sshd.0 (180741) sshd.0 (180744)
1SSHD(8) OpenBSD System Manager's Manual SSHD(8)
2
3NAME
4 sshd - OpenSSH SSH daemon
5
6SYNOPSIS
7 sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
9
10DESCRIPTION
11 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
1SSHD(8) OpenBSD System Manager's Manual SSHD(8)
2
3NAME
4 sshd - OpenSSH SSH daemon
5
6SYNOPSIS
7 sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
8 [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
9
10DESCRIPTION
11 sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these
12 programs replace rlogin and rsh, and provide secure encrypted communica-
13 tions between two untrusted hosts over an insecure network.
12 programs replace rlogin(1) and rsh(1), and provide secure encrypted com-
13 munications between two untrusted hosts over an insecure network.
14
15 sshd listens for connections from clients. It is normally started at
16 boot from /etc/rc. It forks a new daemon for each incoming connection.
17 The forked daemons handle key exchange, encryption, authentication, com-
18 mand execution, and data exchange.
19
20 sshd can be configured using command-line options or a configuration file
21 (by default sshd_config(5)); command-line options override values speci-

--- 18 unchanged lines hidden ---

40 log, and does not put itself in the background. The server also
41 will not fork and will only process one connection. This option
42 is only intended for debugging for the server. Multiple -d op-
43 tions increase the debugging level. Maximum is 3.
44
45 -e When this option is specified, sshd will send the output to the
46 standard error instead of the system log.
47
14
15 sshd listens for connections from clients. It is normally started at
16 boot from /etc/rc. It forks a new daemon for each incoming connection.
17 The forked daemons handle key exchange, encryption, authentication, com-
18 mand execution, and data exchange.
19
20 sshd can be configured using command-line options or a configuration file
21 (by default sshd_config(5)); command-line options override values speci-
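Review bot: now that lines 12-13 cite rlogin(1) and rsh(1) with manual sections, the other references to the same programs in this page are left bare, namely "rlogin/rsh" in the /etc/shosts.equiv entry (line 478) and "rshd, rlogind, and rexecd" in CAVEATS (lines 541-542); either give those sections too or keep all of them bare, but not a mix.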

--- 18 unchanged lines hidden ---

40 log, and does not put itself in the background. The server also
41 will not fork and will only process one connection. This option
42 is only intended for debugging for the server. Multiple -d op-
43 tions increase the debugging level. Maximum is 3.
44
45 -e When this option is specified, sshd will send the output to the
46 standard error instead of the system log.
47
48 -f configuration_file
48 -f config_file
49 Specifies the name of the configuration file. The default is
50 /etc/ssh/sshd_config. sshd refuses to start if there is no con-
51 figuration file.
52
53 -g login_grace_time
54 Gives the grace time for clients to authenticate themselves (de-
55 fault 120 seconds). If the client fails to authenticate the user
56 within this many seconds, the server disconnects and exits. A

--- 81 unchanged lines hidden ---

138 tion algorithm to use from those offered by the server.
139
140 For protocol 2, forward security is provided through a Diffie-Hellman key
141 agreement. This key agreement results in a shared session key. The rest
142 of the session is encrypted using a symmetric cipher, currently 128-bit
143 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
144 client selects the encryption algorithm to use from those offered by the
145 server. Additionally, session integrity is provided through a crypto-
49 Specifies the name of the configuration file. The default is
50 /etc/ssh/sshd_config. sshd refuses to start if there is no con-
51 figuration file.
52
53 -g login_grace_time
54 Gives the grace time for clients to authenticate themselves (de-
55 fault 120 seconds). If the client fails to authenticate the user
56 within this many seconds, the server disconnects and exits. A
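Review bot: renaming the argument to "-f config_file" brings line 48 into agreement with the SYNOPSIS ("[-f config_file]", line 8); the remaining option arguments in this section (-g login_grace_time, -h host_key_file, -k key_gen_time, -p port, -u len) should be checked against the synopsis in the same pass so the two do not drift apart again.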

--- 81 unchanged lines hidden ---

138 tion algorithm to use from those offered by the server.
139
140 For protocol 2, forward security is provided through a Diffie-Hellman key
141 agreement. This key agreement results in a shared session key. The rest
142 of the session is encrypted using a symmetric cipher, currently 128-bit
143 AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The
144 client selects the encryption algorithm to use from those offered by the
145 server. Additionally, session integrity is provided through a crypto-
146 graphic message authentication code (hmac-sha1 or hmac-md5).
146 graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or
147 hmac-ripemd160).
147
148 Finally, the server and the client enter an authentication dialog. The
149 client tries to authenticate itself using host-based authentication, pub-
150 lic key authentication, challenge-response authentication, or password
151 authentication.
152
153 Regardless of the authentication type, the account is checked to ensure
154 that it is accessible. An account is not accessible if it is locked,
155 listed in DenyUsers or its group is listed in DenyGroups . The defini-
156 tion of a locked account is system dependant. Some platforms have their
157 own account database (eg AIX) and some modify the passwd field ( `*LK*'
158 on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
148
149 Finally, the server and the client enter an authentication dialog. The
150 client tries to authenticate itself using host-based authentication, pub-
151 lic key authentication, challenge-response authentication, or password
152 authentication.
153
154 Regardless of the authentication type, the account is checked to ensure
155 that it is accessible. An account is not accessible if it is locked,
156 listed in DenyUsers or its group is listed in DenyGroups . The defini-
157 tion of a locked account is system dependant. Some platforms have their
158 own account database (eg AIX) and some modify the passwd field ( `*LK*'
159 on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
159 leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux). If there is
160 a requirement to disable password authentication for the account while
161 allowing still public-key, then the passwd field should be set to some-
162 thing other than these values (eg `NP' or `*NP*' ).
160 leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes). If
161 there is a requirement to disable password authentication for the account
162 while allowing still public-key, then the passwd field should be set to
163 something other than these values (eg `NP' or `*NP*' ).
163
164 If the client successfully authenticates itself, a dialog for preparing
165 the session is entered. At this time the client may request things like
166 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
167 nections, or forwarding the authentication agent connection over the se-
168 cure channel.
169
170 After this, the client either requests a shell or execution of a command.

--- 301 unchanged lines hidden ---

472 log in, and non-root connections are refused. The file should be
473 world-readable.
474
475 /etc/shosts.equiv
476 This file is used in exactly the same way as hosts.equiv, but al-
477 lows host-based authentication without permitting login with
478 rlogin/rsh.
479
164
165 If the client successfully authenticates itself, a dialog for preparing
166 the session is entered. At this time the client may request things like
167 allocating a pseudo-tty, forwarding X11 connections, forwarding TCP con-
168 nections, or forwarding the authentication agent connection over the se-
169 cure channel.
170
171 After this, the client either requests a shell or execution of a command.
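Review bot: "while allowing still public-key" on new lines 161-162 reads awkwardly; suggest "while still allowing public-key authentication". In the surrounding context, "dependant" (line 157) should be "dependent" and "eg" should be "e.g.". On substance, changing the Linux lock marker from `!!' to "a leading `!'" widens what counts as locked (any field beginning with `!', `!!' included), and because the check applies "Regardless of the authentication type", an administrator who prefixes a password hash with `!' to switch off password logins also loses public-key access to that account; that consequence is why the next sentence recommends `NP' or `*NP*', and it would help to say so explicitly rather than leave the reader to infer it. Finally, the MAC list on lines 146-147 has been refreshed (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160) but the cipher list on lines 142-143 of the same paragraph ("currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, ...") was not touched; confirm it is still accurate, or point both lists at sshd_config(5) so this paragraph stops going stale.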

--- 301 unchanged lines hidden ---

473 log in, and non-root connections are refused. The file should be
474 world-readable.
475
476 /etc/shosts.equiv
477 This file is used in exactly the same way as hosts.equiv, but al-
478 lows host-based authentication without permitting login with
479 rlogin/rsh.
480
480 /etc/ssh/ssh_known_hosts
481 Systemwide list of known host keys. This file should be prepared
482 by the system administrator to contain the public host keys of
483 all machines in the organization. The format of this file is de-
484 scribed above. This file should be writable only by root/the
485 owner and should be world-readable.
486
487 /etc/ssh/ssh_host_key
488 /etc/ssh/ssh_host_dsa_key
489 /etc/ssh/ssh_host_rsa_key
490 These three files contain the private parts of the host keys.
491 These files should only be owned by root, readable only by root,
492 and not accessible to others. Note that sshd does not start if
493 these files are group/world-accessible.
494
495 /etc/ssh/ssh_host_key.pub
496 /etc/ssh/ssh_host_dsa_key.pub
497 /etc/ssh/ssh_host_rsa_key.pub
498 These three files contain the public parts of the host keys.
499 These files should be world-readable but writable only by root.
500 Their contents should match the respective private parts. These
501 files are not really used for anything; they are provided for the
502 convenience of the user so their contents can be copied to known
503 hosts files. These files are created using ssh-keygen(1).
504
481 /etc/ssh/ssh_host_key
482 /etc/ssh/ssh_host_dsa_key
483 /etc/ssh/ssh_host_rsa_key
484 These three files contain the private parts of the host keys.
485 These files should only be owned by root, readable only by root,
486 and not accessible to others. Note that sshd does not start if
487 these files are group/world-accessible.
488
489 /etc/ssh/ssh_host_key.pub
490 /etc/ssh/ssh_host_dsa_key.pub
491 /etc/ssh/ssh_host_rsa_key.pub
492 These three files contain the public parts of the host keys.
493 These files should be world-readable but writable only by root.
494 Their contents should match the respective private parts. These
495 files are not really used for anything; they are provided for the
496 convenience of the user so their contents can be copied to known
497 hosts files. These files are created using ssh-keygen(1).
498
499 /etc/ssh/ssh_known_hosts
500 Systemwide list of known host keys. This file should be prepared
501 by the system administrator to contain the public host keys of
502 all machines in the organization. The format of this file is de-
503 scribed above. This file should be writable only by root/the
504 owner and should be world-readable.
505
505 /etc/ssh/sshd_config
506 Contains configuration data for sshd. The file format and con-
507 figuration options are described in sshd_config(5).
508
509 /etc/ssh/sshrc
510 Similar to ~/.ssh/rc, it can be used to specify machine-specific
511 login-time initializations globally. This file should be
512 writable only by root, and should be world-readable.

--- 8 unchanged lines hidden ---

521 Contains the process ID of the sshd listening for connections (if
522 there are several daemons running concurrently for different
523 ports, this contains the process ID of the one started last).
524 The content of this file is not sensitive; it can be world-read-
525 able.
526
527SEE ALSO
528 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
506 /etc/ssh/sshd_config
507 Contains configuration data for sshd. The file format and con-
508 figuration options are described in sshd_config(5).
509
510 /etc/ssh/sshrc
511 Similar to ~/.ssh/rc, it can be used to specify machine-specific
512 login-time initializations globally. This file should be
513 writable only by root, and should be world-readable.
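Review bot: the /etc/ssh/ssh_known_hosts entry tells the administrator to populate the file with "the public host keys of all machines in the organization" but names no tool for collecting them; since ssh-keyscan(1) is added to SEE ALSO in this same change, a cross-reference to it here (alongside the existing ssh-keygen(1) pointer for the .pub files, whose "contents can be copied to known hosts files") would close that loop. The move of the entry to after the ssh_host_*_key.pub entries is wording-identical and puts the FILES list in path order, so nothing else needs attention there; "described above" still resolves after the move.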

--- 8 unchanged lines hidden ---

522 Contains the process ID of the sshd listening for connections (if
523 there are several daemons running concurrently for different
524 ports, this contains the process ID of the one started last).
525 The content of this file is not sensitive; it can be world-read-
526 able.
527
528SEE ALSO
529 scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
529 chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
530 inetd(8), sftp-server(8)
530 ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
531 sshd_config(5), inetd(8), sftp-server(8)
531
532AUTHORS
533 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
534 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
535 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
536 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
537 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
538 for privilege separation.
539
540CAVEATS
541 System security is not improved unless rshd, rlogind, and rexecd are dis-
542 abled (thus completely disabling rlogin and rsh into the machine).
543
532
533AUTHORS
534 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
535 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
536 de Raadt and Dug Song removed many bugs, re-added newer features and cre-
537 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
538 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
539 for privilege separation.
540
541CAVEATS
542 System security is not improved unless rshd, rlogind, and rexecd are dis-
543 abled (thus completely disabling rlogin and rsh into the machine).
544
544OpenBSD 4.1 September 25, 1999 9
545OpenBSD 4.2 August 16, 2007 9