xref: /freebsd/crypto/openssh/sshd.8 (revision 3a92d97ff0f22d21608e1c19b83104c4937523b6)
1.\"
2.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4.\"                    All rights reserved
5.\"
6.\" As far as I am concerned, the code I have written for this software
7.\" can be used freely for any purpose.  Any derived versions of this
8.\" software must be clearly marked as such, and if the derived work is
9.\" incompatible with the protocol description in the RFC file, it must be
10.\" called by a name other than "ssh" or "Secure Shell".
11.\"
12.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15.\"
16.\" Redistribution and use in source and binary forms, with or without
17.\" modification, are permitted provided that the following conditions
18.\" are met:
19.\" 1. Redistributions of source code must retain the above copyright
20.\"    notice, this list of conditions and the following disclaimer.
21.\" 2. Redistributions in binary form must reproduce the above copyright
22.\"    notice, this list of conditions and the following disclaimer in the
23.\"    documentation and/or other materials provided with the distribution.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\"
36.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
37.\" $FreeBSD$
38.Dd December 7, 2013
39.Dt SSHD 8
40.Os
41.Sh NAME
42.Nm sshd
43.Nd OpenSSH SSH daemon
44.Sh SYNOPSIS
45.Nm sshd
46.Bk -words
47.Op Fl 46DdeiqTt
48.Op Fl b Ar bits
49.Op Fl C Ar connection_spec
50.Op Fl c Ar host_certificate_file
51.Op Fl E Ar log_file
52.Op Fl f Ar config_file
53.Op Fl g Ar login_grace_time
54.Op Fl h Ar host_key_file
55.Op Fl k Ar key_gen_time
56.Op Fl o Ar option
57.Op Fl p Ar port
58.Op Fl u Ar len
59.Ek
60.Sh DESCRIPTION
61.Nm
62(OpenSSH Daemon) is the daemon program for
63.Xr ssh 1 .
64Together these programs replace
65.Xr rlogin 1
66and
67.Xr rsh 1 ,
68and provide secure encrypted communications between two untrusted hosts
69over an insecure network.
70.Pp
71.Nm
72listens for connections from clients.
73It is normally started at boot from
74.Pa /etc/rc.d/sshd .
75It forks a new
76daemon for each incoming connection.
77The forked daemons handle
78key exchange, encryption, authentication, command execution,
79and data exchange.
80.Pp
81.Nm
82can be configured using command-line options or a configuration file
83(by default
84.Xr sshd_config 5 ) ;
85command-line options override values specified in the
86configuration file.
87.Nm
88rereads its configuration file when it receives a hangup signal,
89.Dv SIGHUP ,
90by executing itself with the name and options it was started with, e.g.\&
91.Pa /usr/sbin/sshd .
92.Pp
93The options are as follows:
94.Bl -tag -width Ds
95.It Fl 4
96Forces
97.Nm
98to use IPv4 addresses only.
99.It Fl 6
100Forces
101.Nm
102to use IPv6 addresses only.
103.It Fl b Ar bits
104Specifies the number of bits in the ephemeral protocol version 1
105server key (default 1024).
106.It Fl C Ar connection_spec
107Specify the connection parameters to use for the
108.Fl T
109extended test mode.
110If provided, any
111.Cm Match
112directives in the configuration file
113that would apply to the specified user, host, and address will be set before
114the configuration is written to standard output.
115The connection parameters are supplied as keyword=value pairs.
116The keywords are
117.Dq user ,
118.Dq host ,
119.Dq laddr ,
120.Dq lport ,
121and
122.Dq addr .
123All are required and may be supplied in any order, either with multiple
124.Fl C
125options or as a comma-separated list.
126.It Fl c Ar host_certificate_file
127Specifies a path to a certificate file to identify
128.Nm
129during key exchange.
130The certificate file must match a host key file specified using the
131.Fl h
132option or the
133.Cm HostKey
134configuration directive.
135.It Fl D
136When this option is specified,
137.Nm
138will not detach and does not become a daemon.
139This allows easy monitoring of
140.Nm sshd .
141.It Fl d
142Debug mode.
143The server sends verbose debug output to standard error,
144and does not put itself in the background.
145The server also will not fork and will only process one connection.
146This option is only intended for debugging for the server.
147Multiple
148.Fl d
149options increase the debugging level.
150Maximum is 3.
151.It Fl E Ar log_file
152Append debug logs to
153.Ar log_file
154instead of the system log.
155.It Fl e
156Write debug logs to standard error instead of the system log.
157.It Fl f Ar config_file
158Specifies the name of the configuration file.
159The default is
160.Pa /etc/ssh/sshd_config .
161.Nm
162refuses to start if there is no configuration file.
163.It Fl g Ar login_grace_time
164Gives the grace time for clients to authenticate themselves (default
165120 seconds).
166If the client fails to authenticate the user within
167this many seconds, the server disconnects and exits.
168A value of zero indicates no limit.
169.It Fl h Ar host_key_file
170Specifies a file from which a host key is read.
171This option must be given if
172.Nm
173is not run as root (as the normal
174host key files are normally not readable by anyone but root).
175The default is
176.Pa /etc/ssh/ssh_host_key
177for protocol version 1, and
178.Pa /etc/ssh/ssh_host_dsa_key ,
179.Pa /etc/ssh/ssh_host_ecdsa_key .
180.Pa /etc/ssh/ssh_host_ed25519_key
181and
182.Pa /etc/ssh/ssh_host_rsa_key
183for protocol version 2.
184It is possible to have multiple host key files for
185the different protocol versions and host key algorithms.
186.It Fl i
187Specifies that
188.Nm
189is being run from
190.Xr inetd 8 .
191.Nm
192is normally not run
193from inetd because it needs to generate the server key before it can
194respond to the client, and this may take tens of seconds.
195Clients would have to wait too long if the key was regenerated every time.
196However, with small key sizes (e.g. 512) using
197.Nm
198from inetd may
199be feasible.
200.It Fl k Ar key_gen_time
201Specifies how often the ephemeral protocol version 1 server key is
202regenerated (default 3600 seconds, or one hour).
203The motivation for regenerating the key fairly
204often is that the key is not stored anywhere, and after about an hour
205it becomes impossible to recover the key for decrypting intercepted
206communications even if the machine is cracked into or physically
207seized.
208A value of zero indicates that the key will never be regenerated.
209.It Fl o Ar option
210Can be used to give options in the format used in the configuration file.
211This is useful for specifying options for which there is no separate
212command-line flag.
213For full details of the options, and their values, see
214.Xr sshd_config 5 .
215.It Fl p Ar port
216Specifies the port on which the server listens for connections
217(default 22).
218Multiple port options are permitted.
219Ports specified in the configuration file with the
220.Cm Port
221option are ignored when a command-line port is specified.
222Ports specified using the
223.Cm ListenAddress
224option override command-line ports.
225.It Fl q
226Quiet mode.
227Nothing is sent to the system log.
228Normally the beginning,
229authentication, and termination of each connection is logged.
230.It Fl T
231Extended test mode.
232Check the validity of the configuration file, output the effective configuration
233to stdout and then exit.
234Optionally,
235.Cm Match
236rules may be applied by specifying the connection parameters using one or more
237.Fl C
238options.
239.It Fl t
240Test mode.
241Only check the validity of the configuration file and sanity of the keys.
242This is useful for updating
243.Nm
244reliably as configuration options may change.
245.It Fl u Ar len
246This option is used to specify the size of the field
247in the
248.Li utmp
249structure that holds the remote host name.
250If the resolved host name is longer than
251.Ar len ,
252the dotted decimal value will be used instead.
253This allows hosts with very long host names that
254overflow this field to still be uniquely identified.
255Specifying
256.Fl u0
257indicates that only dotted decimal addresses
258should be put into the
259.Pa utmp
260file.
261.Fl u0
262may also be used to prevent
263.Nm
264from making DNS requests unless the authentication
265mechanism or configuration requires it.
266Authentication mechanisms that may require DNS include
267.Cm RhostsRSAAuthentication ,
268.Cm HostbasedAuthentication ,
269and using a
270.Cm from="pattern-list"
271option in a key file.
272Configuration options that require DNS include using a
273USER@HOST pattern in
274.Cm AllowUsers
275or
276.Cm DenyUsers .
277.El
278.Sh AUTHENTICATION
279The OpenSSH SSH daemon supports SSH protocols 1 and 2.
280The default is to use protocol 2 only,
281though this can be changed via the
282.Cm Protocol
283option in
284.Xr sshd_config 5 .
285Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
286protocol 1 only supports RSA keys.
287For both protocols,
288each host has a host-specific key,
289normally 2048 bits,
290used to identify the host.
291.Pp
292Forward security for protocol 1 is provided through
293an additional server key,
294normally 768 bits,
295generated when the server starts.
296This key is normally regenerated every hour if it has been used, and
297is never stored on disk.
298Whenever a client connects, the daemon responds with its public
299host and server keys.
300The client compares the
301RSA host key against its own database to verify that it has not changed.
302The client then generates a 256-bit random number.
303It encrypts this
304random number using both the host key and the server key, and sends
305the encrypted number to the server.
306Both sides then use this
307random number as a session key which is used to encrypt all further
308communications in the session.
309The rest of the session is encrypted
310using a conventional cipher, currently Blowfish or 3DES, with 3DES
311being used by default.
312The client selects the encryption algorithm
313to use from those offered by the server.
314.Pp
315For protocol 2,
316forward security is provided through a Diffie-Hellman key agreement.
317This key agreement results in a shared session key.
318The rest of the session is encrypted using a symmetric cipher, currently
319128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
320The client selects the encryption algorithm
321to use from those offered by the server.
322Additionally, session integrity is provided
323through a cryptographic message authentication code
324(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
325hmac-sha2-256 or hmac-sha2-512).
326.Pp
327Finally, the server and the client enter an authentication dialog.
328The client tries to authenticate itself using
329host-based authentication,
330public key authentication,
331challenge-response authentication,
332or password authentication.
333.Pp
334Regardless of the authentication type, the account is checked to
335ensure that it is accessible.  An account is not accessible if it is
336locked, listed in
337.Cm DenyUsers
338or its group is listed in
339.Cm DenyGroups
340\&.  The definition of a locked account is system dependant. Some platforms
341have their own account database (eg AIX) and some modify the passwd field (
342.Ql \&*LK\&*
343on Solaris and UnixWare,
344.Ql \&*
345on HP-UX, containing
346.Ql Nologin
347on Tru64,
348a leading
349.Ql \&*LOCKED\&*
350on FreeBSD and a leading
351.Ql \&!
352on most Linuxes).
353If there is a requirement to disable password authentication
354for the account while allowing still public-key, then the passwd field
355should be set to something other than these values (eg
356.Ql NP
357or
358.Ql \&*NP\&*
359).
360.Pp
361If the client successfully authenticates itself, a dialog for
362preparing the session is entered.
363At this time the client may request
364things like allocating a pseudo-tty, forwarding X11 connections,
365forwarding TCP connections, or forwarding the authentication agent
366connection over the secure channel.
367.Pp
368After this, the client either requests a shell or execution of a command.
369The sides then enter session mode.
370In this mode, either side may send
371data at any time, and such data is forwarded to/from the shell or
372command on the server side, and the user terminal in the client side.
373.Pp
374When the user program terminates and all forwarded X11 and other
375connections have been closed, the server sends command exit status to
376the client, and both sides exit.
377.Sh LOGIN PROCESS
378When a user successfully logs in,
379.Nm
380does the following:
381.Bl -enum -offset indent
382.It
383If the login is on a tty, and no command has been specified,
384prints last login time and
385.Pa /etc/motd
386(unless prevented in the configuration file or by
387.Pa ~/.hushlogin ;
388see the
389.Sx FILES
390section).
391.It
392If the login is on a tty, records login time.
393.It
394Checks
395.Pa /etc/nologin and
396.Pa /var/run/nologin ;
397if one exists, it prints the contents and quits
398(unless root).
399.It
400Changes to run with normal user privileges.
401.It
402Sets up basic environment.
403.It
404Reads the file
405.Pa ~/.ssh/environment ,
406if it exists, and users are allowed to change their environment.
407See the
408.Cm PermitUserEnvironment
409option in
410.Xr sshd_config 5 .
411.It
412Changes to user's home directory.
413.It
414If
415.Pa ~/.ssh/rc
416exists, runs it; else if
417.Pa /etc/ssh/sshrc
418exists, runs
419it; otherwise runs
420.Xr xauth 1 .
421The
422.Dq rc
423files are given the X11
424authentication protocol and cookie in standard input.
425See
426.Sx SSHRC ,
427below.
428.It
429Runs user's shell or command.
430.El
431.Sh SSHRC
432If the file
433.Pa ~/.ssh/rc
434exists,
435.Xr sh 1
436runs it after reading the
437environment files but before starting the user's shell or command.
438It must not produce any output on stdout; stderr must be used
439instead.
440If X11 forwarding is in use, it will receive the "proto cookie" pair in
441its standard input (and
442.Ev DISPLAY
443in its environment).
444The script must call
445.Xr xauth 1
446because
447.Nm
448will not run xauth automatically to add X11 cookies.
449.Pp
450The primary purpose of this file is to run any initialization routines
451which may be needed before the user's home directory becomes
452accessible; AFS is a particular example of such an environment.
453.Pp
454This file will probably contain some initialization code followed by
455something similar to:
456.Bd -literal -offset 3n
457if read proto cookie && [ -n "$DISPLAY" ]; then
458	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
459		# X11UseLocalhost=yes
460		echo add unix:`echo $DISPLAY |
461		    cut -c11-` $proto $cookie
462	else
463		# X11UseLocalhost=no
464		echo add $DISPLAY $proto $cookie
465	fi | xauth -q -
466fi
467.Ed
468.Pp
469If this file does not exist,
470.Pa /etc/ssh/sshrc
471is run, and if that
472does not exist either, xauth is used to add the cookie.
473.Sh AUTHORIZED_KEYS FILE FORMAT
474.Cm AuthorizedKeysFile
475specifies the files containing public keys for
476public key authentication;
477if none is specified, the default is
478.Pa ~/.ssh/authorized_keys
479and
480.Pa ~/.ssh/authorized_keys2 .
481Each line of the file contains one
482key (empty lines and lines starting with a
483.Ql #
484are ignored as
485comments).
486Protocol 1 public keys consist of the following space-separated fields:
487options, bits, exponent, modulus, comment.
488Protocol 2 public key consist of:
489options, keytype, base64-encoded key, comment.
490The options field is optional;
491its presence is determined by whether the line starts
492with a number or not (the options field never starts with a number).
493The bits, exponent, modulus, and comment fields give the RSA key for
494protocol version 1; the
495comment field is not used for anything (but may be convenient for the
496user to identify the key).
497For protocol version 2 the keytype is
498.Dq ecdsa-sha2-nistp256 ,
499.Dq ecdsa-sha2-nistp384 ,
500.Dq ecdsa-sha2-nistp521 ,
501.Dq ssh-ed25519 ,
502.Dq ssh-dss
503or
504.Dq ssh-rsa .
505.Pp
506Note that lines in this file are usually several hundred bytes long
507(because of the size of the public key encoding) up to a limit of
5088 kilobytes, which permits DSA keys up to 8 kilobits and RSA
509keys up to 16 kilobits.
510You don't want to type them in; instead, copy the
511.Pa identity.pub ,
512.Pa id_dsa.pub ,
513.Pa id_ecdsa.pub ,
514.Pa id_ed25519.pub ,
515or the
516.Pa id_rsa.pub
517file and edit it.
518.Pp
519.Nm
520enforces a minimum RSA key modulus size for protocol 1
521and protocol 2 keys of 768 bits.
522.Pp
523The options (if present) consist of comma-separated option
524specifications.
525No spaces are permitted, except within double quotes.
526The following option specifications are supported (note
527that option keywords are case-insensitive):
528.Bl -tag -width Ds
529.It Cm cert-authority
530Specifies that the listed key is a certification authority (CA) that is
531trusted to validate signed certificates for user authentication.
532.Pp
533Certificates may encode access restrictions similar to these key options.
534If both certificate restrictions and key options are present, the most
535restrictive union of the two is applied.
536.It Cm command="command"
537Specifies that the command is executed whenever this key is used for
538authentication.
539The command supplied by the user (if any) is ignored.
540The command is run on a pty if the client requests a pty;
541otherwise it is run without a tty.
542If an 8-bit clean channel is required,
543one must not request a pty or should specify
544.Cm no-pty .
545A quote may be included in the command by quoting it with a backslash.
546This option might be useful
547to restrict certain public keys to perform just a specific operation.
548An example might be a key that permits remote backups but nothing else.
549Note that the client may specify TCP and/or X11
550forwarding unless they are explicitly prohibited.
551The command originally supplied by the client is available in the
552.Ev SSH_ORIGINAL_COMMAND
553environment variable.
554Note that this option applies to shell, command or subsystem execution.
555Also note that this command may be superseded by either a
556.Xr sshd_config 5
557.Cm ForceCommand
558directive or a command embedded in a certificate.
559.It Cm environment="NAME=value"
560Specifies that the string is to be added to the environment when
561logging in using this key.
562Environment variables set this way
563override other default environment values.
564Multiple options of this type are permitted.
565Environment processing is disabled by default and is
566controlled via the
567.Cm PermitUserEnvironment
568option.
569This option is automatically disabled if
570.Cm UseLogin
571is enabled.
572.It Cm from="pattern-list"
573Specifies that in addition to public key authentication, either the canonical
574name of the remote host or its IP address must be present in the
575comma-separated list of patterns.
576See PATTERNS in
577.Xr ssh_config 5
578for more information on patterns.
579.Pp
580In addition to the wildcard matching that may be applied to hostnames or
581addresses, a
582.Cm from
583stanza may match IP addresses using CIDR address/masklen notation.
584.Pp
585The purpose of this option is to optionally increase security: public key
586authentication by itself does not trust the network or name servers or
587anything (but the key); however, if somebody somehow steals the key, the key
588permits an intruder to log in from anywhere in the world.
589This additional option makes using a stolen key more difficult (name
590servers and/or routers would have to be compromised in addition to
591just the key).
592.It Cm no-agent-forwarding
593Forbids authentication agent forwarding when this key is used for
594authentication.
595.It Cm no-port-forwarding
596Forbids TCP forwarding when this key is used for authentication.
597Any port forward requests by the client will return an error.
598This might be used, e.g. in connection with the
599.Cm command
600option.
601.It Cm no-pty
602Prevents tty allocation (a request to allocate a pty will fail).
603.It Cm no-user-rc
604Disables execution of
605.Pa ~/.ssh/rc .
606.It Cm no-X11-forwarding
607Forbids X11 forwarding when this key is used for authentication.
608Any X11 forward requests by the client will return an error.
609.It Cm permitopen="host:port"
610Limit local
611.Li ``ssh -L''
612port forwarding such that it may only connect to the specified host and
613port.
614IPv6 addresses can be specified by enclosing the address in square brackets.
615Multiple
616.Cm permitopen
617options may be applied separated by commas.
618No pattern matching is performed on the specified hostnames,
619they must be literal domains or addresses.
620A port specification of
621.Cm *
622matches any port.
623.It Cm principals="principals"
624On a
625.Cm cert-authority
626line, specifies allowed principals for certificate authentication as a
627comma-separated list.
628At least one name from the list must appear in the certificate's
629list of principals for the certificate to be accepted.
630This option is ignored for keys that are not marked as trusted certificate
631signers using the
632.Cm cert-authority
633option.
634.It Cm tunnel="n"
635Force a
636.Xr tun 4
637device on the server.
638Without this option, the next available device will be used if
639the client requests a tunnel.
640.El
641.Pp
642An example authorized_keys file:
643.Bd -literal -offset 3n
644# Comments allowed at start of line
645ssh-rsa AAAAB3Nza...LiPk== user@example.net
646from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
647AAAAB2...19Q== john@example.net
648command="dump /home",no-pty,no-port-forwarding ssh-dss
649AAAAC3...51R== example.net
650permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
651AAAAB5...21S==
652tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
653jane@example.net
654.Ed
655.Sh SSH_KNOWN_HOSTS FILE FORMAT
656The
657.Pa /etc/ssh/ssh_known_hosts
658and
659.Pa ~/.ssh/known_hosts
660files contain host public keys for all known hosts.
661The global file should
662be prepared by the administrator (optional), and the per-user file is
663maintained automatically: whenever the user connects from an unknown host,
664its key is added to the per-user file.
665.Pp
666Each line in these files contains the following fields: markers (optional),
667hostnames, bits, exponent, modulus, comment.
668The fields are separated by spaces.
669.Pp
670The marker is optional, but if it is present then it must be one of
671.Dq @cert-authority ,
672to indicate that the line contains a certification authority (CA) key,
673or
674.Dq @revoked ,
675to indicate that the key contained on the line is revoked and must not ever
676be accepted.
677Only one marker should be used on a key line.
678.Pp
679Hostnames is a comma-separated list of patterns
680.Pf ( Ql *
681and
682.Ql \&?
683act as
684wildcards); each pattern in turn is matched against the canonical host
685name (when authenticating a client) or against the user-supplied
686name (when authenticating a server).
687A pattern may also be preceded by
688.Ql \&!
689to indicate negation: if the host name matches a negated
690pattern, it is not accepted (by that line) even if it matched another
691pattern on the line.
692A hostname or address may optionally be enclosed within
693.Ql \&[
694and
695.Ql \&]
696brackets then followed by
697.Ql \&:
698and a non-standard port number.
699.Pp
700Alternately, hostnames may be stored in a hashed form which hides host names
701and addresses should the file's contents be disclosed.
702Hashed hostnames start with a
703.Ql |
704character.
705Only one hashed hostname may appear on a single line and none of the above
706negation or wildcard operators may be applied.
707.Pp
708Bits, exponent, and modulus are taken directly from the RSA host key; they
709can be obtained, for example, from
710.Pa /etc/ssh/ssh_host_key.pub .
711The optional comment field continues to the end of the line, and is not used.
712.Pp
713Lines starting with
714.Ql #
715and empty lines are ignored as comments.
716.Pp
717When performing host authentication, authentication is accepted if any
718matching line has the proper key; either one that matches exactly or,
719if the server has presented a certificate for authentication, the key
720of the certification authority that signed the certificate.
721For a key to be trusted as a certification authority, it must use the
722.Dq @cert-authority
723marker described above.
724.Pp
725The known hosts file also provides a facility to mark keys as revoked,
726for example when it is known that the associated private key has been
727stolen.
728Revoked keys are specified by including the
729.Dq @revoked
730marker at the beginning of the key line, and are never accepted for
731authentication or as certification authorities, but instead will
732produce a warning from
733.Xr ssh 1
734when they are encountered.
735.Pp
736It is permissible (but not
737recommended) to have several lines or different host keys for the same
738names.
739This will inevitably happen when short forms of host names
740from different domains are put in the file.
741It is possible
742that the files contain conflicting information; authentication is
743accepted if valid information can be found from either file.
744.Pp
745Note that the lines in these files are typically hundreds of characters
746long, and you definitely don't want to type in the host keys by hand.
747Rather, generate them by a script,
748.Xr ssh-keyscan 1
749or by taking
750.Pa /etc/ssh/ssh_host_key.pub
751and adding the host names at the front.
752.Xr ssh-keygen 1
753also offers some basic automated editing for
754.Pa ~/.ssh/known_hosts
755including removing hosts matching a host name and converting all host
756names to their hashed representations.
757.Pp
758An example ssh_known_hosts file:
759.Bd -literal -offset 3n
760# Comments allowed at start of line
761closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
762cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
763# A hashed hostname
764|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
765AAAA1234.....=
766# A revoked key
767@revoked * ssh-rsa AAAAB5W...
768# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
769@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
770.Ed
771.Sh FILES
772.Bl -tag -width Ds -compact
773.It Pa ~/.hushlogin
774This file is used to suppress printing the last login time and
775.Pa /etc/motd ,
776if
777.Cm PrintLastLog
778and
779.Cm PrintMotd ,
780respectively,
781are enabled.
782It does not suppress printing of the banner specified by
783.Cm Banner .
784.Pp
785.It Pa ~/.rhosts
786This file is used for host-based authentication (see
787.Xr ssh 1
788for more information).
789On some machines this file may need to be
790world-readable if the user's home directory is on an NFS partition,
791because
792.Nm
793reads it as root.
794Additionally, this file must be owned by the user,
795and must not have write permissions for anyone else.
796The recommended
797permission for most machines is read/write for the user, and not
798accessible by others.
799.Pp
800.It Pa ~/.shosts
801This file is used in exactly the same way as
802.Pa .rhosts ,
803but allows host-based authentication without permitting login with
804rlogin/rsh.
805.Pp
806.It Pa ~/.ssh/
807This directory is the default location for all user-specific configuration
808and authentication information.
809There is no general requirement to keep the entire contents of this directory
810secret, but the recommended permissions are read/write/execute for the user,
811and not accessible by others.
812.Pp
813.It Pa ~/.ssh/authorized_keys
814Lists the public keys (DSA, ECDSA, ED25519, RSA)
815that can be used for logging in as this user.
816The format of this file is described above.
817The content of the file is not highly sensitive, but the recommended
818permissions are read/write for the user, and not accessible by others.
819.Pp
820If this file, the
821.Pa ~/.ssh
822directory, or the user's home directory are writable
823by other users, then the file could be modified or replaced by unauthorized
824users.
825In this case,
826.Nm
827will not allow it to be used unless the
828.Cm StrictModes
829option has been set to
830.Dq no .
831.Pp
832.It Pa ~/.ssh/environment
833This file is read into the environment at login (if it exists).
834It can only contain empty lines, comment lines (that start with
835.Ql # ) ,
836and assignment lines of the form name=value.
837The file should be writable
838only by the user; it need not be readable by anyone else.
839Environment processing is disabled by default and is
840controlled via the
841.Cm PermitUserEnvironment
842option.
843.Pp
844.It Pa ~/.ssh/known_hosts
845Contains a list of host keys for all hosts the user has logged into
846that are not already in the systemwide list of known host keys.
847The format of this file is described above.
848This file should be writable only by root/the owner and
849can, but need not be, world-readable.
850.Pp
851.It Pa ~/.ssh/rc
852Contains initialization routines to be run before
853the user's home directory becomes accessible.
854This file should be writable only by the user, and need not be
855readable by anyone else.
856.Pp
857.It Pa /etc/hosts.allow
858.It Pa /etc/hosts.deny
859Access controls that should be enforced by tcp-wrappers are defined here.
860Further details are described in
861.Xr hosts_access 5 .
862.Pp
863.It Pa /etc/hosts.equiv
864This file is for host-based authentication (see
865.Xr ssh 1 ) .
866It should only be writable by root.
867.Pp
868.It Pa /etc/moduli
869Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
870The file format is described in
871.Xr moduli 5 .
872.Pp
873.It Pa /etc/motd
874See
875.Xr motd 5 .
876.Pp
877.It Pa /etc/nologin
878If this file exists,
879.Nm
880refuses to let anyone except root log in.
881The contents of the file
882are displayed to anyone trying to log in, and non-root connections are
883refused.
884The file should be world-readable.
885.Pp
886.It Pa /etc/shosts.equiv
887This file is used in exactly the same way as
888.Pa hosts.equiv ,
889but allows host-based authentication without permitting login with
890rlogin/rsh.
891.Pp
892.It Pa /etc/ssh/ssh_host_key
893.It Pa /etc/ssh/ssh_host_dsa_key
894.It Pa /etc/ssh/ssh_host_ecdsa_key
895.It Pa /etc/ssh/ssh_host_ed25519_key
896.It Pa /etc/ssh/ssh_host_rsa_key
897These files contain the private parts of the host keys.
898These files should only be owned by root, readable only by root, and not
899accessible to others.
900Note that
901.Nm
902does not start if these files are group/world-accessible.
903.Pp
904.It Pa /etc/ssh/ssh_host_key.pub
905.It Pa /etc/ssh/ssh_host_dsa_key.pub
906.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
907.It Pa /etc/ssh/ssh_host_ed25519_key.pub
908.It Pa /etc/ssh/ssh_host_rsa_key.pub
909These files contain the public parts of the host keys.
910These files should be world-readable but writable only by
911root.
912Their contents should match the respective private parts.
913These files are not
914really used for anything; they are provided for the convenience of
915the user so their contents can be copied to known hosts files.
916These files are created using
917.Xr ssh-keygen 1 .
918.Pp
919.It Pa /etc/ssh/ssh_known_hosts
920Systemwide list of known host keys.
921This file should be prepared by the
922system administrator to contain the public host keys of all machines in the
923organization.
924The format of this file is described above.
925This file should be writable only by root/the owner and
926should be world-readable.
927.Pp
928.It Pa /etc/ssh/sshd_config
929Contains configuration data for
930.Nm sshd .
931The file format and configuration options are described in
932.Xr sshd_config 5 .
933.Pp
934.It Pa /etc/ssh/sshrc
935Similar to
936.Pa ~/.ssh/rc ,
937it can be used to specify
938machine-specific login-time initializations globally.
939This file should be writable only by root, and should be world-readable.
940.Pp
941.It Pa /var/empty
942.Xr chroot 2
943directory used by
944.Nm
945during privilege separation in the pre-authentication phase.
946The directory should not contain any files and must be owned by root
947and not group or world-writable.
948.Pp
949.It Pa /var/run/sshd.pid
950Contains the process ID of the
951.Nm
952listening for connections (if there are several daemons running
953concurrently for different ports, this contains the process ID of the one
954started last).
955The content of this file is not sensitive; it can be world-readable.
956.El
957.Sh SEE ALSO
958.Xr scp 1 ,
959.Xr sftp 1 ,
960.Xr ssh 1 ,
961.Xr ssh-add 1 ,
962.Xr ssh-agent 1 ,
963.Xr ssh-keygen 1 ,
964.Xr ssh-keyscan 1 ,
965.Xr chroot 2 ,
966.Xr hosts_access 5 ,
967.Xr login.conf 5 ,
968.Xr moduli 5 ,
969.Xr sshd_config 5 ,
970.Xr inetd 8 ,
971.Xr sftp-server 8
972.Sh AUTHORS
973OpenSSH is a derivative of the original and free
974ssh 1.2.12 release by Tatu Ylonen.
975Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
976Theo de Raadt and Dug Song
977removed many bugs, re-added newer features and
978created OpenSSH.
979Markus Friedl contributed the support for SSH
980protocol versions 1.5 and 2.0.
981Niels Provos and Markus Friedl contributed support
982for privilege separation.
983.Sh CAVEATS
984System security is not improved unless
985.Nm rshd ,
986.Nm rlogind ,
987and
988.Nm rexecd
989are disabled (thus completely disabling
990.Xr rlogin
991and
992.Xr rsh
993into the machine).
994