version 1.176.2.5, 2002/10/11 14:51:53 |
version 1.176.2.6, 2003/04/03 22:35:18 |
|
|
.Nd OpenSSH SSH daemon |
.Nd OpenSSH SSH daemon |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm sshd |
.Nm sshd |
|
.Bk -words |
.Op Fl deiqtD46 |
.Op Fl deiqtD46 |
.Op Fl b Ar bits |
.Op Fl b Ar bits |
.Op Fl f Ar config_file |
.Op Fl f Ar config_file |
|
|
.Op Fl o Ar option |
.Op Fl o Ar option |
.Op Fl p Ar port |
.Op Fl p Ar port |
.Op Fl u Ar len |
.Op Fl u Ar len |
|
.Ek |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(SSH Daemon) is the daemon program for |
(SSH Daemon) is the daemon program for |
|
|
.Nm |
.Nm |
supports both SSH protocol version 1 and 2 simultaneously. |
supports both SSH protocol version 1 and 2 simultaneously. |
.Nm |
.Nm |
works as follows. |
works as follows: |
.Pp |
.Pp |
.Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
.Pp |
.Pp |
|
|
This key is normally regenerated every hour if it has been used, and |
This key is normally regenerated every hour if it has been used, and |
is never stored on disk. |
is never stored on disk. |
.Pp |
.Pp |
Whenever a client connects the daemon responds with its public |
Whenever a client connects, the daemon responds with its public |
host and server keys. |
host and server keys. |
The client compares the |
The client compares the |
RSA host key against its own database to verify that it has not changed. |
RSA host key against its own database to verify that it has not changed. |
|
|
.Nm rshd , |
.Nm rshd , |
.Nm rlogind , |
.Nm rlogind , |
and |
and |
.Xr rexecd |
.Nm rexecd |
are disabled (thus completely disabling |
are disabled (thus completely disabling |
.Xr rlogin |
.Xr rlogin |
and |
and |
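Review bot: replacing `.Xr rexecd` with `.Nm rexecd` fixes an `.Xr` that had no manual-section argument and makes it match the `.Nm rshd ,` and `.Nm rlogind ,` just above it, but the same defect survives two lines later in `.Xr rlogin`, which should carry its section (`.Xr rlogin 1`) so the cross-reference renders consistently with the rest of the page.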
|
|
log, and does not put itself in the background. |
log, and does not put itself in the background. |
The server also will not fork and will only process one connection. |
The server also will not fork and will only process one connection. |
This option is only intended for debugging for the server. |
This option is only intended for debugging for the server. |
Multiple -d options increase the debugging level. |
Multiple |
|
.Fl d |
|
options increase the debugging level. |
Maximum is 3. |
Maximum is 3. |
.It Fl e |
.It Fl e |
When this option is specified, |
When this option is specified, |
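Review bot: splitting the option out as `.Fl d` on its own line is the right mdoc form and matches the synopsis `.Op Fl deiqtD46`; one wording nit remains in the same hunk: "This option is only intended for debugging for the server." should read "This option is only intended for debugging the server."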
|
|
.It Fl i |
.It Fl i |
Specifies that |
Specifies that |
.Nm |
.Nm |
is being run from inetd. |
is being run from |
|
.Xr inetd 8 . |
.Nm |
.Nm |
is normally not run |
is normally not run |
from inetd because it needs to generate the server key before it can |
from inetd because it needs to generate the server key before it can |
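Review bot: `.Xr inetd 8 .` is correct, but the sentence that follows in the same hunk still says "from inetd" in plain text ("is normally not run from inetd because it needs to generate the server key"); mark that occurrence as `.Xr inetd 8` as well so both references render and cross-link the same way.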
|
|
.Pa utmp |
.Pa utmp |
file. |
file. |
.Fl u0 |
.Fl u0 |
is also be used to prevent |
may also be used to prevent |
.Nm |
.Nm |
from making DNS requests unless the authentication |
from making DNS requests unless the authentication |
mechanism or configuration requires it. |
mechanism or configuration requires it. |
|
|
The command supplied by the user (if any) is ignored. |
The command supplied by the user (if any) is ignored. |
The command is run on a pty if the client requests a pty; |
The command is run on a pty if the client requests a pty; |
otherwise it is run without a tty. |
otherwise it is run without a tty. |
If a 8-bit clean channel is required, |
If an 8-bit clean channel is required, |
one must not request a pty or should specify |
one must not request a pty or should specify |
.Cm no-pty . |
.Cm no-pty . |
A quote may be included in the command by quoting it with a backslash. |
A quote may be included in the command by quoting it with a backslash. |
|
|
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
The |
The |
.Pa /etc/ssh/ssh_known_hosts , |
.Pa /etc/ssh/ssh_known_hosts |
and |
and |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
files contain host public keys for all known hosts. |
files contain host public keys for all known hosts. |
|
|
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
should be world-readable, and |
should be world-readable, and |
.Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
can but need not be world-readable. |
can, but need not be, world-readable. |
.It Pa /etc/nologin |
.It Pa /etc/nologin |
If this file exists, |
If this file exists, |
.Nm |
.Nm |
|
|
This file contains host-username pairs, separated by a space, one per |
This file contains host-username pairs, separated by a space, one per |
line. |
line. |
The given user on the corresponding host is permitted to log in |
The given user on the corresponding host is permitted to log in |
without password. |
without a password. |
The same file is used by rlogind and rshd. |
The same file is used by rlogind and rshd. |
The file must |
The file must |
be writable only by the user; it is recommended that it not be |
be writable only by the user; it is recommended that it not be |
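Review bot: besides the "without a password" fix, this hunk still names the peer daemons in plain text ("The same file is used by rlogind and rshd."), whereas the DESCRIPTION section marks them as `.Nm rshd ,` and `.Nm rlogind ,`; use `.Xr rlogind 8` and `.Xr rshd 8` here so they cross-reference. The ownership requirement ("must be writable only by the user") is the security-relevant part of this entry and is unchanged, which is as it should be.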
|
|
.Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
option. |
option. |
.It Pa $HOME/.ssh/rc |
.It Pa $HOME/.ssh/rc |
If this file exists, it is run with /bin/sh after reading the |
If this file exists, it is run with |
|
.Pa /bin/sh |
|
after reading the |
environment files but before starting the user's shell or command. |
environment files but before starting the user's shell or command. |
It must not produce any output on stdout; stderr must be used |
It must not produce any output on stdout; stderr must be used |
instead. |
instead. |