author    | Damien Miller <djm@mindrot.org> | 2000-01-20 23:13:36 +1100
committer | Damien Miller <djm@mindrot.org> | 2000-01-20 23:13:36 +1100
commit    | 886c63a2c533e8ce8818580920232e4903a27da7
tree      | fe165f9c88b10cdef0b09873c14f118d127ce64e /sshd.8.in
parent    | 88b86e40d65b3cf1238ad9eee67555a2acae61a8
- Big manpage and config file cleanup from Andre Lucas
<andre.lucas@dial.pipex.com>
- Re-added latest (unmodified) OpenBSD manpages
Diffstat (limited to 'sshd.8.in')
-rw-r--r-- | sshd.8.in | 806 |
1 files changed, 0 insertions, 806 deletions
diff --git a/sshd.8.in b/sshd.8.in deleted file mode 100644 index 7448fd1a4..000000000 --- a/sshd.8.in +++ /dev/null | |||
@@ -1,806 +0,0 @@ | |||
1 | .\" -*- nroff -*- | ||
2 | .\" | ||
3 | .\" sshd.8.in | ||
4 | .\" | ||
5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
6 | .\" | ||
7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
8 | .\" All rights reserved | ||
9 | .\" | ||
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | ||
11 | .\" | ||
12 | .\" $Id: sshd.8.in,v 1.4 2000/01/20 11:44:10 damien Exp $ | ||
13 | .\" | ||
14 | .Dd September 25, 1999 | ||
15 | .Dt SSHD 8 | ||
16 | .Os | ||
17 | .Sh NAME | ||
18 | .Nm sshd | ||
19 | .Nd secure shell daemon | ||
20 | .Sh SYNOPSIS | ||
21 | .Nm sshd | ||
22 | .Op Fl diqQ46 | ||
23 | .Op Fl b Ar bits | ||
24 | .Op Fl f Ar config_file | ||
25 | .Op Fl g Ar login_grace_time | ||
26 | .Op Fl h Ar host_key_file | ||
27 | .Op Fl k Ar key_gen_time | ||
28 | .Op Fl p Ar port | ||
29 | .Op Fl V Ar client_protocol_id | ||
30 | .Sh DESCRIPTION | ||
31 | .Nm | ||
32 | (Secure Shell Daemon) is the daemon program for | ||
33 | .Xr ssh 1 . | ||
34 | Together these programs replace rlogin and rsh programs, and | ||
35 | provide secure encrypted communications between two untrusted hosts | ||
36 | over an insecure network. The programs are intended to be as easy to | ||
37 | install and use as possible. | ||
38 | .Pp | ||
39 | .Nm | ||
40 | is the daemon that listens for connections from clients. It is | ||
41 | normally started at boot from | ||
42 | .Pa /etc/rc . | ||
43 | It forks a new | ||
44 | daemon for each incoming connection. The forked daemons handle | ||
45 | key exchange, encryption, authentication, command execution, | ||
46 | and data exchange. | ||
47 | .Pp | ||
48 | .Nm | ||
49 | works as follows. Each host has a host-specific RSA key | ||
50 | (normally 1024 bits) used to identify the host. Additionally, when | ||
51 | the daemon starts, it generates a server RSA key (normally 768 bits). | ||
52 | This key is normally regenerated every hour if it has been used, and | ||
53 | is never stored on disk. | ||
54 | .Pp | ||
55 | Whenever a client connects the daemon, the daemon sends its host | ||
56 | and server public keys to the client. The client compares the | ||
57 | host key against its own database to verify that it has not changed. | ||
58 | The client then generates a 256 bit random number. It encrypts this | ||
59 | random number using both the host key and the server key, and sends | ||
60 | the encrypted number to the server. Both sides then start to use this | ||
61 | random number as a session key which is used to encrypt all further | ||
62 | communications in the session. The rest of the session is encrypted | ||
63 | using a conventional cipher, currently Blowfish and 3DES, with 3DES | ||
64 | being is used by default. The client selects the encryption algorithm | ||
65 | to use from those offered by the server. | ||
66 | .Pp | ||
67 | Next, the server and the client enter an authentication dialog. The | ||
68 | client tries to authenticate itself using | ||
69 | .Pa .rhosts | ||
70 | authentication, | ||
71 | .Pa .rhosts | ||
72 | authentication combined with RSA host | ||
73 | authentication, RSA challenge-response authentication, or password | ||
74 | based authentication. | ||
75 | .Pp | ||
76 | Rhosts authentication is normally disabled | ||
77 | because it is fundamentally insecure, but can be enabled in the server | ||
78 | configuration file if desired. System security is not improved unless | ||
79 | .Xr rshd 8 , | ||
80 | .Xr rlogind 8 , | ||
81 | .Xr rexecd 8 , | ||
82 | and | ||
83 | .Xr rexd 8 | ||
84 | are disabled (thus completely disabling | ||
85 | .Xr rlogin 1 | ||
86 | and | ||
87 | .Xr rsh 1 | ||
88 | into that machine). | ||
89 | .Pp | ||
90 | If the client successfully authenticates itself, a dialog for | ||
91 | preparing the session is entered. At this time the client may request | ||
92 | things like allocating a pseudo-tty, forwarding X11 connections, | ||
93 | forwarding TCP/IP connections, or forwarding the authentication agent | ||
94 | connection over the secure channel. | ||
95 | .Pp | ||
96 | Finally, the client either requests a shell or execution of a command. | ||
97 | The sides then enter session mode. In this mode, either side may send | ||
98 | data at any time, and such data is forwarded to/from the shell or | ||
99 | command on the server side, and the user terminal in the client side. | ||
100 | .Pp | ||
101 | When the user program terminates and all forwarded X11 and other | ||
102 | connections have been closed, the server sends command exit status to | ||
103 | the client, and both sides exit. | ||
104 | .Pp | ||
105 | .Nm | ||
106 | can be configured using command-line options or a configuration | ||
107 | file. Command-line options override values specified in the | ||
108 | configuration file. | ||
109 | .Pp | ||
110 | .Nm | ||
111 | rereads its configuration file when it receives a hangup signal, | ||
112 | .Dv SIGHUP . | ||
113 | .Pp | ||
114 | The options are as follows: | ||
115 | .Bl -tag -width Ds | ||
116 | .It Fl b Ar bits | ||
117 | Specifies the number of bits in the server key (default 768). | ||
118 | .Pp | ||
119 | .It Fl d | ||
120 | Debug mode. The server sends verbose debug output to the system | ||
121 | log, and does not put itself in the background. The server also will | ||
122 | not fork and will only process one connection. This option is only | ||
123 | intended for debugging for the server. | ||
124 | .It Fl f Ar configuration_file | ||
125 | Specifies the name of the configuration file. The default is | ||
126 | .Pa @sysconfdir@/sshd_config . | ||
127 | .Nm | ||
128 | refuses to start if there is no configuration file. | ||
129 | .It Fl g Ar login_grace_time | ||
130 | Gives the grace time for clients to authenticate themselves (default | ||
131 | 300 seconds). If the client fails to authenticate the user within | ||
132 | this many seconds, the server disconnects and exits. A value of zero | ||
133 | indicates no limit. | ||
134 | .It Fl h Ar host_key_file | ||
135 | Specifies the file from which the host key is read (default | ||
136 | .Pa @sysconfdir@/ssh_host_key ) . | ||
137 | This option must be given if | ||
138 | .Nm | ||
139 | is not run as root (as the normal | ||
140 | host file is normally not readable by anyone but root). | ||
141 | .It Fl i | ||
142 | Specifies that | ||
143 | .Nm | ||
144 | is being run from inetd. | ||
145 | .Nm | ||
146 | is normally not run | ||
147 | from inetd because it needs to generate the server key before it can | ||
148 | respond to the client, and this may take tens of seconds. Clients | ||
149 | would have to wait too long if the key was regenerated every time. | ||
150 | However, with small key sizes (e.g. 512) using | ||
151 | .Nm | ||
152 | from inetd may | ||
153 | be feasible. | ||
154 | .It Fl k Ar key_gen_time | ||
155 | Specifies how often the server key is regenerated (default 3600 | ||
156 | seconds, or one hour). The motivation for regenerating the key fairly | ||
157 | often is that the key is not stored anywhere, and after about an hour, | ||
158 | it becomes impossible to recover the key for decrypting intercepted | ||
159 | communications even if the machine is cracked into or physically | ||
160 | seized. A value of zero indicates that the key will never be regenerated. | ||
161 | .It Fl p Ar port | ||
162 | Specifies the port on which the server listens for connections | ||
163 | (default 22). | ||
164 | .It Fl q | ||
165 | Quiet mode. Nothing is sent to the system log. Normally the beginning, | ||
166 | authentication, and termination of each connection is logged. | ||
167 | .It Fl Q | ||
168 | Do not print an error message if RSA support is missing. | ||
169 | .It Fl V Ar client_protocol_id | ||
170 | SSH2 compatibility mode. | ||
171 | When this options is specified | ||
172 | .Nm | ||
173 | assumes the client has sent the given version string | ||
174 | and skips the | ||
175 | Protocol Version Identification Exchange. | ||
176 | .It Fl 4 | ||
177 | Forces | ||
178 | .Nm | ||
179 | to use IPv4 addresses only. | ||
180 | .It Fl 6 | ||
181 | Forces | ||
182 | .Nm | ||
183 | to use IPv6 addresses only. | ||
184 | .El | ||
185 | .Sh CONFIGURATION FILE | ||
186 | .Nm | ||
187 | reads configuration data from | ||
188 | .Pa @sysconfdir@/sshd_config | ||
189 | (or the file specified with | ||
190 | .Fl f | ||
191 | on the command line). The file | ||
192 | contains keyword-value pairs, one per line. Lines starting with | ||
193 | .Ql # | ||
194 | and empty lines are interpreted as comments. | ||
195 | .Pp | ||
196 | The following keywords are possible. | ||
197 | .Bl -tag -width Ds | ||
198 | .It Cm AFSTokenPassing | ||
199 | Specifies whether an AFS token may be forwarded to the server. Default is | ||
200 | .Dq yes . | ||
201 | .It Cm AllowGroups | ||
202 | This keyword can be followed by a number of group names, separated | ||
203 | by spaces. If specified, login is allowed only for users whose primary | ||
204 | group matches one of the patterns. | ||
205 | .Ql \&* | ||
206 | and | ||
207 | .Ql ? | ||
208 | can be used as | ||
209 | wildcards in the patterns. Only group names are valid, a numerical group | ||
210 | id isn't recognized. By default login is allowed regardless of | ||
211 | the primary group. | ||
212 | .Pp | ||
213 | .It Cm AllowUsers | ||
214 | This keyword can be followed by a number of user names, separated | ||
215 | by spaces. If specified, login is allowed only for users names that | ||
216 | match one of the patterns. | ||
217 | .Ql \&* | ||
218 | and | ||
219 | .Ql ? | ||
220 | can be used as | ||
221 | wildcards in the patterns. Only user names are valid, a numerical user | ||
222 | id isn't recognized. By default login is allowed regardless of | ||
223 | the user name. | ||
224 | .Pp | ||
225 | .It Cm CheckMail | ||
226 | Specifies whether | ||
227 | .Nm | ||
228 | should check for new mail for interactive logins. | ||
229 | The default is | ||
230 | .Dq no . | ||
231 | .It Cm DenyGroups | ||
232 | This keyword can be followed by a number of group names, separated | ||
233 | by spaces. Users whose primary group matches one of the patterns | ||
234 | aren't allowed to log in. | ||
235 | .Ql \&* | ||
236 | and | ||
237 | .Ql ? | ||
238 | can be used as | ||
239 | wildcards in the patterns. Only group names are valid, a numerical group | ||
240 | id isn't recognized. By default login is allowed regardless of | ||
241 | the primary group. | ||
242 | .Pp | ||
243 | .It Cm DenyUsers | ||
244 | This keyword can be followed by a number of user names, separated | ||
245 | by spaces. Login is disallowed for user names that match | ||
246 | one of the patterns. | ||
247 | .Ql \&* | ||
248 | and | ||
249 | .Ql ? | ||
250 | can be used as | ||
251 | wildcards in the patterns. Only user names are valid, a numerical user | ||
252 | id isn't recognized. By default login is allowed regardless of | ||
253 | the user name. | ||
254 | .It Cm HostKey | ||
255 | Specifies the file containing the private host key (default | ||
256 | .Pa @sysconfdir@/ssh_host_key ) . | ||
257 | Note that | ||
258 | .Nm | ||
259 | does not start if this file is group/world-accessible. | ||
260 | .It Cm IgnoreRhosts | ||
261 | Specifies that rhosts and shosts files will not be used in | ||
262 | authentication. | ||
263 | .Pa /etc/hosts.equiv | ||
264 | and | ||
265 | .Pa @sysconfdir@/shosts.equiv | ||
266 | are still used. The default is | ||
267 | .Dq no . | ||
268 | .It Cm IgnoreUserKnownHosts | ||
269 | Specifies whether | ||
270 | .Nm | ||
271 | should ignore the user's | ||
272 | .Pa $HOME/.ssh/known_hosts | ||
273 | during | ||
274 | .Cm RhostsRSAAuthentication . | ||
275 | The default is | ||
276 | .Dq no . | ||
277 | .It Cm KeepAlive | ||
278 | Specifies whether the system should send keepalive messages to the | ||
279 | other side. If they are sent, death of the connection or crash of one | ||
280 | of the machines will be properly noticed. However, this means that | ||
281 | connections will die if the route is down temporarily, and some people | ||
282 | find it annoying. On the other hand, if keepalives are not send, | ||
283 | sessions may hang indefinitely on the server, leaving | ||
284 | .Dq ghost | ||
285 | users and consuming server resources. | ||
286 | .Pp | ||
287 | The default is | ||
288 | .Dq yes | ||
289 | (to send keepalives), and the server will notice | ||
290 | if the network goes down or the client host reboots. This avoids | ||
291 | infinitely hanging sessions. | ||
292 | .Pp | ||
293 | To disable keepalives, the value should be set to | ||
294 | .Dq no | ||
295 | in both the server and the client configuration files. | ||
296 | .It Cm KerberosAuthentication | ||
297 | Specifies whether Kerberos authentication is allowed. This can | ||
298 | be in the form of a Kerberos ticket, or if | ||
299 | .Cm PasswordAuthentication | ||
300 | is yes, the password provided by the user will be validated through | ||
301 | the Kerberos KDC. Default is | ||
302 | .Dq yes . | ||
303 | .It Cm KerberosOrLocalPasswd | ||
304 | If set then if password authentication through Kerberos fails then | ||
305 | the password will be validated via any additional local mechanism | ||
306 | such as | ||
307 | .Pa /etc/passwd | ||
308 | or SecurID. Default is | ||
309 | .Dq yes . | ||
310 | .It Cm KerberosTgtPassing | ||
311 | Specifies whether a Kerberos TGT may be forwarded to the server. | ||
312 | Default is | ||
313 | .Dq no , | ||
314 | as this only works when the Kerberos KDC is actually an AFS kaserver. | ||
315 | .It Cm KerberosTicketCleanup | ||
316 | Specifies whether to automatically destroy the user's ticket cache | ||
317 | file on logout. Default is | ||
318 | .Dq yes . | ||
319 | .It Cm KeyRegenerationInterval | ||
320 | The server key is automatically regenerated after this many seconds | ||
321 | (if it has been used). The purpose of regeneration is to prevent | ||
322 | decrypting captured sessions by later breaking into the machine and | ||
323 | stealing the keys. The key is never stored anywhere. If the value is | ||
324 | 0, the key is never regenerated. The default is 3600 | ||
325 | (seconds). | ||
326 | .It Cm ListenAddress | ||
327 | Specifies what local address | ||
328 | .Nm | ||
329 | should listen on. | ||
330 | The default is to listen to all local addresses. | ||
331 | Multiple options of this type are permitted. | ||
332 | Additionally, the | ||
333 | .Cm Ports | ||
334 | options must precede this option. | ||
335 | .It Cm LoginGraceTime | ||
336 | The server disconnects after this time if the user has not | ||
337 | successfully logged in. If the value is 0, there is no time limit. | ||
338 | The default is 600 (seconds). | ||
339 | .It Cm LogLevel | ||
340 | Gives the verbosity level that is used when logging messages from | ||
341 | .Nm sshd . | ||
342 | The possible values are: | ||
343 | QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. | ||
344 | The default is INFO. | ||
345 | Logging with level DEBUG violates the privacy of users | ||
346 | and is not recommended. | ||
347 | .It Cm PasswordAuthentication | ||
348 | Specifies whether password authentication is allowed. | ||
349 | The default is | ||
350 | .Dq yes . | ||
351 | .It Cm PermitEmptyPasswords | ||
352 | When password authentication is allowed, it specifies whether the | ||
353 | server allows login to accounts with empty password strings. The default | ||
354 | is | ||
355 | .Dq yes . | ||
356 | .It Cm PermitRootLogin | ||
357 | Specifies whether the root can log in using | ||
358 | .Xr ssh 1 . | ||
359 | The argument must be | ||
360 | .Dq yes , | ||
361 | .Dq without-password | ||
362 | or | ||
363 | .Dq no . | ||
364 | The default is | ||
365 | .Dq yes . | ||
366 | If this options is set to | ||
367 | .Dq without-password | ||
368 | only password authentication is disabled for root. | ||
369 | .Pp | ||
370 | Root login with RSA authentication when the | ||
371 | .Ar command | ||
372 | option has been | ||
373 | specified will be allowed regardless of the value of this setting | ||
374 | (which may be useful for taking remote backups even if root login is | ||
375 | normally not allowed). | ||
376 | .It Cm Port | ||
377 | Specifies the port number that | ||
378 | .Nm | ||
379 | listens on. The default is 22. | ||
380 | Multiple options of this type are permitted. | ||
381 | .It Cm PrintMotd | ||
382 | Specifies whether | ||
383 | .Nm | ||
384 | should print | ||
385 | .Pa /etc/motd | ||
386 | when a user logs in interactively. (On some systems it is also | ||
387 | printed by the shell, | ||
388 | .Pa /etc/profile , | ||
389 | or equivalent.) The default is | ||
390 | .Dq yes . | ||
391 | .It Cm RandomSeed | ||
392 | Obsolete. Random number generation uses other techniques. | ||
393 | .It Cm RhostsAuthentication | ||
394 | Specifies whether authentication using rhosts or /etc/hosts.equiv | ||
395 | files is sufficient. Normally, this method should not be permitted | ||
396 | because it is insecure. | ||
397 | .Cm RhostsRSAAuthentication | ||
398 | should be used | ||
399 | instead, because it performs RSA-based host authentication in addition | ||
400 | to normal rhosts or /etc/hosts.equiv authentication. | ||
401 | The default is | ||
402 | .Dq no . | ||
403 | .It Cm RhostsRSAAuthentication | ||
404 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
405 | with successful RSA host authentication is allowed. The default is | ||
406 | .Dq yes . | ||
407 | .It Cm RSAAuthentication | ||
408 | Specifies whether pure RSA authentication is allowed. The default is | ||
409 | .Dq yes . | ||
410 | .It Cm ServerKeyBits | ||
411 | Defines the number of bits in the server key. The minimum value is | ||
412 | 512, and the default is 768. | ||
413 | .It Cm SkeyAuthentication | ||
414 | Specifies whether | ||
415 | .Xr skey 1 | ||
416 | authentication is allowed. The default is | ||
417 | .Dq yes . | ||
418 | Note that s/key authentication is enabled only if | ||
419 | .Cm PasswordAuthentication | ||
420 | is allowed, too. | ||
421 | .It Cm StrictModes | ||
422 | Specifies whether | ||
423 | .Nm | ||
424 | should check file modes and ownership of the | ||
425 | user's files and home directory before accepting login. This | ||
426 | is normally desirable because novices sometimes accidentally leave their | ||
427 | directory or files world-writable. The default is | ||
428 | .Dq yes . | ||
429 | .It Cm SyslogFacility | ||
430 | Gives the facility code that is used when logging messages from | ||
431 | .Nm sshd . | ||
432 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | ||
433 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. | ||
434 | .It Cm UseLogin | ||
435 | Specifies whether | ||
436 | .Xr login 1 | ||
437 | is used. The default is | ||
438 | .Dq no . | ||
439 | .It Cm X11DisplayOffset | ||
440 | Specifies the first display number available for | ||
441 | .Nm sshd Ns 's | ||
442 | X11 forwarding. This prevents | ||
443 | .Nm | ||
444 | from interfering with real X11 servers. | ||
445 | .It Cm X11Forwarding | ||
446 | Specifies whether X11 forwarding is permitted. The default is | ||
447 | .Dq yes . | ||
448 | Note that disabling X11 forwarding does not improve security in any | ||
449 | way, as users can always install their own forwarders. | ||
450 | .El | ||
451 | .Sh LOGIN PROCESS | ||
452 | When a user successfully logs in, | ||
453 | .Nm | ||
454 | does the following: | ||
455 | .Bl -enum -offset indent | ||
456 | .It | ||
457 | If the login is on a tty, and no command has been specified, | ||
458 | prints last login time and | ||
459 | .Pa /etc/motd | ||
460 | (unless prevented in the configuration file or by | ||
461 | .Pa $HOME/.hushlogin ; | ||
462 | see the | ||
463 | .Sx FILES | ||
464 | section). | ||
465 | .It | ||
466 | If the login is on a tty, records login time. | ||
467 | .It | ||
468 | Checks | ||
469 | .Pa /etc/nologin ; | ||
470 | if it exists, prints contents and quits | ||
471 | (unless root). | ||
472 | .It | ||
473 | Changes to run with normal user privileges. | ||
474 | .It | ||
475 | Sets up basic environment. | ||
476 | .It | ||
477 | Reads | ||
478 | .Pa $HOME/.ssh/environment | ||
479 | if it exists. | ||
480 | .It | ||
481 | Changes to user's home directory. | ||
482 | .It | ||
483 | If | ||
484 | .Pa $HOME/.ssh/rc | ||
485 | exists, runs it; else if | ||
486 | .Pa @sysconfdir@/sshrc | ||
487 | exists, runs | ||
488 | it; otherwise runs xauth. The | ||
489 | .Dq rc | ||
490 | files are given the X11 | ||
491 | authentication protocol and cookie in standard input. | ||
492 | .It | ||
493 | Runs user's shell or command. | ||
494 | .El | ||
495 | .Sh AUTHORIZED_KEYS FILE FORMAT | ||
496 | The | ||
497 | .Pa $HOME/.ssh/authorized_keys | ||
498 | file lists the RSA keys that are | ||
499 | permitted for RSA authentication. Each line of the file contains one | ||
500 | key (empty lines and lines starting with a | ||
501 | .Ql # | ||
502 | are ignored as | ||
503 | comments). Each line consists of the following fields, separated by | ||
504 | spaces: options, bits, exponent, modulus, comment. The options field | ||
505 | is optional; its presence is determined by whether the line starts | ||
506 | with a number or not (the option field never starts with a number). | ||
507 | The bits, exponent, modulus and comment fields give the RSA key; the | ||
508 | comment field is not used for anything (but may be convenient for the | ||
509 | user to identify the key). | ||
510 | .Pp | ||
511 | Note that lines in this file are usually several hundred bytes long | ||
512 | (because of the size of the RSA key modulus). You don't want to type | ||
513 | them in; instead, copy the | ||
514 | .Pa identity.pub | ||
515 | file and edit it. | ||
516 | .Pp | ||
517 | The options (if present) consists of comma-separated option | ||
518 | specifications. No spaces are permitted, except within double quotes. | ||
519 | The following option specifications are supported: | ||
520 | .Bl -tag -width Ds | ||
521 | .It Cm from="pattern-list" | ||
522 | Specifies that in addition to RSA authentication, the canonical name | ||
523 | of the remote host must be present in the comma-separated list of | ||
524 | patterns ('*' and '?' serve as wildcards). The list may also contain | ||
525 | patterns negated by prefixing them with '!'; if the canonical host | ||
526 | name matches a negated pattern, the key is not accepted. The purpose | ||
527 | of this option is to optionally increase security: RSA authentication | ||
528 | by itself does not trust the network or name servers or anything (but | ||
529 | the key); however, if somebody somehow steals the key, the key | ||
530 | permits an intruder to log in from anywhere in the world. This | ||
531 | additional option makes using a stolen key more difficult (name | ||
532 | servers and/or routers would have to be compromised in addition to | ||
533 | just the key). | ||
534 | .It Cm command="command" | ||
535 | Specifies that the command is executed whenever this key is used for | ||
536 | authentication. The command supplied by the user (if any) is ignored. | ||
537 | The command is run on a pty if the connection requests a pty; | ||
538 | otherwise it is run without a tty. A quote may be included in the | ||
539 | command by quoting it with a backslash. This option might be useful | ||
540 | to restrict certain RSA keys to perform just a specific operation. An | ||
541 | example might be a key that permits remote backups but nothing | ||
542 | else. Notice that the client may specify TCP/IP and/or X11 | ||
543 | forwardings unless they are explicitly prohibited. | ||
544 | .It Cm environment="NAME=value" | ||
545 | Specifies that the string is to be added to the environment when | ||
546 | logging in using this key. Environment variables set this way | ||
547 | override other default environment values. Multiple options of this | ||
548 | type are permitted. | ||
549 | .It Cm no-port-forwarding | ||
550 | Forbids TCP/IP forwarding when this key is used for authentication. | ||
551 | Any port forward requests by the client will return an error. This | ||
552 | might be used, e.g., in connection with the | ||
553 | .Cm command | ||
554 | option. | ||
555 | .It Cm no-X11-forwarding | ||
556 | Forbids X11 forwarding when this key is used for authentication. | ||
557 | Any X11 forward requests by the client will return an error. | ||
558 | .It Cm no-agent-forwarding | ||
559 | Forbids authentication agent forwarding when this key is used for | ||
560 | authentication. | ||
561 | .It Cm no-pty | ||
562 | Prevents tty allocation (a request to allocate a pty will fail). | ||
563 | .El | ||
564 | .Ss Examples | ||
565 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar | ||
566 | .Pp | ||
567 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula | ||
568 | .Pp | ||
569 | command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi | ||
570 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | ||
571 | The | ||
572 | .Pa @sysconfdir@/ssh_known_hosts | ||
573 | and | ||
574 | .Pa $HOME/.ssh/known_hosts | ||
575 | files contain host public keys for all known hosts. The global file should | ||
576 | be prepared by the admistrator (optional), and the per-user file is | ||
577 | maintained automatically: whenever the user connects an unknown host | ||
578 | its key is added to the per-user file. | ||
579 | .Pp | ||
580 | Each line in these files contains the following fields: hostnames, | ||
581 | bits, exponent, modulus, comment. The fields are separated by spaces. | ||
582 | .Pp | ||
583 | Hostnames is a comma-separated list of patterns ('*' and '?' act as | ||
584 | wildcards); each pattern in turn is matched against the canonical host | ||
585 | name (when authenticating a client) or against the user-supplied | ||
586 | name (when authenticating a server). A pattern may also be preceded | ||
587 | by | ||
588 | .Ql ! | ||
589 | to indicate negation: if the host name matches a negated | ||
590 | pattern, it is not accepted (by that line) even if it matched another | ||
591 | pattern on the line. | ||
592 | .Pp | ||
593 | Bits, exponent, and modulus are taken directly from the host key; they | ||
594 | can be obtained, e.g., from | ||
595 | .Pa @sysconfdir@/ssh_host_key.pub . | ||
596 | The optional comment field continues to the end of the line, and is not used. | ||
597 | .Pp | ||
598 | Lines starting with | ||
599 | .Ql # | ||
600 | and empty lines are ignored as comments. | ||
601 | .Pp | ||
602 | When performing host authentication, authentication is accepted if any | ||
603 | matching line has the proper key. It is thus permissible (but not | ||
604 | recommended) to have several lines or different host keys for the same | ||
605 | names. This will inevitably happen when short forms of host names | ||
606 | from different domains are put in the file. It is possible | ||
607 | that the files contain conflicting information; authentication is | ||
608 | accepted if valid information can be found from either file. | ||
609 | .Pp | ||
610 | Note that the lines in these files are typically hundreds of characters | ||
611 | long, and you definitely don't want to type in the host keys by hand. | ||
612 | Rather, generate them by a script | ||
613 | or by taking | ||
614 | .Pa @sysconfdir@/ssh_host_key.pub | ||
615 | and adding the host names at the front. | ||
616 | .Ss Examples | ||
617 | closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi | ||
618 | .Sh FILES | ||
619 | .Bl -tag -width Ds | ||
620 | .It Pa @sysconfdir@/sshd_config | ||
621 | Contains configuration data for | ||
622 | .Nm sshd . | ||
623 | This file should be writable by root only, but it is recommended | ||
624 | (though not necessary) that it be world-readable. | ||
625 | .It Pa @sysconfdir@/ssh_host_key | ||
626 | Contains the private part of the host key. | ||
627 | This file should only be owned by root, readable only by root, and not | ||
628 | accessible to others. | ||
629 | Note that | ||
630 | .Nm | ||
631 | does not start if this file is group/world-accessible. | ||
632 | .It Pa @sysconfdir@/ssh_host_key.pub | ||
633 | Contains the public part of the host key. | ||
634 | This file should be world-readable but writable only by | ||
635 | root. Its contents should match the private part. This file is not | ||
636 | really used for anything; it is only provided for the convenience of | ||
637 | the user so its contents can be copied to known hosts files. | ||
638 | These two files are created using | ||
639 | .Xr ssh-keygen 1 . | ||
640 | .It Pa @piddir@/sshd.pid | ||
641 | Contains the process ID of the | ||
642 | .Nm | ||
643 | listening for connections (if there are several daemons running | ||
644 | concurrently for different ports, this contains the pid of the one | ||
645 | started last). The contents of this file are not sensitive; it can be | ||
646 | world-readable. | ||
647 | .It Pa $HOME/.ssh/authorized_keys | ||
648 | Lists the RSA keys that can be used to log into the user's account. | ||
649 | This file must be readable by root (which may on some machines imply | ||
650 | it being world-readable if the user's home directory resides on an NFS | ||
651 | volume). It is recommended that it not be accessible by others. The | ||
652 | format of this file is described above. | ||
653 | .It Pa "@sysconfdir@_known_hosts" and "$HOME/.ssh/known_hosts" | ||
654 | These files are consulted when using rhosts with RSA host | ||
655 | authentication to check the public key of the host. The key must be | ||
656 | listed in one of these files to be accepted. | ||
657 | The client uses the same files | ||
658 | to verify that the remote host is the one we intended to | ||
659 | connect. These files should be writable only by root/the owner. | ||
660 | .Pa @sysconfdir@/ssh_known_hosts | ||
661 | should be world-readable, and | ||
662 | .Pa $HOME/.ssh/known_hosts | ||
663 | can but need not be world-readable. | ||
664 | .It Pa /etc/nologin | ||
665 | If this file exists, | ||
666 | .Nm | ||
667 | refuses to let anyone except root log in. The contents of the file | ||
668 | are displayed to anyone trying to log in, and non-root connections are | ||
669 | refused. The file should be world-readable. | ||
670 | .It Pa /etc/hosts.allow, /etc/hosts.deny | ||
671 | If compiled with | ||
672 | .Sy LIBWRAP | ||
673 | support, tcp-wrappers access controls may be defined here as described in | ||
674 | .Xr hosts_access 5 . | ||
675 | .It Pa $HOME/.rhosts | ||
676 | This file contains host-username pairs, separated by a space, one per | ||
677 | line. The given user on the corresponding host is permitted to log in | ||
678 | without password. The same file is used by rlogind and rshd. | ||
679 | The file must | ||
680 | be writable only by the user; it is recommended that it not be | ||
681 | accessible by others. | ||
682 | .Pp | ||
683 | If is also possible to use netgroups in the file. Either host or user | ||
684 | name may be of the form +@groupname to specify all hosts or all users | ||
685 | in the group. | ||
686 | .It Pa $HOME/.shosts | ||
687 | For ssh, | ||
688 | this file is exactly the same as for | ||
689 | .Pa .rhosts . | ||
690 | However, this file is | ||
691 | not used by rlogin and rshd, so using this permits access using SSH only. | ||
692 | .Pa /etc/hosts.equiv | ||
693 | This file is used during | ||
694 | .Pa .rhosts | ||
695 | authentication. In the | ||
696 | simplest form, this file contains host names, one per line. Users on | ||
697 | those hosts are permitted to log in without a password, provided they | ||
698 | have the same user name on both machines. The host name may also be | ||
699 | followed by a user name; such users are permitted to log in as | ||
700 | .Em any | ||
701 | user on this machine (except root). Additionally, the syntax | ||
702 | .Dq +@group | ||
703 | can be used to specify netgroups. Negated entries start with | ||
704 | .Ql \&- . | ||
705 | .Pp | ||
706 | If the client host/user is successfully matched in this file, login is | ||
707 | automatically permitted provided the client and server user names are the | ||
708 | same. Additionally, successful RSA host authentication is normally | ||
709 | required. This file must be writable only by root; it is recommended | ||
710 | that it be world-readable. | ||
711 | .Pp | ||
712 | .Sy "Warning: It is almost never a good idea to use user names in" | ||
713 | .Pa hosts.equiv . | ||
714 | Beware that it really means that the named user(s) can log in as | ||
715 | .Em anybody , | ||
716 | which includes bin, daemon, adm, and other accounts that own critical | ||
717 | binaries and directories. Using a user name practically grants the | ||
718 | user root access. The only valid use for user names that I can think | ||
719 | of is in negative entries. | ||
720 | .Pp | ||
721 | Note that this warning also applies to rsh/rlogin. | ||
722 | .It Pa @sysconfdir@/shosts.equiv | ||
723 | This is processed exactly as | ||
724 | .Pa /etc/hosts.equiv . | ||
725 | However, this file may be useful in environments that want to run both | ||
726 | rsh/rlogin and ssh. | ||
727 | .It Pa $HOME/.ssh/environment | ||
728 | This file is read into the environment at login (if it exists). It | ||
729 | can only contain empty lines, comment lines (that start with | ||
730 | .Ql # ) , | ||
731 | and assignment lines of the form name=value. The file should be writable | ||
732 | only by the user; it need not be readable by anyone else. | ||
733 | .It Pa $HOME/.ssh/rc | ||
734 | If this file exists, it is run with /bin/sh after reading the | ||
735 | environment files but before starting the user's shell or command. If | ||
736 | X11 spoofing is in use, this will receive the "proto cookie" pair in | ||
737 | standard input (and | ||
738 | .Ev DISPLAY | ||
739 | in environment). This must call | ||
740 | .Xr xauth 1 | ||
741 | in that case. | ||
742 | .Pp | ||
743 | The primary purpose of this file is to run any initialization routines | ||
744 | which may be needed before the user's home directory becomes | ||
745 | accessible; AFS is a particular example of such an environment. | ||
746 | .Pp | ||
747 | This file will probably contain some initialization code followed by | ||
748 | something similar to: "if read proto cookie; then echo add $DISPLAY | ||
749 | $proto $cookie | xauth -q -; fi". | ||
750 | .Pp | ||
751 | If this file does not exist, | ||
752 | .Pa @sysconfdir@/sshrc | ||
753 | is run, and if that | ||
754 | does not exist either, xauth is used to store the cookie. | ||
755 | .Pp | ||
756 | This file should be writable only by the user, and need not be | ||
757 | readable by anyone else. | ||
758 | .It Pa @sysconfdir@/sshrc | ||
759 | Like | ||
760 | .Pa $HOME/.ssh/rc . | ||
761 | This can be used to specify | ||
762 | machine-specific login-time initializations globally. This file | ||
763 | should be writable only by root, and should be world-readable. | ||
764 | .Sh AUTHOR | ||
765 | Tatu Ylonen <ylo@cs.hut.fi> | ||
766 | .Pp | ||
767 | Information about new releases, mailing lists, and other related | ||
768 | issues can be found from the SSH WWW home page: | ||
769 | .Pp | ||
770 | .Dl http://www.cs.hut.fi/ssh. | ||
771 | .Pp | ||
772 | OpenSSH | ||
773 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs | ||
774 | removed and newer features re-added. Rapidly after the 1.2.12 release, | ||
775 | newer versions bore successively more restrictive licenses. This version | ||
776 | of OpenSSH | ||
777 | .Bl -bullet | ||
778 | .It | ||
779 | has all components of a restrictive nature (ie. patents, see | ||
780 | .Xr ssl 8 ) | ||
781 | directly removed from the source code; any licensed or patented components | ||
782 | are chosen from | ||
783 | external libraries. | ||
784 | .It | ||
785 | has been updated to support ssh protocol 1.5. | ||
786 | .It | ||
787 | contains added support for | ||
788 | .Xr kerberos 8 | ||
789 | authentication and ticket passing. | ||
790 | .It | ||
791 | supports one-time password authentication with | ||
792 | .Xr skey 1 . | ||
793 | .El | ||
794 | .Pp | ||
795 | The libraries described in | ||
796 | .Xr ssl 8 | ||
797 | are required for proper operation. | ||
798 | .Sh SEE ALSO | ||
799 | .Xr rlogin 1 , | ||
800 | .Xr rsh 1 , | ||
801 | .Xr scp 1 , | ||
802 | .Xr ssh 1 , | ||
803 | .Xr ssh-add 1 , | ||
804 | .Xr ssh-agent 1 , | ||
805 | .Xr ssh-keygen 1 , | ||
806 | .Xr ssl 8 | ||
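Review bot: Deleting sshd.8.in removes documentation that is specific to the portable build, so please confirm the replacement man page still covers it: the FILES entries that use the @sysconfdir@ substitution (the ssh_known_hosts, shosts.equiv and sshrc paths) and the LIBWRAP entry for /etc/hosts.allow and /etc/hosts.deny that points administrators at hosts_access(5). Without them a reader of the installed page sees /etc paths that may not match the configured sysconfdir and finds no mention of the tcp-wrappers controls, which is exactly the kind of access-control documentation an operator relies on. If any of this text is carried over, three small fixes are worth making on the way: ".Pa /etc/hosts.equiv" lacks its ".It", so that entry does not render as a list item; the ".It Pa "@sysconfdir@_known_hosts"" heading does not match the ".Pa @sysconfdir@/ssh_known_hosts" path cited a few lines below it; and "If is also possible to use netgroups" should read "It is also possible".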