| version 1.194.2.2, 2004/03/04 18:18:17 |
version 1.195, 2003/04/30 01:16:20 |
|
|
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm sshd |
.Nm sshd |
| .Bk -words |
.Bk -words |
| .Op Fl 46Ddeiqt |
.Op Fl deiqtD46 |
| .Op Fl b Ar bits |
.Op Fl b Ar bits |
| .Op Fl f Ar config_file |
.Op Fl f Ar config_file |
| .Op Fl g Ar login_grace_time |
.Op Fl g Ar login_grace_time |
|
|
| supports both SSH protocol version 1 and 2 simultaneously. |
supports both SSH protocol version 1 and 2 simultaneously. |
| .Nm |
.Nm |
| works as follows: |
works as follows: |
| |
.Pp |
| .Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
| |
.Pp |
| Each host has a host-specific RSA key |
Each host has a host-specific RSA key |
| (normally 1024 bits) used to identify the host. |
(normally 1024 bits) used to identify the host. |
| Additionally, when |
Additionally, when |
|
|
| host and server keys. |
host and server keys. |
| The client compares the |
The client compares the |
| RSA host key against its own database to verify that it has not changed. |
RSA host key against its own database to verify that it has not changed. |
| The client then generates a 256-bit random number. |
The client then generates a 256 bit random number. |
| It encrypts this |
It encrypts this |
| random number using both the host key and the server key, and sends |
random number using both the host key and the server key, and sends |
| the encrypted number to the server. |
the encrypted number to the server. |
|
|
| .Pp |
.Pp |
| Next, the server and the client enter an authentication dialog. |
Next, the server and the client enter an authentication dialog. |
| The client tries to authenticate itself using |
The client tries to authenticate itself using |
| .Em rhosts |
.Pa .rhosts |
| authentication, |
authentication, |
| .Em rhosts |
.Pa .rhosts |
| authentication combined with RSA host |
authentication combined with RSA host |
| authentication, RSA challenge-response authentication, or password |
authentication, RSA challenge-response authentication, or password |
| based authentication. |
based authentication. |
| .Pp |
.Pp |
| .Em rhosts |
Rhosts authentication is normally disabled |
| authentication is normally disabled |
|
| because it is fundamentally insecure, but can be enabled in the server |
because it is fundamentally insecure, but can be enabled in the server |
| configuration file if desired. |
configuration file if desired. |
| System security is not improved unless |
System security is not improved unless |
|
|
| and |
and |
| .Xr rsh |
.Xr rsh |
| into the machine). |
into the machine). |
| |
.Pp |
| .Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
| |
.Pp |
| Version 2 works similarly: |
Version 2 works similarly: |
| Each host has a host-specific key (RSA or DSA) used to identify the host. |
Each host has a host-specific key (RSA or DSA) used to identify the host. |
| However, when the daemon starts, it does not generate a server key. |
However, when the daemon starts, it does not generate a server key. |
|
|
| This key agreement results in a shared session key. |
This key agreement results in a shared session key. |
| .Pp |
.Pp |
| The rest of the session is encrypted using a symmetric cipher, currently |
The rest of the session is encrypted using a symmetric cipher, currently |
| 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. |
128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. |
| The client selects the encryption algorithm |
The client selects the encryption algorithm |
| to use from those offered by the server. |
to use from those offered by the server. |
| Additionally, session integrity is provided |
Additionally, session integrity is provided |
|
|
| user (PubkeyAuthentication) or |
user (PubkeyAuthentication) or |
| client host (HostbasedAuthentication) authentication method, |
client host (HostbasedAuthentication) authentication method, |
| conventional password authentication and challenge response based methods. |
conventional password authentication and challenge response based methods. |
| |
.Pp |
| .Ss Command execution and data forwarding |
.Ss Command execution and data forwarding |
| |
.Pp |
| If the client successfully authenticates itself, a dialog for |
If the client successfully authenticates itself, a dialog for |
| preparing the session is entered. |
preparing the session is entered. |
| At this time the client may request |
At this time the client may request |
|
|
| the client, and both sides exit. |
the client, and both sides exit. |
| .Pp |
.Pp |
| .Nm |
.Nm |
| can be configured using command-line options or a configuration file |
can be configured using command-line options or a configuration |
| (by default |
file. |
| .Xr sshd_config 5 ) . |
|
| Command-line options override values specified in the |
Command-line options override values specified in the |
| configuration file. |
configuration file. |
| .Pp |
.Pp |
|
|
| .Pp |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl 4 |
|
| Forces |
|
| .Nm |
|
| to use IPv4 addresses only. |
|
| .It Fl 6 |
|
| Forces |
|
| .Nm |
|
| to use IPv6 addresses only. |
|
| .It Fl b Ar bits |
.It Fl b Ar bits |
| Specifies the number of bits in the ephemeral protocol version 1 |
Specifies the number of bits in the ephemeral protocol version 1 |
| server key (default 768). |
server key (default 768). |
| .It Fl D |
|
| When this option is specified, |
|
| .Nm |
|
| will not detach and does not become a daemon. |
|
| This allows easy monitoring of |
|
| .Nm sshd . |
|
| .It Fl d |
.It Fl d |
| Debug mode. |
Debug mode. |
| The server sends verbose debug output to the system |
The server sends verbose debug output to the system |
|
|
| Specifies how often the ephemeral protocol version 1 server key is |
Specifies how often the ephemeral protocol version 1 server key is |
| regenerated (default 3600 seconds, or one hour). |
regenerated (default 3600 seconds, or one hour). |
| The motivation for regenerating the key fairly |
The motivation for regenerating the key fairly |
| often is that the key is not stored anywhere, and after about an hour |
often is that the key is not stored anywhere, and after about an hour, |
| it becomes impossible to recover the key for decrypting intercepted |
it becomes impossible to recover the key for decrypting intercepted |
| communications even if the machine is cracked into or physically |
communications even if the machine is cracked into or physically |
| seized. |
seized. |
|
|
| Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
| This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
| command-line flag. |
command-line flag. |
| For full details of the options, and their values, see |
|
| .Xr sshd_config 5 . |
|
| .It Fl p Ar port |
.It Fl p Ar port |
| Specifies the port on which the server listens for connections |
Specifies the port on which the server listens for connections |
| (default 22). |
(default 22). |
|
|
| from making DNS requests unless the authentication |
from making DNS requests unless the authentication |
| mechanism or configuration requires it. |
mechanism or configuration requires it. |
| Authentication mechanisms that may require DNS include |
Authentication mechanisms that may require DNS include |
| |
.Cm RhostsAuthentication , |
| .Cm RhostsRSAAuthentication , |
.Cm RhostsRSAAuthentication , |
| .Cm HostbasedAuthentication |
.Cm HostbasedAuthentication |
| and using a |
and using a |
|
|
| .Cm AllowUsers |
.Cm AllowUsers |
| or |
or |
| .Cm DenyUsers . |
.Cm DenyUsers . |
| |
.It Fl D |
| |
When this option is specified |
| |
.Nm |
| |
will not detach and does not become a daemon. |
| |
This allows easy monitoring of |
| |
.Nm sshd . |
| |
.It Fl 4 |
| |
Forces |
| |
.Nm |
| |
to use IPv4 addresses only. |
| |
.It Fl 6 |
| |
Forces |
| |
.Nm |
| |
to use IPv6 addresses only. |
| .El |
.El |
| .Sh CONFIGURATION FILE |
.Sh CONFIGURATION FILE |
| .Nm |
.Nm |
|
|
| .It |
.It |
| Sets up basic environment. |
Sets up basic environment. |
| .It |
.It |
| Reads the file |
Reads |
| .Pa $HOME/.ssh/environment , |
.Pa $HOME/.ssh/environment |
| if it exists, and users are allowed to change their environment. |
if it exists and users are allowed to change their environment. |
| See the |
See the |
| .Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
| option in |
option in |
|
|
| Specifies that in addition to public key authentication, the canonical name |
Specifies that in addition to public key authentication, the canonical name |
| of the remote host must be present in the comma-separated list of |
of the remote host must be present in the comma-separated list of |
| patterns |
patterns |
| .Pf ( Ql \&* |
.Pf ( |
| |
.Ql \&* |
| and |
and |
| .Ql \&? |
.Ql \&? |
| serve as wildcards). |
serve as wildcards). |
|
|
| port forwarding such that it may only connect to the specified host and |
port forwarding such that it may only connect to the specified host and |
| port. |
port. |
| IPv6 addresses can be specified with an alternative syntax: |
IPv6 addresses can be specified with an alternative syntax: |
| .Ar host Ns / Ns Ar port . |
.Ar host/port . |
| Multiple |
Multiple |
| .Cm permitopen |
.Cm permitopen |
| options may be applied separated by commas. |
options may be applied separated by commas. No pattern matching is |
| No pattern matching is performed on the specified hostnames, |
performed on the specified hostnames, they must be literal domains or |
| they must be literal domains or addresses. |
addresses. |
| .El |
.El |
| .Ss Examples |
.Ss Examples |
| 1024 33 12121...312314325 ylo@foo.bar |
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
| .Pp |
.Pp |
| from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
| .Pp |
.Pp |
| command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi |
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
| .Pp |
.Pp |
| permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
| .Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
| The |
The |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
|
|
| bits, exponent, modulus, comment. |
bits, exponent, modulus, comment. |
| The fields are separated by spaces. |
The fields are separated by spaces. |
| .Pp |
.Pp |
| Hostnames is a comma-separated list of patterns |
Hostnames is a comma-separated list of patterns ( |
| .Pf ( Ql \&* |
.Ql \&* |
| and |
and |
| .Ql \&? |
.Ql \&? |
| act as |
act as |
| wildcards); each pattern in turn is matched against the canonical host |
wildcards); each pattern in turn is matched against the canonical host |
| name (when authenticating a client) or against the user-supplied |
name (when authenticating a client) or against the user-supplied |
|
|
| and adding the host names at the front. |
and adding the host names at the front. |
| .Ss Examples |
.Ss Examples |
| .Bd -literal |
.Bd -literal |
| closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi |
| cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
| .Ed |
.Ed |
| .Sh FILES |
.Sh FILES |
|
|
| .Pa id_rsa.pub |
.Pa id_rsa.pub |
| files into this file, as described in |
files into this file, as described in |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| .It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" |
.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts" |
| These files are consulted when using rhosts with RSA host |
These files are consulted when using rhosts with RSA host |
| authentication or protocol version 2 hostbased authentication |
authentication or protocol version 2 hostbased authentication |
| to check the public key of the host. |
to check the public key of the host. |
|
|
| be writable only by the user; it is recommended that it not be |
be writable only by the user; it is recommended that it not be |
| accessible by others. |
accessible by others. |
| .Pp |
.Pp |
| It is also possible to use netgroups in the file. |
If is also possible to use netgroups in the file. |
| Either host or user |
Either host or user |
| name may be of the form +@groupname to specify all hosts or all users |
name may be of the form +@groupname to specify all hosts or all users |
| in the group. |
in the group. |
|
|
| not used by rlogin and rshd, so using this permits access using SSH only. |
not used by rlogin and rshd, so using this permits access using SSH only. |
| .It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
| This file is used during |
This file is used during |
| .Em rhosts |
.Pa .rhosts |
| authentication. |
authentication. |
| In the simplest form, this file contains host names, one per line. |
In the simplest form, this file contains host names, one per line. |
| Users on |
Users on |
|
|
| machine-specific login-time initializations globally. |
machine-specific login-time initializations globally. |
| This file should be writable only by root, and should be world-readable. |
This file should be writable only by root, and should be world-readable. |
| .El |
.El |
| |
.Sh AUTHORS |
| |
OpenSSH is a derivative of the original and free |
| |
ssh 1.2.12 release by Tatu Ylonen. |
| |
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
| |
Theo de Raadt and Dug Song |
| |
removed many bugs, re-added newer features and |
| |
created OpenSSH. |
| |
Markus Friedl contributed the support for SSH |
| |
protocol versions 1.5 and 2.0. |
| |
Niels Provos and Markus Friedl contributed support |
| |
for privilege separation. |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr scp 1 , |
.Xr scp 1 , |
| .Xr sftp 1 , |
.Xr sftp 1 , |
|
|
| .Xr ssh-add 1 , |
.Xr ssh-add 1 , |
| .Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
| .Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
| .Xr chroot 2 , |
|
| .Xr hosts_access 5 , |
|
| .Xr login.conf 5 , |
.Xr login.conf 5 , |
| .Xr moduli 5 , |
.Xr moduli 5 , |
| .Xr sshd_config 5 , |
.Xr sshd_config 5 , |
| .Xr inetd 8 , |
|
| .Xr sftp-server 8 |
.Xr sftp-server 8 |
| .Rs |
.Rs |
| .%A T. Ylonen |
.%A T. Ylonen |
|
|
| .%D January 2002 |
.%D January 2002 |
| .%O work in progress material |
.%O work in progress material |
| .Re |
.Re |
| .Sh AUTHORS |
|
| OpenSSH is a derivative of the original and free |
|
| ssh 1.2.12 release by Tatu Ylonen. |
|
| Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, |
|
| Theo de Raadt and Dug Song |
|
| removed many bugs, re-added newer features and |
|
| created OpenSSH. |
|
| Markus Friedl contributed the support for SSH |
|
| protocol versions 1.5 and 2.0. |
|
| Niels Provos and Markus Friedl contributed support |
|
| for privilege separation. |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh