version 1.39, 2000/03/29 20:17:56
version 1.40, 2000/04/12 21:47:51

.Op Fl k Ar key_gen_time
.Op Fl p Ar port
.Op Fl V Ar client_protocol_id
.Sh DESCRIPTION
.Nm
(Secure Shell Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh programs, and
provide secure encrypted communications between two untrusted hosts

.Pp
.Nm
is the daemon that listens for connections from clients.
It is normally started at boot from
.Pa /etc/rc .
It forks a new
daemon for each incoming connection.

.It Fl i
Specifies that
.Nm
is being run from inetd.
.Nm
is normally not run
from inetd because it needs to generate the server key before it can

.El
.Sh CONFIGURATION FILE
.Nm
reads configuration data from
.Pa /etc/sshd_config
(or the file specified with
.Fl f

.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
and
.Pa .shosts
files will not be used in authentication.
.Pa /etc/hosts.equiv
and
.Pa /etc/shosts.equiv
are still used.
The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether

.Dq yes .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
Default is
.Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup

.It Cm PrintMotd
Specifies whether
.Nm
should print
.Pa /etc/motd
when a user logs in interactively.
(On some systems it is also printed by the shell,

The minimum value is 512, and the default is 768.
.It Cm SkeyAuthentication
Specifies whether
.Xr skey 1
authentication is allowed.
The default is
.Dq yes .
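.Pp
The following is an added example, written for this page and not part of OpenSSH, that parses a constructed sshd_config and checks the keywords described in this section against the defaults the text states (IgnoreRhosts yes, KerberosTgtPassing no, SkeyAuthentication yes, server key minimum 512 bits and default 768). Keywords are matched case-insensitively. The keyword whose description ends with the 512/768 sentence above is ServerKeyBits; its name falls in the part of the page that is cut. ExampleUnknownKeyword and the sample configurations are made up for the demonstration.

```python
"""Audit an sshd_config against the defaults documented in the section above.
Example code added for this page; not part of OpenSSH."""
from typing import Dict, List, Optional, Tuple

# Defaults as stated in the text. ServerKeyBits is the keyword whose
# description ("minimum 512, default 768") appears above without its name.
DEFAULTS: Dict[str, str] = {
    "ignorerhosts": "yes",
    "kerberostgtpassing": "no",
    "serverkeybits": "768",
    "skeyauthentication": "yes",
}
# Keywords described in the section (defaults of the last three are not shown).
KNOWN_KEYWORDS = set(DEFAULTS) | {"ignoreuserknownhosts", "kerberosticketcleanup", "printmotd"}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective settings keyed by lowercase keyword, findings)."""
    settings: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append(f"line {lineno}: keyword {parts[0]!r} has no value")
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in KNOWN_KEYWORDS:
            findings.append(f"line {lineno}: keyword {parts[0]!r} is not one described above")
            continue
        if key in settings:
            findings.append(f"line {lineno}: duplicate keyword {parts[0]!r}; first occurrence used here")
            continue
        settings[key] = value
    for key, default in DEFAULTS.items():             # fill in documented defaults
        settings.setdefault(key, default)
    return settings, findings


def _as_bool(key: str, value: str, findings: List[str]) -> Optional[bool]:
    v = value.lower()
    if v in ("yes", "no"):
        return v == "yes"
    findings.append(f"{key}: value {value!r} is not yes/no")
    return None


def audit_sshd_config(text: str) -> List[str]:
    """Flag settings weaker than the documented defaults."""
    settings, findings = parse_sshd_config(text)
    if _as_bool("IgnoreRhosts", settings["ignorerhosts"], findings) is False:
        findings.append("IgnoreRhosts no: .rhosts/.shosts are honoured (default is yes)")
    if _as_bool("KerberosTgtPassing", settings["kerberostgtpassing"], findings) is True:
        findings.append("KerberosTgtPassing yes: forwarded TGTs accepted (default no; only works with an AFS kaserver)")
    try:
        bits = int(settings["serverkeybits"])
    except ValueError:
        findings.append(f"ServerKeyBits: {settings['serverkeybits']!r} is not an integer")
    else:
        if bits < 512:
            findings.append(f"ServerKeyBits {bits}: below the minimum of 512")
        elif bits < 768:
            findings.append(f"ServerKeyBits {bits}: below the default of 768")
    return findings


# Constructed sample configurations (not shipped files).
WEAK_CONFIG = """\
# constructed sample, not a real sshd_config
IgnoreRhosts no
KerberosTgtPassing yes
ServerKeyBits 512
serverkeybits 1024           # duplicate, different case
PrintMotd yes
ExampleUnknownKeyword yes    # made-up keyword
"""
HARDENED_CONFIG = """\
IgnoreRhosts yes
ServerKeyBits 1024
SkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```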

.Bl -enum -offset indent
.It
If the login is on a tty, and no command has been specified,
prints last login time and
.Pa /etc/motd
(unless prevented in the configuration file or by
.Pa $HOME/.hushlogin ;
see the
.Sx FILES
section).
.It
If the login is on a tty, records login time.

Runs user's shell or command.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
The
.Pa $HOME/.ssh/authorized_keys
file lists the RSA keys that are
permitted for RSA authentication.

.Pp
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
.Sh SSH_KNOWN_HOSTS FILE FORMAT
The
.Pa /etc/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
files contain host public keys for all known hosts.
The global file should

Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script
or by taking
.Pa /etc/ssh_host_key.pub
and adding the host names at the front.
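.Pp
The following is an added example, written for this page and not OpenSSH's own parser, covering both the AUTHORIZED_KEYS FILE FORMAT section (an optional comma-separated options field, then bits, exponent, modulus and comment, as in the command="dump /home" line above) and this section (a comma-separated host name list in front of the same key fields, which is what "taking /etc/ssh_host_key.pub and adding the host names at the front" produces). It handles the cases a hand-written split gets wrong: commas and spaces inside a double-quoted option value, an escaped quote inside command=, an unterminated quote, and a declared bit count that does not match the modulus. The option name list is sshd's full authorized_keys option set, of which the excerpt shows three; all key material and host names in the samples are constructed and are not real keys.

```python
"""Parsers for the SSH protocol 1 authorized_keys and known_hosts line formats.
Example code added for this page; not OpenSSH's own implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# sshd's authorized_keys option names (the excerpt above shows three of them).
KNOWN_OPTIONS = {"from", "command", "environment", "no-port-forwarding",
                 "no-X11-forwarding", "no-agent-forwarding", "no-pty"}


@dataclass
class RsaKey:
    bits: int          # size declared on the line
    exponent: int
    modulus: int
    comment: str       # unused by sshd, kept for the operator

    def size_mismatch(self) -> bool:
        # The declared size should equal the real modulus size; flag it if not.
        return self.modulus.bit_length() != self.bits


@dataclass
class AuthorizedKey:
    options: List[Tuple[str, Optional[str]]]   # ordered; environment= may repeat
    key: RsaKey

    def option(self, name: str) -> Optional[str]:
        return next((v for n, v in self.options if n == name), None)


@dataclass
class KnownHost:
    hostnames: List[str]   # the comma-separated host name list, split
    key: RsaKey


def _split_unquoted(s: str, sep: str) -> List[str]:
    """Split on sep outside double quotes; \\" inside quotes is a literal quote."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if quoted and c == "\\" and s[i + 1:i + 2] == '"':
            cur += ["\\", '"']; i += 2; continue      # keep escape for later unescaping
        if c == '"':
            quoted = not quoted
        elif c == sep and not quoted:
            parts.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if quoted:
        raise ValueError("unterminated double quote")
    parts.append("".join(cur))
    return parts


def _parse_option(opt: str) -> Tuple[str, Optional[str]]:
    name, eq, value = opt.partition("=")
    if name not in KNOWN_OPTIONS:
        raise ValueError(f"unknown option {name!r}")
    if not eq:
        return name, None                               # flag option such as no-pty
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"value of {name} must be double-quoted")
    return name, value[1:-1].replace('\\"', '"')


def _parse_key_fields(fields: List[str]) -> RsaKey:
    if len(fields) < 3:
        raise ValueError("expected: bits exponent modulus [comment]")
    bits, exponent, modulus = (int(f) for f in fields[:3])   # ValueError if not numeric
    if min(bits, exponent, modulus) <= 0:
        raise ValueError("key fields must be positive integers")
    return RsaKey(bits, exponent, modulus, " ".join(fields[3:]))


def parse_authorized_keys_line(line: str) -> Optional[AuthorizedKey]:
    line = line.strip()
    if not line or line.startswith("#"):
        return None                                     # blank and comment lines are ignored
    fields = [f for f in _split_unquoted(line, " ") if f]
    options: List[Tuple[str, Optional[str]]] = []
    if not fields[0][0].isdigit():                      # options present iff first field is not a number
        options = [_parse_option(o) for o in _split_unquoted(fields.pop(0), ",")]
    return AuthorizedKey(options, _parse_key_fields(fields))


def parse_known_hosts_line(line: str) -> Optional[KnownHost]:
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected: hostnames bits exponent modulus [comment]")
    return KnownHost(fields[0].split(","), _parse_key_fields(fields[1:]))


def known_hosts_line_from_pub(hostnames: List[str], host_key_pub: str) -> str:
    """The recipe from the text: the .pub line with the host names put in front."""
    key = _parse_key_fields(host_key_pub.split())       # validate the .pub line first
    return f"{','.join(hostnames)} {key.bits} {key.exponent} {key.modulus} {key.comment}".rstrip()


# Constructed samples (not real keys): 2**63 + 1 serves as a 64-bit "modulus".
HOST_KEY_PUB = "64 35 9223372036854775809 root@host.example"
AUTHORIZED_KEYS = [
    "# backup host: only the dump command, no pty, no forwarding",
    'command="dump /home",no-pty,no-port-forwarding 64 33 9223372036854775809 backup.hut.fi',
    'from="*.hut.fi,!pc.hut.fi",environment="PATH=/bin",command="echo \\"hi\\"" 64 35 9223372036854775809 r',
    "1024 35 987654321 declared-bits-do-not-match-modulus",
]

if __name__ == "__main__":
    for entry in filter(None, map(parse_authorized_keys_line, AUTHORIZED_KEYS)):
        print(entry.key.comment, entry.options, "size mismatch:", entry.key.size_mismatch())
    kh = known_hosts_line_from_pub(["closenet", "192.0.2.53"], HOST_KEY_PUB)
    print(kh, parse_known_hosts_line(kh).hostnames)
```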
.Ss Examples

.Pa $HOME/.ssh/known_hosts
can but need not be world-readable.
.It Pa /etc/nologin
If this file exists,
.Nm
refuses to let anyone except root log in.
The contents of the file

has been updated to support ssh protocol 1.5, making it compatible with
all other ssh protocol 1 clients and servers.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It