SSHD(8)                    OpenBSD System Manager's Manual                    SSHD(8)

NAME
    sshd - OpenSSH SSH daemon

SYNOPSIS
    sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]

DESCRIPTION
    sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these programs replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network.

    sshd listens for connections from clients. It is normally started at boot from /etc/rc. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange.

    sshd can be configured using command-line options or a configuration file (by default sshd_config(5)); command-line options override values specified in the configuration file. sshd rereads its configuration file when it receives a hangup signal, SIGHUP, by executing itself with the name and options it was started with, e.g. /usr/sbin/sshd.

    The options are as follows:

    -4
        Forces sshd to use IPv4 addresses only.

    -6
        Forces sshd to use IPv6 addresses only.

    -b bits
        Specifies the number of bits in the ephemeral protocol version 1 server key (default 768).

    -D
        When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.

    -d
        Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging of the server. Multiple -d options increase the debugging level. Maximum is 3.

    -e
        When this option is specified, sshd will send the output to the standard error instead of the system log.

    -f configuration_file
        Specifies the name of the configuration file. The default is /etc/ssh/sshd_config. sshd refuses to start if there is no configuration file.

    -g login_grace_time
        Gives the grace time for clients to authenticate themselves (default 120 seconds). If the client fails to authenticate the user within this many seconds, the server disconnects and exits. A value of zero indicates no limit.

    -h host_key_file
        Specifies a file from which a host key is read. This option must be given if sshd is not run as root (as the normal host key files are normally not readable by anyone but root). The default is /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms.

    -i
        Specifies that sshd is being run from inetd(8). sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. However, with small key sizes (e.g. 512) using sshd from inetd may be feasible.

    -k key_gen_time
        Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated.

    -o option
        Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options, and their values, see sshd_config(5).

    -p port
        Specifies the port on which the server listens for connections (default 22). Multiple port options are permitted. Ports specified in the configuration file with the Port option are ignored when a command-line port is specified. Ports specified using the ListenAddress option override command-line ports.

    -q
        Quiet mode. Nothing is sent to the system log. Normally the beginning, authentication, and termination of each connection is logged.

    -t
        Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change.

    -u len
        This option is used to specify the size of the field in the utmp structure that holds the remote host name. If the resolved host name is longer than len, the dotted decimal value will be used instead. This allows hosts with very long host names that overflow this field to still be uniquely identified. Specifying -u0 indicates that only dotted decimal addresses should be put into the utmp file. -u0 may also be used to prevent sshd from making DNS requests unless the authentication mechanism or configuration requires it. Authentication mechanisms that may require DNS include RhostsRSAAuthentication, HostbasedAuthentication, and using a from="pattern-list" option in a key file. Configuration options that require DNS include using a USER@HOST pattern in AllowUsers or DenyUsers.

AUTHENTICATION
    The OpenSSH SSH daemon supports SSH protocols 1 and 2. Both protocols are supported by default, though this can be changed via the Protocol option in sshd_config(5). Protocol 2 supports both RSA and DSA keys; protocol 1 only supports RSA keys. For both protocols, each host has a host-specific key, normally 2048 bits, used to identify the host.

    Forward security for protocol 1 is provided through an additional server key, normally 768 bits, generated when the server starts. This key is normally regenerated every hour if it has been used, and is never stored on disk. Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. The client then generates a 256-bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. Both sides then use this random number as a session key which is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher, currently Blowfish or 3DES, with 3DES being used by default. The client selects the encryption algorithm to use from those offered by the server.

    For protocol 2, forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-sha1 or hmac-md5).

    Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, public key authentication, challenge-response authentication, or password authentication.

    Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups. The definition of a locked account is system dependent. Some platforms have their own account database (e.g. AIX) and some modify the passwd field ("*LK*" on Solaris and UnixWare, "*" on HP-UX, containing "Nologin" on Tru64, a leading "*LOCKED*" on FreeBSD and a leading "!!" on Linux). If there is a requirement to disable password authentication for the account while still allowing public-key authentication, then the passwd field should be set to something other than these values (e.g. "NP" or "*NP*").

    If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request things like allocating a pseudo-tty, forwarding X11 connections, forwarding TCP connections, or forwarding the authentication agent connection over the secure channel.

    After this, the client either requests a shell or execution of a command. The sides then enter session mode. In this mode, either side may send data at any time, and such data is forwarded to/from the shell or command on the server side, and the user terminal on the client side.

    When the user program terminates and all forwarded X11 and other connections have been closed, the server sends command exit status to the client, and both sides exit.

LOGIN PROCESS
    When a user successfully logs in, sshd does the following:

    1. If the login is on a tty, and no command has been specified, prints last login time and /etc/motd (unless prevented in the configuration file or by ~/.hushlogin; see the FILES section).
    2. If the login is on a tty, records login time.
    3. Checks /etc/nologin; if it exists, prints contents and quits (unless root).
    4. Changes to run with normal user privileges.
    5. Sets up basic environment.
    6. Reads the file ~/.ssh/environment, if it exists, and users are allowed to change their environment. See the PermitUserEnvironment option in sshd_config(5).
    7. Changes to user's home directory.
    8. If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise runs xauth. The "rc" files are given the X11 authentication protocol and cookie in standard input. See SSHRC, below.
    9. Runs user's shell or command.

SSHRC
    If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment files but before starting the user's shell or command. It must not produce any output on stdout; stderr must be used instead. If X11 forwarding is in use, it will receive the "proto cookie" pair in its standard input (and DISPLAY in its environment). The script must call xauth(1) because sshd will not run xauth automatically to add X11 cookies.

    The primary purpose of this file is to run any initialization routines which may be needed before the user's home directory becomes accessible; AFS is a particular example of such an environment.

    This file will probably contain some initialization code followed by something similar to:

        # sshd writes the X11 "proto cookie" pair to stdin only when X11
        # forwarding is in use; without a DISPLAY there is nothing to register.
        if read proto cookie && [ -n "$DISPLAY" ]; then
            if [ "$(echo "$DISPLAY" | cut -c1-10)" = 'localhost:' ]; then
                # X11UseLocalhost=yes: the display is a local unix-domain socket
                echo add "unix:$(echo "$DISPLAY" | cut -c11-)" "$proto" "$cookie"
            else
                # X11UseLocalhost=no: the display is reachable by its TCP name
                echo add "$DISPLAY" "$proto" "$cookie"
            fi | xauth -q -
        fi

    If this file does not exist, /etc/ssh/sshrc is run, and if that does not exist either, xauth is used to add the cookie.

AUTHORIZED_KEYS FILE FORMAT
    AuthorizedKeysFile specifies the file containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys. Each line of the file contains one key (empty lines and lines starting with a "#" are ignored as comments). Protocol 1 public keys consist of the following space-separated fields: options, bits, exponent, modulus, comment. Protocol 2 public keys consist of: options, keytype, base64-encoded key, comment. The options field is optional; its presence is determined by whether the line starts with a number or not (the options field never starts with a number). The bits, exponent, modulus, and comment fields give the RSA key for protocol version 1; the comment field is not used for anything (but may be convenient for the user to identify the key). For protocol version 2 the keytype is "ssh-dss" or "ssh-rsa".

    Note that lines in this file are usually several hundred bytes long (because of the size of the public key encoding) up to a limit of 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits. You don't want to type them in; instead, copy the identity.pub, id_dsa.pub, or the id_rsa.pub file and edit it.

    sshd enforces a minimum RSA key modulus size for protocol 1 and protocol 2 keys of 768 bits.

    The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive):

    command="command"
        Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution.

    environment="NAME=value"
        Specifies that the string is to be added to the environment when logging in using this key. Environment variables set this way override other default environment values. Multiple options of this type are permitted. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option. This option is automatically disabled if UseLogin is enabled.

    from="pattern-list"
        Specifies that in addition to public key authentication, the canonical name of the remote host must be present in the comma-separated list of patterns. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).

        See PATTERNS in ssh_config(5) for more information on patterns.

    no-agent-forwarding
        Forbids authentication agent forwarding when this key is used for authentication.

    no-port-forwarding
        Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g. in connection with the command option.

    no-pty
        Prevents tty allocation (a request to allocate a pty will fail).

    no-X11-forwarding
        Forbids X11 forwarding when this key is used for authentication. Any X11 forward requests by the client will return an error.

    permitopen="host:port"
        Limit local "ssh -L" port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses.

    tunnel="n"
        Force a tun(4) device on the server. Without this option, the next available device will be used if the client requests a tunnel.

    An example authorized_keys file:

        # Comments allowed at start of line
        ssh-rsa AAAAB3Nza...LiPk== user@example.net
        from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== john@example.net
        command="dump /home",no-pty,no-port-forwarding ssh-dss AAAAC3...51R== example.net
        permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S==
        tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net

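    The parser below is a worked example added here; it is not part of OpenSSH or of this manual page. It reads lines in the format just described: it decides whether an options field is present, splits the options on commas while honouring double quotes and backslash-escaped quotes, lowercases the keywords, collects repeated options such as permitopen, and splits permitopen values in both the host:port and host/port forms. The sample file is the example above plus two constructed lines (a protocol 1 key and a command containing an escaped quote); every key blob is a placeholder. Two details are this example's own choices rather than anything the page states: a first token that is neither a number nor a known keytype is taken to start the options field, and protocol 1 keys are labelled "rsa1".

```python
"""Parser for the authorized_keys line format (added example, not OpenSSH code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Protocol 2 key types named by the manual page.  A first token that is neither
# a number nor one of these is treated as the options field (this example's rule).
KEYTYPES = ("ssh-rsa", "ssh-dss")


@dataclass
class AuthorizedKey:
    protocol: int
    keytype: str        # "ssh-rsa"/"ssh-dss", or "rsa1" (this example's label for protocol 1)
    key: str            # base64 blob, or "bits exponent modulus" for protocol 1
    comment: str
    options: Dict[str, Union[bool, List[str]]] = field(default_factory=dict)


def _split_options_field(line: str) -> Tuple[str, str]:
    """Cut the options field off the front of the line: it ends at the first space
    that is not inside double quotes (a backslash escapes the next quoted character)."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
        elif c.isspace():
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options field is not followed by a key: %r" % line)


def _split_option_list(text: str) -> List[str]:
    """Split comma-separated options; commas inside quotes are literal, the quotes
    themselves are dropped, and a backslash-quote yields a bare quote."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and i + 1 < len(text) and text[i + 1] == '"':
                cur.append('"')
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote = True
        elif c == ",":
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in options: %r" % text)
    items.append("".join(cur))
    return [item for item in items if item]


def parse_options(text: str) -> Dict[str, Union[bool, List[str]]]:
    """Keywords are case-insensitive; flags become True, valued options collect
    every occurrence because permitopen and environment may repeat."""
    options: Dict[str, Union[bool, List[str]]] = {}
    for item in _split_option_list(text):
        name, sep, value = item.partition("=")
        name = name.lower()
        if sep:
            options.setdefault(name, []).append(value)
        else:
            options[name] = True
    return options


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one line; None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first[0].isdigit() or first in KEYTYPES:
        options_text, rest = "", line            # no options field on this line
    else:
        options_text, rest = _split_options_field(line)
    options = parse_options(options_text)
    fields = rest.split(None, 3)
    if fields and fields[0].isdigit():            # protocol 1: bits exponent modulus [comment]
        if len(fields) < 3:
            raise ValueError("short protocol 1 key: %r" % line)
        comment = fields[3] if len(fields) > 3 else ""
        return AuthorizedKey(1, "rsa1", " ".join(fields[:3]), comment, options)
    fields = rest.split(None, 2)                  # protocol 2: keytype key [comment]
    if len(fields) < 2 or fields[0] not in KEYTYPES:
        raise ValueError("unrecognised key line: %r" % line)
    comment = fields[2] if len(fields) > 2 else ""
    return AuthorizedKey(2, fields[0], fields[1], comment, options)


def parse_permitopen(spec: str) -> Tuple[str, int]:
    """permitopen values are host:port, or host/port so that the colons of an IPv6
    literal are unambiguous; the host is literal, no pattern matching is applied."""
    sep = "/" if "/" in spec else ":"
    host, _, port = spec.rpartition(sep)
    if not host or not port.isdigit():
        raise ValueError("bad permitopen value: %r" % spec)
    return host, int(port)


def parse_file(text: str) -> List[AuthorizedKey]:
    return [k for k in (parse_line(l) for l in text.splitlines()) if k is not None]


# Constructed sample: the manual's example file plus a protocol 1 line and a line
# whose command contains a backslash-escaped quote.  Key blobs are placeholders.
SAMPLE = r"""
# Comments allowed at start of line
ssh-rsa AAAAB3Nza...LiPk== user@example.net
from="*.sales.example.net,!pc.sales.example.net" ssh-rsa AAAAB2...19Q== john@example.net
command="dump /home",no-pty,no-port-forwarding ssh-dss AAAAC3...51R== example.net
permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss AAAAB5...21S==
tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...== jane@example.net
1024 35 12345678901234567890 backup@example.net
command="echo \"hello\"",no-X11-forwarding ssh-rsa AAAA...== escaped@example.net
"""

if __name__ == "__main__":
    for k in parse_file(SAMPLE):
        print(k.protocol, k.keytype, k.options, k.comment)
```

    When auditing a server, the useful output is the options column: a key with command= but without no-port-forwarding and no-X11-forwarding still lets the client forward traffic, exactly as the command option's description warns.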
SSH_KNOWN_HOSTS FILE FORMAT
    The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host public keys for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects from an unknown host, its key is added to the per-user file.

    Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces.

    Hostnames is a comma-separated list of patterns ("*" and "?" act as wildcards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when authenticating a server). A pattern may also be preceded by "!" to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line. A hostname or address may optionally be enclosed within "[" and "]" brackets then followed by ":" and a non-standard port number.

    Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed. Hashed hostnames start with a "|" character. Only one hashed hostname may appear on a single line and none of the above negation or wildcard operators may be applied.

    Bits, exponent, and modulus are taken directly from the RSA host key; they can be obtained, for example, from /etc/ssh/ssh_host_key.pub. The optional comment field continues to the end of the line, and is not used.

    Lines starting with "#" and empty lines are ignored as comments.

    When performing host authentication, authentication is accepted if any matching line has the proper key. It is thus permissible (but not recommended) to have several lines or different host keys for the same names. This will inevitably happen when short forms of host names from different domains are put in the file. It is possible that the files contain conflicting information; authentication is accepted if valid information can be found from either file.

    Note that the lines in these files are typically hundreds of characters long, and you definitely don't want to type in the host keys by hand. Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub and adding the host names at the front.

    An example ssh_known_hosts file:

        # Comments allowed at start of line
        closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
        cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
        # A hashed hostname
        |1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa AAAA1234.....=

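    The lookup below is an added example, not OpenSSH code, applying the matching rules described above to a constructed known_hosts file: comma-separated patterns with "*" and "?" wildcards, "!" negation that rejects the whole line, literal "[host]:port" entries (brackets are not wildcards), protocol 1 and protocol 2 key lines, and hashed hostnames. The page only says hashed entries start with "|"; the example assumes OpenSSH's hashed form |1|base64(salt)|base64(HMAC-SHA1(salt, hostname)) and uses a fixed salt so that the sample file is reproducible. The key fields are placeholders, not real keys, and the "rsa1" label for protocol 1 lines is this example's own.

```python
"""known_hosts host matching, including hashed hostnames (added example)."""
import base64
import hashlib
import hmac
import os
import re


def hash_hostname(host, salt=None):
    """Build a hashed hostname field |1|base64(salt)|base64(HMAC-SHA1(salt, host)).
    The HMAC-SHA1 construction is OpenSSH's hostfile format, assumed here; the page
    itself only says that hashed names begin with '|'."""
    if salt is None:
        salt = os.urandom(20)          # a fresh random 20-byte salt per entry
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def hashed_matches(field, host):
    """Check a '|1|salt|hash' field against host; the comparison is constant-time."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:                  # binascii.Error is a ValueError
        return False
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def glob_matches(pattern, host):
    """Match with only '*' and '?' as wildcards; '[' and ']' stay literal so that
    [host]:port entries match exactly."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host) is not None


def hostfield_matches(field, host):
    """A hashed field takes no patterns or negation.  Otherwise the field is a
    comma-separated pattern list, and a matching '!' pattern rejects the line."""
    if field.startswith("|"):
        return hashed_matches(field, host)
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            if glob_matches(pattern[1:], host):
                return False
        elif glob_matches(pattern, host):
            matched = True
    return matched


def find_host_keys(known_hosts_text, host):
    """Return (keytype, key) for every line whose host field matches host.
    Protocol 1 lines (bits exponent modulus) are reported with keytype 'rsa1'."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # comments and empty lines are ignored
        fields = line.split()
        if len(fields) < 3:
            continue                    # too short to carry a key
        if not hostfield_matches(fields[0], host):
            continue
        if fields[1].isdigit():         # protocol 1: bits exponent modulus [comment]
            if len(fields) >= 4:
                found.append(("rsa1", " ".join(fields[1:4])))
        else:                           # protocol 2: keytype base64-key [comment]
            found.append((fields[1], fields[2]))
    return found


# Constructed sample file; key fields are placeholders, not real keys.  The hashed
# entry is generated with a fixed salt so that the sample is the same on every run.
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed sample; key fields are placeholders",
    "cvs.example.net,192.0.2.10 ssh-rsa AAAAKEY-CVS== cvs host key",
    "*.sales.example.net,!pc.sales.example.net ssh-dss AAAAKEY-SALES==",
    "[git.example.net]:2222 ssh-rsa AAAAKEY-GIT==",
    "oldhost.example.net 1024 37 12345678901234567890 protocol-1 key",
    hash_hostname("secret.example.net", SALT) + " ssh-rsa AAAAKEY-SECRET==",
])

if __name__ == "__main__":
    for h in ("cvs.example.net", "pc.sales.example.net", "laptop.sales.example.net",
              "[git.example.net]:2222", "secret.example.net"):
        print(h, "->", find_host_keys(KNOWN_HOSTS, h))
```

    Note that a hashed line protects the host name only against a reader of the file; a client that already knows the name can still check it, which is why the lookup above works without the plaintext name being stored.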
FILES
    ~/.hushlogin
        This file is used to suppress printing the last login time and /etc/motd, if PrintLastLog and PrintMotd, respectively, are enabled. It does not suppress printing of the banner specified by Banner.

    ~/.rhosts
        This file is used for host-based authentication (see ssh(1) for more information). On some machines this file may need to be world-readable if the user's home directory is on an NFS partition, because sshd reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others.

    ~/.shosts
        This file is used in exactly the same way as .rhosts, but allows host-based authentication without permitting login with rlogin/rsh.

    ~/.ssh/authorized_keys
        Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.

        If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to "no". The recommended permissions can be set by executing "chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys".

    ~/.ssh/environment
        This file is read into the environment at login (if it exists). It can only contain empty lines, comment lines (that start with "#"), and assignment lines of the form name=value. The file should be writable only by the user; it need not be readable by anyone else. Environment processing is disabled by default and is controlled via the PermitUserEnvironment option.

    ~/.ssh/known_hosts
        Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. The format of this file is described above. This file should be writable only by root/the owner and can, but need not be, world-readable.

    ~/.ssh/rc
        Contains initialization routines to be run before the user's home directory becomes accessible. This file should be writable only by the user, and need not be readable by anyone else.

    /etc/hosts.allow
    /etc/hosts.deny
        Access controls that should be enforced by tcp-wrappers are defined here. Further details are described in hosts_access(5).

    /etc/hosts.equiv
        This file is for host-based authentication (see ssh(1)). It should only be writable by root.

    /etc/moduli
        Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". The file format is described in moduli(5).

    /etc/motd
        See motd(5).

    /etc/nologin
        If this file exists, sshd refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to log in, and non-root connections are refused. The file should be world-readable.

    /etc/shosts.equiv
        This file is used in exactly the same way as hosts.equiv, but allows host-based authentication without permitting login with rlogin/rsh.

    /etc/ssh/ssh_known_hosts
        Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. The format of this file is described above. This file should be writable only by root/the owner and should be world-readable.

    /etc/ssh/ssh_host_key
    /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_rsa_key
        These three files contain the private parts of the host keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that sshd does not start if these files are group/world-accessible.

    /etc/ssh/ssh_host_key.pub
    /etc/ssh/ssh_host_dsa_key.pub
    /etc/ssh/ssh_host_rsa_key.pub
        These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. Their contents should match the respective private parts. These files are not really used for anything; they are provided for the convenience of the user so their contents can be copied to known hosts files. These files are created using ssh-keygen(1).

    /etc/ssh/sshd_config
        Contains configuration data for sshd. The file format and configuration options are described in sshd_config(5).

    /etc/ssh/sshrc
        Similar to ~/.ssh/rc, it can be used to specify machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable.

    /var/empty
        chroot(2) directory used by sshd during privilege separation in the pre-authentication phase. The directory should not contain any files and must be owned by root and not group or world-writable.

    /var/run/sshd.pid
        Contains the process ID of the sshd listening for connections (if there are several daemons running concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable.

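    The StrictModes rule given for ~/.ssh/authorized_keys above is the usual reason a key that looks correct is silently refused. The script below is an added example, not part of OpenSSH: it reports each of the home directory, ~/.ssh and authorized_keys that is group- or world-writable or not owned by the user (accepting root as owner is OpenSSH's behaviour and an assumption of this example, not something the page states), applies the manual's "chmod go-w" fix, and checks again. It builds a throwaway home directory for itself so it can be run anywhere without touching a real account.

```python
"""StrictModes-style permission audit for authorized_keys (added example)."""
import os
import stat
import tempfile


def _strict_paths(home):
    return (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys"))


def strict_modes_problems(home, uid=None):
    """Reasons sshd with StrictModes enabled would refuse ~/.ssh/authorized_keys:
    any of the three paths writable by group or others, or not owned by the user.
    Root as owner is accepted, as OpenSSH does (assumption of this example)."""
    if uid is None:
        uid = os.getuid()
    problems = []
    for path in _strict_paths(home):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("%s: does not exist" % path)
            continue
        if st.st_uid not in (uid, 0):
            problems.append("%s: owned by uid %d, not the user" % (path, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: writable by group or others (mode %04o)"
                            % (path, stat.S_IMODE(st.st_mode)))
    return problems


def chmod_go_minus_w(home):
    """The manual's fix, 'chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys', as chmod calls."""
    for path in _strict_paths(home):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))


def run_demo():
    """Create a throwaway home with the permissions sshd objects to, apply the
    fix, and return the problem lists from before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "alice")
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        with open(keyfile, "w") as fh:
            fh.write("ssh-rsa AAAAPLACEHOLDER== alice@example.net\n")   # placeholder key
        os.chmod(home, 0o775)        # group-writable home directory
        os.chmod(ssh_dir, 0o700)     # already as recommended
        os.chmod(keyfile, 0o664)     # group-writable key file
        before = strict_modes_problems(home)
        chmod_go_minus_w(home)
        after = strict_modes_problems(home)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

    Run against a real account, strict_modes_problems(os.path.expanduser("~")) gives the same answer sshd's check would, which is quicker than reading the daemon's debug log after a failed login.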
SEE ALSO
    scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5), inetd(8), sftp-server(8)

AUTHORS
    OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation.

CAVEATS
    System security is not improved unless rshd, rlogind, and rexecd are disabled (thus completely disabling rlogin and rsh into the machine).

OpenBSD 4.0                        September 25, 1999