xref: /freebsd/crypto/openssh/sshd.8 (revision 3332f1b444d4a73238e9f59cca27bfc95fe936bd)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
37.\" $FreeBSD$
38.Dd $Mdocdate: July 30 2021 $
39.Dt SSHD 8
40.Os
41.Sh NAME
42.Nm sshd
43.Nd OpenSSH daemon
44.Sh SYNOPSIS
45.Nm sshd
46.Bk -words
47.Op Fl 46DdeiqTt
48.Op Fl C Ar connection_spec
49.Op Fl c Ar host_certificate_file
50.Op Fl E Ar log_file
51.Op Fl f Ar config_file
52.Op Fl g Ar login_grace_time
53.Op Fl h Ar host_key_file
54.Op Fl o Ar option
55.Op Fl p Ar port
56.Op Fl u Ar len
57.Ek
58.Sh DESCRIPTION
59.Nm
60(OpenSSH Daemon) is the daemon program for
61.Xr ssh 1 .
62It provides secure encrypted communications between two untrusted hosts
63over an insecure network.
64.Pp
65.Nm
66listens for connections from clients.
67It is normally started at boot from
68.Pa /etc/rc.d/sshd .
69It forks a new
70daemon for each incoming connection.
71The forked daemons handle
72key exchange, encryption, authentication, command execution,
73and data exchange.
74.Pp
75.Nm
76can be configured using command-line options or a configuration file
77(by default
78.Xr sshd_config 5 ) ;
79command-line options override values specified in the
80configuration file.
81.Nm
82rereads its configuration file when it receives a hangup signal,
83.Dv SIGHUP ,
84by executing itself with the name and options it was started with, e.g.\&
85.Pa /usr/sbin/sshd .
86.Pp
87The options are as follows:
88.Bl -tag -width Ds
89.It Fl 4
90Forces
91.Nm
92to use IPv4 addresses only.
93.It Fl 6
94Forces
95.Nm
96to use IPv6 addresses only.
97.It Fl C Ar connection_spec
98Specify the connection parameters to use for the
99.Fl T
100extended test mode.
101If provided, any
102.Cm Match
103directives in the configuration file that would apply are applied before the
104configuration is written to standard output.
105The connection parameters are supplied as keyword=value pairs and may be
106supplied in any order, either with multiple
107.Fl C
108options or as a comma-separated list.
109The keywords are
110.Dq addr ,
111.Dq user ,
112.Dq host ,
113.Dq laddr ,
114.Dq lport ,
115and
116.Dq rdomain
117and correspond to source address, user, resolved source host name,
118local address, local port number and routing domain respectively.
119.It Fl c Ar host_certificate_file
120Specifies a path to a certificate file to identify
121.Nm
122during key exchange.
123The certificate file must match a host key file specified using the
124.Fl h
125option or the
126.Cm HostKey
127configuration directive.
128.It Fl D
129When this option is specified,
130.Nm
131will not detach and does not become a daemon.
132This allows easy monitoring of
133.Nm sshd .
134.It Fl d
135Debug mode.
136The server sends verbose debug output to standard error,
137and does not put itself in the background.
138The server also will not
139.Xr fork 2
140and will only process one connection.
141This option is only intended for debugging for the server.
142Multiple
143.Fl d
144options increase the debugging level.
145Maximum is 3.
146.It Fl E Ar log_file
147Append debug logs to
148.Ar log_file
149instead of the system log.
150.It Fl e
151Write debug logs to standard error instead of the system log.
152.It Fl f Ar config_file
153Specifies the name of the configuration file.
154The default is
155.Pa /etc/ssh/sshd_config .
156.Nm
157refuses to start if there is no configuration file.
158.It Fl g Ar login_grace_time
159Gives the grace time for clients to authenticate themselves (default
160120 seconds).
161If the client fails to authenticate the user within
162this many seconds, the server disconnects and exits.
163A value of zero indicates no limit.
164.It Fl h Ar host_key_file
165Specifies a file from which a host key is read.
166This option must be given if
167.Nm
168is not run as root (as the normal
169host key files are normally not readable by anyone but root).
170The default is
171.Pa /etc/ssh/ssh_host_ecdsa_key ,
172.Pa /etc/ssh/ssh_host_ed25519_key
173and
174.Pa /etc/ssh/ssh_host_rsa_key .
175It is possible to have multiple host key files for
176the different host key algorithms.
177.It Fl i
178Specifies that
179.Nm
180is being run from
181.Xr inetd 8 .
182.It Fl o Ar option
183Can be used to give options in the format used in the configuration file.
184This is useful for specifying options for which there is no separate
185command-line flag.
186For full details of the options, and their values, see
187.Xr sshd_config 5 .
188.It Fl p Ar port
189Specifies the port on which the server listens for connections
190(default 22).
191Multiple port options are permitted.
192Ports specified in the configuration file with the
193.Cm Port
194option are ignored when a command-line port is specified.
195Ports specified using the
196.Cm ListenAddress
197option override command-line ports.
198.It Fl q
199Quiet mode.
200Nothing is sent to the system log.
201Normally the beginning,
202authentication, and termination of each connection is logged.
203.It Fl T
204Extended test mode.
205Check the validity of the configuration file, output the effective configuration
206to stdout and then exit.
207Optionally,
208.Cm Match
209rules may be applied by specifying the connection parameters using one or more
210.Fl C
211options.
212.It Fl t
213Test mode.
214Only check the validity of the configuration file and sanity of the keys.
215This is useful for updating
216.Nm
217reliably as configuration options may change.
218.It Fl u Ar len
219This option is used to specify the size of the field
220in the
221.Li utmp
222structure that holds the remote host name.
223If the resolved host name is longer than
224.Ar len ,
225the dotted decimal value will be used instead.
226This allows hosts with very long host names that
227overflow this field to still be uniquely identified.
228Specifying
229.Fl u0
230indicates that only dotted decimal addresses
231should be put into the
232.Pa utmp
233file.
234.Fl u0
235may also be used to prevent
236.Nm
237from making DNS requests unless the authentication
238mechanism or configuration requires it.
239Authentication mechanisms that may require DNS include
240.Cm HostbasedAuthentication
241and using a
242.Cm from="pattern-list"
243option in a key file.
244Configuration options that require DNS include using a
245USER@HOST pattern in
246.Cm AllowUsers
247or
248.Cm DenyUsers .
249.El
250.Sh AUTHENTICATION
251The OpenSSH SSH daemon supports SSH protocol 2 only.
252Each host has a host-specific key,
253used to identify the host.
254Whenever a client connects, the daemon responds with its public
255host key.
256The client compares the
257host key against its own database to verify that it has not changed.
258Forward secrecy is provided through a Diffie-Hellman key agreement.
259This key agreement results in a shared session key.
260The rest of the session is encrypted using a symmetric cipher.
261The client selects the encryption algorithm
262to use from those offered by the server.
263Additionally, session integrity is provided
264through a cryptographic message authentication code (MAC).
265.Pp
266Finally, the server and the client enter an authentication dialog.
267The client tries to authenticate itself using
268host-based authentication,
269public key authentication,
270challenge-response authentication,
271or password authentication.
272.Pp
273Regardless of the authentication type, the account is checked to
274ensure that it is accessible.  An account is not accessible if it is
275locked, listed in
276.Cm DenyUsers
277or its group is listed in
278.Cm DenyGroups
279\&.  The definition of a locked account is system dependent. Some platforms
280have their own account database (eg AIX) and some modify the passwd field (
281.Ql \&*LK\&*
282on Solaris and UnixWare,
283.Ql \&*
284on HP-UX, containing
285.Ql Nologin
286on Tru64,
287a leading
288.Ql \&*LOCKED\&*
289on FreeBSD and a leading
290.Ql \&!
291on most Linuxes).
292If there is a requirement to disable password authentication
293for the account while allowing still public-key, then the passwd field
294should be set to something other than these values (eg
295.Ql NP
296or
297.Ql \&*NP\&*
298).
299.Pp
300If the client successfully authenticates itself, a dialog for
301preparing the session is entered.
302At this time the client may request
303things like allocating a pseudo-tty, forwarding X11 connections,
304forwarding TCP connections, or forwarding the authentication agent
305connection over the secure channel.
306.Pp
307After this, the client either requests a shell or execution of a command.
308The sides then enter session mode.
309In this mode, either side may send
310data at any time, and such data is forwarded to/from the shell or
311command on the server side, and the user terminal in the client side.
312.Pp
313When the user program terminates and all forwarded X11 and other
314connections have been closed, the server sends command exit status to
315the client, and both sides exit.
316.Sh LOGIN PROCESS
317When a user successfully logs in,
318.Nm
319does the following:
320.Bl -enum -offset indent
321.It
322If the login is on a tty, and no command has been specified,
323prints last login time and
324.Pa /etc/motd
325(unless prevented in the configuration file or by
326.Pa ~/.hushlogin ;
327see the
328.Sx FILES
329section).
330.It
331If the login is on a tty, records login time.
332.It
333Checks
334.Pa /etc/nologin and
335.Pa /var/run/nologin ;
336if one exists, it prints the contents and quits
337(unless root).
338.It
339Changes to run with normal user privileges.
340.It
341Sets up basic environment.
342.It
343Reads the file
344.Pa ~/.ssh/environment ,
345if it exists, and users are allowed to change their environment.
346See the
347.Cm PermitUserEnvironment
348option in
349.Xr sshd_config 5 .
350.It
351Changes to user's home directory.
352.It
353If
354.Pa ~/.ssh/rc
355exists and the
356.Xr sshd_config 5
357.Cm PermitUserRC
358option is set, runs it; else if
359.Pa /etc/ssh/sshrc
360exists, runs
361it; otherwise runs
362.Xr xauth 1 .
363The
364.Dq rc
365files are given the X11
366authentication protocol and cookie in standard input.
367See
368.Sx SSHRC ,
369below.
370.It
371Runs user's shell or command.
372All commands are run under the user's login shell as specified in the
373system password database.
374.El
375.Sh SSHRC
376If the file
377.Pa ~/.ssh/rc
378exists,
379.Xr sh 1
380runs it after reading the
381environment files but before starting the user's shell or command.
382It must not produce any output on stdout; stderr must be used
383instead.
384If X11 forwarding is in use, it will receive the "proto cookie" pair in
385its standard input (and
386.Ev DISPLAY
387in its environment).
388The script must call
389.Xr xauth 1
390because
391.Nm
392will not run xauth automatically to add X11 cookies.
393.Pp
394The primary purpose of this file is to run any initialization routines
395which may be needed before the user's home directory becomes
396accessible; AFS is a particular example of such an environment.
397.Pp
398This file will probably contain some initialization code followed by
399something similar to:
400.Bd -literal -offset 3n
401if read proto cookie && [ -n "$DISPLAY" ]; then
402	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
403		# X11UseLocalhost=yes
404		echo add unix:`echo $DISPLAY |
405		    cut -c11-` $proto $cookie
406	else
407		# X11UseLocalhost=no
408		echo add $DISPLAY $proto $cookie
409	fi | xauth -q -
410fi
411.Ed
412.Pp
413If this file does not exist,
414.Pa /etc/ssh/sshrc
415is run, and if that
416does not exist either, xauth is used to add the cookie.
417.Sh AUTHORIZED_KEYS FILE FORMAT
418.Cm AuthorizedKeysFile
419specifies the files containing public keys for
420public key authentication;
421if this option is not specified, the default is
422.Pa ~/.ssh/authorized_keys
423and
424.Pa ~/.ssh/authorized_keys2 .
425Each line of the file contains one
426key (empty lines and lines starting with a
427.Ql #
428are ignored as
429comments).
430Public keys consist of the following space-separated fields:
431options, keytype, base64-encoded key, comment.
432The options field is optional.
433The supported key types are:
434.Pp
435.Bl -item -compact -offset indent
436.It
437sk-ecdsa-sha2-nistp256@openssh.com
438.It
439ecdsa-sha2-nistp256
440.It
441ecdsa-sha2-nistp384
442.It
443ecdsa-sha2-nistp521
444.It
445sk-ssh-ed25519@openssh.com
446.It
447ssh-ed25519
448.It
449ssh-dss
450.It
451ssh-rsa
452.El
453.Pp
454The comment field is not used for anything (but may be convenient for the
455user to identify the key).
456.Pp
457Note that lines in this file can be several hundred bytes long
458(because of the size of the public key encoding) up to a limit of
4598 kilobytes, which permits RSA keys up to 16 kilobits.
460You don't want to type them in; instead, copy the
461.Pa id_dsa.pub ,
462.Pa id_ecdsa.pub ,
463.Pa id_ecdsa_sk.pub ,
464.Pa id_ed25519.pub ,
465.Pa id_ed25519_sk.pub ,
466or the
467.Pa id_rsa.pub
468file and edit it.
469.Pp
470.Nm
471enforces a minimum RSA key modulus size of 1024 bits.
472.Pp
473The options (if present) consist of comma-separated option
474specifications.
475No spaces are permitted, except within double quotes.
476The following option specifications are supported (note
477that option keywords are case-insensitive):
478.Bl -tag -width Ds
479.It Cm agent-forwarding
480Enable authentication agent forwarding previously disabled by the
481.Cm restrict
482option.
483.It Cm cert-authority
484Specifies that the listed key is a certification authority (CA) that is
485trusted to validate signed certificates for user authentication.
486.Pp
487Certificates may encode access restrictions similar to these key options.
488If both certificate restrictions and key options are present, the most
489restrictive union of the two is applied.
490.It Cm command="command"
491Specifies that the command is executed whenever this key is used for
492authentication.
493The command supplied by the user (if any) is ignored.
494The command is run on a pty if the client requests a pty;
495otherwise it is run without a tty.
496If an 8-bit clean channel is required,
497one must not request a pty or should specify
498.Cm no-pty .
499A quote may be included in the command by quoting it with a backslash.
500.Pp
501This option might be useful
502to restrict certain public keys to perform just a specific operation.
503An example might be a key that permits remote backups but nothing else.
504Note that the client may specify TCP and/or X11
505forwarding unless they are explicitly prohibited, e.g. using the
506.Cm restrict
507key option.
508.Pp
509The command originally supplied by the client is available in the
510.Ev SSH_ORIGINAL_COMMAND
511environment variable.
512Note that this option applies to shell, command or subsystem execution.
513Also note that this command may be superseded by a
514.Xr sshd_config 5
515.Cm ForceCommand
516directive.
517.Pp
518If a command is specified and a forced-command is embedded in a certificate
519used for authentication, then the certificate will be accepted only if the
520two commands are identical.
521.It Cm environment="NAME=value"
522Specifies that the string is to be added to the environment when
523logging in using this key.
524Environment variables set this way
525override other default environment values.
526Multiple options of this type are permitted.
527Environment processing is disabled by default and is
528controlled via the
529.Cm PermitUserEnvironment
530option.
531.It Cm expiry-time="timespec"
532Specifies a time after which the key will not be accepted.
533The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time
534in the system time-zone.
535.It Cm from="pattern-list"
536Specifies that in addition to public key authentication, either the canonical
537name of the remote host or its IP address must be present in the
538comma-separated list of patterns.
539See PATTERNS in
540.Xr ssh_config 5
541for more information on patterns.
542.Pp
543In addition to the wildcard matching that may be applied to hostnames or
544addresses, a
545.Cm from
546stanza may match IP addresses using CIDR address/masklen notation.
547.Pp
548The purpose of this option is to optionally increase security: public key
549authentication by itself does not trust the network or name servers or
550anything (but the key); however, if somebody somehow steals the key, the key
551permits an intruder to log in from anywhere in the world.
552This additional option makes using a stolen key more difficult (name
553servers and/or routers would have to be compromised in addition to
554just the key).
555.It Cm no-agent-forwarding
556Forbids authentication agent forwarding when this key is used for
557authentication.
558.It Cm no-port-forwarding
559Forbids TCP forwarding when this key is used for authentication.
560Any port forward requests by the client will return an error.
561This might be used, e.g. in connection with the
562.Cm command
563option.
564.It Cm no-pty
565Prevents tty allocation (a request to allocate a pty will fail).
566.It Cm no-user-rc
567Disables execution of
568.Pa ~/.ssh/rc .
569.It Cm no-X11-forwarding
570Forbids X11 forwarding when this key is used for authentication.
571Any X11 forward requests by the client will return an error.
572.It Cm permitlisten="[host:]port"
573Limit remote port forwarding with the
574.Xr ssh 1
575.Fl R
576option such that it may only listen on the specified host (optional) and port.
577IPv6 addresses can be specified by enclosing the address in square brackets.
578Multiple
579.Cm permitlisten
580options may be applied separated by commas.
581Hostnames may include wildcards as described in the PATTERNS section in
582.Xr ssh_config 5 .
583A port specification of
584.Cm *
585matches any port.
586Note that the setting of
587.Cm GatewayPorts
588may further restrict listen addresses.
589Note that
590.Xr ssh 1
591will send a hostname of
592.Dq localhost
593if a listen host was not specified when the forwarding was requested, and
594that this name is treated differently to the explicit localhost addresses
595.Dq 127.0.0.1
596and
597.Dq ::1 .
598.It Cm permitopen="host:port"
599Limit local port forwarding with the
600.Xr ssh 1
601.Fl L
602option such that it may only connect to the specified host and port.
603IPv6 addresses can be specified by enclosing the address in square brackets.
604Multiple
605.Cm permitopen
606options may be applied separated by commas.
607No pattern matching or name lookup is performed on the
608specified hostnames, they must be literal host names and/or addresses.
609A port specification of
610.Cm *
611matches any port.
612.It Cm port-forwarding
613Enable port forwarding previously disabled by the
614.Cm restrict
615option.
616.It Cm principals="principals"
617On a
618.Cm cert-authority
619line, specifies allowed principals for certificate authentication as a
620comma-separated list.
621At least one name from the list must appear in the certificate's
622list of principals for the certificate to be accepted.
623This option is ignored for keys that are not marked as trusted certificate
624signers using the
625.Cm cert-authority
626option.
627.It Cm pty
628Permits tty allocation previously disabled by the
629.Cm restrict
630option.
631.It Cm no-touch-required
632Do not require demonstration of user presence
633for signatures made using this key.
634This option only makes sense for the FIDO authenticator algorithms
635.Cm ecdsa-sk
636and
637.Cm ed25519-sk .
638.It Cm verify-required
639Require that signatures made using this key attest that they verified
640the user, e.g. via a PIN.
641This option only makes sense for the FIDO authenticator algorithms
642.Cm ecdsa-sk
643and
644.Cm ed25519-sk .
645.It Cm restrict
646Enable all restrictions, i.e. disable port, agent and X11 forwarding,
647as well as disabling PTY allocation
648and execution of
649.Pa ~/.ssh/rc .
650If any future restriction capabilities are added to authorized_keys files
651they will be included in this set.
652.It Cm tunnel="n"
653Force a
654.Xr tun 4
655device on the server.
656Without this option, the next available device will be used if
657the client requests a tunnel.
658.It Cm user-rc
659Enables execution of
660.Pa ~/.ssh/rc
661previously disabled by the
662.Cm restrict
663option.
664.It Cm X11-forwarding
665Permits X11 forwarding previously disabled by the
666.Cm restrict
667option.
668.El
669.Pp
670An example authorized_keys file:
671.Bd -literal -offset 3n
672# Comments are allowed at start of line. Blank lines are allowed.
673# Plain key, no restrictions
674ssh-rsa ...
675# Forced command, disable PTY and all forwarding
676restrict,command="dump /home" ssh-rsa ...
677# Restriction of ssh -L forwarding destinations
678permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-rsa ...
679# Restriction of ssh -R forwarding listeners
680permitlisten="localhost:8080",permitlisten="[::1]:22000" ssh-rsa ...
681# Configuration for tunnel forwarding
682tunnel="0",command="sh /etc/netstart tun0" ssh-rsa ...
683# Override of restriction to allow PTY allocation
684restrict,pty,command="nethack" ssh-rsa ...
685# Allow FIDO key without requiring touch
686no-touch-required sk-ecdsa-sha2-nistp256@openssh.com ...
687# Require user-verification (e.g. PIN or biometric) for FIDO key
688verify-required sk-ecdsa-sha2-nistp256@openssh.com ...
689# Trust CA key, allow touch-less FIDO if requested in certificate
690cert-authority,no-touch-required,principals="user_a" ssh-rsa ...
691.Ed
692.Sh SSH_KNOWN_HOSTS FILE FORMAT
693The
694.Pa /etc/ssh/ssh_known_hosts
695and
696.Pa ~/.ssh/known_hosts
697files contain host public keys for all known hosts.
698The global file should
699be prepared by the administrator (optional), and the per-user file is
700maintained automatically: whenever the user connects to an unknown host,
701its key is added to the per-user file.
702.Pp
703Each line in these files contains the following fields: marker (optional),
704hostnames, keytype, base64-encoded key, comment.
705The fields are separated by spaces.
706.Pp
707The marker is optional, but if it is present then it must be one of
708.Dq @cert-authority ,
709to indicate that the line contains a certification authority (CA) key,
710or
711.Dq @revoked ,
712to indicate that the key contained on the line is revoked and must not ever
713be accepted.
714Only one marker should be used on a key line.
715.Pp
716Hostnames is a comma-separated list of patterns
717.Pf ( Ql *
718and
719.Ql \&?
720act as
721wildcards); each pattern in turn is matched against the host name.
722When
723.Nm sshd
724is authenticating a client, such as when using
725.Cm HostbasedAuthentication ,
726this will be the canonical client host name.
727When
728.Xr ssh 1
729is authenticating a server, this will be the host name
730given by the user, the value of the
731.Xr ssh 1
732.Cm HostkeyAlias
733if it was specified, or the canonical server hostname if the
734.Xr ssh 1
735.Cm CanonicalizeHostname
736option was used.
737.Pp
738A pattern may also be preceded by
739.Ql \&!
740to indicate negation: if the host name matches a negated
741pattern, it is not accepted (by that line) even if it matched another
742pattern on the line.
743A hostname or address may optionally be enclosed within
744.Ql \&[
745and
746.Ql \&]
747brackets then followed by
748.Ql \&:
749and a non-standard port number.
750.Pp
751Alternately, hostnames may be stored in a hashed form which hides host names
752and addresses should the file's contents be disclosed.
753Hashed hostnames start with a
754.Ql |
755character.
756Only one hashed hostname may appear on a single line and none of the above
757negation or wildcard operators may be applied.
758.Pp
759The keytype and base64-encoded key are taken directly from the host key; they
760can be obtained, for example, from
761.Pa /etc/ssh/ssh_host_rsa_key.pub .
762The optional comment field continues to the end of the line, and is not used.
763.Pp
764Lines starting with
765.Ql #
766and empty lines are ignored as comments.
767.Pp
768When performing host authentication, authentication is accepted if any
769matching line has the proper key; either one that matches exactly or,
770if the server has presented a certificate for authentication, the key
771of the certification authority that signed the certificate.
772For a key to be trusted as a certification authority, it must use the
773.Dq @cert-authority
774marker described above.
775.Pp
776The known hosts file also provides a facility to mark keys as revoked,
777for example when it is known that the associated private key has been
778stolen.
779Revoked keys are specified by including the
780.Dq @revoked
781marker at the beginning of the key line, and are never accepted for
782authentication or as certification authorities, but instead will
783produce a warning from
784.Xr ssh 1
785when they are encountered.
786.Pp
787It is permissible (but not
788recommended) to have several lines or different host keys for the same
789names.
790This will inevitably happen when short forms of host names
791from different domains are put in the file.
792It is possible
793that the files contain conflicting information; authentication is
794accepted if valid information can be found from either file.
795.Pp
796Note that the lines in these files are typically hundreds of characters
797long, and you definitely don't want to type in the host keys by hand.
798Rather, generate them by a script,
799.Xr ssh-keyscan 1
800or by taking, for example,
801.Pa /etc/ssh/ssh_host_rsa_key.pub
802and adding the host names at the front.
803.Xr ssh-keygen 1
804also offers some basic automated editing for
805.Pa ~/.ssh/known_hosts
806including removing hosts matching a host name and converting all host
807names to their hashed representations.
808.Pp
809An example ssh_known_hosts file:
810.Bd -literal -offset 3n
811# Comments allowed at start of line
812closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
813cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
814# A hashed hostname
815|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
816AAAA1234.....=
817# A revoked key
818@revoked * ssh-rsa AAAAB5W...
819# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
820@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
821.Ed
822.Sh FILES
823.Bl -tag -width Ds -compact
824.It Pa ~/.hushlogin
825This file is used to suppress printing the last login time and
826.Pa /etc/motd ,
827if
828.Cm PrintLastLog
829and
830.Cm PrintMotd ,
831respectively,
832are enabled.
833It does not suppress printing of the banner specified by
834.Cm Banner .
835.Pp
836.It Pa ~/.rhosts
837This file is used for host-based authentication (see
838.Xr ssh 1
839for more information).
840On some machines this file may need to be
841world-readable if the user's home directory is on an NFS partition,
842because
843.Nm
844reads it as root.
845Additionally, this file must be owned by the user,
846and must not have write permissions for anyone else.
847The recommended
848permission for most machines is read/write for the user, and not
849accessible by others.
850.Pp
851.It Pa ~/.shosts
852This file is used in exactly the same way as
853.Pa .rhosts ,
854but allows host-based authentication without permitting login with
855rlogin/rsh.
856.Pp
857.It Pa ~/.ssh/
858This directory is the default location for all user-specific configuration
859and authentication information.
860There is no general requirement to keep the entire contents of this directory
861secret, but the recommended permissions are read/write/execute for the user,
862and not accessible by others.
863.Pp
864.It Pa ~/.ssh/authorized_keys
865Lists the public keys (DSA, ECDSA, Ed25519, RSA)
866that can be used for logging in as this user.
867The format of this file is described above.
868The content of the file is not highly sensitive, but the recommended
869permissions are read/write for the user, and not accessible by others.
870.Pp
871If this file, the
872.Pa ~/.ssh
873directory, or the user's home directory are writable
874by other users, then the file could be modified or replaced by unauthorized
875users.
876In this case,
877.Nm
878will not allow it to be used unless the
879.Cm StrictModes
880option has been set to
881.Dq no .
882.Pp
883.It Pa ~/.ssh/environment
884This file is read into the environment at login (if it exists).
885It can only contain empty lines, comment lines (that start with
886.Ql # ) ,
887and assignment lines of the form name=value.
888The file should be writable
889only by the user; it need not be readable by anyone else.
890Environment processing is disabled by default and is
891controlled via the
892.Cm PermitUserEnvironment
893option.
894.Pp
895.It Pa ~/.ssh/known_hosts
896Contains a list of host keys for all hosts the user has logged into
897that are not already in the systemwide list of known host keys.
898The format of this file is described above.
899This file should be writable only by root/the owner and
900can, but need not be, world-readable.
901.Pp
902.It Pa ~/.ssh/rc
903Contains initialization routines to be run before
904the user's home directory becomes accessible.
905This file should be writable only by the user, and need not be
906readable by anyone else.
907.Pp
908.It Pa /etc/hosts.allow
909.It Pa /etc/hosts.deny
910Access controls that should be enforced by tcp-wrappers are defined here.
911Further details are described in
912.Xr hosts_access 5 .
913.Pp
914.It Pa /etc/hosts.equiv
915This file is for host-based authentication (see
916.Xr ssh 1 ) .
917It should only be writable by root.
918.Pp
919.It Pa /etc/moduli
920Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
921key exchange method.
922The file format is described in
923.Xr moduli 5 .
924If no usable groups are found in this file then fixed internal groups will
925be used.
926.Pp
927.It Pa /etc/motd
928See
929.Xr motd 5 .
930.Pp
931.It Pa /etc/nologin
932If this file exists,
933.Nm
934refuses to let anyone except root log in.
935The contents of the file
936are displayed to anyone trying to log in, and non-root connections are
937refused.
938The file should be world-readable.
939.Pp
940.It Pa /etc/shosts.equiv
941This file is used in exactly the same way as
942.Pa hosts.equiv ,
943but allows host-based authentication without permitting login with
944rlogin/rsh.
945.Pp
946.It Pa /etc/ssh/ssh_host_ecdsa_key
947.It Pa /etc/ssh/ssh_host_ed25519_key
948.It Pa /etc/ssh/ssh_host_rsa_key
949These files contain the private parts of the host keys.
950These files should only be owned by root, readable only by root, and not
951accessible to others.
952Note that
953.Nm
954does not start if these files are group/world-accessible.
955.Pp
956.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
957.It Pa /etc/ssh/ssh_host_ed25519_key.pub
958.It Pa /etc/ssh/ssh_host_rsa_key.pub
959These files contain the public parts of the host keys.
960These files should be world-readable but writable only by
961root.
962Their contents should match the respective private parts.
963These files are not
964really used for anything; they are provided for the convenience of
965the user so their contents can be copied to known hosts files.
966These files are created using
967.Xr ssh-keygen 1 .
968.Pp
969.It Pa /etc/ssh/ssh_known_hosts
970Systemwide list of known host keys.
971This file should be prepared by the
972system administrator to contain the public host keys of all machines in the
973organization.
974The format of this file is described above.
975This file should be writable only by root/the owner and
976should be world-readable.
977.Pp
978.It Pa /etc/ssh/sshd_config
979Contains configuration data for
980.Nm sshd .
981The file format and configuration options are described in
982.Xr sshd_config 5 .
983.Pp
984.It Pa /etc/ssh/sshrc
985Similar to
986.Pa ~/.ssh/rc ,
987it can be used to specify
988machine-specific login-time initializations globally.
989This file should be writable only by root, and should be world-readable.
990.Pp
991.It Pa /var/empty
992.Xr chroot 2
993directory used by
994.Nm
995during privilege separation in the pre-authentication phase.
996The directory should not contain any files and must be owned by root
997and not group or world-writable.
998.Pp
999.It Pa /var/run/sshd.pid
1000Contains the process ID of the
1001.Nm
1002listening for connections (if there are several daemons running
1003concurrently for different ports, this contains the process ID of the one
1004started last).
1005The content of this file is not sensitive; it can be world-readable.
1006.El
1007.Sh SEE ALSO
1008.Xr scp 1 ,
1009.Xr sftp 1 ,
1010.Xr ssh 1 ,
1011.Xr ssh-add 1 ,
1012.Xr ssh-agent 1 ,
1013.Xr ssh-keygen 1 ,
1014.Xr ssh-keyscan 1 ,
1015.Xr chroot 2 ,
1016.Xr hosts_access 5 ,
1017.Xr login.conf 5 ,
1018.Xr moduli 5 ,
1019.Xr sshd_config 5 ,
1020.Xr inetd 8 ,
1021.Xr sftp-server 8
1022.Sh AUTHORS
1023OpenSSH is a derivative of the original and free
1024ssh 1.2.12 release by Tatu Ylonen.
1025Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1026Theo de Raadt and Dug Song
1027removed many bugs, re-added newer features and
1028created OpenSSH.
1029Markus Friedl contributed the support for SSH
1030protocol versions 1.5 and 2.0.
1031Niels Provos and Markus Friedl contributed support
1032for privilege separation.
1033