPTION | |||
179 | indicates that only dotted decimal addresses should be put into | 186 | indicates that only dotted decimal addresses should be put into |
180 | the utmp file. -u0 may also be used to prevent sshd from making | 187 | the utmp file. -u0 may also be used to prevent sshd from making |
181 | DNS requests unless the authentication mechanism or configuration | 188 | DNS requests unless the authentication mechanism or configuration |
182 | requires it. Authentication mechanisms that may require DNS | 189 | requires it. Authentication mechanisms that may require DNS in- |
183 | include RhostsRSAAuthentication, HostbasedAuthentication and | 190 | clude RhostsRSAAuthentication, HostbasedAuthentication and using |
184 | using a from="pattern-list" option in a key file. Configuration | 191 | a from="pattern-list" option in a key file. Configuration op- |
185 | options that require DNS include using a USER@HOST pattern in | 192 | tions that require DNS include using a USER@HOST pattern in |
186 | AllowUsers or DenyUsers. | 193 | AllowUsers or DenyUsers. |
187 | 194 | ||
188 | -D When this option is specified sshd will not detach and does not | ||
189 | become a daemon. This allows easy monitoring of sshd. | ||
190 | |||
191 | -4 Forces sshd to use IPv4 addresses only. | ||
192 | |||
193 | -6 Forces sshd to use IPv6 addresses only. | ||
194 | |||
195 | CONFIGURATION FILE | 195 | CONFIGURATION FILE |
196 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 196 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
197 | specified with -f on the command line). The file format and configura- | 197 | specified with -f on the command line). The file format and configura- |
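Review bot: the removal of the -D, -4 and -6 entries here pairs with their reinsertion in alphabetical position earlier in the options list (new lines 105-115), so no entry is lost or duplicated; the only textual difference in the moved -D text is the added comma after `specified`, which reads better.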
@@ -214,18 +214,18 @@ LOGIN PROCESS | |||
214 | 214 | ||
215 | 5. Sets up basic environment. | 215 | 5. Sets up basic environment. |
216 | 216 | ||
217 | 6. Reads $HOME/.ssh/environment if it exists and users are | 217 | 6. Reads the file $HOME/.ssh/environment, if it exists, and users |
218 | allowed to change their environment. See the | 218 | are allowed to change their environment. See the |
219 | PermitUserEnvironment option in sshd_config(5). | 219 | PermitUserEnvironment option in sshd_config(5). |
220 | 220 | ||
221 | 7. Changes to userM-bM-^@M-^Ys home directory. | 221 | 7. Changes to user's home directory. |
222 | 222 | ||
223 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc | 223 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- |
224 | exists, runs it; otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are | 224 | ists, runs it; otherwise runs xauth. The ``rc'' files are |
225 | given the X11 authentication protocol and cookie in standard | 225 | given the X11 authentication protocol and cookie in standard |
226 | input. | 226 | input. |
227 | 227 | ||
228 | 9. Runs userM-bM-^@M-^Ys shell or command. | 228 | 9. Runs user's shell or command. |
229 | 229 | ||
230 | AUTHORIZED_KEYS FILE FORMAT | 230 | AUTHORIZED_KEYS FILE FORMAT |
231 | $HOME/.ssh/authorized_keys is the default file that lists the public keys | 231 | $HOME/.ssh/authorized_keys is the default file that lists the public keys |
@@ -234,7 +234,7 @@ AUTHORIZED_KEYS FILE FORMAT | |||
234 | AuthorizedKeysFile may be used to specify an alternative file. | 234 | AuthorizedKeysFile may be used to specify an alternative file. |
235 | 235 | ||
236 | Each line of the file contains one key (empty lines and lines starting | 236 | Each line of the file contains one key (empty lines and lines starting |
237 | with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the | 237 | with a `#' are ignored as comments). Each RSA public key consists of the |
238 | following fields, separated by spaces: options, bits, exponent, modulus, | 238 | following fields, separated by spaces: options, bits, exponent, modulus, |
239 | comment. Each protocol version 2 public key consists of: options, key- | 239 | comment. Each protocol version 2 public key consists of: options, key- |
240 | type, base64 encoded key, comment. The options field is optional; its | 240 | type, base64 encoded key, comment. The options field is optional; its |
@@ -242,11 +242,11 @@ AUTHORIZED_KEYS FILE FORMAT | |||
242 | (the options field never starts with a number). The bits, exponent, mod- | 242 | (the options field never starts with a number). The bits, exponent, mod- |
243 | ulus and comment fields give the RSA key for protocol version 1; the com- | 243 | ulus and comment fields give the RSA key for protocol version 1; the com- |
244 | ment field is not used for anything (but may be convenient for the user | 244 | ment field is not used for anything (but may be convenient for the user |
245 | to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or | 245 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' |
246 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. | 246 | or ``ssh-rsa''. |
247 | 247 | ||
248 | Note that lines in this file are usually several hundred bytes long | 248 | Note that lines in this file are usually several hundred bytes long (be- |
249 | (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type | 249 | cause of the size of the public key encoding). You don't want to type |
250 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 250 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub |
251 | file and edit it. | 251 | file and edit it. |
252 | 252 | ||
@@ -261,31 +261,31 @@ AUTHORIZED_KEYS FILE FORMAT | |||
261 | from="pattern-list" | 261 | from="pattern-list" |
262 | Specifies that in addition to public key authentication, the | 262 | Specifies that in addition to public key authentication, the |
263 | canonical name of the remote host must be present in the comma- | 263 | canonical name of the remote host must be present in the comma- |
264 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y serve as wildcards). The | 264 | separated list of patterns (`*' and `?' serve as wildcards). The |
265 | list may also contain patterns negated by prefixing them with | 265 | list may also contain patterns negated by prefixing them with |
266 | M-bM-^@M-^X!M-bM-^@M-^Y; if the canonical host name matches a negated pattern, the | 266 | `!'; if the canonical host name matches a negated pattern, the |
267 | key is not accepted. The purpose of this option is to optionally | 267 | key is not accepted. The purpose of this option is to optionally |
268 | increase security: public key authentication by itself does not | 268 | increase security: public key authentication by itself does not |
269 | trust the network or name servers or anything (but the key); how- | 269 | trust the network or name servers or anything (but the key); how- |
270 | ever, if somebody somehow steals the key, the key permits an | 270 | ever, if somebody somehow steals the key, the key permits an in- |
271 | intruder to log in from anywhere in the world. This additional | 271 | truder to log in from anywhere in the world. This additional op- |
272 | option makes using a stolen key more difficult (name servers | 272 | tion makes using a stolen key more difficult (name servers and/or |
273 | and/or routers would have to be compromised in addition to just | 273 | routers would have to be compromised in addition to just the |
274 | the key). | 274 | key). |
275 | 275 | ||
276 | command="command" | 276 | command="command" |
277 | Specifies that the command is executed whenever this key is used | 277 | Specifies that the command is executed whenever this key is used |
278 | for authentication. The command supplied by the user (if any) is | 278 | for authentication. The command supplied by the user (if any) is |
279 | ignored. The command is run on a pty if the client requests a | 279 | ignored. The command is run on a pty if the client requests a |
280 | pty; otherwise it is run without a tty. If an 8-bit clean chan- | 280 | pty; otherwise it is run without a tty. If an 8-bit clean chan- |
281 | nel is required, one must not request a pty or should specify | 281 | nel is required, one must not request a pty or should specify no- |
282 | no-pty. A quote may be included in the command by quoting it | 282 | pty. A quote may be included in the command by quoting it with a |
283 | with a backslash. This option might be useful to restrict cer- | 283 | backslash. This option might be useful to restrict certain pub- |
284 | tain public keys to perform just a specific operation. An exam- | 284 | lic keys to perform just a specific operation. An example might |
285 | ple might be a key that permits remote backups but nothing else. | 285 | be a key that permits remote backups but nothing else. Note that |
286 | Note that the client may specify TCP/IP and/or X11 forwarding | 286 | the client may specify TCP/IP and/or X11 forwarding unless they |
287 | unless they are explicitly prohibited. Note that this option | 287 | are explicitly prohibited. Note that this option applies to |
288 | applies to shell, command or subsystem execution. | 288 | shell, command or subsystem execution. |
289 | 289 | ||
290 | environment="NAME=value" | 290 | environment="NAME=value" |
291 | Specifies that the string is to be added to the environment when | 291 | Specifies that the string is to be added to the environment when |
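Review bot: in the new output the option name `no-pty` is hyphenated across lines 281-282 (`no-` / `pty`), so a reader of the catpage can no longer tell that it is a single literal token to be written in authorized_keys; in the sshd.8 source the name should be marked up as a literal (or use a non-breaking hyphen) so the formatter keeps it intact.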
@@ -297,8 +297,8 @@ AUTHORIZED_KEYS FILE FORMAT | |||
297 | 297 | ||
298 | no-port-forwarding | 298 | no-port-forwarding |
299 | Forbids TCP/IP forwarding when this key is used for authentica- | 299 | Forbids TCP/IP forwarding when this key is used for authentica- |
300 | tion. Any port forward requests by the client will return an | 300 | tion. Any port forward requests by the client will return an er- |
301 | error. This might be used, e.g., in connection with the command | 301 | ror. This might be used, e.g., in connection with the command |
302 | option. | 302 | option. |
303 | 303 | ||
304 | no-X11-forwarding | 304 | no-X11-forwarding |
@@ -312,45 +312,45 @@ AUTHORIZED_KEYS FILE FORMAT | |||
312 | no-pty Prevents tty allocation (a request to allocate a pty will fail). | 312 | no-pty Prevents tty allocation (a request to allocate a pty will fail). |
313 | 313 | ||
314 | permitopen="host:port" | 314 | permitopen="host:port" |
315 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con- | 315 | Limit local ``ssh -L'' port forwarding such that it may only con- |
316 | nect to the specified host and port. IPv6 addresses can be spec- | 316 | nect to the specified host and port. IPv6 addresses can be spec- |
317 | ified with an alternative syntax: host/port. Multiple permitopen | 317 | ified with an alternative syntax: host/port. Multiple permitopen |
318 | options may be applied separated by commas. No pattern matching | 318 | options may be applied separated by commas. No pattern matching |
319 | is performed on the specified hostnames, they must be literal | 319 | is performed on the specified hostnames, they must be literal do- |
320 | domains or addresses. | 320 | mains or addresses. |
321 | 321 | ||
322 | Examples | 322 | Examples |
323 | 1024 33 12121...312314325 ylo@foo.bar | 323 | 1024 33 12121...312314325 ylo@foo.bar |
324 | 324 | ||
325 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula | 325 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
326 | 326 | ||
327 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 | 327 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- |
328 | backup.hut.fi | 328 | up.hut.fi |
329 | 329 | ||
330 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 330 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
331 | 331 | ||
332 | SSH_KNOWN_HOSTS FILE FORMAT | 332 | SSH_KNOWN_HOSTS FILE FORMAT |
333 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain | 333 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain |
334 | host public keys for all known hosts. The global file should be prepared | 334 | host public keys for all known hosts. The global file should be prepared |
335 | by the administrator (optional), and the per-user file is maintained | 335 | by the administrator (optional), and the per-user file is maintained au- |
336 | automatically: whenever the user connects from an unknown host its key is | 336 | tomatically: whenever the user connects from an unknown host its key is |
337 | added to the per-user file. | 337 | added to the per-user file. |
338 | 338 | ||
339 | Each line in these files contains the following fields: hostnames, bits, | 339 | Each line in these files contains the following fields: hostnames, bits, |
340 | exponent, modulus, comment. The fields are separated by spaces. | 340 | exponent, modulus, comment. The fields are separated by spaces. |
341 | 341 | ||
342 | Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as wild- | 342 | Hostnames is a comma-separated list of patterns (`*' and `?' act as wild- |
343 | cards); each pattern in turn is matched against the canonical host name | 343 | cards); each pattern in turn is matched against the canonical host name |
344 | (when authenticating a client) or against the user-supplied name (when | 344 | (when authenticating a client) or against the user-supplied name (when |
345 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indi- | 345 | authenticating a server). A pattern may also be preceded by `!' to indi- |
346 | cate negation: if the host name matches a negated pattern, it is not | 346 | cate negation: if the host name matches a negated pattern, it is not ac- |
347 | accepted (by that line) even if it matched another pattern on the line. | 347 | cepted (by that line) even if it matched another pattern on the line. |
348 | 348 | ||
349 | Bits, exponent, and modulus are taken directly from the RSA host key; | 349 | Bits, exponent, and modulus are taken directly from the RSA host key; |
350 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional | 350 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional |
351 | comment field continues to the end of the line, and is not used. | 351 | comment field continues to the end of the line, and is not used. |
352 | 352 | ||
353 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. | 353 | Lines starting with `#' and empty lines are ignored as comments. |
354 | 354 | ||
355 | When performing host authentication, authentication is accepted if any | 355 | When performing host authentication, authentication is accepted if any |
356 | matching line has the proper key. It is thus permissible (but not recom- | 356 | matching line has the proper key. It is thus permissible (but not recom- |
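Review bot: the example key line at 327-328 now breaks the hostname `backup.hut.fi` into `back-` / `up.hut.fi`; because the Examples block is meant to be copied literally, that line in sshd.8 should be protected from filling and hyphenation (a literal display block) so the catpage shows it whole.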
@@ -361,11 +361,12 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
361 | be found from either file. | 361 | be found from either file. |
362 | 362 | ||
363 | Note that the lines in these files are typically hundreds of characters | 363 | Note that the lines in these files are typically hundreds of characters |
364 | long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand. | 364 | long, and you definitely don't want to type in the host keys by hand. |
365 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub | 365 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub |
366 | and adding the host names at the front. | 366 | and adding the host names at the front. |
367 | 367 | ||
368 | Examples | 368 | Examples |
369 | |||
369 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 370 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
370 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 371 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
371 | 372 | ||
@@ -409,15 +410,15 @@ FILES | |||
409 | 410 | ||
410 | $HOME/.ssh/authorized_keys | 411 | $HOME/.ssh/authorized_keys |
411 | Lists the public keys (RSA or DSA) that can be used to log into | 412 | Lists the public keys (RSA or DSA) that can be used to log into |
412 | the userM-bM-^@M-^Ys account. This file must be readable by root (which | 413 | the user's account. This file must be readable by root (which |
413 | may on some machines imply it being world-readable if the userM-bM-^@M-^Ys | 414 | may on some machines imply it being world-readable if the user's |
414 | home directory resides on an NFS volume). It is recommended that | 415 | home directory resides on an NFS volume). It is recommended that |
415 | it not be accessible by others. The format of this file is | 416 | it not be accessible by others. The format of this file is de- |
416 | described above. Users will place the contents of their | 417 | scribed above. Users will place the contents of their |
417 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | 418 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
418 | as described in ssh-keygen(1). | 419 | as described in ssh-keygen(1). |
419 | 420 | ||
420 | /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts | 421 | /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts |
421 | These files are consulted when using rhosts with RSA host authen- | 422 | These files are consulted when using rhosts with RSA host authen- |
422 | tication or protocol version 2 hostbased authentication to check | 423 | tication or protocol version 2 hostbased authentication to check |
423 | the public key of the host. The key must be listed in one of | 424 | the public key of the host. The key must be listed in one of |
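Review bot: apart from rewrapping, the only textual change is the heading on new 421, which now joins the two known_hosts paths with a comma instead of "and", consistent with the "/etc/hosts.allow, /etc/hosts.deny" style used for the other multi-file entries in FILES. The permission guidance for authorized_keys (must be readable by root, should not be accessible by others, with the NFS caveat that root-readable may mean world-readable) is carried over verbatim, which is the part a reader relies on.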
@@ -434,8 +435,8 @@ FILES | |||
434 | world-readable. | 435 | world-readable. |
435 | 436 | ||
436 | /etc/hosts.allow, /etc/hosts.deny | 437 | /etc/hosts.allow, /etc/hosts.deny |
437 | Access controls that should be enforced by tcp-wrappers are | 438 | Access controls that should be enforced by tcp-wrappers are de- |
438 | defined here. Further details are described in hosts_access(5). | 439 | fined here. Further details are described in hosts_access(5). |
439 | 440 | ||
440 | $HOME/.rhosts | 441 | $HOME/.rhosts |
441 | This file contains host-username pairs, separated by a space, one | 442 | This file contains host-username pairs, separated by a space, one |
@@ -444,7 +445,7 @@ FILES | |||
444 | and rshd. The file must be writable only by the user; it is rec- | 445 | and rshd. The file must be writable only by the user; it is rec- |
445 | ommended that it not be accessible by others. | 446 | ommended that it not be accessible by others. |
446 | 447 | ||
447 | If is also possible to use netgroups in the file. Either host or | 448 | It is also possible to use netgroups in the file. Either host or |
448 | user name may be of the form +@groupname to specify all hosts or | 449 | user name may be of the form +@groupname to specify all hosts or |
449 | all users in the group. | 450 | all users in the group. |
450 | 451 | ||
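Review bot: new 448 fixes the typo "If is also possible" to "It is also possible"; nothing else in the hunk changes. Fine to merge as-is.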
@@ -454,28 +455,27 @@ FILES | |||
454 | access using SSH only. | 455 | access using SSH only. |
455 | 456 | ||
456 | /etc/hosts.equiv | 457 | /etc/hosts.equiv |
457 | This file is used during .rhosts authentication. In the simplest | 458 | This file is used during rhosts authentication. In the simplest |
458 | form, this file contains host names, one per line. Users on | 459 | form, this file contains host names, one per line. Users on |
459 | those hosts are permitted to log in without a password, provided | 460 | those hosts are permitted to log in without a password, provided |
460 | they have the same user name on both machines. The host name may | 461 | they have the same user name on both machines. The host name may |
461 | also be followed by a user name; such users are permitted to log | 462 | also be followed by a user name; such users are permitted to log |
462 | in as any user on this machine (except root). Additionally, the | 463 | in as any user on this machine (except root). Additionally, the |
463 | syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated | 464 | syntax ``+@group'' can be used to specify netgroups. Negated en- |
464 | entries start with M-bM-^@M-^X-M-bM-^@M-^Y. | 465 | tries start with `-'. |
465 | 466 | ||
466 | If the client host/user is successfully matched in this file, | 467 | If the client host/user is successfully matched in this file, lo- |
467 | login is automatically permitted provided the client and server | 468 | gin is automatically permitted provided the client and server us- |
468 | user names are the same. Additionally, successful RSA host | 469 | er names are the same. Additionally, successful RSA host authen- |
469 | authentication is normally required. This file must be writable | 470 | tication is normally required. This file must be writable only |
470 | only by root; it is recommended that it be world-readable. | 471 | by root; it is recommended that it be world-readable. |
471 | 472 | ||
472 | Warning: It is almost never a good idea to use user names in | 473 | Warning: It is almost never a good idea to use user names in |
473 | hosts.equiv. Beware that it really means that the named user(s) | 474 | hosts.equiv. Beware that it really means that the named user(s) |
474 | can log in as anybody, which includes bin, daemon, adm, and other | 475 | can log in as anybody, which includes bin, daemon, adm, and other |
475 | accounts that own critical binaries and directories. Using a | 476 | accounts that own critical binaries and directories. Using a us- |
476 | user name practically grants the user root access. The only | 477 | er name practically grants the user root access. The only valid |
477 | valid use for user names that I can think of is in negative | 478 | use for user names that I can think of is in negative entries. |
478 | entries. | ||
479 | 479 | ||
480 | Note that this warning also applies to rsh/rlogin. | 480 | Note that this warning also applies to rsh/rlogin. |
481 | 481 | ||
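Review bot: the new wrap hyphenates "login" as "lo-gin" (new 467) and "user" as "us-er" twice (new 468 and 476), which reads badly for such short words; that is formatter hyphenation, so if it is worth fixing the change belongs in sshd.8 (a ".hy 0" request or a "\%" prefix on the affected words), not in a hand edit of sshd.0. The substantive edits are sound: "rhosts authentication" on new 458 now matches the "rhosts with RSA host authentication" wording used in the known_hosts entry, and the "+@group" and "-" quotes are back to ASCII. The warning that a user name in hosts.equiv lets that user log in as any non-root account, and so effectively grants root, survives unchanged, which is the key security statement in this hunk.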
@@ -487,33 +487,33 @@ FILES | |||
487 | $HOME/.ssh/environment | 487 | $HOME/.ssh/environment |
488 | This file is read into the environment at login (if it exists). | 488 | This file is read into the environment at login (if it exists). |
489 | It can only contain empty lines, comment lines (that start with | 489 | It can only contain empty lines, comment lines (that start with |
490 | M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file | 490 | `#'), and assignment lines of the form name=value. The file |
491 | should be writable only by the user; it need not be readable by | 491 | should be writable only by the user; it need not be readable by |
492 | anyone else. Environment processing is disabled by default and | 492 | anyone else. Environment processing is disabled by default and |
493 | is controlled via the PermitUserEnvironment option. | 493 | is controlled via the PermitUserEnvironment option. |
494 | 494 | ||
495 | $HOME/.ssh/rc | 495 | $HOME/.ssh/rc |
496 | If this file exists, it is run with /bin/sh after reading the | 496 | If this file exists, it is run with /bin/sh after reading the en- |
497 | environment files but before starting the userM-bM-^@M-^Ys shell or com- | 497 | vironment files but before starting the user's shell or command. |
498 | mand. It must not produce any output on stdout; stderr must be | 498 | It must not produce any output on stdout; stderr must be used in- |
499 | used instead. If X11 forwarding is in use, it will receive the | 499 | stead. If X11 forwarding is in use, it will receive the "proto |
500 | "proto cookie" pair in its standard input (and DISPLAY in its | 500 | cookie" pair in its standard input (and DISPLAY in its environ- |
501 | environment). The script must call xauth(1) because sshd will | 501 | ment). The script must call xauth(1) because sshd will not run |
502 | not run xauth automatically to add X11 cookies. | 502 | xauth automatically to add X11 cookies. |
503 | 503 | ||
504 | The primary purpose of this file is to run any initialization | 504 | The primary purpose of this file is to run any initialization |
505 | routines which may be needed before the userM-bM-^@M-^Ys home directory | 505 | routines which may be needed before the user's home directory be- |
506 | becomes accessible; AFS is a particular example of such an envi- | 506 | comes accessible; AFS is a particular example of such an environ- |
507 | ronment. | 507 | ment. |
508 | 508 | ||
509 | This file will probably contain some initialization code followed | 509 | This file will probably contain some initialization code followed |
510 | by something similar to: | 510 | by something similar to: |
511 | 511 | ||
512 | if read proto cookie && [ -n "$DISPLAY" ]; then | 512 | if read proto cookie && [ -n "$DISPLAY" ]; then |
513 | if [ M-bM-^@M-^Xecho $DISPLAY | cut -c1-10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then | 513 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
514 | # X11UseLocalhost=yes | 514 | # X11UseLocalhost=yes |
515 | echo add unix:M-bM-^@M-^Xecho $DISPLAY | | 515 | echo add unix:`echo $DISPLAY | |
516 | cut -c11-M-bM-^@M-^X $proto $cookie | 516 | cut -c11-` $proto $cookie |
517 | else | 517 | else |
518 | # X11UseLocalhost=no | 518 | # X11UseLocalhost=no |
519 | echo add $DISPLAY $proto $cookie | 519 | echo add $DISPLAY $proto $cookie |
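Review bot: on the old side the command-substitution backquotes in the $HOME/.ssh/rc example (old 513, 515 and 516) had been replaced by mis-encoded Unicode quotes, so the snippet would not have run if copied from the page; the new side restores the ASCII backquote character (`) on new 513, 515 and 516 and the fragment is valid sh again. While the source is being touched, the substitution could be double-quoted, i.e. [ "`echo $DISPLAY | cut -c1-10`" = 'localhost:' ], so that a DISPLAY value containing whitespace cannot turn into a test(1) syntax error; the outer [ -n "$DISPLAY" ] guard only covers the empty case.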
@@ -533,7 +533,8 @@ FILES | |||
533 | 533 | ||
534 | SEE ALSO | 534 | SEE ALSO |
535 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 535 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
536 | login.conf(5), moduli(5), sshd_config(5), sftp-server(8) | 536 | chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5), |
537 | inetd(8), sftp-server(8) | ||
537 | 538 | ||
538 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH | 539 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH |
539 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January | 540 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January |
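Review bot: SEE ALSO gains chroot(2), hosts_access(5) and inetd(8) on new 536-537; hosts_access(5) is already cited from the /etc/hosts.allow entry in FILES, so the cross-reference is now consistent, and the list keeps the conventional section-then-alphabetical ordering. Fine.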
@@ -546,9 +547,9 @@ SEE ALSO | |||
546 | AUTHORS | 547 | AUTHORS |
547 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 548 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
548 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 549 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
549 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 550 | de Raadt and Dug Song removed many bugs, re-added newer features and |
550 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 551 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
551 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 552 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
552 | for privilege separation. | 553 | for privilege separation. |
553 | 554 | ||
554 | BSD September 25, 1999 BSD | 555 | OpenBSD 3.4 September 25, 1999 9 |
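Review bot: the footer on new 555 now carries the OS and release ("OpenBSD 3.4") and a page number, but the date is still September 25, 1999 on both sides even though this merge changes the page's content; if the .Dd in sshd.8 is meant to track content changes it should be bumped in the source. The AUTHORS text is only rewrapped, with the privilege separation credit unchanged.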