| version 1.176.2.6, 2003/04/03 22:35:18 |
version 1.177, 2002/04/21 16:19:27 |
|
|
| .Nd OpenSSH SSH daemon |
.Nd OpenSSH SSH daemon |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm sshd |
.Nm sshd |
| .Bk -words |
|
| .Op Fl deiqtD46 |
.Op Fl deiqtD46 |
| .Op Fl b Ar bits |
.Op Fl b Ar bits |
| .Op Fl f Ar config_file |
.Op Fl f Ar config_file |
|
|
| .Op Fl o Ar option |
.Op Fl o Ar option |
| .Op Fl p Ar port |
.Op Fl p Ar port |
| .Op Fl u Ar len |
.Op Fl u Ar len |
| .Ek |
|
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| (SSH Daemon) is the daemon program for |
(SSH Daemon) is the daemon program for |
|
|
| .Nm |
.Nm |
| supports both SSH protocol version 1 and 2 simultaneously. |
supports both SSH protocol version 1 and 2 simultaneously. |
| .Nm |
.Nm |
| works as follows: |
works as follows. |
| .Pp |
.Pp |
| .Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
| .Pp |
.Pp |
|
|
| This key is normally regenerated every hour if it has been used, and |
This key is normally regenerated every hour if it has been used, and |
| is never stored on disk. |
is never stored on disk. |
| .Pp |
.Pp |
| Whenever a client connects, the daemon responds with its public |
Whenever a client connects the daemon responds with its public |
| host and server keys. |
host and server keys. |
| The client compares the |
The client compares the |
| RSA host key against its own database to verify that it has not changed. |
RSA host key against its own database to verify that it has not changed. |
|
|
| because it is fundamentally insecure, but can be enabled in the server |
because it is fundamentally insecure, but can be enabled in the server |
| configuration file if desired. |
configuration file if desired. |
| System security is not improved unless |
System security is not improved unless |
| .Nm rshd , |
.Xr rshd 8 , |
| .Nm rlogind , |
.Xr rlogind 8 , |
| and |
and |
| .Nm rexecd |
.Xr rexecd 8 |
| are disabled (thus completely disabling |
are disabled (thus completely disabling |
| .Xr rlogin |
.Xr rlogin 1 |
| and |
and |
| .Xr rsh |
.Xr rsh 1 |
| into the machine). |
into the machine). |
| .Pp |
.Pp |
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
|
|
| log, and does not put itself in the background. |
log, and does not put itself in the background. |
| The server also will not fork and will only process one connection. |
The server also will not fork and will only process one connection. |
| This option is only intended for debugging for the server. |
This option is only intended for debugging for the server. |
| Multiple |
Multiple -d options increase the debugging level. |
| .Fl d |
|
| options increase the debugging level. |
|
| Maximum is 3. |
Maximum is 3. |
| .It Fl e |
.It Fl e |
| When this option is specified, |
When this option is specified, |
|
|
| refuses to start if there is no configuration file. |
refuses to start if there is no configuration file. |
| .It Fl g Ar login_grace_time |
.It Fl g Ar login_grace_time |
| Gives the grace time for clients to authenticate themselves (default |
Gives the grace time for clients to authenticate themselves (default |
| 120 seconds). |
600 seconds). |
| If the client fails to authenticate the user within |
If the client fails to authenticate the user within |
| this many seconds, the server disconnects and exits. |
this many seconds, the server disconnects and exits. |
| A value of zero indicates no limit. |
A value of zero indicates no limit. |
|
|
| .It Fl i |
.It Fl i |
| Specifies that |
Specifies that |
| .Nm |
.Nm |
| is being run from |
is being run from inetd. |
| .Xr inetd 8 . |
|
| .Nm |
.Nm |
| is normally not run |
is normally not run |
| from inetd because it needs to generate the server key before it can |
from inetd because it needs to generate the server key before it can |
|
|
| .Pa utmp |
.Pa utmp |
| file. |
file. |
| .Fl u0 |
.Fl u0 |
| may also be used to prevent |
is also be used to prevent |
| .Nm |
.Nm |
| from making DNS requests unless the authentication |
from making DNS requests unless the authentication |
| mechanism or configuration requires it. |
mechanism or configuration requires it. |
|
|
| (or the file specified with |
(or the file specified with |
| .Fl f |
.Fl f |
| on the command line). |
on the command line). |
| The file format and configuration options are described in |
The file contains keyword-argument pairs, one per line. |
| .Xr sshd_config 5 . |
Lines starting with |
| |
.Ql # |
| |
and empty lines are interpreted as comments. |
| |
.Pp |
| |
The possible |
| |
keywords and their meanings are as follows (note that |
| |
keywords are case-insensitive and arguments are case-sensitive): |
| |
.Bl -tag -width Ds |
| |
.It Cm AFSTokenPassing |
| |
Specifies whether an AFS token may be forwarded to the server. |
| |
Default is |
| |
.Dq no . |
| |
.It Cm AllowGroups |
| |
This keyword can be followed by a list of group name patterns, separated |
| |
by spaces. |
| |
If specified, login is allowed only for users whose primary |
| |
group or supplementary group list matches one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql ? |
| |
can be used as |
| |
wildcards in the patterns. |
| |
Only group names are valid; a numerical group ID is not recognized. |
| |
By default, login is allowed for all groups. |
| |
.Pp |
| |
.It Cm AllowTcpForwarding |
| |
Specifies whether TCP forwarding is permitted. |
| |
The default is |
| |
.Dq yes . |
| |
Note that disabling TCP forwarding does not improve security unless |
| |
users are also denied shell access, as they can always install their |
| |
own forwarders. |
| |
.Pp |
| |
.It Cm AllowUsers |
| |
This keyword can be followed by a list of user name patterns, separated |
| |
by spaces. |
| |
If specified, login is allowed only for users names that |
| |
match one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql ? |
| |
can be used as |
| |
wildcards in the patterns. |
| |
Only user names are valid; a numerical user ID is not recognized. |
| |
By default, login is allowed for all users. |
| |
If the pattern takes the form USER@HOST then USER and HOST |
| |
are separately checked, restricting logins to particular |
| |
users from particular hosts. |
| |
.Pp |
| |
.It Cm AuthorizedKeysFile |
| |
Specifies the file that contains the public keys that can be used |
| |
for user authentication. |
| |
.Cm AuthorizedKeysFile |
| |
may contain tokens of the form %T which are substituted during connection |
| |
set-up. The following tokens are defined: %% is replaced by a literal '%', |
| |
%h is replaced by the home directory of the user being authenticated and |
| |
%u is replaced by the username of that user. |
| |
After expansion, |
| |
.Cm AuthorizedKeysFile |
| |
is taken to be an absolute path or one relative to the user's home |
| |
directory. |
| |
The default is |
| |
.Dq .ssh/authorized_keys . |
| |
.It Cm Banner |
| |
In some jurisdictions, sending a warning message before authentication |
| |
may be relevant for getting legal protection. |
| |
The contents of the specified file are sent to the remote user before |
| |
authentication is allowed. |
| |
This option is only available for protocol version 2. |
| |
By default, no banner is displayed. |
| |
.Pp |
| |
.It Cm ChallengeResponseAuthentication |
| |
Specifies whether challenge response authentication is allowed. |
| |
All authentication styles from |
| |
.Xr login.conf 5 |
| |
are supported. |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm Ciphers |
| |
Specifies the ciphers allowed for protocol version 2. |
| |
Multiple ciphers must be comma-separated. |
| |
The default is |
| |
.Pp |
| |
.Bd -literal |
| |
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, |
| |
aes192-cbc,aes256-cbc'' |
| |
.Ed |
| |
.It Cm ClientAliveInterval |
| |
Sets a timeout interval in seconds after which if no data has been received |
| |
from the client, |
| |
.Nm |
| |
will send a message through the encrypted |
| |
channel to request a response from the client. |
| |
The default |
| |
is 0, indicating that these messages will not be sent to the client. |
| |
This option applies to protocol version 2 only. |
| |
.It Cm ClientAliveCountMax |
| |
Sets the number of client alive messages (see above) which may be |
| |
sent without |
| |
.Nm |
| |
receiving any messages back from the client. If this threshold is |
| |
reached while client alive messages are being sent, |
| |
.Nm |
| |
will disconnect the client, terminating the session. It is important |
| |
to note that the use of client alive messages is very different from |
| |
.Cm KeepAlive |
| |
(below). The client alive messages are sent through the |
| |
encrypted channel and therefore will not be spoofable. The TCP keepalive |
| |
option enabled by |
| |
.Cm KeepAlive |
| |
is spoofable. The client alive mechanism is valuable when the client or |
| |
server depend on knowing when a connection has become inactive. |
| |
.Pp |
| |
The default value is 3. If |
| |
.Cm ClientAliveInterval |
| |
(above) is set to 15, and |
| |
.Cm ClientAliveCountMax |
| |
is left at the default, unresponsive ssh clients |
| |
will be disconnected after approximately 45 seconds. |
| |
.It Cm DenyGroups |
| |
This keyword can be followed by a list of group name patterns, separated |
| |
by spaces. |
| |
Login is disallowed for users whose primary group or supplementary |
| |
group list matches one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql ? |
| |
can be used as |
| |
wildcards in the patterns. |
| |
Only group names are valid; a numerical group ID is not recognized. |
| |
By default, login is allowed for all groups. |
| |
.Pp |
| |
.It Cm DenyUsers |
| |
This keyword can be followed by a list of user name patterns, separated |
| |
by spaces. |
| |
Login is disallowed for user names that match one of the patterns. |
| |
.Ql \&* |
| |
and |
| |
.Ql ? |
| |
can be used as wildcards in the patterns. |
| |
Only user names are valid; a numerical user ID is not recognized. |
| |
By default, login is allowed for all users. |
| |
If the pattern takes the form USER@HOST then USER and HOST |
| |
are separately checked, restricting logins to particular |
| |
users from particular hosts. |
| |
.It Cm GatewayPorts |
| |
Specifies whether remote hosts are allowed to connect to ports |
| |
forwarded for the client. |
| |
By default, |
| |
.Nm |
| |
binds remote port forwardings to the loopback addresss. This |
| |
prevents other remote hosts from connecting to forwarded ports. |
| |
.Cm GatewayPorts |
| |
can be used to specify that |
| |
.Nm |
| |
should bind remote port forwardings to the wildcard address, |
| |
thus allowing remote hosts to connect to forwarded ports. |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq no . |
| |
.It Cm HostbasedAuthentication |
| |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| |
with successful public key client host authentication is allowed |
| |
(hostbased authentication). |
| |
This option is similar to |
| |
.Cm RhostsRSAAuthentication |
| |
and applies to protocol version 2 only. |
| |
The default is |
| |
.Dq no . |
| |
.It Cm HostKey |
| |
Specifies a file containing a private host key |
| |
used by SSH. |
| |
The default is |
| |
.Pa /etc/ssh/ssh_host_key |
| |
for protocol version 1, and |
| |
.Pa /etc/ssh/ssh_host_rsa_key |
| |
and |
| |
.Pa /etc/ssh/ssh_host_dsa_key |
| |
for protocol version 2. |
| |
Note that |
| |
.Nm |
| |
will refuse to use a file if it is group/world-accessible. |
| |
It is possible to have multiple host key files. |
| |
.Dq rsa1 |
| |
keys are used for version 1 and |
| |
.Dq dsa |
| |
or |
| |
.Dq rsa |
| |
are used for version 2 of the SSH protocol. |
| |
.It Cm IgnoreRhosts |
| |
Specifies that |
| |
.Pa .rhosts |
| |
and |
| |
.Pa .shosts |
| |
files will not be used in |
| |
.Cm RhostsAuthentication , |
| |
.Cm RhostsRSAAuthentication |
| |
or |
| |
.Cm HostbasedAuthentication . |
| |
.Pp |
| |
.Pa /etc/hosts.equiv |
| |
and |
| |
.Pa /etc/shosts.equiv |
| |
are still used. |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm IgnoreUserKnownHosts |
| |
Specifies whether |
| |
.Nm |
| |
should ignore the user's |
| |
.Pa $HOME/.ssh/known_hosts |
| |
during |
| |
.Cm RhostsRSAAuthentication |
| |
or |
| |
.Cm HostbasedAuthentication . |
| |
The default is |
| |
.Dq no . |
| |
.It Cm KeepAlive |
| |
Specifies whether the system should send TCP keepalive messages to the |
| |
other side. |
| |
If they are sent, death of the connection or crash of one |
| |
of the machines will be properly noticed. |
| |
However, this means that |
| |
connections will die if the route is down temporarily, and some people |
| |
find it annoying. |
| |
On the other hand, if keepalives are not sent, |
| |
sessions may hang indefinitely on the server, leaving |
| |
.Dq ghost |
| |
users and consuming server resources. |
| |
.Pp |
| |
The default is |
| |
.Dq yes |
| |
(to send keepalives), and the server will notice |
| |
if the network goes down or the client host crashes. |
| |
This avoids infinitely hanging sessions. |
| |
.Pp |
| |
To disable keepalives, the value should be set to |
| |
.Dq no . |
| |
.It Cm KerberosAuthentication |
| |
Specifies whether Kerberos authentication is allowed. |
| |
This can be in the form of a Kerberos ticket, or if |
| |
.Cm PasswordAuthentication |
| |
is yes, the password provided by the user will be validated through |
| |
the Kerberos KDC. |
| |
To use this option, the server needs a |
| |
Kerberos servtab which allows the verification of the KDC's identity. |
| |
Default is |
| |
.Dq yes . |
| |
.It Cm KerberosOrLocalPasswd |
| |
If set then if password authentication through Kerberos fails then |
| |
the password will be validated via any additional local mechanism |
| |
such as |
| |
.Pa /etc/passwd . |
| |
Default is |
| |
.Dq yes . |
| |
.It Cm KerberosTgtPassing |
| |
Specifies whether a Kerberos TGT may be forwarded to the server. |
| |
Default is |
| |
.Dq no , |
| |
as this only works when the Kerberos KDC is actually an AFS kaserver. |
| |
.It Cm KerberosTicketCleanup |
| |
Specifies whether to automatically destroy the user's ticket cache |
| |
file on logout. |
| |
Default is |
| |
.Dq yes . |
| |
.It Cm KeyRegenerationInterval |
| |
In protocol version 1, the ephemeral server key is automatically regenerated |
| |
after this many seconds (if it has been used). |
| |
The purpose of regeneration is to prevent |
| |
decrypting captured sessions by later breaking into the machine and |
| |
stealing the keys. |
| |
The key is never stored anywhere. |
| |
If the value is 0, the key is never regenerated. |
| |
The default is 3600 (seconds). |
| |
.It Cm ListenAddress |
| |
Specifies the local addresses |
| |
.Nm |
| |
should listen on. |
| |
The following forms may be used: |
| |
.Pp |
| |
.Bl -item -offset indent -compact |
| |
.It |
| |
.Cm ListenAddress |
| |
.Sm off |
| |
.Ar host No | Ar IPv4_addr No | Ar IPv6_addr |
| |
.Sm on |
| |
.It |
| |
.Cm ListenAddress |
| |
.Sm off |
| |
.Ar host No | Ar IPv4_addr No : Ar port |
| |
.Sm on |
| |
.It |
| |
.Cm ListenAddress |
| |
.Sm off |
| |
.Oo |
| |
.Ar host No | Ar IPv6_addr Oc : Ar port |
| |
.Sm on |
| |
.El |
| |
.Pp |
| |
If |
| |
.Ar port |
| |
is not specified, |
| |
.Nm |
| |
will listen on the address and all prior |
| |
.Cm Port |
| |
options specified. The default is to listen on all local |
| |
addresses. Multiple |
| |
.Cm ListenAddress |
| |
options are permitted. Additionally, any |
| |
.Cm Port |
| |
options must precede this option for non port qualified addresses. |
| |
.It Cm LoginGraceTime |
| |
The server disconnects after this time if the user has not |
| |
successfully logged in. |
| |
If the value is 0, there is no time limit. |
| |
The default is 600 (seconds). |
| |
.It Cm LogLevel |
| |
Gives the verbosity level that is used when logging messages from |
| |
.Nm sshd . |
| |
The possible values are: |
| |
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. |
| |
The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 |
| |
and DEBUG3 each specify higher levels of debugging output. |
| |
Logging with a DEBUG level violates the privacy of users |
| |
and is not recommended. |
| |
.It Cm MACs |
| |
Specifies the available MAC (message authentication code) algorithms. |
| |
The MAC algorithm is used in protocol version 2 |
| |
for data integrity protection. |
| |
Multiple algorithms must be comma-separated. |
| |
The default is |
| |
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . |
| |
.It Cm MaxStartups |
| |
Specifies the maximum number of concurrent unauthenticated connections to the |
| |
.Nm |
| |
daemon. |
| |
Additional connections will be dropped until authentication succeeds or the |
| |
.Cm LoginGraceTime |
| |
expires for a connection. |
| |
The default is 10. |
| |
.Pp |
| |
Alternatively, random early drop can be enabled by specifying |
| |
the three colon separated values |
| |
.Dq start:rate:full |
| |
(e.g., "10:30:60"). |
| |
.Nm |
| |
will refuse connection attempts with a probability of |
| |
.Dq rate/100 |
| |
(30%) |
| |
if there are currently |
| |
.Dq start |
| |
(10) |
| |
unauthenticated connections. |
| |
The probability increases linearly and all connection attempts |
| |
are refused if the number of unauthenticated connections reaches |
| |
.Dq full |
| |
(60). |
| |
.It Cm PasswordAuthentication |
| |
Specifies whether password authentication is allowed. |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm PermitEmptyPasswords |
| |
When password authentication is allowed, it specifies whether the |
| |
server allows login to accounts with empty password strings. |
| |
The default is |
| |
.Dq no . |
| |
.It Cm PermitRootLogin |
| |
Specifies whether root can login using |
| |
.Xr ssh 1 . |
| |
The argument must be |
| |
.Dq yes , |
| |
.Dq without-password , |
| |
.Dq forced-commands-only |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
.Pp |
| |
If this option is set to |
| |
.Dq without-password |
| |
password authentication is disabled for root. |
| |
.Pp |
| |
If this option is set to |
| |
.Dq forced-commands-only |
| |
root login with public key authentication will be allowed, |
| |
but only if the |
| |
.Ar command |
| |
option has been specified |
| |
(which may be useful for taking remote backups even if root login is |
| |
normally not allowed). All other authentication methods are disabled |
| |
for root. |
| |
.Pp |
| |
If this option is set to |
| |
.Dq no |
| |
root is not allowed to login. |
| |
.It Cm PidFile |
| |
Specifies the file that contains the process identifier of the |
| |
.Nm |
| |
daemon. |
| |
The default is |
| |
.Pa /var/run/sshd.pid . |
| |
.It Cm Port |
| |
Specifies the port number that |
| |
.Nm |
| |
listens on. |
| |
The default is 22. |
| |
Multiple options of this type are permitted. |
| |
See also |
| |
.Cm ListenAddress . |
| |
.It Cm PrintLastLog |
| |
Specifies whether |
| |
.Nm |
| |
should print the date and time when the user last logged in. |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm PrintMotd |
| |
Specifies whether |
| |
.Nm |
| |
should print |
| |
.Pa /etc/motd |
| |
when a user logs in interactively. |
| |
(On some systems it is also printed by the shell, |
| |
.Pa /etc/profile , |
| |
or equivalent.) |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm Protocol |
| |
Specifies the protocol versions |
| |
.Nm |
| |
should support. |
| |
The possible values are |
| |
.Dq 1 |
| |
and |
| |
.Dq 2 . |
| |
Multiple versions must be comma-separated. |
| |
The default is |
| |
.Dq 2,1 . |
| |
.It Cm PubkeyAuthentication |
| |
Specifies whether public key authentication is allowed. |
| |
The default is |
| |
.Dq yes . |
| |
Note that this option applies to protocol version 2 only. |
| |
.It Cm RhostsAuthentication |
| |
Specifies whether authentication using rhosts or /etc/hosts.equiv |
| |
files is sufficient. |
| |
Normally, this method should not be permitted because it is insecure. |
| |
.Cm RhostsRSAAuthentication |
| |
should be used |
| |
instead, because it performs RSA-based host authentication in addition |
| |
to normal rhosts or /etc/hosts.equiv authentication. |
| |
The default is |
| |
.Dq no . |
| |
This option applies to protocol version 1 only. |
| |
.It Cm RhostsRSAAuthentication |
| |
Specifies whether rhosts or /etc/hosts.equiv authentication together |
| |
with successful RSA host authentication is allowed. |
| |
The default is |
| |
.Dq no . |
| |
This option applies to protocol version 1 only. |
| |
.It Cm RSAAuthentication |
| |
Specifies whether pure RSA authentication is allowed. |
| |
The default is |
| |
.Dq yes . |
| |
This option applies to protocol version 1 only. |
| |
.It Cm ServerKeyBits |
| |
Defines the number of bits in the ephemeral protocol version 1 server key. |
| |
The minimum value is 512, and the default is 768. |
| |
.It Cm StrictModes |
| |
Specifies whether |
| |
.Nm |
| |
should check file modes and ownership of the |
| |
user's files and home directory before accepting login. |
| |
This is normally desirable because novices sometimes accidentally leave their |
| |
directory or files world-writable. |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm Subsystem |
| |
Configures an external subsystem (e.g., file transfer daemon). |
| |
Arguments should be a subsystem name and a command to execute upon subsystem |
| |
request. |
| |
The command |
| |
.Xr sftp-server 8 |
| |
implements the |
| |
.Dq sftp |
| |
file transfer subsystem. |
| |
By default no subsystems are defined. |
| |
Note that this option applies to protocol version 2 only. |
| |
.It Cm SyslogFacility |
| |
Gives the facility code that is used when logging messages from |
| |
.Nm sshd . |
| |
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, |
| |
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. |
| |
The default is AUTH. |
| |
.It Cm UseLogin |
| |
Specifies whether |
| |
.Xr login 1 |
| |
is used for interactive login sessions. |
| |
The default is |
| |
.Dq no . |
| |
Note that |
| |
.Xr login 1 |
| |
is never used for remote command execution. |
| |
Note also, that if this is enabled, |
| |
.Cm X11Forwarding |
| |
will be disabled because |
| |
.Xr login 1 |
| |
does not know how to handle |
| |
.Xr xauth 1 |
| |
cookies. If |
| |
.Cm UsePrivilegeSeparation |
| |
is specified, it will be disabled after authentication. |
| |
.It Cm UsePrivilegeSeparation |
| |
Specifies whether |
| |
.Nm |
| |
separated privileges by creating an unprivileged child process |
| |
to deal with incoming network traffic. After successful authentication, |
| |
another process will be created that has the privilege of the authenticated |
| |
user. The goal of privilege separation is to prevent privilege |
| |
escalation by containing any corruption within the unprivileged processes. |
| |
The default is |
| |
.Dq no . |
| |
.It Cm VerifyReverseMapping |
| |
Specifies whether |
| |
.Nm |
| |
should try to verify the remote host name and check that |
| |
the resolved host name for the remote IP address maps back to the |
| |
very same IP address. |
| |
The default is |
| |
.Dq no . |
| |
.It Cm X11DisplayOffset |
| |
Specifies the first display number available for |
| |
.Nm sshd Ns 's |
| |
X11 forwarding. |
| |
This prevents |
| |
.Nm |
| |
from interfering with real X11 servers. |
| |
The default is 10. |
| |
.It Cm X11Forwarding |
| |
Specifies whether X11 forwarding is permitted. |
| |
The default is |
| |
.Dq no . |
| |
Note that disabling X11 forwarding does not improve security in any |
| |
way, as users can always install their own forwarders. |
| |
X11 forwarding is automatically disabled if |
| |
.Cm UseLogin |
| |
is enabled. |
| |
.It Cm X11UseLocalhost |
| |
Specifies whether |
| |
.Nm |
| |
should bind the X11 forwarding server to the loopback address or to |
| |
the wildcard address. By default, |
| |
.Nm |
| |
binds the forwarding server to the loopback address and sets the |
| |
hostname part of the |
| |
.Ev DISPLAY |
| |
environment variable to |
| |
.Dq localhost . |
| |
This prevents remote hosts from connecting to the fake display. |
| |
However, some older X11 clients may not function with this |
| |
configuration. |
| |
.Cm X11UseLocalhost |
| |
may be set to |
| |
.Dq no |
| |
to specify that the forwarding server should be bound to the wildcard |
| |
address. |
| |
The argument must be |
| |
.Dq yes |
| |
or |
| |
.Dq no . |
| |
The default is |
| |
.Dq yes . |
| |
.It Cm XAuthLocation |
| |
Specifies the location of the |
| |
.Xr xauth 1 |
| |
program. |
| |
The default is |
| |
.Pa /usr/X11R6/bin/xauth . |
| |
.El |
| |
.Ss Time Formats |
| |
.Pp |
| |
.Nm |
| |
command-line arguments and configuration file options that specify time |
| |
may be expressed using a sequence of the form: |
| |
.Sm off |
| |
.Ar time Oo Ar qualifier Oc , |
| |
.Sm on |
| |
where |
| |
.Ar time |
| |
is a positive integer value and |
| |
.Ar qualifier |
| |
is one of the following: |
| |
.Pp |
| |
.Bl -tag -width Ds -compact -offset indent |
| |
.It Cm <none> |
| |
seconds |
| |
.It Cm s | Cm S |
| |
seconds |
| |
.It Cm m | Cm M |
| |
minutes |
| |
.It Cm h | Cm H |
| |
hours |
| |
.It Cm d | Cm D |
| |
days |
| |
.It Cm w | Cm W |
| |
weeks |
| |
.El |
| |
.Pp |
| |
Each member of the sequence is added together to calculate |
| |
the total time value. |
| |
.Pp |
| |
Time format examples: |
| |
.Pp |
| |
.Bl -tag -width Ds -compact -offset indent |
| |
.It 600 |
| |
600 seconds (10 minutes) |
| |
.It 10m |
| |
10 minutes |
| |
.It 1h30m |
| |
1 hour 30 minutes (90 minutes) |
| |
.El |
| .Sh LOGIN PROCESS |
.Sh LOGIN PROCESS |
| When a user successfully logs in, |
When a user successfully logs in, |
| .Nm |
.Nm |
|
|
| .It |
.It |
| Reads |
Reads |
| .Pa $HOME/.ssh/environment |
.Pa $HOME/.ssh/environment |
| if it exists and users are allowed to change their environment. |
if it exists. |
| See the |
|
| .Cm PermitUserEnvironment |
|
| option in |
|
| .Xr sshd_config 5 . |
|
| .It |
.It |
| Changes to user's home directory. |
Changes to user's home directory. |
| .It |
.It |
|
|
| spaces: options, bits, exponent, modulus, comment. |
spaces: options, bits, exponent, modulus, comment. |
| Each protocol version 2 public key consists of: |
Each protocol version 2 public key consists of: |
| options, keytype, base64 encoded key, comment. |
options, keytype, base64 encoded key, comment. |
| The options field |
The options fields |
| is optional; its presence is determined by whether the line starts |
are optional; its presence is determined by whether the line starts |
| with a number or not (the options field never starts with a number). |
with a number or not (the option field never starts with a number). |
| The bits, exponent, modulus and comment fields give the RSA key for |
The bits, exponent, modulus and comment fields give the RSA key for |
| protocol version 1; the |
protocol version 1; the |
| comment field is not used for anything (but may be convenient for the |
comment field is not used for anything (but may be convenient for the |
|
|
| .Dq ssh-rsa . |
.Dq ssh-rsa . |
| .Pp |
.Pp |
| Note that lines in this file are usually several hundred bytes long |
Note that lines in this file are usually several hundred bytes long |
| (because of the size of the public key encoding). |
(because of the size of the RSA key modulus). |
| You don't want to type them in; instead, copy the |
You don't want to type them in; instead, copy the |
| .Pa identity.pub , |
.Pa identity.pub , |
| .Pa id_dsa.pub |
.Pa id_dsa.pub |
|
|
| that option keywords are case-insensitive): |
that option keywords are case-insensitive): |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Cm from="pattern-list" |
.It Cm from="pattern-list" |
| Specifies that in addition to public key authentication, the canonical name |
Specifies that in addition to RSA authentication, the canonical name |
| of the remote host must be present in the comma-separated list of |
of the remote host must be present in the comma-separated list of |
| patterns |
patterns |
| .Pf ( Ql * |
.Pf ( Ql * |
|
|
| .Ql ! ; |
.Ql ! ; |
| if the canonical host name matches a negated pattern, the key is not accepted. |
if the canonical host name matches a negated pattern, the key is not accepted. |
| The purpose |
The purpose |
| of this option is to optionally increase security: public key authentication |
of this option is to optionally increase security: RSA authentication |
| by itself does not trust the network or name servers or anything (but |
by itself does not trust the network or name servers or anything (but |
| the key); however, if somebody somehow steals the key, the key |
the key); however, if somebody somehow steals the key, the key |
| permits an intruder to log in from anywhere in the world. |
permits an intruder to log in from anywhere in the world. |
|
|
| The command supplied by the user (if any) is ignored. |
The command supplied by the user (if any) is ignored. |
| The command is run on a pty if the client requests a pty; |
The command is run on a pty if the client requests a pty; |
| otherwise it is run without a tty. |
otherwise it is run without a tty. |
| If an 8-bit clean channel is required, |
If a 8-bit clean channel is required, |
| one must not request a pty or should specify |
one must not request a pty or should specify |
| .Cm no-pty . |
.Cm no-pty . |
| A quote may be included in the command by quoting it with a backslash. |
A quote may be included in the command by quoting it with a backslash. |
| This option might be useful |
This option might be useful |
| to restrict certain public keys to perform just a specific operation. |
to restrict certain RSA keys to perform just a specific operation. |
| An example might be a key that permits remote backups but nothing else. |
An example might be a key that permits remote backups but nothing else. |
| Note that the client may specify TCP/IP and/or X11 |
Note that the client may specify TCP/IP and/or X11 |
| forwarding unless they are explicitly prohibited. |
forwarding unless they are explicitly prohibited. |
|
|
| Environment variables set this way |
Environment variables set this way |
| override other default environment values. |
override other default environment values. |
| Multiple options of this type are permitted. |
Multiple options of this type are permitted. |
| Environment processing is disabled by default and is |
|
| controlled via the |
|
| .Cm PermitUserEnvironment |
|
| option. |
|
| This option is automatically disabled if |
This option is automatically disabled if |
| .Cm UseLogin |
.Cm UseLogin |
| is enabled. |
is enabled. |
|
|
| permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
| .Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
| The |
The |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts , |
| and |
and |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| files contain host public keys for all known hosts. |
files contain host public keys for all known hosts. |
|
|
| .It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
| Contains configuration data for |
Contains configuration data for |
| .Nm sshd . |
.Nm sshd . |
| The file format and configuration options are described in |
This file should be writable by root only, but it is recommended |
| .Xr sshd_config 5 . |
(though not necessary) that it be world-readable. |
| .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key |
| These three files contain the private parts of the host keys. |
These three files contain the private parts of the host keys. |
| These files should only be owned by root, readable only by root, and not |
These files should only be owned by root, readable only by root, and not |
|
|
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| .It Pa /etc/moduli |
.It Pa /etc/moduli |
| Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
| The file format is described in |
|
| .Xr moduli 5 . |
|
| .It Pa /var/empty |
|
| .Xr chroot 2 |
|
| directory used by |
|
| .Nm |
|
| during privilege separation in the pre-authentication phase. |
|
| The directory should not contain any files and must be owned by root |
|
| and not group or world-writable. |
|
| .It Pa /var/run/sshd.pid |
.It Pa /var/run/sshd.pid |
| Contains the process ID of the |
Contains the process ID of the |
| .Nm |
.Nm |
| listening for connections (if there are several daemons running |
listening for connections (if there are several daemons running |
| concurrently for different ports, this contains the process ID of the one |
concurrently for different ports, this contains the pid of the one |
| started last). |
started last). |
| The content of this file is not sensitive; it can be world-readable. |
The content of this file is not sensitive; it can be world-readable. |
| .It Pa $HOME/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
|
|
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| should be world-readable, and |
should be world-readable, and |
| .Pa $HOME/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| can, but need not be, world-readable. |
can but need not be world-readable. |
| .It Pa /etc/nologin |
.It Pa /etc/nologin |
| If this file exists, |
If this file exists, |
| .Nm |
.Nm |
|
|
| This file contains host-username pairs, separated by a space, one per |
This file contains host-username pairs, separated by a space, one per |
| line. |
line. |
| The given user on the corresponding host is permitted to log in |
The given user on the corresponding host is permitted to log in |
| without a password. |
without password. |
| The same file is used by rlogind and rshd. |
The same file is used by rlogind and rshd. |
| The file must |
The file must |
| be writable only by the user; it is recommended that it not be |
be writable only by the user; it is recommended that it not be |
|
|
| and assignment lines of the form name=value. |
and assignment lines of the form name=value. |
| The file should be writable |
The file should be writable |
| only by the user; it need not be readable by anyone else. |
only by the user; it need not be readable by anyone else. |
| Environment processing is disabled by default and is |
|
| controlled via the |
|
| .Cm PermitUserEnvironment |
|
| option. |
|
| .It Pa $HOME/.ssh/rc |
.It Pa $HOME/.ssh/rc |
| If this file exists, it is run with |
If this file exists, it is run with /bin/sh after reading the |
| .Pa /bin/sh |
|
| after reading the |
|
| environment files but before starting the user's shell or command. |
environment files but before starting the user's shell or command. |
| It must not produce any output on stdout; stderr must be used |
It must not produce any output on stdout; stderr must be used |
| instead. |
instead. |
|
|
| if read proto cookie && [ -n "$DISPLAY" ]; then |
if read proto cookie && [ -n "$DISPLAY" ]; then |
| if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then |
| # X11UseLocalhost=yes |
# X11UseLocalhost=yes |
| echo add unix:`echo $DISPLAY | |
xauth add unix:`echo $DISPLAY | |
| cut -c11-` $proto $cookie |
cut -c11-` $proto $cookie |
| else |
else |
| # X11UseLocalhost=no |
# X11UseLocalhost=no |
| echo add $DISPLAY $proto $cookie |
xauth add $DISPLAY $proto $cookie |
| fi | xauth -q - |
fi |
| fi |
fi |
| .Ed |
.Ed |
| .Pp |
.Pp |
|
|
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| .Xr login.conf 5 , |
.Xr login.conf 5 , |
| .Xr moduli 5 , |
.Xr moduli 5 , |
| .Xr sshd_config 5 , |
|
| .Xr sftp-server 8 |
.Xr sftp-server 8 |
| .Rs |
.Rs |
| .%A T. Ylonen |
.%A T. Ylonen |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh