.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
--- 19 unchanged lines hidden ---
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $
.\" $FreeBSD: head/crypto/openssh/sshd.8 221420 2011-05-04 07:34:44Z des $
.Dd October 28, 2010
.Dt SSHD 8
.Os
.Sh NAME
.Nm sshd
.Nd OpenSSH SSH daemon
.Sh SYNOPSIS
.Nm sshd
.Bk -words
--- 118 unchanged lines hidden ---
Specifies a file from which a host key is read.
This option must be given if
.Nm
is not run as root (as the normal
host key files are not readable by anyone but root).
The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
.Pa /etc/ssh/ssh_host_ecdsa_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
It is possible to have multiple host key files for
the different protocol versions and host key algorithms.
.It Fl i
Specifies that
.Nm
is being run from
.Xr inetd 8 .
--- 86 unchanged lines hidden ---
.El
.Sh AUTHENTICATION
The OpenSSH SSH daemon supports SSH protocols 1 and 2.
The default is to use protocol 2 only,
though this can be changed via the
.Cm Protocol
option in
.Xr sshd_config 5 .
Protocol 2 supports DSA, ECDSA and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
each host has a host-specific key,
normally 2048 bits for RSA,
used to identify the host.
.Pp
Forward security for protocol 1 is provided through
an additional server key,
--- 193 unchanged lines hidden ---
The options field is optional;
its presence is determined by whether the line starts
with a number or not (the options field never starts with a number).
The bits, exponent, modulus, and comment fields give the RSA key for
protocol version 1; the
comment field is not used for anything (but may be convenient for the
user to identify the key).
For protocol version 2 the keytype is
.Dq ecdsa-sha2-nistp256 ,
.Dq ecdsa-sha2-nistp384 ,
.Dq ecdsa-sha2-nistp521 ,
.Dq ssh-dss
or
.Dq ssh-rsa .
.Pp
Note that lines in this file are usually several hundred bytes long
(because of the size of the public key encoding) up to a limit of
8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
keys up to 16 kilobits.
You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub ,
.Pa id_ecdsa.pub ,
or the
.Pa id_rsa.pub
file and edit it.
.Pp
.Nm
enforces a minimum RSA key modulus size for protocol 1
and protocol 2 keys of 768 bits.
.Pp
--- 241 unchanged lines hidden ---
AAAA1234.....=
# A revoked key
@revoked * ssh-rsa AAAAB5W...
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
.Ed
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
This file is used to suppress printing the last login time and
.Pa /etc/motd ,
if
.Cm PrintLastLog
and
.Cm PrintMotd ,
respectively,
are enabled.
It does not suppress printing of the banner specified by
.Cm Banner .
.Pp
.It Pa ~/.rhosts
This file is used for host-based authentication (see
.Xr ssh 1
for more information).
On some machines this file may need to be
world-readable if the user's home directory is on an NFS partition,
because
.Nm
reads it as root.
Additionally, this file must be owned by the user,
and must not have write permissions for anyone else.
The recommended
permission for most machines is read/write for the user, and not
accessible by others.
.Pp
.It Pa ~/.shosts
This file is used in exactly the same way as
.Pa .rhosts ,
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
.It Pa ~/.ssh/
This directory is the default location for all user-specific configuration
and authentication information.
There is no general requirement to keep the entire contents of this directory
secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
as this user.
The format of this file is described above.
The content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.Pp
If this file, the
.Pa ~/.ssh
directory, or the user's home directory are writable
by other users, then the file could be modified or replaced by unauthorized
users.
In this case,
.Nm
will not allow it to be used unless the
.Cm StrictModes
option has been set to
.Dq no .
.Pp
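What follows is an added example, not part of OpenSSH, that reads lines in
the format described above: an optional options field ending at the first
whitespace outside double quotes, then either a protocol 1 key (bits,
exponent, modulus, comment) or a protocol 2 key (keytype, base64 blob,
comment).
It checks that the key type inside the base64 blob agrees with the keytype
field and applies the 768-bit minimum RSA modulus size and the 8 kilobyte
line limit stated above.
The key lines it constructs use synthetic moduli and are not real keys;
the function names are the example's own.

```python
"""Parse and check sshd authorized_keys lines (added example, not OpenSSH
code; the constructed key lines use synthetic moduli and are NOT real keys)."""
import base64
import struct

MIN_RSA_BITS = 768          # minimum RSA modulus size sshd enforces
MAX_LINE_BYTES = 8 * 1024   # line-length limit stated in the man page
PROTO2_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_options(line):
    """Options end at the first space/tab outside double quotes; an escaped
    quote (\\") does not close the string, so command="echo a, b" is one field."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and line[i + 1:i + 2] == '"':
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in " \t" and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip(" \t")


def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x):
    """SSH wire 'mpint' for x >= 0 (leading zero byte if the top bit is set)."""
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))


def read_string(blob, off):
    """Read one SSH wire string at blob[off]; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_line(line):
    """None for blank/comment lines, a dict for a key, ValueError for a line
    sshd would reject (bad format, type mismatch, modulus under 768 bits)."""
    if len(line.encode()) > MAX_LINE_BYTES:
        raise ValueError("line longer than 8 kilobytes")
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    first = line.split(None, 1)[0]
    # The options field never starts with a digit, so a line starting with
    # neither a digit nor a protocol 2 key type carries options.
    if not first[0].isdigit() and first not in PROTO2_TYPES:
        options, line = split_options(line)
    parts = line.split(None, 3)
    if parts and parts[0].isdigit():            # protocol 1: bits e n [comment]
        if len(parts) < 3:
            raise ValueError("protocol 1 line needs bits, exponent and modulus")
        bits = int(parts[2]).bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError("RSA modulus below %d bits" % MIN_RSA_BITS)
        return {"proto": 1, "type": "ssh-rsa1", "bits": bits, "options": options,
                "comment": parts[3] if len(parts) > 3 else ""}
    parts = line.split(None, 2)                 # protocol 2: type blob [comment]
    if len(parts) < 2 or parts[0] not in PROTO2_TYPES:
        raise ValueError("unknown key type or missing key blob")
    keytype = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, off = read_string(blob, 0)
    if wire_type != keytype.encode():           # blob must agree with the type field
        raise ValueError("key type field does not match the key blob")
    bits = None
    if keytype == "ssh-rsa":                    # blob: "ssh-rsa", mpint e, mpint n
        _e, off = read_string(blob, off)
        n_bytes, _ = read_string(blob, off)
        bits = int.from_bytes(n_bytes, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError("RSA modulus below %d bits" % MIN_RSA_BITS)
    return {"proto": 2, "type": keytype, "bits": bits, "options": options,
            "comment": parts[2] if len(parts) > 2 else ""}


def rejects(line):
    """True if parse_line refuses the line the way sshd would."""
    try:
        parse_line(line)
        return False
    except ValueError:
        return True


def make_rsa_line(bits, comment="", options=""):
    """Constructed protocol 2 ssh-rsa line with a synthetic modulus of the
    given size (NOT a real key; only the encoding is meaningful)."""
    n = (1 << (bits - 1)) | 1
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")
    return options + " " + line if options else line
```

Lines sshd would refuse raise ValueError, so feeding an existing file to
parse_line line by line is a quick pre-deployment audit for undersized RSA
keys and malformed entries.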
.It Pa ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
.Ql # ) ,
and assignment lines of the form name=value.
The file should be writable
only by the user; it need not be readable by anyone else.
Environment processing is disabled by default and is
controlled via the
.Cm PermitUserEnvironment
option.
.Pp
.It Pa ~/.ssh/known_hosts
Contains a list of host keys for all hosts the user has logged into
that are not already in the systemwide list of known host keys.
The format of this file is described above.
This file should be writable only by root/the owner and
can, but need not be, world-readable.
.Pp
.It Pa ~/.ssh/rc
Contains initialization routines to be run before
the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
.It Pa /etc/hosts.allow
.It Pa /etc/hosts.deny
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
The file format is described in
.Xr moduli 5 .
.Pp
.It Pa /etc/motd
See
.Xr motd 5 .
.Pp
.It Pa /etc/nologin
If this file exists,
.Nm
refuses to let anyone except root log in.
The contents of the file
are displayed to anyone trying to log in, and non-root connections are
refused.
The file should be world-readable.
.Pp
.It Pa /etc/shosts.equiv
This file is used in exactly the same way as
.Pa hosts.equiv ,
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys.
They should be owned by root, readable only by root, and not
accessible to others.
Note that
.Nm
does not start if these files are group/world-accessible.
.Pp
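The following added example (not OpenSSH code) applies two rules from this
section: the
.Cm StrictModes
check described under
.Pa ~/.ssh/authorized_keys
above, which walks from the file up through
.Pa ~/.ssh
to the home directory and requires each to be owned by the user or root and
not group/world writable, and the rule in this entry that a host private key
must not be group/world accessible at all.
It builds a throw-away directory tree with Python's tempfile module so it
runs without privileges; the fixture paths and function names are the
example's own.
It passes the current user's uid as the acceptable host key owner only so
the mode check can be exercised on a fixture the user owns; on a real
system the owner must be root.

```python
"""Check the ownership/mode rules stated for authorized_keys (StrictModes)
and for host private keys.  Added example, not OpenSSH code; it builds a
throw-away directory tree so it runs offline on any POSIX system."""
import os
import shutil
import stat
import tempfile

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH   # 0o022: what StrictModes forbids
GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO     # 0o077: what host keys must not have


def check_owner_and_mode(path, uid, forbidden_bits):
    """None if path is owned by uid or root and has none of forbidden_bits set;
    otherwise a string describing the problem."""
    st = os.lstat(path)
    if st.st_uid not in (uid, 0):
        return "%s: owned by uid %d, not the user or root" % (path, st.st_uid)
    bad = st.st_mode & forbidden_bits
    if bad:
        return "%s: mode %04o has forbidden bits %04o" % (path, stat.S_IMODE(st.st_mode), bad)
    return None


def strict_modes(home, path, uid):
    """StrictModes walk: the file and every directory from it up to and
    including the home directory must be owned by the user or root and must
    not be group/world writable.  Returns the list of problems (empty = OK)."""
    home, cur = os.path.realpath(home), os.path.realpath(path)
    problems = []
    while True:
        err = check_owner_and_mode(cur, uid, GROUP_OTHER_WRITE)
        if err:
            problems.append(err)
        parent = os.path.dirname(cur)
        if cur == home or parent == cur:     # reached home (or the filesystem root)
            break
        cur = parent
    return problems


def host_key_usable(path, owner_uid=0):
    """sshd does not start if a host private key is group/world accessible.
    The owner must be root; owner_uid is a parameter only so the demo can
    run unprivileged on a fixture it owns."""
    return check_owner_and_mode(path, owner_uid, GROUP_OTHER_ANY) is None


def build_fixture(ssh_dir_mode=0o700, key_mode=0o600, hostkey_mode=0o600):
    """Constructed fixture: <tmp>/home/.ssh/authorized_keys plus a fake host
    key file.  Returns (home, authorized_keys, host_key)."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    ak = os.path.join(ssh_dir, "authorized_keys")
    hk = os.path.join(root, "ssh_host_rsa_key")
    for p in (ak, hk):
        with open(p, "w") as f:
            f.write("# placeholder, not a real key\n")
    os.chmod(home, 0o755)          # a readable home is fine; only write bits matter
    os.chmod(ssh_dir, ssh_dir_mode)
    os.chmod(ak, key_mode)
    os.chmod(hk, hostkey_mode)
    return home, ak, hk


def demo():
    """Apply both checks to a correctly set up fixture and to one with a
    world-writable ~/.ssh and a world-readable host key; clean up after."""
    uid = os.getuid()
    home, ak, hk = build_fixture()
    bad_home, bad_ak, bad_hk = build_fixture(ssh_dir_mode=0o777, hostkey_mode=0o644)
    results = {
        "good_strict": strict_modes(home, ak, uid),
        "bad_strict": strict_modes(bad_home, bad_ak, uid),
        "good_hostkey": host_key_usable(hk, uid),
        "bad_hostkey": host_key_usable(bad_hk, uid),
    }
    shutil.rmtree(os.path.dirname(home))
    shutil.rmtree(os.path.dirname(bad_home))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the file reports an empty problem list and a usable host key for
the correct fixture, one problem naming the world-writable
.Pa .ssh
directory for the bad one, and an unusable host key for the 0644 file.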
.It Pa /etc/ssh/ssh_host_key.pub
.It Pa /etc/ssh/ssh_host_dsa_key.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
.It Pa /etc/ssh/ssh_host_rsa_key.pub
These files contain the public parts of the host keys.
They should be world-readable but writable only by
root.
Their contents should match the respective private parts.
These files are not
really used for anything; they are provided for the convenience of
the user so their contents can be copied to known hosts files.
These files are created using
.Xr ssh-keygen 1 .
.Pp
.It Pa /etc/ssh/ssh_known_hosts
Systemwide list of known host keys.
This file should be prepared by the
system administrator to contain the public host keys of all machines in the
organization.
The format of this file is described above.
This file should be writable only by root/the owner and
should be world-readable.
.Pp
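The following added example (not OpenSSH code) reads a known hosts file
containing the
.Dq @revoked
and
.Dq @cert-authority
markers shown in the example above and decides how a key offered by a
given host should be treated.
Host patterns are comma-separated, with * and ? as wildcards and a leading
! negating a pattern; a key listed on a matching
.Dq @revoked
line is refused even when another line would accept it.
The sample file is constructed and its key blobs are placeholders, not
real keys; hashed host names are not handled.

```python
"""Interpret known_hosts lines, including the @revoked and @cert-authority
markers.  Added example, not OpenSSH code.  SAMPLE is a constructed file
whose key blobs are placeholders, not real keys; hashed host names are
not handled."""

MARKERS = ("@revoked", "@cert-authority")

# Constructed sample known_hosts file (placeholder blobs, not real keys).
SAMPLE = """\
# plain entries: host names/addresses, key type, key blob, optional comment
closenet,192.0.2.53 ssh-rsa AAAAB3NzaCLOSENET closenet host key
[git.example.org]:2222 ssh-rsa AAAAB3NzaGIT
old.mydomain.org ssh-rsa AAAAB3NzaREVOKED
# A revoked key: refused for every host, even though the line above lists it
@revoked * ssh-rsa AAAAB3NzaREVOKED
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB3NzaCA
# negated pattern: all of *.mydomain.com except the internal subdomain
!*.internal.mydomain.com,*.mydomain.com ssh-rsa AAAAB3NzaEDGE
"""


def parse_known_hosts(text):
    """One dict per key line: marker, host patterns, key type, key, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            fields = line.split(None, 1)
            marker, line = fields[0], (fields[1] if len(fields) > 1 else "")
            if marker not in MARKERS:
                raise ValueError("line %d: unknown marker %s" % (lineno, marker))
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError("line %d: expected host patterns, key type and key" % lineno)
        entries.append({"marker": marker, "patterns": parts[0].split(","),
                        "type": parts[1], "key": parts[2],
                        "comment": parts[3] if len(parts) > 3 else ""})
    return entries


def glob_match(pattern, text):
    """Case-insensitive match where '*' matches any run of characters and
    '?' exactly one; everything else (including [ ] : .) is literal, which
    keeps [host]:port entries intact."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(glob_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if not text:
        return False
    if pattern[0] != "?" and pattern[0].lower() != text[0].lower():
        return False
    return glob_match(pattern[1:], text[1:])


def host_matches(patterns, host):
    """Pattern-list semantics: a match on any '!' pattern rejects the host;
    otherwise some non-negated pattern must match."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if glob_match(p[1:], host):
                return False
        elif glob_match(p, host):
            matched = True
    return matched


def classify(entries, host, keytype, key):
    """How known_hosts treats `key` offered by `host`: 'revoked' if any
    matching @revoked line lists it (this wins over every other line), 'ca'
    for a certificate authority, 'host' for a plain host key, None if unknown."""
    verdict = None
    for e in entries:
        if e["type"] != keytype or e["key"] != key:
            continue
        if not host_matches(e["patterns"], host):
            continue
        if e["marker"] == "@revoked":
            return "revoked"
        verdict = verdict or ("ca" if e["marker"] == "@cert-authority" else "host")
    return verdict


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE)
    for h, k in (("closenet", "AAAAB3NzaCLOSENET"), ("old.mydomain.org", "AAAAB3NzaREVOKED"),
                 ("www.mydomain.org", "AAAAB3NzaCA"), ("db.internal.mydomain.com", "AAAAB3NzaEDGE")):
        print(h, classify(known, h, "ssh-rsa", k))
```

The revocation check is deliberately evaluated over the whole file rather
than stopping at the first match, because the whole point of an
.Dq @revoked
line is to override an older entry that still lists the key.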
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
The file format and configuration options are described in
.Xr sshd_config 5 .
.Pp
.It Pa /etc/ssh/sshrc
Similar to
.Pa ~/.ssh/rc ,
it can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.
.Pp
.It Pa /var/empty
.Xr chroot 2
directory used by
.Nm
during privilege separation in the pre-authentication phase.
The directory should not contain any files and must be owned by root
and not group or world-writable.
.Pp
.It Pa /var/run/sshd.pid
Contains the process ID of the
.Nm
listening for connections (if there are several daemons running
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
.Sh SEE ALSO
--- 36 unchanged lines hidden ---