Deleted Added
sshd.0 (214979) sshd.0 (218767)
1SSHD(8) OpenBSD System Manager's Manual SSHD(8)
2
3NAME
4 sshd - OpenSSH SSH daemon
5
6SYNOPSIS
7 sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
8 [-c host_certificate_file] [-f config_file] [-g login_grace_time]

--- 64 unchanged lines hidden (view full) ---

73 user within this many seconds, the server disconnects and exits.
74 A value of zero indicates no limit.
75
76 -h host_key_file
77 Specifies a file from which a host key is read. This option must
78 be given if sshd is not run as root (as the normal host key files
79 are normally not readable by anyone but root). The default is
80 /etc/ssh/ssh_host_key for protocol version 1, and
1SSHD(8) OpenBSD System Manager's Manual SSHD(8)
2
3NAME
4 sshd - OpenSSH SSH daemon
5
6SYNOPSIS
7 sshd [-46DdeiqTt] [-b bits] [-C connection_spec]
8 [-c host_certificate_file] [-f config_file] [-g login_grace_time]

--- 64 unchanged lines hidden (view full) ---

73 user within this many seconds, the server disconnects and exits.
74 A value of zero indicates no limit.
75
76 -h host_key_file
77 Specifies a file from which a host key is read. This option must
78 be given if sshd is not run as root (as the normal host key files
79 are normally not readable by anyone but root). The default is
80 /etc/ssh/ssh_host_key for protocol version 1, and
81 /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for
82 protocol version 2. It is possible to have multiple host key
83 files for the different protocol versions and host key
84 algorithms.
81 /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key and
82 /etc/ssh/ssh_host_rsa_key for protocol version 2. It is possible
83 to have multiple host key files for the different protocol
84 versions and host key algorithms.
85
86 -i Specifies that sshd is being run from inetd(8). sshd is normally
87 not run from inetd because it needs to generate the server key
88 before it can respond to the client, and this may take tens of
89 seconds. Clients would have to wait too long if the key was
90 regenerated every time. However, with small key sizes (e.g. 512)
91 using sshd from inetd may be feasible.
92

--- 45 unchanged lines hidden (view full) ---

138 require DNS include RhostsRSAAuthentication,
139 HostbasedAuthentication, and using a from="pattern-list" option
140 in a key file. Configuration options that require DNS include
141 using a USER@HOST pattern in AllowUsers or DenyUsers.
142
143AUTHENTICATION
144 The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to
145 use protocol 2 only, though this can be changed via the Protocol option
85
86 -i Specifies that sshd is being run from inetd(8). sshd is normally
87 not run from inetd because it needs to generate the server key
88 before it can respond to the client, and this may take tens of
89 seconds. Clients would have to wait too long if the key was
90 regenerated every time. However, with small key sizes (e.g. 512)
91 using sshd from inetd may be feasible.
92

--- 45 unchanged lines hidden (view full) ---

138 require DNS include RhostsRSAAuthentication,
139 HostbasedAuthentication, and using a from="pattern-list" option
140 in a key file. Configuration options that require DNS include
141 using a USER@HOST pattern in AllowUsers or DenyUsers.
142
143AUTHENTICATION
144 The OpenSSH SSH daemon supports SSH protocols 1 and 2. The default is to
145 use protocol 2 only, though this can be changed via the Protocol option
146 in sshd_config(5). Protocol 2 supports both RSA and DSA keys; protocol 1
147 only supports RSA keys. For both protocols, each host has a host-
146 in sshd_config(5). Protocol 2 supports DSA, ECDSA and RSA keys; protocol
147 1 only supports RSA keys. For both protocols, each host has a host-
148 specific key, normally 2048 bits, used to identify the host.
149
150 Forward security for protocol 1 is provided through an additional server
151 key, normally 768 bits, generated when the server starts. This key is
152 normally regenerated every hour if it has been used, and is never stored
153 on disk. Whenever a client connects, the daemon responds with its public
154 host and server keys. The client compares the RSA host key against its
155 own database to verify that it has not changed. The client then

--- 112 unchanged lines hidden (view full) ---

268 public keys consist of the following space-separated fields: options,
269 bits, exponent, modulus, comment. Protocol 2 public key consist of:
270 options, keytype, base64-encoded key, comment. The options field is
271 optional; its presence is determined by whether the line starts with a
272 number or not (the options field never starts with a number). The bits,
273 exponent, modulus, and comment fields give the RSA key for protocol
274 version 1; the comment field is not used for anything (but may be
275 convenient for the user to identify the key). For protocol version 2 the
148 specific key, normally 2048 bits, used to identify the host.
149
150 Forward security for protocol 1 is provided through an additional server
151 key, normally 768 bits, generated when the server starts. This key is
152 normally regenerated every hour if it has been used, and is never stored
153 on disk. Whenever a client connects, the daemon responds with its public
154 host and server keys. The client compares the RSA host key against its
155 own database to verify that it has not changed. The client then
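Review bot: line 148, left unchanged right after the new "DSA, ECDSA and RSA" sentence at 146-147, still says each host key is "normally 2048 bits"; that figure describes RSA keys, while the ECDSA key types added at lines 276-277 (ecdsa-sha2-nistp256, -nistp384, -nistp521) are sized by their curve, so the sentence no longer covers every host key type the paragraph now lists. Suggest qualifying it, e.g. "each host has a host-specific key (normally 2048 bits for RSA; 256, 384 or 521 bits for ECDSA) used to identify the host."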

--- 112 unchanged lines hidden (view full) ---

268 public keys consist of the following space-separated fields: options,
269 bits, exponent, modulus, comment. Protocol 2 public key consist of:
270 options, keytype, base64-encoded key, comment. The options field is
271 optional; its presence is determined by whether the line starts with a
272 number or not (the options field never starts with a number). The bits,
273 exponent, modulus, and comment fields give the RSA key for protocol
274 version 1; the comment field is not used for anything (but may be
275 convenient for the user to identify the key). For protocol version 2 the
276 keytype is ``ssh-dss'' or ``ssh-rsa''.
276 keytype is ``ecdsa-sha2-nistp256'', ``ecdsa-sha2-nistp384'',
277 ``ecdsa-sha2-nistp521'', ``ssh-dss'' or ``ssh-rsa''.
277
278 Note that lines in this file are usually several hundred bytes long
279 (because of the size of the public key encoding) up to a limit of 8
280 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
281 kilobits. You don't want to type them in; instead, copy the
278
279 Note that lines in this file are usually several hundred bytes long
280 (because of the size of the public key encoding) up to a limit of 8
281 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16
282 kilobits. You don't want to type them in; instead, copy the
282 identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.
283 identity.pub, id_dsa.pub, id_ecdsa.pub, or the id_rsa.pub file and edit
284 it.
283
284 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
285 2 keys of 768 bits.
286
287 The options (if present) consist of comma-separated option
288 specifications. No spaces are permitted, except within double quotes.
289 The following option specifications are supported (note that option
290 keywords are case-insensitive):

--- 208 unchanged lines hidden (view full) ---

499 ~/.ssh/
500 This directory is the default location for all user-specific
501 configuration and authentication information. There is no
502 general requirement to keep the entire contents of this directory
503 secret, but the recommended permissions are read/write/execute
504 for the user, and not accessible by others.
505
506 ~/.ssh/authorized_keys
285
286 sshd enforces a minimum RSA key modulus size for protocol 1 and protocol
287 2 keys of 768 bits.
288
289 The options (if present) consist of comma-separated option
290 specifications. No spaces are permitted, except within double quotes.
291 The following option specifications are supported (note that option
292 keywords are case-insensitive):
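Review bot: the size sentence at lines 280-281 ("permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits") was not touched when the ECDSA key types were added at 276-277; since the largest listed curve is nistp521, an ECDSA line is nowhere near the 8 kilobyte limit, so either state that explicitly or make clear the sentence is about DSA and RSA only, e.g. "which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits (ECDSA keys are far below this limit)." While here, line 269 "Protocol 2 public key consist of" is pre-existing but should read "Protocol 2 public keys consist of".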

--- 208 unchanged lines hidden (view full) ---

501 ~/.ssh/
502 This directory is the default location for all user-specific
503 configuration and authentication information. There is no
504 general requirement to keep the entire contents of this directory
505 secret, but the recommended permissions are read/write/execute
506 for the user, and not accessible by others.
507
508 ~/.ssh/authorized_keys
507 Lists the public keys (RSA/DSA) that can be used for logging in
508 as this user. The format of this file is described above. The
509 content of the file is not highly sensitive, but the recommended
510 permissions are read/write for the user, and not accessible by
511 others.
509 Lists the public keys (DSA/ECDSA/RSA) that can be used for
510 logging in as this user. The format of this file is described
511 above. The content of the file is not highly sensitive, but the
512 recommended permissions are read/write for the user, and not
513 accessible by others.
512
513 If this file, the ~/.ssh directory, or the user's home directory
514 are writable by other users, then the file could be modified or
515 replaced by unauthorized users. In this case, sshd will not
516 allow it to be used unless the StrictModes option has been set to
517 ``no''.
518
519 ~/.ssh/environment

--- 40 unchanged lines hidden (view full) ---

560
561 /etc/shosts.equiv
562 This file is used in exactly the same way as hosts.equiv, but
563 allows host-based authentication without permitting login with
564 rlogin/rsh.
565
566 /etc/ssh/ssh_host_key
567 /etc/ssh/ssh_host_dsa_key
514
515 If this file, the ~/.ssh directory, or the user's home directory
516 are writable by other users, then the file could be modified or
517 replaced by unauthorized users. In this case, sshd will not
518 allow it to be used unless the StrictModes option has been set to
519 ``no''.
520
521 ~/.ssh/environment

--- 40 unchanged lines hidden (view full) ---

562
563 /etc/shosts.equiv
564 This file is used in exactly the same way as hosts.equiv, but
565 allows host-based authentication without permitting login with
566 rlogin/rsh.
567
568 /etc/ssh/ssh_host_key
569 /etc/ssh/ssh_host_dsa_key
570 /etc/ssh/ssh_host_ecdsa_key
568 /etc/ssh/ssh_host_rsa_key
569 These three files contain the private parts of the host keys.
570 These files should only be owned by root, readable only by root,
571 and not accessible to others. Note that sshd does not start if
572 these files are group/world-accessible.
573
574 /etc/ssh/ssh_host_key.pub
575 /etc/ssh/ssh_host_dsa_key.pub
571 /etc/ssh/ssh_host_rsa_key
572 These three files contain the private parts of the host keys.
573 These files should only be owned by root, readable only by root,
574 and not accessible to others. Note that sshd does not start if
575 these files are group/world-accessible.
576
577 /etc/ssh/ssh_host_key.pub
578 /etc/ssh/ssh_host_dsa_key.pub
579 /etc/ssh/ssh_host_ecdsa_key.pub
576 /etc/ssh/ssh_host_rsa_key.pub
577 These three files contain the public parts of the host keys.
578 These files should be world-readable but writable only by root.
579 Their contents should match the respective private parts. These
580 files are not really used for anything; they are provided for the
581 convenience of the user so their contents can be copied to known
582 hosts files. These files are created using ssh-keygen(1).
583

--- 38 unchanged lines hidden (view full) ---

622 created OpenSSH. Markus Friedl contributed the support for SSH protocol
623 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
624 for privilege separation.
625
626CAVEATS
627 System security is not improved unless rshd, rlogind, and rexecd are
628 disabled (thus completely disabling rlogin and rsh into the machine).
629
580 /etc/ssh/ssh_host_rsa_key.pub
581 These three files contain the public parts of the host keys.
582 These files should be world-readable but writable only by root.
583 Their contents should match the respective private parts. These
584 files are not really used for anything; they are provided for the
585 convenience of the user so their contents can be copied to known
586 hosts files. These files are created using ssh-keygen(1).
587
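Review bot: the count at line 572 ("These three files contain the private parts of the host keys") and again at 581 ("These three files contain the public parts of the host keys") is now wrong: with /etc/ssh/ssh_host_ecdsa_key added at 570 and /etc/ssh/ssh_host_ecdsa_key.pub at 579, each list has four entries. Suggest dropping the number ("These files contain the private parts of the host keys."), which also matches the wording of the following sentence "These files should only be owned by root", or changing it to "four" in both places. The permission requirements that follow (root-only, sshd does not start if group/world-accessible) apply unchanged to the new ECDSA private key, so nothing else in the hunk needs to move.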

--- 38 unchanged lines hidden (view full) ---

626 created OpenSSH. Markus Friedl contributed the support for SSH protocol
627 versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
628 for privilege separation.
629
630CAVEATS
631 System security is not improved unless rshd, rlogind, and rexecd are
632 disabled (thus completely disabling rlogin and rsh into the machine).
633
630OpenBSD 4.8 August 4, 2010 OpenBSD 4.8
634OpenBSD 4.8 October 28, 2010 OpenBSD 4.8