| version 1.6, 1999/10/03 18:46:12 |
version 1.7, 1999/10/07 21:45:02 |
|
|
| .It Fl h Ar host_key_file |
.It Fl h Ar host_key_file |
| Specifies the file from which the host key is read (default |
Specifies the file from which the host key is read (default |
| .Pa /etc/ssh_host_key ) . |
.Pa /etc/ssh_host_key ) . |
| This option must be given if sshd is not run as root (as the normal |
This option must be given if |
| |
.Nm |
| |
is not run as root (as the normal |
| host file is normally not readable by anyone but root). |
host file is normally not readable by anyone but root). |
| .It Fl i |
.It Fl i |
| Specifies that sshd is being run from inetd. Sshd is normally not run |
Specifies that |
| |
.Nm |
| |
is being run from inetd. |
| |
.Nm |
| |
is normally not run |
| from inetd because it needs to generate the server key before it can |
from inetd because it needs to generate the server key before it can |
| respond to the client, and this may take tens of seconds. Clients |
respond to the client, and this may take tens of seconds. Clients |
| would have to wait too long if the key was regenerated every time. |
would have to wait too long if the key was regenerated every time. |
| However, with small key sizes (e.g. 512) using sshd from inetd may |
However, with small key sizes (e.g. 512) using |
| |
.Nm |
| |
from inetd may |
| be feasible. |
be feasible. |
| .It Fl k Ar key_gen_time |
.It Fl k Ar key_gen_time |
| Specifies how often the server key is regenerated (default 3600 |
Specifies how often the server key is regenerated (default 3600 |
|
|
| Note that |
Note that |
| .Nm |
.Nm |
| can also be configured to use tcp_wrappers using the |
can also be configured to use tcp_wrappers using the |
| .Fl LIBWARP |
.Sy LIBWARP |
| compile-time option. |
compile-time option. |
| .It Cm DenyHosts |
.It Cm DenyHosts |
| This keyword can be followed by any number of host name patterns, |
This keyword can be followed by any number of host name patterns, |
|
|
| in both the server and the client configuration files. |
in both the server and the client configuration files. |
| .It Cm KerberosAuthentication |
.It Cm KerberosAuthentication |
| Specifies whether Kerberos authentication is allowed. This can |
Specifies whether Kerberos authentication is allowed. This can |
| be in the form of a Kerberos ticket, or if PasswordAuthentication |
be in the form of a Kerberos ticket, or if |
| |
.Cm PasswordAuthentication |
| is yes, the password provided by the user will be validated through |
is yes, the password provided by the user will be validated through |
| the Kerberos KDC. Default is |
the Kerberos KDC. Default is |
| .Dq yes . |
.Dq yes . |
|
|
| .Dq no , |
.Dq no , |
| as this only works when the Kerberos KDC is actually an AFS kaserver. |
as this only works when the Kerberos KDC is actually an AFS kaserver. |
| .It Cm KerberosTicketCleanup |
.It Cm KerberosTicketCleanup |
| Specifies whether to automatically destroy the user's |
Specifies whether to automatically destroy the user's ticket cache |
| ticket cache file on logout. Default is |
file on logout. Default is |
| .Dq yes . |
.Dq yes . |
| .It Cm KeyRegenerationInterval |
.It Cm KeyRegenerationInterval |
| The server key is automatically regenerated after this many seconds |
The server key is automatically regenerated after this many seconds |
|
|
| stealing the keys. The key is never stored anywhere. If the value is |
stealing the keys. The key is never stored anywhere. If the value is |
| 0, the key is never regenerated. The default is 3600 |
0, the key is never regenerated. The default is 3600 |
| (seconds). |
(seconds). |
| |
.It Cm ListenAddress |
| |
Specifies what local address |
| |
.Nm |
| |
should listen on. |
| |
The default is to listen to all local addresses. |
| .It Cm LoginGraceTime |
.It Cm LoginGraceTime |
| The server disconnects after this time if the user has not |
The server disconnects after this time if the user has not |
| successfully logged in. If the value is 0, there is no time limit. |
successfully logged in. If the value is 0, there is no time limit. |
|
|
| .It Cm RhostsAuthentication |
.It Cm RhostsAuthentication |
| Specifies whether authentication using rhosts or /etc/hosts.equiv |
Specifies whether authentication using rhosts or /etc/hosts.equiv |
| files is sufficient. Normally, this method should not be permitted |
files is sufficient. Normally, this method should not be permitted |
| because it is insecure. RhostsRSAAuthentication should be used |
because it is insecure. |
| |
.Cm RhostsRSAAuthentication |
| |
should be used |
| instead, because it performs RSA-based host authentication in addition |
instead, because it performs RSA-based host authentication in addition |
| to normal rhosts or /etc/hosts.equiv authentication. |
to normal rhosts or /etc/hosts.equiv authentication. |
| The default is |
The default is |
|
|
| .It Cm ServerKeyBits |
.It Cm ServerKeyBits |
| Defines the number of bits in the server key. The minimum value is |
Defines the number of bits in the server key. The minimum value is |
| 512, and the default is 768. |
512, and the default is 768. |
| |
.It Cm SkeyAuthentication |
| |
Specifies whether |
| |
.Xr skey 1 |
| |
authentication is allowed. The default is |
| |
.Dq yes . |
| |
Note that s/key authentication is enabled only if |
| |
.Cm PasswordAuthentication |
| |
is allowed, too. |
| .It Cm StrictModes |
.It Cm StrictModes |
| Specifies whether SSH should check file modes and ownership of the |
Specifies whether SSH should check file modes and ownership of the |
| user's home directory and rhosts files before accepting login. This |
user's home directory and rhosts files before accepting login. This |
| is normally desirable because novices sometimes accidentally leave their |
is normally desirable because novices sometimes accidentally leave their |
| directory or files world-writable. The default is "yes". |
directory or files world-writable. The default is |
| |
.Dq yes . |
| .It Cm SyslogFacility |
.It Cm SyslogFacility |
| Gives the facility code that is used when logging messages from |
Gives the facility code that is used when logging messages from |
| .Nm sshd . |
.Nm sshd . |
|
|
| This file should be writable by root only, but it is recommended |
This file should be writable by root only, but it is recommended |
| (though not necessary) that it be world-readable. |
(though not necessary) that it be world-readable. |
| .It Pa /etc/ssh_host_key |
.It Pa /etc/ssh_host_key |
| Contains the private part of the host key. This file is normally |
Contains the private part of the host key. |
| created automatically by "make install", but can also be created |
|
| manually using |
|
| .Xr ssh-keygen 1 . |
|
| This file should only be owned by root, readable only by root, and not |
This file should only be owned by root, readable only by root, and not |
| accessible to others. |
accessible to others. |
| .It Pa /etc/ssh_host_key.pub |
.It Pa /etc/ssh_host_key.pub |
| Contains the public part of the host key. This file is normally |
Contains the public part of the host key. |
| created automatically by "make install", but can also be created |
This file should be world-readable but writable only by |
| manually. This file should be world-readable but writable only by |
|
| root. Its contents should match the private part. This file is not |
root. Its contents should match the private part. This file is not |
| really used for anything; it is only provided for the convenience of |
really used for anything; it is only provided for the convenience of |
| the user so its contents can be copied to known hosts files. |
the user so its contents can be copied to known hosts files. |
| |
These two files are created using |
| |
.Xr ssh-keygen 1 . |
| .It Pa /var/run/sshd.pid |
.It Pa /var/run/sshd.pid |
| Contains the process ID of the |
Contains the process ID of the |
| .Nm |
.Nm |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh