.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.229 2006/02/24 10:39:52 jmc Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
+.Dd $Mdocdate$
.Dt SSHD 8
.Os
.Sh NAME
.Nm
(OpenSSH Daemon) is the daemon program for
.Xr ssh 1 .
-Together these programs replace rlogin and rsh, and
-provide secure encrypted communications between two untrusted hosts
+Together these programs replace
+.Xr rlogin 1
+and
+.Xr rsh 1 ,
+and provide secure encrypted communications between two untrusted hosts
over an insecure network.
.Pp
.Nm
.Nm
rereads its configuration file when it receives a hangup signal,
.Dv SIGHUP ,
-by executing itself with the name and options it was started with, e.g.,
+by executing itself with the name and options it was started with, e.g.\&
.Pa /usr/sbin/sshd .
.Pp
The options are as follows:
When this option is specified,
.Nm
will send the output to the standard error instead of the system log.
-.It Fl f Ar configuration_file
+.It Fl f Ar config_file
Specifies the name of the configuration file.
The default is
.Pa /etc/ssh/sshd_config .
from inetd because it needs to generate the server key before it can
respond to the client, and this may take tens of seconds.
Clients would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g., 512) using
+However, with small key sizes (e.g. 512) using
.Nm
from inetd may
be feasible.
to use from those offered by the server.
Additionally, session integrity is provided
through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
+(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
.Pp
Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
a leading
.Ql \&*LOCKED\&*
on FreeBSD and a leading
-.Ql \&!!
-on Linux). If there is a requirement to disable password authentication
+.Ql \&!
+on most Linuxes).
+If there is a requirement to disable password authentication
for the account while allowing still public-key, then the passwd field
should be set to something other than these values (eg
.Ql NP
An example might be a key that permits remote backups but nothing else.
Note that the client may specify TCP and/or X11
forwarding unless they are explicitly prohibited.
+The command originally supplied by the client is available in the
+.Ev SSH_ORIGINAL_COMMAND
+environment variable.
Note that this option applies to shell, command or subsystem execution.
.It Cm environment="NAME=value"
Specifies that the string is to be added to the environment when
.It Cm no-port-forwarding
Forbids TCP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error.
-This might be used, e.g., in connection with the
+This might be used, e.g. in connection with the
.Cm command
option.
.It Cm no-pty
to indicate negation: if the host name matches a negated
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
+A hostname or address may optionally be enclosed within
+.Ql \&[
+and
+.Ql \&]
+brackets then followed by
+.Ql \&:
+and a non-standard port number.
.Pp
Alternately, hostnames may be stored in a hashed form which hides host names
and addresses should the file's contents be disclosed.
.It ~/.ssh/authorized_keys
Lists the public keys (RSA/DSA) that can be used for logging in as this user.
The format of this file is described above.
-This file is not highly sensitive, but the recommended
+The content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
.Pp
+If this file, the
+.Pa ~/.ssh
+directory, or the user's home directory are writable
+by other users, then the file could be modified or replaced by unauthorized
+users.
+In this case,
+.Nm
+will not allow it to be used unless the
+.Cm StrictModes
+option has been set to
+.Dq no .
+The recommended permissions can be set by executing
+.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys .
+.Pp
.It ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-The format of this file is described above.
-This file should be writable only by root/the owner and
-should be world-readable.
-.Pp
.It /etc/ssh/ssh_host_key
.It /etc/ssh/ssh_host_dsa_key
.It /etc/ssh/ssh_host_rsa_key
These files are created using
.Xr ssh-keygen 1 .
.Pp
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+The format of this file is described above.
+This file should be writable only by root/the owner and
+should be world-readable.
+.Pp
.It /etc/ssh/sshd_config
Contains configuration data for
.Nm sshd .
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
+.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
.Xr login.conf 5 ,
andersk / openssh.git / blobdiff