.\" version 1.193, 2002/09/24 20:59:44
.\" version 1.193.2.2, 2003/09/16 21:20:29

.Nd OpenSSH SSH daemon
.Sh SYNOPSIS
.Nm sshd

.Bk -words
.Op Fl deiqtD46
.Op Fl b Ar bits
.Op Fl f Ar config_file

.Op Fl o Ar option
.Op Fl p Ar port
.Op Fl u Ar len

.Ek
.Sh DESCRIPTION
.Nm
(SSH Daemon) is the daemon program for

.Nm
supports both SSH protocol version 1 and 2 simultaneously.
.Nm
works as follows:
.Pp
.Ss SSH protocol version 1
.Pp

This key is normally regenerated every hour if it has been used, and
is never stored on disk.
.Pp
Whenever a client connects, the daemon responds with its public
host and server keys.
The client compares the
RSA host key against its own database to verify that it has not changed.

.Nm rshd ,
.Nm rlogind ,
and
.Nm rexecd
are disabled (thus completely disabling
.Xr rlogin
and

log, and does not put itself in the background.
The server also will not fork and will only process one connection.
This option is only intended for debugging the server.
Multiple
.Fl d
options increase the debugging level.
Maximum is 3.
.It Fl e
When this option is specified,

.It Fl i
Specifies that
.Nm
is being run from
.Xr inetd 8 .
.Nm
is normally not run
from inetd because it needs to generate the server key before it can

.Pa utmp
file.
.Fl u0
may also be used to prevent
.Nm
from making DNS requests unless the authentication
mechanism or configuration requires it.
Authentication mechanisms that may require DNS include
.Cm RhostsRSAAuthentication ,
.Cm HostbasedAuthentication
and using a

Specifies that in addition to public key authentication, the canonical name
of the remote host must be present in the comma-separated list of
patterns
.Pf ( Ql \&*
and
.Ql \&?
serve as wildcards).
The list may also contain
patterns negated by prefixing them with
.Ql \&! ;
if the canonical host name matches a negated pattern, the key is not accepted.
The purpose
of this option is to optionally increase security: public key authentication

The command supplied by the user (if any) is ignored.
The command is run on a pty if the client requests a pty;
otherwise it is run without a tty.
If an 8-bit clean channel is required,
one must not request a pty or should specify
.Cm no-pty .
A quote may be included in the command by quoting it with a backslash.

.Ar host/port .
Multiple
.Cm permitopen
options may be applied separated by commas.
No pattern matching is performed on the specified hostnames,
they must be literal domains or addresses.
.El
.Ss Examples
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar

permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323
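.Pp
The option syntax above, as an added example that is not OpenSSH's own code:
a small parser for the options field of an authorized_keys line, handling
the backslash-quoted quote inside command="...", commas inside quoted
values, and the literal (no wildcard, no DNS) comparison that permitopen
requires.
It assumes protocol-1 style lines as in the two examples above; the sample
lines, their placeholder moduli and the host/port separator handling are
this example's own assumptions.

```python
# Added example, not OpenSSH's auth-options.c: parse the options field of an
# authorized_keys line and apply permitopen literally.  Assumes protocol-1
# style lines (options, bits, exponent, modulus, comment) as in the man page.

# Constructed sample lines with short placeholder moduli (the page shows "...").
SAMPLE_LINES = [
    '1024 33 12121312314325 ylo@foo.bar',
    'permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 232323 ylo@foo.bar',
    'command="echo \\"hi\\"",no-pty 1024 33 454545 ylo@foo.bar',
]


def split_options_field(line):
    """Return (options_text, rest).  The options field ends at the first
    whitespace outside double quotes; a leading all-digit token means an
    RSA1 key line without options."""
    line = line.strip()
    if line.split(None, 1)[0].isdigit():
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == '\\' and line[i + 1:i + 2] == '"':
            i += 2                      # escaped quote, not a terminator
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("no key material after options field")


def parse_options(opts):
    """Parse 'name[="value"],...' into (name, value) tuples.  Inside a quoted
    value, backslash-quote is a literal quote (the page's rule for command=)
    and commas do not separate options."""
    result, i, n = [], 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in '=,':
            j += 1
        name, value = opts[i:j], None
        if not name:
            raise ValueError("empty option name at offset %d" % i)
        if j < n and opts[j] == '=':
            if opts[j + 1:j + 2] != '"':
                raise ValueError("option %s: value must be double-quoted" % name)
            j, buf = j + 2, []
            while j < n and opts[j] != '"':
                if opts[j] == '\\' and opts[j + 1:j + 2] == '"':
                    j += 1              # drop the backslash, keep the quote
                buf.append(opts[j])
                j += 1
            if j >= n:
                raise ValueError("option %s: unterminated value" % name)
            j, value = j + 1, ''.join(buf)
        result.append((name, value))
        if j < n and opts[j] != ',':
            raise ValueError("expected ',' after option %s" % name)
        i = j + 1
    return result


def parse_authorized_key(line):
    """Split one line into its options and RSA1 key fields."""
    opts_text, rest = split_options_field(line)
    fields = rest.split(None, 3)
    if len(fields) < 3:
        raise ValueError("expected bits, exponent and modulus")
    bits, exponent, modulus = (int(f) for f in fields[:3])
    return {'options': parse_options(opts_text) if opts_text else [],
            'bits': bits, 'exponent': exponent, 'modulus': modulus,
            'comment': fields[3] if len(fields) == 4 else ''}


def permitopen_allows(options, host, port):
    """True if a forward to host:port is permitted.  No permitopen option
    means unrestricted; otherwise the request must equal an entry literally
    (no wildcards, no DNS).  Splitting on the last ':' or '/' is this
    example's reading of the host/port syntax."""
    targets = [v for name, v in options if name == 'permitopen']
    if not targets:
        return True
    for t in targets:
        sep = max(t.rfind(':'), t.rfind('/'))
        if sep <= 0:
            raise ValueError("malformed permitopen value %r" % t)
        t_host, t_port = t[:sep], t[sep + 1:]
        if t_host == host and t_port.isdigit() and int(t_port) == int(port):
            return True
    return False


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(parse_authorized_key(line))
```

Running the file prints the parsed fields of the three constructed lines.
The point to notice is that a forward to 10.2.1.55 port 443 is refused by
the second line even though that host appears in it, because each
permitopen entry is compared whole.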
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The
.Pa /etc/ssh/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
files contain host public keys for all known hosts.

bits, exponent, modulus, comment.
The fields are separated by spaces.
.Pp
Hostnames is a comma-separated list of patterns
.Pf ( Ql \&*
and
.Ql \&?
act as
wildcards); each pattern in turn is matched against the canonical host
name (when authenticating a client) or against the user-supplied
name (when authenticating a server).
A pattern may also be preceded by
.Ql \&!
to indicate negation: if the host name matches a negated
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
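.Pp
The pattern-list rules above apply both to the hostnames field of a
known_hosts line and to the from="..." key option described earlier.
The following is an added example, not code from OpenSSH: a matcher for the
'*', '?' and '!' rules, and the lookup a client performs to decide whether
a host's RSA key is known, has changed, or is new.
Case-insensitive host comparison and the sample known_hosts content are this
example's assumptions.

```python
# Added example, not OpenSSH's match.c or hostfile.c: the host pattern list
# used both by the from="..." key option and by the hostnames field of a
# known_hosts line, plus the "has the host key changed?" lookup the page
# describes.  Hostname matching is treated as case-insensitive here, an
# assumption; the known_hosts text below is constructed.

# Constructed sample known_hosts content (RSA1 lines: hostnames, bits,
# exponent, modulus, comment); the moduli are short placeholders.
KNOWN_HOSTS = """\
# constructed sample, not a real file
*.lab.example,!evil.lab.example 1024 35 73651287 lab hosts
bastion.example,10.0.0.1 1024 35 99881122 bastion
"""


def match_pattern(name, pattern):
    """Glob match where '*' matches any run of characters (possibly empty)
    and '?' exactly one; every other character is literal."""
    i = j = 0
    star, mark = -1, 0              # last '*' seen and where it began matching
    while i < len(name):
        if j < len(pattern) and pattern[j] == '*':
            star, j, mark = j, j + 1, i
        elif j < len(pattern) and pattern[j] in ('?', name[i]):
            i, j = i + 1, j + 1
        elif star != -1:
            mark += 1               # let the last '*' absorb one more char
            i, j = mark, star + 1
        else:
            return False
    while j < len(pattern) and pattern[j] == '*':
        j += 1
    return j == len(pattern)


def match_host_list(host, patterns):
    """Apply a comma-separated pattern list the way the page describes: a
    matching negated ('!') pattern rejects the host even if another pattern
    matched; otherwise accept iff some positive pattern matched.  A list
    of only negated patterns therefore never accepts anything."""
    host = host.lower()
    matched = False
    for pat in patterns.split(','):
        pat = pat.strip().lower()
        if not pat:
            continue
        negated = pat.startswith('!')
        if match_pattern(host, pat[1:] if negated else pat):
            if negated:
                return False
            matched = True
    return matched


def parse_known_hosts_line(line):
    """Split an RSA1 known_hosts line into its five fields."""
    fields = line.split(None, 4)
    if len(fields) < 4:
        raise ValueError("expected hostnames, bits, exponent, modulus")
    return {'hostnames': fields[0], 'bits': int(fields[1]),
            'exponent': int(fields[2]), 'modulus': int(fields[3]),
            'comment': fields[4] if len(fields) == 5 else ''}


def check_host_key(host, key, known_hosts_text):
    """Compare the key a server presented, as (bits, exponent, modulus),
    against every line whose pattern list accepts host: 'OK' if one of them
    carries this key, 'CHANGED' if lines accept the host but none carries
    it, 'NEW' if no line accepts the host at all."""
    accepted_by_some_line = False
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        entry = parse_known_hosts_line(line)
        if not match_host_list(host, entry['hostnames']):
            continue
        accepted_by_some_line = True
        if (entry['bits'], entry['exponent'], entry['modulus']) == tuple(key):
            return 'OK'
    return 'CHANGED' if accepted_by_some_line else 'NEW'


if __name__ == '__main__':
    for h in ('web.lab.example', 'evil.lab.example', '10.0.0.1'):
        print(h, check_host_key(h, (1024, 35, 73651287), KNOWN_HOSTS))
```

Note the two outcomes a negated pattern produces: evil.lab.example is
rejected by the first line even though *.lab.example matches it, so its
key is reported as NEW rather than OK, and a line consisting only of
negated patterns accepts no host at all.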

.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
.Pa $HOME/.ssh/known_hosts
can, but need not be, world-readable.
.It Pa /etc/nologin
If this file exists,
.Nm

This file contains host-username pairs, separated by a space, one per
line.
The given user on the corresponding host is permitted to log in
without a password.
The same file is used by rlogind and rshd.
The file must
be writable only by the user; it is recommended that it not be

.Cm PermitUserEnvironment
option.
.It Pa $HOME/.ssh/rc
If this file exists, it is run with
.Pa /bin/sh
after reading the
environment files but before starting the user's shell or command.
It must not produce any output on stdout; stderr must be used
instead.

machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.
.El
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,

.%D January 2002
.%O work in progress material
.Re
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
Niels Provos and Markus Friedl contributed support
for privilege separation.