| version 1.51.2.4, 2001/03/12 15:44:17 |
version 1.51.2.5, 2001/03/21 18:53:16 |
|
|
| .\" incompatible with the protocol description in the RFC file, it must be |
.\" incompatible with the protocol description in the RFC file, it must be |
| .\" called by a name other than "ssh" or "Secure Shell". |
.\" called by a name other than "ssh" or "Secure Shell". |
| .\" |
.\" |
| .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
| .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
| .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
| .\" |
.\" |
| .\" Redistribution and use in source and binary forms, with or without |
.\" Redistribution and use in source and binary forms, with or without |
| .\" modification, are permitted provided that the following conditions |
.\" modification, are permitted provided that the following conditions |
|
|
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| .Nm sshd |
.Nm sshd |
| .Nd OpenSSH secure shell daemon |
.Nd OpenSSH ssh daemon |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm sshd |
.Nm sshd |
| .Op Fl diqD46 |
.Op Fl diqD46 |
|
|
| .Op Fl V Ar client_protocol_id |
.Op Fl V Ar client_protocol_id |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| (Secure Shell Daemon) is the daemon program for |
(SSH Daemon) is the daemon program for |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| Together these programs replace rlogin and rsh, and |
Together these programs replace rlogin and rsh, and |
| provide secure encrypted communications between two untrusted hosts |
provide secure encrypted communications between two untrusted hosts |
|
|
| However, when the daemon starts, it does not generate a server key. |
However, when the daemon starts, it does not generate a server key. |
| Forward security is provided through a Diffie-Hellman key agreement. |
Forward security is provided through a Diffie-Hellman key agreement. |
| This key agreement results in a shared session key. |
This key agreement results in a shared session key. |
| The rest of the session is encrypted |
The rest of the session is encrypted using a symmetric cipher, currently |
| using a symmetric cipher, currently |
Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. |
| Blowfish, 3DES or CAST128 in CBC mode or Arcfour. |
|
| The client selects the encryption algorithm |
The client selects the encryption algorithm |
| to use from those offered by the server. |
to use from those offered by the server. |
| Additionally, session integrity is provided |
Additionally, session integrity is provided |
|
|
| .Pp |
.Pp |
| .Nm |
.Nm |
| rereads its configuration file when it receives a hangup signal, |
rereads its configuration file when it receives a hangup signal, |
| .Dv SIGHUP . |
.Dv SIGHUP , |
| |
by executing itself with the name it was started as, ie. |
| |
.Pa /usr/sbin/sshd . |
| .Pp |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
|
|
| authentication is allowed. |
authentication is allowed. |
| This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
| .Pp |
.Pp |
| |
.It Cm ChallengeResponseAuthentication |
| |
Specifies whether |
| |
challenge response |
| |
authentication is allowed. |
| |
Currently there is only support for |
| |
.Xr skey 1 |
| |
authentication. |
| |
The default is |
| |
.Dq yes . |
| .It Cm Ciphers |
.It Cm Ciphers |
| Specifies the ciphers allowed for protocol version 2. |
Specifies the ciphers allowed for protocol version 2. |
| Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
| The default is |
The default is |
| .Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc . |
.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour. |
| .It Cm CheckMail |
.It Cm CheckMail |
| Specifies whether |
Specifies whether |
| .Nm |
.Nm |
|
|
| can be used as wildcards in the patterns. |
can be used as wildcards in the patterns. |
| Only user names are valid; a numerical user ID isn't recognized. |
Only user names are valid; a numerical user ID isn't recognized. |
| By default login is allowed regardless of the user name. |
By default login is allowed regardless of the user name. |
| .It Cm PubkeyAuthentication |
|
| Specifies whether public key authentication is allowed. |
|
| The default is |
|
| .Dq yes . |
|
| Note that this option applies to protocol version 2 only. |
|
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. |
forwarded for the client. |
|
|
| The default is |
The default is |
| .Pp |
.Pp |
| .Bd -literal |
.Bd -literal |
| ``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, |
``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, |
| hmac-sha1-96,hmac-md5-96'' |
hmac-sha1-96,hmac-md5-96'' |
| .Ed |
.Ed |
| .It Cm MaxStartups |
.It Cm MaxStartups |
|
|
| The default is |
The default is |
| .Dq no . |
.Dq no . |
| .It Cm PermitRootLogin |
.It Cm PermitRootLogin |
| Specifies whether the root can log in using |
Specifies whether root can login using |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| The argument must be |
The argument must be |
| .Dq yes , |
.Dq yes , |
|
|
| (which may be useful for taking remote backups even if root login is |
(which may be useful for taking remote backups even if root login is |
| normally not allowed). All other authentication methods are disabled |
normally not allowed). All other authentication methods are disabled |
| for root. |
for root. |
| |
.Pp |
| |
If this option is set to |
| |
.Dq no |
| |
root is not allowed to login. |
| .It Cm PidFile |
.It Cm PidFile |
| Specifies the file that contains the process identifier of the |
Specifies the file that contains the process identifier of the |
| .Nm |
.Nm |
|
|
| Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
| The default is |
The default is |
| .Dq 1 . |
.Dq 1 . |
| .It Cm RandomSeed |
.It Cm PubkeyAuthentication |
| Obsolete. |
Specifies whether public key authentication is allowed. |
| Random number generation uses other techniques. |
The default is |
| |
.Dq yes . |
| |
Note that this option applies to protocol version 2 only. |
| .It Cm ReverseMappingCheck |
.It Cm ReverseMappingCheck |
| Specifies whether |
Specifies whether |
| .Nm |
.Nm |
|
|
| .It Cm ServerKeyBits |
.It Cm ServerKeyBits |
| Defines the number of bits in the server key. |
Defines the number of bits in the server key. |
| The minimum value is 512, and the default is 768. |
The minimum value is 512, and the default is 768. |
| .It Cm ChallengeResponseAuthentication |
|
| Specifies whether |
|
| challenge reponse |
|
| authentication is allowed. |
|
| Currently there is only support for |
|
| .Xr skey 1 |
|
| authentication. |
|
| The default is |
|
| .Dq yes . |
|
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether |
Specifies whether |
| .Nm |
.Nm |
|
|
| authentication. |
authentication. |
| .It Cm no-pty |
.It Cm no-pty |
| Prevents tty allocation (a request to allocate a pty will fail). |
Prevents tty allocation (a request to allocate a pty will fail). |
| |
.It Cm permitopen="host:port" |
| |
Limit local |
| |
.Li ``ssh -L'' |
| |
port-forwading such that it may only connect to the specified host and |
| |
port. Multiple |
| |
.Cm permitopen |
| |
options may be applied seperated by commas. No pattern matching is |
| |
performed on the specified hostnames, they must be literal domains or |
| |
addresses. |
| .El |
.El |
| .Ss Examples |
.Ss Examples |
| 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
|
|
| from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
| .Pp |
.Pp |
| command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
| |
.Pp |
| |
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
| .Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
| The |
The |
| .Pa /etc/ssh_known_hosts , |
.Pa /etc/ssh_known_hosts , |
|
|
| .Nm sshd . |
.Nm sshd . |
| This file should be writable by root only, but it is recommended |
This file should be writable by root only, but it is recommended |
| (though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
| .It Pa /etc/ssh_host_key |
.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key |
| Contains the private part of the host key. |
These three files contain the private parts of the |
| This file should only be owned by root, readable only by root, and not |
(SSH1, SSH2 DSA, and SSH2 RSA) host keys. |
| |
These files should only be owned by root, readable only by root, and not |
| accessible to others. |
accessible to others. |
| Note that |
Note that |
| .Nm |
.Nm |
| does not start if this file is group/world-accessible. |
does not start if this file is group/world-accessible. |
| .It Pa /etc/ssh_host_key.pub |
.It Pa /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, /etc/ssh_host_rsa_key.pub |
| Contains the public part of the host key. |
There three files contain the public parts of the |
| This file should be world-readable but writable only by |
(SSH1, SSH2 DSA, and SSH2 RSA) host keys. |
| |
These files should be world-readable but writable only by |
| root. |
root. |
| Its contents should match the private part. |
Their contents should match the respective private parts. |
| This file is not |
These files are not |
| really used for anything; it is only provided for the convenience of |
really used for anything; they are provided for the convenience of |
| the user so its contents can be copied to known hosts files. |
the user so their contents can be copied to known hosts files. |
| These two files are created using |
These files are created using |
| .Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
| .It Pa /etc/primes |
.It Pa /etc/primes |
| Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
|
|
| authentication to check the public key of the host. |
authentication to check the public key of the host. |
| The key must be listed in one of these files to be accepted. |
The key must be listed in one of these files to be accepted. |
| The client uses the same files |
The client uses the same files |
| to verify that the remote host is the one it intended to connect. |
to verify that it is connecting to the correct remote host. |
| These files should be writable only by root/the owner. |
These files should be writable only by root/the owner. |
| .Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
| should be world-readable, and |
should be world-readable, and |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh