Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 368 |
1 files changed, 182 insertions, 186 deletions
@@ -1,28 +1,27 @@ | |||
1 | SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8) | 1 | SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8) |
2 | 2 | ||
3 | ^[[1mNAME^[[0m | 3 | NAME |
4 | ^[[1msshd ^[[22mM-bMM-^R OpenSSH SSH daemon | 4 | sshd - OpenSSH SSH daemon |
5 | 5 | ||
6 | ^[[1mSYNOPSIS^[[0m | 6 | SYNOPSIS |
7 | ^[[1msshd ^[[22m[^[[1mM-bMM-^RdeiqtD46^[[22m] [^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[24m] [^[[1mM-bMM-^Rf ^[[4m^[[22mconfig_file^[[24m] [^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[24m] | 7 | sshd [-deiqtD46] [-b bits] [-f config_file] [-g login_grace_time] |
8 | [^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[24m] [^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[24m] [^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[24m] [^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[24m] [^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m] | 8 | [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] |
9 | 9 | ||
10 | ^[[1mDESCRIPTION^[[0m | 10 | DESCRIPTION |
11 | ^[[1msshd ^[[22m(SSH Daemon) is the daemon program for ssh(1). Together these proM-bM-^@M-^P | 11 | sshd (SSH Daemon) is the daemon program for ssh(1). Together these pro- |
12 | grams replace rlogin and rsh, and provide secure encrypted communications | 12 | grams replace rlogin and rsh, and provide secure encrypted communications |
13 | between two untrusted hosts over an insecure network. The programs are | 13 | between two untrusted hosts over an insecure network. The programs are |
14 | intended to be as easy to install and use as possible. | 14 | intended to be as easy to install and use as possible. |
15 | 15 | ||
16 | ^[[1msshd ^[[22mis the daemon that listens for connections from clients. It is norM-bM-^@M-^P | 16 | sshd is the daemon that listens for connections from clients. It is nor- |
17 | mally started at boot from ^[[4m/etc/rc^[[24m. It forks a new daemon for each | 17 | mally started at boot from /etc/rc. It forks a new daemon for each |
18 | incoming connection. The forked daemons handle key exchange, encryption, | 18 | incoming connection. The forked daemons handle key exchange, encryption, |
19 | authentication, command execution, and data exchange. This implementaM-bM-^@M-^P | 19 | authentication, command execution, and data exchange. This implementa- |
20 | tion of ^[[1msshd ^[[22msupports both SSH protocol version 1 and 2 simultaneously. | 20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. |
21 | ^[[1msshd ^[[22mworks as follows: | 21 | sshd works as follows: |
22 | 22 | ||
23 | ^[[1mSSH protocol version 1^[[0m | 23 | SSH protocol version 1 |
24 | 24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | |
25 | Each host has a hostM-bM-^@M-^Pspecific RSA key (normally 1024 bits) used to idenM-bM-^@M-^P | ||
26 | tify the host. Additionally, when the daemon starts, it generates a | 25 | tify the host. Additionally, when the daemon starts, it generates a |
27 | server RSA key (normally 768 bits). This key is normally regenerated | 26 | server RSA key (normally 768 bits). This key is normally regenerated |
28 | every hour if it has been used, and is never stored on disk. | 27 | every hour if it has been used, and is never stored on disk. |
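Review bot: the conversion to plain ASCII in this hunk is incomplete. The hyphens that were rendered as the multi-byte sequence M-bM-^@M-^P now come out as `-` (new lines 11, 16, 19 and 24), but the apostrophe in the header line, `BSD System ManagerM-bM-^@M-^Ys Manual`, is still the multi-byte right single quote on both sides of the diff. If the intent is a pure ASCII rendering of sshd.0, the apostrophe should be converted in the same pass; otherwise the commit message should say why hyphens and quotation marks are treated differently.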
@@ -35,24 +34,23 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
35 | server. Both sides then use this random number as a session key which is | 34 | server. Both sides then use this random number as a session key which is |
36 | used to encrypt all further communications in the session. The rest of | 35 | used to encrypt all further communications in the session. The rest of |
37 | the session is encrypted using a conventional cipher, currently Blowfish | 36 | the session is encrypted using a conventional cipher, currently Blowfish |
38 | or 3DES, with 3DES being used by default. The client selects the encrypM-bM-^@M-^P | 37 | or 3DES, with 3DES being used by default. The client selects the encryp- |
39 | tion algorithm to use from those offered by the server. | 38 | tion algorithm to use from those offered by the server. |
40 | 39 | ||
41 | Next, the server and the client enter an authentication dialog. The | 40 | Next, the server and the client enter an authentication dialog. The |
42 | client tries to authenticate itself using ^[[4m.rhosts^[[24m authentication, ^[[4m.rhosts^[[0m | 41 | client tries to authenticate itself using .rhosts authentication, .rhosts |
43 | authentication combined with RSA host authentication, RSA challengeM-bM-^@M-^P | 42 | authentication combined with RSA host authentication, RSA challenge- |
44 | response authentication, or password based authentication. | 43 | response authentication, or password based authentication. |
45 | 44 | ||
46 | Rhosts authentication is normally disabled because it is fundamentally | 45 | Rhosts authentication is normally disabled because it is fundamentally |
47 | insecure, but can be enabled in the server configuration file if desired. | 46 | insecure, but can be enabled in the server configuration file if desired. |
48 | System security is not improved unless ^[[1mrshd^[[22m, ^[[1mrlogind^[[22m, and ^[[1mrexecd ^[[22mare disM-bM-^@M-^P | 47 | System security is not improved unless rshd, rlogind, and rexecd are dis- |
49 | abled (thus completely disabling rlogin and rsh into the machine). | 48 | abled (thus completely disabling rlogin and rsh into the machine). |
50 | 49 | ||
51 | ^[[1mSSH protocol version 2^[[0m | 50 | SSH protocol version 2 |
52 | 51 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | |
53 | Version 2 works similarly: Each host has a hostM-bM-^@M-^Pspecific key (RSA or DSA) | ||
54 | used to identify the host. However, when the daemon starts, it does not | 52 | used to identify the host. However, when the daemon starts, it does not |
55 | generate a server key. Forward security is provided through a DiffieM-bM-^@M-^P | 53 | generate a server key. Forward security is provided through a Diffie- |
56 | Hellman key agreement. This key agreement results in a shared session | 54 | Hellman key agreement. This key agreement results in a shared session |
57 | key. | 55 | key. |
58 | 56 | ||
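Review bot: besides the removal of the bold/underline escape sequences, this hunk changes layout: the blank line between the subsection heading `SSH protocol version 2` and its first paragraph is dropped (old lines 51-53 collapse into new lines 50-51), and the previous hunk does the same for `SSH protocol version 1`. The commit message should mention that heading spacing changed, since it is not obvious from a change described as a re-rendering, and it confirms the new formatter output is the intended one rather than a side effect of a different formatter.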
@@ -60,19 +58,18 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
60 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit | 58 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit |
61 | AES. The client selects the encryption algorithm to use from those | 59 | AES. The client selects the encryption algorithm to use from those |
62 | offered by the server. Additionally, session integrity is provided | 60 | offered by the server. Additionally, session integrity is provided |
63 | through a cryptographic message authentication code (hmacM-bM-^@M-^Psha1 or hmacM-bM-^@M-^P | 61 | through a cryptographic message authentication code (hmac-sha1 or hmac- |
64 | md5). | 62 | md5). |
65 | 63 | ||
66 | Protocol version 2 provides a public key based user (PubkeyAuthenticaM-bM-^@M-^P | 64 | Protocol version 2 provides a public key based user (PubkeyAuthentica- |
67 | tion) or client host (HostbasedAuthentication) authentication method, | 65 | tion) or client host (HostbasedAuthentication) authentication method, |
68 | conventional password authentication and challenge response based methM-bM-^@M-^P | 66 | conventional password authentication and challenge response based meth- |
69 | ods. | 67 | ods. |
70 | 68 | ||
71 | ^[[1mCommand execution and data forwarding^[[0m | 69 | Command execution and data forwarding |
72 | |||
73 | If the client successfully authenticates itself, a dialog for preparing | 70 | If the client successfully authenticates itself, a dialog for preparing |
74 | the session is entered. At this time the client may request things like | 71 | the session is entered. At this time the client may request things like |
75 | allocating a pseudoM-bM-^@M-^Ptty, forwarding X11 connections, forwarding TCP/IP | 72 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP |
76 | connections, or forwarding the authentication agent connection over the | 73 | connections, or forwarding the authentication agent connection over the |
77 | secure channel. | 74 | secure channel. |
78 | 75 | ||
@@ -81,360 +78,359 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
81 | data at any time, and such data is forwarded to/from the shell or command | 78 | data at any time, and such data is forwarded to/from the shell or command |
82 | on the server side, and the user terminal in the client side. | 79 | on the server side, and the user terminal in the client side. |
83 | 80 | ||
84 | When the user program terminates and all forwarded X11 and other connecM-bM-^@M-^P | 81 | When the user program terminates and all forwarded X11 and other connec- |
85 | tions have been closed, the server sends command exit status to the | 82 | tions have been closed, the server sends command exit status to the |
86 | client, and both sides exit. | 83 | client, and both sides exit. |
87 | 84 | ||
88 | ^[[1msshd ^[[22mcan be configured using commandM-bM-^@M-^Pline options or a configuration | 85 | sshd can be configured using command-line options or a configuration |
89 | file. CommandM-bM-^@M-^Pline options override values specified in the configuraM-bM-^@M-^P | 86 | file. Command-line options override values specified in the configura- |
90 | tion file. | 87 | tion file. |
91 | 88 | ||
92 | ^[[1msshd ^[[22mrereads its configuration file when it receives a hangup signal, | 89 | sshd rereads its configuration file when it receives a hangup signal, |
93 | SIGHUP, by executing itself with the name it was started as, i.e., | 90 | SIGHUP, by executing itself with the name it was started as, i.e., |
94 | ^[[4m/usr/sbin/sshd^[[24m. | 91 | /usr/sbin/sshd. |
95 | 92 | ||
96 | The options are as follows: | 93 | The options are as follows: |
97 | 94 | ||
98 | ^[[1mM-bMM-^Rb ^[[4m^[[22mbits^[[0m | 95 | -b bits |
99 | Specifies the number of bits in the ephemeral protocol version 1 | 96 | Specifies the number of bits in the ephemeral protocol version 1 |
100 | server key (default 768). | 97 | server key (default 768). |
101 | 98 | ||
102 | ^[[1mM-bMM-^Rd ^[[22mDebug mode. The server sends verbose debug output to the system | 99 | -d Debug mode. The server sends verbose debug output to the system |
103 | log, and does not put itself in the background. The server also | 100 | log, and does not put itself in the background. The server also |
104 | will not fork and will only process one connection. This option | 101 | will not fork and will only process one connection. This option |
105 | is only intended for debugging for the server. Multiple ^[[1mM-bMM-^Rd^[[0m | 102 | is only intended for debugging for the server. Multiple -d |
106 | options increase the debugging level. Maximum is 3. | 103 | options increase the debugging level. Maximum is 3. |
107 | 104 | ||
108 | ^[[1mM-bMM-^Re ^[[22mWhen this option is specified, ^[[1msshd ^[[22mwill send the output to the | 105 | -e When this option is specified, sshd will send the output to the |
109 | standard error instead of the system log. | 106 | standard error instead of the system log. |
110 | 107 | ||
111 | ^[[1mM-bMM-^Rf ^[[4m^[[22mconfiguration_file^[[0m | 108 | -f configuration_file |
112 | Specifies the name of the configuration file. The default is | 109 | Specifies the name of the configuration file. The default is |
113 | ^[[4m/etc/ssh/sshd_config^[[24m. ^[[1msshd ^[[22mrefuses to start if there is no conM-bM-^@M-^P | 110 | /etc/ssh/sshd_config. sshd refuses to start if there is no con- |
114 | figuration file. | 111 | figuration file. |
115 | 112 | ||
116 | ^[[1mM-bMM-^Rg ^[[4m^[[22mlogin_grace_time^[[0m | 113 | -g login_grace_time |
117 | Gives the grace time for clients to authenticate themselves | 114 | Gives the grace time for clients to authenticate themselves |
118 | (default 120 seconds). If the client fails to authenticate the | 115 | (default 120 seconds). If the client fails to authenticate the |
119 | user within this many seconds, the server disconnects and exits. | 116 | user within this many seconds, the server disconnects and exits. |
120 | A value of zero indicates no limit. | 117 | A value of zero indicates no limit. |
121 | 118 | ||
122 | ^[[1mM-bMM-^Rh ^[[4m^[[22mhost_key_file^[[0m | 119 | -h host_key_file |
123 | Specifies a file from which a host key is read. This option must | 120 | Specifies a file from which a host key is read. This option must |
124 | be given if ^[[1msshd ^[[22mis not run as root (as the normal host key files | 121 | be given if sshd is not run as root (as the normal host key files |
125 | are normally not readable by anyone but root). The default is | 122 | are normally not readable by anyone but root). The default is |
126 | ^[[4m/etc/ssh/ssh_host_key^[[24m for protocol version 1, and | 123 | /etc/ssh/ssh_host_key for protocol version 1, and |
127 | ^[[4m/etc/ssh/ssh_host_rsa_key^[[24m and ^[[4m/etc/ssh/ssh_host_dsa_key^[[24m for proM-bM-^@M-^P | 124 | /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- |
128 | tocol version 2. It is possible to have multiple host key files | 125 | tocol version 2. It is possible to have multiple host key files |
129 | for the different protocol versions and host key algorithms. | 126 | for the different protocol versions and host key algorithms. |
130 | 127 | ||
131 | ^[[1mM-bMM-^Ri ^[[22mSpecifies that ^[[1msshd ^[[22mis being run from inetd(8). ^[[1msshd ^[[22mis normally | 128 | -i Specifies that sshd is being run from inetd(8). sshd is normally |
132 | not run from inetd because it needs to generate the server key | 129 | not run from inetd because it needs to generate the server key |
133 | before it can respond to the client, and this may take tens of | 130 | before it can respond to the client, and this may take tens of |
134 | seconds. Clients would have to wait too long if the key was | 131 | seconds. Clients would have to wait too long if the key was |
135 | regenerated every time. However, with small key sizes (e.g., | 132 | regenerated every time. However, with small key sizes (e.g., |
136 | 512) using ^[[1msshd ^[[22mfrom inetd may be feasible. | 133 | 512) using sshd from inetd may be feasible. |
137 | 134 | ||
138 | ^[[1mM-bMM-^Rk ^[[4m^[[22mkey_gen_time^[[0m | 135 | -k key_gen_time |
139 | Specifies how often the ephemeral protocol version 1 server key | 136 | Specifies how often the ephemeral protocol version 1 server key |
140 | is regenerated (default 3600 seconds, or one hour). The motivaM-bM-^@M-^P | 137 | is regenerated (default 3600 seconds, or one hour). The motiva- |
141 | tion for regenerating the key fairly often is that the key is not | 138 | tion for regenerating the key fairly often is that the key is not |
142 | stored anywhere, and after about an hour, it becomes impossible | 139 | stored anywhere, and after about an hour, it becomes impossible |
143 | to recover the key for decrypting intercepted communications even | 140 | to recover the key for decrypting intercepted communications even |
144 | if the machine is cracked into or physically seized. A value of | 141 | if the machine is cracked into or physically seized. A value of |
145 | zero indicates that the key will never be regenerated. | 142 | zero indicates that the key will never be regenerated. |
146 | 143 | ||
147 | ^[[1mM-bMM-^Ro ^[[4m^[[22moption^[[0m | 144 | -o option |
148 | Can be used to give options in the format used in the configuraM-bM-^@M-^P | 145 | Can be used to give options in the format used in the configura- |
149 | tion file. This is useful for specifying options for which there | 146 | tion file. This is useful for specifying options for which there |
150 | is no separate commandM-bM-^@M-^Pline flag. | 147 | is no separate command-line flag. |
151 | 148 | ||
152 | ^[[1mM-bMM-^Rp ^[[4m^[[22mport^[[0m | 149 | -p port |
153 | Specifies the port on which the server listens for connections | 150 | Specifies the port on which the server listens for connections |
154 | (default 22). Multiple port options are permitted. Ports speciM-bM-^@M-^P | 151 | (default 22). Multiple port options are permitted. Ports speci- |
155 | fied in the configuration file are ignored when a commandM-bM-^@M-^Pline | 152 | fied in the configuration file are ignored when a command-line |
156 | port is specified. | 153 | port is specified. |
157 | 154 | ||
158 | ^[[1mM-bMM-^Rq ^[[22mQuiet mode. Nothing is sent to the system log. Normally the | 155 | -q Quiet mode. Nothing is sent to the system log. Normally the |
159 | beginning, authentication, and termination of each connection is | 156 | beginning, authentication, and termination of each connection is |
160 | logged. | 157 | logged. |
161 | 158 | ||
162 | ^[[1mM-bMM-^Rt ^[[22mTest mode. Only check the validity of the configuration file and | 159 | -t Test mode. Only check the validity of the configuration file and |
163 | sanity of the keys. This is useful for updating ^[[1msshd ^[[22mreliably as | 160 | sanity of the keys. This is useful for updating sshd reliably as |
164 | configuration options may change. | 161 | configuration options may change. |
165 | 162 | ||
166 | ^[[1mM-bMM-^Ru ^[[4m^[[22mlen^[[24m This option is used to specify the size of the field in the utmp | 163 | -u len This option is used to specify the size of the field in the utmp |
167 | structure that holds the remote host name. If the resolved host | 164 | structure that holds the remote host name. If the resolved host |
168 | name is longer than ^[[4mlen^[[24m, the dotted decimal value will be used | 165 | name is longer than len, the dotted decimal value will be used |
169 | instead. This allows hosts with very long host names that overM-bM-^@M-^P | 166 | instead. This allows hosts with very long host names that over- |
170 | flow this field to still be uniquely identified. Specifying ^[[1mM-bMM-^Ru0^[[0m | 167 | flow this field to still be uniquely identified. Specifying -u0 |
171 | indicates that only dotted decimal addresses should be put into | 168 | indicates that only dotted decimal addresses should be put into |
172 | the ^[[4mutmp^[[24m file. ^[[1mM-bMM-^Ru0 ^[[22mmay also be used to prevent ^[[1msshd ^[[22mfrom making | 169 | the utmp file. -u0 may also be used to prevent sshd from making |
173 | DNS requests unless the authentication mechanism or configuration | 170 | DNS requests unless the authentication mechanism or configuration |
174 | requires it. Authentication mechanisms that may require DNS | 171 | requires it. Authentication mechanisms that may require DNS |
175 | include ^[[1mRhostsAuthentication^[[22m, ^[[1mRhostsRSAAuthentication^[[22m, | 172 | include RhostsAuthentication, RhostsRSAAuthentication, |
176 | ^[[1mHostbasedAuthentication ^[[22mand using a ^[[1mfrom="patternM-bM-^@M-^Plist" ^[[22moption in | 173 | HostbasedAuthentication and using a from="pattern-list" option in |
177 | a key file. Configuration options that require DNS include using | 174 | a key file. Configuration options that require DNS include using |
178 | a USER@HOST pattern in ^[[1mAllowUsers ^[[22mor ^[[1mDenyUsers^[[22m. | 175 | a USER@HOST pattern in AllowUsers or DenyUsers. |
179 | 176 | ||
180 | ^[[1mM-bMM-^RD ^[[22mWhen this option is specified ^[[1msshd ^[[22mwill not detach and does not | 177 | -D When this option is specified sshd will not detach and does not |
181 | become a daemon. This allows easy monitoring of ^[[1msshd^[[22m. | 178 | become a daemon. This allows easy monitoring of sshd. |
182 | 179 | ||
183 | ^[[1mM-bMM-^R4 ^[[22mForces ^[[1msshd ^[[22mto use IPv4 addresses only. | 180 | -4 Forces sshd to use IPv4 addresses only. |
184 | 181 | ||
185 | ^[[1mM-bMM-^R6 ^[[22mForces ^[[1msshd ^[[22mto use IPv6 addresses only. | 182 | -6 Forces sshd to use IPv6 addresses only. |
186 | 183 | ||
187 | ^[[1mCONFIGURATION FILE^[[0m | 184 | CONFIGURATION FILE |
188 | ^[[1msshd ^[[22mreads configuration data from ^[[4m/etc/ssh/sshd_config^[[24m (or the file | 185 | sshd reads configuration data from /etc/ssh/sshd_config (or the file |
189 | specified with ^[[1mM-bMM-^Rf ^[[22mon the command line). The file format and configuraM-bM-^@M-^P | 186 | specified with -f on the command line). The file format and configura- |
190 | tion options are described in sshd_config(5). | 187 | tion options are described in sshd_config(5). |
191 | 188 | ||
192 | ^[[1mLOGIN PROCESS^[[0m | 189 | LOGIN PROCESS |
193 | When a user successfully logs in, ^[[1msshd ^[[22mdoes the following: | 190 | When a user successfully logs in, sshd does the following: |
194 | 191 | ||
195 | 1. If the login is on a tty, and no command has been specified, | 192 | 1. If the login is on a tty, and no command has been specified, |
196 | prints last login time and ^[[4m/etc/motd^[[24m (unless prevented in the | 193 | prints last login time and /etc/motd (unless prevented in the |
197 | configuration file or by ^[[4m$HOME/.hushlogin^[[24m; see the ^[[4mFILES^[[24m secM-bM-^@M-^P | 194 | configuration file or by $HOME/.hushlogin; see the FILES sec- |
198 | tion). | 195 | tion). |
199 | 196 | ||
200 | 2. If the login is on a tty, records login time. | 197 | 2. If the login is on a tty, records login time. |
201 | 198 | ||
202 | 3. Checks ^[[4m/etc/nologin^[[24m; if it exists, prints contents and quits | 199 | 3. Checks /etc/nologin; if it exists, prints contents and quits |
203 | (unless root). | 200 | (unless root). |
204 | 201 | ||
205 | 4. Changes to run with normal user privileges. | 202 | 4. Changes to run with normal user privileges. |
206 | 203 | ||
207 | 5. Sets up basic environment. | 204 | 5. Sets up basic environment. |
208 | 205 | ||
209 | 6. Reads ^[[4m$HOME/.ssh/environment^[[24m if it exists and users are | 206 | 6. Reads $HOME/.ssh/environment if it exists and users are |
210 | allowed to change their environment. See the | 207 | allowed to change their environment. See the |
211 | ^[[1mPermitUserEnvironment ^[[22moption in sshd_config(5). | 208 | PermitUserEnvironment option in sshd_config(5). |
212 | 209 | ||
213 | 7. Changes to userM-bM-^@M-^Ys home directory. | 210 | 7. Changes to userM-bM-^@M-^Ys home directory. |
214 | 211 | ||
215 | 8. If ^[[4m$HOME/.ssh/rc^[[24m exists, runs it; else if ^[[4m/etc/ssh/sshrc^[[0m | 212 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc |
216 | exists, runs it; otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are | 213 | exists, runs it; otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are |
217 | given the X11 authentication protocol and cookie in standard | 214 | given the X11 authentication protocol and cookie in standard |
218 | input. | 215 | input. |
219 | 216 | ||
220 | 9. Runs userM-bM-^@M-^Ys shell or command. | 217 | 9. Runs userM-bM-^@M-^Ys shell or command. |
221 | 218 | ||
222 | ^[[1mAUTHORIZED_KEYS FILE FORMAT^[[0m | 219 | AUTHORIZED_KEYS FILE FORMAT |
223 | ^[[4m$HOME/.ssh/authorized_keys^[[24m is the default file that lists the public keys | 220 | $HOME/.ssh/authorized_keys is the default file that lists the public keys |
224 | that are permitted for RSA authentication in protocol version 1 and for | 221 | that are permitted for RSA authentication in protocol version 1 and for |
225 | public key authentication (PubkeyAuthentication) in protocol version 2. | 222 | public key authentication (PubkeyAuthentication) in protocol version 2. |
226 | ^[[1mAuthorizedKeysFile ^[[22mmay be used to specify an alternative file. | 223 | AuthorizedKeysFile may be used to specify an alternative file. |
227 | 224 | ||
228 | Each line of the file contains one key (empty lines and lines starting | 225 | Each line of the file contains one key (empty lines and lines starting |
229 | with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the | 226 | with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the |
230 | following fields, separated by spaces: options, bits, exponent, modulus, | 227 | following fields, separated by spaces: options, bits, exponent, modulus, |
231 | comment. Each protocol version 2 public key consists of: options, keyM-bM-^@M-^P | 228 | comment. Each protocol version 2 public key consists of: options, key- |
232 | type, base64 encoded key, comment. The options field is optional; its | 229 | type, base64 encoded key, comment. The options field is optional; its |
233 | presence is determined by whether the line starts with a number or not | 230 | presence is determined by whether the line starts with a number or not |
234 | (the options field never starts with a number). The bits, exponent, modM-bM-^@M-^P | 231 | (the options field never starts with a number). The bits, exponent, mod- |
235 | ulus and comment fields give the RSA key for protocol version 1; the comM-bM-^@M-^P | 232 | ulus and comment fields give the RSA key for protocol version 1; the com- |
236 | ment field is not used for anything (but may be convenient for the user | 233 | ment field is not used for anything (but may be convenient for the user |
237 | to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\sshM-bM-^@M-^PdssM-bM-^@M-^] or | 234 | to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or |
238 | M-bM-^@M-^\sshM-bM-^@M-^PrsaM-bM-^@M-^]. | 235 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. |
239 | 236 | ||
240 | Note that lines in this file are usually several hundred bytes long | 237 | Note that lines in this file are usually several hundred bytes long |
241 | (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type | 238 | (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type |
242 | them in; instead, copy the ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m or the ^[[4mid_rsa.pub^[[0m | 239 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub |
243 | file and edit it. | 240 | file and edit it. |
244 | 241 | ||
245 | ^[[1msshd ^[[22menforces a minimum RSA key modulus size for protocol 1 and protocol | 242 | sshd enforces a minimum RSA key modulus size for protocol 1 and protocol |
246 | 2 keys of 768 bits. | 243 | 2 keys of 768 bits. |
247 | 244 | ||
248 | The options (if present) consist of commaM-bM-^@M-^Pseparated option specificaM-bM-^@M-^P | 245 | The options (if present) consist of comma-separated option specifica- |
249 | tions. No spaces are permitted, except within double quotes. The folM-bM-^@M-^P | 246 | tions. No spaces are permitted, except within double quotes. The fol- |
250 | lowing option specifications are supported (note that option keywords are | 247 | lowing option specifications are supported (note that option keywords are |
251 | caseM-bM-^@M-^Pinsensitive): | 248 | case-insensitive): |
252 | 249 | ||
253 | ^[[1mfrom="patternM-bM-^@M-^Plist"^[[0m | 250 | from="pattern-list" |
254 | Specifies that in addition to public key authentication, the | 251 | Specifies that in addition to public key authentication, the |
255 | canonical name of the remote host must be present in the commaM-bM-^@M-^P | 252 | canonical name of the remote host must be present in the comma- |
256 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? serve as wildcards). | 253 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y? serve as wildcards). |
257 | The list may also contain patterns negated by prefixing them with | 254 | The list may also contain patterns negated by prefixing them with |
258 | M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the | 255 | M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the |
259 | key is not accepted. The purpose of this option is to optionally | 256 | key is not accepted. The purpose of this option is to optionally |
260 | increase security: public key authentication by itself does not | 257 | increase security: public key authentication by itself does not |
261 | trust the network or name servers or anything (but the key); howM-bM-^@M-^P | 258 | trust the network or name servers or anything (but the key); how- |
262 | ever, if somebody somehow steals the key, the key permits an | 259 | ever, if somebody somehow steals the key, the key permits an |
263 | intruder to log in from anywhere in the world. This additional | 260 | intruder to log in from anywhere in the world. This additional |
264 | option makes using a stolen key more difficult (name servers | 261 | option makes using a stolen key more difficult (name servers |
265 | and/or routers would have to be compromised in addition to just | 262 | and/or routers would have to be compromised in addition to just |
266 | the key). | 263 | the key). |
267 | 264 | ||
268 | ^[[1mcommand="command"^[[0m | 265 | command="command" |
269 | Specifies that the command is executed whenever this key is used | 266 | Specifies that the command is executed whenever this key is used |
270 | for authentication. The command supplied by the user (if any) is | 267 | for authentication. The command supplied by the user (if any) is |
271 | ignored. The command is run on a pty if the client requests a | 268 | ignored. The command is run on a pty if the client requests a |
272 | pty; otherwise it is run without a tty. If an 8M-bM-^@M-^Pbit clean chanM-bM-^@M-^P | 269 | pty; otherwise it is run without a tty. If an 8-bit clean chan- |
273 | nel is required, one must not request a pty or should specify | 270 | nel is required, one must not request a pty or should specify |
274 | ^[[1mnoM-bM-^@M-^Ppty^[[22m. A quote may be included in the command by quoting it | 271 | no-pty. A quote may be included in the command by quoting it |
275 | with a backslash. This option might be useful to restrict cerM-bM-^@M-^P | 272 | with a backslash. This option might be useful to restrict cer- |
276 | tain public keys to perform just a specific operation. An examM-bM-^@M-^P | 273 | tain public keys to perform just a specific operation. An exam- |
277 | ple might be a key that permits remote backups but nothing else. | 274 | ple might be a key that permits remote backups but nothing else. |
278 | Note that the client may specify TCP/IP and/or X11 forwarding | 275 | Note that the client may specify TCP/IP and/or X11 forwarding |
279 | unless they are explicitly prohibited. Note that this option | 276 | unless they are explicitly prohibited. Note that this option |
280 | applies to shell, command or subsystem execution. | 277 | applies to shell, command or subsystem execution. |
281 | 278 | ||
282 | ^[[1menvironment="NAME=value"^[[0m | 279 | environment="NAME=value" |
283 | Specifies that the string is to be added to the environment when | 280 | Specifies that the string is to be added to the environment when |
284 | logging in using this key. Environment variables set this way | 281 | logging in using this key. Environment variables set this way |
285 | override other default environment values. Multiple options of | 282 | override other default environment values. Multiple options of |
286 | this type are permitted. Environment processing is disabled by | 283 | this type are permitted. Environment processing is disabled by |
287 | default and is controlled via the ^[[1mPermitUserEnvironment ^[[22moption. | 284 | default and is controlled via the PermitUserEnvironment option. |
288 | This option is automatically disabled if ^[[1mUseLogin ^[[22mis enabled. | 285 | This option is automatically disabled if UseLogin is enabled. |
289 | 286 | ||
290 | ^[[1mnoM-bM-^@M-^PportM-bM-^@M-^Pforwarding^[[0m | 287 | no-port-forwarding |
291 | Forbids TCP/IP forwarding when this key is used for authenticaM-bM-^@M-^P | 288 | Forbids TCP/IP forwarding when this key is used for authentica- |
292 | tion. Any port forward requests by the client will return an | 289 | tion. Any port forward requests by the client will return an |
293 | error. This might be used, e.g., in connection with the ^[[1mcommand^[[0m | 290 | error. This might be used, e.g., in connection with the command |
294 | option. | 291 | option. |
295 | 292 | ||
296 | ^[[1mnoM-bM-^@M-^PX11M-bM-^@M-^Pforwarding^[[0m | 293 | no-X11-forwarding |
297 | Forbids X11 forwarding when this key is used for authentication. | 294 | Forbids X11 forwarding when this key is used for authentication. |
298 | Any X11 forward requests by the client will return an error. | 295 | Any X11 forward requests by the client will return an error. |
299 | 296 | ||
300 | ^[[1mnoM-bM-^@M-^PagentM-bM-^@M-^Pforwarding^[[0m | 297 | no-agent-forwarding |
301 | Forbids authentication agent forwarding when this key is used for | 298 | Forbids authentication agent forwarding when this key is used for |
302 | authentication. | 299 | authentication. |
303 | 300 | ||
304 | ^[[1mnoM-bM-^@M-^Ppty ^[[22mPrevents tty allocation (a request to allocate a pty will fail). | 301 | no-pty Prevents tty allocation (a request to allocate a pty will fail). |
305 | 302 | ||
306 | ^[[1mpermitopen="host:port"^[[0m | 303 | permitopen="host:port" |
307 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh M-bM-^@M-^PLM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only conM-bM-^@M-^P | 304 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con- |
308 | nect to the specified host and port. IPv6 addresses can be specM-bM-^@M-^P | 305 | nect to the specified host and port. IPv6 addresses can be spec- |
309 | ified with an alternative syntax: ^[[4mhost/port^[[24m. Multiple ^[[1mpermitopen^[[0m | 306 | ified with an alternative syntax: host/port. Multiple permitopen |
310 | options may be applied separated by commas. No pattern matching | 307 | options may be applied separated by commas. No pattern matching |
311 | is performed on the specified hostnames, they must be literal | 308 | is performed on the specified hostnames, they must be literal |
312 | domains or addresses. | 309 | domains or addresses. |
313 | 310 | ||
314 | ^[[1mExamples^[[0m | 311 | Examples |
315 | 1024 33 12121...312314325 ylo@foo.bar | 312 | 1024 33 12121...312314325 ylo@foo.bar |
316 | 313 | ||
317 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula | 314 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
318 | 315 | ||
319 | command="dump /home",noM-bM-^@M-^Ppty,noM-bM-^@M-^PportM-bM-^@M-^Pforwarding 1024 33 23...2323 | 316 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 |
320 | backup.hut.fi | 317 | backup.hut.fi |
321 | 318 | ||
322 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 319 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
323 | 320 | ||
324 | ^[[1mSSH_KNOWN_HOSTS FILE FORMAT^[[0m | 321 | SSH_KNOWN_HOSTS FILE FORMAT |
325 | The ^[[4m/etc/ssh/ssh_known_hosts^[[24m and ^[[4m$HOME/.ssh/known_hosts^[[24m files contain | 322 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain |
326 | host public keys for all known hosts. The global file should be prepared | 323 | host public keys for all known hosts. The global file should be prepared |
327 | by the administrator (optional), and the perM-bM-^@M-^Puser file is maintained | 324 | by the administrator (optional), and the per-user file is maintained |
328 | automatically: whenever the user connects from an unknown host its key is | 325 | automatically: whenever the user connects from an unknown host its key is |
329 | added to the perM-bM-^@M-^Puser file. | 326 | added to the per-user file. |
330 | 327 | ||
331 | Each line in these files contains the following fields: hostnames, bits, | 328 | Each line in these files contains the following fields: hostnames, bits, |
332 | exponent, modulus, comment. The fields are separated by spaces. | 329 | exponent, modulus, comment. The fields are separated by spaces. |
333 | 330 | ||
334 | Hostnames is a commaM-bM-^@M-^Pseparated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wildM-bM-^@M-^P | 331 | Hostnames is a comma-separated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wild- |
335 | cards); each pattern in turn is matched against the canonical host name | 332 | cards); each pattern in turn is matched against the canonical host name |
336 | (when authenticating a client) or against the userM-bM-^@M-^Psupplied name (when | 333 | (when authenticating a client) or against the user-supplied name (when |
337 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y! to | 334 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y! to |
338 | indicate negation: if the host name matches a negated pattern, it is not | 335 | indicate negation: if the host name matches a negated pattern, it is not |
339 | accepted (by that line) even if it matched another pattern on the line. | 336 | accepted (by that line) even if it matched another pattern on the line. |
340 | 337 | ||
341 | Bits, exponent, and modulus are taken directly from the RSA host key; | 338 | Bits, exponent, and modulus are taken directly from the RSA host key; |
342 | they can be obtained, e.g., from ^[[4m/etc/ssh/ssh_host_key.pub^[[24m. The optional | 339 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional |
343 | comment field continues to the end of the line, and is not used. | 340 | comment field continues to the end of the line, and is not used. |
344 | 341 | ||
345 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. | 342 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. |
346 | 343 | ||
347 | When performing host authentication, authentication is accepted if any | 344 | When performing host authentication, authentication is accepted if any |
348 | matching line has the proper key. It is thus permissible (but not recomM-bM-^@M-^P | 345 | matching line has the proper key. It is thus permissible (but not recom- |
349 | mended) to have several lines or different host keys for the same names. | 346 | mended) to have several lines or different host keys for the same names. |
350 | This will inevitably happen when short forms of host names from different | 347 | This will inevitably happen when short forms of host names from different |
351 | domains are put in the file. It is possible that the files contain conM-bM-^@M-^P | 348 | domains are put in the file. It is possible that the files contain con- |
352 | flicting information; authentication is accepted if valid information can | 349 | flicting information; authentication is accepted if valid information can |
353 | be found from either file. | 350 | be found from either file. |
354 | 351 | ||
355 | Note that the lines in these files are typically hundreds of characters | 352 | Note that the lines in these files are typically hundreds of characters |
356 | long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand. | 353 | long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand. |
357 | Rather, generate them by a script or by taking ^[[4m/etc/ssh/ssh_host_key.pub^[[0m | 354 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub |
358 | and adding the host names at the front. | 355 | and adding the host names at the front. |
359 | 356 | ||
360 | ^[[1mExamples^[[0m | 357 | Examples |
361 | |||
362 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 358 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
363 | cvs.openbsd.org,199.185.137.3 sshM-bM-^@M-^Prsa AAAA1234.....= | 359 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
364 | 360 | ||
365 | ^[[1mFILES^[[0m | 361 | FILES |
366 | /etc/ssh/sshd_config | 362 | /etc/ssh/sshd_config |
367 | Contains configuration data for ^[[1msshd^[[22m. The file format and conM-bM-^@M-^P | 363 | Contains configuration data for sshd. The file format and con- |
368 | figuration options are described in sshd_config(5). | 364 | figuration options are described in sshd_config(5). |
369 | 365 | ||
370 | /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, | 366 | /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, |
371 | /etc/ssh/ssh_host_rsa_key | 367 | /etc/ssh/ssh_host_rsa_key |
372 | These three files contain the private parts of the host keys. | 368 | These three files contain the private parts of the host keys. |
373 | These files should only be owned by root, readable only by root, | 369 | These files should only be owned by root, readable only by root, |
374 | and not accessible to others. Note that ^[[1msshd ^[[22mdoes not start if | 370 | and not accessible to others. Note that sshd does not start if |
375 | this file is group/worldM-bM-^@M-^Paccessible. | 371 | this file is group/world-accessible. |
376 | 372 | ||
377 | /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, | 373 | /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, |
378 | /etc/ssh/ssh_host_rsa_key.pub | 374 | /etc/ssh/ssh_host_rsa_key.pub |
379 | These three files contain the public parts of the host keys. | 375 | These three files contain the public parts of the host keys. |
380 | These files should be worldM-bM-^@M-^Preadable but writable only by root. | 376 | These files should be world-readable but writable only by root. |
381 | Their contents should match the respective private parts. These | 377 | Their contents should match the respective private parts. These |
382 | files are not really used for anything; they are provided for the | 378 | files are not really used for anything; they are provided for the |
383 | convenience of the user so their contents can be copied to known | 379 | convenience of the user so their contents can be copied to known |
384 | hosts files. These files are created using sshM-bM-^@M-^Pkeygen(1). | 380 | hosts files. These files are created using ssh-keygen(1). |
385 | 381 | ||
386 | /etc/moduli | 382 | /etc/moduli |
387 | Contains DiffieM-bM-^@M-^PHellman groups used for the "DiffieM-bM-^@M-^PHellman Group | 383 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group |
388 | Exchange". The file format is described in moduli(5). | 384 | Exchange". The file format is described in moduli(5). |
389 | 385 | ||
390 | /var/empty | 386 | /var/empty |
391 | chroot(2) directory used by ^[[1msshd ^[[22mduring privilege separation in | 387 | chroot(2) directory used by sshd during privilege separation in |
392 | the preM-bM-^@M-^Pauthentication phase. The directory should not contain | 388 | the pre-authentication phase. The directory should not contain |
393 | any files and must be owned by root and not group or worldM-bM-^@M-^P | 389 | any files and must be owned by root and not group or world- |
394 | writable. | 390 | writable. |
395 | 391 | ||
396 | /var/run/sshd.pid | 392 | /var/run/sshd.pid |
397 | Contains the process ID of the ^[[1msshd ^[[22mlistening for connections (if | 393 | Contains the process ID of the sshd listening for connections (if |
398 | there are several daemons running concurrently for different | 394 | there are several daemons running concurrently for different |
399 | ports, this contains the process ID of the one started last). | 395 | ports, this contains the process ID of the one started last). |
400 | The content of this file is not sensitive; it can be worldM-bM-^@M-^PreadM-bM-^@M-^P | 396 | The content of this file is not sensitive; it can be world-read- |
401 | able. | 397 | able. |
402 | 398 | ||
403 | $HOME/.ssh/authorized_keys | 399 | $HOME/.ssh/authorized_keys |
404 | Lists the public keys (RSA or DSA) that can be used to log into | 400 | Lists the public keys (RSA or DSA) that can be used to log into |
405 | the userM-bM-^@M-^Ys account. This file must be readable by root (which | 401 | the userM-bM-^@M-^Ys account. This file must be readable by root (which |
406 | may on some machines imply it being worldM-bM-^@M-^Preadable if the userM-bM-^@M-^Ys | 402 | may on some machines imply it being world-readable if the userM-bM-^@M-^Ys |
407 | home directory resides on an NFS volume). It is recommended that | 403 | home directory resides on an NFS volume). It is recommended that |
408 | it not be accessible by others. The format of this file is | 404 | it not be accessible by others. The format of this file is |
409 | described above. Users will place the contents of their | 405 | described above. Users will place the contents of their |
410 | ^[[4midentity.pub^[[24m, ^[[4mid_dsa.pub^[[24m and/or ^[[4mid_rsa.pub^[[24m files into this file, | 406 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
411 | as described in sshM-bM-^@M-^Pkeygen(1). | 407 | as described in ssh-keygen(1). |
412 | 408 | ||
413 | /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts | 409 | /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts |
414 | These files are consulted when using rhosts with RSA host authenM-bM-^@M-^P | 410 | These files are consulted when using rhosts with RSA host authen- |
415 | tication or protocol version 2 hostbased authentication to check | 411 | tication or protocol version 2 hostbased authentication to check |
416 | the public key of the host. The key must be listed in one of | 412 | the public key of the host. The key must be listed in one of |
417 | these files to be accepted. The client uses the same files to | 413 | these files to be accepted. The client uses the same files to |
418 | verify that it is connecting to the correct remote host. These | 414 | verify that it is connecting to the correct remote host. These |
419 | files should be writable only by root/the owner. | 415 | files should be writable only by root/the owner. |
420 | ^[[4m/etc/ssh/ssh_known_hosts^[[24m should be worldM-bM-^@M-^Preadable, and | 416 | /etc/ssh/ssh_known_hosts should be world-readable, and |
421 | ^[[4m$HOME/.ssh/known_hosts^[[24m can, but need not be, worldM-bM-^@M-^Preadable. | 417 | $HOME/.ssh/known_hosts can, but need not be, world-readable. |
422 | 418 | ||
423 | /etc/nologin | 419 | /etc/nologin |
424 | If this file exists, ^[[1msshd ^[[22mrefuses to let anyone except root log | 420 | If this file exists, sshd refuses to let anyone except root log |
425 | in. The contents of the file are displayed to anyone trying to | 421 | in. The contents of the file are displayed to anyone trying to |
426 | log in, and nonM-bM-^@M-^Proot connections are refused. The file should be | 422 | log in, and non-root connections are refused. The file should be |
427 | worldM-bM-^@M-^Preadable. | 423 | world-readable. |
428 | 424 | ||
429 | /etc/hosts.allow, /etc/hosts.deny | 425 | /etc/hosts.allow, /etc/hosts.deny |
430 | Access controls that should be enforced by tcpM-bM-^@M-^Pwrappers are | 426 | Access controls that should be enforced by tcp-wrappers are |
431 | defined here. Further details are described in hosts_access(5). | 427 | defined here. Further details are described in hosts_access(5). |
432 | 428 | ||
433 | $HOME/.rhosts | 429 | $HOME/.rhosts |
434 | This file contains hostM-bM-^@M-^Pusername pairs, separated by a space, one | 430 | This file contains host-username pairs, separated by a space, one |
435 | per line. The given user on the corresponding host is permitted | 431 | per line. The given user on the corresponding host is permitted |
436 | to log in without a password. The same file is used by rlogind | 432 | to log in without a password. The same file is used by rlogind |
437 | and rshd. The file must be writable only by the user; it is recM-bM-^@M-^P | 433 | and rshd. The file must be writable only by the user; it is rec- |
438 | ommended that it not be accessible by others. | 434 | ommended that it not be accessible by others. |
439 | 435 | ||
440 | If is also possible to use netgroups in the file. Either host or | 436 | If is also possible to use netgroups in the file. Either host or |
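Review bot: the conversion is inconsistent about which non-ASCII characters it normalises. The U+2010 hyphens and the bold/underline escapes are gone on the new side, but the U+2018/U+2019 quotes survive, as the cat -v rendering of the right-hand lines shows (`M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y`, `M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y`, `donM-bM-^@M-^Yt`, `userM-bM-^@M-^Ys`). If the intent is a plain-ASCII sshd.0 that reads cleanly under any locale, map those to ASCII `'` in the same pass; if only hyphens are meant to be normalised, say so in the commit message so the next regeneration does not reintroduce them. While here, `preceded by M-bM-^@M-^XM-bM-^@M-^Y! to` has the quotes wrapping nothing with the `!` outside them on both sides, which points at an escaping problem in the roff source rather than in this rendering step.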
@@ -442,29 +438,29 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
442 | all users in the group. | 438 | all users in the group. |
443 | 439 | ||
444 | $HOME/.shosts | 440 | $HOME/.shosts |
445 | For ssh, this file is exactly the same as for ^[[4m.rhosts^[[24m. However, | 441 | For ssh, this file is exactly the same as for .rhosts. However, |
446 | this file is not used by rlogin and rshd, so using this permits | 442 | this file is not used by rlogin and rshd, so using this permits |
447 | access using SSH only. | 443 | access using SSH only. |
448 | 444 | ||
449 | /etc/hosts.equiv | 445 | /etc/hosts.equiv |
450 | This file is used during ^[[4m.rhosts^[[24m authentication. In the simplest | 446 | This file is used during .rhosts authentication. In the simplest |
451 | form, this file contains host names, one per line. Users on | 447 | form, this file contains host names, one per line. Users on |
452 | those hosts are permitted to log in without a password, provided | 448 | those hosts are permitted to log in without a password, provided |
453 | they have the same user name on both machines. The host name may | 449 | they have the same user name on both machines. The host name may |
454 | also be followed by a user name; such users are permitted to log | 450 | also be followed by a user name; such users are permitted to log |
455 | in as ^[[4many^[[24m user on this machine (except root). Additionally, the | 451 | in as any user on this machine (except root). Additionally, the |
456 | syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated | 452 | syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated |
457 | entries start with M-bM-^@M-^XM-bM-^@M-^PM-bM-^@M-^Y. | 453 | entries start with M-bM-^@M-^X-M-bM-^@M-^Y. |
458 | 454 | ||
459 | If the client host/user is successfully matched in this file, | 455 | If the client host/user is successfully matched in this file, |
460 | login is automatically permitted provided the client and server | 456 | login is automatically permitted provided the client and server |
461 | user names are the same. Additionally, successful RSA host | 457 | user names are the same. Additionally, successful RSA host |
462 | authentication is normally required. This file must be writable | 458 | authentication is normally required. This file must be writable |
463 | only by root; it is recommended that it be worldM-bM-^@M-^Preadable. | 459 | only by root; it is recommended that it be world-readable. |
464 | 460 | ||
465 | ^[[1mWarning: It is almost never a good idea to use user names in^[[0m | 461 | Warning: It is almost never a good idea to use user names in |
466 | ^[[4mhosts.equiv^[[24m. Beware that it really means that the named user(s) | 462 | hosts.equiv. Beware that it really means that the named user(s) |
467 | can log in as ^[[4manybody^[[24m, which includes bin, daemon, adm, and other | 463 | can log in as anybody, which includes bin, daemon, adm, and other |
468 | accounts that own critical binaries and directories. Using a | 464 | accounts that own critical binaries and directories. Using a |
469 | user name practically grants the user root access. The only | 465 | user name practically grants the user root access. The only |
470 | valid use for user names that I can think of is in negative | 466 | valid use for user names that I can think of is in negative |
@@ -473,7 +469,7 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
473 | Note that this warning also applies to rsh/rlogin. | 469 | Note that this warning also applies to rsh/rlogin. |
474 | 470 | ||
475 | /etc/shosts.equiv | 471 | /etc/shosts.equiv |
476 | This is processed exactly as ^[[4m/etc/hosts.equiv^[[24m. However, this | 472 | This is processed exactly as /etc/hosts.equiv. However, this |
477 | file may be useful in environments that want to run both | 473 | file may be useful in environments that want to run both |
478 | rsh/rlogin and ssh. | 474 | rsh/rlogin and ssh. |
479 | 475 | ||
@@ -483,65 +479,65 @@ SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual | |||
483 | M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file | 479 | M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file |
484 | should be writable only by the user; it need not be readable by | 480 | should be writable only by the user; it need not be readable by |
485 | anyone else. Environment processing is disabled by default and | 481 | anyone else. Environment processing is disabled by default and |
486 | is controlled via the ^[[1mPermitUserEnvironment ^[[22moption. | 482 | is controlled via the PermitUserEnvironment option. |
487 | 483 | ||
488 | $HOME/.ssh/rc | 484 | $HOME/.ssh/rc |
489 | If this file exists, it is run with ^[[4m/bin/sh^[[24m after reading the | 485 | If this file exists, it is run with /bin/sh after reading the |
490 | environment files but before starting the userM-bM-^@M-^Ys shell or comM-bM-^@M-^P | 486 | environment files but before starting the userM-bM-^@M-^Ys shell or com- |
491 | mand. It must not produce any output on stdout; stderr must be | 487 | mand. It must not produce any output on stdout; stderr must be |
492 | used instead. If X11 forwarding is in use, it will receive the | 488 | used instead. If X11 forwarding is in use, it will receive the |
493 | "proto cookie" pair in its standard input (and DISPLAY in its | 489 | "proto cookie" pair in its standard input (and DISPLAY in its |
494 | environment). The script must call xauth(1) because ^[[1msshd ^[[22mwill | 490 | environment). The script must call xauth(1) because sshd will |
495 | not run xauth automatically to add X11 cookies. | 491 | not run xauth automatically to add X11 cookies. |
496 | 492 | ||
497 | The primary purpose of this file is to run any initialization | 493 | The primary purpose of this file is to run any initialization |
498 | routines which may be needed before the userM-bM-^@M-^Ys home directory | 494 | routines which may be needed before the userM-bM-^@M-^Ys home directory |
499 | becomes accessible; AFS is a particular example of such an enviM-bM-^@M-^P | 495 | becomes accessible; AFS is a particular example of such an envi- |
500 | ronment. | 496 | ronment. |
501 | 497 | ||
502 | This file will probably contain some initialization code followed | 498 | This file will probably contain some initialization code followed |
503 | by something similar to: | 499 | by something similar to: |
504 | 500 | ||
505 | if read proto cookie && [ M-bM-^@M-^Pn "$DISPLAY" ]; then | 501 | if read proto cookie && [ -n "$DISPLAY" ]; then |
506 | if [ M-bM-^@M-^Xecho $DISPLAY | cut M-bM-^@M-^Pc1M-bM-^@M-^P10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then | 502 | if [ M-bM-^@M-^Xecho $DISPLAY | cut -c1-10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then |
507 | # X11UseLocalhost=yes | 503 | # X11UseLocalhost=yes |
508 | echo add unix:M-bM-^@M-^Xecho $DISPLAY | | 504 | echo add unix:M-bM-^@M-^Xecho $DISPLAY | |
509 | cut M-bM-^@M-^Pc11M-bM-^@M-^PM-bM-^@M-^X $proto $cookie | 505 | cut -c11-M-bM-^@M-^X $proto $cookie |
510 | else | 506 | else |
511 | # X11UseLocalhost=no | 507 | # X11UseLocalhost=no |
512 | echo add $DISPLAY $proto $cookie | 508 | echo add $DISPLAY $proto $cookie |
513 | fi | xauth M-bM-^@M-^Pq M-bM-^@M-^P | 509 | fi | xauth -q - |
514 | fi | 510 | fi |
515 | 511 | ||
516 | If this file does not exist, ^[[4m/etc/ssh/sshrc^[[24m is run, and if that | 512 | If this file does not exist, /etc/ssh/sshrc is run, and if that |
517 | does not exist either, xauth is used to add the cookie. | 513 | does not exist either, xauth is used to add the cookie. |
518 | 514 | ||
519 | This file should be writable only by the user, and need not be | 515 | This file should be writable only by the user, and need not be |
520 | readable by anyone else. | 516 | readable by anyone else. |
521 | 517 | ||
522 | /etc/ssh/sshrc | 518 | /etc/ssh/sshrc |
523 | Like ^[[4m$HOME/.ssh/rc^[[24m. This can be used to specify machineM-bM-^@M-^Pspecific | 519 | Like $HOME/.ssh/rc. This can be used to specify machine-specific |
524 | loginM-bM-^@M-^Ptime initializations globally. This file should be | 520 | login-time initializations globally. This file should be |
525 | writable only by root, and should be worldM-bM-^@M-^Preadable. | 521 | writable only by root, and should be world-readable. |
526 | 522 | ||
527 | ^[[1mAUTHORS^[[0m | 523 | AUTHORS |
528 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 524 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
529 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 525 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
530 | de Raadt and Dug Song removed many bugs, reM-bM-^@M-^Padded newer features and creM-bM-^@M-^P | 526 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- |
531 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 527 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
532 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 528 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
533 | for privilege separation. | 529 | for privilege separation. |
534 | 530 | ||
535 | ^[[1mSEE ALSO^[[0m | 531 | SEE ALSO |
536 | scp(1), sftp(1), ssh(1), sshM-bM-^@M-^Padd(1), sshM-bM-^@M-^Pagent(1), sshM-bM-^@M-^Pkeygen(1), | 532 | scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), |
537 | login.conf(5), moduli(5), sshd_config(5), sftpM-bM-^@M-^Pserver(8) | 533 | login.conf(5), moduli(5), sshd_config(5), sftp-server(8) |
538 | 534 | ||
539 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, ^[[4mSSH^[[0m | 535 | T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne, and S. Lehtinen, SSH |
540 | ^[[4mProtocol^[[24m ^[[4mArchitecture^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^ParchitectureM-bM-^@M-^P12.txt, January | 536 | Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January |
541 | 2002, work in progress material. | 537 | 2002, work in progress material. |
542 | 538 | ||
543 | M. Friedl, N. Provos, and W. A. Simpson, ^[[4mDiffieM-bM-^@M-^PHellman^[[24m ^[[4mGroup^[[24m ^[[4mExchange^[[0m | 539 | M. Friedl, N. Provos, and W. A. Simpson, Diffie-Hellman Group Exchange |
544 | ^[[4mfor^[[24m ^[[4mthe^[[24m ^[[4mSSH^[[24m ^[[4mTransport^[[24m ^[[4mLayer^[[24m ^[[4mProtocol^[[24m, draftM-bM-^@M-^PietfM-bM-^@M-^PsecshM-bM-^@M-^PdhM-bM-^@M-^PgroupM-bM-^@M-^P | 540 | for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group- |
545 | exchangeM-bM-^@M-^P02.txt, January 2002, work in progress material. | 541 | exchange-02.txt, January 2002, work in progress material. |
546 | 542 | ||
547 | BSD September 25, 1999 BSD | 543 | BSD September 25, 1999 BSD |
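Review bot: the `$HOME/.ssh/rc` shell example is still not valid sh after this change. The command substitutions `M-bM-^@M-^Xecho $DISPLAY | cut -c1-10M-bM-^@M-^X` and `unix:M-bM-^@M-^Xecho $DISPLAY | cut -c11-M-bM-^@M-^X` use U+2018 where the roff source means a backtick, and the comparison string `M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y` uses U+2019 for an ASCII `'`. The option hyphens in `-n`, `-c1-10`, `-c11-` and `xauth -q -` are now correct, so a user who pastes this block gets a syntax error from the quotes instead of an option-parsing error. Since this snippet is the one part of the page readers are expected to copy into a script, map these to ASCII backtick and `'` in the same conversion, and check the same substitution for the other quote characters this file emits (U+201C/U+201D around `+@group` in the hosts.equiv hunk).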