Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 55 |
1 files changed, 27 insertions, 28 deletions
@@ -4,7 +4,7 @@ NAME | |||
4 | sshd - OpenSSH SSH daemon | 4 | sshd - OpenSSH SSH daemon |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | sshd [-deiqtD46] [-b bits] [-f config_file] [-g login_grace_time] | 7 | sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time] |
8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] | 8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] |
9 | 9 | ||
10 | DESCRIPTION | 10 | DESCRIPTION |
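Review bot: the reordered synopsis `[-46Ddeiqt]` lists the flags in ASCII order (digits, then uppercase, then lowercase), which matches the position the -4, -6 and -D entries are moved to in the options list later in this diff. Since sshd.0 is the preformatted output of the mdoc source sshd.8, the same edit needs to land in sshd.8 as well, or the next regeneration will undo it; this view is limited to sshd.0, so that cannot be confirmed here.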
@@ -21,7 +21,6 @@ DESCRIPTION | |||
21 | sshd works as follows: | 21 | sshd works as follows: |
22 | 22 | ||
23 | SSH protocol version 1 | 23 | SSH protocol version 1 |
24 | |||
25 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | 24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- |
26 | tify the host. Additionally, when the daemon starts, it generates a | 25 | tify the host. Additionally, when the daemon starts, it generates a |
27 | server RSA key (normally 768 bits). This key is normally regenerated ev- | 26 | server RSA key (normally 768 bits). This key is normally regenerated ev- |
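Review bot: dropping the blank line after the "SSH protocol version 1" subheading is a layout-only change in the generated page; the same tightening is applied to the other two subheadings further down in this diff, so the rendering stays consistent. Nothing else in the hunk changes.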
@@ -30,7 +29,7 @@ DESCRIPTION | |||
30 | Whenever a client connects, the daemon responds with its public host and | 29 | Whenever a client connects, the daemon responds with its public host and |
31 | server keys. The client compares the RSA host key against its own | 30 | server keys. The client compares the RSA host key against its own |
32 | database to verify that it has not changed. The client then generates a | 31 | database to verify that it has not changed. The client then generates a |
33 | 256 bit random number. It encrypts this random number using both the | 32 | 256-bit random number. It encrypts this random number using both the |
34 | host key and the server key, and sends the encrypted number to the serv- | 33 | host key and the server key, and sends the encrypted number to the serv- |
35 | er. Both sides then use this random number as a session key which is | 34 | er. Both sides then use this random number as a session key which is |
36 | used to encrypt all further communications in the session. The rest of | 35 | used to encrypt all further communications in the session. The rest of |
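Review bot: "256-bit random number" is the correct compound-adjective form and matches the "128-bit AES" hyphenation change later in this diff. The surrounding description of the protocol 1 session-key exchange is unchanged, so no further edit is needed in this hunk.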
@@ -54,13 +53,12 @@ DESCRIPTION | |||
54 | field should be set to something other than these values (eg `NP' or | 53 | field should be set to something other than these values (eg `NP' or |
55 | `*NP*' ). | 54 | `*NP*' ). |
56 | 55 | ||
57 | Rhosts authentication is normally disabled because it is fundamentally | 56 | rhosts authentication is normally disabled because it is fundamentally |
58 | insecure, but can be enabled in the server configuration file if desired. | 57 | insecure, but can be enabled in the server configuration file if desired. |
59 | System security is not improved unless rshd, rlogind, and rexecd are dis- | 58 | System security is not improved unless rshd, rlogind, and rexecd are dis- |
60 | abled (thus completely disabling rlogin and rsh into the machine). | 59 | abled (thus completely disabling rlogin and rsh into the machine). |
61 | 60 | ||
62 | SSH protocol version 2 | 61 | SSH protocol version 2 |
63 | |||
64 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | 62 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) |
65 | used to identify the host. However, when the daemon starts, it does not | 63 | used to identify the host. However, when the daemon starts, it does not |
66 | generate a server key. Forward security is provided through a Diffie- | 64 | generate a server key. Forward security is provided through a Diffie- |
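Review bot: lowercasing "rhosts" at the start of the sentence is deliberate, since it names the mechanism and the .rhosts file rather than a proper noun, and it is consistent with the later change from ".rhosts authentication" to "rhosts authentication" under /etc/hosts.equiv. The statement that the mechanism is disabled by default because it is fundamentally insecure is preserved, so the guidance in this paragraph is intact.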
@@ -68,7 +66,7 @@ DESCRIPTION | |||
68 | key. | 66 | key. |
69 | 67 | ||
70 | The rest of the session is encrypted using a symmetric cipher, currently | 68 | The rest of the session is encrypted using a symmetric cipher, currently |
71 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit | 69 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit |
72 | AES. The client selects the encryption algorithm to use from those of- | 70 | AES. The client selects the encryption algorithm to use from those of- |
73 | fered by the server. Additionally, session integrity is provided through | 71 | fered by the server. Additionally, session integrity is provided through |
74 | a cryptographic message authentication code (hmac-sha1 or hmac-md5). | 72 | a cryptographic message authentication code (hmac-sha1 or hmac-md5). |
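Review bot: the "128-bit", "192-bit" and "256-bit" hyphenation is consistent with the 256-bit change above, and the line re-wrapped at the same width with no words lost. The cipher and MAC list in the unchanged context is untouched by this hunk.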
@@ -79,7 +77,6 @@ DESCRIPTION | |||
79 | ods. | 77 | ods. |
80 | 78 | ||
81 | Command execution and data forwarding | 79 | Command execution and data forwarding |
82 | |||
83 | If the client successfully authenticates itself, a dialog for preparing | 80 | If the client successfully authenticates itself, a dialog for preparing |
84 | the session is entered. At this time the client may request things like | 81 | the session is entered. At this time the client may request things like |
85 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP | 82 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP |
@@ -95,9 +92,9 @@ DESCRIPTION | |||
95 | tions have been closed, the server sends command exit status to the | 92 | tions have been closed, the server sends command exit status to the |
96 | client, and both sides exit. | 93 | client, and both sides exit. |
97 | 94 | ||
98 | sshd can be configured using command-line options or a configuration | 95 | sshd can be configured using command-line options or a configuration file |
99 | file. Command-line options override values specified in the configura- | 96 | (by default sshd_config(5)). Command-line options override values speci- |
100 | tion file. | 97 | fied in the configuration file. |
101 | 98 | ||
102 | sshd rereads its configuration file when it receives a hangup signal, | 99 | sshd rereads its configuration file when it receives a hangup signal, |
103 | SIGHUP, by executing itself with the name it was started as, i.e., | 100 | SIGHUP, by executing itself with the name it was started as, i.e., |
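Review bot: "a configuration file (by default sshd_config(5))" mixes a file with a manual-page reference; the CONFIGURATION FILE section further down gives the default path as /etc/ssh/sshd_config. Suggest "(by default /etc/ssh/sshd_config; see sshd_config(5))" so that both the default path and the cross-reference are explicit.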
@@ -105,10 +102,17 @@ DESCRIPTION | |||
105 | 102 | ||
106 | The options are as follows: | 103 | The options are as follows: |
107 | 104 | ||
105 | -4 Forces sshd to use IPv4 addresses only. | ||
106 | |||
107 | -6 Forces sshd to use IPv6 addresses only. | ||
108 | |||
108 | -b bits | 109 | -b bits |
109 | Specifies the number of bits in the ephemeral protocol version 1 | 110 | Specifies the number of bits in the ephemeral protocol version 1 |
110 | server key (default 768). | 111 | server key (default 768). |
111 | 112 | ||
113 | -D When this option is specified, sshd will not detach and does not | ||
114 | become a daemon. This allows easy monitoring of sshd. | ||
115 | |||
112 | -d Debug mode. The server sends verbose debug output to the system | 116 | -d Debug mode. The server sends verbose debug output to the system |
113 | log, and does not put itself in the background. The server also | 117 | log, and does not put itself in the background. The server also |
114 | will not fork and will only process one connection. This option | 118 | will not fork and will only process one connection. This option |
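Review bot: placing -D before -d follows the ASCII order used in the new synopsis, but a reader scanning alphabetically may expect -d first, so the ordering rule is worth a mention in the commit message. The inserted -4, -6 and -D entries carry the same text that is removed further down, with one difference: a comma after "When this option is specified", which reads better.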
@@ -149,15 +153,16 @@ DESCRIPTION | |||
149 | Specifies how often the ephemeral protocol version 1 server key | 153 | Specifies how often the ephemeral protocol version 1 server key |
150 | is regenerated (default 3600 seconds, or one hour). The motiva- | 154 | is regenerated (default 3600 seconds, or one hour). The motiva- |
151 | tion for regenerating the key fairly often is that the key is not | 155 | tion for regenerating the key fairly often is that the key is not |
152 | stored anywhere, and after about an hour, it becomes impossible | 156 | stored anywhere, and after about an hour it becomes impossible to |
153 | to recover the key for decrypting intercepted communications even | 157 | recover the key for decrypting intercepted communications even if |
154 | if the machine is cracked into or physically seized. A value of | 158 | the machine is cracked into or physically seized. A value of ze- |
155 | zero indicates that the key will never be regenerated. | 159 | ro indicates that the key will never be regenerated. |
156 | 160 | ||
157 | -o option | 161 | -o option |
158 | Can be used to give options in the format used in the configura- | 162 | Can be used to give options in the format used in the configura- |
159 | tion file. This is useful for specifying options for which there | 163 | tion file. This is useful for specifying options for which there |
160 | is no separate command-line flag. | 164 | is no separate command-line flag. For full details of the op- |
165 | tions, and their values, see sshd_config(5). | ||
161 | 166 | ||
162 | -p port | 167 | -p port |
163 | Specifies the port on which the server listens for connections | 168 | Specifies the port on which the server listens for connections |
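Review bot: the comma in "For full details of the options, and their values, see sshd_config(5)" splits a compound object; suggest "For full details of the options and their values, see sshd_config(5)." The re-wrapping of the -k paragraph changes only line breaks, and its statement that the ephemeral key is not stored anywhere and is regenerated hourly is unchanged.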
@@ -187,13 +192,6 @@ DESCRIPTION | |||
187 | tions that require DNS include using a USER@HOST pattern in | 192 | tions that require DNS include using a USER@HOST pattern in |
188 | AllowUsers or DenyUsers. | 193 | AllowUsers or DenyUsers. |
189 | 194 | ||
190 | -D When this option is specified sshd will not detach and does not | ||
191 | become a daemon. This allows easy monitoring of sshd. | ||
192 | |||
193 | -4 Forces sshd to use IPv4 addresses only. | ||
194 | |||
195 | -6 Forces sshd to use IPv6 addresses only. | ||
196 | |||
197 | CONFIGURATION FILE | 195 | CONFIGURATION FILE |
198 | sshd reads configuration data from /etc/ssh/sshd_config (or the file | 196 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
199 | specified with -f on the command line). The file format and configura- | 197 | specified with -f on the command line). The file format and configura- |
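Review bot: the removed -D, -4 and -6 entries are the same text inserted after -b earlier in this diff, so the move loses no documentation; the only wording difference is the comma added to the -D sentence, which is an improvement.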
@@ -216,8 +214,8 @@ LOGIN PROCESS | |||
216 | 214 | ||
217 | 5. Sets up basic environment. | 215 | 5. Sets up basic environment. |
218 | 216 | ||
219 | 6. Reads $HOME/.ssh/environment if it exists and users are al- | 217 | 6. Reads the file $HOME/.ssh/environment, if it exists, and users |
220 | lowed to change their environment. See the | 218 | are allowed to change their environment. See the |
221 | PermitUserEnvironment option in sshd_config(5). | 219 | PermitUserEnvironment option in sshd_config(5). |
222 | 220 | ||
223 | 7. Changes to user's home directory. | 221 | 7. Changes to user's home directory. |
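Review bot: the new comma placement in "Reads the file $HOME/.ssh/environment, if it exists, and users are allowed to change their environment" makes the second condition read as a separate clause coordinated with "Reads"; the original "if it exists and users are allowed to change their environment" ties both conditions to the read. Suggest keeping "if it exists and users are allowed to change their environment" without the second comma, with the PermitUserEnvironment reference as is.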
@@ -420,7 +418,7 @@ FILES | |||
420 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | 418 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
421 | as described in ssh-keygen(1). | 419 | as described in ssh-keygen(1). |
422 | 420 | ||
423 | /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts | 421 | /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts |
424 | These files are consulted when using rhosts with RSA host authen- | 422 | These files are consulted when using rhosts with RSA host authen- |
425 | tication or protocol version 2 hostbased authentication to check | 423 | tication or protocol version 2 hostbased authentication to check |
426 | the public key of the host. The key must be listed in one of | 424 | the public key of the host. The key must be listed in one of |
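Review bot: replacing "and" with a comma in the heading "/etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts" is fine provided the other multi-file headings in FILES use the same form; the description still says the key must be listed in one of the files, so the semantics are unchanged.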
@@ -447,7 +445,7 @@ FILES | |||
447 | and rshd. The file must be writable only by the user; it is rec- | 445 | and rshd. The file must be writable only by the user; it is rec- |
448 | ommended that it not be accessible by others. | 446 | ommended that it not be accessible by others. |
449 | 447 | ||
450 | If is also possible to use netgroups in the file. Either host or | 448 | It is also possible to use netgroups in the file. Either host or |
451 | user name may be of the form +@groupname to specify all hosts or | 449 | user name may be of the form +@groupname to specify all hosts or |
452 | all users in the group. | 450 | all users in the group. |
453 | 451 | ||
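Review bot: "If is also possible" to "It is also possible" is a straightforward typo fix with no other change in the hunk. Correct as is.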
@@ -457,7 +455,7 @@ FILES | |||
457 | access using SSH only. | 455 | access using SSH only. |
458 | 456 | ||
459 | /etc/hosts.equiv | 457 | /etc/hosts.equiv |
460 | This file is used during .rhosts authentication. In the simplest | 458 | This file is used during rhosts authentication. In the simplest |
461 | form, this file contains host names, one per line. Users on | 459 | form, this file contains host names, one per line. Users on |
462 | those hosts are permitted to log in without a password, provided | 460 | those hosts are permitted to log in without a password, provided |
463 | they have the same user name on both machines. The host name may | 461 | they have the same user name on both machines. The host name may |
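Review bot: "rhosts authentication" in place of ".rhosts authentication" keeps the terminology consistent with the DESCRIPTION change earlier in this diff, and is also more accurate here, since the entry describes /etc/hosts.equiv rather than a .rhosts file.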
@@ -535,7 +533,8 @@ FILES | |||
535 | 533 | ||
536 | SEE ALSO | 534 | SEE ALSO |
537 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), | 535 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
538 | login.conf(5), moduli(5), sshd_config(5), sftp-server(8) | 536 | chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5), |
537 | inetd(8), sftp-server(8) | ||
539 | 538 | ||
540 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH | 539 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH |
541 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January | 540 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January |
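Review bot: chroot(2), hosts_access(5) and inetd(8) are inserted in the correct SEE ALSO order (by section number, then alphabetically). Because this diff is limited to sshd.0, it does not show whether the body of the page actually mentions chroot, hosts_access or inetd; new SEE ALSO entries should correspond to text in the page, so confirm that before merging.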