author | Damien Miller <djm@mindrot.org> | 1999-12-27 09:23:58 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 1999-12-27 09:23:58 +1100 |
commit | c0d739039807abaa7985112370b4c5f4e85e02d7 (patch) | |
tree | 70d1579e28003ac341dfa9330d6e1d63e8108bc2 /sshd.8.in | |
parent | aae1093640162022abba350d94c3051e6d730425 (diff) |
- Automatically correct paths in manpages and configuration files. Patch
and script from Andre Lucas <andre.lucas@dial.pipex.com>
- Removed credits from README to CREDITS file, updated.
Diffstat (limited to 'sshd.8.in')
-rw-r--r-- | sshd.8.in | 793 |
1 files changed, 793 insertions, 0 deletions
diff --git a/sshd.8.in b/sshd.8.in new file mode 100644 index 000000000..871e79ed9 --- /dev/null +++ b/sshd.8.in | |||
@@ -0,0 +1,793 @@ | |||
1 | .\" -*- nroff -*- | ||
2 | .\" | ||
3 | .\" sshd.8.in | ||
4 | .\" | ||
5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
6 | .\" | ||
7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
8 | .\" All rights reserved | ||
9 | .\" | ||
10 | .\" Created: Sat Apr 22 21:55:14 1995 ylo | ||
11 | .\" | ||
12 | .\" $Id: sshd.8.in,v 1.1 1999/12/26 22:23:59 damien Exp $ | ||
13 | .\" | ||
14 | .Dd September 25, 1999 | ||
15 | .Dt SSHD 8 | ||
16 | .Os | ||
17 | .Sh NAME | ||
18 | .Nm sshd | ||
19 | .Nd secure shell daemon | ||
20 | .Sh SYNOPSIS | ||
21 | .Nm sshd | ||
22 | .Op Fl diqQ | ||
23 | .Op Fl b Ar bits | ||
24 | .Op Fl f Ar config_file | ||
25 | .Op Fl g Ar login_grace_time | ||
26 | .Op Fl h Ar host_key_file | ||
27 | .Op Fl k Ar key_gen_time | ||
28 | .Op Fl p Ar port | ||
29 | .Op Fl V Ar client_protocol_id | ||
30 | .Sh DESCRIPTION | ||
31 | .Nm | ||
32 | (Secure Shell Daemon) is the daemon program for | ||
33 | .Xr ssh 1 . | ||
34 | Together these programs replace rlogin and rsh programs, and | ||
35 | provide secure encrypted communications between two untrusted hosts | ||
36 | over an insecure network. The programs are intended to be as easy to | ||
37 | install and use as possible. | ||
38 | .Pp | ||
39 | .Nm | ||
40 | is the daemon that listens for connections from clients. It is | ||
41 | normally started at boot from | ||
42 | .Pa /etc/rc . | ||
43 | It forks a new | ||
44 | daemon for each incoming connection. The forked daemons handle | ||
45 | key exchange, encryption, authentication, command execution, | ||
46 | and data exchange. | ||
47 | .Pp | ||
48 | .Nm | ||
49 | works as follows. Each host has a host-specific RSA key | ||
50 | (normally 1024 bits) used to identify the host. Additionally, when | ||
51 | the daemon starts, it generates a server RSA key (normally 768 bits). | ||
52 | This key is normally regenerated every hour if it has been used, and | ||
53 | is never stored on disk. | ||
54 | .Pp | ||
55 | Whenever a client connects the daemon, the daemon sends its host | ||
56 | and server public keys to the client. The client compares the | ||
57 | host key against its own database to verify that it has not changed. | ||
58 | The client then generates a 256 bit random number. It encrypts this | ||
59 | random number using both the host key and the server key, and sends | ||
60 | the encrypted number to the server. Both sides then start to use this | ||
61 | random number as a session key which is used to encrypt all further | ||
62 | communications in the session. The rest of the session is encrypted | ||
63 | using a conventional cipher, currently Blowfish and 3DES, with 3DES | ||
64 | being is used by default. The client selects the encryption algorithm | ||
65 | to use from those offered by the server. | ||
66 | .Pp | ||
67 | Next, the server and the client enter an authentication dialog. The | ||
68 | client tries to authenticate itself using | ||
69 | .Pa .rhosts | ||
70 | authentication, | ||
71 | .Pa .rhosts | ||
72 | authentication combined with RSA host | ||
73 | authentication, RSA challenge-response authentication, or password | ||
74 | based authentication. | ||
75 | .Pp | ||
76 | Rhosts authentication is normally disabled | ||
77 | because it is fundamentally insecure, but can be enabled in the server | ||
78 | configuration file if desired. System security is not improved unless | ||
79 | .Xr rshd 8 , | ||
80 | .Xr rlogind 8 , | ||
81 | .Xr rexecd 8 , | ||
82 | and | ||
83 | .Xr rexd 8 | ||
84 | are disabled (thus completely disabling | ||
85 | .Xr rlogin 1 | ||
86 | and | ||
87 | .Xr rsh 1 | ||
88 | into that machine). | ||
89 | .Pp | ||
90 | If the client successfully authenticates itself, a dialog for | ||
91 | preparing the session is entered. At this time the client may request | ||
92 | things like allocating a pseudo-tty, forwarding X11 connections, | ||
93 | forwarding TCP/IP connections, or forwarding the authentication agent | ||
94 | connection over the secure channel. | ||
95 | .Pp | ||
96 | Finally, the client either requests a shell or execution of a command. | ||
97 | The sides then enter session mode. In this mode, either side may send | ||
98 | data at any time, and such data is forwarded to/from the shell or | ||
99 | command on the server side, and the user terminal in the client side. | ||
100 | .Pp | ||
101 | When the user program terminates and all forwarded X11 and other | ||
102 | connections have been closed, the server sends command exit status to | ||
103 | the client, and both sides exit. | ||
104 | .Pp | ||
105 | .Nm | ||
106 | can be configured using command-line options or a configuration | ||
107 | file. Command-line options override values specified in the | ||
108 | configuration file. | ||
109 | .Pp | ||
110 | .Nm | ||
111 | rereads its configuration file when it receives a hangup signal, | ||
112 | .Dv SIGHUP . | ||
113 | .Pp | ||
114 | The options are as follows: | ||
115 | .Bl -tag -width Ds | ||
116 | .It Fl b Ar bits | ||
117 | Specifies the number of bits in the server key (default 768). | ||
118 | .Pp | ||
119 | .It Fl d | ||
120 | Debug mode. The server sends verbose debug output to the system | ||
121 | log, and does not put itself in the background. The server also will | ||
122 | not fork and will only process one connection. This option is only | ||
123 | intended for debugging for the server. | ||
124 | .It Fl f Ar configuration_file | ||
125 | Specifies the name of the configuration file. The default is | ||
126 | .Pa @sysconfdir@/sshd_config . | ||
127 | .Nm | ||
128 | refuses to start if there is no configuration file. | ||
129 | .It Fl g Ar login_grace_time | ||
130 | Gives the grace time for clients to authenticate themselves (default | ||
131 | 300 seconds). If the client fails to authenticate the user within | ||
132 | this many seconds, the server disconnects and exits. A value of zero | ||
133 | indicates no limit. | ||
134 | .It Fl h Ar host_key_file | ||
135 | Specifies the file from which the host key is read (default | ||
136 | .Pa @sysconfdir@/ssh_host_key ) . | ||
137 | This option must be given if | ||
138 | .Nm | ||
139 | is not run as root (as the normal | ||
140 | host file is normally not readable by anyone but root). | ||
141 | .It Fl i | ||
142 | Specifies that | ||
143 | .Nm | ||
144 | is being run from inetd. | ||
145 | .Nm | ||
146 | is normally not run | ||
147 | from inetd because it needs to generate the server key before it can | ||
148 | respond to the client, and this may take tens of seconds. Clients | ||
149 | would have to wait too long if the key was regenerated every time. | ||
150 | However, with small key sizes (e.g. 512) using | ||
151 | .Nm | ||
152 | from inetd may | ||
153 | be feasible. | ||
154 | .It Fl k Ar key_gen_time | ||
155 | Specifies how often the server key is regenerated (default 3600 | ||
156 | seconds, or one hour). The motivation for regenerating the key fairly | ||
157 | often is that the key is not stored anywhere, and after about an hour, | ||
158 | it becomes impossible to recover the key for decrypting intercepted | ||
159 | communications even if the machine is cracked into or physically | ||
160 | seized. A value of zero indicates that the key will never be regenerated. | ||
161 | .It Fl p Ar port | ||
162 | Specifies the port on which the server listens for connections | ||
163 | (default 22). | ||
164 | .It Fl q | ||
165 | Quiet mode. Nothing is sent to the system log. Normally the beginning, | ||
166 | authentication, and termination of each connection is logged. | ||
167 | .It Fl Q | ||
168 | Do not print an error message if RSA support is missing. | ||
169 | .It Fl V Ar client_protocol_id | ||
170 | SSH2 compatibility mode. | ||
171 | When this options is specified | ||
172 | .Nm | ||
173 | assumes the client has sent the given version string | ||
174 | and skips the | ||
175 | Protocol Version Identification Exchange. | ||
176 | .El | ||
177 | .Sh CONFIGURATION FILE | ||
178 | .Nm | ||
179 | reads configuration data from | ||
180 | .Pa @sysconfdir@/sshd_config | ||
181 | (or the file specified with | ||
182 | .Fl f | ||
183 | on the command line). The file | ||
184 | contains keyword-value pairs, one per line. Lines starting with | ||
185 | .Ql # | ||
186 | and empty lines are interpreted as comments. | ||
187 | .Pp | ||
188 | The following keywords are possible. | ||
189 | .Bl -tag -width Ds | ||
190 | .It Cm AFSTokenPassing | ||
191 | Specifies whether an AFS token may be forwarded to the server. Default is | ||
192 | .Dq yes . | ||
193 | .It Cm AllowGroups | ||
194 | This keyword can be followed by a number of group names, separated | ||
195 | by spaces. If specified, login is allowed only for users whose primary | ||
196 | group matches one of the patterns. | ||
197 | .Ql \&* | ||
198 | and | ||
199 | .Ql ? | ||
200 | can be used as | ||
201 | wildcards in the patterns. Only group names are valid, a numerical group | ||
202 | id isn't recognized. By default login is allowed regardless of | ||
203 | the primary group. | ||
204 | .Pp | ||
205 | .It Cm AllowUsers | ||
206 | This keyword can be followed by a number of user names, separated | ||
207 | by spaces. If specified, login is allowed only for users names that | ||
208 | match one of the patterns. | ||
209 | .Ql \&* | ||
210 | and | ||
211 | .Ql ? | ||
212 | can be used as | ||
213 | wildcards in the patterns. Only user names are valid, a numerical user | ||
214 | id isn't recognized. By default login is allowed regardless of | ||
215 | the user name. | ||
216 | .Pp | ||
217 | .It Cm CheckMail | ||
218 | Specifies whether | ||
219 | .Nm | ||
220 | should check for new mail for interactive logins. | ||
221 | The default is | ||
222 | .Dq no . | ||
223 | .It Cm DenyGroups | ||
224 | This keyword can be followed by a number of group names, separated | ||
225 | by spaces. Users whose primary group matches one of the patterns | ||
226 | aren't allowed to log in. | ||
227 | .Ql \&* | ||
228 | and | ||
229 | .Ql ? | ||
230 | can be used as | ||
231 | wildcards in the patterns. Only group names are valid, a numerical group | ||
232 | id isn't recognized. By default login is allowed regardless of | ||
233 | the primary group. | ||
234 | .Pp | ||
235 | .It Cm DenyUsers | ||
236 | This keyword can be followed by a number of user names, separated | ||
237 | by spaces. Login is allowed disallowed for user names that match | ||
238 | one of the patterns. | ||
239 | .Ql \&* | ||
240 | and | ||
241 | .Ql ? | ||
242 | can be used as | ||
243 | wildcards in the patterns. Only user names are valid, a numerical user | ||
244 | id isn't recognized. By default login is allowed regardless of | ||
245 | the user name. | ||
246 | .It Cm HostKey | ||
247 | Specifies the file containing the private host key (default | ||
248 | .Pa @sysconfdir@/ssh_host_key ) . | ||
249 | Note that | ||
250 | .Nm | ||
251 | does not start if this file is group/world-accessible. | ||
252 | .It Cm IgnoreRhosts | ||
253 | Specifies that rhosts and shosts files will not be used in | ||
254 | authentication. | ||
255 | .Pa /etc/hosts.equiv | ||
256 | and | ||
257 | .Pa @sysconfdir@/shosts.equiv | ||
258 | are still used. The default is | ||
259 | .Dq no . | ||
260 | .It Cm IgnoreUserKnownHosts | ||
261 | Specifies whether | ||
262 | .Nm | ||
263 | should ignore the user's | ||
264 | .Pa $HOME/.ssh/known_hosts | ||
265 | during | ||
266 | .Cm RhostsRSAAuthentication . | ||
267 | The default is | ||
268 | .Dq no . | ||
269 | .It Cm KeepAlive | ||
270 | Specifies whether the system should send keepalive messages to the | ||
271 | other side. If they are sent, death of the connection or crash of one | ||
272 | of the machines will be properly noticed. However, this means that | ||
273 | connections will die if the route is down temporarily, and some people | ||
274 | find it annoying. On the other hand, if keepalives are not send, | ||
275 | sessions may hang indefinitely on the server, leaving | ||
276 | .Dq ghost | ||
277 | users and consuming server resources. | ||
278 | .Pp | ||
279 | The default is | ||
280 | .Dq yes | ||
281 | (to send keepalives), and the server will notice | ||
282 | if the network goes down or the client host reboots. This avoids | ||
283 | infinitely hanging sessions. | ||
284 | .Pp | ||
285 | To disable keepalives, the value should be set to | ||
286 | .Dq no | ||
287 | in both the server and the client configuration files. | ||
288 | .It Cm KerberosAuthentication | ||
289 | Specifies whether Kerberos authentication is allowed. This can | ||
290 | be in the form of a Kerberos ticket, or if | ||
291 | .Cm PasswordAuthentication | ||
292 | is yes, the password provided by the user will be validated through | ||
293 | the Kerberos KDC. Default is | ||
294 | .Dq yes . | ||
295 | .It Cm KerberosOrLocalPasswd | ||
296 | If set then if password authentication through Kerberos fails then | ||
297 | the password will be validated via any additional local mechanism | ||
298 | such as | ||
299 | .Pa /etc/passwd | ||
300 | or SecurID. Default is | ||
301 | .Dq yes . | ||
302 | .It Cm KerberosTgtPassing | ||
303 | Specifies whether a Kerberos TGT may be forwarded to the server. | ||
304 | Default is | ||
305 | .Dq no , | ||
306 | as this only works when the Kerberos KDC is actually an AFS kaserver. | ||
307 | .It Cm KerberosTicketCleanup | ||
308 | Specifies whether to automatically destroy the user's ticket cache | ||
309 | file on logout. Default is | ||
310 | .Dq yes . | ||
311 | .It Cm KeyRegenerationInterval | ||
312 | The server key is automatically regenerated after this many seconds | ||
313 | (if it has been used). The purpose of regeneration is to prevent | ||
314 | decrypting captured sessions by later breaking into the machine and | ||
315 | stealing the keys. The key is never stored anywhere. If the value is | ||
316 | 0, the key is never regenerated. The default is 3600 | ||
317 | (seconds). | ||
318 | .It Cm ListenAddress | ||
319 | Specifies what local address | ||
320 | .Nm | ||
321 | should listen on. | ||
322 | The default is to listen to all local addresses. | ||
323 | .It Cm LoginGraceTime | ||
324 | The server disconnects after this time if the user has not | ||
325 | successfully logged in. If the value is 0, there is no time limit. | ||
326 | The default is 600 (seconds). | ||
327 | .It Cm LogLevel | ||
328 | Gives the verbosity level that is used when logging messages from | ||
329 | .Nm sshd . | ||
330 | The possible values are: | ||
331 | QUIET, FATAL, ERROR, INFO, VERBOSE and DEBUG. | ||
332 | The default is INFO. | ||
333 | Logging with level DEBUG violates the privacy of users | ||
334 | and is not recommended. | ||
335 | .It Cm PasswordAuthentication | ||
336 | Specifies whether password authentication is allowed. | ||
337 | The default is | ||
338 | .Dq yes . | ||
339 | .It Cm PermitEmptyPasswords | ||
340 | When password authentication is allowed, it specifies whether the | ||
341 | server allows login to accounts with empty password strings. The default | ||
342 | is | ||
343 | .Dq yes . | ||
344 | .It Cm PermitRootLogin | ||
345 | Specifies whether the root can log in using | ||
346 | .Xr ssh 1 . | ||
347 | The argument must be | ||
348 | .Dq yes , | ||
349 | .Dq without-password | ||
350 | or | ||
351 | .Dq no . | ||
352 | The default is | ||
353 | .Dq yes . | ||
354 | If this options is set to | ||
355 | .Dq without-password | ||
356 | only password authentication is disabled for root. | ||
357 | .Pp | ||
358 | Root login with RSA authentication when the | ||
359 | .Ar command | ||
360 | option has been | ||
361 | specified will be allowed regardless of the value of this setting | ||
362 | (which may be useful for taking remote backups even if root login is | ||
363 | normally not allowed). | ||
364 | .It Cm Port | ||
365 | Specifies the port number that | ||
366 | .Nm | ||
367 | listens on. The default is 22. | ||
368 | .It Cm PrintMotd | ||
369 | Specifies whether | ||
370 | .Nm | ||
371 | should print | ||
372 | .Pa /etc/motd | ||
373 | when a user logs in interactively. (On some systems it is also | ||
374 | printed by the shell, | ||
375 | .Pa /etc/profile , | ||
376 | or equivalent.) The default is | ||
377 | .Dq yes . | ||
378 | .It Cm RandomSeed | ||
379 | Obsolete. Random number generation uses other techniques. | ||
380 | .It Cm RhostsAuthentication | ||
381 | Specifies whether authentication using rhosts or /etc/hosts.equiv | ||
382 | files is sufficient. Normally, this method should not be permitted | ||
383 | because it is insecure. | ||
384 | .Cm RhostsRSAAuthentication | ||
385 | should be used | ||
386 | instead, because it performs RSA-based host authentication in addition | ||
387 | to normal rhosts or /etc/hosts.equiv authentication. | ||
388 | The default is | ||
389 | .Dq no . | ||
390 | .It Cm RhostsRSAAuthentication | ||
391 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
392 | with successful RSA host authentication is allowed. The default is | ||
393 | .Dq yes . | ||
394 | .It Cm RSAAuthentication | ||
395 | Specifies whether pure RSA authentication is allowed. The default is | ||
396 | .Dq yes . | ||
397 | .It Cm ServerKeyBits | ||
398 | Defines the number of bits in the server key. The minimum value is | ||
399 | 512, and the default is 768. | ||
400 | .It Cm SkeyAuthentication | ||
401 | Specifies whether | ||
402 | .Xr skey 1 | ||
403 | authentication is allowed. The default is | ||
404 | .Dq yes . | ||
405 | Note that s/key authentication is enabled only if | ||
406 | .Cm PasswordAuthentication | ||
407 | is allowed, too. | ||
408 | .It Cm StrictModes | ||
409 | Specifies whether | ||
410 | .Nm | ||
411 | should check file modes and ownership of the | ||
412 | user's files and home directory before accepting login. This | ||
413 | is normally desirable because novices sometimes accidentally leave their | ||
414 | directory or files world-writable. The default is | ||
415 | .Dq yes . | ||
416 | .It Cm SyslogFacility | ||
417 | Gives the facility code that is used when logging messages from | ||
418 | .Nm sshd . | ||
419 | The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, | ||
420 | LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. | ||
421 | .It Cm UseLogin | ||
422 | Specifies whether | ||
423 | .Xr login 1 | ||
424 | is used. The default is | ||
425 | .Dq no . | ||
426 | .It Cm X11Forwarding | ||
427 | Specifies whether X11 forwarding is permitted. The default is | ||
428 | .Dq yes . | ||
429 | Note that disabling X11 forwarding does not improve security in any | ||
430 | way, as users can always install their own forwarders. | ||
431 | .It Cm X11DisplayOffset | ||
432 | Specifies the first display number available for | ||
433 | .Nm sshd Ns 's | ||
434 | X11 forwarding. This prevents | ||
435 | .Nm | ||
436 | from interfering with real X11 servers. | ||
437 | .El | ||
438 | .Sh LOGIN PROCESS | ||
439 | When a user successfully logs in, | ||
440 | .Nm | ||
441 | does the following: | ||
442 | .Bl -enum -offset indent | ||
443 | .It | ||
444 | If the login is on a tty, and no command has been specified, | ||
445 | prints last login time and | ||
446 | .Pa /etc/motd | ||
447 | (unless prevented in the configuration file or by | ||
448 | .Pa $HOME/.hushlogin ; | ||
449 | see the | ||
450 | .Sx FILES | ||
451 | section). | ||
452 | .It | ||
453 | If the login is on a tty, records login time. | ||
454 | .It | ||
455 | Checks | ||
456 | .Pa /etc/nologin ; | ||
457 | if it exists, prints contents and quits | ||
458 | (unless root). | ||
459 | .It | ||
460 | Changes to run with normal user privileges. | ||
461 | .It | ||
462 | Sets up basic environment. | ||
463 | .It | ||
464 | Reads | ||
465 | .Pa $HOME/.ssh/environment | ||
466 | if it exists. | ||
467 | .It | ||
468 | Changes to user's home directory. | ||
469 | .It | ||
470 | If | ||
471 | .Pa $HOME/.ssh/rc | ||
472 | exists, runs it; else if | ||
473 | .Pa @sysconfdir@/sshrc | ||
474 | exists, runs | ||
475 | it; otherwise runs xauth. The | ||
476 | .Dq rc | ||
477 | files are given the X11 | ||
478 | authentication protocol and cookie in standard input. | ||
479 | .It | ||
480 | Runs user's shell or command. | ||
481 | .El | ||
482 | .Sh AUTHORIZED_KEYS FILE FORMAT | ||
483 | The | ||
484 | .Pa $HOME/.ssh/authorized_keys | ||
485 | file lists the RSA keys that are | ||
486 | permitted for RSA authentication. Each line of the file contains one | ||
487 | key (empty lines and lines starting with a | ||
488 | .Ql # | ||
489 | are ignored as | ||
490 | comments). Each line consists of the following fields, separated by | ||
491 | spaces: options, bits, exponent, modulus, comment. The options field | ||
492 | is optional; its presence is determined by whether the line starts | ||
493 | with a number or not (the option field never starts with a number). | ||
494 | The bits, exponent, modulus and comment fields give the RSA key; the | ||
495 | comment field is not used for anything (but may be convenient for the | ||
496 | user to identify the key). | ||
497 | .Pp | ||
498 | Note that lines in this file are usually several hundred bytes long | ||
499 | (because of the size of the RSA key modulus). You don't want to type | ||
500 | them in; instead, copy the | ||
501 | .Pa identity.pub | ||
502 | file and edit it. | ||
503 | .Pp | ||
504 | The options (if present) consists of comma-separated option | ||
505 | specifications. No spaces are permitted, except within double quotes. | ||
506 | The following option specifications are supported: | ||
507 | .Bl -tag -width Ds | ||
508 | .It Cm from="pattern-list" | ||
509 | Specifies that in addition to RSA authentication, the canonical name | ||
510 | of the remote host must be present in the comma-separated list of | ||
511 | patterns ('*' and '?' serve as wildcards). The list may also contain | ||
512 | patterns negated by prefixing them with '!'; if the canonical host | ||
513 | name matches a negated pattern, the key is not accepted. The purpose | ||
514 | of this option is to optionally increase security: RSA authentication | ||
515 | by itself does not trust the network or name servers or anything (but | ||
516 | the key); however, if somebody somehow steals the key, the key | ||
517 | permits an intruder to log in from anywhere in the world. This | ||
518 | additional option makes using a stolen key more difficult (name | ||
519 | servers and/or routers would have to be compromised in addition to | ||
520 | just the key). | ||
521 | .It Cm command="command" | ||
522 | Specifies that the command is executed whenever this key is used for | ||
523 | authentication. The command supplied by the user (if any) is ignored. | ||
524 | The command is run on a pty if the connection requests a pty; | ||
525 | otherwise it is run without a tty. A quote may be included in the | ||
526 | command by quoting it with a backslash. This option might be useful | ||
527 | to restrict certain RSA keys to perform just a specific operation. An | ||
528 | example might be a key that permits remote backups but nothing | ||
529 | else. Notice that the client may specify TCP/IP and/or X11 | ||
530 | forwardings unless they are explicitly prohibited. | ||
531 | .It Cm environment="NAME=value" | ||
532 | Specifies that the string is to be added to the environment when | ||
533 | logging in using this key. Environment variables set this way | ||
534 | override other default environment values. Multiple options of this | ||
535 | type are permitted. | ||
536 | .It Cm no-port-forwarding | ||
537 | Forbids TCP/IP forwarding when this key is used for authentication. | ||
538 | Any port forward requests by the client will return an error. This | ||
539 | might be used, e.g., in connection with the | ||
540 | .Cm command | ||
541 | option. | ||
542 | .It Cm no-X11-forwarding | ||
543 | Forbids X11 forwarding when this key is used for authentication. | ||
544 | Any X11 forward requests by the client will return an error. | ||
545 | .It Cm no-agent-forwarding | ||
546 | Forbids authentication agent forwarding when this key is used for | ||
547 | authentication. | ||
548 | .It Cm no-pty | ||
549 | Prevents tty allocation (a request to allocate a pty will fail). | ||
550 | .El | ||
551 | .Ss Examples | ||
552 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar | ||
553 | .Pp | ||
554 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula | ||
555 | .Pp | ||
556 | command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi | ||
557 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | ||
558 | The | ||
559 | .Pa @sysconfdir@/ssh_known_hosts | ||
560 | and | ||
561 | .Pa $HOME/.ssh/known_hosts | ||
562 | files contain host public keys for all known hosts. The global file should | ||
563 | be prepared by the admistrator (optional), and the per-user file is | ||
564 | maintained automatically: whenever the user connects an unknown host | ||
565 | its key is added to the per-user file. | ||
566 | .Pp | ||
567 | Each line in these files contains the following fields: hostnames, | ||
568 | bits, exponent, modulus, comment. The fields are separated by spaces. | ||
569 | .Pp | ||
570 | Hostnames is a comma-separated list of patterns ('*' and '?' act as | ||
571 | wildcards); each pattern in turn is matched against the canonical host | ||
572 | name (when authenticating a client) or against the user-supplied | ||
573 | name (when authenticating a server). A pattern may also be preceded | ||
574 | by | ||
575 | .Ql ! | ||
576 | to indicate negation: if the host name matches a negated | ||
577 | pattern, it is not accepted (by that line) even if it matched another | ||
578 | pattern on the line. | ||
579 | .Pp | ||
580 | Bits, exponent, and modulus are taken directly from the host key; they | ||
581 | can be obtained, e.g., from | ||
582 | .Pa @sysconfdir@/ssh_host_key.pub . | ||
583 | The optional comment field continues to the end of the line, and is not used. | ||
584 | .Pp | ||
585 | Lines starting with | ||
586 | .Ql # | ||
587 | and empty lines are ignored as comments. | ||
588 | .Pp | ||
589 | When performing host authentication, authentication is accepted if any | ||
590 | matching line has the proper key. It is thus permissible (but not | ||
591 | recommended) to have several lines or different host keys for the same | ||
592 | names. This will inevitably happen when short forms of host names | ||
593 | from different domains are put in the file. It is possible | ||
594 | that the files contain conflicting information; authentication is | ||
595 | accepted if valid information can be found from either file. | ||
596 | .Pp | ||
597 | Note that the lines in these files are typically hundreds of characters | ||
598 | long, and you definitely don't want to type in the host keys by hand. | ||
599 | Rather, generate them by a script | ||
600 | or by taking | ||
601 | .Pa @sysconfdir@/ssh_host_key.pub | ||
602 | and adding the host names at the front. | ||
603 | .Ss Examples | ||
604 | closenet,closenet.hut.fi,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi | ||
605 | .Sh FILES | ||
606 | .Bl -tag -width Ds | ||
607 | .It Pa @sysconfdir@/sshd_config | ||
608 | Contains configuration data for | ||
609 | .Nm sshd . | ||
610 | This file should be writable by root only, but it is recommended | ||
611 | (though not necessary) that it be world-readable. | ||
612 | .It Pa @sysconfdir@/ssh_host_key | ||
613 | Contains the private part of the host key. | ||
614 | This file should only be owned by root, readable only by root, and not | ||
615 | accessible to others. | ||
616 | Note that | ||
617 | .Nm | ||
618 | does not start if this file is group/world-accessible. | ||
619 | .It Pa @sysconfdir@/ssh_host_key.pub | ||
620 | Contains the public part of the host key. | ||
621 | This file should be world-readable but writable only by | ||
622 | root. Its contents should match the private part. This file is not | ||
623 | really used for anything; it is only provided for the convenience of | ||
624 | the user so its contents can be copied to known hosts files. | ||
625 | These two files are created using | ||
626 | .Xr ssh-keygen 1 . | ||
627 | .It Pa /var/run/sshd.pid | ||
628 | Contains the process ID of the | ||
629 | .Nm | ||
630 | listening for connections (if there are several daemons running | ||
631 | concurrently for different ports, this contains the pid of the one | ||
632 | started last). The contents of this file are not sensitive; it can be | ||
633 | world-readable. | ||
634 | .It Pa $HOME/.ssh/authorized_keys | ||
635 | Lists the RSA keys that can be used to log into the user's account. | ||
636 | This file must be readable by root (which may on some machines imply | ||
637 | it being world-readable if the user's home directory resides on an NFS | ||
638 | volume). It is recommended that it not be accessible by others. The | ||
639 | format of this file is described above. | ||
640 | .It Pa "@sysconfdir@_known_hosts" and "$HOME/.ssh/known_hosts" | ||
641 | These files are consulted when using rhosts with RSA host | ||
642 | authentication to check the public key of the host. The key must be | ||
643 | listed in one of these files to be accepted. | ||
644 | The client uses the same files | ||
645 | to verify that the remote host is the one we intended to | ||
646 | connect. These files should be writable only by root/the owner. | ||
647 | .Pa @sysconfdir@/ssh_known_hosts | ||
648 | should be world-readable, and | ||
649 | .Pa $HOME/.ssh/known_hosts | ||
650 | can but need not be world-readable. | ||
651 | .It Pa /etc/nologin | ||
652 | If this file exists, | ||
653 | .Nm | ||
654 | refuses to let anyone except root log in. The contents of the file | ||
655 | are displayed to anyone trying to log in, and non-root connections are | ||
656 | refused. The file should be world-readable. | ||
657 | .It Pa /etc/hosts.allow, /etc/hosts.deny | ||
658 | If compiled with | ||
659 | .Sy LIBWRAP | ||
660 | support, tcp-wrappers access controls may be defined here as described in | ||
661 | .Xr hosts_access 5 . | ||
662 | .It Pa $HOME/.rhosts | ||
663 | This file contains host-username pairs, separated by a space, one per | ||
664 | line. The given user on the corresponding host is permitted to log in | ||
665 | without password. The same file is used by rlogind and rshd. | ||
666 | The file must | ||
667 | be writable only by the user; it is recommended that it not be | ||
668 | accessible by others. | ||
669 | .Pp | ||
670 | If is also possible to use netgroups in the file. Either host or user | ||
671 | name may be of the form +@groupname to specify all hosts or all users | ||
672 | in the group. | ||
673 | .It Pa $HOME/.shosts | ||
674 | For ssh, | ||
675 | this file is exactly the same as for | ||
676 | .Pa .rhosts . | ||
677 | However, this file is | ||
678 | not used by rlogin and rshd, so using this permits access using SSH only. | ||
679 | .Pa /etc/hosts.equiv | ||
680 | This file is used during | ||
681 | .Pa .rhosts | ||
682 | authentication. In the | ||
683 | simplest form, this file contains host names, one per line. Users on | ||
684 | those hosts are permitted to log in without a password, provided they | ||
685 | have the same user name on both machines. The host name may also be | ||
686 | followed by a user name; such users are permitted to log in as | ||
687 | .Em any | ||
688 | user on this machine (except root). Additionally, the syntax | ||
689 | .Dq +@group | ||
690 | can be used to specify netgroups. Negated entries start with | ||
691 | .Ql \&- . | ||
692 | .Pp | ||
693 | If the client host/user is successfully matched in this file, login is | ||
694 | automatically permitted provided the client and server user names are the | ||
695 | same. Additionally, successful RSA host authentication is normally | ||
696 | required. This file must be writable only by root; it is recommended | ||
697 | that it be world-readable. | ||
698 | .Pp | ||
699 | .Sy "Warning: It is almost never a good idea to use user names in" | ||
700 | .Pa hosts.equiv . | ||
701 | Beware that it really means that the named user(s) can log in as | ||
702 | .Em anybody , | ||
703 | which includes bin, daemon, adm, and other accounts that own critical | ||
704 | binaries and directories. Using a user name practically grants the | ||
705 | user root access. The only valid use for user names that I can think | ||
706 | of is in negative entries. | ||
707 | .Pp | ||
708 | Note that this warning also applies to rsh/rlogin. | ||
709 | .It Pa @sysconfdir@/shosts.equiv | ||
710 | This is processed exactly as | ||
711 | .Pa /etc/hosts.equiv . | ||
712 | However, this file may be useful in environments that want to run both | ||
713 | rsh/rlogin and ssh. | ||
714 | .It Pa $HOME/.ssh/environment | ||
715 | This file is read into the environment at login (if it exists). It | ||
716 | can only contain empty lines, comment lines (that start with | ||
717 | .Ql # ) , | ||
718 | and assignment lines of the form name=value. The file should be writable | ||
719 | only by the user; it need not be readable by anyone else. | ||
720 | .It Pa $HOME/.ssh/rc | ||
721 | If this file exists, it is run with /bin/sh after reading the | ||
722 | environment files but before starting the user's shell or command. If | ||
723 | X11 spoofing is in use, this will receive the "proto cookie" pair in | ||
724 | standard input (and | ||
725 | .Ev DISPLAY | ||
726 | in environment). This must call | ||
727 | .Xr xauth 1 | ||
728 | in that case. | ||
729 | .Pp | ||
730 | The primary purpose of this file is to run any initialization routines | ||
731 | which may be needed before the user's home directory becomes | ||
732 | accessible; AFS is a particular example of such an environment. | ||
733 | .Pp | ||
734 | This file will probably contain some initialization code followed by | ||
735 | something similar to: "if read proto cookie; then echo add $DISPLAY | ||
736 | $proto $cookie | xauth -q -; fi". | ||
737 | .Pp | ||
738 | If this file does not exist, | ||
739 | .Pa @sysconfdir@/sshrc | ||
740 | is run, and if that | ||
741 | does not exist either, xauth is used to store the cookie. | ||
742 | .Pp | ||
743 | This file should be writable only by the user, and need not be | ||
744 | readable by anyone else. | ||
745 | .It Pa @sysconfdir@/sshrc | ||
746 | Like | ||
747 | .Pa $HOME/.ssh/rc . | ||
748 | This can be used to specify | ||
749 | machine-specific login-time initializations globally. This file | ||
750 | should be writable only by root, and should be world-readable. | ||
751 | .Sh AUTHOR | ||
752 | Tatu Ylonen <ylo@cs.hut.fi> | ||
753 | .Pp | ||
754 | Information about new releases, mailing lists, and other related | ||
755 | issues can be found from the SSH WWW home page: | ||
756 | .Pp | ||
757 | .Dl http://www.cs.hut.fi/ssh. | ||
758 | .Pp | ||
759 | OpenSSH | ||
760 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs | ||
761 | removed and newer features re-added. Rapidly after the 1.2.12 release, | ||
762 | newer versions bore successively more restrictive licenses. This version | ||
763 | of OpenSSH | ||
764 | .Bl -bullet | ||
765 | .It | ||
766 | has all components of a restrictive nature (ie. patents, see | ||
767 | .Xr ssl 8 ) | ||
768 | directly removed from the source code; any licensed or patented components | ||
769 | are chosen from | ||
770 | external libraries. | ||
771 | .It | ||
772 | has been updated to support ssh protocol 1.5. | ||
773 | .It | ||
774 | contains added support for | ||
775 | .Xr kerberos 8 | ||
776 | authentication and ticket passing. | ||
777 | .It | ||
778 | supports one-time password authentication with | ||
779 | .Xr skey 1 . | ||
780 | .El | ||
781 | .Pp | ||
782 | The libraries described in | ||
783 | .Xr ssl 8 | ||
784 | are required for proper operation. | ||
785 | .Sh SEE ALSO | ||
786 | .Xr rlogin 1 , | ||
787 | .Xr rsh 1 , | ||
788 | .Xr scp 1 , | ||
789 | .Xr ssh 1 , | ||
790 | .Xr ssh-add 1 , | ||
791 | .Xr ssh-agent 1 , | ||
792 | .Xr ssh-keygen 1 , | ||
793 | .Xr ssl 8 | ||
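Review bot: the entry for /etc/hosts.equiv at line 679 is missing its `.It` macro (the line reads `.Pa /etc/hosts.equiv` where every other entry in this `.Bl` list reads `.It Pa ...`), so in the rendered page the whole hosts.equiv description, including the "Warning: It is almost never a good idea to use user names in hosts.equiv" paragraph, is folded into the preceding `$HOME/.shosts` item instead of appearing as its own FILES entry. Suggest changing line 679 to `.It Pa /etc/hosts.equiv`. Two smaller points in the same hunk: line 670 should read "It is also possible to use netgroups in the file" rather than "If is also possible", and the `.Dl http://www.cs.hut.fi/ssh.` at line 757 carries a trailing period inside the literal display line, which a reader will copy as part of the URL; move the period out or drop it.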