1.\" -*- nroff -*-
| |
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
14.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
15.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
16.\"
17.\" Redistribution and use in source and binary forms, with or without
18.\" modification, are permitted provided that the following conditions
19.\" are met:
20.\" 1. Redistributions of source code must retain the above copyright
21.\" notice, this list of conditions and the following disclaimer.
22.\" 2. Redistributions in binary form must reproduce the above copyright
23.\" notice, this list of conditions and the following disclaimer in the
24.\" documentation and/or other materials provided with the distribution.
25.\"
26.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
| 1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\" notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\" notice, this list of conditions and the following disclaimer in the
23.\" documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
|
37.\" $OpenBSD: sshd.8,v 1.257 2010/08/04 05:37:01 djm Exp $
38.\" $FreeBSD: head/crypto/openssh/sshd.8 215116 2010-11-11 11:46:19Z des $
39.Dd August 4, 2010
| 36.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $
37.\" $FreeBSD: head/crypto/openssh/sshd.8 221420 2011-05-04 07:34:44Z des $
38.Dd October 28, 2010
|
40.Dt SSHD 8
41.Os
42.Sh NAME
43.Nm sshd
44.Nd OpenSSH SSH daemon
45.Sh SYNOPSIS
46.Nm sshd
47.Bk -words
48.Op Fl 46DdeiqTt
49.Op Fl b Ar bits
50.Op Fl C Ar connection_spec
51.Op Fl c Ar host_certificate_file
52.Op Fl f Ar config_file
53.Op Fl g Ar login_grace_time
54.Op Fl h Ar host_key_file
55.Op Fl k Ar key_gen_time
56.Op Fl o Ar option
57.Op Fl p Ar port
58.Op Fl u Ar len
59.Ek
60.Sh DESCRIPTION
61.Nm
62(OpenSSH Daemon) is the daemon program for
63.Xr ssh 1 .
64Together these programs replace
65.Xr rlogin 1
66and
67.Xr rsh 1 ,
68and provide secure encrypted communications between two untrusted hosts
69over an insecure network.
70.Pp
71.Nm
72listens for connections from clients.
73It is normally started at boot from
74.Pa /etc/rc.d/sshd .
75It forks a new
76daemon for each incoming connection.
77The forked daemons handle
78key exchange, encryption, authentication, command execution,
79and data exchange.
80.Pp
81.Nm
82can be configured using command-line options or a configuration file
83(by default
84.Xr sshd_config 5 ) ;
85command-line options override values specified in the
86configuration file.
87.Nm
88rereads its configuration file when it receives a hangup signal,
89.Dv SIGHUP ,
90by executing itself with the name and options it was started with, e.g.\&
91.Pa /usr/sbin/sshd .
92.Pp
93The options are as follows:
94.Bl -tag -width Ds
95.It Fl 4
96Forces
97.Nm
98to use IPv4 addresses only.
99.It Fl 6
100Forces
101.Nm
102to use IPv6 addresses only.
103.It Fl b Ar bits
104Specifies the number of bits in the ephemeral protocol version 1
105server key (default 1024).
106.It Fl C Ar connection_spec
107Specify the connection parameters to use for the
108.Fl T
109extended test mode.
110If provided, any
111.Cm Match
112directives in the configuration file
113that would apply to the specified user, host, and address will be set before
114the configuration is written to standard output.
115The connection parameters are supplied as keyword=value pairs.
116The keywords are
117.Dq user ,
118.Dq host ,
119and
120.Dq addr .
121All are required and may be supplied in any order, either with multiple
122.Fl C
123options or as a comma-separated list.
124.It Fl c Ar host_certificate_file
125Specifies a path to a certificate file to identify
126.Nm
127during key exchange.
128The certificate file must match a host key file specified using the
129.Fl h
130option or the
131.Cm HostKey
132configuration directive.
133.It Fl D
134When this option is specified,
135.Nm
136will not detach and does not become a daemon.
137This allows easy monitoring of
138.Nm sshd .
139.It Fl d
140Debug mode.
141The server sends verbose debug output to standard error,
142and does not put itself in the background.
143The server also will not fork and will only process one connection.
144This option is only intended for debugging for the server.
145Multiple
146.Fl d
147options increase the debugging level.
148Maximum is 3.
149.It Fl e
150When this option is specified,
151.Nm
152will send the output to the standard error instead of the system log.
153.It Fl f Ar config_file
154Specifies the name of the configuration file.
155The default is
156.Pa /etc/ssh/sshd_config .
157.Nm
158refuses to start if there is no configuration file.
159.It Fl g Ar login_grace_time
160Gives the grace time for clients to authenticate themselves (default
161120 seconds).
162If the client fails to authenticate the user within
163this many seconds, the server disconnects and exits.
164A value of zero indicates no limit.
165.It Fl h Ar host_key_file
166Specifies a file from which a host key is read.
167This option must be given if
168.Nm
169is not run as root (as the normal
170host key files are normally not readable by anyone but root).
171The default is
172.Pa /etc/ssh/ssh_host_key
173for protocol version 1, and
| 39.Dt SSHD 8
40.Os
41.Sh NAME
42.Nm sshd
43.Nd OpenSSH SSH daemon
44.Sh SYNOPSIS
45.Nm sshd
46.Bk -words
47.Op Fl 46DdeiqTt
48.Op Fl b Ar bits
49.Op Fl C Ar connection_spec
50.Op Fl c Ar host_certificate_file
51.Op Fl f Ar config_file
52.Op Fl g Ar login_grace_time
53.Op Fl h Ar host_key_file
54.Op Fl k Ar key_gen_time
55.Op Fl o Ar option
56.Op Fl p Ar port
57.Op Fl u Ar len
58.Ek
59.Sh DESCRIPTION
60.Nm
61(OpenSSH Daemon) is the daemon program for
62.Xr ssh 1 .
63Together these programs replace
64.Xr rlogin 1
65and
66.Xr rsh 1 ,
67and provide secure encrypted communications between two untrusted hosts
68over an insecure network.
69.Pp
70.Nm
71listens for connections from clients.
72It is normally started at boot from
73.Pa /etc/rc.d/sshd .
74It forks a new
75daemon for each incoming connection.
76The forked daemons handle
77key exchange, encryption, authentication, command execution,
78and data exchange.
79.Pp
80.Nm
81can be configured using command-line options or a configuration file
82(by default
83.Xr sshd_config 5 ) ;
84command-line options override values specified in the
85configuration file.
86.Nm
87rereads its configuration file when it receives a hangup signal,
88.Dv SIGHUP ,
89by executing itself with the name and options it was started with, e.g.\&
90.Pa /usr/sbin/sshd .
91.Pp
92The options are as follows:
93.Bl -tag -width Ds
94.It Fl 4
95Forces
96.Nm
97to use IPv4 addresses only.
98.It Fl 6
99Forces
100.Nm
101to use IPv6 addresses only.
102.It Fl b Ar bits
103Specifies the number of bits in the ephemeral protocol version 1
104server key (default 1024).
105.It Fl C Ar connection_spec
106Specify the connection parameters to use for the
107.Fl T
108extended test mode.
109If provided, any
110.Cm Match
111directives in the configuration file
112that would apply to the specified user, host, and address will be set before
113the configuration is written to standard output.
114The connection parameters are supplied as keyword=value pairs.
115The keywords are
116.Dq user ,
117.Dq host ,
118and
119.Dq addr .
120All are required and may be supplied in any order, either with multiple
121.Fl C
122options or as a comma-separated list.
123.It Fl c Ar host_certificate_file
124Specifies a path to a certificate file to identify
125.Nm
126during key exchange.
127The certificate file must match a host key file specified using the
128.Fl h
129option or the
130.Cm HostKey
131configuration directive.
132.It Fl D
133When this option is specified,
134.Nm
135will not detach and does not become a daemon.
136This allows easy monitoring of
137.Nm sshd .
138.It Fl d
139Debug mode.
140The server sends verbose debug output to standard error,
141and does not put itself in the background.
142The server also will not fork and will only process one connection.
143This option is only intended for debugging for the server.
144Multiple
145.Fl d
146options increase the debugging level.
147Maximum is 3.
148.It Fl e
149When this option is specified,
150.Nm
151will send the output to the standard error instead of the system log.
152.It Fl f Ar config_file
153Specifies the name of the configuration file.
154The default is
155.Pa /etc/ssh/sshd_config .
156.Nm
157refuses to start if there is no configuration file.
158.It Fl g Ar login_grace_time
159Gives the grace time for clients to authenticate themselves (default
160120 seconds).
161If the client fails to authenticate the user within
162this many seconds, the server disconnects and exits.
163A value of zero indicates no limit.
164.It Fl h Ar host_key_file
165Specifies a file from which a host key is read.
166This option must be given if
167.Nm
168is not run as root (as the normal
169host key files are normally not readable by anyone but root).
170The default is
171.Pa /etc/ssh/ssh_host_key
172for protocol version 1, and
|
174.Pa /etc/ssh/ssh_host_rsa_key
| 173.Pa /etc/ssh/ssh_host_dsa_key ,
174.Pa /etc/ssh/ssh_host_ecdsa_key
|
175and
| 175and
|
176.Pa /etc/ssh/ssh_host_dsa_key
| 176.Pa /etc/ssh/ssh_host_rsa_key
|
177for protocol version 2.
178It is possible to have multiple host key files for
179the different protocol versions and host key algorithms.
180.It Fl i
181Specifies that
182.Nm
183is being run from
184.Xr inetd 8 .
185.Nm
186is normally not run
187from inetd because it needs to generate the server key before it can
188respond to the client, and this may take tens of seconds.
189Clients would have to wait too long if the key was regenerated every time.
190However, with small key sizes (e.g. 512) using
191.Nm
192from inetd may
193be feasible.
194.It Fl k Ar key_gen_time
195Specifies how often the ephemeral protocol version 1 server key is
196regenerated (default 3600 seconds, or one hour).
197The motivation for regenerating the key fairly
198often is that the key is not stored anywhere, and after about an hour
199it becomes impossible to recover the key for decrypting intercepted
200communications even if the machine is cracked into or physically
201seized.
202A value of zero indicates that the key will never be regenerated.
203.It Fl o Ar option
204Can be used to give options in the format used in the configuration file.
205This is useful for specifying options for which there is no separate
206command-line flag.
207For full details of the options, and their values, see
208.Xr sshd_config 5 .
209.It Fl p Ar port
210Specifies the port on which the server listens for connections
211(default 22).
212Multiple port options are permitted.
213Ports specified in the configuration file with the
214.Cm Port
215option are ignored when a command-line port is specified.
216Ports specified using the
217.Cm ListenAddress
218option override command-line ports.
219.It Fl q
220Quiet mode.
221Nothing is sent to the system log.
222Normally the beginning,
223authentication, and termination of each connection is logged.
224.It Fl T
225Extended test mode.
226Check the validity of the configuration file, output the effective configuration
227to stdout and then exit.
228Optionally,
229.Cm Match
230rules may be applied by specifying the connection parameters using one or more
231.Fl C
232options.
233.It Fl t
234Test mode.
235Only check the validity of the configuration file and sanity of the keys.
236This is useful for updating
237.Nm
238reliably as configuration options may change.
239.It Fl u Ar len
240This option is used to specify the size of the field
241in the
242.Li utmp
243structure that holds the remote host name.
244If the resolved host name is longer than
245.Ar len ,
246the dotted decimal value will be used instead.
247This allows hosts with very long host names that
248overflow this field to still be uniquely identified.
249Specifying
250.Fl u0
251indicates that only dotted decimal addresses
252should be put into the
253.Pa utmp
254file.
255.Fl u0
256may also be used to prevent
257.Nm
258from making DNS requests unless the authentication
259mechanism or configuration requires it.
260Authentication mechanisms that may require DNS include
261.Cm RhostsRSAAuthentication ,
262.Cm HostbasedAuthentication ,
263and using a
264.Cm from="pattern-list"
265option in a key file.
266Configuration options that require DNS include using a
267USER@HOST pattern in
268.Cm AllowUsers
269or
270.Cm DenyUsers .
271.El
272.Sh AUTHENTICATION
273The OpenSSH SSH daemon supports SSH protocols 1 and 2.
274The default is to use protocol 2 only,
275though this can be changed via the
276.Cm Protocol
277option in
278.Xr sshd_config 5 .
| 177for protocol version 2.
178It is possible to have multiple host key files for
179the different protocol versions and host key algorithms.
180.It Fl i
181Specifies that
182.Nm
183is being run from
184.Xr inetd 8 .
185.Nm
186is normally not run
187from inetd because it needs to generate the server key before it can
188respond to the client, and this may take tens of seconds.
189Clients would have to wait too long if the key was regenerated every time.
190However, with small key sizes (e.g. 512) using
191.Nm
192from inetd may
193be feasible.
194.It Fl k Ar key_gen_time
195Specifies how often the ephemeral protocol version 1 server key is
196regenerated (default 3600 seconds, or one hour).
197The motivation for regenerating the key fairly
198often is that the key is not stored anywhere, and after about an hour
199it becomes impossible to recover the key for decrypting intercepted
200communications even if the machine is cracked into or physically
201seized.
202A value of zero indicates that the key will never be regenerated.
203.It Fl o Ar option
204Can be used to give options in the format used in the configuration file.
205This is useful for specifying options for which there is no separate
206command-line flag.
207For full details of the options, and their values, see
208.Xr sshd_config 5 .
209.It Fl p Ar port
210Specifies the port on which the server listens for connections
211(default 22).
212Multiple port options are permitted.
213Ports specified in the configuration file with the
214.Cm Port
215option are ignored when a command-line port is specified.
216Ports specified using the
217.Cm ListenAddress
218option override command-line ports.
219.It Fl q
220Quiet mode.
221Nothing is sent to the system log.
222Normally the beginning,
223authentication, and termination of each connection is logged.
224.It Fl T
225Extended test mode.
226Check the validity of the configuration file, output the effective configuration
227to stdout and then exit.
228Optionally,
229.Cm Match
230rules may be applied by specifying the connection parameters using one or more
231.Fl C
232options.
233.It Fl t
234Test mode.
235Only check the validity of the configuration file and sanity of the keys.
236This is useful for updating
237.Nm
238reliably as configuration options may change.
239.It Fl u Ar len
240This option is used to specify the size of the field
241in the
242.Li utmp
243structure that holds the remote host name.
244If the resolved host name is longer than
245.Ar len ,
246the dotted decimal value will be used instead.
247This allows hosts with very long host names that
248overflow this field to still be uniquely identified.
249Specifying
250.Fl u0
251indicates that only dotted decimal addresses
252should be put into the
253.Pa utmp
254file.
255.Fl u0
256may also be used to prevent
257.Nm
258from making DNS requests unless the authentication
259mechanism or configuration requires it.
260Authentication mechanisms that may require DNS include
261.Cm RhostsRSAAuthentication ,
262.Cm HostbasedAuthentication ,
263and using a
264.Cm from="pattern-list"
265option in a key file.
266Configuration options that require DNS include using a
267USER@HOST pattern in
268.Cm AllowUsers
269or
270.Cm DenyUsers .
271.El
272.Sh AUTHENTICATION
273The OpenSSH SSH daemon supports SSH protocols 1 and 2.
274The default is to use protocol 2 only,
275though this can be changed via the
276.Cm Protocol
277option in
278.Xr sshd_config 5 .
|
279Protocol 2 supports both RSA and DSA keys;
| 279Protocol 2 supports DSA, ECDSA and RSA keys;
|
280protocol 1 only supports RSA keys.
281For both protocols,
282each host has a host-specific key,
283normally 2048 bits,
284used to identify the host.
285.Pp
286Forward security for protocol 1 is provided through
287an additional server key,
288normally 768 bits,
289generated when the server starts.
290This key is normally regenerated every hour if it has been used, and
291is never stored on disk.
292Whenever a client connects, the daemon responds with its public
293host and server keys.
294The client compares the
295RSA host key against its own database to verify that it has not changed.
296The client then generates a 256-bit random number.
297It encrypts this
298random number using both the host key and the server key, and sends
299the encrypted number to the server.
300Both sides then use this
301random number as a session key which is used to encrypt all further
302communications in the session.
303The rest of the session is encrypted
304using a conventional cipher, currently Blowfish or 3DES, with 3DES
305being used by default.
306The client selects the encryption algorithm
307to use from those offered by the server.
308.Pp
309For protocol 2,
310forward security is provided through a Diffie-Hellman key agreement.
311This key agreement results in a shared session key.
312The rest of the session is encrypted using a symmetric cipher, currently
313128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
314The client selects the encryption algorithm
315to use from those offered by the server.
316Additionally, session integrity is provided
317through a cryptographic message authentication code
318(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
319.Pp
320Finally, the server and the client enter an authentication dialog.
321The client tries to authenticate itself using
322host-based authentication,
323public key authentication,
324challenge-response authentication,
325or password authentication.
326.Pp
327Regardless of the authentication type, the account is checked to
328ensure that it is accessible. An account is not accessible if it is
329locked, listed in
330.Cm DenyUsers
331or its group is listed in
332.Cm DenyGroups
333\&. The definition of a locked account is system dependant. Some platforms
334have their own account database (eg AIX) and some modify the passwd field (
335.Ql \&*LK\&*
336on Solaris and UnixWare,
337.Ql \&*
338on HP-UX, containing
339.Ql Nologin
340on Tru64,
341a leading
342.Ql \&*LOCKED\&*
343on FreeBSD and a leading
344.Ql \&!
345on most Linuxes).
346If there is a requirement to disable password authentication
347for the account while allowing still public-key, then the passwd field
348should be set to something other than these values (eg
349.Ql NP
350or
351.Ql \&*NP\&*
352).
353.Pp
354If the client successfully authenticates itself, a dialog for
355preparing the session is entered.
356At this time the client may request
357things like allocating a pseudo-tty, forwarding X11 connections,
358forwarding TCP connections, or forwarding the authentication agent
359connection over the secure channel.
360.Pp
361After this, the client either requests a shell or execution of a command.
362The sides then enter session mode.
363In this mode, either side may send
364data at any time, and such data is forwarded to/from the shell or
365command on the server side, and the user terminal in the client side.
366.Pp
367When the user program terminates and all forwarded X11 and other
368connections have been closed, the server sends command exit status to
369the client, and both sides exit.
370.Sh LOGIN PROCESS
371When a user successfully logs in,
372.Nm
373does the following:
374.Bl -enum -offset indent
375.It
376If the login is on a tty, and no command has been specified,
377prints last login time and
378.Pa /etc/motd
379(unless prevented in the configuration file or by
380.Pa ~/.hushlogin ;
381see the
382.Sx FILES
383section).
384.It
385If the login is on a tty, records login time.
386.It
387Checks
388.Pa /etc/nologin and
389.Pa /var/run/nologin ;
390if one exists, it prints the contents and quits
391(unless root).
392.It
393Changes to run with normal user privileges.
394.It
395Sets up basic environment.
396.It
397Reads the file
398.Pa ~/.ssh/environment ,
399if it exists, and users are allowed to change their environment.
400See the
401.Cm PermitUserEnvironment
402option in
403.Xr sshd_config 5 .
404.It
405Changes to user's home directory.
406.It
407If
408.Pa ~/.ssh/rc
409exists, runs it; else if
410.Pa /etc/ssh/sshrc
411exists, runs
412it; otherwise runs
413.Xr xauth 1 .
414The
415.Dq rc
416files are given the X11
417authentication protocol and cookie in standard input.
418See
419.Sx SSHRC ,
420below.
421.It
422Runs user's shell or command.
423.El
424.Sh SSHRC
425If the file
426.Pa ~/.ssh/rc
427exists,
428.Xr sh 1
429runs it after reading the
430environment files but before starting the user's shell or command.
431It must not produce any output on stdout; stderr must be used
432instead.
433If X11 forwarding is in use, it will receive the "proto cookie" pair in
434its standard input (and
435.Ev DISPLAY
436in its environment).
437The script must call
438.Xr xauth 1
439because
440.Nm
441will not run xauth automatically to add X11 cookies.
442.Pp
443The primary purpose of this file is to run any initialization routines
444which may be needed before the user's home directory becomes
445accessible; AFS is a particular example of such an environment.
446.Pp
447This file will probably contain some initialization code followed by
448something similar to:
449.Bd -literal -offset 3n
450if read proto cookie && [ -n "$DISPLAY" ]; then
451 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
452 # X11UseLocalhost=yes
453 echo add unix:`echo $DISPLAY |
454 cut -c11-` $proto $cookie
455 else
456 # X11UseLocalhost=no
457 echo add $DISPLAY $proto $cookie
458 fi | xauth -q -
459fi
460.Ed
461.Pp
462If this file does not exist,
463.Pa /etc/ssh/sshrc
464is run, and if that
465does not exist either, xauth is used to add the cookie.
466.Sh AUTHORIZED_KEYS FILE FORMAT
467.Cm AuthorizedKeysFile
468specifies the file containing public keys for
469public key authentication;
470if none is specified, the default is
471.Pa ~/.ssh/authorized_keys .
472Each line of the file contains one
473key (empty lines and lines starting with a
474.Ql #
475are ignored as
476comments).
477Protocol 1 public keys consist of the following space-separated fields:
478options, bits, exponent, modulus, comment.
479Protocol 2 public key consist of:
480options, keytype, base64-encoded key, comment.
481The options field is optional;
482its presence is determined by whether the line starts
483with a number or not (the options field never starts with a number).
484The bits, exponent, modulus, and comment fields give the RSA key for
485protocol version 1; the
486comment field is not used for anything (but may be convenient for the
487user to identify the key).
488For protocol version 2 the keytype is
| 280protocol 1 only supports RSA keys.
281For both protocols,
282each host has a host-specific key,
283normally 2048 bits,
284used to identify the host.
285.Pp
286Forward security for protocol 1 is provided through
287an additional server key,
288normally 768 bits,
289generated when the server starts.
290This key is normally regenerated every hour if it has been used, and
291is never stored on disk.
292Whenever a client connects, the daemon responds with its public
293host and server keys.
294The client compares the
295RSA host key against its own database to verify that it has not changed.
296The client then generates a 256-bit random number.
297It encrypts this
298random number using both the host key and the server key, and sends
299the encrypted number to the server.
300Both sides then use this
301random number as a session key which is used to encrypt all further
302communications in the session.
303The rest of the session is encrypted
304using a conventional cipher, currently Blowfish or 3DES, with 3DES
305being used by default.
306The client selects the encryption algorithm
307to use from those offered by the server.
308.Pp
309For protocol 2,
310forward security is provided through a Diffie-Hellman key agreement.
311This key agreement results in a shared session key.
312The rest of the session is encrypted using a symmetric cipher, currently
313128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
314The client selects the encryption algorithm
315to use from those offered by the server.
316Additionally, session integrity is provided
317through a cryptographic message authentication code
318(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
319.Pp
320Finally, the server and the client enter an authentication dialog.
321The client tries to authenticate itself using
322host-based authentication,
323public key authentication,
324challenge-response authentication,
325or password authentication.
326.Pp
327Regardless of the authentication type, the account is checked to
328ensure that it is accessible. An account is not accessible if it is
329locked, listed in
330.Cm DenyUsers
331or its group is listed in
332.Cm DenyGroups
333\&. The definition of a locked account is system dependant. Some platforms
334have their own account database (eg AIX) and some modify the passwd field (
335.Ql \&*LK\&*
336on Solaris and UnixWare,
337.Ql \&*
338on HP-UX, containing
339.Ql Nologin
340on Tru64,
341a leading
342.Ql \&*LOCKED\&*
343on FreeBSD and a leading
344.Ql \&!
345on most Linuxes).
346If there is a requirement to disable password authentication
347for the account while allowing still public-key, then the passwd field
348should be set to something other than these values (eg
349.Ql NP
350or
351.Ql \&*NP\&*
352).
353.Pp
354If the client successfully authenticates itself, a dialog for
355preparing the session is entered.
356At this time the client may request
357things like allocating a pseudo-tty, forwarding X11 connections,
358forwarding TCP connections, or forwarding the authentication agent
359connection over the secure channel.
360.Pp
361After this, the client either requests a shell or execution of a command.
362The sides then enter session mode.
363In this mode, either side may send
364data at any time, and such data is forwarded to/from the shell or
365command on the server side, and the user terminal in the client side.
366.Pp
367When the user program terminates and all forwarded X11 and other
368connections have been closed, the server sends command exit status to
369the client, and both sides exit.
370.Sh LOGIN PROCESS
371When a user successfully logs in,
372.Nm
373does the following:
374.Bl -enum -offset indent
375.It
376If the login is on a tty, and no command has been specified,
377prints last login time and
378.Pa /etc/motd
379(unless prevented in the configuration file or by
380.Pa ~/.hushlogin ;
381see the
382.Sx FILES
383section).
384.It
385If the login is on a tty, records login time.
386.It
387Checks
388.Pa /etc/nologin and
389.Pa /var/run/nologin ;
390if one exists, it prints the contents and quits
391(unless root).
392.It
393Changes to run with normal user privileges.
394.It
395Sets up basic environment.
396.It
397Reads the file
398.Pa ~/.ssh/environment ,
399if it exists, and users are allowed to change their environment.
400See the
401.Cm PermitUserEnvironment
402option in
403.Xr sshd_config 5 .
404.It
405Changes to user's home directory.
406.It
407If
408.Pa ~/.ssh/rc
409exists, runs it; else if
410.Pa /etc/ssh/sshrc
411exists, runs
412it; otherwise runs
413.Xr xauth 1 .
414The
415.Dq rc
416files are given the X11
417authentication protocol and cookie in standard input.
418See
419.Sx SSHRC ,
420below.
421.It
422Runs user's shell or command.
423.El
424.Sh SSHRC
425If the file
426.Pa ~/.ssh/rc
427exists,
428.Xr sh 1
429runs it after reading the
430environment files but before starting the user's shell or command.
431It must not produce any output on stdout; stderr must be used
432instead.
433If X11 forwarding is in use, it will receive the "proto cookie" pair in
434its standard input (and
435.Ev DISPLAY
436in its environment).
437The script must call
438.Xr xauth 1
439because
440.Nm
441will not run xauth automatically to add X11 cookies.
442.Pp
443The primary purpose of this file is to run any initialization routines
444which may be needed before the user's home directory becomes
445accessible; AFS is a particular example of such an environment.
446.Pp
447This file will probably contain some initialization code followed by
448something similar to:
449.Bd -literal -offset 3n
450if read proto cookie && [ -n "$DISPLAY" ]; then
451 if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
452 # X11UseLocalhost=yes
453 echo add unix:`echo $DISPLAY |
454 cut -c11-` $proto $cookie
455 else
456 # X11UseLocalhost=no
457 echo add $DISPLAY $proto $cookie
458 fi | xauth -q -
459fi
460.Ed
461.Pp
462If this file does not exist,
463.Pa /etc/ssh/sshrc
464is run, and if that
465does not exist either, xauth is used to add the cookie.
466.Sh AUTHORIZED_KEYS FILE FORMAT
467.Cm AuthorizedKeysFile
468specifies the file containing public keys for
469public key authentication;
470if none is specified, the default is
471.Pa ~/.ssh/authorized_keys .
472Each line of the file contains one
473key (empty lines and lines starting with a
474.Ql #
475are ignored as
476comments).
477Protocol 1 public keys consist of the following space-separated fields:
478options, bits, exponent, modulus, comment.
479Protocol 2 public key consist of:
480options, keytype, base64-encoded key, comment.
481The options field is optional;
482its presence is determined by whether the line starts
483with a number or not (the options field never starts with a number).
484The bits, exponent, modulus, and comment fields give the RSA key for
485protocol version 1; the
486comment field is not used for anything (but may be convenient for the
487user to identify the key).
488For protocol version 2 the keytype is
|
| 489.Dq ecdsa-sha2-nistp256 ,
490.Dq ecdsa-sha2-nistp384 ,
491.Dq ecdsa-sha2-nistp521 ,
|
489.Dq ssh-dss
490or
491.Dq ssh-rsa .
492.Pp
493Note that lines in this file are usually several hundred bytes long
494(because of the size of the public key encoding) up to a limit of
4958 kilobytes, which permits DSA keys up to 8 kilobits and RSA
496keys up to 16 kilobits.
497You don't want to type them in; instead, copy the
498.Pa identity.pub ,
499.Pa id_dsa.pub ,
| 492.Dq ssh-dss
493or
494.Dq ssh-rsa .
495.Pp
496Note that lines in this file are usually several hundred bytes long
497(because of the size of the public key encoding) up to a limit of
4988 kilobytes, which permits DSA keys up to 8 kilobits and RSA
499keys up to 16 kilobits.
500You don't want to type them in; instead, copy the
501.Pa identity.pub ,
502.Pa id_dsa.pub ,
|
| 503.Pa id_ecdsa.pub ,
|
500or the
501.Pa id_rsa.pub
502file and edit it.
503.Pp
504.Nm
505enforces a minimum RSA key modulus size for protocol 1
506and protocol 2 keys of 768 bits.
507.Pp
508The options (if present) consist of comma-separated option
509specifications.
510No spaces are permitted, except within double quotes.
511The following option specifications are supported (note
512that option keywords are case-insensitive):
513.Bl -tag -width Ds
514.It Cm cert-authority
515Specifies that the listed key is a certification authority (CA) that is
516trusted to validate signed certificates for user authentication.
517.Pp
518Certificates may encode access restrictions similar to these key options.
519If both certificate restrictions and key options are present, the most
520restrictive union of the two is applied.
521.It Cm command="command"
522Specifies that the command is executed whenever this key is used for
523authentication.
524The command supplied by the user (if any) is ignored.
525The command is run on a pty if the client requests a pty;
526otherwise it is run without a tty.
527If an 8-bit clean channel is required,
528one must not request a pty or should specify
529.Cm no-pty .
530A quote may be included in the command by quoting it with a backslash.
531This option might be useful
532to restrict certain public keys to perform just a specific operation.
533An example might be a key that permits remote backups but nothing else.
534Note that the client may specify TCP and/or X11
535forwarding unless they are explicitly prohibited.
536The command originally supplied by the client is available in the
537.Ev SSH_ORIGINAL_COMMAND
538environment variable.
539Note that this option applies to shell, command or subsystem execution.
540Also note that this command may be superseded by either a
541.Xr sshd_config 5
542.Cm ForceCommand
543directive or a command embedded in a certificate.
544.It Cm environment="NAME=value"
545Specifies that the string is to be added to the environment when
546logging in using this key.
547Environment variables set this way
548override other default environment values.
549Multiple options of this type are permitted.
550Environment processing is disabled by default and is
551controlled via the
552.Cm PermitUserEnvironment
553option.
554This option is automatically disabled if
555.Cm UseLogin
556is enabled.
557.It Cm from="pattern-list"
558Specifies that in addition to public key authentication, either the canonical
559name of the remote host or its IP address must be present in the
560comma-separated list of patterns.
561See
562.Sx PATTERNS
563in
564.Xr ssh_config 5
565for more information on patterns.
566.Pp
567In addition to the wildcard matching that may be applied to hostnames or
568addresses, a
569.Cm from
570stanza may match IP addresses using CIDR address/masklen notation.
571.Pp
572The purpose of this option is to optionally increase security: public key
573authentication by itself does not trust the network or name servers or
574anything (but the key); however, if somebody somehow steals the key, the key
575permits an intruder to log in from anywhere in the world.
576This additional option makes using a stolen key more difficult (name
577servers and/or routers would have to be compromised in addition to
578just the key).
579.It Cm no-agent-forwarding
580Forbids authentication agent forwarding when this key is used for
581authentication.
582.It Cm no-port-forwarding
583Forbids TCP forwarding when this key is used for authentication.
584Any port forward requests by the client will return an error.
585This might be used, e.g. in connection with the
586.Cm command
587option.
588.It Cm no-pty
589Prevents tty allocation (a request to allocate a pty will fail).
590.It Cm no-user-rc
591Disables execution of
592.Pa ~/.ssh/rc .
593.It Cm no-X11-forwarding
594Forbids X11 forwarding when this key is used for authentication.
595Any X11 forward requests by the client will return an error.
596.It Cm permitopen="host:port"
597Limit local
598.Li ``ssh -L''
599port forwarding such that it may only connect to the specified host and
600port.
601IPv6 addresses can be specified by enclosing the address in square brackets.
602Multiple
603.Cm permitopen
604options may be applied separated by commas.
605No pattern matching is performed on the specified hostnames,
606they must be literal domains or addresses.
607.It Cm principals="principals"
608On a
609.Cm cert-authority
610line, specifies allowed principals for certificate authentication as a
611comma-separated list.
612At least one name from the list must appear in the certificate's
613list of principals for the certificate to be accepted.
614This option is ignored for keys that are not marked as trusted certificate
615signers using the
616.Cm cert-authority
617option.
618.It Cm tunnel="n"
619Force a
620.Xr tun 4
621device on the server.
622Without this option, the next available device will be used if
623the client requests a tunnel.
624.El
625.Pp
626An example authorized_keys file:
627.Bd -literal -offset 3n
628# Comments allowed at start of line
629ssh-rsa AAAAB3Nza...LiPk== user@example.net
630from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
631AAAAB2...19Q== john@example.net
632command="dump /home",no-pty,no-port-forwarding ssh-dss
633AAAAC3...51R== example.net
634permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
635AAAAB5...21S==
636tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
637jane@example.net
638.Ed
639.Sh SSH_KNOWN_HOSTS FILE FORMAT
640The
641.Pa /etc/ssh/ssh_known_hosts
642and
643.Pa ~/.ssh/known_hosts
644files contain host public keys for all known hosts.
645The global file should
646be prepared by the administrator (optional), and the per-user file is
647maintained automatically: whenever the user connects from an unknown host,
648its key is added to the per-user file.
649.Pp
650Each line in these files contains the following fields: markers (optional),
651hostnames, bits, exponent, modulus, comment.
652The fields are separated by spaces.
653.Pp
654The marker is optional, but if it is present then it must be one of
655.Dq @cert-authority ,
656to indicate that the line contains a certification authority (CA) key,
657or
658.Dq @revoked ,
659to indicate that the key contained on the line is revoked and must not ever
660be accepted.
661Only one marker should be used on a key line.
662.Pp
663Hostnames is a comma-separated list of patterns
664.Pf ( Ql *
665and
666.Ql \&?
667act as
668wildcards); each pattern in turn is matched against the canonical host
669name (when authenticating a client) or against the user-supplied
670name (when authenticating a server).
671A pattern may also be preceded by
672.Ql \&!
673to indicate negation: if the host name matches a negated
674pattern, it is not accepted (by that line) even if it matched another
675pattern on the line.
676A hostname or address may optionally be enclosed within
677.Ql \&[
678and
679.Ql \&]
680brackets then followed by
681.Ql \&:
682and a non-standard port number.
683.Pp
684Alternately, hostnames may be stored in a hashed form which hides host names
685and addresses should the file's contents be disclosed.
686Hashed hostnames start with a
687.Ql |
688character.
689Only one hashed hostname may appear on a single line and none of the above
690negation or wildcard operators may be applied.
691.Pp
692Bits, exponent, and modulus are taken directly from the RSA host key; they
693can be obtained, for example, from
694.Pa /etc/ssh/ssh_host_key.pub .
695The optional comment field continues to the end of the line, and is not used.
696.Pp
697Lines starting with
698.Ql #
699and empty lines are ignored as comments.
700.Pp
701When performing host authentication, authentication is accepted if any
702matching line has the proper key; either one that matches exactly or,
703if the server has presented a certificate for authentication, the key
704of the certification authority that signed the certificate.
705For a key to be trusted as a certification authority, it must use the
706.Dq @cert-authority
707marker described above.
708.Pp
709The known hosts file also provides a facility to mark keys as revoked,
710for example when it is known that the associated private key has been
711stolen.
712Revoked keys are specified by including the
713.Dq @revoked
714marker at the beginning of the key line, and are never accepted for
715authentication or as certification authorities, but instead will
716produce a warning from
717.Xr ssh 1
718when they are encountered.
719.Pp
720It is permissible (but not
721recommended) to have several lines or different host keys for the same
722names.
723This will inevitably happen when short forms of host names
724from different domains are put in the file.
725It is possible
726that the files contain conflicting information; authentication is
727accepted if valid information can be found from either file.
728.Pp
729Note that the lines in these files are typically hundreds of characters
730long, and you definitely don't want to type in the host keys by hand.
731Rather, generate them by a script,
732.Xr ssh-keyscan 1
733or by taking
734.Pa /etc/ssh/ssh_host_key.pub
735and adding the host names at the front.
736.Xr ssh-keygen 1
737also offers some basic automated editing for
738.Pa ~/.ssh/known_hosts
739including removing hosts matching a host name and converting all host
740names to their hashed representations.
741.Pp
742An example ssh_known_hosts file:
743.Bd -literal -offset 3n
744# Comments allowed at start of line
745closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
746cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
747# A hashed hostname
748|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
749AAAA1234.....=
750# A revoked key
751@revoked * ssh-rsa AAAAB5W...
752# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
753@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
754.Ed
755.Sh FILES
756.Bl -tag -width Ds -compact
| 504or the
505.Pa id_rsa.pub
506file and edit it.
507.Pp
508.Nm
509enforces a minimum RSA key modulus size for protocol 1
510and protocol 2 keys of 768 bits.
511.Pp
512The options (if present) consist of comma-separated option
513specifications.
514No spaces are permitted, except within double quotes.
515The following option specifications are supported (note
516that option keywords are case-insensitive):
517.Bl -tag -width Ds
518.It Cm cert-authority
519Specifies that the listed key is a certification authority (CA) that is
520trusted to validate signed certificates for user authentication.
521.Pp
522Certificates may encode access restrictions similar to these key options.
523If both certificate restrictions and key options are present, the most
524restrictive union of the two is applied.
525.It Cm command="command"
526Specifies that the command is executed whenever this key is used for
527authentication.
528The command supplied by the user (if any) is ignored.
529The command is run on a pty if the client requests a pty;
530otherwise it is run without a tty.
531If an 8-bit clean channel is required,
532one must not request a pty or should specify
533.Cm no-pty .
534A quote may be included in the command by quoting it with a backslash.
535This option might be useful
536to restrict certain public keys to perform just a specific operation.
537An example might be a key that permits remote backups but nothing else.
538Note that the client may specify TCP and/or X11
539forwarding unless they are explicitly prohibited.
540The command originally supplied by the client is available in the
541.Ev SSH_ORIGINAL_COMMAND
542environment variable.
543Note that this option applies to shell, command or subsystem execution.
544Also note that this command may be superseded by either a
545.Xr sshd_config 5
546.Cm ForceCommand
547directive or a command embedded in a certificate.
548.It Cm environment="NAME=value"
549Specifies that the string is to be added to the environment when
550logging in using this key.
551Environment variables set this way
552override other default environment values.
553Multiple options of this type are permitted.
554Environment processing is disabled by default and is
555controlled via the
556.Cm PermitUserEnvironment
557option.
558This option is automatically disabled if
559.Cm UseLogin
560is enabled.
561.It Cm from="pattern-list"
562Specifies that in addition to public key authentication, either the canonical
563name of the remote host or its IP address must be present in the
564comma-separated list of patterns.
565See
566.Sx PATTERNS
567in
568.Xr ssh_config 5
569for more information on patterns.
570.Pp
571In addition to the wildcard matching that may be applied to hostnames or
572addresses, a
573.Cm from
574stanza may match IP addresses using CIDR address/masklen notation.
575.Pp
576The purpose of this option is to optionally increase security: public key
577authentication by itself does not trust the network or name servers or
578anything (but the key); however, if somebody somehow steals the key, the key
579permits an intruder to log in from anywhere in the world.
580This additional option makes using a stolen key more difficult (name
581servers and/or routers would have to be compromised in addition to
582just the key).
583.It Cm no-agent-forwarding
584Forbids authentication agent forwarding when this key is used for
585authentication.
586.It Cm no-port-forwarding
587Forbids TCP forwarding when this key is used for authentication.
588Any port forward requests by the client will return an error.
589This might be used, e.g. in connection with the
590.Cm command
591option.
592.It Cm no-pty
593Prevents tty allocation (a request to allocate a pty will fail).
594.It Cm no-user-rc
595Disables execution of
596.Pa ~/.ssh/rc .
597.It Cm no-X11-forwarding
598Forbids X11 forwarding when this key is used for authentication.
599Any X11 forward requests by the client will return an error.
600.It Cm permitopen="host:port"
601Limit local
602.Li ``ssh -L''
603port forwarding such that it may only connect to the specified host and
604port.
605IPv6 addresses can be specified by enclosing the address in square brackets.
606Multiple
607.Cm permitopen
608options may be applied separated by commas.
609No pattern matching is performed on the specified hostnames,
610they must be literal domains or addresses.
611.It Cm principals="principals"
612On a
613.Cm cert-authority
614line, specifies allowed principals for certificate authentication as a
615comma-separated list.
616At least one name from the list must appear in the certificate's
617list of principals for the certificate to be accepted.
618This option is ignored for keys that are not marked as trusted certificate
619signers using the
620.Cm cert-authority
621option.
622.It Cm tunnel="n"
623Force a
624.Xr tun 4
625device on the server.
626Without this option, the next available device will be used if
627the client requests a tunnel.
628.El
629.Pp
630An example authorized_keys file:
631.Bd -literal -offset 3n
632# Comments allowed at start of line
633ssh-rsa AAAAB3Nza...LiPk== user@example.net
634from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
635AAAAB2...19Q== john@example.net
636command="dump /home",no-pty,no-port-forwarding ssh-dss
637AAAAC3...51R== example.net
638permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
639AAAAB5...21S==
640tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
641jane@example.net
642.Ed
643.Sh SSH_KNOWN_HOSTS FILE FORMAT
644The
645.Pa /etc/ssh/ssh_known_hosts
646and
647.Pa ~/.ssh/known_hosts
648files contain host public keys for all known hosts.
649The global file should
650be prepared by the administrator (optional), and the per-user file is
651maintained automatically: whenever the user connects from an unknown host,
652its key is added to the per-user file.
653.Pp
654Each line in these files contains the following fields: markers (optional),
655hostnames, bits, exponent, modulus, comment.
656The fields are separated by spaces.
657.Pp
658The marker is optional, but if it is present then it must be one of
659.Dq @cert-authority ,
660to indicate that the line contains a certification authority (CA) key,
661or
662.Dq @revoked ,
663to indicate that the key contained on the line is revoked and must not ever
664be accepted.
665Only one marker should be used on a key line.
666.Pp
667Hostnames is a comma-separated list of patterns
668.Pf ( Ql *
669and
670.Ql \&?
671act as
672wildcards); each pattern in turn is matched against the canonical host
673name (when authenticating a client) or against the user-supplied
674name (when authenticating a server).
675A pattern may also be preceded by
676.Ql \&!
677to indicate negation: if the host name matches a negated
678pattern, it is not accepted (by that line) even if it matched another
679pattern on the line.
680A hostname or address may optionally be enclosed within
681.Ql \&[
682and
683.Ql \&]
684brackets then followed by
685.Ql \&:
686and a non-standard port number.
687.Pp
688Alternately, hostnames may be stored in a hashed form which hides host names
689and addresses should the file's contents be disclosed.
690Hashed hostnames start with a
691.Ql |
692character.
693Only one hashed hostname may appear on a single line and none of the above
694negation or wildcard operators may be applied.
695.Pp
696Bits, exponent, and modulus are taken directly from the RSA host key; they
697can be obtained, for example, from
698.Pa /etc/ssh/ssh_host_key.pub .
699The optional comment field continues to the end of the line, and is not used.
700.Pp
701Lines starting with
702.Ql #
703and empty lines are ignored as comments.
704.Pp
705When performing host authentication, authentication is accepted if any
706matching line has the proper key; either one that matches exactly or,
707if the server has presented a certificate for authentication, the key
708of the certification authority that signed the certificate.
709For a key to be trusted as a certification authority, it must use the
710.Dq @cert-authority
711marker described above.
712.Pp
713The known hosts file also provides a facility to mark keys as revoked,
714for example when it is known that the associated private key has been
715stolen.
716Revoked keys are specified by including the
717.Dq @revoked
718marker at the beginning of the key line, and are never accepted for
719authentication or as certification authorities, but instead will
720produce a warning from
721.Xr ssh 1
722when they are encountered.
723.Pp
724It is permissible (but not
725recommended) to have several lines or different host keys for the same
726names.
727This will inevitably happen when short forms of host names
728from different domains are put in the file.
729It is possible
730that the files contain conflicting information; authentication is
731accepted if valid information can be found from either file.
732.Pp
733Note that the lines in these files are typically hundreds of characters
734long, and you definitely don't want to type in the host keys by hand.
735Rather, generate them by a script,
736.Xr ssh-keyscan 1
737or by taking
738.Pa /etc/ssh/ssh_host_key.pub
739and adding the host names at the front.
740.Xr ssh-keygen 1
741also offers some basic automated editing for
742.Pa ~/.ssh/known_hosts
743including removing hosts matching a host name and converting all host
744names to their hashed representations.
745.Pp
746An example ssh_known_hosts file:
747.Bd -literal -offset 3n
748# Comments allowed at start of line
749closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
750cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
751# A hashed hostname
752|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
753AAAA1234.....=
754# A revoked key
755@revoked * ssh-rsa AAAAB5W...
756# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
757@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
758.Ed
759.Sh FILES
760.Bl -tag -width Ds -compact
|
757.It ~/.hushlogin
| 761.It Pa ~/.hushlogin
|
758This file is used to suppress printing the last login time and
759.Pa /etc/motd ,
760if
761.Cm PrintLastLog
762and
763.Cm PrintMotd ,
764respectively,
765are enabled.
766It does not suppress printing of the banner specified by
767.Cm Banner .
768.Pp
| 762This file is used to suppress printing the last login time and
763.Pa /etc/motd ,
764if
765.Cm PrintLastLog
766and
767.Cm PrintMotd ,
768respectively,
769are enabled.
770It does not suppress printing of the banner specified by
771.Cm Banner .
772.Pp
|
769.It ~/.rhosts
| 773.It Pa ~/.rhosts
|
770This file is used for host-based authentication (see
771.Xr ssh 1
772for more information).
773On some machines this file may need to be
774world-readable if the user's home directory is on an NFS partition,
775because
776.Nm
777reads it as root.
778Additionally, this file must be owned by the user,
779and must not have write permissions for anyone else.
780The recommended
781permission for most machines is read/write for the user, and not
782accessible by others.
783.Pp
| 774This file is used for host-based authentication (see
775.Xr ssh 1
776for more information).
777On some machines this file may need to be
778world-readable if the user's home directory is on an NFS partition,
779because
780.Nm
781reads it as root.
782Additionally, this file must be owned by the user,
783and must not have write permissions for anyone else.
784The recommended
785permission for most machines is read/write for the user, and not
786accessible by others.
787.Pp
|
784.It ~/.shosts
| 788.It Pa ~/.shosts
|
785This file is used in exactly the same way as
786.Pa .rhosts ,
787but allows host-based authentication without permitting login with
788rlogin/rsh.
789.Pp
| 789This file is used in exactly the same way as
790.Pa .rhosts ,
791but allows host-based authentication without permitting login with
792rlogin/rsh.
793.Pp
|
790.It ~/.ssh/
| 794.It Pa ~/.ssh/
|
791This directory is the default location for all user-specific configuration
792and authentication information.
793There is no general requirement to keep the entire contents of this directory
794secret, but the recommended permissions are read/write/execute for the user,
795and not accessible by others.
796.Pp
| 795This directory is the default location for all user-specific configuration
796and authentication information.
797There is no general requirement to keep the entire contents of this directory
798secret, but the recommended permissions are read/write/execute for the user,
799and not accessible by others.
800.Pp
|
797.It ~/.ssh/authorized_keys
798Lists the public keys (RSA/DSA) that can be used for logging in as this user.
| 801.It Pa ~/.ssh/authorized_keys
802Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
803as this user.
|
799The format of this file is described above.
800The content of the file is not highly sensitive, but the recommended
801permissions are read/write for the user, and not accessible by others.
802.Pp
803If this file, the
804.Pa ~/.ssh
805directory, or the user's home directory are writable
806by other users, then the file could be modified or replaced by unauthorized
807users.
808In this case,
809.Nm
810will not allow it to be used unless the
811.Cm StrictModes
812option has been set to
813.Dq no .
814.Pp
| 804The format of this file is described above.
805The content of the file is not highly sensitive, but the recommended
806permissions are read/write for the user, and not accessible by others.
807.Pp
808If this file, the
809.Pa ~/.ssh
810directory, or the user's home directory are writable
811by other users, then the file could be modified or replaced by unauthorized
812users.
813In this case,
814.Nm
815will not allow it to be used unless the
816.Cm StrictModes
817option has been set to
818.Dq no .
819.Pp
|
815.It ~/.ssh/environment
| 820.It Pa ~/.ssh/environment
|
816This file is read into the environment at login (if it exists).
817It can only contain empty lines, comment lines (that start with
818.Ql # ) ,
819and assignment lines of the form name=value.
820The file should be writable
821only by the user; it need not be readable by anyone else.
822Environment processing is disabled by default and is
823controlled via the
824.Cm PermitUserEnvironment
825option.
826.Pp
| 821This file is read into the environment at login (if it exists).
822It can only contain empty lines, comment lines (that start with
823.Ql # ) ,
824and assignment lines of the form name=value.
825The file should be writable
826only by the user; it need not be readable by anyone else.
827Environment processing is disabled by default and is
828controlled via the
829.Cm PermitUserEnvironment
830option.
831.Pp
|
827.It ~/.ssh/known_hosts
| 832.It Pa ~/.ssh/known_hosts
|
828Contains a list of host keys for all hosts the user has logged into
829that are not already in the systemwide list of known host keys.
830The format of this file is described above.
831This file should be writable only by root/the owner and
832can, but need not be, world-readable.
833.Pp
| 833Contains a list of host keys for all hosts the user has logged into
834that are not already in the systemwide list of known host keys.
835The format of this file is described above.
836This file should be writable only by root/the owner and
837can, but need not be, world-readable.
838.Pp
|
834.It ~/.ssh/rc
| 839.It Pa ~/.ssh/rc
|
835Contains initialization routines to be run before
836the user's home directory becomes accessible.
837This file should be writable only by the user, and need not be
838readable by anyone else.
839.Pp
| 840Contains initialization routines to be run before
841the user's home directory becomes accessible.
842This file should be writable only by the user, and need not be
843readable by anyone else.
844.Pp
|
840.It /etc/hosts.allow
841.It /etc/hosts.deny
| 845.It Pa /etc/hosts.allow
846.It Pa /etc/hosts.deny
|
842Access controls that should be enforced by tcp-wrappers are defined here.
843Further details are described in
844.Xr hosts_access 5 .
845.Pp
| 847Access controls that should be enforced by tcp-wrappers are defined here.
848Further details are described in
849.Xr hosts_access 5 .
850.Pp
|
846.It /etc/hosts.equiv
| 851.It Pa /etc/hosts.equiv
|
847This file is for host-based authentication (see
848.Xr ssh 1 ) .
849It should only be writable by root.
850.Pp
| 852This file is for host-based authentication (see
853.Xr ssh 1 ) .
854It should only be writable by root.
855.Pp
|
851.It /etc/moduli
| 856.It Pa /etc/moduli
|
852Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
853The file format is described in
854.Xr moduli 5 .
855.Pp
| 857Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
858The file format is described in
859.Xr moduli 5 .
860.Pp
|
856.It /etc/motd
| 861.It Pa /etc/motd
|
857See
858.Xr motd 5 .
859.Pp
| 862See
863.Xr motd 5 .
864.Pp
|
860.It /etc/nologin
| 865.It Pa /etc/nologin
|
861If this file exists,
862.Nm
863refuses to let anyone except root log in.
864The contents of the file
865are displayed to anyone trying to log in, and non-root connections are
866refused.
867The file should be world-readable.
868.Pp
| 866If this file exists,
867.Nm
868refuses to let anyone except root log in.
869The contents of the file
870are displayed to anyone trying to log in, and non-root connections are
871refused.
872The file should be world-readable.
873.Pp
|
869.It /etc/shosts.equiv
| 874.It Pa /etc/shosts.equiv
|
870This file is used in exactly the same way as
871.Pa hosts.equiv ,
872but allows host-based authentication without permitting login with
873rlogin/rsh.
874.Pp
| 875This file is used in exactly the same way as
876.Pa hosts.equiv ,
877but allows host-based authentication without permitting login with
878rlogin/rsh.
879.Pp
|
875.It /etc/ssh/ssh_host_key
876.It /etc/ssh/ssh_host_dsa_key
877.It /etc/ssh/ssh_host_rsa_key
| 880.It Pa /etc/ssh/ssh_host_key
881.It Pa /etc/ssh/ssh_host_dsa_key
882.It Pa /etc/ssh/ssh_host_ecdsa_key
883.It Pa /etc/ssh/ssh_host_rsa_key
|
878These three files contain the private parts of the host keys.
879These files should only be owned by root, readable only by root, and not
880accessible to others.
881Note that
882.Nm
883does not start if these files are group/world-accessible.
884.Pp
| 884These three files contain the private parts of the host keys.
885These files should only be owned by root, readable only by root, and not
886accessible to others.
887Note that
888.Nm
889does not start if these files are group/world-accessible.
890.Pp
|
885.It /etc/ssh/ssh_host_key.pub
886.It /etc/ssh/ssh_host_dsa_key.pub
887.It /etc/ssh/ssh_host_rsa_key.pub
| 891.It Pa /etc/ssh/ssh_host_key.pub
892.It Pa /etc/ssh/ssh_host_dsa_key.pub
893.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
894.It Pa /etc/ssh/ssh_host_rsa_key.pub
|
888These three files contain the public parts of the host keys.
889These files should be world-readable but writable only by
890root.
891Their contents should match the respective private parts.
892These files are not
893really used for anything; they are provided for the convenience of
894the user so their contents can be copied to known hosts files.
895These files are created using
896.Xr ssh-keygen 1 .
897.Pp
| 895These three files contain the public parts of the host keys.
896These files should be world-readable but writable only by
897root.
898Their contents should match the respective private parts.
899These files are not
900really used for anything; they are provided for the convenience of
901the user so their contents can be copied to known hosts files.
902These files are created using
903.Xr ssh-keygen 1 .
904.Pp
|
898.It /etc/ssh/ssh_known_hosts
| 905.It Pa /etc/ssh/ssh_known_hosts
|
899Systemwide list of known host keys.
900This file should be prepared by the
901system administrator to contain the public host keys of all machines in the
902organization.
903The format of this file is described above.
904This file should be writable only by root/the owner and
905should be world-readable.
906.Pp
| 906Systemwide list of known host keys.
907This file should be prepared by the
908system administrator to contain the public host keys of all machines in the
909organization.
910The format of this file is described above.
911This file should be writable only by root/the owner and
912should be world-readable.
913.Pp
|
907.It /etc/ssh/sshd_config
| 914.It Pa /etc/ssh/sshd_config
|
908Contains configuration data for
909.Nm sshd .
910The file format and configuration options are described in
911.Xr sshd_config 5 .
912.Pp
| 915Contains configuration data for
916.Nm sshd .
917The file format and configuration options are described in
918.Xr sshd_config 5 .
919.Pp
|
913.It /etc/ssh/sshrc
| 920.It Pa /etc/ssh/sshrc
|
914Similar to
915.Pa ~/.ssh/rc ,
916it can be used to specify
917machine-specific login-time initializations globally.
918This file should be writable only by root, and should be world-readable.
919.Pp
| 921Similar to
922.Pa ~/.ssh/rc ,
923it can be used to specify
924machine-specific login-time initializations globally.
925This file should be writable only by root, and should be world-readable.
926.Pp
|
920.It /var/empty
| 927.It Pa /var/empty
|
921.Xr chroot 2
922directory used by
923.Nm
924during privilege separation in the pre-authentication phase.
925The directory should not contain any files and must be owned by root
926and not group or world-writable.
927.Pp
| 928.Xr chroot 2
929directory used by
930.Nm
931during privilege separation in the pre-authentication phase.
932The directory should not contain any files and must be owned by root
933and not group or world-writable.
934.Pp
|
928.It /var/run/sshd.pid
| 935.It Pa /var/run/sshd.pid
|
929Contains the process ID of the
930.Nm
931listening for connections (if there are several daemons running
932concurrently for different ports, this contains the process ID of the one
933started last).
934The content of this file is not sensitive; it can be world-readable.
935.El
936.Sh SEE ALSO
937.Xr scp 1 ,
938.Xr sftp 1 ,
939.Xr ssh 1 ,
940.Xr ssh-add 1 ,
941.Xr ssh-agent 1 ,
942.Xr ssh-keygen 1 ,
943.Xr ssh-keyscan 1 ,
944.Xr chroot 2 ,
945.Xr hosts_access 5 ,
946.Xr login.conf 5 ,
947.Xr moduli 5 ,
948.Xr sshd_config 5 ,
949.Xr inetd 8 ,
950.Xr sftp-server 8
951.Sh AUTHORS
952OpenSSH is a derivative of the original and free
953ssh 1.2.12 release by Tatu Ylonen.
954Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
955Theo de Raadt and Dug Song
956removed many bugs, re-added newer features and
957created OpenSSH.
958Markus Friedl contributed the support for SSH
959protocol versions 1.5 and 2.0.
960Niels Provos and Markus Friedl contributed support
961for privilege separation.
962.Sh CAVEATS
963System security is not improved unless
964.Nm rshd ,
965.Nm rlogind ,
966and
967.Nm rexecd
968are disabled (thus completely disabling
969.Xr rlogin
970and
971.Xr rsh
972into the machine).
| 936Contains the process ID of the
937.Nm
938listening for connections (if there are several daemons running
939concurrently for different ports, this contains the process ID of the one
940started last).
941The content of this file is not sensitive; it can be world-readable.
942.El
943.Sh SEE ALSO
944.Xr scp 1 ,
945.Xr sftp 1 ,
946.Xr ssh 1 ,
947.Xr ssh-add 1 ,
948.Xr ssh-agent 1 ,
949.Xr ssh-keygen 1 ,
950.Xr ssh-keyscan 1 ,
951.Xr chroot 2 ,
952.Xr hosts_access 5 ,
953.Xr login.conf 5 ,
954.Xr moduli 5 ,
955.Xr sshd_config 5 ,
956.Xr inetd 8 ,
957.Xr sftp-server 8
958.Sh AUTHORS
959OpenSSH is a derivative of the original and free
960ssh 1.2.12 release by Tatu Ylonen.
961Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
962Theo de Raadt and Dug Song
963removed many bugs, re-added newer features and
964created OpenSSH.
965Markus Friedl contributed the support for SSH
966protocol versions 1.5 and 2.0.
967Niels Provos and Markus Friedl contributed support
968for privilege separation.
969.Sh CAVEATS
970System security is not improved unless
971.Nm rshd ,
972.Nm rlogind ,
973and
974.Nm rexecd
975are disabled (thus completely disabling
976.Xr rlogin
977and
978.Xr rsh
979into the machine).
|