summaryrefslogtreecommitdiff
path: root/sshd.8
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2011-01-24 11:46:57 +0000
committerColin Watson <cjwatson@debian.org>2011-01-24 11:46:57 +0000
commit0970072c89b079b022538e3c366fbfa2c53fc821 (patch)
treeb7024712d74234bb5a8b036ccbc9109e2e211296 /sshd.8
parent4e8aa4da57000c7bba8e5c49163bc0c0ca383f78 (diff)
parent478ff799463ca926a8dfbabf058f4e84aaffc65a (diff)
merge 5.7p1
Diffstat (limited to 'sshd.8')
-rw-r--r--sshd.873
1 files changed, 40 insertions, 33 deletions
diff --git a/sshd.8 b/sshd.8
index d3685b92b..5503b1331 100644
--- a/sshd.8
+++ b/sshd.8
@@ -1,4 +1,3 @@
1.\" -*- nroff -*-
2.\" 1.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,8 +33,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 35.\"
37.\" $OpenBSD: sshd.8,v 1.257 2010/08/04 05:37:01 djm Exp $ 36.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $
38.Dd $Mdocdate: August 4 2010 $ 37.Dd $Mdocdate: October 28 2010 $
39.Dt SSHD 8 38.Dt SSHD 8
40.Os 39.Os
41.Sh NAME 40.Sh NAME
@@ -170,9 +169,10 @@ host key files are normally not readable by anyone but root).
170The default is 169The default is
171.Pa /etc/ssh/ssh_host_key 170.Pa /etc/ssh/ssh_host_key
172for protocol version 1, and 171for protocol version 1, and
173.Pa /etc/ssh/ssh_host_rsa_key 172.Pa /etc/ssh/ssh_host_dsa_key ,
173.Pa /etc/ssh/ssh_host_ecdsa_key
174and 174and
175.Pa /etc/ssh/ssh_host_dsa_key 175.Pa /etc/ssh/ssh_host_rsa_key
176for protocol version 2. 176for protocol version 2.
177It is possible to have multiple host key files for 177It is possible to have multiple host key files for
178the different protocol versions and host key algorithms. 178the different protocol versions and host key algorithms.
@@ -275,7 +275,7 @@ though this can be changed via the
275.Cm Protocol 275.Cm Protocol
276option in 276option in
277.Xr sshd_config 5 . 277.Xr sshd_config 5 .
278Protocol 2 supports both RSA and DSA keys; 278Protocol 2 supports DSA, ECDSA and RSA keys;
279protocol 1 only supports RSA keys. 279protocol 1 only supports RSA keys.
280For both protocols, 280For both protocols,
281each host has a host-specific key, 281each host has a host-specific key,
@@ -483,6 +483,9 @@ protocol version 1; the
483comment field is not used for anything (but may be convenient for the 483comment field is not used for anything (but may be convenient for the
484user to identify the key). 484user to identify the key).
485For protocol version 2 the keytype is 485For protocol version 2 the keytype is
486.Dq ecdsa-sha2-nistp256 ,
487.Dq ecdsa-sha2-nistp384 ,
488.Dq ecdsa-sha2-nistp521 ,
486.Dq ssh-dss 489.Dq ssh-dss
487or 490or
488.Dq ssh-rsa . 491.Dq ssh-rsa .
@@ -494,6 +497,7 @@ keys up to 16 kilobits.
494You don't want to type them in; instead, copy the 497You don't want to type them in; instead, copy the
495.Pa identity.pub , 498.Pa identity.pub ,
496.Pa id_dsa.pub , 499.Pa id_dsa.pub ,
500.Pa id_ecdsa.pub ,
497or the 501or the
498.Pa id_rsa.pub 502.Pa id_rsa.pub
499file and edit it. 503file and edit it.
@@ -751,7 +755,7 @@ AAAA1234.....=
751.Ed 755.Ed
752.Sh FILES 756.Sh FILES
753.Bl -tag -width Ds -compact 757.Bl -tag -width Ds -compact
754.It ~/.hushlogin 758.It Pa ~/.hushlogin
755This file is used to suppress printing the last login time and 759This file is used to suppress printing the last login time and
756.Pa /etc/motd , 760.Pa /etc/motd ,
757if 761if
@@ -763,7 +767,7 @@ are enabled.
763It does not suppress printing of the banner specified by 767It does not suppress printing of the banner specified by
764.Cm Banner . 768.Cm Banner .
765.Pp 769.Pp
766.It ~/.rhosts 770.It Pa ~/.rhosts
767This file is used for host-based authentication (see 771This file is used for host-based authentication (see
768.Xr ssh 1 772.Xr ssh 1
769for more information). 773for more information).
@@ -778,21 +782,22 @@ The recommended
778permission for most machines is read/write for the user, and not 782permission for most machines is read/write for the user, and not
779accessible by others. 783accessible by others.
780.Pp 784.Pp
781.It ~/.shosts 785.It Pa ~/.shosts
782This file is used in exactly the same way as 786This file is used in exactly the same way as
783.Pa .rhosts , 787.Pa .rhosts ,
784but allows host-based authentication without permitting login with 788but allows host-based authentication without permitting login with
785rlogin/rsh. 789rlogin/rsh.
786.Pp 790.Pp
787.It ~/.ssh/ 791.It Pa ~/.ssh/
788This directory is the default location for all user-specific configuration 792This directory is the default location for all user-specific configuration
789and authentication information. 793and authentication information.
790There is no general requirement to keep the entire contents of this directory 794There is no general requirement to keep the entire contents of this directory
791secret, but the recommended permissions are read/write/execute for the user, 795secret, but the recommended permissions are read/write/execute for the user,
792and not accessible by others. 796and not accessible by others.
793.Pp 797.Pp
794.It ~/.ssh/authorized_keys 798.It Pa ~/.ssh/authorized_keys
795Lists the public keys (RSA/DSA) that can be used for logging in as this user. 799Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
800as this user.
796The format of this file is described above. 801The format of this file is described above.
797The content of the file is not highly sensitive, but the recommended 802The content of the file is not highly sensitive, but the recommended
798permissions are read/write for the user, and not accessible by others. 803permissions are read/write for the user, and not accessible by others.
@@ -809,7 +814,7 @@ will not allow it to be used unless the
809option has been set to 814option has been set to
810.Dq no . 815.Dq no .
811.Pp 816.Pp
812.It ~/.ssh/environment 817.It Pa ~/.ssh/environment
813This file is read into the environment at login (if it exists). 818This file is read into the environment at login (if it exists).
814It can only contain empty lines, comment lines (that start with 819It can only contain empty lines, comment lines (that start with
815.Ql # ) , 820.Ql # ) ,
@@ -821,40 +826,40 @@ controlled via the
821.Cm PermitUserEnvironment 826.Cm PermitUserEnvironment
822option. 827option.
823.Pp 828.Pp
824.It ~/.ssh/known_hosts 829.It Pa ~/.ssh/known_hosts
825Contains a list of host keys for all hosts the user has logged into 830Contains a list of host keys for all hosts the user has logged into
826that are not already in the systemwide list of known host keys. 831that are not already in the systemwide list of known host keys.
827The format of this file is described above. 832The format of this file is described above.
828This file should be writable only by root/the owner and 833This file should be writable only by root/the owner and
829can, but need not be, world-readable. 834can, but need not be, world-readable.
830.Pp 835.Pp
831.It ~/.ssh/rc 836.It Pa ~/.ssh/rc
832Contains initialization routines to be run before 837Contains initialization routines to be run before
833the user's home directory becomes accessible. 838the user's home directory becomes accessible.
834This file should be writable only by the user, and need not be 839This file should be writable only by the user, and need not be
835readable by anyone else. 840readable by anyone else.
836.Pp 841.Pp
837.It /etc/hosts.allow 842.It Pa /etc/hosts.allow
838.It /etc/hosts.deny 843.It Pa /etc/hosts.deny
839Access controls that should be enforced by tcp-wrappers are defined here. 844Access controls that should be enforced by tcp-wrappers are defined here.
840Further details are described in 845Further details are described in
841.Xr hosts_access 5 . 846.Xr hosts_access 5 .
842.Pp 847.Pp
843.It /etc/hosts.equiv 848.It Pa /etc/hosts.equiv
844This file is for host-based authentication (see 849This file is for host-based authentication (see
845.Xr ssh 1 ) . 850.Xr ssh 1 ) .
846It should only be writable by root. 851It should only be writable by root.
847.Pp 852.Pp
848.It /etc/moduli 853.It Pa /etc/moduli
849Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 854Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
850The file format is described in 855The file format is described in
851.Xr moduli 5 . 856.Xr moduli 5 .
852.Pp 857.Pp
853.It /etc/motd 858.It Pa /etc/motd
854See 859See
855.Xr motd 5 . 860.Xr motd 5 .
856.Pp 861.Pp
857.It /etc/nologin 862.It Pa /etc/nologin
858If this file exists, 863If this file exists,
859.Nm 864.Nm
860refuses to let anyone except root log in. 865refuses to let anyone except root log in.
@@ -863,15 +868,16 @@ are displayed to anyone trying to log in, and non-root connections are
863refused. 868refused.
864The file should be world-readable. 869The file should be world-readable.
865.Pp 870.Pp
866.It /etc/shosts.equiv 871.It Pa /etc/shosts.equiv
867This file is used in exactly the same way as 872This file is used in exactly the same way as
868.Pa hosts.equiv , 873.Pa hosts.equiv ,
869but allows host-based authentication without permitting login with 874but allows host-based authentication without permitting login with
870rlogin/rsh. 875rlogin/rsh.
871.Pp 876.Pp
872.It /etc/ssh/ssh_host_key 877.It Pa /etc/ssh/ssh_host_key
873.It /etc/ssh/ssh_host_dsa_key 878.It Pa /etc/ssh/ssh_host_dsa_key
874.It /etc/ssh/ssh_host_rsa_key 879.It Pa /etc/ssh/ssh_host_ecdsa_key
880.It Pa /etc/ssh/ssh_host_rsa_key
875These three files contain the private parts of the host keys. 881These three files contain the private parts of the host keys.
876These files should only be owned by root, readable only by root, and not 882These files should only be owned by root, readable only by root, and not
877accessible to others. 883accessible to others.
@@ -879,9 +885,10 @@ Note that
879.Nm 885.Nm
880does not start if these files are group/world-accessible. 886does not start if these files are group/world-accessible.
881.Pp 887.Pp
882.It /etc/ssh/ssh_host_key.pub 888.It Pa /etc/ssh/ssh_host_key.pub
883.It /etc/ssh/ssh_host_dsa_key.pub 889.It Pa /etc/ssh/ssh_host_dsa_key.pub
884.It /etc/ssh/ssh_host_rsa_key.pub 890.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
891.It Pa /etc/ssh/ssh_host_rsa_key.pub
885These three files contain the public parts of the host keys. 892These three files contain the public parts of the host keys.
886These files should be world-readable but writable only by 893These files should be world-readable but writable only by
887root. 894root.
@@ -892,7 +899,7 @@ the user so their contents can be copied to known hosts files.
892These files are created using 899These files are created using
893.Xr ssh-keygen 1 . 900.Xr ssh-keygen 1 .
894.Pp 901.Pp
895.It /etc/ssh/ssh_known_hosts 902.It Pa /etc/ssh/ssh_known_hosts
896Systemwide list of known host keys. 903Systemwide list of known host keys.
897This file should be prepared by the 904This file should be prepared by the
898system administrator to contain the public host keys of all machines in the 905system administrator to contain the public host keys of all machines in the
@@ -901,20 +908,20 @@ The format of this file is described above.
901This file should be writable only by root/the owner and 908This file should be writable only by root/the owner and
902should be world-readable. 909should be world-readable.
903.Pp 910.Pp
904.It /etc/ssh/sshd_config 911.It Pa /etc/ssh/sshd_config
905Contains configuration data for 912Contains configuration data for
906.Nm sshd . 913.Nm sshd .
907The file format and configuration options are described in 914The file format and configuration options are described in
908.Xr sshd_config 5 . 915.Xr sshd_config 5 .
909.Pp 916.Pp
910.It /etc/ssh/sshrc 917.It Pa /etc/ssh/sshrc
911Similar to 918Similar to
912.Pa ~/.ssh/rc , 919.Pa ~/.ssh/rc ,
913it can be used to specify 920it can be used to specify
914machine-specific login-time initializations globally. 921machine-specific login-time initializations globally.
915This file should be writable only by root, and should be world-readable. 922This file should be writable only by root, and should be world-readable.
916.Pp 923.Pp
917.It /var/empty 924.It Pa /var/empty
918.Xr chroot 2 925.Xr chroot 2
919directory used by 926directory used by
920.Nm 927.Nm
@@ -922,7 +929,7 @@ during privilege separation in the pre-authentication phase.
922The directory should not contain any files and must be owned by root 929The directory should not contain any files and must be owned by root
923and not group or world-writable. 930and not group or world-writable.
924.Pp 931.Pp
925.It /var/run/sshd.pid 932.It Pa /var/run/sshd.pid
926Contains the process ID of the 933Contains the process ID of the
927.Nm 934.Nm
928listening for connections (if there are several daemons running 935listening for connections (if there are several daemons running