version 1.199, 2003/08/13 08:46:31 |
version 1.200, 2003/10/08 08:27:36 |
|
|
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm sshd |
.Nm sshd |
.Bk -words |
.Bk -words |
.Op Fl deiqtD46 |
.Op Fl 46Ddeiqt |
.Op Fl b Ar bits |
.Op Fl b Ar bits |
.Op Fl f Ar config_file |
.Op Fl f Ar config_file |
.Op Fl g Ar login_grace_time |
.Op Fl g Ar login_grace_time |
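Review bot: the synopsis flag string is resorted from deiqtD46 to 46Ddeiqt (digits first, then upper case before lower case), which is the order mdoc lint expects; the option list must follow the same order for this to be consistent, and the change does relocate the -4, -6 and -D entries to the head of that list, so synopsis and list agree.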
|
|
supports both SSH protocol version 1 and 2 simultaneously. |
supports both SSH protocol version 1 and 2 simultaneously. |
.Nm |
.Nm |
works as follows: |
works as follows: |
.Pp |
|
.Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
.Pp |
|
Each host has a host-specific RSA key |
Each host has a host-specific RSA key |
(normally 1024 bits) used to identify the host. |
(normally 1024 bits) used to identify the host. |
Additionally, when |
Additionally, when |
|
|
host and server keys. |
host and server keys. |
The client compares the |
The client compares the |
RSA host key against its own database to verify that it has not changed. |
RSA host key against its own database to verify that it has not changed. |
The client then generates a 256 bit random number. |
The client then generates a 256-bit random number. |
It encrypts this |
It encrypts this |
random number using both the host key and the server key, and sends |
random number using both the host key and the server key, and sends |
the encrypted number to the server. |
the encrypted number to the server. |
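Review bot: dropping the .Pp before and after '.Ss SSH protocol version 1' is correct; a subsection header already starts a new paragraph, and the extra .Pp only produced a stray blank line. The hyphen in '256-bit random number' (compound adjective) matches the 128-bit, 192-bit and 256-bit forms introduced in the protocol 2 paragraph, while 'normally 1024 bits' is a noun phrase and is correctly left unhyphenated.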
|
|
.Pp |
.Pp |
Next, the server and the client enter an authentication dialog. |
Next, the server and the client enter an authentication dialog. |
The client tries to authenticate itself using |
The client tries to authenticate itself using |
.Pa .rhosts |
.Em rhosts |
authentication, |
authentication, |
.Pa .rhosts |
.Em rhosts |
authentication combined with RSA host |
authentication combined with RSA host |
authentication, RSA challenge-response authentication, or password |
authentication, RSA challenge-response authentication, or password |
based authentication. |
based authentication. |
.Pp |
.Pp |
Rhosts authentication is normally disabled |
.Em rhosts |
|
authentication is normally disabled |
because it is fundamentally insecure, but can be enabled in the server |
because it is fundamentally insecure, but can be enabled in the server |
configuration file if desired. |
configuration file if desired. |
System security is not improved unless |
System security is not improved unless |
|
|
and |
and |
.Xr rsh |
.Xr rsh |
into the machine). |
into the machine). |
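Review bot: .Em rhosts is the right macro here; the text names an authentication method, not a file, and that method is driven by /etc/hosts.equiv as well as by per-user .rhosts files (see the FILES entry), so .Pa .rhosts was misleading. Splitting 'Rhosts authentication is normally disabled' into the macro line '.Em rhosts' followed by 'authentication is normally disabled' also keeps the one-sentence-per-line mdoc style. The same substitution appears in the /etc/hosts.equiv entry of FILES, so the two sections stay consistent.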
.Pp |
|
.Ss SSH protocol version 2 |
.Ss SSH protocol version 2 |
.Pp |
|
Version 2 works similarly: |
Version 2 works similarly: |
Each host has a host-specific key (RSA or DSA) used to identify the host. |
Each host has a host-specific key (RSA or DSA) used to identify the host. |
However, when the daemon starts, it does not generate a server key. |
However, when the daemon starts, it does not generate a server key. |
|
|
This key agreement results in a shared session key. |
This key agreement results in a shared session key. |
.Pp |
.Pp |
The rest of the session is encrypted using a symmetric cipher, currently |
The rest of the session is encrypted using a symmetric cipher, currently |
128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. |
128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. |
The client selects the encryption algorithm |
The client selects the encryption algorithm |
to use from those offered by the server. |
to use from those offered by the server. |
Additionally, session integrity is provided |
Additionally, session integrity is provided |
|
|
user (PubkeyAuthentication) or |
user (PubkeyAuthentication) or |
client host (HostbasedAuthentication) authentication method, |
client host (HostbasedAuthentication) authentication method, |
conventional password authentication and challenge response based methods. |
conventional password authentication and challenge response based methods. |
.Pp |
|
.Ss Command execution and data forwarding |
.Ss Command execution and data forwarding |
.Pp |
|
If the client successfully authenticates itself, a dialog for |
If the client successfully authenticates itself, a dialog for |
preparing the session is entered. |
preparing the session is entered. |
At this time the client may request |
At this time the client may request |
|
|
the client, and both sides exit. |
the client, and both sides exit. |
.Pp |
.Pp |
.Nm |
.Nm |
can be configured using command-line options or a configuration |
can be configured using command-line options or a configuration file |
file. |
(by default |
|
.Xr sshd_config 5 ) . |
Command-line options override values specified in the |
Command-line options override values specified in the |
configuration file. |
configuration file. |
.Pp |
.Pp |
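Review bot: the added '(by default .Xr sshd_config 5 )' tells the reader where to look, but .Xr refers to a manual page rather than to the file that '-f config_file' in the synopsis replaces; consider naming the default path with .Pa as well and keeping the .Xr as the pointer to the option reference. Giving ') .' as separate macro arguments is the correct way to get the closing punctuation rendered outside the cross-reference font.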
|
|
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
|
.It Fl 4 |
|
Forces |
|
.Nm |
|
to use IPv4 addresses only. |
|
.It Fl 6 |
|
Forces |
|
.Nm |
|
to use IPv6 addresses only. |
.It Fl b Ar bits |
.It Fl b Ar bits |
Specifies the number of bits in the ephemeral protocol version 1 |
Specifies the number of bits in the ephemeral protocol version 1 |
server key (default 768). |
server key (default 768). |
|
.It Fl D |
|
When this option is specified, |
|
.Nm |
|
will not detach and does not become a daemon. |
|
This allows easy monitoring of |
|
.Nm sshd . |
.It Fl d |
.It Fl d |
Debug mode. |
Debug mode. |
The server sends verbose debug output to the system |
The server sends verbose debug output to the system |
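Review bot: the -4, -6 and -D entries are moved to the head of the list to match the resorted synopsis, and their text is carried over unchanged apart from a comma added after 'When this option is specified'. While the -D entry is being touched, 'will not detach and does not become a daemon' mixes tenses; 'does not detach and does not become a daemon' reads more cleanly and matches the present tense of the neighbouring entries.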
|
|
Specifies how often the ephemeral protocol version 1 server key is |
Specifies how often the ephemeral protocol version 1 server key is |
regenerated (default 3600 seconds, or one hour). |
regenerated (default 3600 seconds, or one hour). |
The motivation for regenerating the key fairly |
The motivation for regenerating the key fairly |
often is that the key is not stored anywhere, and after about an hour, |
often is that the key is not stored anywhere, and after about an hour |
it becomes impossible to recover the key for decrypting intercepted |
it becomes impossible to recover the key for decrypting intercepted |
communications even if the machine is cracked into or physically |
communications even if the machine is cracked into or physically |
seized. |
seized. |
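Review bot: dropping the comma in 'after about an hour, it becomes impossible' is fine. This rationale sentence is the security-relevant part of the entry (the ephemeral protocol 1 server key 'is not stored anywhere', so recorded traffic cannot be decrypted once the key has been regenerated, even by someone who later obtains the machine); 'cracked into' is informal for a manual page, and 'compromised' would say the same thing in the register used elsewhere in the document.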
|
|
Can be used to give options in the format used in the configuration file. |
Can be used to give options in the format used in the configuration file. |
This is useful for specifying options for which there is no separate |
This is useful for specifying options for which there is no separate |
command-line flag. |
command-line flag. |
|
For full details of the options, and their values, see |
|
.Xr sshd_config 5 . |
.It Fl p Ar port |
.It Fl p Ar port |
Specifies the port on which the server listens for connections |
Specifies the port on which the server listens for connections |
(default 22). |
(default 22). |
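Review bot: the new sentence 'For full details of the options, and their values, see .Xr sshd_config 5 .' carries a spurious comma; 'For full details of the options and their values, see' is the intended reading. The pointer itself is useful, since -o accepts any keyword in the configuration file format and the manual cannot repeat them all here.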
|
|
.Cm AllowUsers |
.Cm AllowUsers |
or |
or |
.Cm DenyUsers . |
.Cm DenyUsers . |
.It Fl D |
|
When this option is specified |
|
.Nm |
|
will not detach and does not become a daemon. |
|
This allows easy monitoring of |
|
.Nm sshd . |
|
.It Fl 4 |
|
Forces |
|
.Nm |
|
to use IPv4 addresses only. |
|
.It Fl 6 |
|
Forces |
|
.Nm |
|
to use IPv6 addresses only. |
|
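Review bot: these are the old copies of the -D, -4 and -6 entries, deleted from the tail of the list after being reinserted in sorted order above; the wording is identical apart from the comma added to the -D entry in its new position, so no text is lost by this removal.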
.El |
.El |
.Sh CONFIGURATION FILE |
.Sh CONFIGURATION FILE |
.Nm |
.Nm |
|
|
.It |
.It |
Sets up basic environment. |
Sets up basic environment. |
.It |
.It |
Reads |
Reads the file |
.Pa $HOME/.ssh/environment |
.Pa $HOME/.ssh/environment , |
if it exists and users are allowed to change their environment. |
if it exists, and users are allowed to change their environment. |
See the |
See the |
.Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
option in |
option in |
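Review bot: the rewritten sentence 'Reads the file $HOME/.ssh/environment, if it exists, and users are allowed to change their environment.' now reads as two separate statements (the daemon reads the file; users are allowed to change their environment), whereas both conditions must hold before the file is read. Because this gates a user-controlled file that alters the session environment, the conjunction should be unambiguous, e.g. 'Reads the file $HOME/.ssh/environment if it exists and users are allowed to change their environment (see the PermitUserEnvironment option in sshd_config(5)).' Passing the comma as a separate argument after .Pa is correct mdoc punctuation handling; it is the comma itself that misleads here.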
|
|
port forwarding such that it may only connect to the specified host and |
port forwarding such that it may only connect to the specified host and |
port. |
port. |
IPv6 addresses can be specified with an alternative syntax: |
IPv6 addresses can be specified with an alternative syntax: |
.Ar host/port . |
.Ar host Ns / Ns Ar port . |
Multiple |
Multiple |
.Cm permitopen |
.Cm permitopen |
options may be applied separated by commas. |
options may be applied separated by commas. |
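Review bot: '.Ar host Ns / Ns Ar port' renders the same host/port as before but marks host and port as separate arguments, which is the proper mdoc form. The sentence 'IPv6 addresses can be specified with an alternative syntax' would serve the reader better if it said why the slash form exists: an IPv6 address already contains colons, so the usual host:port form is ambiguous; a half-sentence to that effect is worth adding while this line is being touched.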
|
|
they must be literal domains or addresses. |
they must be literal domains or addresses. |
.El |
.El |
.Ss Examples |
.Ss Examples |
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
1024 33 12121...312314325 ylo@foo.bar |
.Pp |
.Pp |
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula |
.Pp |
.Pp |
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi |
.Pp |
.Pp |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 |
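Review bot: replacing the roff ellipsis '.\|.\|.\|' with a literal '...' in the key examples changes only the rendering and makes the source easier to read; the same substitution in the .Bd -literal block of the SSH_KNOWN_HOSTS section below is consistent with it. Visible in this hunk but not part of the change: the permitopen example is the only one of the four without a trailing comment field, unlike the 'ylo@foo.bar', 'ylo@niksula' and 'backup.hut.fi' lines, and adding one would keep the examples parallel.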
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
The |
The |
.Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
|
|
and adding the host names at the front. |
and adding the host names at the front. |
.Ss Examples |
.Ss Examples |
.Bd -literal |
.Bd -literal |
closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi |
closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
.Ed |
.Ed |
.Sh FILES |
.Sh FILES |
|
|
.Pa id_rsa.pub |
.Pa id_rsa.pub |
files into this file, as described in |
files into this file, as described in |
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts" |
.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" |
These files are consulted when using rhosts with RSA host |
These files are consulted when using rhosts with RSA host |
authentication or protocol version 2 hostbased authentication |
authentication or protocol version 2 hostbased authentication |
to check the public key of the host. |
to check the public key of the host. |
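Review bot: in '.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"' the comma is attached to the closing quote of the first argument rather than given as its own argument; mdoc only treats punctuation as trailing punctuation (rendered in the normal font) when it is a separate word, so '.It Pa "/etc/ssh/ssh_known_hosts" , "$HOME/.ssh/known_hosts"' is the safer form. Dropping the bare 'and', which the old line passed to .Pa as though it were a path, is an improvement either way.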
|
|
be writable only by the user; it is recommended that it not be |
be writable only by the user; it is recommended that it not be |
accessible by others. |
accessible by others. |
.Pp |
.Pp |
If is also possible to use netgroups in the file. |
It is also possible to use netgroups in the file. |
Either host or user |
Either host or user |
name may be of the form +@groupname to specify all hosts or all users |
name may be of the form +@groupname to specify all hosts or all users |
in the group. |
in the group. |
|
|
not used by rlogin and rshd, so using this permits access using SSH only. |
not used by rlogin and rshd, so using this permits access using SSH only. |
.It Pa /etc/hosts.equiv |
.It Pa /etc/hosts.equiv |
This file is used during |
This file is used during |
.Pa .rhosts |
.Em rhosts |
authentication. |
authentication. |
In the simplest form, this file contains host names, one per line. |
In the simplest form, this file contains host names, one per line. |
Users on |
Users on |
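Review bot: the .Em rhosts substitution here matches the one made in the DESCRIPTION section, so the method name is now styled consistently. The old .Pa .rhosts at least hinted at the per-user file; now that the entry names only the method, it is worth stating in the same entry that the per-user .rhosts file is consulted alongside /etc/hosts.equiv, otherwise a reader may take hosts.equiv to be the only input to this method.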
|
|
.Xr ssh-add 1 , |
.Xr ssh-add 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
.Xr ssh-keygen 1 , |
.Xr ssh-keygen 1 , |
|
.Xr chroot 2 , |
|
.Xr hosts_access 5 , |
.Xr login.conf 5 , |
.Xr login.conf 5 , |
.Xr moduli 5 , |
.Xr moduli 5 , |
.Xr sshd_config 5 , |
.Xr sshd_config 5 , |
|
.Xr inetd 8 , |
.Xr sftp-server 8 |
.Xr sftp-server 8 |
.Rs |
.Rs |
.%A T. Ylonen |
.%A T. Ylonen |
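Review bot: hosts_access(5) is dropped from SEE ALSO while chroot(2) and inetd(8) are added; inetd(8) is justified by the -i flag in the synopsis, but removing the hosts_access cross-reference should go together with removing the corresponding TCP wrappers text from the body, and adding chroot(2) should go together with a body passage that actually discusses chroot, otherwise the list and the text drift apart. Check both before merging.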