.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.201 2004/05/02 11:54:31 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.207 2005/04/21 06:17:50 djm Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
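Review bot: the .Dd line still reads "September 25, 1999" although this revision changes user-visible content (hashed known_hosts entries, the authorized_keys line limit, the removal of plain rhosts authentication); bump the .Dd date alongside the $OpenBSD$ id so the rendered page's footer reflects when it was last changed.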
Next, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
.Em .rhosts
-authentication,
-.Em .rhosts
authentication combined with RSA host
authentication, RSA challenge-response authentication, or password
based authentication.
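Review bot: dropping the standalone ".rhosts authentication," item is consistent with the removal of the rhosts paragraph further down, but the surviving sentence now reads ".rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, or password based authentication" with no connective between the first two items; check the rendered output and consider "using .rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, or password based authentication" reads as intended, and grep sshd_config.5 for any remaining RhostsAuthentication reference so the two pages agree.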
.Ql \&*NP\&*
).
.Pp
-.Em rhosts
-authentication is normally disabled
-because it is fundamentally insecure, but can be enabled in the server
-configuration file if desired.
-System security is not improved unless
.Nm rshd ,
.Nm rlogind ,
and
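Review bot: this hunk deletes "System security is not improved unless" but leaves ".Nm rshd ," ".Nm rlogind ," and "and" as unchanged context, so as shown the sentence's tail would remain in the file as a dangling fragment; make sure the remaining lines of that sentence (the rexecd clause and its "are disabled" ending) are removed in the same hunk, otherwise the rendered page ends the paragraph mid-sentence.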
prints last login time and
.Pa /etc/motd
(unless prevented in the configuration file or by
-.Pa $HOME/.hushlogin ;
+.Pa ~/.hushlogin ;
see the
.Sx FILES
section).
Sets up basic environment.
.It
Reads the file
-.Pa $HOME/.ssh/environment ,
+.Pa ~/.ssh/environment ,
if it exists, and users are allowed to change their environment.
See the
.Cm PermitUserEnvironment
Changes to user's home directory.
.It
If
-.Pa $HOME/.ssh/rc
+.Pa ~/.ssh/rc
exists, runs it; else if
.Pa /etc/ssh/sshrc
exists, runs
Runs user's shell or command.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
is the default file that lists the public keys that are
permitted for RSA authentication in protocol version 1
and for public key authentication (PubkeyAuthentication)
.Dq ssh-rsa .
.Pp
Note that lines in this file are usually several hundred bytes long
-(because of the size of the public key encoding).
+(because of the size of the public key encoding) up to a limit of
+8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
+keys up to 16 kilobits.
You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub
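Review bot: the new wording "several hundred bytes long (because of the size of the public key encoding) up to a limit of 8 kilobytes" reads as if the parenthetical explains the limit rather than the typical length; suggest splitting it, e.g. "Lines in this file are usually several hundred bytes long (because of the size of the public key encoding). Lines are limited to 8 kilobytes, which permits DSA keys up to 8 kilobits and RSA keys up to 16 kilobits." so a reader knows that longer keys are silently rejected by the line limit rather than merely discouraged.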
The
.Pa /etc/ssh/ssh_known_hosts
and
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
files contain host public keys for all known hosts.
The global file should
be prepared by the administrator (optional), and the per-user file is
pattern, it is not accepted (by that line) even if it matched another
pattern on the line.
.Pp
+Alternately, hostnames may be stored in a hashed form which hides host names
+and addresses should the file's contents be disclosed.
+Hashed hostnames start with a
+.Ql |
+character.
+Only one hashed hostname may appear on a single line and none of the above
+negation or wildcard operators may be applied.
+.Pp
Bits, exponent, and modulus are taken directly from the RSA host key; they
can be obtained, e.g., from
.Pa /etc/ssh/ssh_host_key.pub .
closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
.Ed
+.Bd -literal
+# A hashed hostname
+|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
+AAAA1234.....=
+.Ed
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
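Review bot: inside .Bd -literal the line break between "ssh-rsa" and "AAAA1234.....=" is rendered verbatim, so the hashed example appears as two lines and a reader may conclude the key material may continue on a following line, which it may not (one entry per line, and the text just above says only one hashed hostname may appear on a line). Keep the example on a single line, or add a comment line in the block noting that it is wrapped for display only.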
concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
-.It Pa $HOME/.ssh/authorized_keys
+.It Pa ~/.ssh/authorized_keys
Lists the public keys (RSA or DSA) that can be used to log into the user's account.
This file must be readable by root (which may on some machines imply
it being world-readable if the user's home directory resides on an NFS
.Pa id_rsa.pub
files into this file, as described in
.Xr ssh-keygen 1 .
-.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts"
+.It Pa "/etc/ssh/ssh_known_hosts", "~/.ssh/known_hosts"
These files are consulted when using rhosts with RSA host
authentication or protocol version 2 hostbased authentication
to check the public key of the host.
These files should be writable only by root/the owner.
.Pa /etc/ssh/ssh_known_hosts
should be world-readable, and
-.Pa $HOME/.ssh/known_hosts
+.Pa ~/.ssh/known_hosts
can, but need not be, world-readable.
+.It Pa /etc/motd
+See
+.Xr motd 5 .
+.It Pa ~/.hushlogin
+This file is used to suppress printing the last login time and
+.Pa /etc/motd ,
+if
+.Cm PrintLastLog
+and
+.Cm PrintMotd ,
+respectively,
+are enabled.
+It does not suppress printing of the banner specified by
+.Cm Banner .
.It Pa /etc/nologin
If this file exists,
.Nm
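Review bot: the new /etc/motd entry only says "See motd(5)"; since this FILES list is about what sshd does with each file, state that sshd prints it after a successful login when PrintMotd is enabled (the ~/.hushlogin entry right below already names PrintMotd, so the two entries can point at each other). The ~/.hushlogin text itself is clear, and noting that Banner is not suppressed is a useful caveat for sites that rely on the banner for a legal notice.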
Access controls that should be enforced by tcp-wrappers are defined here.
Further details are described in
.Xr hosts_access 5 .
-.It Pa $HOME/.rhosts
-This file contains host-username pairs, separated by a space, one per
+.It Pa ~/.rhosts
+This file is used during
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
+and contains host-username pairs, separated by a space, one per
line.
The given user on the corresponding host is permitted to log in
without a password.
Either host or user
name may be of the form +@groupname to specify all hosts or all users
in the group.
-.It Pa $HOME/.shosts
+.It Pa ~/.shosts
For ssh,
this file is exactly the same as for
.Pa .rhosts .
not used by rlogin and rshd, so using this permits access using SSH only.
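Review bot: the ~/.rhosts entry now says the file is used during RhostsRSAAuthentication and HostbasedAuthentication, yet the following sentence still says the given user "is permitted to log in without a password", which on its own reads like plain rhosts trust; align it with the /etc/hosts.equiv entry in this same patch ("successful client host key authentication is required") by adding that the client host's key must also verify, so nobody reads ~/.rhosts as sufficient by itself.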
.It Pa /etc/hosts.equiv
This file is used during
-.Em rhosts
+.Cm RhostsRSAAuthentication
+and
+.Cm HostbasedAuthentication
authentication.
In the simplest form, this file contains host names, one per line.
Users on
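Review bot: replacing ".Em rhosts" with the two .Cm option names leaves the unchanged next line "authentication." in place, so the rendered text reads "used during RhostsRSAAuthentication and HostbasedAuthentication authentication."; drop the trailing "authentication." or reword to "This file is used during RhostsRSAAuthentication and HostbasedAuthentication." (the .rhosts entry above already uses that shorter form).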
If the client host/user is successfully matched in this file, login is
automatically permitted provided the client and server user names are the
same.
-Additionally, successful RSA host authentication is normally required.
+Additionally, successful client host key authentication is required.
This file must be writable only by root; it is recommended
that it be world-readable.
.Pp
.Pa /etc/hosts.equiv .
However, this file may be useful in environments that want to run both
rsh/rlogin and ssh.
-.It Pa $HOME/.ssh/environment
+.It Pa ~/.ssh/environment
This file is read into the environment at login (if it exists).
It can only contain empty lines, comment lines (that start with
.Ql # ) ,
controlled via the
.Cm PermitUserEnvironment
option.
-.It Pa $HOME/.ssh/rc
+.It Pa ~/.ssh/rc
If this file exists, it is run with
.Pa /bin/sh
after reading the
readable by anyone else.
.It Pa /etc/ssh/sshrc
Like
-.Pa $HOME/.ssh/rc .
+.Pa ~/.ssh/rc .
This can be used to specify
machine-specific login-time initializations globally.
This file should be writable only by root, and should be world-readable.