Diffstat (limited to 'sshd.8')
-rw-r--r-- | sshd.8 | 85 |
1 files changed, 43 insertions, 42 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $ | 37 | .\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSHD 8 | 39 | .Dt SSHD 8 |
40 | .Os | 40 | .Os |
@@ -44,7 +44,7 @@ | |||
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm sshd | 45 | .Nm sshd |
46 | .Bk -words | 46 | .Bk -words |
47 | .Op Fl deiqtD46 | 47 | .Op Fl 46Ddeiqt |
48 | .Op Fl b Ar bits | 48 | .Op Fl b Ar bits |
49 | .Op Fl f Ar config_file | 49 | .Op Fl f Ar config_file |
50 | .Op Fl g Ar login_grace_time | 50 | .Op Fl g Ar login_grace_time |
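Review bot: the reordered flag cluster `.Op Fl 46Ddeiqt` on the SYNOPSIS line now follows the mdoc convention of digits, then uppercase, then lowercase, and it matches the order in which the `-4`, `-6` and `-D` entries are placed in the OPTIONS list later in this patch; nothing further needed here.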
@@ -78,9 +78,7 @@ This implementation of | |||
78 | supports both SSH protocol version 1 and 2 simultaneously. | 78 | supports both SSH protocol version 1 and 2 simultaneously. |
79 | .Nm | 79 | .Nm |
80 | works as follows: | 80 | works as follows: |
81 | .Pp | ||
82 | .Ss SSH protocol version 1 | 81 | .Ss SSH protocol version 1 |
83 | .Pp | ||
84 | Each host has a host-specific RSA key | 82 | Each host has a host-specific RSA key |
85 | (normally 1024 bits) used to identify the host. | 83 | (normally 1024 bits) used to identify the host. |
86 | Additionally, when | 84 | Additionally, when |
@@ -92,7 +90,7 @@ Whenever a client connects, the daemon responds with its public | |||
92 | host and server keys. | 90 | host and server keys. |
93 | The client compares the | 91 | The client compares the |
94 | RSA host key against its own database to verify that it has not changed. | 92 | RSA host key against its own database to verify that it has not changed. |
95 | The client then generates a 256 bit random number. | 93 | The client then generates a 256-bit random number. |
96 | It encrypts this | 94 | It encrypts this |
97 | random number using both the host key and the server key, and sends | 95 | random number using both the host key and the server key, and sends |
98 | the encrypted number to the server. | 96 | the encrypted number to the server. |
@@ -107,9 +105,9 @@ to use from those offered by the server. | |||
107 | .Pp | 105 | .Pp |
108 | Next, the server and the client enter an authentication dialog. | 106 | Next, the server and the client enter an authentication dialog. |
109 | The client tries to authenticate itself using | 107 | The client tries to authenticate itself using |
110 | .Pa .rhosts | 108 | .Em .rhosts |
111 | authentication, | 109 | authentication, |
112 | .Pa .rhosts | 110 | .Em .rhosts |
113 | authentication combined with RSA host | 111 | authentication combined with RSA host |
114 | authentication, RSA challenge-response authentication, or password | 112 | authentication, RSA challenge-response authentication, or password |
115 | based authentication. | 113 | based authentication. |
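Review bot: changing `.Pa .rhosts` to `.Em .rhosts` on both lines is correct, since the word names the authentication method rather than a file, but the spelling of the method is now inconsistent across the patch: here it is `.Em .rhosts` with the leading dot, while the later hunks in the protocol 1 paragraph and under `/etc/hosts.equiv` use `.Em rhosts` without it. Pick one form (the dotless `rhosts` matches the existing "These files are consulted when using rhosts with RSA host authentication" context elsewhere in the diff) and use it in all three places.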
@@ -137,7 +135,8 @@ or | |||
137 | .Ql \&*NP\&* | 135 | .Ql \&*NP\&* |
138 | ). | 136 | ). |
139 | .Pp | 137 | .Pp |
140 | Rhosts authentication is normally disabled | 138 | .Em rhosts |
139 | authentication is normally disabled | ||
141 | because it is fundamentally insecure, but can be enabled in the server | 140 | because it is fundamentally insecure, but can be enabled in the server |
142 | configuration file if desired. | 141 | configuration file if desired. |
143 | System security is not improved unless | 142 | System security is not improved unless |
@@ -150,9 +149,7 @@ are disabled (thus completely disabling | |||
150 | and | 149 | and |
151 | .Xr rsh | 150 | .Xr rsh |
152 | into the machine). | 151 | into the machine). |
153 | .Pp | ||
154 | .Ss SSH protocol version 2 | 152 | .Ss SSH protocol version 2 |
155 | .Pp | ||
156 | Version 2 works similarly: | 153 | Version 2 works similarly: |
157 | Each host has a host-specific key (RSA or DSA) used to identify the host. | 154 | Each host has a host-specific key (RSA or DSA) used to identify the host. |
158 | However, when the daemon starts, it does not generate a server key. | 155 | However, when the daemon starts, it does not generate a server key. |
@@ -160,7 +157,7 @@ Forward security is provided through a Diffie-Hellman key agreement. | |||
160 | This key agreement results in a shared session key. | 157 | This key agreement results in a shared session key. |
161 | .Pp | 158 | .Pp |
162 | The rest of the session is encrypted using a symmetric cipher, currently | 159 | The rest of the session is encrypted using a symmetric cipher, currently |
163 | 128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. | 160 | 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. |
164 | The client selects the encryption algorithm | 161 | The client selects the encryption algorithm |
165 | to use from those offered by the server. | 162 | to use from those offered by the server. |
166 | Additionally, session integrity is provided | 163 | Additionally, session integrity is provided |
@@ -171,9 +168,7 @@ Protocol version 2 provides a public key based | |||
171 | user (PubkeyAuthentication) or | 168 | user (PubkeyAuthentication) or |
172 | client host (HostbasedAuthentication) authentication method, | 169 | client host (HostbasedAuthentication) authentication method, |
173 | conventional password authentication and challenge response based methods. | 170 | conventional password authentication and challenge response based methods. |
174 | .Pp | ||
175 | .Ss Command execution and data forwarding | 171 | .Ss Command execution and data forwarding |
176 | .Pp | ||
177 | If the client successfully authenticates itself, a dialog for | 172 | If the client successfully authenticates itself, a dialog for |
178 | preparing the session is entered. | 173 | preparing the session is entered. |
179 | At this time the client may request | 174 | At this time the client may request |
@@ -192,8 +187,9 @@ connections have been closed, the server sends command exit status to | |||
192 | the client, and both sides exit. | 187 | the client, and both sides exit. |
193 | .Pp | 188 | .Pp |
194 | .Nm | 189 | .Nm |
195 | can be configured using command-line options or a configuration | 190 | can be configured using command-line options or a configuration file |
196 | file. | 191 | (by default |
192 | .Xr sshd_config 5 ) . | ||
197 | Command-line options override values specified in the | 193 | Command-line options override values specified in the |
198 | configuration file. | 194 | configuration file. |
199 | .Pp | 195 | .Pp |
@@ -205,9 +201,23 @@ by executing itself with the name it was started as, i.e., | |||
205 | .Pp | 201 | .Pp |
206 | The options are as follows: | 202 | The options are as follows: |
207 | .Bl -tag -width Ds | 203 | .Bl -tag -width Ds |
204 | .It Fl 4 | ||
205 | Forces | ||
206 | .Nm | ||
207 | to use IPv4 addresses only. | ||
208 | .It Fl 6 | ||
209 | Forces | ||
210 | .Nm | ||
211 | to use IPv6 addresses only. | ||
208 | .It Fl b Ar bits | 212 | .It Fl b Ar bits |
209 | Specifies the number of bits in the ephemeral protocol version 1 | 213 | Specifies the number of bits in the ephemeral protocol version 1 |
210 | server key (default 768). | 214 | server key (default 768). |
215 | .It Fl D | ||
216 | When this option is specified, | ||
217 | .Nm | ||
218 | will not detach and does not become a daemon. | ||
219 | This allows easy monitoring of | ||
220 | .Nm sshd . | ||
211 | .It Fl d | 221 | .It Fl d |
212 | Debug mode. | 222 | Debug mode. |
213 | The server sends verbose debug output to the system | 223 | The server sends verbose debug output to the system |
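Review bot: the `-4`, `-6` and `-D` entries inserted here are the same text as the entries deleted from the end of the list in a later hunk, so this is a pure move into the order used by the SYNOPSIS (`46Ddeiqt`); the only textual difference is the comma added after "When this option is specified", which reads better. The `-D` entry still spells out `.Nm sshd .` where the rest of the list uses a bare `.Nm`; consider normalizing that while the text is being moved.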
@@ -267,7 +277,7 @@ be feasible. | |||
267 | Specifies how often the ephemeral protocol version 1 server key is | 277 | Specifies how often the ephemeral protocol version 1 server key is |
268 | regenerated (default 3600 seconds, or one hour). | 278 | regenerated (default 3600 seconds, or one hour). |
269 | The motivation for regenerating the key fairly | 279 | The motivation for regenerating the key fairly |
270 | often is that the key is not stored anywhere, and after about an hour, | 280 | often is that the key is not stored anywhere, and after about an hour |
271 | it becomes impossible to recover the key for decrypting intercepted | 281 | it becomes impossible to recover the key for decrypting intercepted |
272 | communications even if the machine is cracked into or physically | 282 | communications even if the machine is cracked into or physically |
273 | seized. | 283 | seized. |
@@ -276,6 +286,8 @@ A value of zero indicates that the key will never be regenerated. | |||
276 | Can be used to give options in the format used in the configuration file. | 286 | Can be used to give options in the format used in the configuration file. |
277 | This is useful for specifying options for which there is no separate | 287 | This is useful for specifying options for which there is no separate |
278 | command-line flag. | 288 | command-line flag. |
289 | For full details of the options, and their values, see | ||
290 | .Xr sshd_config 5 . | ||
279 | .It Fl p Ar port | 291 | .It Fl p Ar port |
280 | Specifies the port on which the server listens for connections | 292 | Specifies the port on which the server listens for connections |
281 | (default 22). | 293 | (default 22). |
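Review bot: in the sentence added under `-o`, the comma in "the options, and their values," sets off a restrictive conjunct and should go: "For full details of the options and their values, see". Pointing readers of `-o` at `.Xr sshd_config 5` is the right fix, since that is where the option names and value syntax are documented.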
@@ -325,20 +337,6 @@ USER@HOST pattern in | |||
325 | .Cm AllowUsers | 337 | .Cm AllowUsers |
326 | or | 338 | or |
327 | .Cm DenyUsers . | 339 | .Cm DenyUsers . |
328 | .It Fl D | ||
329 | When this option is specified | ||
330 | .Nm | ||
331 | will not detach and does not become a daemon. | ||
332 | This allows easy monitoring of | ||
333 | .Nm sshd . | ||
334 | .It Fl 4 | ||
335 | Forces | ||
336 | .Nm | ||
337 | to use IPv4 addresses only. | ||
338 | .It Fl 6 | ||
339 | Forces | ||
340 | .Nm | ||
341 | to use IPv6 addresses only. | ||
342 | .El | 340 | .El |
343 | .Sh CONFIGURATION FILE | 341 | .Sh CONFIGURATION FILE |
344 | .Nm | 342 | .Nm |
@@ -375,9 +373,9 @@ Changes to run with normal user privileges. | |||
375 | .It | 373 | .It |
376 | Sets up basic environment. | 374 | Sets up basic environment. |
377 | .It | 375 | .It |
378 | Reads | 376 | Reads the file |
379 | .Pa $HOME/.ssh/environment | 377 | .Pa $HOME/.ssh/environment , |
380 | if it exists and users are allowed to change their environment. | 378 | if it exists, and users are allowed to change their environment. |
381 | See the | 379 | See the |
382 | .Cm PermitUserEnvironment | 380 | .Cm PermitUserEnvironment |
383 | option in | 381 | option in |
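Review bot: the comma added after "if it exists" changes the sense of the sentence: read with both commas, "and users are allowed to change their environment" no longer binds to "if", so the text stops saying that both conditions must hold before the file is read. Since reading this file is gated by the `PermitUserEnvironment` option referenced two lines later, suggest keeping the conjunction together: "if it exists and users are allowed to change their environment." The comma after the `.Pa` argument is fine.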
@@ -516,7 +514,7 @@ Limit local | |||
516 | port forwarding such that it may only connect to the specified host and | 514 | port forwarding such that it may only connect to the specified host and |
517 | port. | 515 | port. |
518 | IPv6 addresses can be specified with an alternative syntax: | 516 | IPv6 addresses can be specified with an alternative syntax: |
519 | .Ar host/port . | 517 | .Ar host Ns / Ns Ar port . |
520 | Multiple | 518 | Multiple |
521 | .Cm permitopen | 519 | .Cm permitopen |
522 | options may be applied separated by commas. | 520 | options may be applied separated by commas. |
@@ -524,13 +522,13 @@ No pattern matching is performed on the specified hostnames, | |||
524 | they must be literal domains or addresses. | 522 | they must be literal domains or addresses. |
525 | .El | 523 | .El |
526 | .Ss Examples | 524 | .Ss Examples |
527 | 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar | 525 | 1024 33 12121...312314325 ylo@foo.bar |
528 | .Pp | 526 | .Pp |
529 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula | 527 | from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
530 | .Pp | 528 | .Pp |
531 | command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi | 529 | command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi |
532 | .Pp | 530 | .Pp |
533 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 | 531 | permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
534 | .Sh SSH_KNOWN_HOSTS FILE FORMAT | 532 | .Sh SSH_KNOWN_HOSTS FILE FORMAT |
535 | The | 533 | The |
536 | .Pa /etc/ssh/ssh_known_hosts | 534 | .Pa /etc/ssh/ssh_known_hosts |
@@ -588,7 +586,7 @@ or by taking | |||
588 | and adding the host names at the front. | 586 | and adding the host names at the front. |
589 | .Ss Examples | 587 | .Ss Examples |
590 | .Bd -literal | 588 | .Bd -literal |
591 | closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi | 589 | closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
592 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= | 590 | cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
593 | .Ed | 591 | .Ed |
594 | .Sh FILES | 592 | .Sh FILES |
@@ -647,7 +645,7 @@ and/or | |||
647 | .Pa id_rsa.pub | 645 | .Pa id_rsa.pub |
648 | files into this file, as described in | 646 | files into this file, as described in |
649 | .Xr ssh-keygen 1 . | 647 | .Xr ssh-keygen 1 . |
650 | .It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts" | 648 | .It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" |
651 | These files are consulted when using rhosts with RSA host | 649 | These files are consulted when using rhosts with RSA host |
652 | authentication or protocol version 2 hostbased authentication | 650 | authentication or protocol version 2 hostbased authentication |
653 | to check the public key of the host. | 651 | to check the public key of the host. |
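Review bot: on the `.It Pa` line, attaching the comma directly to the closing quote (`"/etc/ssh/ssh_known_hosts",`) relies on roff quote parsing to do the right thing; since neither path contains whitespace the quotes are unnecessary, and the comma can be passed as its own punctuation argument, e.g. `.It Pa /etc/ssh/ssh_known_hosts , Pa $HOME/.ssh/known_hosts`, which mdoc renders with the comma closed up. Replacing "and" with a comma in the list heading is itself fine.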
@@ -681,7 +679,7 @@ The file must | |||
681 | be writable only by the user; it is recommended that it not be | 679 | be writable only by the user; it is recommended that it not be |
682 | accessible by others. | 680 | accessible by others. |
683 | .Pp | 681 | .Pp |
684 | If is also possible to use netgroups in the file. | 682 | It is also possible to use netgroups in the file. |
685 | Either host or user | 683 | Either host or user |
686 | name may be of the form +@groupname to specify all hosts or all users | 684 | name may be of the form +@groupname to specify all hosts or all users |
687 | in the group. | 685 | in the group. |
@@ -693,7 +691,7 @@ However, this file is | |||
693 | not used by rlogin and rshd, so using this permits access using SSH only. | 691 | not used by rlogin and rshd, so using this permits access using SSH only. |
694 | .It Pa /etc/hosts.equiv | 692 | .It Pa /etc/hosts.equiv |
695 | This file is used during | 693 | This file is used during |
696 | .Pa .rhosts | 694 | .Em rhosts |
697 | authentication. | 695 | authentication. |
698 | In the simplest form, this file contains host names, one per line. | 696 | In the simplest form, this file contains host names, one per line. |
699 | Users on | 697 | Users on |
@@ -800,9 +798,12 @@ This file should be writable only by root, and should be world-readable. | |||
800 | .Xr ssh-add 1 , | 798 | .Xr ssh-add 1 , |
801 | .Xr ssh-agent 1 , | 799 | .Xr ssh-agent 1 , |
802 | .Xr ssh-keygen 1 , | 800 | .Xr ssh-keygen 1 , |
801 | .Xr chroot 2 , | ||
802 | .Xr hosts_access 5 , | ||
803 | .Xr login.conf 5 , | 803 | .Xr login.conf 5 , |
804 | .Xr moduli 5 , | 804 | .Xr moduli 5 , |
805 | .Xr sshd_config 5 , | 805 | .Xr sshd_config 5 , |
806 | .Xr inetd 8 , | ||
806 | .Xr sftp-server 8 | 807 | .Xr sftp-server 8 |
807 | .Rs | 808 | .Rs |
808 | .%A T. Ylonen | 809 | .%A T. Ylonen |
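Review bot: the three new SEE ALSO entries are inserted in the right mdoc order (by section, then alphabetically within a section), but the hunks shown here include no body text that introduces `chroot`, `hosts_access` or `inetd`; before merging, confirm that each has a corresponding mention in the page (the `-i` flag in the SYNOPSIS is the obvious hook for `.Xr inetd 8`), since a SEE ALSO entry with nothing referring to it reads as a dangling cross-reference.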