version 1.51.2.4, 2001/03/12 15:44:17 |
version 1.51.2.5, 2001/03/21 18:53:16 |
|
|
.\" incompatible with the protocol description in the RFC file, it must be |
.\" incompatible with the protocol description in the RFC file, it must be |
.\" called by a name other than "ssh" or "Secure Shell". |
.\" called by a name other than "ssh" or "Secure Shell". |
.\" |
.\" |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. |
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
.\" |
.\" |
.\" Redistribution and use in source and binary forms, with or without |
.\" Redistribution and use in source and binary forms, with or without |
.\" modification, are permitted provided that the following conditions |
.\" modification, are permitted provided that the following conditions |
|
|
.Os |
.Os |
.Sh NAME |
.Sh NAME |
.Nm sshd |
.Nm sshd |
.Nd OpenSSH secure shell daemon |
.Nd OpenSSH ssh daemon |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm sshd |
.Nm sshd |
.Op Fl diqD46 |
.Op Fl diqD46 |
|
|
.Op Fl V Ar client_protocol_id |
.Op Fl V Ar client_protocol_id |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm |
.Nm |
(Secure Shell Daemon) is the daemon program for |
(SSH Daemon) is the daemon program for |
.Xr ssh 1 . |
.Xr ssh 1 . |
Together these programs replace rlogin and rsh, and |
Together these programs replace rlogin and rsh, and |
provide secure encrypted communications between two untrusted hosts |
provide secure encrypted communications between two untrusted hosts |
|
|
However, when the daemon starts, it does not generate a server key. |
However, when the daemon starts, it does not generate a server key. |
Forward security is provided through a Diffie-Hellman key agreement. |
Forward security is provided through a Diffie-Hellman key agreement. |
This key agreement results in a shared session key. |
This key agreement results in a shared session key. |
The rest of the session is encrypted |
The rest of the session is encrypted using a symmetric cipher, currently |
using a symmetric cipher, currently |
Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES. |
Blowfish, 3DES or CAST128 in CBC mode or Arcfour. |
|
The client selects the encryption algorithm |
The client selects the encryption algorithm |
to use from those offered by the server. |
to use from those offered by the server. |
Additionally, session integrity is provided |
Additionally, session integrity is provided |
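Review bot: the rewritten cipher sentence in this hunk ("Blowfish, 3DES, CAST128, Arcfour, 128 bit AES, or 256 bit AES.") promises 256 bit AES, but the Ciphers default added in this same revision is "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour", with no aes256-cbc; either add aes256-cbc to that default or say here that it is available but not offered by default. The edit also drops the old "in CBC mode" qualifier, which was the only hint in the description that every listed cipher except Arcfour runs in CBC mode; keep it, e.g. "Blowfish, 3DES, CAST128 or AES (128 or 256 bit) in CBC mode, or Arcfour."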
|
|
.Pp |
.Pp |
.Nm |
.Nm |
rereads its configuration file when it receives a hangup signal, |
rereads its configuration file when it receives a hangup signal, |
.Dv SIGHUP . |
.Dv SIGHUP , |
|
by executing itself with the name it was started as, ie. |
|
.Pa /usr/sbin/sshd . |
.Pp |
.Pp |
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
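Review bot: "ie." in the new SIGHUP sentence should be "i.e." (or rather "e.g.", since /usr/sbin/sshd is an example of the name, not the definition). The sentence also introduces an operational detail that deserves one more clause: because the daemon re-executes "itself with the name it was started as", the restart only finds the same binary if that name resolves again at SIGHUP time, so the page should tell operators to start sshd with a full path (a bare "sshd" or a relative path makes the reload depend on the original invocation's lookup rather than on the installed binary). Suggest: "...by executing itself with the name it was started as, e.g. /usr/sbin/sshd; start it with a full path so the re-exec finds the same binary."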
|
|
authentication is allowed. |
authentication is allowed. |
This option is only available for protocol version 2. |
This option is only available for protocol version 2. |
.Pp |
.Pp |
|
.It Cm ChallengeResponseAuthentication |
|
Specifies whether |
|
challenge response |
|
authentication is allowed. |
|
Currently there is only support for |
|
.Xr skey 1 |
|
authentication. |
|
The default is |
|
.Dq yes . |
.It Cm Ciphers |
.It Cm Ciphers |
Specifies the ciphers allowed for protocol version 2. |
Specifies the ciphers allowed for protocol version 2. |
Multiple ciphers must be comma-separated. |
Multiple ciphers must be comma-separated. |
The default is |
The default is |
.Dq 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc . |
.Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour. |
.It Cm CheckMail |
.It Cm CheckMail |
Specifies whether |
Specifies whether |
.Nm |
.Nm |
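Review bot: the new Ciphers default line ".Dq aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour." ends with the period inside the macro argument, so mdoc renders it inside the quotes ("...arcfour."); the line it replaces used "arcfour,aes128-cbc ." with the period as a separate token. Write "...cast128-cbc,arcfour ." to match. The ChallengeResponseAuthentication entry moved in above it is the old text with "reponse" corrected to "response", which is fine, but unlike its neighbours (AllowUsers' "only available for protocol version 2", Ciphers' "for protocol version 2") it does not say which protocol version(s) it applies to; add that sentence so the entry is consistent with the rest of the list.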
|
|
can be used as wildcards in the patterns. |
can be used as wildcards in the patterns. |
Only user names are valid; a numerical user ID isn't recognized. |
Only user names are valid; a numerical user ID isn't recognized. |
By default login is allowed regardless of the user name. |
By default login is allowed regardless of the user name. |
.It Cm PubkeyAuthentication |
|
Specifies whether public key authentication is allowed. |
|
The default is |
|
.Dq yes . |
|
Note that this option applies to protocol version 2 only. |
|
.It Cm GatewayPorts |
.It Cm GatewayPorts |
Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
forwarded for the client. |
forwarded for the client. |
|
|
The default is |
The default is |
.Pp |
.Pp |
.Bd -literal |
.Bd -literal |
``hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com, |
``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com, |
hmac-sha1-96,hmac-md5-96'' |
hmac-sha1-96,hmac-md5-96'' |
.Ed |
.Ed |
.It Cm MaxStartups |
.It Cm MaxStartups |
|
|
The default is |
The default is |
.Dq no . |
.Dq no . |
.It Cm PermitRootLogin |
.It Cm PermitRootLogin |
Specifies whether the root can log in using |
Specifies whether root can login using |
.Xr ssh 1 . |
.Xr ssh 1 . |
The argument must be |
The argument must be |
.Dq yes , |
.Dq yes , |
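Review bot: the reworded opening sentence of PermitRootLogin turns "root can log in" into "root can login"; "login" is the noun (and the program name), the verb is "log in". Keep "Specifies whether root can log in using".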
|
|
(which may be useful for taking remote backups even if root login is |
(which may be useful for taking remote backups even if root login is |
normally not allowed). All other authentication methods are disabled |
normally not allowed). All other authentication methods are disabled |
for root. |
for root. |
|
.Pp |
|
If this option is set to |
|
.Dq no |
|
root is not allowed to login. |
.It Cm PidFile |
.It Cm PidFile |
Specifies the file that contains the process identifier of the |
Specifies the file that contains the process identifier of the |
.Nm |
.Nm |
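Review bot: the added paragraph "If this option is set to .Dq no root is not allowed to login." needs a comma after the quoted value (".Dq no ," so it reads: If this option is set to "no", root is not allowed to log in) and "to login" should be "to log in". Since the sentences just before it describe the forced-command case, where "All other authentication methods are disabled for root", it would help to state explicitly that "no" refuses root for every authentication method, forced commands included, so the two settings are not confused.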
|
|
Multiple versions must be comma-separated. |
Multiple versions must be comma-separated. |
The default is |
The default is |
.Dq 1 . |
.Dq 1 . |
.It Cm RandomSeed |
.It Cm PubkeyAuthentication |
Obsolete. |
Specifies whether public key authentication is allowed. |
Random number generation uses other techniques. |
The default is |
|
.Dq yes . |
|
Note that this option applies to protocol version 2 only. |
.It Cm ReverseMappingCheck |
.It Cm ReverseMappingCheck |
Specifies whether |
Specifies whether |
.Nm |
.Nm |
|
|
.It Cm ServerKeyBits |
.It Cm ServerKeyBits |
Defines the number of bits in the server key. |
Defines the number of bits in the server key. |
The minimum value is 512, and the default is 768. |
The minimum value is 512, and the default is 768. |
.It Cm ChallengeResponseAuthentication |
|
Specifies whether |
|
challenge reponse |
|
authentication is allowed. |
|
Currently there is only support for |
|
.Xr skey 1 |
|
authentication. |
|
The default is |
|
.Dq yes . |
|
.It Cm StrictModes |
.It Cm StrictModes |
Specifies whether |
Specifies whether |
.Nm |
.Nm |
|
|
authentication. |
authentication. |
.It Cm no-pty |
.It Cm no-pty |
Prevents tty allocation (a request to allocate a pty will fail). |
Prevents tty allocation (a request to allocate a pty will fail). |
|
.It Cm permitopen="host:port" |
|
Limit local |
|
.Li ``ssh -L'' |
|
port-forwading such that it may only connect to the specified host and |
|
port. Multiple |
|
.Cm permitopen |
|
options may be applied seperated by commas. No pattern matching is |
|
performed on the specified hostnames, they must be literal domains or |
|
addresses. |
.El |
.El |
.Ss Examples |
.Ss Examples |
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
1024 33 12121.\|.\|.\|312314325 ylo@foo.bar |
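Review bot: two typos in the added permitopen entry: "port-forwading" should be "port-forwarding" and "seperated" should be "separated". The closing sentence says no pattern matching is performed and the hosts "must be literal domains or addresses", but not what they are compared against; say that the comparison is made against the host string the client requests in its "ssh -L" forward, so that permitting "10.2.1.55" does not permit the same machine requested by name and a permitted name does not cover its address. One sentence stating the outcome for a forward outside the list (the request is refused) would complete the entry.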
|
|
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula |
.Pp |
.Pp |
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi |
|
.Pp |
|
permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
.Sh SSH_KNOWN_HOSTS FILE FORMAT |
The |
The |
.Pa /etc/ssh_known_hosts , |
.Pa /etc/ssh_known_hosts , |
|
|
.Nm sshd . |
.Nm sshd . |
This file should be writable by root only, but it is recommended |
This file should be writable by root only, but it is recommended |
(though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
.It Pa /etc/ssh_host_key |
.It Pa /etc/ssh_host_key, /etc/ssh_host_dsa_key, /etc/ssh_host_rsa_key |
Contains the private part of the host key. |
These three files contain the private parts of the |
This file should only be owned by root, readable only by root, and not |
(SSH1, SSH2 DSA, and SSH2 RSA) host keys. |
|
These files should only be owned by root, readable only by root, and not |
accessible to others. |
accessible to others. |
Note that |
Note that |
.Nm |
.Nm |
does not start if this file is group/world-accessible. |
does not start if this file is group/world-accessible. |
.It Pa /etc/ssh_host_key.pub |
.It Pa /etc/ssh_host_key.pub, /etc/ssh_host_dsa_key.pub, /etc/ssh_host_rsa_key.pub |
Contains the public part of the host key. |
There three files contain the public parts of the |
This file should be world-readable but writable only by |
(SSH1, SSH2 DSA, and SSH2 RSA) host keys. |
|
These files should be world-readable but writable only by |
root. |
root. |
Its contents should match the private part. |
Their contents should match the respective private parts. |
This file is not |
These files are not |
really used for anything; it is only provided for the convenience of |
really used for anything; they are provided for the convenience of |
the user so its contents can be copied to known hosts files. |
the user so their contents can be copied to known hosts files. |
These two files are created using |
These files are created using |
.Xr ssh-keygen 1 . |
.Xr ssh-keygen 1 . |
.It Pa /etc/primes |
.It Pa /etc/primes |
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
|
|
authentication to check the public key of the host. |
authentication to check the public key of the host. |
The key must be listed in one of these files to be accepted. |
The key must be listed in one of these files to be accepted. |
The client uses the same files |
The client uses the same files |
to verify that the remote host is the one it intended to connect. |
to verify that it is connecting to the correct remote host. |
These files should be writable only by root/the owner. |
These files should be writable only by root/the owner. |
.Pa /etc/ssh_known_hosts |
.Pa /etc/ssh_known_hosts |
should be world-readable, and |
should be world-readable, and |