Diffstat (limited to 'sshd.0')
-rw-r--r-- | sshd.0 | 218 |
1 files changed, 110 insertions, 108 deletions
@@ -1,4 +1,4 @@ | |||
1 | SSHD(8) BSD System ManagerM-bM-^@M-^Ys Manual SSHD(8) | 1 | SSHD(8) OpenBSD System Manager's Manual SSHD(8) |
2 | 2 | ||
3 | NAME | 3 | NAME |
4 | sshd - OpenSSH SSH daemon | 4 | sshd - OpenSSH SSH daemon |
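Review bot: The regenerated header retitles the page from "BSD System Manager's Manual" to "OpenBSD System Manager's Manual", and the apostrophe in "Manager's" (and every quote further down in this diff) is now plain ASCII rather than the multibyte UTF-8 character the old sshd.0 carried (visible here as M-bM-^@M-^Y). For a preformatted .0 file that is shipped as-is to hosts without a UTF-8 locale, pure ASCII output is the right property; it would help to record which formatter version produced this page so the next regeneration does not silently flip the quoting back to multibyte characters.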
@@ -14,24 +14,25 @@ DESCRIPTION | |||
14 | intended to be as easy to install and use as possible. | 14 | intended to be as easy to install and use as possible. |
15 | 15 | ||
16 | sshd is the daemon that listens for connections from clients. It is nor- | 16 | sshd is the daemon that listens for connections from clients. It is nor- |
17 | mally started at boot from /etc/rc. It forks a new daemon for each | 17 | mally started at boot from /etc/rc. It forks a new daemon for each in- |
18 | incoming connection. The forked daemons handle key exchange, encryption, | 18 | coming connection. The forked daemons handle key exchange, encryption, |
19 | authentication, command execution, and data exchange. This implementa- | 19 | authentication, command execution, and data exchange. This implementa- |
20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. | 20 | tion of sshd supports both SSH protocol version 1 and 2 simultaneously. |
21 | sshd works as follows: | 21 | sshd works as follows: |
22 | 22 | ||
23 | SSH protocol version 1 | 23 | SSH protocol version 1 |
24 | |||
24 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- | 25 | Each host has a host-specific RSA key (normally 1024 bits) used to iden- |
25 | tify the host. Additionally, when the daemon starts, it generates a | 26 | tify the host. Additionally, when the daemon starts, it generates a |
26 | server RSA key (normally 768 bits). This key is normally regenerated | 27 | server RSA key (normally 768 bits). This key is normally regenerated ev- |
27 | every hour if it has been used, and is never stored on disk. | 28 | ery hour if it has been used, and is never stored on disk. |
28 | 29 | ||
29 | Whenever a client connects, the daemon responds with its public host and | 30 | Whenever a client connects, the daemon responds with its public host and |
30 | server keys. The client compares the RSA host key against its own | 31 | server keys. The client compares the RSA host key against its own |
31 | database to verify that it has not changed. The client then generates a | 32 | database to verify that it has not changed. The client then generates a |
32 | 256 bit random number. It encrypts this random number using both the | 33 | 256 bit random number. It encrypts this random number using both the |
33 | host key and the server key, and sends the encrypted number to the | 34 | host key and the server key, and sends the encrypted number to the serv- |
34 | server. Both sides then use this random number as a session key which is | 35 | er. Both sides then use this random number as a session key which is |
35 | used to encrypt all further communications in the session. The rest of | 36 | used to encrypt all further communications in the session. The rest of |
36 | the session is encrypted using a conventional cipher, currently Blowfish | 37 | the session is encrypted using a conventional cipher, currently Blowfish |
37 | or 3DES, with 3DES being used by default. The client selects the encryp- | 38 | or 3DES, with 3DES being used by default. The client selects the encryp- |
@@ -39,19 +40,19 @@ DESCRIPTION | |||
39 | 40 | ||
40 | Next, the server and the client enter an authentication dialog. The | 41 | Next, the server and the client enter an authentication dialog. The |
41 | client tries to authenticate itself using .rhosts authentication, .rhosts | 42 | client tries to authenticate itself using .rhosts authentication, .rhosts |
42 | authentication combined with RSA host authentication, RSA challenge- | 43 | authentication combined with RSA host authentication, RSA challenge-re- |
43 | response authentication, or password based authentication. | 44 | sponse authentication, or password based authentication. |
44 | 45 | ||
45 | Regardless of the authentication type, the account is checked to ensure | 46 | Regardless of the authentication type, the account is checked to ensure |
46 | that it is accessible. An account is not accessible if it is locked, | 47 | that it is accessible. An account is not accessible if it is locked, |
47 | listed in DenyUsers or its group is listed in DenyGroups . The defini- | 48 | listed in DenyUsers or its group is listed in DenyGroups . The defini- |
48 | tion of a locked account is system dependant. Some platforms have their | 49 | tion of a locked account is system dependant. Some platforms have their |
49 | own account database (eg AIX) and some modify the passwd field ( M-bM-^@M-^X*LK*M-bM-^@M-^Y | 50 | own account database (eg AIX) and some modify the passwd field ( `*LK*' |
50 | on Solaris, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on Tru64 and a leading | 51 | on Solaris, `*' on HP-UX, containing `Nologin' on Tru64 and a leading |
51 | M-bM-^@M-^X!!M-bM-^@M-^Y on Linux). If there is a requirement to disable password authenti- | 52 | `!!' on Linux). If there is a requirement to disable password authenti- |
52 | cation for the account while allowing still public-key, then the passwd | 53 | cation for the account while allowing still public-key, then the passwd |
53 | field should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or | 54 | field should be set to something other than these values (eg `NP' or |
54 | M-bM-^@M-^X*NP*M-bM-^@M-^Y ). | 55 | `*NP*' ). |
55 | 56 | ||
56 | Rhosts authentication is normally disabled because it is fundamentally | 57 | Rhosts authentication is normally disabled because it is fundamentally |
57 | insecure, but can be enabled in the server configuration file if desired. | 58 | insecure, but can be enabled in the server configuration file if desired. |
@@ -59,6 +60,7 @@ DESCRIPTION | |||
59 | abled (thus completely disabling rlogin and rsh into the machine). | 60 | abled (thus completely disabling rlogin and rsh into the machine). |
60 | 61 | ||
61 | SSH protocol version 2 | 62 | SSH protocol version 2 |
63 | |||
62 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) | 64 | Version 2 works similarly: Each host has a host-specific key (RSA or DSA) |
63 | used to identify the host. However, when the daemon starts, it does not | 65 | used to identify the host. However, when the daemon starts, it does not |
64 | generate a server key. Forward security is provided through a Diffie- | 66 | generate a server key. Forward security is provided through a Diffie- |
@@ -67,10 +69,9 @@ DESCRIPTION | |||
67 | 69 | ||
68 | The rest of the session is encrypted using a symmetric cipher, currently | 70 | The rest of the session is encrypted using a symmetric cipher, currently |
69 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit | 71 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit |
70 | AES. The client selects the encryption algorithm to use from those | 72 | AES. The client selects the encryption algorithm to use from those of- |
71 | offered by the server. Additionally, session integrity is provided | 73 | fered by the server. Additionally, session integrity is provided through |
72 | through a cryptographic message authentication code (hmac-sha1 or hmac- | 74 | a cryptographic message authentication code (hmac-sha1 or hmac-md5). |
73 | md5). | ||
74 | 75 | ||
75 | Protocol version 2 provides a public key based user (PubkeyAuthentica- | 76 | Protocol version 2 provides a public key based user (PubkeyAuthentica- |
76 | tion) or client host (HostbasedAuthentication) authentication method, | 77 | tion) or client host (HostbasedAuthentication) authentication method, |
@@ -78,6 +79,7 @@ DESCRIPTION | |||
78 | ods. | 79 | ods. |
79 | 80 | ||
80 | Command execution and data forwarding | 81 | Command execution and data forwarding |
82 | |||
81 | If the client successfully authenticates itself, a dialog for preparing | 83 | If the client successfully authenticates itself, a dialog for preparing |
82 | the session is entered. At this time the client may request things like | 84 | the session is entered. At this time the client may request things like |
83 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP | 85 | allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP |
@@ -110,8 +112,8 @@ DESCRIPTION | |||
110 | -d Debug mode. The server sends verbose debug output to the system | 112 | -d Debug mode. The server sends verbose debug output to the system |
111 | log, and does not put itself in the background. The server also | 113 | log, and does not put itself in the background. The server also |
112 | will not fork and will only process one connection. This option | 114 | will not fork and will only process one connection. This option |
113 | is only intended for debugging for the server. Multiple -d | 115 | is only intended for debugging for the server. Multiple -d op- |
114 | options increase the debugging level. Maximum is 3. | 116 | tions increase the debugging level. Maximum is 3. |
115 | 117 | ||
116 | -e When this option is specified, sshd will send the output to the | 118 | -e When this option is specified, sshd will send the output to the |
117 | standard error instead of the system log. | 119 | standard error instead of the system log. |
@@ -122,10 +124,10 @@ DESCRIPTION | |||
122 | figuration file. | 124 | figuration file. |
123 | 125 | ||
124 | -g login_grace_time | 126 | -g login_grace_time |
125 | Gives the grace time for clients to authenticate themselves | 127 | Gives the grace time for clients to authenticate themselves (de- |
126 | (default 120 seconds). If the client fails to authenticate the | 128 | fault 120 seconds). If the client fails to authenticate the user |
127 | user within this many seconds, the server disconnects and exits. | 129 | within this many seconds, the server disconnects and exits. A |
128 | A value of zero indicates no limit. | 130 | value of zero indicates no limit. |
129 | 131 | ||
130 | -h host_key_file | 132 | -h host_key_file |
131 | Specifies a file from which a host key is read. This option must | 133 | Specifies a file from which a host key is read. This option must |
@@ -139,9 +141,9 @@ DESCRIPTION | |||
139 | -i Specifies that sshd is being run from inetd(8). sshd is normally | 141 | -i Specifies that sshd is being run from inetd(8). sshd is normally |
140 | not run from inetd because it needs to generate the server key | 142 | not run from inetd because it needs to generate the server key |
141 | before it can respond to the client, and this may take tens of | 143 | before it can respond to the client, and this may take tens of |
142 | seconds. Clients would have to wait too long if the key was | 144 | seconds. Clients would have to wait too long if the key was re- |
143 | regenerated every time. However, with small key sizes (e.g., | 145 | generated every time. However, with small key sizes (e.g., 512) |
144 | 512) using sshd from inetd may be feasible. | 146 | using sshd from inetd may be feasible. |
145 | 147 | ||
146 | -k key_gen_time | 148 | -k key_gen_time |
147 | Specifies how often the ephemeral protocol version 1 server key | 149 | Specifies how often the ephemeral protocol version 1 server key |
@@ -163,8 +165,8 @@ DESCRIPTION | |||
163 | fied in the configuration file are ignored when a command-line | 165 | fied in the configuration file are ignored when a command-line |
164 | port is specified. | 166 | port is specified. |
165 | 167 | ||
166 | -q Quiet mode. Nothing is sent to the system log. Normally the | 168 | -q Quiet mode. Nothing is sent to the system log. Normally the be- |
167 | beginning, authentication, and termination of each connection is | 169 | ginning, authentication, and termination of each connection is |
168 | logged. | 170 | logged. |
169 | 171 | ||
170 | -t Test mode. Only check the validity of the configuration file and | 172 | -t Test mode. Only check the validity of the configuration file and |
@@ -179,10 +181,10 @@ DESCRIPTION | |||
179 | indicates that only dotted decimal addresses should be put into | 181 | indicates that only dotted decimal addresses should be put into |
180 | the utmp file. -u0 may also be used to prevent sshd from making | 182 | the utmp file. -u0 may also be used to prevent sshd from making |
181 | DNS requests unless the authentication mechanism or configuration | 183 | DNS requests unless the authentication mechanism or configuration |
182 | requires it. Authentication mechanisms that may require DNS | 184 | requires it. Authentication mechanisms that may require DNS in- |
183 | include RhostsRSAAuthentication, HostbasedAuthentication and | 185 | clude RhostsRSAAuthentication, HostbasedAuthentication and using |
184 | using a from="pattern-list" option in a key file. Configuration | 186 | a from="pattern-list" option in a key file. Configuration op- |
185 | options that require DNS include using a USER@HOST pattern in | 187 | tions that require DNS include using a USER@HOST pattern in |
186 | AllowUsers or DenyUsers. | 188 | AllowUsers or DenyUsers. |
187 | 189 | ||
188 | -D When this option is specified sshd will not detach and does not | 190 | -D When this option is specified sshd will not detach and does not |
@@ -214,18 +216,18 @@ LOGIN PROCESS | |||
214 | 216 | ||
215 | 5. Sets up basic environment. | 217 | 5. Sets up basic environment. |
216 | 218 | ||
217 | 6. Reads $HOME/.ssh/environment if it exists and users are | 219 | 6. Reads $HOME/.ssh/environment if it exists and users are al- |
218 | allowed to change their environment. See the | 220 | lowed to change their environment. See the |
219 | PermitUserEnvironment option in sshd_config(5). | 221 | PermitUserEnvironment option in sshd_config(5). |
220 | 222 | ||
221 | 7. Changes to userM-bM-^@M-^Ys home directory. | 223 | 7. Changes to user's home directory. |
222 | 224 | ||
223 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc | 225 | 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- |
224 | exists, runs it; otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are | 226 | ists, runs it; otherwise runs xauth. The ``rc'' files are |
225 | given the X11 authentication protocol and cookie in standard | 227 | given the X11 authentication protocol and cookie in standard |
226 | input. | 228 | input. |
227 | 229 | ||
228 | 9. Runs userM-bM-^@M-^Ys shell or command. | 230 | 9. Runs user's shell or command. |
229 | 231 | ||
230 | AUTHORIZED_KEYS FILE FORMAT | 232 | AUTHORIZED_KEYS FILE FORMAT |
231 | $HOME/.ssh/authorized_keys is the default file that lists the public keys | 233 | $HOME/.ssh/authorized_keys is the default file that lists the public keys |
@@ -234,7 +236,7 @@ AUTHORIZED_KEYS FILE FORMAT | |||
234 | AuthorizedKeysFile may be used to specify an alternative file. | 236 | AuthorizedKeysFile may be used to specify an alternative file. |
235 | 237 | ||
236 | Each line of the file contains one key (empty lines and lines starting | 238 | Each line of the file contains one key (empty lines and lines starting |
237 | with a M-bM-^@M-^X#M-bM-^@M-^Y are ignored as comments). Each RSA public key consists of the | 239 | with a `#' are ignored as comments). Each RSA public key consists of the |
238 | following fields, separated by spaces: options, bits, exponent, modulus, | 240 | following fields, separated by spaces: options, bits, exponent, modulus, |
239 | comment. Each protocol version 2 public key consists of: options, key- | 241 | comment. Each protocol version 2 public key consists of: options, key- |
240 | type, base64 encoded key, comment. The options field is optional; its | 242 | type, base64 encoded key, comment. The options field is optional; its |
@@ -242,11 +244,11 @@ AUTHORIZED_KEYS FILE FORMAT | |||
242 | (the options field never starts with a number). The bits, exponent, mod- | 244 | (the options field never starts with a number). The bits, exponent, mod- |
243 | ulus and comment fields give the RSA key for protocol version 1; the com- | 245 | ulus and comment fields give the RSA key for protocol version 1; the com- |
244 | ment field is not used for anything (but may be convenient for the user | 246 | ment field is not used for anything (but may be convenient for the user |
245 | to identify the key). For protocol version 2 the keytype is M-bM-^@M-^\ssh-dssM-bM-^@M-^] or | 247 | to identify the key). For protocol version 2 the keytype is ``ssh-dss'' |
246 | M-bM-^@M-^\ssh-rsaM-bM-^@M-^]. | 248 | or ``ssh-rsa''. |
247 | 249 | ||
248 | Note that lines in this file are usually several hundred bytes long | 250 | Note that lines in this file are usually several hundred bytes long (be- |
249 | (because of the size of the public key encoding). You donM-bM-^@M-^Yt want to type | 251 | cause of the size of the public key encoding). You don't want to type |
250 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub | 252 | them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub |
251 | file and edit it. | 253 | file and edit it. |
252 | 254 | ||
@@ -261,31 +263,31 @@ AUTHORIZED_KEYS FILE FORMAT | |||
261 | from="pattern-list" | 263 | from="pattern-list" |
262 | Specifies that in addition to public key authentication, the | 264 | Specifies that in addition to public key authentication, the |
263 | canonical name of the remote host must be present in the comma- | 265 | canonical name of the remote host must be present in the comma- |
264 | separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y serve as wildcards). The | 266 | separated list of patterns (`*' and `?' serve as wildcards). The |
265 | list may also contain patterns negated by prefixing them with | 267 | list may also contain patterns negated by prefixing them with |
266 | M-bM-^@M-^X!M-bM-^@M-^Y; if the canonical host name matches a negated pattern, the | 268 | `!'; if the canonical host name matches a negated pattern, the |
267 | key is not accepted. The purpose of this option is to optionally | 269 | key is not accepted. The purpose of this option is to optionally |
268 | increase security: public key authentication by itself does not | 270 | increase security: public key authentication by itself does not |
269 | trust the network or name servers or anything (but the key); how- | 271 | trust the network or name servers or anything (but the key); how- |
270 | ever, if somebody somehow steals the key, the key permits an | 272 | ever, if somebody somehow steals the key, the key permits an in- |
271 | intruder to log in from anywhere in the world. This additional | 273 | truder to log in from anywhere in the world. This additional op- |
272 | option makes using a stolen key more difficult (name servers | 274 | tion makes using a stolen key more difficult (name servers and/or |
273 | and/or routers would have to be compromised in addition to just | 275 | routers would have to be compromised in addition to just the |
274 | the key). | 276 | key). |
275 | 277 | ||
276 | command="command" | 278 | command="command" |
277 | Specifies that the command is executed whenever this key is used | 279 | Specifies that the command is executed whenever this key is used |
278 | for authentication. The command supplied by the user (if any) is | 280 | for authentication. The command supplied by the user (if any) is |
279 | ignored. The command is run on a pty if the client requests a | 281 | ignored. The command is run on a pty if the client requests a |
280 | pty; otherwise it is run without a tty. If an 8-bit clean chan- | 282 | pty; otherwise it is run without a tty. If an 8-bit clean chan- |
281 | nel is required, one must not request a pty or should specify | 283 | nel is required, one must not request a pty or should specify no- |
282 | no-pty. A quote may be included in the command by quoting it | 284 | pty. A quote may be included in the command by quoting it with a |
283 | with a backslash. This option might be useful to restrict cer- | 285 | backslash. This option might be useful to restrict certain pub- |
284 | tain public keys to perform just a specific operation. An exam- | 286 | lic keys to perform just a specific operation. An example might |
285 | ple might be a key that permits remote backups but nothing else. | 287 | be a key that permits remote backups but nothing else. Note that |
286 | Note that the client may specify TCP/IP and/or X11 forwarding | 288 | the client may specify TCP/IP and/or X11 forwarding unless they |
287 | unless they are explicitly prohibited. Note that this option | 289 | are explicitly prohibited. Note that this option applies to |
288 | applies to shell, command or subsystem execution. | 290 | shell, command or subsystem execution. |
289 | 291 | ||
290 | environment="NAME=value" | 292 | environment="NAME=value" |
291 | Specifies that the string is to be added to the environment when | 293 | Specifies that the string is to be added to the environment when |
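Review bot: In the command= entry the new formatter now breaks the option name at its own hyphen, so lines 283/284 of the new file read "should specify no-" / "pty." A reader of the rendered page cannot tell whether the literal option is no-pty or a wrapped "nopty", and the same problem will hit any other option name that lands at a line end after a reflow. Suggest marking these names in the mdoc source so the formatter does not treat the hyphen as a break point, keeping the literal spelling intact across regenerations.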
@@ -297,8 +299,8 @@ AUTHORIZED_KEYS FILE FORMAT | |||
297 | 299 | ||
298 | no-port-forwarding | 300 | no-port-forwarding |
299 | Forbids TCP/IP forwarding when this key is used for authentica- | 301 | Forbids TCP/IP forwarding when this key is used for authentica- |
300 | tion. Any port forward requests by the client will return an | 302 | tion. Any port forward requests by the client will return an er- |
301 | error. This might be used, e.g., in connection with the command | 303 | ror. This might be used, e.g., in connection with the command |
302 | option. | 304 | option. |
303 | 305 | ||
304 | no-X11-forwarding | 306 | no-X11-forwarding |
@@ -312,45 +314,45 @@ AUTHORIZED_KEYS FILE FORMAT | |||
312 | no-pty Prevents tty allocation (a request to allocate a pty will fail). | 314 | no-pty Prevents tty allocation (a request to allocate a pty will fail). |
313 | 315 | ||
314 | permitopen="host:port" | 316 | permitopen="host:port" |
315 | Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con- | 317 | Limit local ``ssh -L'' port forwarding such that it may only con- |
316 | nect to the specified host and port. IPv6 addresses can be spec- | 318 | nect to the specified host and port. IPv6 addresses can be spec- |
317 | ified with an alternative syntax: host/port. Multiple permitopen | 319 | ified with an alternative syntax: host/port. Multiple permitopen |
318 | options may be applied separated by commas. No pattern matching | 320 | options may be applied separated by commas. No pattern matching |
319 | is performed on the specified hostnames, they must be literal | 321 | is performed on the specified hostnames, they must be literal do- |
320 | domains or addresses. | 322 | mains or addresses. |
321 | 323 | ||
322 | Examples | 324 | Examples |
323 | 1024 33 12121...312314325 ylo@foo.bar | 325 | 1024 33 12121...312314325 ylo@foo.bar |
324 | 326 | ||
325 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula | 327 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
326 | 328 | ||
327 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 | 329 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- |
328 | backup.hut.fi | 330 | up.hut.fi |
329 | 331 | ||
330 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 | 332 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
331 | 333 | ||
332 | SSH_KNOWN_HOSTS FILE FORMAT | 334 | SSH_KNOWN_HOSTS FILE FORMAT |
333 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain | 335 | The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain |
334 | host public keys for all known hosts. The global file should be prepared | 336 | host public keys for all known hosts. The global file should be prepared |
335 | by the administrator (optional), and the per-user file is maintained | 337 | by the administrator (optional), and the per-user file is maintained au- |
336 | automatically: whenever the user connects from an unknown host its key is | 338 | tomatically: whenever the user connects from an unknown host its key is |
337 | added to the per-user file. | 339 | added to the per-user file. |
338 | 340 | ||
339 | Each line in these files contains the following fields: hostnames, bits, | 341 | Each line in these files contains the following fields: hostnames, bits, |
340 | exponent, modulus, comment. The fields are separated by spaces. | 342 | exponent, modulus, comment. The fields are separated by spaces. |
341 | 343 | ||
342 | Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as wild- | 344 | Hostnames is a comma-separated list of patterns (`*' and `?' act as wild- |
343 | cards); each pattern in turn is matched against the canonical host name | 345 | cards); each pattern in turn is matched against the canonical host name |
344 | (when authenticating a client) or against the user-supplied name (when | 346 | (when authenticating a client) or against the user-supplied name (when |
345 | authenticating a server). A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indi- | 347 | authenticating a server). A pattern may also be preceded by `!' to indi- |
346 | cate negation: if the host name matches a negated pattern, it is not | 348 | cate negation: if the host name matches a negated pattern, it is not ac- |
347 | accepted (by that line) even if it matched another pattern on the line. | 349 | cepted (by that line) even if it matched another pattern on the line. |
348 | 350 | ||
349 | Bits, exponent, and modulus are taken directly from the RSA host key; | 351 | Bits, exponent, and modulus are taken directly from the RSA host key; |
350 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional | 352 | they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional |
351 | comment field continues to the end of the line, and is not used. | 353 | comment field continues to the end of the line, and is not used. |
352 | 354 | ||
353 | Lines starting with M-bM-^@M-^X#M-bM-^@M-^Y and empty lines are ignored as comments. | 355 | Lines starting with `#' and empty lines are ignored as comments. |
354 | 356 | ||
355 | When performing host authentication, authentication is accepted if any | 357 | When performing host authentication, authentication is accepted if any |
356 | matching line has the proper key. It is thus permissible (but not recom- | 358 | matching line has the proper key. It is thus permissible (but not recom- |
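Review bot: The authorized_keys example at lines 329/330 of the new file is now wrapped as "23...2323 back-" / "up.hut.fi", which inserts a hyphen into the literal hostname backup.hut.fi and splits a line that must stay on one line in the real file. Since the Examples block exists to be copied verbatim, it should be rendered as a literal (unfilled) display so the formatter neither wraps nor hyphenates it; the permitopen example on line 332 only survives intact because it happens to fit within the margin.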
@@ -361,11 +363,12 @@ SSH_KNOWN_HOSTS FILE FORMAT | |||
361 | be found from either file. | 363 | be found from either file. |
362 | 364 | ||
363 | Note that the lines in these files are typically hundreds of characters | 365 | Note that the lines in these files are typically hundreds of characters |
364 | long, and you definitely donM-bM-^@M-^Yt want to type in the host keys by hand. | 366 | long, and you definitely don't want to type in the host keys by hand. |
365 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub | 367 | Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub |
366 | and adding the host names at the front. | 368 | and adding the host names at the front. |
367 | 369 | ||
368 | Examples | 370 | Examples |
371 | |||
369 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi | 372 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
370 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 373 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
371 | 374 | ||
@@ -409,11 +412,11 @@ FILES | |||
409 | 412 | ||
410 | $HOME/.ssh/authorized_keys | 413 | $HOME/.ssh/authorized_keys |
411 | Lists the public keys (RSA or DSA) that can be used to log into | 414 | Lists the public keys (RSA or DSA) that can be used to log into |
412 | the userM-bM-^@M-^Ys account. This file must be readable by root (which | 415 | the user's account. This file must be readable by root (which |
413 | may on some machines imply it being world-readable if the userM-bM-^@M-^Ys | 416 | may on some machines imply it being world-readable if the user's |
414 | home directory resides on an NFS volume). It is recommended that | 417 | home directory resides on an NFS volume). It is recommended that |
415 | it not be accessible by others. The format of this file is | 418 | it not be accessible by others. The format of this file is de- |
416 | described above. Users will place the contents of their | 419 | scribed above. Users will place the contents of their |
417 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, | 420 | identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, |
418 | as described in ssh-keygen(1). | 421 | as described in ssh-keygen(1). |
419 | 422 | ||
@@ -434,8 +437,8 @@ FILES | |||
434 | world-readable. | 437 | world-readable. |
435 | 438 | ||
436 | /etc/hosts.allow, /etc/hosts.deny | 439 | /etc/hosts.allow, /etc/hosts.deny |
437 | Access controls that should be enforced by tcp-wrappers are | 440 | Access controls that should be enforced by tcp-wrappers are de- |
438 | defined here. Further details are described in hosts_access(5). | 441 | fined here. Further details are described in hosts_access(5). |
439 | 442 | ||
440 | $HOME/.rhosts | 443 | $HOME/.rhosts |
441 | This file contains host-username pairs, separated by a space, one | 444 | This file contains host-username pairs, separated by a space, one |
@@ -460,22 +463,21 @@ FILES | |||
460 | they have the same user name on both machines. The host name may | 463 | they have the same user name on both machines. The host name may |
461 | also be followed by a user name; such users are permitted to log | 464 | also be followed by a user name; such users are permitted to log |
462 | in as any user on this machine (except root). Additionally, the | 465 | in as any user on this machine (except root). Additionally, the |
463 | syntax M-bM-^@M-^\+@groupM-bM-^@M-^] can be used to specify netgroups. Negated | 466 | syntax ``+@group'' can be used to specify netgroups. Negated en- |
464 | entries start with M-bM-^@M-^X-M-bM-^@M-^Y. | 467 | tries start with `-'. |
465 | 468 | ||
466 | If the client host/user is successfully matched in this file, | 469 | If the client host/user is successfully matched in this file, lo- |
467 | login is automatically permitted provided the client and server | 470 | gin is automatically permitted provided the client and server us- |
468 | user names are the same. Additionally, successful RSA host | 471 | er names are the same. Additionally, successful RSA host authen- |
469 | authentication is normally required. This file must be writable | 472 | tication is normally required. This file must be writable only |
470 | only by root; it is recommended that it be world-readable. | 473 | by root; it is recommended that it be world-readable. |
471 | 474 | ||
472 | Warning: It is almost never a good idea to use user names in | 475 | Warning: It is almost never a good idea to use user names in |
473 | hosts.equiv. Beware that it really means that the named user(s) | 476 | hosts.equiv. Beware that it really means that the named user(s) |
474 | can log in as anybody, which includes bin, daemon, adm, and other | 477 | can log in as anybody, which includes bin, daemon, adm, and other |
475 | accounts that own critical binaries and directories. Using a | 478 | accounts that own critical binaries and directories. Using a us- |
476 | user name practically grants the user root access. The only | 479 | er name practically grants the user root access. The only valid |
477 | valid use for user names that I can think of is in negative | 480 | use for user names that I can think of is in negative entries. |
478 | entries. | ||
479 | 481 | ||
480 | Note that this warning also applies to rsh/rlogin. | 482 | Note that this warning also applies to rsh/rlogin. |
481 | 483 | ||
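Review bot: the only substantive change in the hosts.equiv paragraph (old lines 463-464, new lines 466-467) is that the quotes around `+@group` and `-` were previously emitted as the byte sequences `M-bM-^@M-^\` / `M-bM-^@M-^]` / `M-bM-^@M-^X` / `M-bM-^@M-^Y`, i.e. the formatter produced UTF-8 curly quotes that this rendering shows as mojibake; regenerate the page under the C/POSIX locale (or with an ASCII output device) so the committed output does not depend on the environment of whoever regenerates it. The remaining differences in this hunk (`entries` becoming `en- tries`, `login` becoming `lo- gin`, `user` becoming `us- er`) are re-hyphenation by the new formatter, not text changes, so the warning that a user name in hosts.equiv effectively grants root is unchanged.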
@@ -487,33 +489,33 @@ FILES | |||
487 | $HOME/.ssh/environment | 489 | $HOME/.ssh/environment |
488 | This file is read into the environment at login (if it exists). | 490 | This file is read into the environment at login (if it exists). |
489 | It can only contain empty lines, comment lines (that start with | 491 | It can only contain empty lines, comment lines (that start with |
490 | M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file | 492 | `#'), and assignment lines of the form name=value. The file |
491 | should be writable only by the user; it need not be readable by | 493 | should be writable only by the user; it need not be readable by |
492 | anyone else. Environment processing is disabled by default and | 494 | anyone else. Environment processing is disabled by default and |
493 | is controlled via the PermitUserEnvironment option. | 495 | is controlled via the PermitUserEnvironment option. |
494 | 496 | ||
495 | $HOME/.ssh/rc | 497 | $HOME/.ssh/rc |
496 | If this file exists, it is run with /bin/sh after reading the | 498 | If this file exists, it is run with /bin/sh after reading the en- |
497 | environment files but before starting the userM-bM-^@M-^Ys shell or com- | 499 | vironment files but before starting the user's shell or command. |
498 | mand. It must not produce any output on stdout; stderr must be | 500 | It must not produce any output on stdout; stderr must be used in- |
499 | used instead. If X11 forwarding is in use, it will receive the | 501 | stead. If X11 forwarding is in use, it will receive the "proto |
500 | "proto cookie" pair in its standard input (and DISPLAY in its | 502 | cookie" pair in its standard input (and DISPLAY in its environ- |
501 | environment). The script must call xauth(1) because sshd will | 503 | ment). The script must call xauth(1) because sshd will not run |
502 | not run xauth automatically to add X11 cookies. | 504 | xauth automatically to add X11 cookies. |
503 | 505 | ||
504 | The primary purpose of this file is to run any initialization | 506 | The primary purpose of this file is to run any initialization |
505 | routines which may be needed before the userM-bM-^@M-^Ys home directory | 507 | routines which may be needed before the user's home directory be- |
506 | becomes accessible; AFS is a particular example of such an envi- | 508 | comes accessible; AFS is a particular example of such an environ- |
507 | ronment. | 509 | ment. |
508 | 510 | ||
509 | This file will probably contain some initialization code followed | 511 | This file will probably contain some initialization code followed |
510 | by something similar to: | 512 | by something similar to: |
511 | 513 | ||
512 | if read proto cookie && [ -n "$DISPLAY" ]; then | 514 | if read proto cookie && [ -n "$DISPLAY" ]; then |
513 | if [ M-bM-^@M-^Xecho $DISPLAY | cut -c1-10M-bM-^@M-^X = M-bM-^@M-^Ylocalhost:M-bM-^@M-^Y ]; then | 515 | if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
514 | # X11UseLocalhost=yes | 516 | # X11UseLocalhost=yes |
515 | echo add unix:M-bM-^@M-^Xecho $DISPLAY | | 517 | echo add unix:`echo $DISPLAY | |
516 | cut -c11-M-bM-^@M-^X $proto $cookie | 518 | cut -c11-` $proto $cookie |
517 | else | 519 | else |
518 | # X11UseLocalhost=no | 520 | # X11UseLocalhost=no |
519 | echo add $DISPLAY $proto $cookie | 521 | echo add $DISPLAY $proto $cookie |
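Review bot: the `$HOME/.ssh/rc` sample (old lines 513-516, new lines 515-518) is where the quote mojibake actually mattered: the old output rendered the command-substitution backticks and the single quotes around `localhost:` as `M-bM-^@M-^X` / `M-bM-^@M-^Y`, so the snippet would not run as shell if copied from the rendered page, while the new output restores plain ASCII `` `echo $DISPLAY | cut -c1-10` `` and `'localhost:'`; the same applies to the `#` comment character on new line 492. The line break after the `|` inside the backticks on new lines 517-518 is a valid continuation, so nothing else needs fixing here. One style point for the manual source rather than this generated file: `$DISPLAY` is unquoted in both `echo $DISPLAY` occurrences, so writing `"$DISPLAY"` would keep the word intact if DISPLAY ever contained whitespace.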
@@ -546,9 +548,9 @@ SEE ALSO | |||
546 | AUTHORS | 548 | AUTHORS |
547 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 549 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
548 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 550 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
549 | de Raadt and Dug Song removed many bugs, re-added newer features and cre- | 551 | de Raadt and Dug Song removed many bugs, re-added newer features and |
550 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 552 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
551 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support | 553 | versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support |
552 | for privilege separation. | 554 | for privilege separation. |
553 | 555 | ||
554 | BSD September 25, 1999 BSD | 556 | OpenBSD 3.4 September 25, 1999 9 |
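Review bot: the footer (old line 554, new line 556) changes from `BSD September 25, 1999 BSD` to `OpenBSD 3.4 September 25, 1999 9`; the trailing `9` is a page number, so the regenerated file was formatted as paginated output, whereas the previous output was a continuous page with no page numbers. If that is not intended, check the formatter invocation used to regenerate sshd.0; the operating-system string moving from `BSD` to `OpenBSD 3.4` points to the same change of formatter configuration. The AUTHORS text itself is unchanged apart from the re-wrapping of `cre- ated` to `created`.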