sshd.8 (215116) sshd.8 (221420)
1.\" -*- nroff -*-
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is

--- 19 unchanged lines hidden (view full) ---

29.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\"
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\" All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose. Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is

--- 19 unchanged lines hidden (view full) ---

28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
37.\" $OpenBSD: sshd.8,v 1.257 2010/08/04 05:37:01 djm Exp $
38.\" $FreeBSD: head/crypto/openssh/sshd.8 215116 2010-11-11 11:46:19Z des $
39.Dd August 4, 2010
36.\" $OpenBSD: sshd.8,v 1.260 2010/10/28 18:33:28 jmc Exp $
37.\" $FreeBSD: head/crypto/openssh/sshd.8 221420 2011-05-04 07:34:44Z des $
38.Dd October 28, 2010
40.Dt SSHD 8
41.Os
42.Sh NAME
43.Nm sshd
44.Nd OpenSSH SSH daemon
45.Sh SYNOPSIS
46.Nm sshd
47.Bk -words
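Review bot: no issue in this hunk; the new `.Dd October 28, 2010` agrees with the refreshed `$OpenBSD: sshd.8,v 1.260 2010/10/28` id tag, and the only other change is dropping the empty `.\"` comment line at old line 36, which accounts for the one-line shift in line numbers in every later hunk.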

--- 118 unchanged lines hidden (view full) ---

166Specifies a file from which a host key is read.
167This option must be given if
168.Nm
169is not run as root (as the normal
170host key files are normally not readable by anyone but root).
171The default is
172.Pa /etc/ssh/ssh_host_key
173for protocol version 1, and
39.Dt SSHD 8
40.Os
41.Sh NAME
42.Nm sshd
43.Nd OpenSSH SSH daemon
44.Sh SYNOPSIS
45.Nm sshd
46.Bk -words

--- 118 unchanged lines hidden (view full) ---

165Specifies a file from which a host key is read.
166This option must be given if
167.Nm
168is not run as root (as the normal
169host key files are normally not readable by anyone but root).
170The default is
171.Pa /etc/ssh/ssh_host_key
172for protocol version 1, and
174.Pa /etc/ssh/ssh_host_rsa_key
173.Pa /etc/ssh/ssh_host_dsa_key ,
174.Pa /etc/ssh/ssh_host_ecdsa_key
175and
175and
176.Pa /etc/ssh/ssh_host_dsa_key
176.Pa /etc/ssh/ssh_host_rsa_key
177for protocol version 2.
178It is possible to have multiple host key files for
179the different protocol versions and host key algorithms.
180.It Fl i
181Specifies that
182.Nm
183is being run from
184.Xr inetd 8 .
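Review bot: the `-h` default list now reads `/etc/ssh/ssh_host_dsa_key`, `/etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_rsa_key`, switching from the old rsa-then-dsa order to alphabetical order; worth cross-checking against the `HostKey` defaults documented in `sshd_config(5)` so both pages name the same files in the same order, and keeping this order consistent with the FILES section later in this diff.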

--- 86 unchanged lines hidden (view full) ---

271.El
272.Sh AUTHENTICATION
273The OpenSSH SSH daemon supports SSH protocols 1 and 2.
274The default is to use protocol 2 only,
275though this can be changed via the
276.Cm Protocol
277option in
278.Xr sshd_config 5 .
177for protocol version 2.
178It is possible to have multiple host key files for
179the different protocol versions and host key algorithms.
180.It Fl i
181Specifies that
182.Nm
183is being run from
184.Xr inetd 8 .

--- 86 unchanged lines hidden (view full) ---

271.El
272.Sh AUTHENTICATION
273The OpenSSH SSH daemon supports SSH protocols 1 and 2.
274The default is to use protocol 2 only,
275though this can be changed via the
276.Cm Protocol
277option in
278.Xr sshd_config 5 .
279Protocol 2 supports both RSA and DSA keys;
279Protocol 2 supports DSA, ECDSA and RSA keys;
280protocol 1 only supports RSA keys.
281For both protocols,
282each host has a host-specific key,
283normally 2048 bits,
284used to identify the host.
285.Pp
286Forward security for protocol 1 is provided through
287an additional server key,
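Review bot: changing the sentence to `Protocol 2 supports DSA, ECDSA and RSA keys` leaves the unchanged sentence that follows, `each host has a host-specific key, normally 2048 bits`, inaccurate for ECDSA host keys, whose sizes are 256, 384 or 521 bits (the `ecdsa-sha2-nistp256`, `-nistp384` and `-nistp521` key types introduced later in this diff); suggest qualifying the size (for example `normally 2048 bits for RSA`) or dropping it.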

--- 193 unchanged lines hidden (view full) ---

481The options field is optional;
482its presence is determined by whether the line starts
483with a number or not (the options field never starts with a number).
484The bits, exponent, modulus, and comment fields give the RSA key for
485protocol version 1; the
486comment field is not used for anything (but may be convenient for the
487user to identify the key).
488For protocol version 2 the keytype is
280protocol 1 only supports RSA keys.
281For both protocols,
282each host has a host-specific key,
283normally 2048 bits,
284used to identify the host.
285.Pp
286Forward security for protocol 1 is provided through
287an additional server key,

--- 193 unchanged lines hidden (view full) ---

481The options field is optional;
482its presence is determined by whether the line starts
483with a number or not (the options field never starts with a number).
484The bits, exponent, modulus, and comment fields give the RSA key for
485protocol version 1; the
486comment field is not used for anything (but may be convenient for the
487user to identify the key).
488For protocol version 2 the keytype is
489.Dq ecdsa-sha2-nistp256 ,
490.Dq ecdsa-sha2-nistp384 ,
491.Dq ecdsa-sha2-nistp521 ,
489.Dq ssh-dss
490or
491.Dq ssh-rsa .
492.Pp
493Note that lines in this file are usually several hundred bytes long
494(because of the size of the public key encoding) up to a limit of
4958 kilobytes, which permits DSA keys up to 8 kilobits and RSA
496keys up to 16 kilobits.
497You don't want to type them in; instead, copy the
498.Pa identity.pub ,
499.Pa id_dsa.pub ,
492.Dq ssh-dss
493or
494.Dq ssh-rsa .
495.Pp
496Note that lines in this file are usually several hundred bytes long
497(because of the size of the public key encoding) up to a limit of
4988 kilobytes, which permits DSA keys up to 8 kilobits and RSA
499keys up to 16 kilobits.
500You don't want to type them in; instead, copy the
501.Pa identity.pub ,
502.Pa id_dsa.pub ,
503.Pa id_ecdsa.pub ,
500or the
501.Pa id_rsa.pub
502file and edit it.
503.Pp
504.Nm
505enforces a minimum RSA key modulus size for protocol 1
506and protocol 2 keys of 768 bits.
507.Pp
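Review bot: no blocking issue in this hunk; the five `.Dq` keytype entries and the `.Pa` list of `identity.pub`, `id_dsa.pub`, `id_ecdsa.pub` and `id_rsa.pub` are both in alphabetical order and render as `A, B, C, D or E`, matching the `DSA, ECDSA and RSA` style used elsewhere in this change. The unchanged note that the 8 kilobyte line limit `permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits` says nothing about ECDSA; that is acceptable because the three nistp key types are fixed-size, but a short clause saying so would save the reader the question.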

--- 241 unchanged lines hidden (view full) ---

749AAAA1234.....=
750# A revoked key
751@revoked * ssh-rsa AAAAB5W...
752# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
753@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
754.Ed
755.Sh FILES
756.Bl -tag -width Ds -compact
504or the
505.Pa id_rsa.pub
506file and edit it.
507.Pp
508.Nm
509enforces a minimum RSA key modulus size for protocol 1
510and protocol 2 keys of 768 bits.
511.Pp

--- 241 unchanged lines hidden (view full) ---

753AAAA1234.....=
754# A revoked key
755@revoked * ssh-rsa AAAAB5W...
756# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
757@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
758.Ed
759.Sh FILES
760.Bl -tag -width Ds -compact
757.It ~/.hushlogin
761.It Pa ~/.hushlogin
758This file is used to suppress printing the last login time and
759.Pa /etc/motd ,
760if
761.Cm PrintLastLog
762and
763.Cm PrintMotd ,
764respectively,
765are enabled.
766It does not suppress printing of the banner specified by
767.Cm Banner .
768.Pp
762This file is used to suppress printing the last login time and
763.Pa /etc/motd ,
764if
765.Cm PrintLastLog
766and
767.Cm PrintMotd ,
768respectively,
769are enabled.
770It does not suppress printing of the banner specified by
771.Cm Banner .
772.Pp
769.It ~/.rhosts
773.It Pa ~/.rhosts
770This file is used for host-based authentication (see
771.Xr ssh 1
772for more information).
773On some machines this file may need to be
774world-readable if the user's home directory is on an NFS partition,
775because
776.Nm
777reads it as root.
778Additionally, this file must be owned by the user,
779and must not have write permissions for anyone else.
780The recommended
781permission for most machines is read/write for the user, and not
782accessible by others.
783.Pp
774This file is used for host-based authentication (see
775.Xr ssh 1
776for more information).
777On some machines this file may need to be
778world-readable if the user's home directory is on an NFS partition,
779because
780.Nm
781reads it as root.
782Additionally, this file must be owned by the user,
783and must not have write permissions for anyone else.
784The recommended
785permission for most machines is read/write for the user, and not
786accessible by others.
787.Pp
784.It ~/.shosts
788.It Pa ~/.shosts
785This file is used in exactly the same way as
786.Pa .rhosts ,
787but allows host-based authentication without permitting login with
788rlogin/rsh.
789.Pp
789This file is used in exactly the same way as
790.Pa .rhosts ,
791but allows host-based authentication without permitting login with
792rlogin/rsh.
793.Pp
790.It ~/.ssh/
794.It Pa ~/.ssh/
791This directory is the default location for all user-specific configuration
792and authentication information.
793There is no general requirement to keep the entire contents of this directory
794secret, but the recommended permissions are read/write/execute for the user,
795and not accessible by others.
796.Pp
795This directory is the default location for all user-specific configuration
796and authentication information.
797There is no general requirement to keep the entire contents of this directory
798secret, but the recommended permissions are read/write/execute for the user,
799and not accessible by others.
800.Pp
797.It ~/.ssh/authorized_keys
798Lists the public keys (RSA/DSA) that can be used for logging in as this user.
801.It Pa ~/.ssh/authorized_keys
802Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
803as this user.
799The format of this file is described above.
800The content of the file is not highly sensitive, but the recommended
801permissions are read/write for the user, and not accessible by others.
802.Pp
803If this file, the
804.Pa ~/.ssh
805directory, or the user's home directory are writable
806by other users, then the file could be modified or replaced by unauthorized
807users.
808In this case,
809.Nm
810will not allow it to be used unless the
811.Cm StrictModes
812option has been set to
813.Dq no .
814.Pp
804The format of this file is described above.
805The content of the file is not highly sensitive, but the recommended
806permissions are read/write for the user, and not accessible by others.
807.Pp
808If this file, the
809.Pa ~/.ssh
810directory, or the user's home directory are writable
811by other users, then the file could be modified or replaced by unauthorized
812users.
813In this case,
814.Nm
815will not allow it to be used unless the
816.Cm StrictModes
817option has been set to
818.Dq no .
819.Pp
815.It ~/.ssh/environment
820.It Pa ~/.ssh/environment
816This file is read into the environment at login (if it exists).
817It can only contain empty lines, comment lines (that start with
818.Ql # ) ,
819and assignment lines of the form name=value.
820The file should be writable
821only by the user; it need not be readable by anyone else.
822Environment processing is disabled by default and is
823controlled via the
824.Cm PermitUserEnvironment
825option.
826.Pp
821This file is read into the environment at login (if it exists).
822It can only contain empty lines, comment lines (that start with
823.Ql # ) ,
824and assignment lines of the form name=value.
825The file should be writable
826only by the user; it need not be readable by anyone else.
827Environment processing is disabled by default and is
828controlled via the
829.Cm PermitUserEnvironment
830option.
831.Pp
827.It ~/.ssh/known_hosts
832.It Pa ~/.ssh/known_hosts
828Contains a list of host keys for all hosts the user has logged into
829that are not already in the systemwide list of known host keys.
830The format of this file is described above.
831This file should be writable only by root/the owner and
832can, but need not be, world-readable.
833.Pp
833Contains a list of host keys for all hosts the user has logged into
834that are not already in the systemwide list of known host keys.
835The format of this file is described above.
836This file should be writable only by root/the owner and
837can, but need not be, world-readable.
838.Pp
834.It ~/.ssh/rc
839.It Pa ~/.ssh/rc
835Contains initialization routines to be run before
836the user's home directory becomes accessible.
837This file should be writable only by the user, and need not be
838readable by anyone else.
839.Pp
840Contains initialization routines to be run before
841the user's home directory becomes accessible.
842This file should be writable only by the user, and need not be
843readable by anyone else.
844.Pp
840.It /etc/hosts.allow
841.It /etc/hosts.deny
845.It Pa /etc/hosts.allow
846.It Pa /etc/hosts.deny
842Access controls that should be enforced by tcp-wrappers are defined here.
843Further details are described in
844.Xr hosts_access 5 .
845.Pp
847Access controls that should be enforced by tcp-wrappers are defined here.
848Further details are described in
849.Xr hosts_access 5 .
850.Pp
846.It /etc/hosts.equiv
851.It Pa /etc/hosts.equiv
847This file is for host-based authentication (see
848.Xr ssh 1 ) .
849It should only be writable by root.
850.Pp
852This file is for host-based authentication (see
853.Xr ssh 1 ) .
854It should only be writable by root.
855.Pp
851.It /etc/moduli
856.It Pa /etc/moduli
852Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
853The file format is described in
854.Xr moduli 5 .
855.Pp
857Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
858The file format is described in
859.Xr moduli 5 .
860.Pp
856.It /etc/motd
861.It Pa /etc/motd
857See
858.Xr motd 5 .
859.Pp
862See
863.Xr motd 5 .
864.Pp
860.It /etc/nologin
865.It Pa /etc/nologin
861If this file exists,
862.Nm
863refuses to let anyone except root log in.
864The contents of the file
865are displayed to anyone trying to log in, and non-root connections are
866refused.
867The file should be world-readable.
868.Pp
866If this file exists,
867.Nm
868refuses to let anyone except root log in.
869The contents of the file
870are displayed to anyone trying to log in, and non-root connections are
871refused.
872The file should be world-readable.
873.Pp
869.It /etc/shosts.equiv
874.It Pa /etc/shosts.equiv
870This file is used in exactly the same way as
871.Pa hosts.equiv ,
872but allows host-based authentication without permitting login with
873rlogin/rsh.
874.Pp
875This file is used in exactly the same way as
876.Pa hosts.equiv ,
877but allows host-based authentication without permitting login with
878rlogin/rsh.
879.Pp
875.It /etc/ssh/ssh_host_key
876.It /etc/ssh/ssh_host_dsa_key
877.It /etc/ssh/ssh_host_rsa_key
880.It Pa /etc/ssh/ssh_host_key
881.It Pa /etc/ssh/ssh_host_dsa_key
882.It Pa /etc/ssh/ssh_host_ecdsa_key
883.It Pa /etc/ssh/ssh_host_rsa_key
878These three files contain the private parts of the host keys.
879These files should only be owned by root, readable only by root, and not
880accessible to others.
881Note that
882.Nm
883does not start if these files are group/world-accessible.
884.Pp
884These three files contain the private parts of the host keys.
885These files should only be owned by root, readable only by root, and not
886accessible to others.
887Note that
888.Nm
889does not start if these files are group/world-accessible.
890.Pp
885.It /etc/ssh/ssh_host_key.pub
886.It /etc/ssh/ssh_host_dsa_key.pub
887.It /etc/ssh/ssh_host_rsa_key.pub
891.It Pa /etc/ssh/ssh_host_key.pub
892.It Pa /etc/ssh/ssh_host_dsa_key.pub
893.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
894.It Pa /etc/ssh/ssh_host_rsa_key.pub
888These three files contain the public parts of the host keys.
889These files should be world-readable but writable only by
890root.
891Their contents should match the respective private parts.
892These files are not
893really used for anything; they are provided for the convenience of
894the user so their contents can be copied to known hosts files.
895These files are created using
896.Xr ssh-keygen 1 .
897.Pp
895These three files contain the public parts of the host keys.
896These files should be world-readable but writable only by
897root.
898Their contents should match the respective private parts.
899These files are not
900really used for anything; they are provided for the convenience of
901the user so their contents can be copied to known hosts files.
902These files are created using
903.Xr ssh-keygen 1 .
904.Pp
898.It /etc/ssh/ssh_known_hosts
905.It Pa /etc/ssh/ssh_known_hosts
899Systemwide list of known host keys.
900This file should be prepared by the
901system administrator to contain the public host keys of all machines in the
902organization.
903The format of this file is described above.
904This file should be writable only by root/the owner and
905should be world-readable.
906.Pp
906Systemwide list of known host keys.
907This file should be prepared by the
908system administrator to contain the public host keys of all machines in the
909organization.
910The format of this file is described above.
911This file should be writable only by root/the owner and
912should be world-readable.
913.Pp
907.It /etc/ssh/sshd_config
914.It Pa /etc/ssh/sshd_config
908Contains configuration data for
909.Nm sshd .
910The file format and configuration options are described in
911.Xr sshd_config 5 .
912.Pp
915Contains configuration data for
916.Nm sshd .
917The file format and configuration options are described in
918.Xr sshd_config 5 .
919.Pp
913.It /etc/ssh/sshrc
920.It Pa /etc/ssh/sshrc
914Similar to
915.Pa ~/.ssh/rc ,
916it can be used to specify
917machine-specific login-time initializations globally.
918This file should be writable only by root, and should be world-readable.
919.Pp
921Similar to
922.Pa ~/.ssh/rc ,
923it can be used to specify
924machine-specific login-time initializations globally.
925This file should be writable only by root, and should be world-readable.
926.Pp
920.It /var/empty
927.It Pa /var/empty
921.Xr chroot 2
922directory used by
923.Nm
924during privilege separation in the pre-authentication phase.
925The directory should not contain any files and must be owned by root
926and not group or world-writable.
927.Pp
928.Xr chroot 2
929directory used by
930.Nm
931during privilege separation in the pre-authentication phase.
932The directory should not contain any files and must be owned by root
933and not group or world-writable.
934.Pp
928.It /var/run/sshd.pid
935.It Pa /var/run/sshd.pid
929Contains the process ID of the
930.Nm
931listening for connections (if there are several daemons running
932concurrently for different ports, this contains the process ID of the one
933started last).
934The content of this file is not sensitive; it can be world-readable.
935.El
936.Sh SEE ALSO
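Review bot: `These three files contain the private parts of the host keys.` and `These three files contain the public parts of the host keys.` are now wrong, because each tag list gains a fourth entry (`/etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_ecdsa_key.pub`); change `three` to `four`, or better, to `These files` so the count does not drift again when key types are added. The wholesale `.It` to `.It Pa` change and the `(DSA/ECDSA/RSA)` wording in the `~/.ssh/authorized_keys` entry are fine and match how the same paths are marked up elsewhere in the page.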

--- 36 unchanged lines hidden ---
936Contains the process ID of the
937.Nm
938listening for connections (if there are several daemons running
939concurrently for different ports, this contains the process ID of the one
940started last).
941The content of this file is not sensitive; it can be world-readable.
942.El
943.Sh SEE ALSO

--- 36 unchanged lines hidden ---