summaryrefslogtreecommitdiff
path: root/sshd.0
diff options
context:
space:
mode:
Diffstat (limited to 'sshd.0')
-rw-r--r--sshd.0667
1 files changed, 667 insertions, 0 deletions
diff --git a/sshd.0 b/sshd.0
new file mode 100644
index 000000000..5f9aadd66
--- /dev/null
+++ b/sshd.0
@@ -0,0 +1,667 @@
1SSHD(8) System Manager's Manual SSHD(8)
2
3NAME
4 sshd M-bM-^@M-^S OpenSSH daemon
5
6SYNOPSIS
7 sshd [-46DdeiqTt] [-C connection_spec] [-c host_certificate_file]
8 [-E log_file] [-f config_file] [-g login_grace_time]
9 [-h host_key_file] [-o option] [-p port] [-u len]
10
11DESCRIPTION
12 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
13 programs replace rlogin and rsh, and provide secure encrypted
14 communications between two untrusted hosts over an insecure network.
15
16 sshd listens for connections from clients. It is normally started at
17 boot from /etc/rc. It forks a new daemon for each incoming connection.
18 The forked daemons handle key exchange, encryption, authentication,
19 command execution, and data exchange.
20
21 sshd can be configured using command-line options or a configuration file
22 (by default sshd_config(5)); command-line options override values
23 specified in the configuration file. sshd rereads its configuration file
24 when it receives a hangup signal, SIGHUP, by executing itself with the
25 name and options it was started with, e.g. /usr/sbin/sshd.
26
27 The options are as follows:
28
29 -4 Forces sshd to use IPv4 addresses only.
30
31 -6 Forces sshd to use IPv6 addresses only.
32
33 -C connection_spec
34 Specify the connection parameters to use for the -T extended test
35 mode. If provided, any Match directives in the configuration
36 file that would apply are applied before the configuration is
37 written to standard output. The connection parameters are
38 supplied as keyword=value pairs and may be supplied in any order,
39 either with multiple -C options or as a comma-separated list.
40 The keywords are M-bM-^@M-^\addr,M-bM-^@M-^] M-bM-^@M-^\userM-bM-^@M-^], M-bM-^@M-^\hostM-bM-^@M-^], M-bM-^@M-^\laddrM-bM-^@M-^], M-bM-^@M-^\lportM-bM-^@M-^], and
41 M-bM-^@M-^\rdomainM-bM-^@M-^] and correspond to source address, user, resolved source
42 host name, local address, local port number and routing domain
43 respectively.
44
45 -c host_certificate_file
46 Specifies a path to a certificate file to identify sshd during
47 key exchange. The certificate file must match a host key file
48 specified using the -h option or the HostKey configuration
49 directive.
50
51 -D When this option is specified, sshd will not detach and does not
52 become a daemon. This allows easy monitoring of sshd.
53
54 -d Debug mode. The server sends verbose debug output to standard
55 error, and does not put itself in the background. The server
56 also will not fork and will only process one connection. This
57 option is only intended for debugging for the server. Multiple
58 -d options increase the debugging level. Maximum is 3.
59
60 -E log_file
61 Append debug logs to log_file instead of the system log.
62
63 -e Write debug logs to standard error instead of the system log.
64
65 -f config_file
66 Specifies the name of the configuration file. The default is
67 /etc/ssh/sshd_config. sshd refuses to start if there is no
68 configuration file.
69
70 -g login_grace_time
71 Gives the grace time for clients to authenticate themselves
72 (default 120 seconds). If the client fails to authenticate the
73 user within this many seconds, the server disconnects and exits.
74 A value of zero indicates no limit.
75
76 -h host_key_file
77 Specifies a file from which a host key is read. This option must
78 be given if sshd is not run as root (as the normal host key files
79 are normally not readable by anyone but root). The default is
80 /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
81 /etc/ssh/ssh_host_rsa_key. It is possible to have multiple host
82 key files for the different host key algorithms.
83
84 -i Specifies that sshd is being run from inetd(8).
85
86 -o option
87 Can be used to give options in the format used in the
88 configuration file. This is useful for specifying options for
89 which there is no separate command-line flag. For full details
90 of the options, and their values, see sshd_config(5).
91
92 -p port
93 Specifies the port on which the server listens for connections
94 (default 22). Multiple port options are permitted. Ports
95 specified in the configuration file with the Port option are
96 ignored when a command-line port is specified. Ports specified
97 using the ListenAddress option override command-line ports.
98
99 -q Quiet mode. Nothing is sent to the system log. Normally the
100 beginning, authentication, and termination of each connection is
101 logged.
102
103 -T Extended test mode. Check the validity of the configuration
104 file, output the effective configuration to stdout and then exit.
105 Optionally, Match rules may be applied by specifying the
106 connection parameters using one or more -C options.
107
108 -t Test mode. Only check the validity of the configuration file and
109 sanity of the keys. This is useful for updating sshd reliably as
110 configuration options may change.
111
112 -u len This option is used to specify the size of the field in the utmp
113 structure that holds the remote host name. If the resolved host
114 name is longer than len, the dotted decimal value will be used
115 instead. This allows hosts with very long host names that
116 overflow this field to still be uniquely identified. Specifying
117 -u0 indicates that only dotted decimal addresses should be put
118 into the utmp file. -u0 may also be used to prevent sshd from
119 making DNS requests unless the authentication mechanism or
120 configuration requires it. Authentication mechanisms that may
121 require DNS include HostbasedAuthentication and using a
122 from="pattern-list" option in a key file. Configuration options
123 that require DNS include using a USER@HOST pattern in AllowUsers
124 or DenyUsers.
125
126AUTHENTICATION
127 The OpenSSH SSH daemon supports SSH protocol 2 only. Each host has a
128 host-specific key, used to identify the host. Whenever a client
129 connects, the daemon responds with its public host key. The client
130 compares the host key against its own database to verify that it has not
131 changed. Forward secrecy is provided through a Diffie-Hellman key
132 agreement. This key agreement results in a shared session key. The rest
133 of the session is encrypted using a symmetric cipher. The client selects
134 the encryption algorithm to use from those offered by the server.
135 Additionally, session integrity is provided through a cryptographic
136 message authentication code (MAC).
137
138 Finally, the server and the client enter an authentication dialog. The
139 client tries to authenticate itself using host-based authentication,
140 public key authentication, challenge-response authentication, or password
141 authentication.
142
143 Regardless of the authentication type, the account is checked to ensure
144 that it is accessible. An account is not accessible if it is locked,
145 listed in DenyUsers or its group is listed in DenyGroups . The
146 definition of a locked account is system dependent. Some platforms have
147 their own account database (eg AIX) and some modify the passwd field (
148 M-bM-^@M-^X*LK*M-bM-^@M-^Y on Solaris and UnixWare, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on
149 Tru64, a leading M-bM-^@M-^X*LOCKED*M-bM-^@M-^Y on FreeBSD and a leading M-bM-^@M-^X!M-bM-^@M-^Y on most
150 Linuxes). If there is a requirement to disable password authentication
151 for the account while allowing still public-key, then the passwd field
152 should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or M-bM-^@M-^X*NP*M-bM-^@M-^Y ).
153
154 If the client successfully authenticates itself, a dialog for preparing
155 the session is entered. At this time the client may request things like
156 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP
157 connections, or forwarding the authentication agent connection over the
158 secure channel.
159
160 After this, the client either requests a shell or execution of a command.
161 The sides then enter session mode. In this mode, either side may send
162 data at any time, and such data is forwarded to/from the shell or command
163 on the server side, and the user terminal in the client side.
164
165 When the user program terminates and all forwarded X11 and other
166 connections have been closed, the server sends command exit status to the
167 client, and both sides exit.
168
169LOGIN PROCESS
170 When a user successfully logs in, sshd does the following:
171
172 1. If the login is on a tty, and no command has been specified,
173 prints last login time and /etc/motd (unless prevented in the
174 configuration file or by ~/.hushlogin; see the FILES section).
175
176 2. If the login is on a tty, records login time.
177
178 3. Checks /etc/nologin; if it exists, prints contents and quits
179 (unless root).
180
181 4. Changes to run with normal user privileges.
182
183 5. Sets up basic environment.
184
185 6. Reads the file ~/.ssh/environment, if it exists, and users are
186 allowed to change their environment. See the
187 PermitUserEnvironment option in sshd_config(5).
188
189 7. Changes to user's home directory.
190
191 8. If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
192 is set, runs it; else if /etc/ssh/sshrc exists, runs it;
193 otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are given the X11
194 authentication protocol and cookie in standard input. See
195 SSHRC, below.
196
197 9. Runs user's shell or command. All commands are run under the
198 user's login shell as specified in the system password
199 database.
200
201SSHRC
202 If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment
203 files but before starting the user's shell or command. It must not
204 produce any output on stdout; stderr must be used instead. If X11
205 forwarding is in use, it will receive the "proto cookie" pair in its
206 standard input (and DISPLAY in its environment). The script must call
207 xauth(1) because sshd will not run xauth automatically to add X11
208 cookies.
209
210 The primary purpose of this file is to run any initialization routines
211 which may be needed before the user's home directory becomes accessible;
212 AFS is a particular example of such an environment.
213
214 This file will probably contain some initialization code followed by
215 something similar to:
216
217 if read proto cookie && [ -n "$DISPLAY" ]; then
218 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
219 # X11UseLocalhost=yes
220 echo add unix:`echo $DISPLAY |
221 cut -c11-` $proto $cookie
222 else
223 # X11UseLocalhost=no
224 echo add $DISPLAY $proto $cookie
225 fi | xauth -q -
226 fi
227
228 If this file does not exist, /etc/ssh/sshrc is run, and if that does not
229 exist either, xauth is used to add the cookie.
230
231AUTHORIZED_KEYS FILE FORMAT
232 AuthorizedKeysFile specifies the files containing public keys for public
233 key authentication; if this option is not specified, the default is
234 ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
235 file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are
236 ignored as comments). Public keys consist of the following space-
237 separated fields: options, keytype, base64-encoded key, comment. The
238 options field is optional. The supported key types are:
239
240 sk-ecdsa-sha2-nistp256@openssh.com
241 ecdsa-sha2-nistp256
242 ecdsa-sha2-nistp384
243 ecdsa-sha2-nistp521
244 sk-ssh-ed25519@openssh.com
245 ssh-ed25519
246 ssh-dss
247 ssh-rsa
248
249 The comment field is not used for anything (but may be convenient for the
250 user to identify the key).
251
252 Note that lines in this file can be several hundred bytes long (because
253 of the size of the public key encoding) up to a limit of 8 kilobytes,
254 which permits RSA keys up to 16 kilobits. You don't want to type them
255 in; instead, copy the id_dsa.pub, id_ecdsa.pub, id_ecdsa_sk.pub,
256 id_ed25519.pub, id_ed25519_sk.pub, or the id_rsa.pub file and edit it.
257
258 sshd enforces a minimum RSA key modulus size of 1024 bits.
259
260 The options (if present) consist of comma-separated option
261 specifications. No spaces are permitted, except within double quotes.
262 The following option specifications are supported (note that option
263 keywords are case-insensitive):
264
265 agent-forwarding
266 Enable authentication agent forwarding previously disabled by the
267 restrict option.
268
269 cert-authority
270 Specifies that the listed key is a certification authority (CA)
271 that is trusted to validate signed certificates for user
272 authentication.
273
274 Certificates may encode access restrictions similar to these key
275 options. If both certificate restrictions and key options are
276 present, the most restrictive union of the two is applied.
277
278 command="command"
279 Specifies that the command is executed whenever this key is used
280 for authentication. The command supplied by the user (if any) is
281 ignored. The command is run on a pty if the client requests a
282 pty; otherwise it is run without a tty. If an 8-bit clean
283 channel is required, one must not request a pty or should specify
284 no-pty. A quote may be included in the command by quoting it
285 with a backslash.
286
287 This option might be useful to restrict certain public keys to
288 perform just a specific operation. An example might be a key
289 that permits remote backups but nothing else. Note that the
290 client may specify TCP and/or X11 forwarding unless they are
291 explicitly prohibited, e.g. using the restrict key option.
292
293 The command originally supplied by the client is available in the
294 SSH_ORIGINAL_COMMAND environment variable. Note that this option
295 applies to shell, command or subsystem execution. Also note that
296 this command may be superseded by a sshd_config(5) ForceCommand
297 directive.
298
299 If a command is specified and a forced-command is embedded in a
300 certificate used for authentication, then the certificate will be
301 accepted only if the two commands are identical.
302
303 environment="NAME=value"
304 Specifies that the string is to be added to the environment when
305 logging in using this key. Environment variables set this way
306 override other default environment values. Multiple options of
307 this type are permitted. Environment processing is disabled by
308 default and is controlled via the PermitUserEnvironment option.
309
310 expiry-time="timespec"
311 Specifies a time after which the key will not be accepted. The
312 time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS]
313 time in the system time-zone.
314
315 from="pattern-list"
316 Specifies that in addition to public key authentication, either
317 the canonical name of the remote host or its IP address must be
318 present in the comma-separated list of patterns. See PATTERNS in
319 ssh_config(5) for more information on patterns.
320
321 In addition to the wildcard matching that may be applied to
322 hostnames or addresses, a from stanza may match IP addresses
323 using CIDR address/masklen notation.
324
325 The purpose of this option is to optionally increase security:
326 public key authentication by itself does not trust the network or
327 name servers or anything (but the key); however, if somebody
328 somehow steals the key, the key permits an intruder to log in
329 from anywhere in the world. This additional option makes using a
330 stolen key more difficult (name servers and/or routers would have
331 to be compromised in addition to just the key).
332
333 no-agent-forwarding
334 Forbids authentication agent forwarding when this key is used for
335 authentication.
336
337 no-port-forwarding
338 Forbids TCP forwarding when this key is used for authentication.
339 Any port forward requests by the client will return an error.
340 This might be used, e.g. in connection with the command option.
341
342 no-pty Prevents tty allocation (a request to allocate a pty will fail).
343
344 no-user-rc
345 Disables execution of ~/.ssh/rc.
346
347 no-X11-forwarding
348 Forbids X11 forwarding when this key is used for authentication.
349 Any X11 forward requests by the client will return an error.
350
351 permitlisten="[host:]port"
352 Limit remote port forwarding with the ssh(1) -R option such that
353 it may only listen on the specified host (optional) and port.
354 IPv6 addresses can be specified by enclosing the address in
355 square brackets. Multiple permitlisten options may be applied
356 separated by commas. Hostnames may include wildcards as
357 described in the PATTERNS section in ssh_config(5). A port
358 specification of * matches any port. Note that the setting of
359 GatewayPorts may further restrict listen addresses. Note that
360 ssh(1) will send a hostname of M-bM-^@M-^\localhostM-bM-^@M-^] if a listen host was
361 not specified when the forwarding was requested, and that this
362 name is treated differently to the explicit localhost addresses
363 M-bM-^@M-^\127.0.0.1M-bM-^@M-^] and M-bM-^@M-^\::1M-bM-^@M-^].
364
365 permitopen="host:port"
366 Limit local port forwarding with the ssh(1) -L option such that
367 it may only connect to the specified host and port. IPv6
368 addresses can be specified by enclosing the address in square
369 brackets. Multiple permitopen options may be applied separated
370 by commas. No pattern matching or name lookup is performed on
371 the specified hostnames, they must be literal host names and/or
372 addresses. A port specification of * matches any port.
373
374 port-forwarding
375 Enable port forwarding previously disabled by the restrict
376 option.
377
378 principals="principals"
379 On a cert-authority line, specifies allowed principals for
380 certificate authentication as a comma-separated list. At least
381 one name from the list must appear in the certificate's list of
382 principals for the certificate to be accepted. This option is
383 ignored for keys that are not marked as trusted certificate
384 signers using the cert-authority option.
385
386 pty Permits tty allocation previously disabled by the restrict
387 option.
388
389 no-touch-required
390 Do not require demonstration of user presence for signatures made
391 using this key. This option only makes sense for the FIDO
392 authenticator algorithms ecdsa-sk and ed25519-sk.
393
394 restrict
395 Enable all restrictions, i.e. disable port, agent and X11
396 forwarding, as well as disabling PTY allocation and execution of
397 ~/.ssh/rc. If any future restriction capabilities are added to
398 authorized_keys files they will be included in this set.
399
400 tunnel="n"
401 Force a tun(4) device on the server. Without this option, the
402 next available device will be used if the client requests a
403 tunnel.
404
405 user-rc
406 Enables execution of ~/.ssh/rc previously disabled by the
407 restrict option.
408
409 X11-forwarding
410 Permits X11 forwarding previously disabled by the restrict
411 option.
412
413 An example authorized_keys file:
414
415 # Comments allowed at start of line
416 ssh-rsa AAAAB3Nza...LiPk== user@example.net
417 from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
418 AAAAB2...19Q== john@example.net
419 command="dump /home",no-pty,no-port-forwarding ssh-rsa
420 AAAAC3...51R== example.net
421 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa
422 AAAAB5...21S==
423 permitlisten="localhost:8080",permitopen="localhost:22000" ssh-rsa
424 AAAAB5...21S==
425 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
426 jane@example.net
427 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
428 user@example.net
429 restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5==
430 user@example.net
431 no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko==
432 user@example.net
433
434SSH_KNOWN_HOSTS FILE FORMAT
435 The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
436 public keys for all known hosts. The global file should be prepared by
437 the administrator (optional), and the per-user file is maintained
438 automatically: whenever the user connects to an unknown host, its key is
439 added to the per-user file.
440
441 Each line in these files contains the following fields: markers
442 (optional), hostnames, keytype, base64-encoded key, comment. The fields
443 are separated by spaces.
444
445 The marker is optional, but if it is present then it must be one of
446 M-bM-^@M-^\@cert-authorityM-bM-^@M-^], to indicate that the line contains a certification
447 authority (CA) key, or M-bM-^@M-^\@revokedM-bM-^@M-^], to indicate that the key contained on
448 the line is revoked and must not ever be accepted. Only one marker
449 should be used on a key line.
450
451 Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as
452 wildcards); each pattern in turn is matched against the host name. When
453 sshd is authenticating a client, such as when using
454 HostbasedAuthentication, this will be the canonical client host name.
455 When ssh(1) is authenticating a server, this will be the host name given
456 by the user, the value of the ssh(1) HostkeyAlias if it was specified, or
457 the canonical server hostname if the ssh(1) CanonicalizeHostname option
458 was used.
459
460 A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indicate negation: if the host
461 name matches a negated pattern, it is not accepted (by that line) even if
462 it matched another pattern on the line. A hostname or address may
463 optionally be enclosed within M-bM-^@M-^X[M-bM-^@M-^Y and M-bM-^@M-^X]M-bM-^@M-^Y brackets then followed by M-bM-^@M-^X:M-bM-^@M-^Y
464 and a non-standard port number.
465
466 Alternately, hostnames may be stored in a hashed form which hides host
467 names and addresses should the file's contents be disclosed. Hashed
468 hostnames start with a M-bM-^@M-^X|M-bM-^@M-^Y character. Only one hashed hostname may
469 appear on a single line and none of the above negation or wildcard
470 operators may be applied.
471
472 The keytype and base64-encoded key are taken directly from the host key;
473 they can be obtained, for example, from /etc/ssh/ssh_host_rsa_key.pub.
474 The optional comment field continues to the end of the line, and is not
475 used.
476
477 Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments.
478
479 When performing host authentication, authentication is accepted if any
480 matching line has the proper key; either one that matches exactly or, if
481 the server has presented a certificate for authentication, the key of the
482 certification authority that signed the certificate. For a key to be
483 trusted as a certification authority, it must use the M-bM-^@M-^\@cert-authorityM-bM-^@M-^]
484 marker described above.
485
486 The known hosts file also provides a facility to mark keys as revoked,
487 for example when it is known that the associated private key has been
488 stolen. Revoked keys are specified by including the M-bM-^@M-^\@revokedM-bM-^@M-^] marker at
489 the beginning of the key line, and are never accepted for authentication
490 or as certification authorities, but instead will produce a warning from
491 ssh(1) when they are encountered.
492
493 It is permissible (but not recommended) to have several lines or
494 different host keys for the same names. This will inevitably happen when
495 short forms of host names from different domains are put in the file. It
496 is possible that the files contain conflicting information;
497 authentication is accepted if valid information can be found from either
498 file.
499
500 Note that the lines in these files are typically hundreds of characters
501 long, and you definitely don't want to type in the host keys by hand.
502 Rather, generate them by a script, ssh-keyscan(1) or by taking, for
503 example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the
504 front. ssh-keygen(1) also offers some basic automated editing for
505 ~/.ssh/known_hosts including removing hosts matching a host name and
506 converting all host names to their hashed representations.
507
508 An example ssh_known_hosts file:
509
510 # Comments allowed at start of line
511 closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
512 cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
513 # A hashed hostname
514 |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
515 AAAA1234.....=
516 # A revoked key
517 @revoked * ssh-rsa AAAAB5W...
518 # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
519 @cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
520
521FILES
522 ~/.hushlogin
523 This file is used to suppress printing the last login time and
524 /etc/motd, if PrintLastLog and PrintMotd, respectively, are
525 enabled. It does not suppress printing of the banner specified
526 by Banner.
527
528 ~/.rhosts
529 This file is used for host-based authentication (see ssh(1) for
530 more information). On some machines this file may need to be
531 world-readable if the user's home directory is on an NFS
532 partition, because sshd reads it as root. Additionally, this
533 file must be owned by the user, and must not have write
534 permissions for anyone else. The recommended permission for most
535 machines is read/write for the user, and not accessible by
536 others.
537
538 ~/.shosts
539 This file is used in exactly the same way as .rhosts, but allows
540 host-based authentication without permitting login with
541 rlogin/rsh.
542
543 ~/.ssh/
544 This directory is the default location for all user-specific
545 configuration and authentication information. There is no
546 general requirement to keep the entire contents of this directory
547 secret, but the recommended permissions are read/write/execute
548 for the user, and not accessible by others.
549
550 ~/.ssh/authorized_keys
551 Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
552 for logging in as this user. The format of this file is
553 described above. The content of the file is not highly
554 sensitive, but the recommended permissions are read/write for the
555 user, and not accessible by others.
556
557 If this file, the ~/.ssh directory, or the user's home directory
558 are writable by other users, then the file could be modified or
559 replaced by unauthorized users. In this case, sshd will not
560 allow it to be used unless the StrictModes option has been set to
561 M-bM-^@M-^\noM-bM-^@M-^].
562
563 ~/.ssh/environment
564 This file is read into the environment at login (if it exists).
565 It can only contain empty lines, comment lines (that start with
566 M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file
567 should be writable only by the user; it need not be readable by
568 anyone else. Environment processing is disabled by default and
569 is controlled via the PermitUserEnvironment option.
570
571 ~/.ssh/known_hosts
572 Contains a list of host keys for all hosts the user has logged
573 into that are not already in the systemwide list of known host
574 keys. The format of this file is described above. This file
575 should be writable only by root/the owner and can, but need not
576 be, world-readable.
577
578 ~/.ssh/rc
579 Contains initialization routines to be run before the user's home
580 directory becomes accessible. This file should be writable only
581 by the user, and need not be readable by anyone else.
582
583 /etc/hosts.equiv
584 This file is for host-based authentication (see ssh(1)). It
585 should only be writable by root.
586
587 /etc/moduli
588 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
589 Exchange" key exchange method. The file format is described in
590 moduli(5). If no usable groups are found in this file then fixed
591 internal groups will be used.
592
593 /etc/motd
594 See motd(5).
595
596 /etc/nologin
597 If this file exists, sshd refuses to let anyone except root log
598 in. The contents of the file are displayed to anyone trying to
599 log in, and non-root connections are refused. The file should be
600 world-readable.
601
602 /etc/shosts.equiv
603 This file is used in exactly the same way as hosts.equiv, but
604 allows host-based authentication without permitting login with
605 rlogin/rsh.
606
607 /etc/ssh/ssh_host_ecdsa_key
608 /etc/ssh/ssh_host_ed25519_key
609 /etc/ssh/ssh_host_rsa_key
610 These files contain the private parts of the host keys. These
611 files should only be owned by root, readable only by root, and
612 not accessible to others. Note that sshd does not start if these
613 files are group/world-accessible.
614
615 /etc/ssh/ssh_host_ecdsa_key.pub
616 /etc/ssh/ssh_host_ed25519_key.pub
617 /etc/ssh/ssh_host_rsa_key.pub
618 These files contain the public parts of the host keys. These
619 files should be world-readable but writable only by root. Their
620 contents should match the respective private parts. These files
621 are not really used for anything; they are provided for the
622 convenience of the user so their contents can be copied to known
623 hosts files. These files are created using ssh-keygen(1).
624
625 /etc/ssh/ssh_known_hosts
626 Systemwide list of known host keys. This file should be prepared
627 by the system administrator to contain the public host keys of
628 all machines in the organization. The format of this file is
629 described above. This file should be writable only by root/the
630 owner and should be world-readable.
631
632 /etc/ssh/sshd_config
633 Contains configuration data for sshd. The file format and
634 configuration options are described in sshd_config(5).
635
636 /etc/ssh/sshrc
637 Similar to ~/.ssh/rc, it can be used to specify machine-specific
638 login-time initializations globally. This file should be
639 writable only by root, and should be world-readable.
640
641 /var/empty
642 chroot(2) directory used by sshd during privilege separation in
643 the pre-authentication phase. The directory should not contain
644 any files and must be owned by root and not group or world-
645 writable.
646
647 /var/run/sshd.pid
648 Contains the process ID of the sshd listening for connections (if
649 there are several daemons running concurrently for different
650 ports, this contains the process ID of the one started last).
651 The content of this file is not sensitive; it can be world-
652 readable.
653
654SEE ALSO
655 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
656 ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
657 inetd(8), sftp-server(8)
658
659AUTHORS
660 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
661 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
662 de Raadt and Dug Song removed many bugs, re-added newer features and
663 created OpenSSH. Markus Friedl contributed the support for SSH protocol
664 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
665 for privilege separation.
666
667OpenBSD 6.7 January 25, 2020 OpenBSD 6.7
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-10 12:40:04 +0000