Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 50 |
1 files changed, 24 insertions, 26 deletions
@@ -21,7 +21,7 @@ DESCRIPTION | |||
21 | sshd works as follows: | 21 | sshd works as follows: |
22 | 22 | ||
23 | SSH protocol version 1 | 23 | SSH protocol version 1 |
24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | 24 | Each host has a host-specific RSA key (normally 2048 bits) used to iden- |
25 | tify the host. Additionally, when the daemon starts, it generates a | 25 | tify the host. Additionally, when the daemon starts, it generates a |
26 | server RSA key (normally 768 bits). This key is normally regenerated ev- | 26 | server RSA key (normally 768 bits). This key is normally regenerated ev- |
27 | ery hour if it has been used, and is never stored on disk. | 27 | ery hour if it has been used, and is never stored on disk. |
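Review bot: the host key size at line 24 changes from 1024 to 2048 bits while the server RSA key on line 26 stays at "normally 768 bits"; confirm that the second value is still accurate after the same default bump rather than left over, and since the diffstat shown here is limited to sshd.0 (the preformatted copy), make sure the nroff source the page is rendered from carries the same 2048 edit, or the next regeneration will silently revert it.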
@@ -200,8 +200,7 @@ LOGIN PROCESS | |||
200 | 200 | ||
201 | 1. If the login is on a tty, and no command has been specified, | 201 | 1. If the login is on a tty, and no command has been specified, |
202 | prints last login time and /etc/motd (unless prevented in the | 202 | prints last login time and /etc/motd (unless prevented in the |
203 | configuration file or by $HOME/.hushlogin; see the FILES sec- | 203 | configuration file or by ~/.hushlogin; see the FILES section). |
204 | tion). | ||
205 | 204 | ||
206 | 2. If the login is on a tty, records login time. | 205 | 2. If the login is on a tty, records login time. |
207 | 206 | ||
@@ -212,21 +211,20 @@ LOGIN PROCESS | |||
212 | 211 | ||
213 | 5. Sets up basic environment. | 212 | 5. Sets up basic environment. |
214 | 213 | ||
215 | 6. Reads the file $HOME/.ssh/environment, if it exists, and users | 214 | 6. Reads the file ~/.ssh/environment, if it exists, and users are |
216 | are allowed to change their environment. See the | 215 | allowed to change their environment. See the |
217 | PermitUserEnvironment option in sshd_config(5). | 216 | PermitUserEnvironment option in sshd_config(5). |
218 | 217 | ||
219 | 7. Changes to user's home directory. | 218 | 7. Changes to user's home directory. |
220 | 219 | ||
221 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- | 220 | 8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, |
222 | ists, runs it; otherwise runs xauth. The ``rc'' files are | 221 | runs it; otherwise runs xauth. The ``rc'' files are given the |
223 | given the X11 authentication protocol and cookie in standard | 222 | X11 authentication protocol and cookie in standard input. |
224 | input. | ||
225 | 223 | ||
226 | 9. Runs user's shell or command. | 224 | 9. Runs user's shell or command. |
227 | 225 | ||
228 | AUTHORIZED_KEYS FILE FORMAT | 226 | AUTHORIZED_KEYS FILE FORMAT |
229 | $HOME/.ssh/authorized_keys is the default file that lists the public keys | 227 | ~/.ssh/authorized_keys is the default file that lists the public keys |
230 | that are permitted for RSA authentication in protocol version 1 and for | 228 | that are permitted for RSA authentication in protocol version 1 and for |
231 | public key authentication (PubkeyAuthentication) in protocol version 2. | 229 | public key authentication (PubkeyAuthentication) in protocol version 2. |
232 | AuthorizedKeysFile may be used to specify an alternative file. | 230 | AuthorizedKeysFile may be used to specify an alternative file. |
@@ -329,10 +327,10 @@ AUTHORIZED_KEYS FILE FORMAT | |||
329 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 327 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
330 | 328 | ||
331 | SSH_KNOWN_HOSTS FILE FORMAT | 329 | SSH_KNOWN_HOSTS FILE FORMAT |
332 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain | 330 | The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host |
333 | host public keys for all known hosts. The global file should be prepared | 331 | public keys for all known hosts. The global file should be prepared by |
334 | by the administrator (optional), and the per-user file is maintained au- | 332 | the administrator (optional), and the per-user file is maintained auto- |
335 | tomatically: whenever the user connects from an unknown host its key is | 333 | matically: whenever the user connects from an unknown host its key is |
336 | added to the per-user file. | 334 | added to the per-user file. |
337 | 335 | ||
338 | Each line in these files contains the following fields: hostnames, bits, | 336 | Each line in these files contains the following fields: hostnames, bits, |
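Review bot: while lines 331-334 are being reflowed anyway, consider fixing the wording "whenever the user connects from an unknown host its key is added": the paragraph describes host public keys of the hosts the user connects to, so "connects to an unknown host, its key is added" states what actually happens; as written a reader may take it to describe the sshd side of hostbased authentication.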
@@ -417,7 +415,7 @@ FILES | |||
417 | The content of this file is not sensitive; it can be world-read- | 415 | The content of this file is not sensitive; it can be world-read- |
418 | able. | 416 | able. |
419 | 417 | ||
420 | $HOME/.ssh/authorized_keys | 418 | ~/.ssh/authorized_keys |
421 | Lists the public keys (RSA or DSA) that can be used to log into | 419 | Lists the public keys (RSA or DSA) that can be used to log into |
422 | the user's account. This file must be readable by root (which | 420 | the user's account. This file must be readable by root (which |
423 | may on some machines imply it being world-readable if the user's | 421 | may on some machines imply it being world-readable if the user's |
@@ -427,7 +425,7 @@ FILES | |||
427 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | 425 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
428 | as described in ssh-keygen(1). | 426 | as described in ssh-keygen(1). |
429 | 427 | ||
430 | /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts | 428 | /etc/ssh/ssh_known_hosts, ~/.ssh/known_hosts |
431 | These files are consulted when using rhosts with RSA host authen- | 429 | These files are consulted when using rhosts with RSA host authen- |
432 | tication or protocol version 2 hostbased authentication to check | 430 | tication or protocol version 2 hostbased authentication to check |
433 | the public key of the host. The key must be listed in one of | 431 | the public key of the host. The key must be listed in one of |
@@ -435,12 +433,12 @@ FILES | |||
435 | verify that it is connecting to the correct remote host. These | 433 | verify that it is connecting to the correct remote host. These |
436 | files should be writable only by root/the owner. | 434 | files should be writable only by root/the owner. |
437 | /etc/ssh/ssh_known_hosts should be world-readable, and | 435 | /etc/ssh/ssh_known_hosts should be world-readable, and |
438 | $HOME/.ssh/known_hosts can, but need not be, world-readable. | 436 | ~/.ssh/known_hosts can, but need not be, world-readable. |
439 | 437 | ||
440 | /etc/motd | 438 | /etc/motd |
441 | See motd(5). | 439 | See motd(5). |
442 | 440 | ||
443 | $HOME/.hushlogin | 441 | ~/.hushlogin |
444 | This file is used to suppress printing the last login time and | 442 | This file is used to suppress printing the last login time and |
445 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- | 443 | /etc/motd, if PrintLastLog and PrintMotd, respectively, are en- |
446 | abled. It does not suppress printing of the banner specified by | 444 | abled. It does not suppress printing of the banner specified by |
@@ -456,7 +454,7 @@ FILES | |||
456 | Access controls that should be enforced by tcp-wrappers are de- | 454 | Access controls that should be enforced by tcp-wrappers are de- |
457 | fined here. Further details are described in hosts_access(5). | 455 | fined here. Further details are described in hosts_access(5). |
458 | 456 | ||
459 | $HOME/.rhosts | 457 | ~/.rhosts |
460 | This file is used during RhostsRSAAuthentication and | 458 | This file is used during RhostsRSAAuthentication and |
461 | HostbasedAuthentication and contains host-username pairs, sepa- | 459 | HostbasedAuthentication and contains host-username pairs, sepa- |
462 | rated by a space, one per line. The given user on the corre- | 460 | rated by a space, one per line. The given user on the corre- |
@@ -469,7 +467,7 @@ FILES | |||
469 | user name may be of the form +@groupname to specify all hosts or | 467 | user name may be of the form +@groupname to specify all hosts or |
470 | all users in the group. | 468 | all users in the group. |
471 | 469 | ||
472 | $HOME/.shosts | 470 | ~/.shosts |
473 | For ssh, this file is exactly the same as for .rhosts. However, | 471 | For ssh, this file is exactly the same as for .rhosts. However, |
474 | this file is not used by rlogin and rshd, so using this permits | 472 | this file is not used by rlogin and rshd, so using this permits |
475 | access using SSH only. | 473 | access using SSH only. |
@@ -505,7 +503,7 @@ FILES | |||
505 | file may be useful in environments that want to run both | 503 | file may be useful in environments that want to run both |
506 | rsh/rlogin and ssh. | 504 | rsh/rlogin and ssh. |
507 | 505 | ||
508 | $HOME/.ssh/environment | 506 | ~/.ssh/environment |
509 | This file is read into the environment at login (if it exists). | 507 | This file is read into the environment at login (if it exists). |
510 | It can only contain empty lines, comment lines (that start with | 508 | It can only contain empty lines, comment lines (that start with |
511 | `#'), and assignment lines of the form name=value. The file | 509 | `#'), and assignment lines of the form name=value. The file |
@@ -513,7 +511,7 @@ FILES | |||
513 | anyone else. Environment processing is disabled by default and | 511 | anyone else. Environment processing is disabled by default and |
514 | is controlled via the PermitUserEnvironment option. | 512 | is controlled via the PermitUserEnvironment option. |
515 | 513 | ||
516 | $HOME/.ssh/rc | 514 | ~/.ssh/rc |
517 | If this file exists, it is run with /bin/sh after reading the en- | 515 | If this file exists, it is run with /bin/sh after reading the en- |
518 | vironment files but before starting the user's shell or command. | 516 | vironment files but before starting the user's shell or command. |
519 | It must not produce any output on stdout; stderr must be used in- | 517 | It must not produce any output on stdout; stderr must be used in- |
@@ -548,9 +546,9 @@ FILES | |||
548 | readable by anyone else. | 546 | readable by anyone else. |
549 | 547 | ||
550 | /etc/ssh/sshrc | 548 | /etc/ssh/sshrc |
551 | Like $HOME/.ssh/rc. This can be used to specify machine-specific | 549 | Like ~/.ssh/rc. This can be used to specify machine-specific lo- |
552 | login-time initializations globally. This file should be | 550 | gin-time initializations globally. This file should be writable |
553 | writable only by root, and should be world-readable. | 551 | only by root, and should be world-readable. |
554 | 552 | ||
555 | SEE ALSO | 553 | SEE ALSO |
556 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 554 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
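Review bot: the reflow at lines 549-550 breaks "login-time" across lines as "lo-" / "gin-time", which reads poorly in the rendered page; rewording the sentence in the source (for example "specify global login-time initializations for the machine") would move the break so the hyphenated compound stays on one line.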
@@ -573,4 +571,4 @@ AUTHORS | |||
573 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 571 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
574 | for privilege separation. | 572 | for privilege separation. |
575 | 573 | ||
576 | OpenBSD 3.6 September 25, 1999 9 | 574 | OpenBSD 3.8 September 25, 1999 9 |
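Review bot: the footer at line 574 bumps the OS version to OpenBSD 3.8 but keeps the document date of September 25, 1999; since this revision changes page content (the 2048-bit host key default at line 24, not just the $HOME to ~ notation), the date in the nroff source should be updated as well, otherwise the footer misrepresents when the page was last revised.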