| version 1.202.2.2, 2005/09/02 03:45:01 |
version 1.203, 2004/12/06 11:41:03 |
|
|
| works as follows: |
works as follows: |
| .Ss SSH protocol version 1 |
.Ss SSH protocol version 1 |
| Each host has a host-specific RSA key |
Each host has a host-specific RSA key |
| (normally 2048 bits) used to identify the host. |
(normally 1024 bits) used to identify the host. |
| Additionally, when |
Additionally, when |
| the daemon starts, it generates a server RSA key (normally 768 bits). |
the daemon starts, it generates a server RSA key (normally 768 bits). |
| This key is normally regenerated every hour if it has been used, and |
This key is normally regenerated every hour if it has been used, and |
|
|
| prints last login time and |
prints last login time and |
| .Pa /etc/motd |
.Pa /etc/motd |
| (unless prevented in the configuration file or by |
(unless prevented in the configuration file or by |
| .Pa ~/.hushlogin ; |
.Pa $HOME/.hushlogin ; |
| see the |
see the |
| .Sx FILES |
.Sx FILES |
| section). |
section). |
|
|
| Sets up basic environment. |
Sets up basic environment. |
| .It |
.It |
| Reads the file |
Reads the file |
| .Pa ~/.ssh/environment , |
.Pa $HOME/.ssh/environment , |
| if it exists, and users are allowed to change their environment. |
if it exists, and users are allowed to change their environment. |
| See the |
See the |
| .Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
|
|
| Changes to user's home directory. |
Changes to user's home directory. |
| .It |
.It |
| If |
If |
| .Pa ~/.ssh/rc |
.Pa $HOME/.ssh/rc |
| exists, runs it; else if |
exists, runs it; else if |
| .Pa /etc/ssh/sshrc |
.Pa /etc/ssh/sshrc |
| exists, runs |
exists, runs |
|
|
| Runs user's shell or command. |
Runs user's shell or command. |
| .El |
.El |
| .Sh AUTHORIZED_KEYS FILE FORMAT |
.Sh AUTHORIZED_KEYS FILE FORMAT |
| .Pa ~/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| is the default file that lists the public keys that are |
is the default file that lists the public keys that are |
| permitted for RSA authentication in protocol version 1 |
permitted for RSA authentication in protocol version 1 |
| and for public key authentication (PubkeyAuthentication) |
and for public key authentication (PubkeyAuthentication) |
|
|
| The |
The |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| and |
and |
| .Pa ~/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| files contain host public keys for all known hosts. |
files contain host public keys for all known hosts. |
| The global file should |
The global file should |
| be prepared by the administrator (optional), and the per-user file is |
be prepared by the administrator (optional), and the per-user file is |
|
|
| pattern, it is not accepted (by that line) even if it matched another |
pattern, it is not accepted (by that line) even if it matched another |
| pattern on the line. |
pattern on the line. |
| .Pp |
.Pp |
| Alternately, hostnames may be stored in a hashed form which hides host names |
|
| and addresses should the file's contents be disclosed. |
|
| Hashed hostnames start with a |
|
| .Ql | |
|
| character. |
|
| Only one hashed hostname may appear on a single line and none of the above |
|
| negation or wildcard operators may be applied. |
|
| .Pp |
|
| Bits, exponent, and modulus are taken directly from the RSA host key; they |
Bits, exponent, and modulus are taken directly from the RSA host key; they |
| can be obtained, e.g., from |
can be obtained, e.g., from |
| .Pa /etc/ssh/ssh_host_key.pub . |
.Pa /etc/ssh/ssh_host_key.pub . |
|
|
| closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi |
| cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= |
| .Ed |
.Ed |
| .Bd -literal |
|
| # A hashed hostname |
|
| |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa |
|
| AAAA1234.....= |
|
| .Ed |
|
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa /etc/ssh/sshd_config |
.It Pa /etc/ssh/sshd_config |
|
|
| concurrently for different ports, this contains the process ID of the one |
concurrently for different ports, this contains the process ID of the one |
| started last). |
started last). |
| The content of this file is not sensitive; it can be world-readable. |
The content of this file is not sensitive; it can be world-readable. |
| .It Pa ~/.ssh/authorized_keys |
.It Pa $HOME/.ssh/authorized_keys |
| Lists the public keys (RSA or DSA) that can be used to log into the user's account. |
Lists the public keys (RSA or DSA) that can be used to log into the user's account. |
| This file must be readable by root (which may on some machines imply |
This file must be readable by root (which may on some machines imply |
| it being world-readable if the user's home directory resides on an NFS |
it being world-readable if the user's home directory resides on an NFS |
|
|
| .Pa id_rsa.pub |
.Pa id_rsa.pub |
| files into this file, as described in |
files into this file, as described in |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| .It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts" |
.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" |
| These files are consulted when using rhosts with RSA host |
These files are consulted when using rhosts with RSA host |
| authentication or protocol version 2 hostbased authentication |
authentication or protocol version 2 hostbased authentication |
| to check the public key of the host. |
to check the public key of the host. |
|
|
| These files should be writable only by root/the owner. |
These files should be writable only by root/the owner. |
| .Pa /etc/ssh/ssh_known_hosts |
.Pa /etc/ssh/ssh_known_hosts |
| should be world-readable, and |
should be world-readable, and |
| .Pa ~/.ssh/known_hosts |
.Pa $HOME/.ssh/known_hosts |
| can, but need not be, world-readable. |
can, but need not be, world-readable. |
| .It Pa /etc/motd |
|
| See |
|
| .Xr motd 5 . |
|
| .It Pa ~/.hushlogin |
|
| This file is used to suppress printing the last login time and |
|
| .Pa /etc/motd , |
|
| if |
|
| .Cm PrintLastLog |
|
| and |
|
| .Cm PrintMotd , |
|
| respectively, |
|
| are enabled. |
|
| It does not suppress printing of the banner specified by |
|
| .Cm Banner . |
|
| .It Pa /etc/nologin |
.It Pa /etc/nologin |
| If this file exists, |
If this file exists, |
| .Nm |
.Nm |
|
|
| Access controls that should be enforced by tcp-wrappers are defined here. |
Access controls that should be enforced by tcp-wrappers are defined here. |
| Further details are described in |
Further details are described in |
| .Xr hosts_access 5 . |
.Xr hosts_access 5 . |
| .It Pa ~/.rhosts |
.It Pa $HOME/.rhosts |
| This file is used during |
This file is used during |
| .Cm RhostsRSAAuthentication |
.Cm RhostsRSAAuthentication |
| and |
and |
|
|
| Either host or user |
Either host or user |
| name may be of the form +@groupname to specify all hosts or all users |
name may be of the form +@groupname to specify all hosts or all users |
| in the group. |
in the group. |
| .It Pa ~/.shosts |
.It Pa $HOME/.shosts |
| For ssh, |
For ssh, |
| this file is exactly the same as for |
this file is exactly the same as for |
| .Pa .rhosts . |
.Pa .rhosts . |
|
|
| .Pa /etc/hosts.equiv . |
.Pa /etc/hosts.equiv . |
| However, this file may be useful in environments that want to run both |
However, this file may be useful in environments that want to run both |
| rsh/rlogin and ssh. |
rsh/rlogin and ssh. |
| .It Pa ~/.ssh/environment |
.It Pa $HOME/.ssh/environment |
| This file is read into the environment at login (if it exists). |
This file is read into the environment at login (if it exists). |
| It can only contain empty lines, comment lines (that start with |
It can only contain empty lines, comment lines (that start with |
| .Ql # ) , |
.Ql # ) , |
|
|
| controlled via the |
controlled via the |
| .Cm PermitUserEnvironment |
.Cm PermitUserEnvironment |
| option. |
option. |
| .It Pa ~/.ssh/rc |
.It Pa $HOME/.ssh/rc |
| If this file exists, it is run with |
If this file exists, it is run with |
| .Pa /bin/sh |
.Pa /bin/sh |
| after reading the |
after reading the |
|
|
| readable by anyone else. |
readable by anyone else. |
| .It Pa /etc/ssh/sshrc |
.It Pa /etc/ssh/sshrc |
| Like |
Like |
| .Pa ~/.ssh/rc . |
.Pa $HOME/.ssh/rc . |
| This can be used to specify |
This can be used to specify |
| machine-specific login-time initializations globally. |
machine-specific login-time initializations globally. |
| This file should be writable only by root, and should be world-readable. |
This file should be writable only by root, and should be world-readable. |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh